Remove obsolete dapps and update security headers (#2694)

* Embed allowed only on signer port * Adding security headers to dapps * Adding security headers to signer * Removing old dapps
2016-10-19 11:02:21 +02:00
parent 487dfb0208
commit 5e67c89b4b
18 changed files with 123 additions and 93 deletions
--- a/dapps/Cargo.toml
+++ b/dapps/Cargo.toml
@@ -31,9 +31,7 @@ parity-ui = { path = "./ui" }
 parity-dapps-glue = { path = "./js-glue" }
 ### DEPRECATED
 parity-dapps = { git = "https://github.com/ethcore/parity-ui.git", version = "1.4" }
-parity-dapps-status = { git = "https://github.com/ethcore/parity-ui.git", version = "1.4" }
 parity-dapps-home = { git = "https://github.com/ethcore/parity-ui.git", version = "1.4" }
-parity-dapps-wallet = { git = "https://github.com/ethcore/parity-ui.git", version = "1.4", optional = true }
 ### /DEPRECATED

 mime_guess = { version = "1.6.1" }
@@ -43,14 +41,11 @@ clippy = { version = "0.0.90", optional = true}
 serde_codegen = { version = "0.8", optional = true }

 [features]
-default = ["serde_codegen", "extra-dapps"]
-extra-dapps = ["parity-dapps-wallet"]
+default = ["serde_codegen"]
 nightly = ["serde_macros"]
 dev = ["clippy", "ethcore-rpc/dev", "ethcore-util/dev"]

 use-precompiled-js = [
 	"parity-ui/use-precompiled-js",
-	"parity-dapps-status/use-precompiled-js",
 	"parity-dapps-home/use-precompiled-js",
-	"parity-dapps-wallet/use-precompiled-js"
 ]
--- a/dapps/src/apps/mod.rs
+++ b/dapps/src/apps/mod.rs
@@ -26,7 +26,6 @@ pub mod urlhint;
 pub mod fetcher;
 pub mod manifest;

-extern crate parity_dapps_status;
 extern crate parity_dapps_home;
 extern crate parity_ui;

@@ -50,37 +49,22 @@ pub fn utils() -> Box<Endpoint> {
 	Box::new(PageEndpoint::with_prefix(parity_dapps_home::App::default(), UTILS_PATH.to_owned()))
 }

-pub fn all_endpoints(dapps_path: String) -> Endpoints {
+pub fn all_endpoints(dapps_path: String, signer_port: Option<u16>) -> Endpoints {
 	// fetch fs dapps at first to avoid overwriting builtins
 	let mut pages = fs::local_endpoints(dapps_path);
-	// Home page needs to be safe embed
-	// because we use Cross-Origin LocalStorage.
-	// TODO [ToDr] Account naming should be moved to parity.
-	pages.insert("home".into(), Box::new(
-		PageEndpoint::new_safe_to_embed(parity_dapps_home::App::default())
-	));
+
 	// NOTE [ToDr] Dapps will be currently embeded on 8180
 	pages.insert("ui".into(), Box::new(
-		PageEndpoint::new_safe_to_embed(NewUi::default())
+		PageEndpoint::new_safe_to_embed(NewUi::default(), signer_port)
 	));
-	pages.insert("proxy".into(), ProxyPac::boxed());
-	insert::<parity_dapps_status::App>(&mut pages, "status");
-	insert::<parity_dapps_status::App>(&mut pages, "parity");

-	// Optional dapps
-	wallet_page(&mut pages);
+	pages.insert("proxy".into(), ProxyPac::boxed());
+	insert::<parity_dapps_home::App>(&mut pages, "home");
+

 	pages
 }

-#[cfg(feature = "parity-dapps-wallet")]
-fn wallet_page(pages: &mut Endpoints) {
-	extern crate parity_dapps_wallet;
-	insert::<parity_dapps_wallet::App>(pages, "wallet");
-}
-#[cfg(not(feature = "parity-dapps-wallet"))]
-fn wallet_page(_pages: &mut Endpoints) {}
-
 fn insert<T : WebApp + Default + 'static>(pages: &mut Endpoints, id: &str) {
 	pages.insert(id.to_owned(), Box::new(PageEndpoint::new(T::default())));
 }
--- a/dapps/src/handlers/content.rs
+++ b/dapps/src/handlers/content.rs
@@ -23,53 +23,55 @@ use hyper::status::StatusCode;

 use util::version;

+use handlers::add_security_headers;
+
 #[derive(Clone)]
 pub struct ContentHandler {
 	code: StatusCode,
 	content: String,
 	mimetype: String,
 	write_pos: usize,
+	safe_to_embed_at_port: Option<u16>,
 }

 impl ContentHandler {
 	pub fn ok(content: String, mimetype: String) -> Self {
-		ContentHandler {
-			code: StatusCode::Ok,
-			content: content,
-			mimetype: mimetype,
-			write_pos: 0
-		}
+		Self::new(StatusCode::Ok, content, mimetype)
 	}

 	pub fn not_found(content: String, mimetype: String) -> Self {
-		ContentHandler {
-			code: StatusCode::NotFound,
-			content: content,
-			mimetype: mimetype,
-			write_pos: 0
-		}
+		Self::new(StatusCode::NotFound, content, mimetype)
 	}

-	pub fn html(code: StatusCode, content: String) -> Self {
-		Self::new(code, content, "text/html".into())
+	pub fn html(code: StatusCode, content: String, embeddable_at: Option<u16>) -> Self {
+		Self::new_embeddable(code, content, "text/html".into(), embeddable_at)
 	}

 	pub fn error(code: StatusCode, title: &str, message: &str, details: Option<&str>) -> Self {
+		Self::error_embeddable(code, title, message, details, None)
+	}
+
+	pub fn error_embeddable(code: StatusCode, title: &str, message: &str, details: Option<&str>, embeddable_at: Option<u16>) -> Self {
 		Self::html(code, format!(
 			include_str!("../error_tpl.html"),
 			title=title,
 			message=message,
 			details=details.unwrap_or_else(|| ""),
 			version=version(),
-		))
+		), embeddable_at)
 	}

 	pub fn new(code: StatusCode, content: String, mimetype: String) -> Self {
+		Self::new_embeddable(code, content, mimetype, None)
+	}
+
+	pub fn new_embeddable(code: StatusCode, content: String, mimetype: String, embeddable_at: Option<u16>) -> Self {
 		ContentHandler {
 			code: code,
 			content: content,
 			mimetype: mimetype,
 			write_pos: 0,
+			safe_to_embed_at_port: embeddable_at,
 		}
 	}
 }
@@ -86,6 +88,7 @@ impl server::Handler<HttpStream> for ContentHandler {
 	fn on_response(&mut self, res: &mut server::Response) -> Next {
 		res.set_status(self.code);
 		res.headers_mut().set(header::ContentType(self.mimetype.parse().unwrap()));
+		add_security_headers(&mut res.headers_mut(), self.safe_to_embed_at_port.clone());
 		Next::write()
 	}

--- a/dapps/src/handlers/mod.rs
+++ b/dapps/src/handlers/mod.rs
@@ -31,6 +31,24 @@ pub use self::fetch::{ContentFetcherHandler, ContentValidator, FetchControl};
 use url::Url;
 use hyper::{server, header, net, uri};

+/// Adds security-related headers to the Response.
+pub fn add_security_headers(headers: &mut header::Headers, embeddable_at: Option<u16>) {
+	headers.set_raw("X-XSS-Protection", vec![b"1; mode=block".to_vec()]);
+	headers.set_raw("X-Content-Type-Options", vec![b"nosniff".to_vec()]);
+
+	// Embedding header:
+	if let Some(port) = embeddable_at {
+		headers.set_raw(
+			"X-Frame-Options",
+			vec![format!("ALLOW-FROM http://127.0.0.1:{}", port).into_bytes()]
+			);
+	} else {
+		// TODO [ToDr] Should we be more strict here (DENY?)?
+		headers.set_raw("X-Frame-Options",  vec![b"SAMEORIGIN".to_vec()]);
+	}
+}
+
+/// Extracts URL part from the Request.
 pub fn extract_url(req: &server::Request<net::HttpStream>) -> Option<Url> {
 	match *req.uri() {
 		uri::RequestUri::AbsoluteUri(ref url) => {
--- a/dapps/src/lib.rs
+++ b/dapps/src/lib.rs
@@ -108,6 +108,7 @@ pub struct ServerBuilder {
 	handler: Arc<IoHandler>,
 	registrar: Arc<ContractClient>,
 	sync_status: Arc<SyncStatus>,
+	signer_port: Option<u16>,
 }

 impl Extendable for ServerBuilder {
@@ -124,6 +125,7 @@ impl ServerBuilder {
 			handler: Arc::new(IoHandler::new()),
 			registrar: registrar,
 			sync_status: Arc::new(|| false),
+			signer_port: None,
 		}
 	}

@@ -132,6 +134,11 @@ impl ServerBuilder {
 		self.sync_status = status;
 	}

+	/// Change default signer port.
+	pub fn with_signer_port(&mut self, signer_port: Option<u16>) {
+		self.signer_port = signer_port;
+	}
+
 	/// Asynchronously start server with no authentication,
 	/// returns result with `Server` handle on success or an error.
 	pub fn start_unsecured_http(&self, addr: &SocketAddr, hosts: Option<Vec<String>>) -> Result<Server, ServerError> {
@@ -141,6 +148,7 @@ impl ServerBuilder {
 			NoAuth,
 			self.handler.clone(),
 			self.dapps_path.clone(),
+			self.signer_port.clone(),
 			self.registrar.clone(),
 			self.sync_status.clone(),
 		)
@@ -155,6 +163,7 @@ impl ServerBuilder {
 			HttpBasicAuth::single_user(username, password),
 			self.handler.clone(),
 			self.dapps_path.clone(),
+			self.signer_port.clone(),
 			self.registrar.clone(),
 			self.sync_status.clone(),
 		)
@@ -189,13 +198,14 @@ impl Server {
 		authorization: A,
 		handler: Arc<IoHandler>,
 		dapps_path: String,
+		signer_port: Option<u16>,
 		registrar: Arc<ContractClient>,
 		sync_status: Arc<SyncStatus>,
 	) -> Result<Server, ServerError> {
 		let panic_handler = Arc::new(Mutex::new(None));
 		let authorization = Arc::new(authorization);
 		let content_fetcher = Arc::new(apps::fetcher::ContentFetcher::new(apps::urlhint::URLHintContract::new(registrar), sync_status));
-		let endpoints = Arc::new(apps::all_endpoints(dapps_path));
+		let endpoints = Arc::new(apps::all_endpoints(dapps_path, signer_port));
 		let special = Arc::new({
 			let mut special = HashMap::new();
 			special.insert(router::SpecialEndpoint::Rpc, rpc::rpc(handler, panic_handler.clone()));
--- a/dapps/src/page/builtin.rs
+++ b/dapps/src/page/builtin.rs
@@ -25,7 +25,7 @@ pub struct PageEndpoint<T : WebApp + 'static> {
 	/// Prefix to strip from the path (when `None` deducted from `app_id`)
 	pub prefix: Option<String>,
 	/// Safe to be loaded in frame by other origin. (use wisely!)
-	safe_to_embed: bool,
+	safe_to_embed_at_port: Option<u16>,
 	info: EndpointInfo,
 }

@@ -36,7 +36,7 @@ impl<T: WebApp + 'static> PageEndpoint<T> {
 		PageEndpoint {
 			app: Arc::new(app),
 			prefix: None,
-			safe_to_embed: false,
+			safe_to_embed_at_port: None,
 			info: EndpointInfo::from(info),
 		}
 	}
@@ -49,7 +49,7 @@ impl<T: WebApp + 'static> PageEndpoint<T> {
 		PageEndpoint {
 			app: Arc::new(app),
 			prefix: Some(prefix),
-			safe_to_embed: false,
+			safe_to_embed_at_port: None,
 			info: EndpointInfo::from(info),
 		}
 	}
@@ -57,12 +57,12 @@ impl<T: WebApp + 'static> PageEndpoint<T> {
 	/// Creates new `PageEndpoint` which can be safely used in iframe
 	/// even from different origin. It might be dangerous (clickjacking).
 	/// Use wisely!
-	pub fn new_safe_to_embed(app: T) -> Self {
+	pub fn new_safe_to_embed(app: T, port: Option<u16>) -> Self {
 		let info = app.info();
 		PageEndpoint {
 			app: Arc::new(app),
 			prefix: None,
-			safe_to_embed: true,
+			safe_to_embed_at_port: port,
 			info: EndpointInfo::from(info),
 		}
 	}
@@ -79,8 +79,8 @@ impl<T: WebApp> Endpoint for PageEndpoint<T> {
 			app: BuiltinDapp::new(self.app.clone()),
 			prefix: self.prefix.clone(),
 			path: path,
-			file: Default::default(),
-			safe_to_embed: self.safe_to_embed,
+			file: handler::ServedFile::new(self.safe_to_embed_at_port.clone()),
+			safe_to_embed_at_port: self.safe_to_embed_at_port.clone(),
 		})
 	}
 }
--- a/dapps/src/page/handler.rs
+++ b/dapps/src/page/handler.rs
@@ -22,7 +22,7 @@ use hyper::net::HttpStream;
 use hyper::status::StatusCode;
 use hyper::{Decoder, Encoder, Next};
 use endpoint::EndpointPath;
-use handlers::ContentHandler;
+use handlers::{ContentHandler, add_security_headers};

 /// Represents a file that can be sent to client.
 /// Implementation should keep track of bytes already sent internally.
@@ -57,13 +57,14 @@ pub enum ServedFile<T: Dapp> {
 	Error(ContentHandler),
 }

-impl<T: Dapp> Default for ServedFile<T> {
-	fn default() -> Self {
-		ServedFile::Error(ContentHandler::error(
+impl<T: Dapp> ServedFile<T> {
+	pub fn new(embeddable_at: Option<u16>) -> Self {
+		ServedFile::Error(ContentHandler::error_embeddable(
 			StatusCode::NotFound,
 			"404 Not Found",
 			"Requested dapp resource was not found.",
-			None
+			None,
+			embeddable_at,
 		))
 	}
 }
@@ -81,7 +82,7 @@ pub struct PageHandler<T: Dapp> {
 	/// Requested path.
 	pub path: EndpointPath,
 	/// Flag indicating if the file can be safely embeded (put in iframe).
-	pub safe_to_embed: bool,
+	pub safe_to_embed_at_port: Option<u16>,
 }

 impl<T: Dapp> PageHandler<T> {
@@ -115,7 +116,7 @@ impl<T: Dapp> server::Handler<HttpStream> for PageHandler<T> {
 				self.app.file(&self.extract_path(url.path()))
 			},
 			_ => None,
-		}.map_or_else(|| ServedFile::default(), |f| ServedFile::File(f));
+		}.map_or_else(|| ServedFile::new(self.safe_to_embed_at_port.clone()), |f| ServedFile::File(f));
 		Next::write()
 	}

@@ -128,9 +129,8 @@ impl<T: Dapp> server::Handler<HttpStream> for PageHandler<T> {
 			ServedFile::File(ref f) => {
 				res.set_status(StatusCode::Ok);
 				res.headers_mut().set(header::ContentType(f.content_type().parse().unwrap()));
-				if !self.safe_to_embed {
-					res.headers_mut().set_raw("X-Frame-Options", vec![b"SAMEORIGIN".to_vec()]);
-				}
+				// Security headers:
+				add_security_headers(&mut res.headers_mut(), self.safe_to_embed_at_port);
 				Next::write()
 			},
 			ServedFile::Error(ref mut handler) => {
@@ -212,8 +212,8 @@ fn should_extract_path_with_appid() {
 			port: 8080,
 			using_dapps_domains: true,
 		},
-		file: Default::default(),
-		safe_to_embed: true,
+		file: ServedFile::new(None),
+		safe_to_embed_at_port: None,
 	};

 	// when
--- a/dapps/src/page/local.rs
+++ b/dapps/src/page/local.rs
@@ -61,16 +61,16 @@ impl Endpoint for LocalPageEndpoint {
 				app: LocalSingleFile { path: self.path.clone(), mime: mime.clone() },
 				prefix: None,
 				path: path,
-				file: Default::default(),
-				safe_to_embed: false,
+				file: handler::ServedFile::new(None),
+				safe_to_embed_at_port: None,
 			})
 		} else {
 			Box::new(handler::PageHandler {
 				app: LocalDapp { path: self.path.clone() },
 				prefix: None,
 				path: path,
-				file: Default::default(),
-				safe_to_embed: false,
+				file: handler::ServedFile::new(None),
+				safe_to_embed_at_port: None,
 			})
 		}
 	}
--- a/dapps/src/tests/api.rs
+++ b/dapps/src/tests/api.rs
@@ -14,7 +14,7 @@
 // You should have received a copy of the GNU General Public License
 // along with Parity.  If not, see <http://www.gnu.org/licenses/>.

-use tests::helpers::{serve, serve_with_registrar, request};
+use tests::helpers::{serve, serve_with_registrar, request, assert_security_headers};

 #[test]
 fn should_return_error() {
@@ -36,6 +36,7 @@ fn should_return_error() {
 	assert_eq!(response.status, "HTTP/1.1 404 Not Found".to_owned());
 	assert_eq!(response.headers.get(0).unwrap(), "Content-Type: application/json");
 	assert_eq!(response.body, format!("58\n{}\n0\n\n", r#"{"code":"404","title":"Not Found","detail":"Resource you requested has not been found."}"#));
+	assert_security_headers(&response.headers);
 }

 #[test]
@@ -58,6 +59,7 @@ fn should_serve_apps() {
 	assert_eq!(response.status, "HTTP/1.1 200 OK".to_owned());
 	assert_eq!(response.headers.get(0).unwrap(), "Content-Type: application/json");
 	assert!(response.body.contains("Parity Home Screen"), response.body);
+	assert_security_headers(&response.headers);
 }

 #[test]
@@ -80,6 +82,7 @@ fn should_handle_ping() {
 	assert_eq!(response.status, "HTTP/1.1 200 OK".to_owned());
 	assert_eq!(response.headers.get(0).unwrap(), "Content-Type: application/json");
 	assert_eq!(response.body, "0\n\n".to_owned());
+	assert_security_headers(&response.headers);
 }


@@ -101,5 +104,6 @@ fn should_try_to_resolve_dapp() {
 	// then
 	assert_eq!(response.status, "HTTP/1.1 404 Not Found".to_owned());
 	assert_eq!(registrar.calls.lock().len(), 2);
+	assert_security_headers(&response.headers);
 }

--- a/dapps/src/tests/authorization.rs
+++ b/dapps/src/tests/authorization.rs
@@ -14,7 +14,7 @@
 // You should have received a copy of the GNU General Public License
 // along with Parity.  If not, see <http://www.gnu.org/licenses/>.

-use tests::helpers::{serve_with_auth, request};
+use tests::helpers::{serve_with_auth, request, assert_security_headers};

 #[test]
 fn should_require_authorization() {
@@ -76,4 +76,5 @@ fn should_allow_on_valid_auth() {

 	// then
 	assert_eq!(response.status, "HTTP/1.1 200 OK".to_owned());
+	assert_security_headers(&response.headers);
 }
--- a/dapps/src/tests/fetch.rs
+++ b/dapps/src/tests/fetch.rs
@@ -14,7 +14,7 @@
 // You should have received a copy of the GNU General Public License
 // along with Parity.  If not, see <http://www.gnu.org/licenses/>.

-use tests::helpers::{serve_with_registrar, request};
+use tests::helpers::{serve_with_registrar, request, assert_security_headers};

 #[test]
 fn should_resolve_dapp() {
@@ -34,5 +34,6 @@ fn should_resolve_dapp() {
 	// then
 	assert_eq!(response.status, "HTTP/1.1 404 Not Found".to_owned());
 	assert_eq!(registrar.calls.lock().len(), 2);
+	assert_security_headers(&response.headers);
 }

--- a/dapps/src/tests/helpers.rs
+++ b/dapps/src/tests/helpers.rs
@@ -92,3 +92,7 @@ pub fn serve() -> Server {
 pub fn request(server: Server, request: &str) -> http_client::Response {
 	http_client::request(server.addr(), request)
 }
+
+pub fn assert_security_headers(headers: &[String]) {
+	http_client::assert_security_headers_present(headers)
+}
--- a/dapps/src/tests/redirection.rs
+++ b/dapps/src/tests/redirection.rs
@@ -14,7 +14,7 @@
 // You should have received a copy of the GNU General Public License
 // along with Parity.  If not, see <http://www.gnu.org/licenses/>.

-use tests::helpers::{serve, request};
+use tests::helpers::{serve, request, assert_security_headers};

 #[test]
 fn should_redirect_to_home() {
@@ -74,6 +74,7 @@ fn should_display_404_on_invalid_dapp() {
 	// then
 	assert_eq!(response.status, "HTTP/1.1 404 Not Found".to_owned());
 	assert!(response.body.contains("href=\"/home/"));
+	assert_security_headers(&response.headers);
 }

 #[test]
@@ -94,6 +95,7 @@ fn should_display_404_on_invalid_dapp_with_domain() {
 	// then
 	assert_eq!(response.status, "HTTP/1.1 404 Not Found".to_owned());
 	assert!(response.body.contains("href=\"http://home.parity/"));
+	assert_security_headers(&response.headers);
 }

 #[test]
@@ -160,6 +162,7 @@ fn should_serve_proxy_pac() {
 	// then
 	assert_eq!(response.status, "HTTP/1.1 200 OK".to_owned());
 	assert_eq!(response.body, "86\n\nfunction FindProxyForURL(url, host) {\n\tif (shExpMatch(host, \"*.parity\"))\n\t{\n\t\treturn \"PROXY 127.0.0.1:8080\";\n\t}\n\n\treturn \"DIRECT\";\n}\n\n0\n\n".to_owned());
+	assert_security_headers(&response.headers);
 }

 #[test]
@@ -181,5 +184,6 @@ fn should_serve_utils() {
 	// then
 	assert_eq!(response.status, "HTTP/1.1 200 OK".to_owned());
 	assert_eq!(response.body.contains("function(){"), true);
+	assert_security_headers(&response.headers);
 }