Merge pull request #72 from PerimeterX/dev

Version 3.2.0

Author: Johnny Tordgeman

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Change Log
 
+## [v3.2.0](https://github.com/PerimeterX/perimeterx-python-wsgi) (2019-03-17)
+- Added support for enforced_specific_routes
+- Added .json to the list of whitelisted extensions
+
 ## [v3.1.0](https://github.com/PerimeterX/perimeterx-python-wsgi) (2019-02-26)
 - Refactor of px_logger to use native python logger
 - Added support for bypass monitor mode header

README.md

@@ -4,9 +4,9 @@
 
 [PerimeterX](http://www.perimeterx.com) Python Middleware
 =============================================================
-> Latest stable version: [v3.1.0](https://pypi.org/project/perimeterx-python-wsgi/)
+> Latest stable version: [v3.2.0](https://pypi.org/project/perimeterx-python-wsgi/)
 
-> Latest GAE stable version: [v3.1.0](https://pypi.org/project/perimeterx-python-wsgi-gae/)
+> Latest GAE stable version: [v3.2.0](https://pypi.org/project/perimeterx-python-wsgi-gae/)
 
 Table of Contents
 -----------------
@@ -29,6 +29,7 @@ Table of Contents
     * [Additional Activity Handler](#additional_activity_handler)
     * [Px Disable Request](#px_disable_request)
     * [Test Block Flow on Monitoring Mode](#bypass_monitor_header)
+    * [Enforce Specific Routes](#enforce_specific_routes)
 
 ## <a name="installation"></a> Installation
 
@@ -255,7 +256,7 @@ environ['px_disable_request'] = True #The enforcer shall be disabled for that re
 
 ```
 
-#### <a name=“bypassMonitorHeader”></a> Test Block Flow on Monitoring Mode
+#### <a name="bypass_monitor_header"></a> Test Block Flow on Monitoring Mode
 
 Allows you to test an enforcer’s blocking flow while you are still in Monitor Mode.
 
@@ -273,3 +274,16 @@ config = {
   ...
 }
 ```
+
+#### <a name="enforce_specific_routes"></a> Enforced Specific Routes
+An array of route prefixes that are always validated by the PerimeterX Worker (as opposed to whitelisted routes).
+When this property is set, any route which is not added - will be whitelisted.
+
+**Default:** Empty
+ ```python
+config = {
+  ...
+  enforced_specific_routes: ['/profile']
+  ...
+};
+```

perimeterx/px_config.py

@@ -47,8 +47,13 @@ def __init__(self, config_dict):
         whitelist_routes = config_dict.get('whitelist_routes', [])
         if not isinstance(whitelist_routes, list):
             raise TypeError('whitelist_routes must be a list')
-
         self._whitelist_routes = whitelist_routes
+
+        enforced_routes = config_dict.get('enforced_specific_routes', [])
+        if not isinstance(enforced_routes, list):
+            raise TypeError('enforced_specific_routes must be a list')
+        self._enforced_specific_routes = enforced_routes
+
         self._block_html = 'BLOCK'
         self._logo_visibility = 'visible' if custom_logo is not None else 'hidden'
         self._telemetry_config = self.__create_telemetry_config()
@@ -196,6 +201,10 @@ def testing_mode(self):
     def bypass_monitor_header(self):
         return self._bypass_monitor_header
 
+    @property
+    def enforced_specific_routes(self):
+        return self._enforced_specific_routes
+
     def __instantiate_user_defined_handlers(self, config_dict):
         self._custom_request_handler = self.__set_handler('custom_request_handler', config_dict)
         self._get_user_ip = self.__set_handler('get_user_ip', config_dict)

perimeterx/px_constants.py

@@ -30,7 +30,7 @@
 EMPTY_GIF_B64 = 'R0lGODlhAQABAPAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=='
 COLLECTOR_HOST = 'collector.perimeterx.net'
 FIRST_PARTY_FORWARDED_FOR = 'X-FORWARDED-FOR'
-MODULE_VERSION = 'Python WSGI Module{} v3.1.0'
+MODULE_VERSION = 'Python WSGI Module{} v3.2.0'
 API_RISK = '/api/v3/risk'
 PAGE_REQUESTED_ACTIVITY = 'page_requested'
 BLOCK_ACTIVITY = 'block'

perimeterx/px_context.py

@@ -53,6 +53,8 @@ def __init__(self, request, config):
             filter(lambda sensitive_route_item: uri.startswith(sensitive_route_item), config.sensitive_routes)) > 0
         whitelist_route = len(
             filter(lambda whitelist_route_item: uri.startswith(whitelist_route_item), config.whitelist_routes)) > 0
+        enforced_route = len(
+            filter(lambda enforced_route_item: uri.startswith(enforced_route_item), config.enforced_specific_routes)) > 0
 
         protocol_split = request.environ.get('SERVER_PROTOCOL', '').split('/')
         if protocol_split[0].startswith('HTTP'):
@@ -78,6 +80,7 @@ def __init__(self, request, config):
         self._query_params = request.query_string
         self._sensitive_route = sensitive_route
         self._whitelist_route = whitelist_route
+        self._enforced_route = enforced_route
         self._s2s_call_reason = 'none'
         self._cookie_origin = cookie_origin
         self._is_mobile = cookie_origin == "header"
@@ -123,6 +126,14 @@ def extract_ip(self, config, request):
             ip = config.get_user_ip
         return ip
 
+    @property
+    def enforced_route(self):
+        return self._enforced_route
+
+    @enforced_route.setter
+    def enforced_route(self, enforced_route):
+        self._enforced_route = enforced_route
+
     @property
     def headers(self):
         return self._headers

perimeterx/px_request_verifier.py

@@ -27,6 +27,9 @@ def verify_request(self, ctx, request):
         if ctx.whitelist_route:
             self.logger.debug('The requested uri is whitelisted, passing request')
             return True
+        if len(self.config.enforced_specific_routes) > 0 and not ctx.enforced_route:
+            self.logger.debug('The request uri {} is not listed in specific routes to enforce, passing request.'.format(uri))
+            return True
         # PX Cookie verification
         if not px_cookie_validator.verify(ctx, self.config):
             # Server-to-Server verification fallback

perimeterx/px_utils.py

@@ -28,7 +28,7 @@ def is_static_file(ctx):
     static_extensions = ['.css', '.bmp', '.tif', '.ttf', '.docx', '.woff2', '.js', '.pict', '.tiff', '.eot',
                          '.xlsx', '.jpg', '.csv', '.eps', '.woff', '.xls', '.jpeg', '.doc', '.ejs', '.otf', '.pptx',
                          '.gif', '.pdf', '.swf', '.svg', '.ps', '.ico', '.pls', '.midi', '.svgz', '.class', '.png',
-                         '.ppt', '.mid', 'webp', '.jar']
+                         '.ppt', '.mid', 'webp', '.jar', '.json']
 
     for ext in static_extensions:
         if uri.endswith(ext):

setup-gae.py

@@ -2,7 +2,7 @@
 
 from setuptools import setup, find_packages
 
-version = 'v3.1.0'
+version = 'v3.2.0'
 setup(name='perimeterx-python-wsgi-gae',
       version=version,
       license='MIT',

setup.py

@@ -2,7 +2,7 @@
 
 from setuptools import setup, find_packages
 
-version = 'v3.1.0'
+version = 'v3.2.0'
 setup(name='perimeterx-python-wsgi',
       version=version,
       license='MIT',

test/test_px_request_validator.py

@@ -159,4 +159,40 @@ def test_bypass_monitor_header_on_valid_request(self):
         context = PxContext(request, request_handler.config)
         context.score = 0
         response = request_handler.handle_verification(context, request)
-        self.assertEqual(response, True)
+        self.assertEqual(response, True)
+
+    def test_specific_enforced_routes_with_enforced_route(self):
+      config = PxConfig({'app_id': 'PXfake_app_id',
+                               'auth_token': '',
+                               'module_mode': px_constants.MODULE_MODE_BLOCKING,
+                               'enforced_specific_routes': ['/profile'],
+                               });
+      headers = {'X-FORWARDED-FOR': '127.0.0.1',
+                     'remote-addr': '127.0.0.1',
+                     'content_length': '100'}
+      request_handler = PxRequestVerifier(config)
+      builder = EnvironBuilder(headers=headers, path='/profile')
+      env = builder.get_environ()
+      request = Request(env)
+      context = PxContext(request, request_handler.config)
+      context.score = 100
+      response = request_handler.handle_verification(context, request)
+      self.assertEqual(response.status, '403 Forbidden')
+
+    def test_specific_enforced_routes_with_unenforced_route(self):
+      config = PxConfig({'app_id': 'PXfake_app_id',
+                               'auth_token': '',
+                               'module_mode': px_constants.MODULE_MODE_BLOCKING,
+                               'enforced_specific_routes': ['/profile'],
+                               });
+      headers = {'X-FORWARDED-FOR': '127.0.0.1',
+                     'remote-addr': '127.0.0.1',
+                     'content_length': '100'}
+      request_handler = PxRequestVerifier(config)
+      builder = EnvironBuilder(headers=headers, path='/')
+      env = builder.get_environ()
+      request = Request(env)
+      context = PxContext(request, request_handler.config)
+      context.score = 100
+      response = request_handler.verify_request(context, request)
+      self.assertEqual(response, True)