From c80a026dac1c8d6800327cdffad1ea58c1a10b88 Mon Sep 17 00:00:00 2001
From: Seth House
Date: Tue, 16 May 2017 18:52:21 -0600
Subject: [PATCH] Add enable_sessions setting to disable all session-respecing URLs

---
 salt/netapi/rest_cherrypy/app.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/salt/netapi/rest_cherrypy/app.py b/salt/netapi/rest_cherrypy/app.py
index 7d4494b14c..94e809e0ea 100644
--- a/salt/netapi/rest_cherrypy/app.py
+++ b/salt/netapi/rest_cherrypy/app.py
@@ -117,6 +117,12 @@ A REST API for Salt
 static_path : ``/static``
 The URL prefix to use when serving static assets out of the directory specified in the ``static`` setting.
+ enable_sessions : ``True``
+ Enable or disable all endpoints that rely on session cookies. This can
+ be useful to enforce only header-based authentication.
+
+ .. versionadded:: Nitrogen
+
 app : ``index.html``
 A filesystem path to an HTML file that will be served as a static file.
 This is useful for bootstrapping a single-page JavaScript app.
@@ -1007,6 +1013,7 @@ class LowDataAdapter(object):
 
 def __init__(self):
 self.opts = cherrypy.config['saltopts']
+ self.apiopts = cherrypy.config['apiopts']
 self.api = salt.netapi.NetapiClient(self.opts)
 
 def exec_lowstate(self, client=None, token=None):
@@ -2596,7 +2603,15 @@ class API(object):
 
 CherryPy uses class attributes to resolve URLs.
 '''
- for url, cls in six.iteritems(self.url_map):
+ if self.apiopts.get('enable_sessions', True) is False:
+ url_blacklist = ['login', 'logout', 'minions', 'jobs']
+ else:
+ url_blacklist = []
+
+ urls = ((url, cls) for url, cls in six.iteritems(self.url_map)
+ if url not in url_blacklist)
+
+ for url, cls in urls:
 setattr(self, url, cls())
 
 def _update_url_map(self):
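Review bot: The guard `if self.apiopts.get('enable_sessions', True) is False:` in the last hunk only trips on a literal boolean `False`, so if the option ever arrives as `0`, `'False'` or any other falsy value the session endpoints stay mounted; `if not self.apiopts.get('enable_sessions', True):` would disable them for every falsy setting and is the usual idiom. The hard-coded `url_blacklist = ['login', 'logout', 'minions', 'jobs']` is the only thing enforcing the docstring's promise to "disable all endpoints that rely on session cookies", so it will silently drift when another session-reading handler is added to `url_map`; a comment such as `# keep in sync with url_map: list every handler that reads cherrypy.session` next to the list, or hoisting the names to a class-level constant beside `url_map`, would make that coupling visible. Unmounting `/login` presumably only stops new sessions from being created; whether any remaining handler still honours an existing session cookie is not visible here and is worth confirming before relying on this as "header-only" authentication. The enclosing `_setattr_url_map` method starts outside the hunk.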