httpmw

package
v0.18.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 1, 2023 License: AGPL-3.0 Imports: 32 Imported by: 0

Documentation

Index

Constants

View Source 
const DevURLSessionTokenCookie = "coder_devurl_session_token"

The special cookie name used for subdomain-based application proxying. TODO: this will make dogfooding harder so come up with a more unique solution

View Source 
const (
	SignedOutErrorMessage = "You are signed out or your session has expired. Please sign in again to continue."
)

Variables

This section is empty.

Functions

func APIKey 

func APIKey(r *http.Request) database.APIKey

APIKey returns the API key from the ExtractAPIKey handler.

func APIKeyOptional added in v0.9.0 

func APIKeyOptional(r *http.Request) (database.APIKey, bool)

APIKeyOptional may return an API key from the ExtractAPIKey handler.

func AsAuthzSystem added in v0.17.2 

func AsAuthzSystem(mws ...func(http.Handler) http.Handler) func(http.Handler) http.Handler

AsAuthzSystem is a chained handler that temporarily sets the dbauthz context to System for the inner handlers, and resets the context afterwards.

TODO: Refactor the middleware functions to not require this. This is a bit of a kludge for now as some middleware functions require usage as a system user in some cases, but not all cases. To avoid large refactors, we use this middleware to temporarily set the context to a system.

func AttachAuthzCache added in v0.17.4 

func AttachAuthzCache(next http.Handler) http.Handler

AttachAuthzCache enables the authz cache for the authorizer. All rbac checks will run against the cache, meaning duplicate checks will not be performed.

Note the cache is safe for multiple actors. So mixing user and system checks is ok.

func AttachRequestID added in v0.8.12 

func AttachRequestID(next http.Handler) http.Handler

AttachRequestID adds a request ID to each HTTP request.

func CSRF added in v0.8.15 

func CSRF(secureCookie bool) func(next http.Handler) http.Handler

CSRF is a middleware that verifies that a CSRF token is present in the request for non-GET requests.

func EnsureXForwardedForHeader added in v0.11.0 

func EnsureXForwardedForHeader(req *http.Request) error

EnsureXForwardedForHeader ensures that the request has an X-Forwarded-For header. It uses the following logic:

  1. If we have a direct connection (remoteAddr == proxyAddr), then set it to remoteAddr
  2. If we have a proxied connection (remoteAddr != proxyAddr) and X-Forwarded-For doesn't begin with remoteAddr, then overwrite it with remoteAddr,proxyAddr
  3. If we have a proxied connection (remoteAddr != proxyAddr) and X-Forwarded-For begins with remoteAddr, then append proxyAddr to the original X-Forwarded-For header
  4. If X-Forwarded-Proto is not set, then it will be set to "https" if req.TLS != nil, otherwise it will be set to "http"

func ExtractAPIKey 

func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler

ExtractAPIKey requires authentication using a valid API key. It handles extending an API key if it comes close to expiry, updating the last used time in the database. nolint:revive

func ExtractGroupByNameParam added in v0.12.0 

func ExtractGroupByNameParam(db database.Store) func(http.Handler) http.Handler

func ExtractGroupParam added in v0.9.9 

func ExtractGroupParam(db database.Store) func(http.Handler) http.Handler

ExtraGroupParam grabs a group from the "group" URL parameter.

func ExtractOAuth2 added in v0.4.4 

func ExtractOAuth2(config OAuth2Config, client *http.Client) func(http.Handler) http.Handler

ExtractOAuth2 is a middleware for automatically redirecting to OAuth URLs, and handling the exchange inbound. Any route that does not have a "code" URL parameter will be redirected.

func ExtractOrganizationMemberParam added in v0.6.0 

func ExtractOrganizationMemberParam(db database.Store) func(http.Handler) http.Handler

ExtractOrganizationMemberParam grabs a user membership from the "organization" and "user" URL parameter. This middleware requires the ExtractUser and ExtractOrganization middleware higher in the stack

func ExtractOrganizationParam 

func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler

ExtractOrganizationParam grabs an organization from the "organization" URL parameter. This middleware requires the API key middleware higher in the call stack for authentication.

func ExtractRealIP added in v0.11.0 

func ExtractRealIP(config *RealIPConfig) func(next http.Handler) http.Handler

ExtractRealIP is a middleware that uses headers from reverse proxies to propagate origin IP address information, when configured to do so.

func ExtractRealIPAddress added in v0.11.0 

func ExtractRealIPAddress(config *RealIPConfig, req *http.Request) (net.IP, error)

ExtractRealIPAddress returns the original client address according to the configuration and headers. It does not mutate the original request.

func ExtractTemplateParam added in v0.4.0 

func ExtractTemplateParam(db database.Store) func(http.Handler) http.Handler

ExtractTemplateParam grabs a template from the "template" URL parameter.

func ExtractTemplateVersionParam added in v0.4.0 

func ExtractTemplateVersionParam(db database.Store) func(http.Handler) http.Handler

ExtractTemplateVersionParam grabs template version from the "templateversion" URL parameter.

func ExtractUserParam 

func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Handler) http.Handler

ExtractUserParam extracts a user from an ID/username in the {user} URL parameter.

func ExtractWorkspaceAgent 

func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceAgent requires authentication using a valid agent token.

func ExtractWorkspaceAgentParam added in v0.4.1 

func ExtractWorkspaceAgentParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceAgentParam grabs a workspace agent from the "workspaceagent" URL parameter.

func ExtractWorkspaceAndAgentParam added in v0.8.9 

func ExtractWorkspaceAndAgentParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceAndAgentParam grabs a workspace and an agent from the "workspace_and_agent" URL parameter. `ExtractUserParam` must be called before this. This can be in the form of:

  • "<workspace-name>.[workspace-agent]" : If multiple agents exist
  • "<workspace-name>" : If one agent exists

func ExtractWorkspaceBuildParam 

func ExtractWorkspaceBuildParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceBuildParam grabs workspace build from the "workspacebuild" URL parameter.

func ExtractWorkspaceParam 

func ExtractWorkspaceParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceParam grabs a workspace from the "workspace" URL parameter.

func ExtractWorkspaceResourceParam 

func ExtractWorkspaceResourceParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceResourceParam grabs a workspace resource from the "provisionerjob" URL parameter.

func FilterUntrustedOriginHeaders added in v0.11.0 

func FilterUntrustedOriginHeaders(config *RealIPConfig, req *http.Request)

FilterUntrustedOriginHeaders removes all known proxy headers from the request for untrusted origins, and ensures that only one copy of each proxy header is set.

func GroupParam added in v0.9.9 

func GroupParam(r *http.Request) database.Group

GroupParam returns the group extracted via the ExtraGroupParam middleware.

func HSTS added in v0.17.2 

func HSTS(next http.Handler, cfg HSTSConfig) http.Handler

HSTS will add the strict-transport-security header if enabled. This header forces a browser to always use https for the domain after it loads https once. Meaning: On first load of product.coder.com, they are redirected to https. On all subsequent loads, the client's local browser forces https. This prevents man in the middle.

This header only makes sense if the app is using tls.

Full header example: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

func Logger added in v0.8.10 

func Logger(log slog.Logger) func(next http.Handler) http.Handler

func OrganizationMemberParam 

func OrganizationMemberParam(r *http.Request) database.OrganizationMember

OrganizationMemberParam returns the organization membership that allowed the query from the ExtractOrganizationParam handler.

func OrganizationParam 

func OrganizationParam(r *http.Request) database.Organization

OrganizationParam returns the organization from the ExtractOrganizationParam handler.

func Prometheus added in v0.5.4 

func Prometheus(register prometheus.Registerer) func(http.Handler) http.Handler

func RateLimit added in v0.11.0 

func RateLimit(count int, window time.Duration) func(http.Handler) http.Handler

RateLimit returns a handler that limits requests per-minute based on IP, endpoint, and user ID (if available).

func Recover added in v0.8.10 

func Recover(log slog.Logger) func(h http.Handler) http.Handler

func RedirectToLogin added in v0.10.0 

func RedirectToLogin(rw http.ResponseWriter, r *http.Request, message string)

RedirectToLogin redirects the user to the login page with the `message` and `redirect` query parameters set.

func RequestID added in v0.8.12 

func RequestID(r *http.Request) uuid.UUID

RequestID returns the ID of the request.

func SplitAPIToken added in v0.9.0 

func SplitAPIToken(token string) (id string, secret string, err error)

SplitAPIToken verifies the format of an API key and returns the split ID and secret.

APIKeys are formatted: ${ID}-${SECRET}

func TemplateParam added in v0.4.0 

func TemplateParam(r *http.Request) database.Template

TemplateParam returns the template from the ExtractTemplateParam handler.

func TemplateVersionParam added in v0.4.0 

func TemplateVersionParam(r *http.Request) database.TemplateVersion

TemplateVersionParam returns the template version from the ExtractTemplateVersionParam handler.

func UserParam 

func UserParam(r *http.Request) database.User

UserParam returns the user from the ExtractUserParam handler.

func WorkspaceAgent 

func WorkspaceAgent(r *http.Request) database.WorkspaceAgent

WorkspaceAgent returns the workspace agent from the ExtractAgent handler.

func WorkspaceAgentParam added in v0.4.1 

func WorkspaceAgentParam(r *http.Request) database.WorkspaceAgent

WorkspaceAgentParam returns the workspace agent from the ExtractWorkspaceAgentParam handler.

func WorkspaceBuildParam 

func WorkspaceBuildParam(r *http.Request) database.WorkspaceBuild

WorkspaceBuildParam returns the workspace build from the ExtractWorkspaceBuildParam handler.

func WorkspaceParam 

func WorkspaceParam(r *http.Request) database.Workspace

WorkspaceParam returns the workspace from the ExtractWorkspaceParam handler.

func WorkspaceResourceParam 

func WorkspaceResourceParam(r *http.Request) database.WorkspaceResource

ProvisionerJobParam returns the template from the ExtractTemplateParam handler.

Types

type Authorization added in v0.9.0 

type Authorization struct {
	Actor rbac.Subject
	// Username is required for logging and human friendly related
	// identification.
	Username string
}

func UserAuthorization added in v0.9.0 

func UserAuthorization(r *http.Request) Authorization

UserAuthorization returns the roles and scope used for authorization. Depends on the ExtractAPIKey handler.

func UserAuthorizationOptional added in v0.9.0 

func UserAuthorizationOptional(r *http.Request) (Authorization, bool)

UserAuthorizationOptional may return the roles and scope used for authorization. Depends on the ExtractAPIKey handler.

type ExtractAPIKeyConfig added in v0.9.0 

type ExtractAPIKeyConfig struct {
	DB                          database.Store
	OAuth2Configs               *OAuth2Configs
	RedirectToLogin             bool
	DisableSessionExpiryRefresh bool

	// Optional governs whether the API key is optional. Use this if you want to
	// allow unauthenticated requests.
	//
	// If true and no session token is provided, nothing will be written to the
	// request context. Use the APIKeyOptional and UserAuthorizationOptional
	// functions to retrieve the API key and authorization instead of the
	// regular ones.
	//
	// If true and the API key is invalid (i.e. deleted, expired), the cookie
	// will be deleted and the request will continue. If the request is not a
	// cookie-based request, the request will be rejected with a 401.
	Optional bool
}

type HSTSConfig added in v0.17.2 

type HSTSConfig struct {
	// HeaderValue is an empty string if hsts header is disabled.
	HeaderValue string
}

func HSTSConfigOptions added in v0.17.2 

func HSTSConfigOptions(maxAge int, options []string) (HSTSConfig, error)

type OAuth2Config 

type OAuth2Config interface {
	AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string
	Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)
	TokenSource(context.Context, *oauth2.Token) oauth2.TokenSource
}

OAuth2Config exposes a subset of *oauth2.Config functions for easier testing. *oauth2.Config should be used instead of implementing this in production.

type OAuth2Configs added in v0.4.4 

type OAuth2Configs struct {
	Github OAuth2Config
	OIDC   OAuth2Config
}

OAuth2Configs is a collection of configurations for OAuth-based authentication. This should be extended to support other authentication types in the future.

type OAuth2State added in v0.4.4 

type OAuth2State struct {
	Token    *oauth2.Token
	Redirect string
}

func OAuth2 added in v0.4.4 

func OAuth2(r *http.Request) OAuth2State

OAuth2 returns the state from an oauth request.

type RealIPConfig added in v0.11.0 

type RealIPConfig struct {
	// TrustedOrigins is a list of networks that will be trusted. If
	// any non-trusted address supplies these headers, they will be
	// ignored.
	TrustedOrigins []*net.IPNet

	// TrustedHeaders lists headers that are trusted for forwarding
	// IP addresses. e.g. "CF-Connecting-IP", "True-Client-IP", etc.
	TrustedHeaders []string
}

RealIPConfig configures the search order for the function, which controls which headers to consider trusted.

func ParseRealIPConfig added in v0.11.0 

func ParseRealIPConfig(headers, origins []string) (*RealIPConfig, error)

ParseRealIPConfig takes a raw string array of headers and origins to produce a config.

type RealIPState added in v0.11.0 

type RealIPState struct {
	// Config is the configuration applied in the middleware. Consider
	// this read-only and do not modify.
	Config *RealIPConfig

	// OriginalRemoteAddr is the original RemoteAddr for the request.
	OriginalRemoteAddr string
}

RealIPState is the original state prior to modification by this middleware, useful for getting information about the connecting client if needed.

func RealIP added in v0.11.0 

func RealIP(ctx context.Context) *RealIPState

FromContext retrieves the state from the given context.Context.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.