httpmw

package
v2.1.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 28, 2023 License: AGPL-3.0 Imports: 40 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// Server headers.
	AccessControlAllowOriginHeader      = "Access-Control-Allow-Origin"
	AccessControlAllowCredentialsHeader = "Access-Control-Allow-Credentials"
	AccessControlAllowMethodsHeader     = "Access-Control-Allow-Methods"
	AccessControlAllowHeadersHeader     = "Access-Control-Allow-Headers"
	VaryHeader                          = "Vary"

	// Client headers.
	OriginHeader                      = "Origin"
	AccessControlRequestMethodsHeader = "Access-Control-Request-Methods"
	AccessControlRequestHeadersHeader = "Access-Control-Request-Headers"
)
View Source 
const (
	SignedOutErrorMessage = "You are signed out or your session has expired. Please sign in again to continue."
)
View Source 
const (
	// WorkspaceProxyAuthTokenHeader is the auth header used for requests from
	// external workspace proxies.
	//
	// The format of an external proxy token is:
	//     <proxy id>:<proxy secret>
	//
	//nolint:gosec
	WorkspaceProxyAuthTokenHeader = "Coder-External-Proxy-Token"
)

Variables

This section is empty.

Functions

func APIKey 

func APIKey(r *http.Request) database.APIKey

APIKey returns the API key from the ExtractAPIKey handler.

func APIKeyFromRequest 

func APIKeyFromRequest(ctx context.Context, db database.Store, sessionTokenFunc func(r *http.Request) string, r *http.Request) (*database.APIKey, codersdk.Response, bool)

func APIKeyOptional 

func APIKeyOptional(r *http.Request) (database.APIKey, bool)

APIKeyOptional may return an API key from the ExtractAPIKey handler.

func APITokenFromRequest 

func APITokenFromRequest(r *http.Request) string

APITokenFromRequest returns the api token from the request. Find the session token from: 1: The cookie 1: The devurl cookie 3: The old cookie 4. The coder_session_token query parameter 5. The custom auth header

func AsAuthzSystem 

func AsAuthzSystem(mws ...func(http.Handler) http.Handler) func(http.Handler) http.Handler

AsAuthzSystem is a chained handler that temporarily sets the dbauthz context to System for the inner handlers, and resets the context afterwards.

TODO: Refactor the middleware functions to not require this. This is a bit of a kludge for now as some middleware functions require usage as a system user in some cases, but not all cases. To avoid large refactors, we use this middleware to temporarily set the context to a system.

func AttachRequestID 

func AttachRequestID(next http.Handler) http.Handler

AttachRequestID adds a request ID to each HTTP request.

func CSPHeaders 

func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Handler

CSPHeaders returns a middleware that sets the Content-Security-Policy header for coderd. It takes a function that allows adding supported external websocket hosts. This is primarily to support the terminal connecting to a workspace proxy.

func CSRF 

func CSRF(secureCookie bool) func(next http.Handler) http.Handler

CSRF is a middleware that verifies that a CSRF token is present in the request for non-GET requests.

func Cors 

func Cors(allowAll bool, origins ...string) func(next http.Handler) http.Handler

func EnsureXForwardedForHeader 

func EnsureXForwardedForHeader(req *http.Request) error

EnsureXForwardedForHeader ensures that the request has an X-Forwarded-For header. It uses the following logic:

  1. If we have a direct connection (remoteAddr == proxyAddr), then set it to remoteAddr
  2. If we have a proxied connection (remoteAddr != proxyAddr) and X-Forwarded-For doesn't begin with remoteAddr, then overwrite it with remoteAddr,proxyAddr
  3. If we have a proxied connection (remoteAddr != proxyAddr) and X-Forwarded-For begins with remoteAddr, then append proxyAddr to the original X-Forwarded-For header
  4. If X-Forwarded-Proto is not set, then it will be set to "https" if req.TLS != nil, otherwise it will be set to "http"

func ExtractAPIKeyMW 

func ExtractAPIKeyMW(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler

ExtractAPIKeyMW calls ExtractAPIKey with the given config on each request, storing the result in the request context.

func ExtractGitAuthParam 

func ExtractGitAuthParam(configs []*gitauth.Config) func(next http.Handler) http.Handler

func ExtractGroupByNameParam 

func ExtractGroupByNameParam(db database.Store) func(http.Handler) http.Handler

func ExtractGroupParam 

func ExtractGroupParam(db database.Store) func(http.Handler) http.Handler

ExtraGroupParam grabs a group from the "group" URL parameter.

func ExtractOAuth2 

func ExtractOAuth2(config OAuth2Config, client *http.Client, authURLOpts map[string]string) func(http.Handler) http.Handler

ExtractOAuth2 is a middleware for automatically redirecting to OAuth URLs, and handling the exchange inbound. Any route that does not have a "code" URL parameter will be redirected. AuthURLOpts are passed to the AuthCodeURL function. If this is nil, the default option oauth2.AccessTypeOffline will be used.

func ExtractOrganizationMemberParam 

func ExtractOrganizationMemberParam(db database.Store) func(http.Handler) http.Handler

ExtractOrganizationMemberParam grabs a user membership from the "organization" and "user" URL parameter. This middleware requires the ExtractUser and ExtractOrganization middleware higher in the stack

func ExtractOrganizationParam 

func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler

ExtractOrganizationParam grabs an organization from the "organization" URL parameter. This middleware requires the API key middleware higher in the call stack for authentication.

func ExtractRealIP 

func ExtractRealIP(config *RealIPConfig) func(next http.Handler) http.Handler

ExtractRealIP is a middleware that uses headers from reverse proxies to propagate origin IP address information, when configured to do so.

func ExtractRealIPAddress 

func ExtractRealIPAddress(config *RealIPConfig, req *http.Request) (net.IP, error)

ExtractRealIPAddress returns the original client address according to the configuration and headers. It does not mutate the original request.

func ExtractTemplateParam 

func ExtractTemplateParam(db database.Store) func(http.Handler) http.Handler

ExtractTemplateParam grabs a template from the "template" URL parameter.

func ExtractTemplateVersionParam 

func ExtractTemplateVersionParam(db database.Store) func(http.Handler) http.Handler

ExtractTemplateVersionParam grabs template version from the "templateversion" URL parameter.

func ExtractUserParam 

func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Handler) http.Handler

ExtractUserParam extracts a user from an ID/username in the {user} URL parameter.

func ExtractWorkspaceAgent 

func ExtractWorkspaceAgent(opts ExtractWorkspaceAgentConfig) func(http.Handler) http.Handler

ExtractWorkspaceAgent requires authentication using a valid agent token.

func ExtractWorkspaceAgentParam 

func ExtractWorkspaceAgentParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceAgentParam grabs a workspace agent from the "workspaceagent" URL parameter.

func ExtractWorkspaceAndAgentParam 

func ExtractWorkspaceAndAgentParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceAndAgentParam grabs a workspace and an agent from the "workspace_and_agent" URL parameter. `ExtractUserParam` must be called before this. This can be in the form of:

  • "<workspace-name>.[workspace-agent]" : If multiple agents exist
  • "<workspace-name>" : If one agent exists

func ExtractWorkspaceBuildParam 

func ExtractWorkspaceBuildParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceBuildParam grabs workspace build from the "workspacebuild" URL parameter.

func ExtractWorkspaceParam 

func ExtractWorkspaceParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceParam grabs a workspace from the "workspace" URL parameter.

func ExtractWorkspaceProxy 

func ExtractWorkspaceProxy(opts ExtractWorkspaceProxyConfig) func(http.Handler) http.Handler

ExtractWorkspaceProxy extracts the external workspace proxy from the request using the external proxy auth token header.

func ExtractWorkspaceProxyParam 

func ExtractWorkspaceProxyParam(db database.Store, deploymentID string, fetchPrimaryProxy func(ctx context.Context) (database.WorkspaceProxy, error)) func(http.Handler) http.Handler

ExtractWorkspaceProxyParam extracts a workspace proxy from an ID/name in the {workspaceproxy} URL parameter.

func ExtractWorkspaceResourceParam 

func ExtractWorkspaceResourceParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceResourceParam grabs a workspace resource from the "provisionerjob" URL parameter.

func FilterUntrustedOriginHeaders 

func FilterUntrustedOriginHeaders(config *RealIPConfig, req *http.Request)

FilterUntrustedOriginHeaders removes all known proxy headers from the request for untrusted origins, and ensures that only one copy of each proxy header is set.

func GitAuthParam 

func GitAuthParam(r *http.Request) *gitauth.Config

func GroupParam 

func GroupParam(r *http.Request) database.Group

GroupParam returns the group extracted via the ExtraGroupParam middleware.

func HSTS 

func HSTS(next http.Handler, cfg HSTSConfig) http.Handler

HSTS will add the strict-transport-security header if enabled. This header forces a browser to always use https for the domain after it loads https once. Meaning: On first load of product.coder.com, they are redirected to https. On all subsequent loads, the client's local browser forces https. This prevents man in the middle.

This header only makes sense if the app is using tls.

Full header example: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

func Logger 

func Logger(log slog.Logger) func(next http.Handler) http.Handler

func OrganizationMemberParam 

func OrganizationMemberParam(r *http.Request) database.OrganizationMember

OrganizationMemberParam returns the organization membership that allowed the query from the ExtractOrganizationParam handler.

func OrganizationParam 

func OrganizationParam(r *http.Request) database.Organization

OrganizationParam returns the organization from the ExtractOrganizationParam handler.

func ParseUUIDParam 

func ParseUUIDParam(rw http.ResponseWriter, r *http.Request, param string) (uuid.UUID, bool)

ParseUUIDParam consumes a url parameter and parses it as a UUID.

func Prometheus 

func Prometheus(register prometheus.Registerer) func(http.Handler) http.Handler

func RateLimit 

func RateLimit(count int, window time.Duration) func(http.Handler) http.Handler

RateLimit returns a handler that limits requests per-minute based on IP, endpoint, and user ID (if available).

func Recover 

func Recover(log slog.Logger) func(h http.Handler) http.Handler

func RedirectToLogin 

func RedirectToLogin(rw http.ResponseWriter, r *http.Request, dashboardURL *url.URL, message string)

RedirectToLogin redirects the user to the login page with the `message` and `redirect` query parameters set.

If dashboardURL is nil, the redirect will be relative to the current request's host. If it is not nil, the redirect will be absolute with dashboard url as the host.

func ReportCLITelemetry 

func ReportCLITelemetry(log slog.Logger, rep telemetry.Reporter) func(http.Handler) http.Handler

func RequestID 

func RequestID(r *http.Request) uuid.UUID

RequestID returns the ID of the request.

func RequireAPIKeyOrWorkspaceAgent 

func RequireAPIKeyOrWorkspaceAgent() func(http.Handler) http.Handler

RequireAPIKeyOrWorkspaceAgent is middleware that should be inserted after optional ExtractAPIKey and ExtractWorkspaceAgent middlewares to ensure one of the two is provided.

If both are provided an error is returned to avoid misuse.

func RequireAPIKeyOrWorkspaceProxyAuth 

func RequireAPIKeyOrWorkspaceProxyAuth() func(http.Handler) http.Handler

RequireAPIKeyOrWorkspaceProxyAuth is middleware that should be inserted after optional ExtractAPIKey and ExtractWorkspaceProxy middlewares to ensure one of the two authentication methods is provided.

If both are provided, an error is returned to avoid misuse.

func SplitAPIToken 

func SplitAPIToken(token string) (id string, secret string, err error)

SplitAPIToken verifies the format of an API key and returns the split ID and secret.

APIKeys are formatted: ${ID}-${SECRET}

func TemplateParam 

func TemplateParam(r *http.Request) database.Template

TemplateParam returns the template from the ExtractTemplateParam handler.

func TemplateVersionParam 

func TemplateVersionParam(r *http.Request) database.TemplateVersion

TemplateVersionParam returns the template version from the ExtractTemplateVersionParam handler.

func UserParam 

func UserParam(r *http.Request) database.User

UserParam returns the user from the ExtractUserParam handler.

func WorkspaceAgent 

func WorkspaceAgent(r *http.Request) database.WorkspaceAgent

WorkspaceAgent returns the workspace agent from the ExtractAgent handler.

func WorkspaceAgentOptional 

func WorkspaceAgentOptional(r *http.Request) (database.WorkspaceAgent, bool)

func WorkspaceAgentParam 

func WorkspaceAgentParam(r *http.Request) database.WorkspaceAgent

WorkspaceAgentParam returns the workspace agent from the ExtractWorkspaceAgentParam handler.

func WorkspaceAppCors 

func WorkspaceAppCors(regex *regexp.Regexp, app httpapi.ApplicationURL) func(next http.Handler) http.Handler

func WorkspaceBuildParam 

func WorkspaceBuildParam(r *http.Request) database.WorkspaceBuild

WorkspaceBuildParam returns the workspace build from the ExtractWorkspaceBuildParam handler.

func WorkspaceParam 

func WorkspaceParam(r *http.Request) database.Workspace

WorkspaceParam returns the workspace from the ExtractWorkspaceParam handler.

func WorkspaceProxy 

func WorkspaceProxy(r *http.Request) database.WorkspaceProxy

WorkspaceProxy returns the workspace proxy from the ExtractWorkspaceProxy middleware.

func WorkspaceProxyOptional 

func WorkspaceProxyOptional(r *http.Request) (database.WorkspaceProxy, bool)

WorkspaceProxyOptional may return the workspace proxy from the ExtractWorkspaceProxy middleware.

func WorkspaceProxyParam 

func WorkspaceProxyParam(r *http.Request) database.WorkspaceProxy

WorkspaceProxyParam returns the worksace proxy from the ExtractWorkspaceProxyParam handler.

func WorkspaceResourceParam 

func WorkspaceResourceParam(r *http.Request) database.WorkspaceResource

ProvisionerJobParam returns the template from the ExtractTemplateParam handler.

Types

type Authorization 

type Authorization struct {
	Actor rbac.Subject
	// ActorName is required for logging and human friendly related identification.
	// It is usually the "username" of the user, but it can be the name of the
	// external workspace proxy or other service type actor.
	ActorName string
}

func ExtractAPIKey 

func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyConfig) (*database.APIKey, *Authorization, bool)

ExtractAPIKey requires authentication using a valid API key. It handles extending an API key if it comes close to expiry, updating the last used time in the database.

If the configuration specifies that the API key is optional, a nil API key and authz object may be returned. False is returned if a response was written to the request and the caller should give up. nolint:revive

func UserAuthorization 

func UserAuthorization(r *http.Request) Authorization

UserAuthorization returns the roles and scope used for authorization. Depends on the ExtractAPIKey handler.

func UserAuthorizationOptional 

func UserAuthorizationOptional(r *http.Request) (Authorization, bool)

UserAuthorizationOptional may return the roles and scope used for authorization. Depends on the ExtractAPIKey handler.

type CSPFetchDirective 

type CSPFetchDirective string

CSPFetchDirective is the list of all constant fetch directives that can be used/appended to.

type ExtractAPIKeyConfig 

type ExtractAPIKeyConfig struct {
	DB                          database.Store
	OAuth2Configs               *OAuth2Configs
	RedirectToLogin             bool
	DisableSessionExpiryRefresh bool

	// Optional governs whether the API key is optional. Use this if you want to
	// allow unauthenticated requests.
	//
	// If true and no session token is provided, nothing will be written to the
	// request context. Use the APIKeyOptional and UserAuthorizationOptional
	// functions to retrieve the API key and authorization instead of the
	// regular ones.
	//
	// If true and the API key is invalid (i.e. deleted, expired), the cookie
	// will be deleted and the request will continue. If the request is not a
	// cookie-based request, the request will be rejected with a 401.
	Optional bool

	// SessionTokenFunc is a custom function that can be used to extract the API
	// key. If nil, the default behavior is used.
	SessionTokenFunc func(r *http.Request) string
}

type ExtractWorkspaceAgentConfig 

type ExtractWorkspaceAgentConfig struct {
	DB database.Store
	// Optional indicates whether the middleware should be optional.  If true, any
	// requests without the a token or with an invalid token will be allowed to
	// continue and no workspace agent will be set on the request context.
	Optional bool
}

type ExtractWorkspaceProxyConfig 

type ExtractWorkspaceProxyConfig struct {
	DB database.Store
	// Optional indicates whether the middleware should be optional. If true,
	// any requests without the external proxy auth token header will be
	// allowed to continue and no workspace proxy will be set on the request
	// context.
	Optional bool
}

type HSTSConfig 

type HSTSConfig struct {
	// HeaderValue is an empty string if hsts header is disabled.
	HeaderValue string
}

func HSTSConfigOptions 

func HSTSConfigOptions(maxAge int, options []string) (HSTSConfig, error)

type OAuth2Config 

type OAuth2Config interface {
	AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string
	Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)
	TokenSource(context.Context, *oauth2.Token) oauth2.TokenSource
}

OAuth2Config exposes a subset of *oauth2.Config functions for easier testing. *oauth2.Config should be used instead of implementing this in production.

type OAuth2Configs 

type OAuth2Configs struct {
	Github OAuth2Config
	OIDC   OAuth2Config
}

OAuth2Configs is a collection of configurations for OAuth-based authentication. This should be extended to support other authentication types in the future.

func (*OAuth2Configs) IsZero 

func (c *OAuth2Configs) IsZero() bool

type OAuth2State 

type OAuth2State struct {
	Token       *oauth2.Token
	Redirect    string
	StateString string
}

func OAuth2 

func OAuth2(r *http.Request) OAuth2State

OAuth2 returns the state from an oauth request.

type RealIPConfig 

type RealIPConfig struct {
	// TrustedOrigins is a list of networks that will be trusted. If
	// any non-trusted address supplies these headers, they will be
	// ignored.
	TrustedOrigins []*net.IPNet

	// TrustedHeaders lists headers that are trusted for forwarding
	// IP addresses. e.g. "CF-Connecting-IP", "True-Client-IP", etc.
	TrustedHeaders []string
}

RealIPConfig configures the search order for the function, which controls which headers to consider trusted.

func ParseRealIPConfig 

func ParseRealIPConfig(headers, origins []string) (*RealIPConfig, error)

ParseRealIPConfig takes a raw string array of headers and origins to produce a config.

type RealIPState 

type RealIPState struct {
	// Config is the configuration applied in the middleware. Consider
	// this read-only and do not modify.
	Config *RealIPConfig

	// OriginalRemoteAddr is the original RemoteAddr for the request.
	OriginalRemoteAddr string
}

RealIPState is the original state prior to modification by this middleware, useful for getting information about the connecting client if needed.

func RealIP 

func RealIP(ctx context.Context) *RealIPState

FromContext retrieves the state from the given context.Context.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.