Merge pull request #1921 from jberry-suse/obs_operator-robustness

obs_operator: improve robustness

obs_operator.py

@@ -55,13 +55,16 @@ class RequestHandler(BaseHTTPRequestHandler):
             self.end_headers()
             return
 
-        with OSCRequestEnvironment(self) as oscrc_file:
+        try:
-            func = getattr(self, 'handle_{}'.format(path_prefix.replace('/', '_')))
+            with OSCRequestEnvironment(self) as oscrc_file:
-            command = func(path_parts[2:], query)
+                func = getattr(self, 'handle_{}'.format(path_prefix.replace('/', '_')))
+                command = func(path_parts[2:], query)
 
-            self.end_headers()
+                self.end_headers()
-            if command and not self.execute(oscrc_file, command):
+                if command and not self.execute(oscrc_file, command):
-                self.write_string('failed')
+                    self.write_string('failed')
+        except OSCRequestEnvironmentException as e:
+            self.write_string(str(e))
 
     def do_POST(self):
         action = self.path.lstrip('/')
@@ -79,16 +82,19 @@ class RequestHandler(BaseHTTPRequestHandler):
         if self.debug:
             print('data: {}'.format(data))
 
-        with OSCRequestEnvironment(self, user) as oscrc_file:
+        try:
-            func = getattr(self, 'handle_{}'.format(action))
+            with OSCRequestEnvironment(self, user) as oscrc_file:
-            commands = func(data)
+                func = getattr(self, 'handle_{}'.format(action))
-            self.end_headers()
+                commands = func(data)
+                self.end_headers()
 
-            for command in commands:
+                for command in commands:
-                self.write_string('$ {}\n'.format(' '.join(command)))
+                    self.write_string('$ {}\n'.format(' '.join(command)))
-                if not self.execute(oscrc_file, command):
+                    if not self.execute(oscrc_file, command):
-                    self.write_string('failed')
+                        self.write_string('failed')
-                    break
+                        break
+        except OSCRequestEnvironmentException as e:
+            self.write_string(str(e))
 
     def data_parse(self):
         data = self.rfile.read(int(self.headers['Content-Length']))
@@ -98,12 +104,12 @@ class RequestHandler(BaseHTTPRequestHandler):
         if self.apiurl:
             return self.apiurl
 
-        origin = self.headers.get('Origin')
+        host = self.headers.get('Host')
-        if not origin:
+        if not host:
             return None
 
         # Strip port if present.
-        domain = urlparse(origin).netloc.split(':', 2)[0]
+        domain = host.split(':', 2)[0]
         if '.' not in domain:
             return None
 
@@ -111,6 +117,16 @@ class RequestHandler(BaseHTTPRequestHandler):
         domain_parent = '.'.join(domain.split('.')[1:])
         return 'https://api.{}'.format(domain_parent)
 
+    def origin_domain_get(self):
+        origin = self.headers.get('Origin')
+        if origin is not None:
+            # Strip port if present.
+            domain = urlparse(origin).netloc.split(':', 2)[0]
+            if '.' in domain:
+                return '.'.join(domain.split('.')[1:])
+
+        return None
+
     def session_get(self):
         if self.session:
             return self.session
@@ -210,24 +226,30 @@ class OSCRequestEnvironment(object):
 
     def __enter__(self):
         apiurl = self.handler.apiurl_get()
-        if not apiurl:
+        origin_domain = self.handler.origin_domain_get()
+        if not apiurl or (origin_domain and not apiurl.endswith(origin_domain)):
             self.handler.send_response(400)
             self.handler.end_headers()
-            return
+            if not apiurl:
+                raise OSCRequestEnvironmentException('unable to determine apiurl')
+            else:
+                raise OSCRequestEnvironmentException('origin does not match host domain')
 
         session = self.handler.session_get()
         if not session:
             self.handler.send_response(401)
             self.handler.end_headers()
-            return
+            raise OSCRequestEnvironmentException('unable to determine session')
+
         if self.handler.debug:
             print('apiurl: {}'.format(apiurl))
             print('session: {}'.format(session))
 
         self.handler.send_response(200)
         self.handler.send_header('Content-type', 'text/plain')
-        self.handler.send_header('Access-Control-Allow-Credentials', 'true')
+        if origin_domain:
-        self.handler.send_header('Access-Control-Allow-Origin', self.handler.headers.get('Origin'))
+            self.handler.send_header('Access-Control-Allow-Credentials', 'true')
+            self.handler.send_header('Access-Control-Allow-Origin', self.handler.headers.get('Origin'))
 
         self.cookiejar_file = tempfile.NamedTemporaryFile()
         self.oscrc_file = tempfile.NamedTemporaryFile()
@@ -244,6 +266,9 @@ class OSCRequestEnvironment(object):
         self.cookiejar_file.__exit__(exc_type, exc_val, exc_tb)
         self.oscrc_file.__exit__(exc_type, exc_val, exc_tb)
 
+class OSCRequestEnvironmentException(Exception):
+    pass
+
 def main(args):
     RequestHandler.apiurl = args.apiurl
     RequestHandler.session = args.session