Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/zerver/lib/subdomains.py

92 lines
3.3 KiB
Python
Raw Normal View History

subdomains: Tighten search for EXTERNAL_HOST in get_subdomain. If a Zulip install at example.org got a request at an HTTP `Host` like foo.example.org.evil.com (or even foo.example.orgevil.com), we would accept it as subdomain foo. This isn't likely to happen in practice because it shouldn't pass ALLOWED_HOSTS, and it's not obvious to me that anything untoward could be done with it even if ALLOWED_HOSTS were set wide open, but if nothing else it multiplies the cases in analyzing this logic. The reason we had a loose match like this, I assume, is to allow the user to come from arbitrary ports -- especially in development. So tighten the pattern to allow just that, and add some tests for that behavior and a comment explaining why this complication is needed.
2017-10-20 06:30:34 +02:00
import re
markdown: Rewrite all external images to use Camo. Requesting external images is a privacy risk, so route all external images through Camo. Tweaked by tabbott for better test coverage, more comments, and to fix bugs.
2021-03-23 10:34:55 +01:00
import urllib
subdomains: Fix realm=None case for is_static_or_current_realm_url. Fixes #22636. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-10-06 21:24:46 +02:00
from typing import Optional
subdomains: Extract zerver.lib.subdomains library. These never really belonged with the rest of zerver.lib.utils.py, and having a separate library makes it easier to enforce full test coverage.
2017-10-19 07:21:57 +02:00
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from django.conf import settings
from django.http import HttpRequest
subdomains: Extend "static" to include resources hosted on S3. This causes avatars and emoji which are hosted by Zulip in S3 (or compatible) servers to no longer go through camo. Routing these requests through camo does not add any privacy benefit (as the request logs there go to the Zulip admins regardless), and may break emoji imported from Slack before 1bf385e35f04aad8121d685c42e46a3829130508, which have `application/octet-stream` as their stored Content-Type.
2021-06-05 02:38:54 +02:00
from zerver.lib.upload import get_public_upload_root_url
get_realm: raise DoesNotExist instead of returning None. This makes the implementation of `get_realm` consistent with its declared return type of `Realm` rather than `Optional[Realm]`. Fixes #12263. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-04 04:47:44 +02:00
from zerver.models import Realm, UserProfile
subdomains: Add a variable for how root domain is represented. We use Realm.SUBDOMAIN_FOR_ROOT_DOMAIN as the special name for how the root domain is referred to as a subdomain in the code.
2017-10-19 07:46:05 +02:00
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
zerver/lib: Change use of typing.Text to str.
2018-05-10 19:13:36 +02:00
def get_subdomain(request: HttpRequest) -> str:
subdomains: Tighten search for EXTERNAL_HOST in get_subdomain. If a Zulip install at example.org got a request at an HTTP `Host` like foo.example.org.evil.com (or even foo.example.orgevil.com), we would accept it as subdomain foo. This isn't likely to happen in practice because it shouldn't pass ALLOWED_HOSTS, and it's not obvious to me that anything untoward could be done with it even if ALLOWED_HOSTS were set wide open, but if nothing else it multiplies the cases in analyzing this logic. The reason we had a loose match like this, I assume, is to allow the user to come from arbitrary ports -- especially in development. So tighten the pattern to allow just that, and add some tests for that behavior and a comment explaining why this complication is needed.
2017-10-20 06:30:34 +02:00
# The HTTP spec allows, but doesn't require, a client to omit the
# port in the `Host` header if it's "the default port for the
# service requested", i.e. typically either 443 or 80; and
# whatever Django gets there, or from proxies reporting that via
# X-Forwarded-Host, it passes right through the same way. So our
# logic is a bit complicated to allow for that variation.
#
alias domains: Add a v1 of this feature. The main limitation of this version is that it's controlled entirely from settings, with nothing in the database and no web UI or even management command to control it. That makes it a bit more of a burden for the server admins than it'd ideally be, but that's fine for now. Relatedly, the web flow for realm creation still requires choosing a subdomain even if the realm is destined to live at an alias domain. Specific to the dev environment, there is an annoying quirk: the special dev login flow doesn't work on a REALM_HOSTS realm. Also, in this version the `add_new_realm` and `add_new_user` management commands, which are intended for use in development environments only, don't support this feature. In manual testing, I've confirmed that a REALM_HOSTS realm works for signup and login, with email/password, Google SSO, or GitHub SSO. Most of that was in dev; I used zulipstaging.com to also test * logging in with email and password; * logging in with Google SSO... far enough to correctly determine that my email address is associated with some other realm.
2017-10-20 06:36:50 +02:00
# For both EXTERNAL_HOST and REALM_HOSTS, we take a missing port
# to mean that any port should be accepted in Host. It's not
# totally clear that's the right behavior, but it keeps
# compatibility with older versions of Zulip, so that's a start.
subdomains: Tighten search for EXTERNAL_HOST in get_subdomain. If a Zulip install at example.org got a request at an HTTP `Host` like foo.example.org.evil.com (or even foo.example.orgevil.com), we would accept it as subdomain foo. This isn't likely to happen in practice because it shouldn't pass ALLOWED_HOSTS, and it's not obvious to me that anything untoward could be done with it even if ALLOWED_HOSTS were set wide open, but if nothing else it multiplies the cases in analyzing this logic. The reason we had a loose match like this, I assume, is to allow the user to come from arbitrary ports -- especially in development. So tighten the pattern to allow just that, and add some tests for that behavior and a comment explaining why this complication is needed.
2017-10-20 06:30:34 +02:00
subdomains: Refactor get_subdomain a bit. The helper _extract_subdomain doesn't have a super meaningful interface, and this is its one callsite. So just inline it.
2017-10-20 05:23:00 +02:00
host = request.get_host().lower()
subdomains: Extract get_subdomain_from_hostname function.
2019-03-06 12:59:40 +01:00
return get_subdomain_from_hostname(host)
subdomains: Tighten search for EXTERNAL_HOST in get_subdomain. If a Zulip install at example.org got a request at an HTTP `Host` like foo.example.org.evil.com (or even foo.example.orgevil.com), we would accept it as subdomain foo. This isn't likely to happen in practice because it shouldn't pass ALLOWED_HOSTS, and it's not obvious to me that anything untoward could be done with it even if ALLOWED_HOSTS were set wide open, but if nothing else it multiplies the cases in analyzing this logic. The reason we had a loose match like this, I assume, is to allow the user to come from arbitrary ports -- especially in development. So tighten the pattern to allow just that, and add some tests for that behavior and a comment explaining why this complication is needed.
2017-10-20 06:30:34 +02:00
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:19:30 +01:00
subdomains: Extract get_subdomain_from_hostname function.
2019-03-06 12:59:40 +01:00
def get_subdomain_from_hostname(host: str) -> str:
python: Reformat with Black 22 (stable). Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-02-15 23:45:41 +01:00
m = re.search(rf"\.{settings.EXTERNAL_HOST}(:\d+)?$", host)
subdomains: Tighten search for EXTERNAL_HOST in get_subdomain. If a Zulip install at example.org got a request at an HTTP `Host` like foo.example.org.evil.com (or even foo.example.orgevil.com), we would accept it as subdomain foo. This isn't likely to happen in practice because it shouldn't pass ALLOWED_HOSTS, and it's not obvious to me that anything untoward could be done with it even if ALLOWED_HOSTS were set wide open, but if nothing else it multiplies the cases in analyzing this logic. The reason we had a loose match like this, I assume, is to allow the user to come from arbitrary ports -- especially in development. So tighten the pattern to allow just that, and add some tests for that behavior and a comment explaining why this complication is needed.
2017-10-20 06:30:34 +02:00
if m:
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:19:30 +01:00
subdomain = host[: m.start()]
subdomains: Tighten search for EXTERNAL_HOST in get_subdomain. If a Zulip install at example.org got a request at an HTTP `Host` like foo.example.org.evil.com (or even foo.example.orgevil.com), we would accept it as subdomain foo. This isn't likely to happen in practice because it shouldn't pass ALLOWED_HOSTS, and it's not obvious to me that anything untoward could be done with it even if ALLOWED_HOSTS were set wide open, but if nothing else it multiplies the cases in analyzing this logic. The reason we had a loose match like this, I assume, is to allow the user to come from arbitrary ports -- especially in development. So tighten the pattern to allow just that, and add some tests for that behavior and a comment explaining why this complication is needed.
2017-10-20 06:30:34 +02:00
if subdomain in settings.ROOT_SUBDOMAIN_ALIASES:
return Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
return subdomain
alias domains: Add a v1 of this feature. The main limitation of this version is that it's controlled entirely from settings, with nothing in the database and no web UI or even management command to control it. That makes it a bit more of a burden for the server admins than it'd ideally be, but that's fine for now. Relatedly, the web flow for realm creation still requires choosing a subdomain even if the realm is destined to live at an alias domain. Specific to the dev environment, there is an annoying quirk: the special dev login flow doesn't work on a REALM_HOSTS realm. Also, in this version the `add_new_realm` and `add_new_user` management commands, which are intended for use in development environments only, don't support this feature. In manual testing, I've confirmed that a REALM_HOSTS realm works for signup and login, with email/password, Google SSO, or GitHub SSO. Most of that was in dev; I used zulipstaging.com to also test * logging in with email and password; * logging in with Google SSO... far enough to correctly determine that my email address is associated with some other realm.
2017-10-20 06:36:50 +02:00
for subdomain, realm_host in settings.REALM_HOSTS.items():
python: Reformat with Black 22 (stable). Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-02-15 23:45:41 +01:00
if re.search(rf"^{realm_host}(:\d+)?$", host):
alias domains: Add a v1 of this feature. The main limitation of this version is that it's controlled entirely from settings, with nothing in the database and no web UI or even management command to control it. That makes it a bit more of a burden for the server admins than it'd ideally be, but that's fine for now. Relatedly, the web flow for realm creation still requires choosing a subdomain even if the realm is destined to live at an alias domain. Specific to the dev environment, there is an annoying quirk: the special dev login flow doesn't work on a REALM_HOSTS realm. Also, in this version the `add_new_realm` and `add_new_user` management commands, which are intended for use in development environments only, don't support this feature. In manual testing, I've confirmed that a REALM_HOSTS realm works for signup and login, with email/password, Google SSO, or GitHub SSO. Most of that was in dev; I used zulipstaging.com to also test * logging in with email and password; * logging in with Google SSO... far enough to correctly determine that my email address is associated with some other realm.
2017-10-20 06:36:50 +02:00
return subdomain
subdomains: Tighten search for EXTERNAL_HOST in get_subdomain. If a Zulip install at example.org got a request at an HTTP `Host` like foo.example.org.evil.com (or even foo.example.orgevil.com), we would accept it as subdomain foo. This isn't likely to happen in practice because it shouldn't pass ALLOWED_HOSTS, and it's not obvious to me that anything untoward could be done with it even if ALLOWED_HOSTS were set wide open, but if nothing else it multiplies the cases in analyzing this logic. The reason we had a loose match like this, I assume, is to allow the user to come from arbitrary ports -- especially in development. So tighten the pattern to allow just that, and add some tests for that behavior and a comment explaining why this complication is needed.
2017-10-20 06:30:34 +02:00
return Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
subdomains: Extract zerver.lib.subdomains library. These never really belonged with the rest of zerver.lib.utils.py, and having a separate library makes it easier to enforce full test coverage.
2017-10-19 07:21:57 +02:00
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:19:30 +01:00
zerver/lib: Use python 3 syntax for typing. With tweaks by tabbott to fix line spacing.
2017-11-05 11:15:10 +01:00
def is_subdomain_root_or_alias(request: HttpRequest) -> bool:
subdomains: Simplify is_subdomain_root_or_alias. This logic is equivalent, though it takes a couple of readings to convince oneself of that. This version should then be easier to reason about.
2017-10-20 05:10:32 +02:00
return get_subdomain(request) == Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
subdomains: Extract zerver.lib.subdomains library. These never really belonged with the rest of zerver.lib.utils.py, and having a separate library makes it easier to enforce full test coverage.
2017-10-19 07:21:57 +02:00
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:19:30 +01:00
subdomain: Remove impossible None case from user_matches_subdomain. The only two callers pass get_subdomain(request) which can’t be None. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-09-14 07:45:28 +02:00
def user_matches_subdomain(realm_subdomain: str, user_profile: UserProfile) -> bool:
subdomains: Complete the refactor to user_matches_subdomain. Now that the old `check_subdomain` has no callers except in implementing the new, improved interface `user_matches_subdomain`, inline it into that. Also simplify the Boolean logic a bit.
2017-10-20 02:54:57 +02:00
return user_profile.realm.subdomain == realm_subdomain
subdomains: Refactor check_subdomain to a clearer interface. Now that every call site of check_subdomain produces its second argument in exactly the same way, push that shared bit of logic into a new wrapper for check_subdomain. Also give that new function a name that says more specifically what it's checking -- which I think is easier to articulate for this interface than for that of check_subdomain.
2017-10-20 02:53:24 +02:00
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:19:30 +01:00
zerver/lib: Use python 3 syntax for typing. With tweaks by tabbott to fix line spacing.
2017-11-05 11:15:10 +01:00
def is_root_domain_available() -> bool:
subdomains: Pass whether root domain is available to registration. This data is necessary to determine whether to offer the root domain in the realm creation form.
2017-10-19 07:42:03 +02:00
if settings.ROOT_DOMAIN_LANDING_PAGE:
return False
get_realm: raise DoesNotExist instead of returning None. This makes the implementation of `get_realm` consistent with its declared return type of `Realm` rather than `Optional[Realm]`. Fixes #12263. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-04 04:47:44 +02:00
return not Realm.objects.filter(string_id=Realm.SUBDOMAIN_FOR_ROOT_DOMAIN).exists()
markdown: Rewrite all external images to use Camo. Requesting external images is a privacy risk, so route all external images through Camo. Tweaked by tabbott for better test coverage, more comments, and to fix bugs.
2021-03-23 10:34:55 +01:00
subdomains: Fix realm=None case for is_static_or_current_realm_url. Fixes #22636. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-10-06 21:24:46 +02:00
def is_static_or_current_realm_url(url: str, realm: Optional[Realm]) -> bool:
settings: Allow customization of STATIC_URL. Some requests will still be to `/static/`, either at the realm's domain, or at the root domain.
2023-01-24 23:44:06 +01:00
assert settings.STATIC_URL is not None
markdown: Rewrite all external images to use Camo. Requesting external images is a privacy risk, so route all external images through Camo. Tweaked by tabbott for better test coverage, more comments, and to fix bugs.
2021-03-23 10:34:55 +01:00
split_url = urllib.parse.urlsplit(url)
split_static_url = urllib.parse.urlsplit(settings.STATIC_URL)
# The netloc check here is important to correctness if STATIC_URL
# does not contain a `/`; see the tests for why.
if split_url.netloc == split_static_url.netloc and url.startswith(settings.STATIC_URL):
return True
# HTTPS access to this Zulip organization's domain; our existing
# HTTPS protects this request, and there's no privacy benefit to
# using camo in front of the Zulip server itself.
subdomains: Fix realm=None case for is_static_or_current_realm_url. Fixes #22636. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-10-06 21:24:46 +02:00
if (
realm is not None
and split_url.netloc == realm.host
and f"{split_url.scheme}://" == settings.EXTERNAL_URI_SCHEME
):
markdown: Rewrite all external images to use Camo. Requesting external images is a privacy risk, so route all external images through Camo. Tweaked by tabbott for better test coverage, more comments, and to fix bugs.
2021-03-23 10:34:55 +01:00
return True
# Relative URLs will be processed by the browser the same way as the above.
if split_url.netloc == "" and split_url.scheme == "":
return True
subdomains: Extend "static" to include resources hosted on S3. This causes avatars and emoji which are hosted by Zulip in S3 (or compatible) servers to no longer go through camo. Routing these requests through camo does not add any privacy benefit (as the request logs there go to the Zulip admins regardless), and may break emoji imported from Slack before 1bf385e35f04aad8121d685c42e46a3829130508, which have `application/octet-stream` as their stored Content-Type.
2021-06-05 02:38:54 +02:00
# S3 storage we control, if used, is also static and thus exempt
if settings.LOCAL_UPLOADS_DIR is None:
# The startswith check is correct here because the public
# upload base URL is guaranteed to end with /.
public_upload_root_url = get_public_upload_root_url()
assert public_upload_root_url.endswith("/")
if url.startswith(public_upload_root_url):
return True
markdown: Rewrite all external images to use Camo. Requesting external images is a privacy risk, so route all external images through Camo. Tweaked by tabbott for better test coverage, more comments, and to fix bugs.
2021-03-23 10:34:55 +01:00
return False