From da5294166894d619968c0ad5165d31a2ab6fc87f Mon Sep 17 00:00:00 2001
From: Corey Wright
Date: Thu, 4 Oct 2018 22:01:43 -0500
Subject: [PATCH] Allow disabling OPTIONS method on server root, "/"

To appease automated security audits that are concerned about a web-based service volunteering too much information, allow disabling Flask's OPTIONS method support with the `enable-options-method` boolean configuration option (that defaults to "true" to maintain Designate's default behavior).

Of course Flask is only used for the server root for advertising API versions, so it is only applied and effective there, but it is unnecessary elsewhere (ie `/v2` & `/admin`) as Pecan doesn't implement the OPTIONS method nor does Designate (eg implementing `_hander_options()`, `post_options()`, or `options()` on its Pecan-based REST controllers).
---
 designate/api/__init__.py | 3 +++
 designate/api/versions.py | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/designate/api/__init__.py b/designate/api/__init__.py
index 94ce519..313ddf8 100644
--- a/designate/api/__init__.py
+++ b/designate/api/__init__.py
@@ -58,6 +58,9 @@ api_opts = [
         "max_header_line may need to be increased when using "
         "large tokens (typically those generated by the "
         "Keystone v3 API with big service catalogs)."),
+    cfg.BoolOpt('enable-options-method', default=True,
+                help='Enable OPTIONS method. '
+                'Only applies to "/", the server root.'),
 ]
 
 api_v2_opts = [
diff --git a/designate/api/versions.py b/designate/api/versions.py
index 520e08f..a43d214 100644
--- a/designate/api/versions.py
+++ b/designate/api/versions.py
@@ -17,6 +17,8 @@ import flask
 from oslo_config import cfg
 
 cfg.CONF.import_opt('enable_host_header', 'designate.api', group='service:api')
+cfg.CONF.import_opt('enable_options_method', 'designate.api',
+                    group='service:api')
 
 
 def factory(global_config, **local_conf):
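Review bot: The help string on the new BoolOpt only says that it enables the OPTIONS method on "/"; it does not tell an operator what setting it to false does or why anyone would, even though the option exists purely to satisfy security audits. I would spell out both sides, along the lines of `help='Enable Flask\'s automatic OPTIONS handling on "/", the server root. Set to false when a security audit objects to the root advertising its allowed methods; /v2 and /admin are served by Pecan and are not affected.'`. The status an OPTIONS request receives once disabled (presumably a 405 from Werkzeug) is worth stating in the help once confirmed. The api_opts list this entry belongs to starts outside the hunk.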
@@ -44,7 +46,8 @@ def factory(global_config, **local_conf):
     if cfg.CONF['service:api'].enable_api_v2:
         _version('v2', 'CURRENT', base)
 
-    @app.route('/', methods=['GET'])
+    @app.route('/', methods=['GET'],
+               provide_automatic_options=cfg.CONF['service:api'].enable_options_method)
     def version_list():
         if cfg.CONF['service:api'].enable_host_header:
             _host_header_links()
-- 
2.7.4
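Review bot: Setting provide_automatic_options to false on the "/" route does not necessarily stop the root from disclosing its method set, which is the audit finding the commit message cites. An OPTIONS request to "/" then presumably falls through to Werkzeug's MethodNotAllowed, and that 405 response carries an `Allow` header listing GET/HEAD — roughly what the automatic OPTIONS reply disclosed — so the option should be verified against the scanner's actual check before it is relied on, and the config help should say what a disabled OPTIONS request gets back. Separately, the new continuation line runs well past 79 columns and will trip the project's pep8 job; hoist the lookup with `enable_options = cfg.CONF['service:api'].enable_options_method` above the decorator and use `provide_automatic_options=enable_options)` on the continuation line. factory() begins before this hunk and version_list() continues past it.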