
2010-04-07 Sebastien Pouliot <[email protected]>

	* BaseDomainPolicy.cs: Abstract-fy IsAllowed(WebRequest) and 
	remove abstract IsAllowed(Uri,string[]) since it cannot provide
	enough information for the client access policy.
	* ClientAccessPolicy.cs: Replace IsAllowed(Uri,string[]) with
	IsAllowed(WebRequest) and add logic for AllowAnyMethod
	* ClientAccessPolicyParser.cs: Read "http-methods" attribute (new
	in SL3) and set the new AllowAnyMethod property if the value is
	"*" (the only legal value if the attribute is present).
	* FlashCrossDomainPolicy.cs: Add IsAllowed(WebRequest) since it's
	not part of BaseDomainPolicy anymore.


svn path=/trunk/mcs/; revision=154949
Sebastien Pouliot 16 anos atrás
pai
commit
82f9bc99cd

+ 1 - 6
mcs/class/System.Net/System.Net.Policy/BaseDomainPolicy.cs

@@ -128,12 +128,7 @@ namespace System.Net.Policy {
 			}
 		}
 
-		public bool IsAllowed (WebRequest request)
-		{
-			return IsAllowed (request.RequestUri, request.Headers.AllKeys);
-		}
-
-		abstract public bool IsAllowed (Uri uri, params string [] headerKeys);
+		abstract public bool IsAllowed (WebRequest request);
 	}
 }
 

+ 13 - 0
mcs/class/System.Net/System.Net.Policy/ChangeLog

@@ -1,3 +1,16 @@
+2010-04-07  Sebastien Pouliot  <[email protected]>
+
+	* BaseDomainPolicy.cs: Abstract-fy IsAllowed(WebRequest) and 
+	remove abstract IsAllowed(Uri,string[]) since it cannot provide
+	enough information for the client access policy.
+	* ClientAccessPolicy.cs: Replace IsAllowed(Uri,string[]) with
+	IsAllowed(WebRequest) and add logic for AllowAnyMethod
+	* ClientAccessPolicyParser.cs: Read "http-methods" attribute (new
+	in SL3) and set the new AllowAnyMethod property if the value is
+	"*" (the only legal value if the attribute is present).
+	* FlashCrossDomainPolicy.cs: Add IsAllowed(WebRequest) since it's
+	not part of BaseDomainPolicy anymore.
+
 2010-04-06  Sebastien Pouliot  <[email protected]> 
 
 	* ClientAccessPolicyParser.cs: Don't forget "http-request-headers"

+ 21 - 4
mcs/class/System.Net/System.Net.Policy/ClientAccessPolicy.cs

@@ -74,7 +74,7 @@ namespace System.Net.Policy {
 			foreach (AccessPolicy policy in AccessPolicyList) {
 				// does something allow our URI in this policy ?
 				foreach (AllowFrom af in policy.AllowedServices) {
-					if (af.IsAllowed (ApplicationUri, null)) {
+					if (af.IsAllowed (ApplicationUri, null, null)) {
 						// if so, is our request port allowed ?
 						if (policy.PortAllowed (endpoint.Port))
 							return true;
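Review bot: Passing `null` as the method here looks like it makes this check fail for every allow-from entry that lacks `http-methods="*"`. The method check added further down in `AllowFrom.IsAllowed` compares `method` with "GET" and "POST" whenever `AllowAnyMethod` is false; a null string matches neither, so it returns false before the domain check runs. This caller has no HTTP method (it goes on to test `endpoint.Port`), so the restriction should probably not apply to it. One option is `if (!AllowAnyMethod && method != null) {` in the callee, with `IsAllowed (WebRequest)` rejecting a null `request.Method` so the HTTP path can never skip the restriction. The enclosing method starts and ends outside this hunk, so confirm against the full body.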
@@ -114,7 +114,12 @@ namespace System.Net.Policy {
 			return true;
 		}
 
-		public override bool IsAllowed (Uri uri, params string [] headerKeys)
+		public override bool IsAllowed (WebRequest request)
+		{
+			return IsAllowed (request.RequestUri, request.Method, request.Headers.AllKeys);
+		}
+
+		public bool IsAllowed (Uri uri, string method, params string [] headerKeys)
 		{
 			// at this stage the URI has removed the "offending" characters so we need to look at the original
 			if (!CheckOriginalPath (uri)) 
@@ -124,7 +129,7 @@ namespace System.Net.Policy {
 				// does something allow our URI in this policy ?
 				foreach (AllowFrom af in policy.AllowedServices) {
 					// is the application (XAP) URI allowed by the policy ?
-					if (af.IsAllowed (ApplicationUri, headerKeys)) {
+					if (af.IsAllowed (ApplicationUri, method, headerKeys)) {
 						foreach (GrantTo gt in policy.GrantedResources) {
 							// is the requested access to the Uri granted under this policy ?
 							if (gt.IsGranted (uri))
@@ -152,9 +157,11 @@ namespace System.Net.Policy {
 
 			public Headers HttpRequestHeaders { get; private set; }
 
+			public bool AllowAnyMethod { get; set; }
+
 			public string Scheme { get; internal set; }
 
-			public bool IsAllowed (Uri uri, string [] headerKeys)
+			public bool IsAllowed (Uri uri, string method, string [] headerKeys)
 			{
 				// check headers
 				if (!HttpRequestHeaders.IsAllowed (headerKeys))
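Review bot: `AllowAnyMethod` is declared with a public setter, while the neighbouring `HttpRequestHeaders` and `Scheme` use `private set` and `internal set`. This flag widens what a parsed policy permits, so it is better kept writable only by the parser: `public bool AllowAnyMethod { get; internal set; }`. That assumes ClientAccessPolicyParser lives in the same assembly, as the `internal set` on `Scheme` suggests. The body of `IsAllowed` continues outside this hunk.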
@@ -173,6 +180,16 @@ namespace System.Net.Policy {
 						return false;
 					}
 				}
+				// check methods
+				if (!AllowAnyMethod) {
+					// if not all methods are allowed (*) then only GET and POST request are possible
+					// further restriction exists in the Client http stack
+					if ((String.Compare (method, "GET", StringComparison.OrdinalIgnoreCase) != 0) &&
+						(String.Compare (method, "POST", StringComparison.OrdinalIgnoreCase) != 0)) {
+						return false;
+					}
+				}
+
 				// check domains
 				if (AllowAnyDomain)
 					return true;
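Review bot: The method comparison uses `StringComparison.OrdinalIgnoreCase`, so "get" or "Post" pass the policy check, although HTTP method tokens are case-sensitive and a server may treat them as methods other than GET and POST. Unless the request layer normalises `Method` before it reaches this code (not visible here), an exact match is safer: `if (!String.Equals (method, "GET", StringComparison.Ordinal) && !String.Equals (method, "POST", StringComparison.Ordinal)) return false;`. The comment about a further restriction in the client HTTP stack would be more useful if it named where that restriction is enforced.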

+ 7 - 3
mcs/class/System.Net/System.Net.Policy/ClientAccessPolicyParser.cs

@@ -163,19 +163,23 @@ namespace System.Net.Policy {
 				return;
 			}
 
+			bool valid = true;
 			string headers = null;
+			string methods = null;		// new in SL3
 			if (reader.HasAttributes) {
 				int n = reader.AttributeCount;
 				headers = reader.GetAttribute ("http-request-headers");
 				if (headers != null)
 					n--;
-				if (n != 0)
-					return;
+				methods = reader.GetAttribute ("http-methods");
+				if (methods != null)
+					n--;
+				valid = (n == 0);
 			}
 
-			bool valid = true;
 			var v = new AllowFrom ();
 			v.HttpRequestHeaders.SetHeaders (headers);
+			v.AllowAnyMethod = (methods == "*"); // only legal value defined, otherwise restricted to GET and POST
 			reader.ReadStartElement ("allow-from", String.Empty);
 			for (reader.MoveToContent (); reader.NodeType != XmlNodeType.EndElement; reader.MoveToContent ()) {
 				if (reader.NodeType != XmlNodeType.Element)
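Review bot: An `http-methods` value other than "*" is silently accepted and treated as GET/POST only, even though the comment on the `AllowAnyMethod` assignment calls "*" the only legal value. If malformed attributes are meant to invalidate the element, the way an unexpected attribute now sets `valid` to false, add `if (methods != null && methods != "*") valid = false;` after the attribute count check. The early `return` also became `valid = (n == 0)`, so the element is now parsed to the end. The rest of the method is outside this hunk, so verify that nothing below assigns `valid` back to true and that an invalid `AllowFrom` is never added to the policy.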

+ 6 - 1
mcs/class/System.Net/System.Net.Policy/FlashCrossDomainPolicy.cs

@@ -54,7 +54,12 @@ namespace System.Net.Policy {
 			set { site_control = value; }
 		}
 
-		public override bool IsAllowed (Uri uri, string [] headerKeys)
+		public override bool IsAllowed (WebRequest request)
+		{
+			return IsAllowed (request.RequestUri, request.Headers.AllKeys);
+		}
+
+		public bool IsAllowed (Uri uri, string [] headerKeys)
 		{
 			switch (SiteControl) {
 			case "all":
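Review bot: The new `IsAllowed (WebRequest)` override drops `request.Method` and forwards only the URI and header keys, so no method restriction is applied on this path when a Flash cross-domain policy is in effect. That differs from the GET/POST check this commit adds to ClientAccessPolicy. If it is intentional, for instance because the restriction is enforced elsewhere, a comment saying so would help, e.g. `// crossdomain.xml has no per-method rules; method limits are enforced by <where>`. The body of `IsAllowed (Uri, string [])` continues outside this hunk.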