Development mode for Signer UI (#1788)
* Development mode for Signer * CLI option for signer-dev * Renaming CLI option * Make obvious that CLI option is insecure. [ci:skip] * Additional warning over security
This commit is contained in:
Tomasz Drwięga
Gav Wood
@@ -53,6 +53,7 @@ pub struct ServerBuilder {
|
||||
queue: Arc<ConfirmationsQueue>,
|
||||
handler: Arc<IoHandler>,
|
||||
authcodes_path: PathBuf,
|
||||
skip_origin_validation: bool,
|
||||
}
|
||||
|
||||
impl Extendable for ServerBuilder {
|
||||
@@ -68,13 +69,21 @@ impl ServerBuilder {
|
||||
queue: queue,
|
||||
handler: Arc::new(IoHandler::new()),
|
||||
authcodes_path: authcodes_path,
|
||||
skip_origin_validation: false,
|
||||
}
|
||||
}
|
||||
|
||||
/// If set to `true` server will not verify Origin of incoming requests.
|
||||
/// Not recommended. Use only for development.
|
||||
pub fn skip_origin_validation(mut self, skip: bool) -> Self {
|
||||
self.skip_origin_validation = skip;
|
||||
self
|
||||
}
|
||||
|
||||
/// Starts a new `WebSocket` server in separate thread.
|
||||
/// Returns a `Server` handle which closes the server when droped.
|
||||
pub fn start(self, addr: SocketAddr) -> Result<Server, ServerError> {
|
||||
Server::start(addr, self.handler, self.queue, self.authcodes_path)
|
||||
Server::start(addr, self.handler, self.queue, self.authcodes_path, self.skip_origin_validation)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -89,10 +98,10 @@ pub struct Server {
|
||||
impl Server {
|
||||
/// Starts a new `WebSocket` server in separate thread.
|
||||
/// Returns a `Server` handle which closes the server when droped.
|
||||
fn start(addr: SocketAddr, handler: Arc<IoHandler>, queue: Arc<ConfirmationsQueue>, authcodes_path: PathBuf) -> Result<Server, ServerError> {
|
||||
fn start(addr: SocketAddr, handler: Arc<IoHandler>, queue: Arc<ConfirmationsQueue>, authcodes_path: PathBuf, skip_origin_validation: bool) -> Result<Server, ServerError> {
|
||||
let config = {
|
||||
let mut config = ws::Settings::default();
|
||||
// It's also used for handling min-sysui requests (browser can make many of them in paralel)
|
||||
// accept only handshakes beginning with GET
|
||||
config.method_strict = true;
|
||||
// Was shutting down server when suspending on linux:
|
||||
config.shutdown_on_interrupt = false;
|
||||
@@ -101,7 +110,9 @@ impl Server {
|
||||
|
||||
// Create WebSocket
|
||||
let origin = format!("{}", addr);
|
||||
let ws = try!(ws::Builder::new().with_settings(config).build(session::Factory::new(handler, origin, authcodes_path)));
|
||||
let ws = try!(ws::Builder::new().with_settings(config).build(
|
||||
session::Factory::new(handler, origin, authcodes_path, skip_origin_validation)
|
||||
));
|
||||
|
||||
let panic_handler = PanicHandler::new_in_arc();
|
||||
let ph = panic_handler.clone();
|
||||
|
||||
@@ -96,6 +96,7 @@ fn add_headers(mut response: ws::Response, mime: &str) -> ws::Response {
|
||||
|
||||
pub struct Session {
|
||||
out: ws::Sender,
|
||||
skip_origin_validation: bool,
|
||||
self_origin: String,
|
||||
authcodes_path: PathBuf,
|
||||
handler: Arc<IoHandler>,
|
||||
@@ -107,9 +108,11 @@ impl ws::Handler for Session {
|
||||
let host = req.header("host").or_else(|| req.header("Host")).map(|x| &x[..]);
|
||||
|
||||
// Check request origin and host header.
|
||||
if !origin_is_allowed(&self.self_origin, origin) && !(origin.is_none() && origin_is_allowed(&self.self_origin, host)) {
|
||||
warn!(target: "signer", "Blocked connection to Signer API from untrusted origin.");
|
||||
return Ok(ws::Response::forbidden(format!("You are not allowed to access system ui. Use: http://{}", self.self_origin)));
|
||||
if !self.skip_origin_validation {
|
||||
if !origin_is_allowed(&self.self_origin, origin) && !(origin.is_none() && origin_is_allowed(&self.self_origin, host)) {
|
||||
warn!(target: "signer", "Blocked connection to Signer API from untrusted origin.");
|
||||
return Ok(ws::Response::forbidden(format!("You are not allowed to access system ui. Use: http://{}", self.self_origin)));
|
||||
}
|
||||
}
|
||||
|
||||
// Detect if it's a websocket request.
|
||||
@@ -150,14 +153,16 @@ impl ws::Handler for Session {
|
||||
|
||||
pub struct Factory {
|
||||
handler: Arc<IoHandler>,
|
||||
skip_origin_validation: bool,
|
||||
self_origin: String,
|
||||
authcodes_path: PathBuf,
|
||||
}
|
||||
|
||||
impl Factory {
|
||||
pub fn new(handler: Arc<IoHandler>, self_origin: String, authcodes_path: PathBuf) -> Self {
|
||||
pub fn new(handler: Arc<IoHandler>, self_origin: String, authcodes_path: PathBuf, skip_origin_validation: bool) -> Self {
|
||||
Factory {
|
||||
handler: handler,
|
||||
skip_origin_validation: skip_origin_validation,
|
||||
self_origin: self_origin,
|
||||
authcodes_path: authcodes_path,
|
||||
}
|
||||
@@ -171,6 +176,7 @@ impl ws::Factory for Factory {
|
||||
Session {
|
||||
out: sender,
|
||||
handler: self.handler.clone(),
|
||||
skip_origin_validation: self.skip_origin_validation,
|
||||
self_origin: self.self_origin.clone(),
|
||||
authcodes_path: self.authcodes_path.clone(),
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user