Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
Total | |
100.00% |
45 / 45 |
|
100.00% |
6 / 6 |
CRAP | |
100.00% |
1 / 1 |
CorsUtils | |
100.00% |
45 / 45 |
|
100.00% |
6 / 6 |
18 | |
100.00% |
1 / 1 |
__construct | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
1 | |||
authorize | |
100.00% |
7 / 7 |
|
100.00% |
1 / 1 |
5 | |||
allowOrigin | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
1 | |||
getCanonicalDomain | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
2 | |||
modifyResponse | |
100.00% |
14 / 14 |
|
100.00% |
1 / 1 |
8 | |||
createPreflightResponse | |
100.00% |
12 / 12 |
|
100.00% |
1 / 1 |
1 |
1 | <?php |
2 | |
3 | namespace MediaWiki\Rest; |
4 | |
5 | use MediaWiki\Config\ServiceOptions; |
6 | use MediaWiki\MainConfigNames; |
7 | use MediaWiki\Rest\BasicAccess\BasicAuthorizerInterface; |
8 | use MediaWiki\Rest\HeaderParser\Origin; |
9 | use MediaWiki\User\UserIdentity; |
10 | |
11 | /** |
12 | * @internal |
13 | */ |
14 | class CorsUtils implements BasicAuthorizerInterface { |
15 | /** @var array */ |
16 | public const CONSTRUCTOR_OPTIONS = [ |
17 | MainConfigNames::AllowedCorsHeaders, |
18 | MainConfigNames::AllowCrossOrigin, |
19 | MainConfigNames::RestAllowCrossOriginCookieAuth, |
20 | MainConfigNames::CanonicalServer, |
21 | MainConfigNames::CrossSiteAJAXdomains, |
22 | MainConfigNames::CrossSiteAJAXdomainExceptions, |
23 | ]; |
24 | |
25 | /** @var ServiceOptions */ |
26 | private $options; |
27 | |
28 | /** @var ResponseFactory */ |
29 | private $responseFactory; |
30 | |
31 | /** @var UserIdentity */ |
32 | private $user; |
33 | |
34 | /** |
35 | * @param ServiceOptions $options |
36 | * @param ResponseFactory $responseFactory |
37 | * @param UserIdentity $user |
38 | */ |
39 | public function __construct( |
40 | ServiceOptions $options, |
41 | ResponseFactory $responseFactory, |
42 | UserIdentity $user |
43 | ) { |
44 | $options->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS ); |
45 | $this->options = $options; |
46 | $this->responseFactory = $responseFactory; |
47 | $this->user = $user; |
48 | } |
49 | |
50 | /** |
51 | * Only allow registered users to make unsafe cross-origin requests. |
52 | * |
53 | * @param RequestInterface $request |
54 | * @param Handler $handler |
55 | * @return string|null If the request is denied, the string error code. If |
56 | * the request is allowed, null. |
57 | */ |
58 | public function authorize( RequestInterface $request, Handler $handler ) { |
59 | // Handlers that need write access are by definition a cache-miss, therefore there is no |
60 | // need to vary by the origin. |
61 | if ( |
62 | $handler->needsWriteAccess() |
63 | && $request->hasHeader( 'Origin' ) |
64 | && !$this->user->isRegistered() |
65 | ) { |
66 | $origin = Origin::parseHeaderList( $request->getHeader( 'Origin' ) ); |
67 | |
68 | if ( !$this->allowOrigin( $origin ) ) { |
69 | return 'rest-cross-origin-anon-write'; |
70 | } |
71 | } |
72 | |
73 | return null; |
74 | } |
75 | |
76 | /** |
77 | * @param Origin $origin |
78 | * @return bool |
79 | */ |
80 | private function allowOrigin( Origin $origin ): bool { |
81 | $allowed = array_merge( [ $this->getCanonicalDomain() ], |
82 | $this->options->get( MainConfigNames::CrossSiteAJAXdomains ) ); |
83 | $excluded = $this->options->get( MainConfigNames::CrossSiteAJAXdomainExceptions ); |
84 | |
85 | return $origin->match( $allowed, $excluded ); |
86 | } |
87 | |
88 | /** |
89 | * @return string |
90 | */ |
91 | private function getCanonicalDomain(): string { |
92 | $res = parse_url( $this->options->get( MainConfigNames::CanonicalServer ) ); |
93 | '@phan-var array $res'; |
94 | |
95 | $host = $res['host'] ?? ''; |
96 | $port = $res['port'] ?? null; |
97 | |
98 | return $port ? "$host:$port" : $host; |
99 | } |
100 | |
101 | /** |
102 | * Modify response to allow for CORS. |
103 | * |
104 | * This method should be executed for every response from the REST API |
105 | * including errors. |
106 | * |
107 | * @param RequestInterface $request |
108 | * @param ResponseInterface $response |
109 | * @return ResponseInterface |
110 | */ |
111 | public function modifyResponse( RequestInterface $request, ResponseInterface $response ): ResponseInterface { |
112 | if ( !$this->options->get( MainConfigNames::AllowCrossOrigin ) ) { |
113 | return $response; |
114 | } |
115 | |
116 | $allowedOrigin = '*'; |
117 | |
118 | if ( $this->options->get( MainConfigNames::RestAllowCrossOriginCookieAuth ) ) { |
119 | // @TODO Since we only Vary the response if (1) the method is OPTIONS or (2) the user is |
120 | // registered, it is safe to only add the Vary: Origin when those two conditions |
121 | // are met since a response to a logged-in user's request is not cachable. |
122 | // Therefore, logged out users should always get `Access-Control-Allow-Origin: *` |
123 | // on all non-OPTIONS request and logged-in users *may* get |
124 | // `Access-Control-Allow-Origin: <requested origin>` |
125 | |
126 | // Vary All Requests by the Origin header. |
127 | $response->addHeader( 'Vary', 'Origin' ); |
128 | |
129 | // If the Origin header is missing, there is nothing to check against. |
130 | if ( $request->hasHeader( 'Origin' ) ) { |
131 | $origin = Origin::parseHeaderList( $request->getHeader( 'Origin' ) ); |
132 | if ( $this->allowOrigin( $origin ) ) { |
133 | // Only set the allowed origin for preflight requests, or for main requests where a registered |
134 | // user is authenticated. This prevents having to Vary all requests by the Origin. |
135 | // Anonymous users will always get '*', registered users *may* get the requested origin back. |
136 | if ( $request->getMethod() === 'OPTIONS' || $this->user->isRegistered() ) { |
137 | $allowedOrigin = $origin->getSingleOrigin(); |
138 | } |
139 | } |
140 | } |
141 | } |
142 | |
143 | // If the Origin was determined to be something other than *any* allow the session |
144 | // cookies to be sent with the main request. If this is the main request, allow the |
145 | // response to be read. |
146 | // |
147 | // If the client includes the credentials on a simple request (HEAD, GET, etc.), but |
148 | // they do not pass this check, the browser will refuse to allow the client to read the |
149 | // response. The client may resolve this by repeating the request without the |
150 | // credentials. |
151 | if ( $allowedOrigin !== '*' ) { |
152 | $response->setHeader( 'Access-Control-Allow-Credentials', 'true' ); |
153 | } |
154 | |
155 | $response->setHeader( 'Access-Control-Allow-Origin', $allowedOrigin ); |
156 | |
157 | return $response; |
158 | } |
159 | |
160 | /** |
161 | * Create a CORS preflight response. |
162 | * |
163 | * @param array $allowedMethods |
164 | * @return ResponseInterface |
165 | */ |
166 | public function createPreflightResponse( array $allowedMethods ): ResponseInterface { |
167 | $response = $this->responseFactory->createNoContent(); |
168 | $response->setHeader( 'Access-Control-Allow-Methods', $allowedMethods ); |
169 | |
170 | $allowedHeaders = $this->options->get( MainConfigNames::AllowedCorsHeaders ); |
171 | $allowedHeaders = array_merge( $allowedHeaders, array_diff( [ |
172 | // Authorization header must be explicitly listed which prevent the use of '*' |
173 | 'Authorization', |
174 | // REST must allow Content-Type to be operational |
175 | 'Content-Type', |
176 | // REST relies on conditional requests for some endpoints |
177 | 'If-Mach', |
178 | 'If-None-Match', |
179 | 'If-Modified-Since', |
180 | ], $allowedHeaders ) ); |
181 | $response->setHeader( 'Access-Control-Allow-Headers', $allowedHeaders ); |
182 | |
183 | return $response; |
184 | } |
185 | } |