[SEC] implement robust CORS configuration with settings support

Dependent on: odoo/aw-webui#1

Author: RaoufGhrissi

.gitignore

@@ -10,3 +10,5 @@ NDK
 *.sqlite*
 *.db
 *.db-journal
+
+.vscode

Cargo.lock

@@ -34,6 +34,7 @@ aw-datastore = { path = "../aw-datastore" }
 aw-models = { path = "../aw-models" }
 aw-transform = { path = "../aw-transform" }
 aw-query = { path = "../aw-query" }
+regex = "1.12.3"
 
 [target.'cfg(target_os="linux")'.dependencies]
 sd-notify = "0.4.2"

aw-server/Cargo.toml

@@ -36,6 +36,24 @@ pub struct AWConfig {
     #[serde(default = "default_cors")]
     pub cors_regex: Vec<String>,
 
+    #[serde(default = "default_true")]
+    pub allow_aw_chrome_extension: bool,
+
+    #[serde(default = "default_false")]
+    pub allow_all_mozilla_extension: bool,
+
+    #[serde(default = "default_cors")]
+    pub cors_from_settings: Vec<String>,
+
+    #[serde(default = "default_cors")]
+    pub cors_regex_from_settings: Vec<String>,
+
+    #[serde(skip)]
+    pub allow_aw_chrome_extension_from_settings: Option<bool>,
+
+    #[serde(skip)]
+    pub allow_all_mozilla_extension_from_settings: Option<bool>,
+
     // A mapping of watcher names to paths where the
     // custom visualizations are located.
     #[serde(default = "default_custom_static")]
@@ -50,6 +68,12 @@ impl Default for AWConfig {
             testing: default_testing(),
             cors: default_cors(),
             cors_regex: default_cors(),
+            allow_aw_chrome_extension: default_true(),
+            allow_all_mozilla_extension: default_false(),
+            cors_from_settings: default_cors(),
+            cors_regex_from_settings: default_cors(),
+            allow_aw_chrome_extension_from_settings: None,
+            allow_all_mozilla_extension_from_settings: None,
             custom_static: default_custom_static(),
         }
     }
@@ -91,6 +115,14 @@ fn default_testing() -> bool {
     is_testing()
 }
 
+fn default_true() -> bool {
+    true
+}
+
+fn default_false() -> bool {
+    false
+}
+
 fn default_port() -> u16 {
     if is_testing() {
         5666

aw-server/src/config.rs

@@ -8,20 +8,29 @@ pub fn cors(config: &AWConfig) -> rocket_cors::Cors {
     let root_url_localhost = format!("http://localhost:{}", config.port);
     let mut allowed_exact_origins = vec![root_url, root_url_localhost];
     allowed_exact_origins.extend(config.cors.clone());
+    allowed_exact_origins.extend(config.cors_from_settings.clone());
 
-    if config.testing {
-        allowed_exact_origins.push("http://127.0.0.1:27180".to_string());
-        allowed_exact_origins.push("http://localhost:27180".to_string());
+    let mut allowed_regex_origins = config.cors_regex.clone();
+    allowed_regex_origins.extend(config.cors_regex_from_settings.clone());
+
+    // Settings-based flags override file-based config flags
+    let allow_chrome = config.allow_aw_chrome_extension_from_settings
+        .unwrap_or(config.allow_aw_chrome_extension);
+    if allow_chrome {
+        allowed_regex_origins.push("chrome-extension://nglaklhklhcoonedhgnpgddginnjdadi".to_string());
     }
-    let mut allowed_regex_origins = vec![
-        "chrome-extension://nglaklhklhcoonedhgnpgddginnjdadi".to_string(),
-        // Every version of a mozilla extension has its own ID to avoid fingerprinting, so we
-        // unfortunately have to allow all extensions to have access to aw-server
-        "moz-extension://.*".to_string(),
-    ];
-    allowed_regex_origins.extend(config.cors_regex.clone());
+
+    let allow_mozilla = config.allow_all_mozilla_extension_from_settings
+        .unwrap_or(config.allow_all_mozilla_extension);
+    if allow_mozilla {
+        allowed_regex_origins.push("moz-extension://.*".to_string());
+    }
+
     if config.testing {
-        allowed_regex_origins.push("chrome-extension://.*".to_string());
+        allowed_exact_origins.extend(vec![
+            "http://127.0.0.1:27180".to_string(), 
+            "http://localhost:27180".to_string(),
+        ]);
     }
 
     let allowed_origins = AllowedOrigins::some(&allowed_exact_origins, &allowed_regex_origins);
@@ -31,7 +40,6 @@ pub fn cors(config: &AWConfig) -> rocket_cors::Cors {
         .collect();
     let allowed_headers = AllowedHeaders::all(); // TODO: is this unsafe?
 
-    // You can also deserialize this
     rocket_cors::CorsOptions {
         allowed_origins,
         allowed_methods,

aw-server/src/endpoints/cors.rs

@@ -127,11 +127,44 @@ fn get_file(file: PathBuf, state: &State<ServerState>) -> Option<(ContentType, V
     Some((content_type, asset))
 }
 
-pub fn build_rocket(server_state: ServerState, config: AWConfig) -> rocket::Rocket<rocket::Build> {
+pub fn build_rocket(server_state: ServerState, mut config: AWConfig) -> rocket::Rocket<rocket::Build> {
     info!(
         "Starting aw-server-rust at {}:{}",
         config.address, config.port
     );
+    {
+        let db = server_state.datastore.lock().unwrap();
+        let parse_cors_list = |raw: String| -> Vec<String> {
+            serde_json::from_str::<String>(&raw)
+                .unwrap_or_default()
+                .split(',')
+                .map(|s| s.trim().to_string())
+                .filter(|s| !s.is_empty())
+                .collect()
+        };
+        let parse_bool = |raw: String| -> Option<bool> {
+            serde_json::from_str::<bool>(&raw)
+                .ok()
+                .or_else(|| {
+                    if raw == "true" { Some(true) }
+                    else if raw == "false" { Some(false) }
+                    else { None }
+                })
+        };
+
+        if let Ok(raw) = db.get_key_value("settings.cors") {
+            config.cors_from_settings = parse_cors_list(raw);
+        }
+        if let Ok(raw) = db.get_key_value("settings.cors_regex") {
+            config.cors_regex_from_settings = parse_cors_list(raw);
+        }
+        if let Ok(raw) = db.get_key_value("settings.allow_aw_chrome_extension") {
+            config.allow_aw_chrome_extension_from_settings = parse_bool(raw);
+        }
+        if let Ok(raw) = db.get_key_value("settings.allow_all_mozilla_extension") {
+            config.allow_all_mozilla_extension_from_settings = parse_bool(raw);
+        }
+    } // lock released here
     let cors = cors::cors(&config);
     let hostcheck = hostcheck::HostCheck::new(&config);
     let custom_static = config.custom_static.clone();