1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482
//! # Corsware //! Yet another implementation of the CORS Specification for Iron. extern crate iron; extern crate unicase; #[macro_use] extern crate hyper; pub use unicase::UniCase; use iron::prelude::*; use iron::method::Method; use iron::method::Method::*; use iron::status; //use iron::headers::Origin as OriginHeader; use iron::headers::{AccessControlRequestMethod, AccessControlRequestHeaders, AccessControlAllowOrigin, AccessControlAllowHeaders, AccessControlMaxAge, AccessControlAllowMethods, AccessControlAllowCredentials, AccessControlExposeHeaders, Vary}; use iron::middleware::{AroundMiddleware, Handler}; use std::collections::HashSet; use std::iter::FromIterator; pub use origin::Origin; mod origin; header! { /// A Custom Origin header which allows for null origins, something the standard /// Iron header does not. (OriginHeader, "Origin") => [String] } /// Specifies which origins are allowed to access this resource #[derive(Clone)] pub enum AllowedOrigins { /// Any origin is allowed. Any { /// Allowing a null origin is a separate setting, since it's /// risky to trust sources with a null origin, see /// https://tools.ietf.org/id/draft-abarth-origin-03.html#rfc.section.6 /// https://w3c.github.io/webappsec-cors-for-developers/ allow_null: bool, }, /// Allow a specific set of origins. Remember that allowing /// for a null header is risky. Specific(HashSet<Origin>), } impl AllowedOrigins { /// Allow the provided origin access. Respond with the appropriate /// AccessControlAllowOrigin header. fn allow(&self, origin_string: &str, prefer_wildcard: bool, allow_credentials: bool) -> Option<String> { { if allow_credentials { // Allow credentials does not permit using wildcard Some(origin_string.to_owned()) } else { // Use wildcard if preferred Some(if prefer_wildcard { "*".to_owned() } else { origin_string.to_owned() }) } } } /// Returns the value of AccessControlAllowOrigin /// given the specified Origin header in the request. The allow_credentials /// flag is supplied since AccessControlAllowOrigin * is forbidden when credentials /// are allowed. /// /// We're not using the iron Origin header to construct an origin directly, since /// we are dependent on url.port_or_known_default() to get the default port. This /// method is only available after parsing the Origin header to an URL. pub fn allowed_for(&self, origin_string: &str, allow_credentials: bool, prefer_wildcard: bool) -> Option<String> { match Origin::parse_allow_null(origin_string) { Err(_) => None, Ok(origin) => { match *self { AllowedOrigins::Any { allow_null } => { // Any origin is allowed, but this does not include Null, // special check for that if origin == Origin::Null && !allow_null { None } else { self.allow(origin_string, prefer_wildcard, allow_credentials) } } AllowedOrigins::Specific(ref allowed) => { if allowed.contains(&origin) { self.allow(origin_string, prefer_wildcard, allow_credentials) } else { None } } } } } } } /// An Iron middleware implementing CORS. /// /// Note: Not using `Vec<Header>` to represent /// headers since the Iron `Header` /// type is representing a `Key=Value` pair and not just the key. /// In other words, the Header type represents an instance of /// a HTTP header. What we need here is something representing the /// type of header. Since the Header trait defines a a method /// `fn header_name() -> &'static str`, we conclude that Iron uses /// strings to represent this. /// /// # Simple Example /// ``` /// extern crate iron; /// extern crate corsware; /// use corsware::CorsMiddleware; /// use iron::prelude::*; /// use iron::status; /// /// fn main() { /// let handler = |_: &mut Request| { /// Ok(Response::with((status::Ok, "Hello world!"))) /// }; /// let mut chain = Chain::new(handler); /// chain.link_around(CorsMiddleware::permissive()); /// let mut listening = Iron::new(chain).http("localhost:0").unwrap(); /// listening.close().unwrap(); /// } /// ``` /// # A More Elaborate Example /// ``` /// extern crate iron; /// extern crate corsware; /// use corsware::{CorsMiddleware, AllowedOrigins, UniCase}; /// use iron::method::Method::{Get,Post}; /// use iron::prelude::*; /// use iron::status; /// /// fn main() { /// let handler = |_: &mut Request| { /// Ok(Response::with((status::Ok, "Hello world!"))) /// }; /// let cors = CorsMiddleware { /// allowed_origins : AllowedOrigins::Any { allow_null: false }, /// allowed_headers: vec![UniCase("Content-Type".to_owned())], /// allowed_methods : vec![ Get, Post ], /// exposed_headers: vec![], /// allow_credentials: false, /// max_age_seconds: 60 * 60, /// prefer_wildcard: true /// }; /// /// let chain = cors.decorate(handler); /// let mut listening = Iron::new(chain).http("localhost:0").unwrap(); /// listening.close().unwrap(); /// } /// ``` #[derive(Clone)] pub struct CorsMiddleware { /// The origins which are allowed to access this resource pub allowed_origins: AllowedOrigins, /// The methods allowed to perform on this resource pub allowed_methods: Vec<Method>, /// The headers allowed to send to this resource pub allowed_headers: Vec<UniCase<String>>, /// The headers allowed to read from the response from this resource pub exposed_headers: Vec<UniCase<String>>, /// Whether to allow clients to send cookies to this resource or not pub allow_credentials: bool, /// Defines the max cache lifetime for operations allowed on this /// resource pub max_age_seconds: u32, /// If set, wildcard ('*') will be used as value /// for AccessControlAllowOrigin if possible. If not set, /// echoing the incoming origin will be preferred. /// If credentials are allowed, echoing will always be used. pub prefer_wildcard: bool, } /// Returns all standard HTTP verbs: /// `[Options, Get, Post, Put, Delete, Head, Trace, Connect, Patch]` pub fn all_std_methods() -> Vec<Method> { vec![Options, Get, Post, Put, Delete, Head, Trace, Connect, Patch] } /// Returns HTTP Headers commonly set by clients (js frontend frameworks and the like): /// `[Authorization, Content-Type and X-Requested-With]` pub fn common_req_headers() -> Vec<unicase::UniCase<String>> { vec![UniCase("Authorization".to_owned()), UniCase("Content-Type".to_owned()), UniCase("X-Requested-With".to_owned())] } impl CorsMiddleware { /// New middleware with sensible permissive settings. /// Allows any origin. /// Allows all standard HTTP methods. /// Allows common request headers (as defined by `common_req_headers()`. /// Does not expose any headers. /// Does not allow credentials. /// Sets MaxAge to 60 minutes. pub fn permissive() -> CorsMiddleware { CorsMiddleware { allowed_origins: AllowedOrigins::Any { allow_null: false }, allowed_methods: all_std_methods(), allowed_headers: common_req_headers(), exposed_headers: vec![], allow_credentials: false, max_age_seconds: 60 * 60, prefer_wildcard: false, } } /// These are all headers which can influence the outcome of /// any given CORS request. fn vary_headers() -> Vec<UniCase<String>> { vec![UniCase("Origin".to_owned()), UniCase("Access-Control-Request-Method".to_owned()), UniCase("Access-Control-Request-Headers".to_owned())] } /// Handle a potential CORS request. Detects if this is a /// preflight or normal method, adding CORS headers as appropriate fn handle(&self, req: &mut Request, handler: &Handler) -> IronResult<Response> { // http://stackoverflow.com/questions/14015118/ // what-is-the-expected-response-to-an-invalid-cors-request // http://stackoverflow.com/questions/32331737/ // how-can-i-identify-a-cors-preflight-request let res = if req.method == Options && req.headers.get::<AccessControlRequestMethod>().is_some() { self.handle_preflight(req, handler) } else { self.handle_normal(req, handler) }; // Vary-Headers are outside the CORS specification, but still important for // caching. These should be set unconditionally for all resources covered by CORS match res { Ok(mut r) => { r.headers.set(Vary::Items(CorsMiddleware::vary_headers())); Ok(r) } x => x, } } /// Handle a preflight request fn handle_preflight(&self, req: &mut Request, _: &Handler) -> IronResult<Response> { // Successful preflight status code is NoContent let mut res = Response::with(status::NoContent); // - Preflight request // - 1.If the Origin header is not present terminate this set of steps. The request is // - outside the scope of this specification. let maybe_origin = req.headers.get::<OriginHeader>(); if maybe_origin.is_none() { let resp = Response::with((status::BadRequest, "Preflight request without Origin header")); return Ok(resp); } let origin = maybe_origin.unwrap(); // // - 2.If the value of the Origin header is not a case-sensitive match for any of the // - values in list of origins do not set any additional headers and terminate this // - set of steps. // // - Note: Always matching is acceptable since the list of origins can be unbounded. // // - Note: The Origin header can only contain a single origin as the user agent // will not follow redirects. // let origin_str = origin.to_string(); let allowed_origin = self.allowed_origins.allowed_for(&origin_str, self.allow_credentials, self.prefer_wildcard); if allowed_origin.is_none() { let resp = Response::with((status::BadRequest, format!("Preflight request requesting \ disallowed origin '{}'", origin_str))); return Ok(resp); } // // - 3. Let method be the value as result of parsing the Access-Control-Request-Method // - header. // // - If there is no Access-Control-Request-Method header or if parsing failed, do not // - set any additional headers and terminate this set of steps. The request is // - outside the scope of this specification. // We can assume that this header exists, since we already checked that before // classifying the request as preflight let requested_method = req.headers.get::<AccessControlRequestMethod>().unwrap(); // // - 4. Let header field-names be the values as result of parsing the // - Access-Control-Request-Headers headers. // // - If there are no Access-Control-Request-Headers headers let header field-names be // - the empty list. // // - If parsing failed do not set any additional headers and terminate this set of // - steps. The request is outside the scope of this specification. // let empty_vec: Vec<UniCase<String>> = vec![]; let maybe_requested_headers = req.headers.get::<AccessControlRequestHeaders>(); let requested_headers: &Vec<UniCase<String>> = if maybe_requested_headers.is_some() { &maybe_requested_headers.unwrap().0 } else { &empty_vec }; // - 5.If method is not a case-sensitive match for any of the values in list of // - methods do not set any additional headers and terminate this set of steps. // // - Always matching is acceptable since the list of methods can be unbounded. // if !self.allowed_methods.contains(requested_method) { return Ok(Response::with((status::BadRequest, format!("Preflight request requesting disallowed method {}", requested_method)))); } // - 6. If any of the header field-names is not a ASCII case-insensitive match for any // - of the values in list of headers do not set any additional headers and terminate // - this set of steps. let requested_headers_set: HashSet<UniCase<String>> = HashSet::from_iter(requested_headers.iter().cloned()); let allowed_headers_set: HashSet<UniCase<String>> = HashSet::from_iter(self.allowed_headers.iter().cloned()); let disallowed_headers: HashSet<UniCase<String>> = requested_headers_set.difference(&allowed_headers_set).cloned().collect(); if !disallowed_headers.is_empty() { let a = disallowed_headers.iter() .map(|uh| uh.to_string()) .collect::<Vec<_>>() .join(","); let msg = format!("Preflight request requesting disallowed header(s) {}", a); return Ok(Response::with((status::BadRequest, msg))); } // // - Always matching is acceptable since the list of headers can be unbounded. // // - 7. If the resource supports credentials add a single Access-Control-Allow-Origin // - header, with the value of the Origin header as value, and add a single // - Access-Control-Allow-Credentials header with the case-sensitive string "true" as // - value. // // - Otherwise, add a single Access-Control-Allow-Origin header, with either the // - value of the Origin header or the string "*" as value. // // - The string "*" cannot be used for a resource that supports credentials. // if self.allow_credentials { res.headers.set(AccessControlAllowCredentials); } res.headers.set(AccessControlAllowOrigin::Value(allowed_origin.unwrap())); // - 8. Optionally add a single Access-Control-Max-Age header with as value the amount // - of seconds the user agent is allowed to cache the result of the request. res.headers.set(AccessControlMaxAge(self.max_age_seconds)); // // - 9. If method is a simple method this step may be skipped. // // - Add one or more Access-Control-Allow-Methods headers consisting of (a subset of) // - the list of methods. // // - If a method is a simple method it does not need to be listed, but this is not // - prohibited. // // - Since the list of methods can be unbounded, simply returning the method // - indicated by Access-Control-Request-Method (if supported) can be enough. // res.headers.set(AccessControlAllowMethods(self.allowed_methods.clone())); // - 10.If each of the header field-names is a simple header and none is Content-Type, // - this step may be skipped. // // - Add one or more Access-Control-Allow-Headers headers consisting of (a subset of) // - the list of headers. // // - If a header field name is a simple header and is not Content-Type, it is not // - required to be listed. Content-Type is to be listed as only a subset of its // - values makes it qualify as simple header. // // - Since the list of headers can be unbounded, simply returning supported headers // - from Access-Control-Allow-Headers can be enough. res.headers.set(AccessControlAllowHeaders(self.allowed_headers.clone())); Ok(res) } /// Handle a normal (i.e non-preflight) CORS request fn handle_normal(&self, req: &mut Request, handler: &Handler) -> IronResult<Response> { // Normal request // - 1.If the Origin header is not present terminate this set of steps. The request is // - outside the scope of this specification. let have_origin; { let maybe_origin = req.headers.get::<OriginHeader>(); have_origin = maybe_origin.is_some(); } if !have_origin { // No origin, treat as normal request. // We could return error here if we wanted according to // https://tools.ietf.org/id/draft-abarth-origin-03.html#rfc.section.6 return handler.handle(req); } // // - 2.If the value of the Origin header is not a case-sensitive match for any of the // - values in list of origins, do not set any additional headers and terminate this // - set of steps. // // - Note: Always matching is acceptable since the list of origins can be unbounded. // let origin = req.headers .get::<OriginHeader>() .unwrap() .clone(); let origin_str = origin.to_string(); let allowed_origin = self.allowed_origins.allowed_for(&origin_str, self.allow_credentials, self.prefer_wildcard); if allowed_origin.is_none() { let resp = Response::with((status::BadRequest, format!("Normal request requesting \ disallowed origin '{}'", origin_str))); return Ok(resp); } let result = handler.handle(req); match result { Ok(mut res) => { // // - 3. If the resource supports credentials add a single // - Access-Control-Allow-Origin // - header, with the value of the Origin header as value, and add a single // - Access-Control-Allow-Credentials header with the case-sensitive string // - "true" as value. // // - Otherwise, add a single Access-Control-Allow-Origin header, with either the // - value of the Origin header or the string "*" as value. // // - Note: The string "*" cannot be used for a resource that supports credentials. if self.allow_credentials { res.headers.set(AccessControlAllowCredentials); } res.headers.set(AccessControlAllowOrigin::Value(allowed_origin.unwrap())); // // - 4. If the list of exposed headers is not empty add one or more // - Access-Control-Expose-Headers headers, with as values the header field names // - given in the list of exposed headers. if !self.exposed_headers.is_empty() { res.headers.set(AccessControlExposeHeaders(self.exposed_headers.clone())); } Ok(res) } _ => result, } } /// Util function for wrapping the supplied handler with this CorsMiddleware. /// Works by constructing a chain with only this middleware linked. pub fn decorate<T: Handler>(self, handler: T) -> Chain { let mut chain = Chain::new(handler); chain.link_around(self); chain } } impl AroundMiddleware for CorsMiddleware { fn around(self, handler: Box<Handler>) -> Box<Handler> { Box::new(move |req: &mut Request| self.handle(req, &handler)) } }