Funktionierender Prototyp des Serious Games zur Vermittlung von Wissen zu Software-Engineering-Arbeitsmodellen.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

websocket.py 5.7KB

1 year ago
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153
  1. from urllib.parse import urlparse
  2. from django.conf import settings
  3. from django.http.request import is_same_domain
  4. from ..generic.websocket import AsyncWebsocketConsumer
  5. class OriginValidator:
  6. """
  7. Validates that the incoming connection has an Origin header that
  8. is in an allowed list.
  9. """
  10. def __init__(self, application, allowed_origins):
  11. self.application = application
  12. self.allowed_origins = allowed_origins
  13. async def __call__(self, scope, receive, send):
  14. # Make sure the scope is of type websocket
  15. if scope["type"] != "websocket":
  16. raise ValueError(
  17. "You cannot use OriginValidator on a non-WebSocket connection"
  18. )
  19. # Extract the Origin header
  20. parsed_origin = None
  21. for header_name, header_value in scope.get("headers", []):
  22. if header_name == b"origin":
  23. try:
  24. # Set ResultParse
  25. parsed_origin = urlparse(header_value.decode("latin1"))
  26. except UnicodeDecodeError:
  27. pass
  28. # Check to see if the origin header is valid
  29. if self.valid_origin(parsed_origin):
  30. # Pass control to the application
  31. return await self.application(scope, receive, send)
  32. else:
  33. # Deny the connection
  34. denier = WebsocketDenier()
  35. return await denier(scope, receive, send)
  36. def valid_origin(self, parsed_origin):
  37. """
  38. Checks parsed origin is None.
  39. Pass control to the validate_origin function.
  40. Returns ``True`` if validation function was successful, ``False`` otherwise.
  41. """
  42. # None is not allowed unless all hosts are allowed
  43. if parsed_origin is None and "*" not in self.allowed_origins:
  44. return False
  45. return self.validate_origin(parsed_origin)
  46. def validate_origin(self, parsed_origin):
  47. """
  48. Validate the given origin for this site.
  49. Check than the origin looks valid and matches the origin pattern in
  50. specified list ``allowed_origins``. Any pattern begins with a scheme.
  51. After the scheme there must be a domain. Any domain beginning with a
  52. period corresponds to the domain and all its subdomains (for example,
  53. ``http://.example.com``). After the domain there must be a port,
  54. but it can be omitted. ``*`` matches anything and anything
  55. else must match exactly.
  56. Note. This function assumes that the given origin has a schema, domain
  57. and port, but port is optional.
  58. Returns ``True`` for a valid host, ``False`` otherwise.
  59. """
  60. return any(
  61. pattern == "*" or self.match_allowed_origin(parsed_origin, pattern)
  62. for pattern in self.allowed_origins
  63. )
  64. def match_allowed_origin(self, parsed_origin, pattern):
  65. """
  66. Returns ``True`` if the origin is either an exact match or a match
  67. to the wildcard pattern. Compares scheme, domain, port of origin and pattern.
  68. Any pattern can be begins with a scheme. After the scheme must be a domain,
  69. or just domain without scheme.
  70. Any domain beginning with a period corresponds to the domain and all
  71. its subdomains (for example, ``.example.com`` ``example.com``
  72. and any subdomain). Also with scheme (for example, ``http://.example.com``
  73. ``http://exapmple.com``). After the domain there must be a port,
  74. but it can be omitted.
  75. Note. This function assumes that the given origin is either None, a
  76. schema-domain-port string, or just a domain string
  77. """
  78. if parsed_origin is None:
  79. return False
  80. # Get ResultParse object
  81. parsed_pattern = urlparse(pattern.lower())
  82. if parsed_origin.hostname is None:
  83. return False
  84. if not parsed_pattern.scheme:
  85. pattern_hostname = urlparse("//" + pattern).hostname or pattern
  86. return is_same_domain(parsed_origin.hostname, pattern_hostname)
  87. # Get origin.port or default ports for origin or None
  88. origin_port = self.get_origin_port(parsed_origin)
  89. # Get pattern.port or default ports for pattern or None
  90. pattern_port = self.get_origin_port(parsed_pattern)
  91. # Compares hostname, scheme, ports of pattern and origin
  92. if (
  93. parsed_pattern.scheme == parsed_origin.scheme
  94. and origin_port == pattern_port
  95. and is_same_domain(parsed_origin.hostname, parsed_pattern.hostname)
  96. ):
  97. return True
  98. return False
  99. def get_origin_port(self, origin):
  100. """
  101. Returns the origin.port or port for this schema by default.
  102. Otherwise, it returns None.
  103. """
  104. if origin.port is not None:
  105. # Return origin.port
  106. return origin.port
  107. # if origin.port doesn`t exists
  108. if origin.scheme == "http" or origin.scheme == "ws":
  109. # Default port return for http, ws
  110. return 80
  111. elif origin.scheme == "https" or origin.scheme == "wss":
  112. # Default port return for https, wss
  113. return 443
  114. else:
  115. return None
  116. def AllowedHostsOriginValidator(application):
  117. """
  118. Factory function which returns an OriginValidator configured to use
  119. settings.ALLOWED_HOSTS.
  120. """
  121. allowed_hosts = settings.ALLOWED_HOSTS
  122. if settings.DEBUG and not allowed_hosts:
  123. allowed_hosts = ["localhost", "127.0.0.1", "[::1]"]
  124. return OriginValidator(application, allowed_hosts)
  125. class WebsocketDenier(AsyncWebsocketConsumer):
  126. """
  127. Simple application which denies all requests to it.
  128. """
  129. async def connect(self):
  130. await self.close()