From b0aa229d9b88e89c7fc3eb7f136096a2ca16e624 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Wed, 20 Nov 2019 14:28:20 -0500
Subject: [PATCH] Add configuration and NixOS module support for specifying allowed origins
---
 morph/grid.config.json | 5 +++++
 morph/issuer.nix | 2 ++
 morph/testing-grid.config.json | 4 ++++
 nixos/modules/issuer.nix | 17 +++++++++++++++--
 4 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/morph/grid.config.json b/morph/grid.config.json
index c6ee2642..db199357 100644
--- a/morph/grid.config.json
+++ b/morph/grid.config.json
@@ -3,4 +3,9 @@
 , "stripeSecretKeyPath": "../../PrivateStorageSecrets/stripe.secret"
 , "issuerDomain": "payments.privatestorage.io"
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
+, "allowedChargeOrigins": [
+ "http://localhost:5000"
+ , "https://privatestorage-staging.com"
+ , "https://www.privatestorage-staging.com"
+ ]
 }
diff --git a/morph/issuer.nix b/morph/issuer.nix
index fe448699..a37bba5c 100644
--- a/morph/issuer.nix
+++ b/morph/issuer.nix
@@ -3,6 +3,7 @@
 , stripeSecretKeyPath
 , issuerDomain
 , letsEncryptAdminEmail
+, allowedChargeOrigins
 , stateVersion
 , ...
 }: {
@@ -32,6 +33,7 @@
 databasePath = "/var/db/vouchers.sqlite3";
 inherit letsEncryptAdminEmail;
 domain = issuerDomain;
+ inherit allowedChargeOrigins;
 };
 system.stateVersion = stateVersion;
diff --git a/morph/testing-grid.config.json b/morph/testing-grid.config.json
index 46cf4ff2..16d93802 100644
--- a/morph/testing-grid.config.json
+++ b/morph/testing-grid.config.json
@@ -3,4 +3,8 @@
 , "stripeSecretKeyPath": "../../PrivateStorageSecrets/stripe.secret"
 , "issuerDomain": "payments.privatestorage-staging.com"
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
+, "allowedChargeOrigins": [
+ "https://privatestorage.io"
+ , "https://www.privatestorage.io"
+ ]
 }
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index dbe75132..fdf63d64 100644
--- a/nixos/modules/issuer.nix
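Review bot: The origin lists in the two grid configs look swapped. In morph/grid.config.json the issuer domain is `payments.privatestorage.io`, yet `allowedChargeOrigins` lists `http://localhost:5000` and the `privatestorage-staging.com` hosts, while morph/testing-grid.config.json (issuer `payments.privatestorage-staging.com`) lists the `privatestorage.io` hosts. If grid.config.json is the production grid, its payment server would send permissive CORS headers for the staging site and for any page served from a visitor's own port 5000, but not for the production site. I would exchange the two lists and keep the plain-HTTP `http://localhost:5000` entry in the testing config only.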
+++ b/nixos/modules/issuer.nix
@@ -78,6 +78,14 @@ in {
 for the service's TLS certificate.
 '';
 };
+ services.private-storage-issuer.allowedChargeOrigins = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ description = ''
+ The CORS "Origin" values which are allowed to submit charges to the
+ payment server. Note this is not currently enforced by the
+ PaymentServer. It just controls the CORS headers served.
+ '';
+ };
 };
 config =
@@ -131,9 +139,14 @@ in {
 else
 # Only for automated testing.
 "--http-port 80";
- stripeArgs = "--stripe-key ${builtins.readFile cfg.stripeSecretKeyPath}";
+
+ prefixOption = s: "--allow-origin=" + s;
+ originStrings = map prefixOption cfg.allowedChargeOrigins;
+ originArgs = builtins.concatStringsSep " " originStrings;
+
+ stripeArgs = "--stripe-key-path ${cfg.stripeSecretKeyPath}";
 in
- "${cfg.package}/bin/PaymentServer-exe ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
+ "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
 };
 # Certificate renewal. We must declare that we *require* it in our
-- 
GitLab
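Review bot: The origin strings are spliced into the command line unquoted in the second hunk of nixos/modules/issuer.nix, via `prefixOption = s: "--allow-origin=" + s;` and a space-joined concatenation. The option type is `listOf str`, so a value containing a space or a quote character would change how the arguments are split and could shift or override the flags that follow (`${issuerArgs}` through `${stripeArgs}`). I would quote each argument, `prefixOption = s: lib.escapeShellArg ("--allow-origin=" + s);`, assuming the resulting string is parsed with shell-style quoting where it is consumed, which is outside the hunk. Separately, `"--stripe-key-path ${cfg.stripeSecretKeyPath}"` would copy the key file into the world-readable Nix store if the option value is a Nix path rather than a string; the option's type is not visible here, so that is worth confirming.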