From 80e35fca88e61384f92ee4ab6b555ebdce162d2f Mon Sep 17 00:00:00 2001
From: Michael FIG
Date: Tue, 15 Oct 2019 14:37:39 -0600
Subject: [PATCH] fix(origin): allow any localhost origin

This provides less protection, but not any different from the fact that local programs can also access /vat or the websocket.

It's needed for Docker images to be independent of port or listening address.
---
 lib/ag-solo/start.js | 9 ++++-----
 lib/ag-solo/vats/vat-http.js | 14 ++++++++++----
 lib/ag-solo/web.js | 16 ++++------------
 provisioning-server/src/ag_pserver/main.py | 2 +-
 4 files changed, 19 insertions(+), 22 deletions(-)

diff --git a/lib/ag-solo/start.js b/lib/ag-solo/start.js
index 5553bdbc995..138b2ae4dab 100644
--- a/lib/ag-solo/start.js
+++ b/lib/ag-solo/start.js
@@ -195,16 +195,15 @@ export default async function start(basedir, withSES, argv) {
 // Install the contracts, if given a client role.
 if (argv.find(value => value.match(/^--role=.*client/)) !== undefined) {
 const contractsDir = path.join(basedir, 'contracts');
- const pairs = (await fs.promises.readdir(contractsDir)).reduce(
- (prior, name) => {
+ const pairs = (await fs.promises.readdir(contractsDir))
+ .sort()
+ .reduce((prior, name) => {
 const match = name.match(CONTRACT_REGEXP);
 if (match) {
 prior.push(`${match[1]}=${contractsDir}/${name}`);
 }
 return prior;
- },
- [],
- );
+ }, []);
 if (pairs.length > 0) {
 // eslint-disable-next-line no-await-in-loop
diff --git a/lib/ag-solo/vats/vat-http.js b/lib/ag-solo/vats/vat-http.js
index 597c8cd5fb3..1fd475bcb7b 100644
--- a/lib/ag-solo/vats/vat-http.js
+++ b/lib/ag-solo/vats/vat-http.js
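Review bot: The new `.sort()` on the readdir result has no comment saying why it is there, and a reader may take it for a cosmetic change rather than a behaviour change; presumably it exists so the contracts are installed in a deterministic order instead of whatever order the filesystem returns. Suggested, on the line above `.sort()`: `// sort so contracts install in a stable order regardless of readdir ordering`. The hunk still lets `readdir` reject when the contracts directory is missing, but that is pre-existing and not introduced here. `start` begins and ends outside the hunk.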
@@ -7,8 +7,14 @@ import { getReplHandler } from './repl';
 function build(E, D) {
 let commandDevice;
 let provisioner;
- const homeObjects = { LOADING: 'fetching home objects' };
- let exportedToCapTP = { LOADING: 'fetching home objects' };
+ const loaded = {};
+ loaded.p = new Promise((resolve, reject) => {
+ loaded.res = resolve;
+ loaded.rej = reject;
+ });
+ harden(loaded);
+ const homeObjects = { LOADING: loaded.p };
+ let exportedToCapTP = { LOADING: loaded.p };
 let handler = {};
 let canvasState;
@@ -90,9 +96,9 @@ function build(E, D) {
 },
 setPresences(ps, privateObjects) {
- delete homeObjects.LOADING;
- exportedToCapTP = Object.assign({}, ps, privateObjects);
+ exportedToCapTP = { ...ps, ...privateObjects };
 Object.assign(homeObjects, ps, privateObjects);
+ loaded.res('chain bundle loaded');
 if (ps.canvasStatePublisher) {
 const subscriber = harden({
 notify(m) {
diff --git a/lib/ag-solo/web.js b/lib/ag-solo/web.js
index 8b7141faec2..64883484556 100644
--- a/lib/ag-solo/web.js
+++ b/lib/ag-solo/web.js
@@ -41,24 +41,16 @@ export function makeHTTPListener(basedir, port, host, inboundCommand) {
 const url = new URL(origin);
 const isLocalhost = hostname => hostname.match(/^(localhost|127\.0\.0\.1)$/);
- if (isLocalhost(host)) {
- if (!isLocalhost(url.hostname)) {
- console.log(id, `Invalid origin host ${origin} is not local`);
- return false;
- }
- } else if (url.hostname !== host) {
- console.log(id, `Invalid origin host ${origin}`);
+
+ if (!isLocalhost(url.hostname)) {
+ console.log(id, `Invalid origin host ${origin} is not localhost`);
+ return false;
 }
 if (url.protocol !== 'http:' && url.protocol !== 'https:') {
 console.log(id, `Invalid origin protocol ${origin}`, url.protocol);
 return false;
 }
- if (String(url.port) !== String(port)) {
- console.log(id, `Invalid origin port ${origin}`, url.port);
- return false;
- }
-
 return true;
 };
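Review bot: `loaded.rej` is captured in the new `new Promise` block but nothing in this patch ever calls it, so if `setPresences` never runs the `LOADING` promise stays pending forever and a client that awaits `home.LOADING` hangs with no error instead of failing; either reject it on the failure path that feeds `setPresences`, or state in a comment that the promise is resolve-only. A short why-comment above the promise would also help a reader who only sees this file: `// loaded.p settles once setPresences() installs the chain bundle; awaiting home.LOADING is how clients wait for it.` `harden(loaded)` freezes the holder after `p`, `res` and `rej` are assigned, so none of them can be replaced later — presumably intended, worth saying. `build` continues outside the hunk.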
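Review bot: `delete homeObjects.LOADING` was dropped from `setPresences`, so after the bundle loads `homeObjects` still carries the `LOADING` key (now a resolved promise) while the rebuilt `exportedToCapTP` does not — the two views of the home objects disagree and the commit message does not mention it. If keeping the key is intended so a late `await home.LOADING` resolves immediately, record that next to the `Object.assign`: `// LOADING stays: it is a resolved promise now, so late awaiters return at once`; otherwise restore `delete homeObjects.LOADING;` after the assign. Note also that `loaded.res(...)` is a no-op on any second call, so if `setPresences` can run more than once only the first load is signalled — the hunk does not show how often it is called. Both `build` and `setPresences` continue outside the hunk.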
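Review bot: The `isLocalhost` regex still rejects the IPv6 loopback even though the commit title promises any localhost origin: `new URL('http://[::1]:8000').hostname` is `'[::1]'`, which `^(localhost|127\.0\.0\.1)$` does not match, so a browser that sends a bracketed `::1` Origin is turned away with "is not localhost". Suggested: `const isLocalhost = hostname => /^(localhost|127\.0\.0\.1|\[::1\])$/.test(hostname);`. With the port comparison removed, the Origin header is now the only cross-origin defence and a page served from any other localhost port (another dev server, for instance) can drive the websocket; the commit message accepts that trade-off, so record it at the check — `// Any localhost origin on any port is accepted: a local page can already reach /vat and the websocket, so the port check added no real protection.` The removed `else if (url.hostname !== host)` branch also means an instance listening on a non-loopback address and reached through that address is now rejected where it was accepted before, which the description ("independent of listening address") does not make obvious. The origin-checking function starts before the hunk and `makeHTTPListener` continues after it.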
diff --git a/provisioning-server/src/ag_pserver/main.py b/provisioning-server/src/ag_pserver/main.py
index 6e907b583fb..7347043265e 100644
--- a/provisioning-server/src/ag_pserver/main.py
+++ b/provisioning-server/src/ag_pserver/main.py
@@ -227,7 +227,7 @@ def ret(server_message):
 resp = yield treq.post(controller_url, m.encode('utf-8'), reactor=reactor, headers={
 b'Content-Type': [b'application/json'],
- b'Origin': [controller_url.encode('utf-8')],
+ b'Origin': [b'http://127.0.0.1'],
 })
 if resp.code < 200 or resp.code >= 300:
 raise Exception('invalid response code ' + str(resp.code))
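Review bot: The hard-coded `b'http://127.0.0.1'` Origin only works because it satisfies the localhost-only origin regex that the same commit introduces in lib/ag-solo/web.js, and nothing in this file tells a reader about that coupling or why the real `controller_url` is no longer sent. Add above the headers dict: `# ag-solo accepts only localhost Origins (lib/ag-solo/web.js); this is a non-browser client, so the header is a handshake, not a security boundary.` Because the check is header-only, this client passes it even when `controller_url` points at a remote host, which is the expected limit of Origin checks (they constrain browsers, not arbitrary HTTP clients) but is worth stating so nobody later relies on it. The enclosing function starts before the hunk.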