feat: Allow specifying a custom CSP
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful

This commit is contained in:
PapaTutuWawa 2024-01-06 17:42:08 +01:00
parent fb54cc73f0
commit 308a72e1b5
5 changed files with 87 additions and 12 deletions

View File

@ -23,7 +23,7 @@ import (
"github.com/urfave/cli/v2"
)
func handleSubdomain(domain string, cname string, path, giteaUrl string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
func handleSubdomain(domain, cname, path, giteaUrl, defaultCsp string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
hostParts := strings.Split(domain, ".")
username := hostParts[0]
@ -45,16 +45,16 @@ func handleSubdomain(domain string, cname string, path, giteaUrl string, giteaCl
return
}
pages.ServeFile(username, repo.Name, path, giteaClient, w)
pages.ServeFile(username, repo.Name, path, defaultCsp, giteaClient, w)
}
func Handler(pagesDomain, giteaUrl string, giteaClient *repo.GiteaClient) http.HandlerFunc {
func Handler(pagesDomain, giteaUrl, defaultCsp string, giteaClient *repo.GiteaClient) http.HandlerFunc {
return func(w http.ResponseWriter, req *http.Request) {
w.Header().Set("Server", "rio")
if strings.HasSuffix(req.Host, pagesDomain) {
log.Debug("Domain can be directly handled")
handleSubdomain(req.Host, "", req.URL.Path, giteaUrl, giteaClient, w)
handleSubdomain(req.Host, "", req.URL.Path, giteaUrl, defaultCsp, giteaClient, w)
return
}
@ -68,7 +68,7 @@ func Handler(pagesDomain, giteaUrl string, giteaClient *repo.GiteaClient) http.H
if strings.HasSuffix(cname, pagesDomain) {
log.Debugf("%s is alias of %s and can be handled after a CNAME query", req.Host, cname)
handleSubdomain(cname, cname, req.URL.Path, giteaUrl, giteaClient, w)
handleSubdomain(cname, cname, req.URL.Path, giteaUrl, defaultCsp, giteaClient, w)
return
}
@ -87,6 +87,7 @@ func runServer(ctx *cli.Context) error {
acmeHost := ctx.String("acme-host")
acmePort := ctx.String("acme-port")
acmeDisable := ctx.Bool("acme-disable")
defaultCsp := ctx.String("default-csp")
// Init Logging
if ctx.Bool("debug") {
@ -172,7 +173,7 @@ func runServer(ctx *cli.Context) error {
listener = tls.NewListener(listener, tlsConfig)
}
if err := http.Serve(listener, Handler(domain, giteaUrl, &giteaClient)); err != nil {
if err := http.Serve(listener, Handler(domain, giteaUrl, defaultCsp, &giteaClient)); err != nil {
fmt.Printf("Listening failed")
return err
}
@ -254,6 +255,12 @@ func main() {
Usage: "Whether to enable debug logging",
EnvVars: []string{"DEBUG_ENABLE"},
},
&cli.StringFlag{
Name: "default-csp",
Usage: "The default CSP to include when sending HTTP responses",
Value: "",
EnvVars: []string{"DEFAULT_CSP"},
},
},
}

View File

@ -1,5 +1,6 @@
package constants
const (
// The branch to serve.
PagesBranch = "pages"
)

View File

@ -27,10 +27,23 @@ func makePageContentCacheEntry(username, path string) string {
return username + ":" + path
}
func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
// Provide a default
if path == "" {
func addHeaders(csp, contentType string, w http.ResponseWriter) {
w.Header().Set("Content-Type", contentType)
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Strict-Transport-Security", "max-age=31536000")
if csp != "" {
w.Header().Set("Content-Security-Policy", csp)
}
}
func ServeFile(username, reponame, path, defaultCsp string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
// Provide a default file.
switch {
case path == "":
path = "/index.html"
case path[len(path)-1] == '/':
path = path + "index.html"
}
// Strip away a starting / as it messes with Gitea
@ -59,15 +72,17 @@ func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w
path,
since,
)
csp := repo.GetCSPForRepository(username, reponame, "", giteaClient)
if err != nil {
if !found {
log.Errorf("Failed to get file %s/%s/%s (%s)", username, reponame, path, err)
addHeaders(csp, "text/html", w)
w.WriteHeader(404)
} else {
log.Debugf("Request failed but page %s is cached in memory", path)
addHeaders(csp, mimeType, w)
w.WriteHeader(200)
w.Header().Set("Content-Type", mimeType)
w.Write(content)
}
@ -76,8 +91,8 @@ func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w
if found && !changed {
log.Debugf("Page %s is unchanged and cached in memory", path)
addHeaders(csp, mimeType, w)
w.WriteHeader(200)
w.Header().Set("Content-Type", mimeType)
w.Write(content)
return
}
@ -98,7 +113,7 @@ func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w
)
log.Debugf("Page %s requested from Gitea and cached in memory at %v", path, now)
w.Header().Set("Content-Type", mimeType)
addHeaders(csp, mimeType, w)
w.WriteHeader(200)
w.Write(content)
}

View File

@ -18,6 +18,10 @@ var (
// Caching the existence of an user
userCache = cache.New(24*time.Hour, 12*time.Hour)
// Caches the existence of a Content-Security-Policy
// Mapping: Repository key -> CSPCacheEntry
cspCache = cache.New(24*time.Hour, 12*time.Hour)
)
type PageCacheEntry struct {
@ -25,10 +29,19 @@ type PageCacheEntry struct {
Path string
}
type CSPCacheEntry struct {
CSP string
LastRequested time.Time
}
func makePageCacheKey(domain, path string) string {
return domain + "/" + path
}
func makeCSPCacheKey(username, repositoryName string) string {
return username + ":" + repositoryName
}
// / Try to find the repository with name @reponame of the user @username. If @cname
// / is not "", then it also verifies that the repository contains a "CNAME" with
// / the value of @cname as its content. @host, @domain, and @path are passed for
@ -164,3 +177,41 @@ func CanRequestCertificate(username string, giteaClient *GiteaClient) bool {
}
return hasUser
}
// Checks the repository username/repository@PagesBranch for a file named CSP. If it exists,
// read it and return the value. If it does not exist, return defaultCsp.
func GetCSPForRepository(username, repositoryName, defaultCsp string, giteaClient *GiteaClient) string {
key := makeCSPCacheKey(username, repositoryName)
cachedCsp, found := cspCache.Get(key)
var since time.Time
if found {
since = cachedCsp.(CSPCacheEntry).LastRequested
}
fetchedCsp, changed, err := giteaClient.GetFile(
username,
repositoryName,
constants.PagesBranch,
"CSP",
&since,
)
csp := ""
if err != nil {
if found {
return cachedCsp.(CSPCacheEntry).CSP
}
csp = defaultCsp
} else {
csp = string(fetchedCsp)
if !found || changed {
cspCache.Set(key, CSPCacheEntry{
CSP: csp,
LastRequested: time.Now(),
}, cache.DefaultExpiration)
}
}
return csp
}

View File

@ -11,6 +11,7 @@ import (
func clearCache() {
pathCache.Flush()
userCache.Flush()
cspCache.Flush()
}
func TestPickingCorrectRepositoryDefault(t *testing.T) {