| /* |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| */ |
| |
| //"use strict"; |
| |
| // Initializes client-side handling of cross-site request forgery (CSRF) |
| // protection by figuring out the custom HTTP headers that need to be sent in |
| // requests and which HTTP methods are ignored because they do not require CSRF |
| // protection. |
| define(function(require) { |
| "use strict"; |
| require('jquery'); |
| var restCsrfCustomHeader = null; |
| var restCsrfMethodsToIgnore = null; |
| |
| if(!window.location.origin){ |
| window.location.origin = window.location.protocol + "//" + window.location.hostname + (window.location.port ? ':' + window.location.port: ''); |
| } |
| |
| var baseUrl = window.location.origin + window.location.pathname.substr(0, window.location.pathname.lastIndexOf("/")); |
| |
| if(baseUrl.slice(-1) == "/") { |
| baseUrl = baseUrl.slice(0,-1); |
| } |
| var url = baseUrl + "/service/plugins/csrfconf"; |
| |
| $.ajax({'url': url, 'dataType': 'json', 'async': false}).done( |
| function(data) { |
| function getTrimmedStringArrayValue(element) { |
| var str = element, array = []; |
| if (str) { |
| var splitStr = str.split(','); |
| for (var i = 0; i < splitStr.length; i++) { |
| array.push(splitStr[i].trim()); |
| } |
| } |
| return array; |
| } |
| |
| // Get all relevant configuration properties. |
| var $xml = $(data); |
| var csrfEnabled = false; |
| var header = null; |
| var methods = []; |
| $xml.each(function(indx,element){ |
| if(element['ranger.rest-csrf.enabled']) { |
| var str = "" + element['ranger.rest-csrf.enabled']; |
| csrfEnabled = (str.toLowerCase() == 'true'); |
| } |
| if (element['ranger.rest-csrf.custom-header']) { |
| header = element['ranger.rest-csrf.custom-header'].trim(); |
| } |
| if (element['ranger.rest-csrf.methods-to-ignore']) { |
| methods = getTrimmedStringArrayValue(element['ranger.rest-csrf.methods-to-ignore']); |
| } |
| }); |
| |
| // If enabled, set up all subsequent AJAX calls with a pre-send callback |
| // that adds the custom headers if necessary. |
| if (csrfEnabled) { |
| restCsrfCustomHeader = header; |
| restCsrfMethodsToIgnore = {}; |
| methods.map(function(method) { restCsrfMethodsToIgnore[method] = true; }); |
| $.ajaxSetup({ |
| beforeSend: addRestCsrfCustomHeader |
| }); |
| } |
| }); |
| |
| // Adds custom headers to request if necessary. This is done only for WebHDFS |
| // URLs, and only if it's not an ignored method. |
| function addRestCsrfCustomHeader(xhr, settings) { |
| // if (settings.url == null || !settings.url.startsWith('/webhdfs/')) { |
| if (settings.url == null ) { |
| return; |
| } |
| var method = settings.type; |
| if (restCsrfCustomHeader != null && !restCsrfMethodsToIgnore[method]) { |
| // The value of the header is unimportant. Only its presence matters. |
| xhr.setRequestHeader(restCsrfCustomHeader, '""'); |
| } |
| } |
| }); |