73 lines
1.9 KiB
Python
73 lines
1.9 KiB
Python
"""Central deny-by-default policy for sensitive HTTP surfaces."""
|
|
|
|
from __future__ import annotations
|
|
|
|
POLICY = "ewoooc_sensitive_http_access_policy_v1"
|
|
|
|
# Entire blueprints that expose business data or operator actions.
|
|
SESSION_REQUIRED_BLUEPRINTS = frozenset({
|
|
"auto_import",
|
|
"category",
|
|
"cicd",
|
|
"crawler",
|
|
"crawler_management",
|
|
"vendor",
|
|
})
|
|
|
|
# Mixed public/private blueprints use endpoint-level protection.
|
|
SESSION_REQUIRED_ENDPOINTS = frozenset({
|
|
"alert.alert_status",
|
|
"alert.test_alert",
|
|
"code_review.api_history",
|
|
"code_review.api_status",
|
|
"code_review.dashboard",
|
|
"misc.test_url",
|
|
"openclaw_bot.set_webhook",
|
|
"openclaw_bot.webhook_info",
|
|
"sales.abc_analysis_detail",
|
|
"system_public.get_logs_api",
|
|
"system_public.settings",
|
|
"system_public.show_logs",
|
|
"system_public.system_settings_page",
|
|
})
|
|
|
|
# Every anonymous GET must be intentional and small enough for public exposure.
|
|
INTENTIONALLY_PUBLIC_ENDPOINTS = frozenset({
|
|
"bot_api.bot_api_status",
|
|
"elephant_alpha.status",
|
|
"misc.brand_assets",
|
|
"system_public.favicon",
|
|
"system_public.health_check",
|
|
"system_public.prometheus_metrics",
|
|
"system_public.webcrumbs_asset_proxy",
|
|
"user_bp.get_password_reqs",
|
|
})
|
|
|
|
|
|
def is_session_required(endpoint: str | None, blueprint: str | None) -> bool:
|
|
return bool(
|
|
blueprint in SESSION_REQUIRED_BLUEPRINTS
|
|
or endpoint in SESSION_REQUIRED_ENDPOINTS
|
|
)
|
|
|
|
|
|
def enforce_http_access_policy():
|
|
"""Protect sensitive routes before their route function executes."""
|
|
from flask import request
|
|
|
|
if not is_session_required(request.endpoint, request.blueprint):
|
|
return None
|
|
from auth import require_authenticated_request
|
|
|
|
return require_authenticated_request()
|
|
|
|
|
|
__all__ = [
|
|
"POLICY",
|
|
"SESSION_REQUIRED_BLUEPRINTS",
|
|
"SESSION_REQUIRED_ENDPOINTS",
|
|
"INTENTIONALLY_PUBLIC_ENDPOINTS",
|
|
"enforce_http_access_policy",
|
|
"is_session_required",
|
|
]
|