Merge pull request #226 from release-engineering/better-cors

Properly handle CORS and don't default to a wild-card
redhat-exd-rebuilds · Feb 25, 2019 · 2042800 · 2042800
2 parents 9dc7339 + 43c9e30
commit 2042800
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 10 deletions.
diff --git a/estuary/app.py b/estuary/app.py
@@ -5,7 +5,7 @@
 import os
 import warnings
 
-from flask import Flask, current_app
+from flask import Flask, current_app, request
 from werkzeug.exceptions import default_exceptions
 from neomodel import config as neomodel_config
 from neo4j.exceptions import ServiceUnavailable, AuthError
@@ -51,6 +51,8 @@ def load_config(app):
         app.config['OIDC_CLIENT_ID'] = os.environ['OIDC_CLIENT_ID']
     if os.environ.get('OIDC_CLIENT_SECRET'):
         app.config['OIDC_CLIENT_SECRET'] = os.environ['OIDC_CLIENT_SECRET']
+    if os.environ.get('CORS_ORIGINS'):
+        app.config['CORS_ORIGINS'] = os.environ['CORS_ORIGINS'].split(',')
 
 
 def insert_headers(response):
@@ -61,9 +63,10 @@ def insert_headers(response):
     :return: modified Flask response
     :rtype: flask.Response
     """
-    cors_url = current_app.config.get('CORS_URL')
-    if cors_url:
-        response.headers['Access-Control-Allow-Origin'] = cors_url
+    cors_origins = current_app.config.get('CORS_ORIGINS', [])
+    origin = request.headers.get('Origin')
+    if origin and origin in cors_origins:
+        response.headers['Access-Control-Allow-Origin'] = origin
         response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
         response.headers['Access-Control-Allow-Method'] = 'GET, OPTIONS'
     return response

diff --git a/estuary/config.py b/estuary/config.py
@@ -18,7 +18,8 @@ class Config(object):
     SHOW_DB_URI = False
     SECRET_KEY = 'replace-me-with-something-random'
     NEO4J_URI = 'bolt://neo4j:neo4j@localhost:7687'
-    CORS_URL = '*'
+    # By default, only allow the front-end on localhost to make cross-origin requests
+    CORS_ORIGINS = ['http://localhost:4200']
     STORY_MANAGER_SEQUENCE = ['ModuleStoryManager', 'ContainerStoryManager']
     ENABLE_AUTH = False
     OIDC_INTROSPECT_URL = None

diff --git a/tests/test_app.py b/tests/test_app.py
@@ -2,10 +2,21 @@
 
 from __future__ import unicode_literals
 
+import pytest
 
-def test_insert_headers(client):
+
+@pytest.mark.parametrize('origin, header_set', [
+    ('http://localhost:4200', True),
+    ('http://some-hacker.domain.local', False)
+])
+def test_cors_header(client, origin, header_set):
     """Test that the appropriate headers are inserted in a Flask response."""
-    rv = client.get('/api/v1/')
-    assert 'Access-Control-Allow-Origin: *' in str(rv.headers)
-    assert 'Access-Control-Allow-Headers: Content-Type' in str(rv.headers)
-    assert 'Access-Control-Allow-Method: GET, OPTIONS' in str(rv.headers)
+    rv = client.get('/api/v1/', headers={'Origin': origin})
+    if header_set:
+        assert 'Access-Control-Allow-Origin: {}'.format(origin) in str(rv.headers)
+        assert 'Access-Control-Allow-Headers: Content-Type' in str(rv.headers)
+        assert 'Access-Control-Allow-Method: GET, OPTIONS' in str(rv.headers)
+    else:
+        assert 'Access-Control-Allow-Origin' not in str(rv.headers)
+        assert 'Access-Control-Allow-Headers' not in str(rv.headers)
+        assert 'Access-Control-Allow-Method' not in str(rv.headers)