Allow to configure other valids referrers for HTTPS

[Et7f3]

This check was added to protect against possible CRSF

However it doesn't works well behind a proxy like we saw here. This change allow to define multiple valid referers (that would solve the issue) but also related issued https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VN3RXS36GFK4JMZCCSHPJ3DKLSBEXDE4/ in the precedent message the user have to comment this check to have a working freeipa. Better to accept multiple referers so it works.

I remember comment about kerberos might not work for the added domains. Since we don't use kerberos we are not affected. It seems still possible to configure it.

User with kerberos won't see change because they will keep using the classical name.

possible improvements:

• use only one field ? I see it in many place so I think it is safest to add a non-conflicting field. It also don't overload usage.
• Is it really optional ?
• Do we extend config.Env to support list ?
• strip space between value ? Or don't and apply like the manual show ?

[Et7f3]

We might not show the sub_folder aspect to be future proof ?

[abbra]

Frankly speaking, I don't like to add a half-baked solution. A proper support for multi-host setup (including reverse proxying) would need to take into account more than just a referrer aliases. Please see https://vda.li/en/posts/2023/08/16/Support-multi-homed-FreeIPA-Server/ for an analysis I did.

More comments:

• env constant definition is missing. This means if allowed_referers is not present in the config, api.env.allowed_referers will throw an exception:

>>> api.env.allowed_referers
Traceback (most recent call last):
  File "<console>", line 1, in <module>
AttributeError: 'Env' object has no attribute 'allowed_referers'

The discussion you are linking to has a reference to my old draft PR (https://github.com/abbra/freeipa/pull/9/files) which implements most part of the aliasing support already.

• please follow https://www.freeipa.org/page/Contribute/Code#commit-message-requirements when writing commit messages
• please sign-off the commit (git commit -s)

[abbra]

This is actually can be seen in the CI tests:

[Thu May 16 18:23:27.406873 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302] ipa: ERROR: WSGI jsonserver_kerb.__call__():
[Thu May 16 18:23:27.406901 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302] Traceback (most recent call last):
[Thu May 16 18:23:27.406916 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302]   File "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 498, in __call__
[Thu May 16 18:23:27.406921 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302]     response = self.wsgi_execute(environ)
[Thu May 16 18:23:27.406925 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302]                ^^^^^^^^^^^^^^^^^^^^^^^^^^
[Thu May 16 18:23:27.406930 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302]   File "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 394, in wsgi_execute
[Thu May 16 18:23:27.406934 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302]     allowed_referers = self.api.env.allowed_referers.split(',')
[Thu May 16 18:23:27.406938 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302]                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Thu May 16 18:23:27.406943 2024] [wsgi:error] [pid 7089:tid 7403] [remote 2001:db8:1:1::2:60302] AttributeError: 'Env' object has no attribute 'allowed_referers'