From a962a5afc364195bc2be37c6a822bffeb93735cc Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 16 Oct 2017 10:20:49 -0400
Subject: [PATCH] Exempt Web Forwarding from CSRF

Web forward from popup context requires it be exempt from CSRF protection. This is harmless (as all GET should be, but erring on side of caution), so add it to the whitelist of CSRF skipping on a CSRF enabled client session.
---
 confluent_server/confluent/httpapi.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/confluent_server/confluent/httpapi.py b/confluent_server/confluent/httpapi.py
index 35dee601..0a5f1e4d 100644
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@@ -216,11 +216,17 @@ def _should_skip_authlog(env):
         return True
     return False
 
+
+def _csrf_exempt(path):
+    # first a get of info to get CSRF key, also '/forward/web' to enable
+    # the popup ability to just forward
+    return path == '/sessions/current/info' or path.endswith('/forward/web')
+
+
 def _csrf_valid(env, session):
     # This could be simplified into a statement, but this is more readable
     # to have it broken out
-    if (env['REQUEST_METHOD'] == 'GET' and
-        env['PATH_INFO'] == '/sessions/current/info'):
+    if (env['REQUEST_METHOD'] == 'GET' and _csrf_exmept(env['PATH_INFO']):
         # Provide a web client a safe hook to request the CSRF token
         # This means that we consider GET of /sessions/current/info to be
         # a safe thing to inflict via CSRF, since CORS should prevent
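Review bot: The rewritten `if` line in `_csrf_valid` is broken twice: it calls `_csrf_exmept`, which does not exist (the helper added just above is `_csrf_exempt`), and it drops the closing parenthesis of the outer `if (`, so the module will not even import; the line should read `if env['REQUEST_METHOD'] == 'GET' and _csrf_exempt(env['PATH_INFO']):`. On the helper itself, `path.endswith('/forward/web')` is a suffix match rather than an exact resource, so every GET whose path ends that way is now excluded from the CSRF check; if that breadth is intended it deserves saying so in the helper's comment, e.g. `# suffix match: any GET whose path ends in /forward/web is exempt; callers must pair this with the GET-only check in _csrf_valid`. The comment block below the `if` still names only `/sessions/current/info` as the resource deemed safe to reach via CSRF and should be extended to mention the forward path so the exemption list is documented in one place. The body of `_csrf_valid` continues past the end of the hunk.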