ipsilon/util/endpoint.py

   1 # Copyright (C) 2015  Ipsilon Contributors see COPYING for license
   2
   3 import cherrypy
   4 from ipsilon.util.log import Log
   5 from ipsilon.util.user import UserSession
   6 from urllib import unquote
   7 from functools import wraps
   8 try:
   9     from urlparse import urlparse
  10 except ImportError:
  11     # pylint: disable=no-name-in-module, import-error
  12     from urllib.parse import urlparse
  13
  14
  15 def allow_iframe(func):
  16     """
  17     Remove the X-Frame-Options and CSP frame-options deny headers.
  18     """
  19     @wraps(func)
  20     def wrapper(*args, **kwargs):
  21         result = func(*args, **kwargs)
  22         for (header, value) in [
  23                 ('X-Frame-Options', 'deny'),
  24                 ('Content-Security-Policy', 'frame-options \'deny\'')]:
  25             if cherrypy.response.headers.get(header, None) == value:
  26                 cherrypy.response.headers.pop(header, None)
  27         return result
  28
  29     return wrapper
  30
  31
  32 class Endpoint(Log):
  33     def __init__(self, site):
  34         self._site = site
  35         self.basepath = cherrypy.config.get('base.mount', "")
  36         self.user = None
  37         self.default_headers = {
  38             'Cache-Control': 'no-cache, no-store, must-revalidate, private',
  39             'Pragma': 'no-cache',
  40             'Content-Security-Policy': 'frame-options \'deny\'',
  41             'X-Frame-Options': 'deny',
  42         }
  43         self.auth_protect = False
  44
  45     def get_url(self):
  46         return cherrypy.url(relative=False)
  47
  48     def instance_base_url(self):
  49         url = self.get_url()
  50         s = urlparse(unquote(url))
  51         return '%s://%s%s' % (s.scheme, s.netloc, self.basepath)
  52
  53     def _check_referer(self, referer, url):
  54         r = urlparse(unquote(referer))
  55         u = urlparse(unquote(url))
  56         if r.scheme != u.scheme:
  57             return False
  58         if r.netloc != u.netloc:
  59             return False
  60         if r.path.startswith(self.basepath):
  61             return True
  62         return False
  63
  64     def __call__(self, *args, **kwargs):
  65         cherrypy.response.headers.update(self.default_headers)
  66
  67         self.user = UserSession().get_user()
  68
  69         if self.auth_protect and self.user.is_anonymous:
  70             raise cherrypy.HTTPError(401)
  71
  72         self.debug("method: %s" % cherrypy.request.method)
  73         op = getattr(self, cherrypy.request.method, None)
  74         if callable(op):
  75             # Basic CSRF protection
  76             if cherrypy.request.method != 'GET':
  77                 url = self.get_url()
  78                 if 'referer' not in cherrypy.request.headers:
  79                     self.debug("Missing referer in %s request to %s"
  80                                % (cherrypy.request.method, url))
  81                     raise cherrypy.HTTPError(403)
  82                 referer = cherrypy.request.headers['referer']
  83                 if not self._check_referer(referer, url):
  84                     self.debug("Wrong referer %s in request to %s"
  85                                % (referer, url))
  86                     raise cherrypy.HTTPError(403)
  87             return op(*args, **kwargs)
  88         else:
  89             op = getattr(self, 'root', None)
  90             if callable(op):
  91                 return op(*args, **kwargs)
  92
  93         return self.default(*args, **kwargs)
  94
  95     def default(self, *args, **kwargs):
  96         raise cherrypy.NotFound()
  97
  98     def add_subtree(self, name, page):
  99         self.__dict__[name] = page
 100
 101     def del_subtree(self, name):
 102         del self.__dict__[name]
 103
 104     exposed = True