From 150fbba53a0e241de3622335e11d31bb3c536a49 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 21 Jul 2022 15:25:38 +0200 Subject: [PATCH] [Fixes #9718] fix renaming of CORS_ORIGIN_ALLOW_ALL (#9719) (#9720) * fix renaming of CORS_ORIGIN_ALLOW_ALL * test * fixed pep Co-authored-by: Giovanni Allegri --- .circleci/config.yml | 2 +- .devcontainer/.env | 2 +- .env | 2 +- .env_dev | 2 +- .env_local | 2 +- .env_test | 2 +- geonode/local_settings.py.geoserver.sample | 2 +- geonode/settings.py | 2 +- geonode/tests/test_headers.py | 45 ++++++++++++++++++++++ package/support/geonode.local_settings | 2 +- 10 files changed, 54 insertions(+), 9 deletions(-) create mode 100644 geonode/tests/test_headers.py
diff --git a/.circleci/config.yml b/.circleci/config.yml
index e8e8155c001..e23a7f40f3f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -128,7 +128,7 @@ workflows:
 name: geonode_test_suite_smoke
 load_docker_cache: false
 save_docker_cache: false
- test_suite: ./test.sh geonode.tests.smoke geonode.tests.test_message_notifications geonode.tests.test_rest_api geonode.tests.test_search geonode.tests.test_utils
+ test_suite: ./test.sh geonode.tests.smoke geonode.tests.test_message_notifications geonode.tests.test_rest_api geonode.tests.test_search geonode.tests.test_utils geonode.tests.test_headers
 - build:
 name: geonode_test_suite
 load_docker_cache: false
diff --git a/.devcontainer/.env b/.devcontainer/.env
index 1723f259678..bd27dcf42dd 100644
--- a/.devcontainer/.env
+++ b/.devcontainer/.env
@@ -126,7 +126,7 @@ DEFAULT_FROM_EMAIL='GeoNode '
 # Session/Access Control
 LOCKDOWN_GEONODE=False
-CORS_ORIGIN_ALLOW_ALL=True
+CORS_ALLOW_ALL_ORIGINS=True
 X_FRAME_OPTIONS="SAMEORIGIN"
 SESSION_EXPIRED_CONTROL_ENABLED=True
 DEFAULT_ANONYMOUS_VIEW_PERMISSION=True
diff --git a/.env b/.env
index 084e6bf7e0f..97106e5931a 100644
--- a/.env
+++ b/.env
@@ -129,7 +129,7 @@ DEFAULT_FROM_EMAIL='GeoNode '
 # Session/Access Control
 LOCKDOWN_GEONODE=False
-CORS_ORIGIN_ALLOW_ALL=True
+CORS_ALLOW_ALL_ORIGINS=True
 X_FRAME_OPTIONS="SAMEORIGIN"
 SESSION_EXPIRED_CONTROL_ENABLED=True
 DEFAULT_ANONYMOUS_VIEW_PERMISSION=True
diff --git a/.env_dev b/.env_dev
index f3f9a081016..f0ca3c0a05c 100644
--- a/.env_dev
+++ b/.env_dev
@@ -123,7 +123,7 @@ DEFAULT_FROM_EMAIL='GeoNode '
 # Session/Access Control
 LOCKDOWN_GEONODE=False
-CORS_ORIGIN_ALLOW_ALL=True
+CORS_ALLOW_ALL_ORIGINS=True
 X_FRAME_OPTIONS="SAMEORIGIN"
 SESSION_EXPIRED_CONTROL_ENABLED=True
 DEFAULT_ANONYMOUS_VIEW_PERMISSION=True
diff --git a/.env_local b/.env_local
index d7e9b77b506..bceaa90c863 100644
--- a/.env_local
+++ b/.env_local
@@ -123,7 +123,7 @@ DEFAULT_FROM_EMAIL='GeoNode '
 # Session/Access Control
 LOCKDOWN_GEONODE=False
-CORS_ORIGIN_ALLOW_ALL=True
+CORS_ALLOW_ALL_ORIGINS=True
 X_FRAME_OPTIONS="SAMEORIGIN"
 SESSION_EXPIRED_CONTROL_ENABLED=True
 DEFAULT_ANONYMOUS_VIEW_PERMISSION=True
diff --git a/.env_test b/.env_test
index 8403ef327a8..5715b72bb8a 100644
--- a/.env_test
+++ b/.env_test
@@ -123,7 +123,7 @@ DEFAULT_FROM_EMAIL='GeoNode '
 # Session/Access Control
 LOCKDOWN_GEONODE=False
-CORS_ORIGIN_ALLOW_ALL=True
+CORS_ALLOW_ALL_ORIGINS=True
 X_FRAME_OPTIONS="SAMEORIGIN"
 SESSION_EXPIRED_CONTROL_ENABLED=True
 DEFAULT_ANONYMOUS_VIEW_PERMISSION=True
diff --git a/geonode/local_settings.py.geoserver.sample b/geonode/local_settings.py.geoserver.sample
index a77d4539ea6..8e6dbfdb253 100644
--- a/geonode/local_settings.py.geoserver.sample
+++ b/geonode/local_settings.py.geoserver.sample
@@ -602,6 +602,6 @@ LOGGING = {
 # Additional settings
 X_FRAME_OPTIONS = 'ALLOW-FROM %s' % SITEURL
-CORS_ORIGIN_ALLOW_ALL = True
+CORS_ALLOW_ALL_ORIGINS = True
 GEOIP_PATH = "/usr/local/share/GeoIP"
diff --git a/geonode/settings.py b/geonode/settings.py
index 3622d787d18..befeff1c563 100644
--- a/geonode/settings.py
+++ b/geonode/settings.py
@@ -789,7 +789,7 @@
 SESSION_COOKIE_SECURE = ast.literal_eval(os.environ.get('SESSION_COOKIE_SECURE', 'False'))
 CSRF_COOKIE_SECURE = ast.literal_eval(os.environ.get('CSRF_COOKIE_SECURE', 'False'))
 CSRF_COOKIE_HTTPONLY = ast.literal_eval(os.environ.get('CSRF_COOKIE_HTTPONLY', 'False'))
-CORS_ORIGIN_ALLOW_ALL = ast.literal_eval(os.environ.get('CORS_ORIGIN_ALLOW_ALL', 'False'))
+CORS_ALLOW_ALL_ORIGINS = ast.literal_eval(os.environ.get('CORS_ALLOW_ALL_ORIGINS', 'False'))
 X_FRAME_OPTIONS = os.environ.get('X_FRAME_OPTIONS', 'DENY')
 SECURE_CONTENT_TYPE_NOSNIFF = ast.literal_eval(os.environ.get('SECURE_CONTENT_TYPE_NOSNIFF', 'True'))
 SECURE_BROWSER_XSS_FILTER = ast.literal_eval(os.environ.get('SECURE_BROWSER_XSS_FILTER', 'True'))
diff --git a/geonode/tests/test_headers.py b/geonode/tests/test_headers.py
new file mode 100644
index 00000000000..6546bc83181
--- /dev/null
+++ b/geonode/tests/test_headers.py
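Review bot: The environment lookup on the new `CORS_ALLOW_ALL_ORIGINS` line has no fallback to the old variable name, so a deployment whose own env file still sets `CORS_ORIGIN_ALLOW_ALL=True` will silently get `False` after upgrading. That fails closed, which is the safe direction, but cross-origin clients would break with no hint why; consider `os.environ.get('CORS_ALLOW_ALL_ORIGINS', os.environ.get('CORS_ORIGIN_ALLOW_ALL', 'False'))` for a deprecation period, or at least an upgrade note. A comment on this line such as `# True answers every origin with Access-Control-Allow-Origin: *; keep False in production unless the API is meant to be public` would also help, since every .env file touched by this commit sets the value to True.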
@@ -0,0 +1,45 @@
+#########################################################################
+#
+# Copyright (C) 2022 OSGeo
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+#########################################################################
+
+from django.shortcuts import reverse
+from geonode.tests.base import GeoNodeBaseTestSupport
+
+from corsheaders.middleware import ACCESS_CONTROL_ALLOW_ORIGIN
+
+
+class TestHeaders(GeoNodeBaseTestSupport):
+
+ def test_cors_headers(self):
+ categories_url = reverse('categories-list')
+ headers = {
+ 'HTTP_ORIGIN': "http://127.0.0.1"
+ }
+ with self.settings(CORS_ALLOW_ALL_ORIGINS=True, CORS_ALLOW_CREDENTIALS=False):
+ response = self.client.get(
+ categories_url,
+ **headers
+ )
+ self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], '*')
+
+ with self.settings(CORS_ALLOW_ALL_ORIGINS=False):
+ response = self.client.get(
+ categories_url,
+ **headers
+ )
+ self.assertIsNone(getattr(response, 'ACCESS_CONTROL_ALLOW_ORIGIN', None))
diff --git a/package/support/geonode.local_settings b/package/support/geonode.local_settings
index a683692284e..a23fdf341eb 100644
--- a/package/support/geonode.local_settings
+++ b/package/support/geonode.local_settings
@@ -414,7 +414,7 @@ LOGGING = {
 }
 # Additional settings
-CORS_ORIGIN_ALLOW_ALL = True
+CORS_ALLOW_ALL_ORIGINS = True
 GEOIP_PATH = "/usr/local/share/GeoIP"
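Review bot: The negative case at the end of `test_cors_headers` cannot fail: `getattr(response, 'ACCESS_CONTROL_ALLOW_ORIGIN', None)` looks up a Python attribute named by a string literal on the response object, not the CORS header, so it yields `None` whether or not the header was sent. As written, the test would still pass if `CORS_ALLOW_ALL_ORIGINS=False` left the wildcard in place, which is the regression it is meant to catch. Check the header itself through the imported constant, e.g. `self.assertFalse(response.has_header(ACCESS_CONTROL_ALLOW_ORIGIN))`. Adding `CORS_ALLOWED_ORIGINS=[]` to that second `self.settings(...)` override would presumably also keep the result independent of any origin allow-list configured in the test environment.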