feat: Allow specifying a custom CSP
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
This commit is contained in:
parent
fb54cc73f0
commit
308a72e1b5
@ -23,7 +23,7 @@ import (
|
||||
"github.com/urfave/cli/v2"
|
||||
)
|
||||
|
||||
func handleSubdomain(domain string, cname string, path, giteaUrl string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
|
||||
func handleSubdomain(domain, cname, path, giteaUrl, defaultCsp string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
|
||||
hostParts := strings.Split(domain, ".")
|
||||
username := hostParts[0]
|
||||
|
||||
@ -45,16 +45,16 @@ func handleSubdomain(domain string, cname string, path, giteaUrl string, giteaCl
|
||||
return
|
||||
}
|
||||
|
||||
pages.ServeFile(username, repo.Name, path, giteaClient, w)
|
||||
pages.ServeFile(username, repo.Name, path, defaultCsp, giteaClient, w)
|
||||
}
|
||||
|
||||
func Handler(pagesDomain, giteaUrl string, giteaClient *repo.GiteaClient) http.HandlerFunc {
|
||||
func Handler(pagesDomain, giteaUrl, defaultCsp string, giteaClient *repo.GiteaClient) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Header().Set("Server", "rio")
|
||||
|
||||
if strings.HasSuffix(req.Host, pagesDomain) {
|
||||
log.Debug("Domain can be directly handled")
|
||||
handleSubdomain(req.Host, "", req.URL.Path, giteaUrl, giteaClient, w)
|
||||
handleSubdomain(req.Host, "", req.URL.Path, giteaUrl, defaultCsp, giteaClient, w)
|
||||
return
|
||||
}
|
||||
|
||||
@ -68,7 +68,7 @@ func Handler(pagesDomain, giteaUrl string, giteaClient *repo.GiteaClient) http.H
|
||||
|
||||
if strings.HasSuffix(cname, pagesDomain) {
|
||||
log.Debugf("%s is alias of %s and can be handled after a CNAME query", req.Host, cname)
|
||||
handleSubdomain(cname, cname, req.URL.Path, giteaUrl, giteaClient, w)
|
||||
handleSubdomain(cname, cname, req.URL.Path, giteaUrl, defaultCsp, giteaClient, w)
|
||||
return
|
||||
}
|
||||
|
||||
@ -87,6 +87,7 @@ func runServer(ctx *cli.Context) error {
|
||||
acmeHost := ctx.String("acme-host")
|
||||
acmePort := ctx.String("acme-port")
|
||||
acmeDisable := ctx.Bool("acme-disable")
|
||||
defaultCsp := ctx.String("default-csp")
|
||||
|
||||
// Init Logging
|
||||
if ctx.Bool("debug") {
|
||||
@ -172,7 +173,7 @@ func runServer(ctx *cli.Context) error {
|
||||
listener = tls.NewListener(listener, tlsConfig)
|
||||
}
|
||||
|
||||
if err := http.Serve(listener, Handler(domain, giteaUrl, &giteaClient)); err != nil {
|
||||
if err := http.Serve(listener, Handler(domain, giteaUrl, defaultCsp, &giteaClient)); err != nil {
|
||||
fmt.Printf("Listening failed")
|
||||
return err
|
||||
}
|
||||
@ -254,6 +255,12 @@ func main() {
|
||||
Usage: "Whether to enable debug logging",
|
||||
EnvVars: []string{"DEBUG_ENABLE"},
|
||||
},
|
||||
&cli.StringFlag{
|
||||
Name: "default-csp",
|
||||
Usage: "The default CSP to include when sending HTTP responses",
|
||||
Value: "",
|
||||
EnvVars: []string{"DEFAULT_CSP"},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
|
@ -1,5 +1,6 @@
|
||||
package constants
|
||||
|
||||
const (
|
||||
// The branch to serve.
|
||||
PagesBranch = "pages"
|
||||
)
|
||||
|
@ -27,10 +27,23 @@ func makePageContentCacheEntry(username, path string) string {
|
||||
return username + ":" + path
|
||||
}
|
||||
|
||||
func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
|
||||
// Provide a default
|
||||
if path == "" {
|
||||
func addHeaders(csp, contentType string, w http.ResponseWriter) {
|
||||
w.Header().Set("Content-Type", contentType)
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
w.Header().Set("Strict-Transport-Security", "max-age=31536000")
|
||||
|
||||
if csp != "" {
|
||||
w.Header().Set("Content-Security-Policy", csp)
|
||||
}
|
||||
}
|
||||
|
||||
func ServeFile(username, reponame, path, defaultCsp string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
|
||||
// Provide a default file.
|
||||
switch {
|
||||
case path == "":
|
||||
path = "/index.html"
|
||||
case path[len(path)-1] == '/':
|
||||
path = path + "index.html"
|
||||
}
|
||||
|
||||
// Strip away a starting / as it messes with Gitea
|
||||
@ -59,15 +72,17 @@ func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w
|
||||
path,
|
||||
since,
|
||||
)
|
||||
csp := repo.GetCSPForRepository(username, reponame, "", giteaClient)
|
||||
|
||||
if err != nil {
|
||||
if !found {
|
||||
log.Errorf("Failed to get file %s/%s/%s (%s)", username, reponame, path, err)
|
||||
addHeaders(csp, "text/html", w)
|
||||
w.WriteHeader(404)
|
||||
} else {
|
||||
log.Debugf("Request failed but page %s is cached in memory", path)
|
||||
addHeaders(csp, mimeType, w)
|
||||
w.WriteHeader(200)
|
||||
w.Header().Set("Content-Type", mimeType)
|
||||
w.Write(content)
|
||||
}
|
||||
|
||||
@ -76,8 +91,8 @@ func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w
|
||||
|
||||
if found && !changed {
|
||||
log.Debugf("Page %s is unchanged and cached in memory", path)
|
||||
addHeaders(csp, mimeType, w)
|
||||
w.WriteHeader(200)
|
||||
w.Header().Set("Content-Type", mimeType)
|
||||
w.Write(content)
|
||||
return
|
||||
}
|
||||
@ -98,7 +113,7 @@ func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w
|
||||
)
|
||||
|
||||
log.Debugf("Page %s requested from Gitea and cached in memory at %v", path, now)
|
||||
w.Header().Set("Content-Type", mimeType)
|
||||
addHeaders(csp, mimeType, w)
|
||||
w.WriteHeader(200)
|
||||
w.Write(content)
|
||||
}
|
||||
|
@ -18,6 +18,10 @@ var (
|
||||
|
||||
// Caching the existence of an user
|
||||
userCache = cache.New(24*time.Hour, 12*time.Hour)
|
||||
|
||||
// Caches the existence of a Content-Security-Policy
|
||||
// Mapping: Repository key -> CSPCacheEntry
|
||||
cspCache = cache.New(24*time.Hour, 12*time.Hour)
|
||||
)
|
||||
|
||||
type PageCacheEntry struct {
|
||||
@ -25,10 +29,19 @@ type PageCacheEntry struct {
|
||||
Path string
|
||||
}
|
||||
|
||||
type CSPCacheEntry struct {
|
||||
CSP string
|
||||
LastRequested time.Time
|
||||
}
|
||||
|
||||
func makePageCacheKey(domain, path string) string {
|
||||
return domain + "/" + path
|
||||
}
|
||||
|
||||
func makeCSPCacheKey(username, repositoryName string) string {
|
||||
return username + ":" + repositoryName
|
||||
}
|
||||
|
||||
// / Try to find the repository with name @reponame of the user @username. If @cname
|
||||
// / is not "", then it also verifies that the repository contains a "CNAME" with
|
||||
// / the value of @cname as its content. @host, @domain, and @path are passed for
|
||||
@ -164,3 +177,41 @@ func CanRequestCertificate(username string, giteaClient *GiteaClient) bool {
|
||||
}
|
||||
return hasUser
|
||||
}
|
||||
|
||||
// Checks the repository username/repository@PagesBranch for a file named CSP. If it exists,
|
||||
// read it and return the value. If it does not exist, return defaultCsp.
|
||||
func GetCSPForRepository(username, repositoryName, defaultCsp string, giteaClient *GiteaClient) string {
|
||||
key := makeCSPCacheKey(username, repositoryName)
|
||||
cachedCsp, found := cspCache.Get(key)
|
||||
var since time.Time
|
||||
if found {
|
||||
since = cachedCsp.(CSPCacheEntry).LastRequested
|
||||
}
|
||||
|
||||
fetchedCsp, changed, err := giteaClient.GetFile(
|
||||
username,
|
||||
repositoryName,
|
||||
constants.PagesBranch,
|
||||
"CSP",
|
||||
&since,
|
||||
)
|
||||
csp := ""
|
||||
if err != nil {
|
||||
if found {
|
||||
return cachedCsp.(CSPCacheEntry).CSP
|
||||
}
|
||||
|
||||
csp = defaultCsp
|
||||
} else {
|
||||
csp = string(fetchedCsp)
|
||||
|
||||
if !found || changed {
|
||||
cspCache.Set(key, CSPCacheEntry{
|
||||
CSP: csp,
|
||||
LastRequested: time.Now(),
|
||||
}, cache.DefaultExpiration)
|
||||
}
|
||||
}
|
||||
|
||||
return csp
|
||||
}
|
||||
|
@ -11,6 +11,7 @@ import (
|
||||
func clearCache() {
|
||||
pathCache.Flush()
|
||||
userCache.Flush()
|
||||
cspCache.Flush()
|
||||
}
|
||||
|
||||
func TestPickingCorrectRepositoryDefault(t *testing.T) {
|
||||
|
Loading…
Reference in New Issue
Block a user