From b0aa229d9b88e89c7fc3eb7f136096a2ca16e624 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Wed, 20 Nov 2019 14:28:20 -0500
Subject: [PATCH] Add configuration and NixOS module support for specifying
 allowed origins

---
 morph/grid.config.json         |  5 +++++
 morph/issuer.nix               |  2 ++
 morph/testing-grid.config.json |  4 ++++
 nixos/modules/issuer.nix       | 17 +++++++++++++++--
 4 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/morph/grid.config.json b/morph/grid.config.json
index c6ee2642..db199357 100644
--- a/morph/grid.config.json
+++ b/morph/grid.config.json
@@ -3,4 +3,9 @@
 , "stripeSecretKeyPath": "../../PrivateStorageSecrets/stripe.secret"
 , "issuerDomain": "payments.privatestorage.io"
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
+, "allowedChargeOrigins": [
+    "http://localhost:5000"
+  , "https://privatestorage-staging.com"
+  , "https://www.privatestorage-staging.com"
+  ]
 }
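Review bot: The origin lists look swapped between the two configs. This file sets `issuerDomain` to `payments.privatestorage.io` but allows `https://privatestorage-staging.com`, its `www` variant and `http://localhost:5000`, while the `morph/testing-grid.config.json` hunk sets `issuerDomain` to `payments.privatestorage-staging.com` and allows `https://privatestorage.io` and `https://www.privatestorage.io`. If this file is the production grid (inferred from the domain, not stated in the patch), staging sites and a plaintext localhost origin would be able to make cross-origin charge requests against it, while the real site would be refused. I would move `http://localhost:5000` and the staging origins to the testing config and list only the production HTTPS origins here.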
diff --git a/morph/issuer.nix b/morph/issuer.nix
index fe448699..a37bba5c 100644
--- a/morph/issuer.nix
+++ b/morph/issuer.nix
@@ -3,6 +3,7 @@
 , stripeSecretKeyPath
 , issuerDomain
 , letsEncryptAdminEmail
+, allowedChargeOrigins
 , stateVersion
 , ...
 }: {
@@ -32,6 +33,7 @@
     databasePath = "/var/db/vouchers.sqlite3";
     inherit letsEncryptAdminEmail;
     domain = issuerDomain;
+    inherit allowedChargeOrigins;
   };
 
   system.stateVersion = stateVersion;
diff --git a/morph/testing-grid.config.json b/morph/testing-grid.config.json
index 46cf4ff2..16d93802 100644
--- a/morph/testing-grid.config.json
+++ b/morph/testing-grid.config.json
@@ -3,4 +3,8 @@
 , "stripeSecretKeyPath": "../../PrivateStorageSecrets/stripe.secret"
 , "issuerDomain": "payments.privatestorage-staging.com"
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
+, "allowedChargeOrigins": [
+    "https://privatestorage.io"
+  , "https://www.privatestorage.io"
+  ]
 }
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index dbe75132..fdf63d64 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -78,6 +78,14 @@ in {
         for the service's TLS certificate.
       '';
     };
+    services.private-storage-issuer.allowedChargeOrigins = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = ''
+        The CORS "Origin" values which are allowed to submit charges to the
+        payment server.  Note this is not currently enforced by the
+        PaymentServer.  It just controls the CORS headers served.
+      '';
+    };
   };
 
   config =
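Review bot: The new `allowedChargeOrigins` option has no `example`, and its description does not say what form a value must take, so operators cannot tell that a CORS origin is scheme plus host plus optional port, with no path or trailing slash. A value in the wrong form never matches a browser's `Origin` header and fails without any error. I would add `example = [ "https://example.com" ];` and one sentence in the description stating the form. Omitting `default` makes every importing configuration set the option explicitly; if that is intended, it deserves a mention in the description too.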
@@ -131,9 +139,14 @@ in {
             else
               # Only for automated testing.
               "--http-port 80";
-          stripeArgs = "--stripe-key ${builtins.readFile cfg.stripeSecretKeyPath}";
+
+          prefixOption = s: "--allow-origin=" + s;
+          originStrings = map prefixOption cfg.allowedChargeOrigins;
+          originArgs = builtins.concatStringsSep " " originStrings;
+
+          stripeArgs = "--stripe-key-path ${cfg.stripeSecretKeyPath}";
         in
-          "${cfg.package}/bin/PaymentServer-exe ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
+          "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
     };
 
     # Certificate renewal.  We must declare that we *require* it in our
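Review bot: `originArgs` joins the raw option strings with spaces and splices them into the command line unquoted, and `lib.types.listOf lib.types.str` accepts any string. An origin containing whitespace or shell metacharacters would therefore be split into extra arguments or, if this string ends up in a shell script, be interpreted by the shell. How the string is consumed is outside the hunk, as is the start of the enclosing `let`. I would quote at the point of construction, `originArgs = lib.escapeShellArgs (map prefixOption cfg.allowedChargeOrigins);`, after confirming those quoting rules suit the consumer. Alternatively, the option type could be narrowed with `lib.types.strMatching` so that only scheme://host[:port] values evaluate.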
-- 
GitLab