feat: Allow specifying a custom CSP
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
This commit is contained in:
@@ -1,5 +1,6 @@
|
||||
package constants
|
||||
|
||||
const (
|
||||
// The branch to serve.
|
||||
PagesBranch = "pages"
|
||||
)
|
||||
|
||||
@@ -27,10 +27,23 @@ func makePageContentCacheEntry(username, path string) string {
|
||||
return username + ":" + path
|
||||
}
|
||||
|
||||
func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
|
||||
// Provide a default
|
||||
if path == "" {
|
||||
func addHeaders(csp, contentType string, w http.ResponseWriter) {
|
||||
w.Header().Set("Content-Type", contentType)
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
w.Header().Set("Strict-Transport-Security", "max-age=31536000")
|
||||
|
||||
if csp != "" {
|
||||
w.Header().Set("Content-Security-Policy", csp)
|
||||
}
|
||||
}
|
||||
|
||||
func ServeFile(username, reponame, path, defaultCsp string, giteaClient *repo.GiteaClient, w http.ResponseWriter) {
|
||||
// Provide a default file.
|
||||
switch {
|
||||
case path == "":
|
||||
path = "/index.html"
|
||||
case path[len(path)-1] == '/':
|
||||
path = path + "index.html"
|
||||
}
|
||||
|
||||
// Strip away a starting / as it messes with Gitea
|
||||
@@ -59,15 +72,17 @@ func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w
|
||||
path,
|
||||
since,
|
||||
)
|
||||
csp := repo.GetCSPForRepository(username, reponame, "", giteaClient)
|
||||
|
||||
if err != nil {
|
||||
if !found {
|
||||
log.Errorf("Failed to get file %s/%s/%s (%s)", username, reponame, path, err)
|
||||
addHeaders(csp, "text/html", w)
|
||||
w.WriteHeader(404)
|
||||
} else {
|
||||
log.Debugf("Request failed but page %s is cached in memory", path)
|
||||
addHeaders(csp, mimeType, w)
|
||||
w.WriteHeader(200)
|
||||
w.Header().Set("Content-Type", mimeType)
|
||||
w.Write(content)
|
||||
}
|
||||
|
||||
@@ -76,8 +91,8 @@ func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w
|
||||
|
||||
if found && !changed {
|
||||
log.Debugf("Page %s is unchanged and cached in memory", path)
|
||||
addHeaders(csp, mimeType, w)
|
||||
w.WriteHeader(200)
|
||||
w.Header().Set("Content-Type", mimeType)
|
||||
w.Write(content)
|
||||
return
|
||||
}
|
||||
@@ -98,7 +113,7 @@ func ServeFile(username, reponame, path string, giteaClient *repo.GiteaClient, w
|
||||
)
|
||||
|
||||
log.Debugf("Page %s requested from Gitea and cached in memory at %v", path, now)
|
||||
w.Header().Set("Content-Type", mimeType)
|
||||
addHeaders(csp, mimeType, w)
|
||||
w.WriteHeader(200)
|
||||
w.Write(content)
|
||||
}
|
||||
|
||||
@@ -18,6 +18,10 @@ var (
|
||||
|
||||
// Caching the existence of an user
|
||||
userCache = cache.New(24*time.Hour, 12*time.Hour)
|
||||
|
||||
// Caches the existence of a Content-Security-Policy
|
||||
// Mapping: Repository key -> CSPCacheEntry
|
||||
cspCache = cache.New(24*time.Hour, 12*time.Hour)
|
||||
)
|
||||
|
||||
type PageCacheEntry struct {
|
||||
@@ -25,10 +29,19 @@ type PageCacheEntry struct {
|
||||
Path string
|
||||
}
|
||||
|
||||
type CSPCacheEntry struct {
|
||||
CSP string
|
||||
LastRequested time.Time
|
||||
}
|
||||
|
||||
func makePageCacheKey(domain, path string) string {
|
||||
return domain + "/" + path
|
||||
}
|
||||
|
||||
func makeCSPCacheKey(username, repositoryName string) string {
|
||||
return username + ":" + repositoryName
|
||||
}
|
||||
|
||||
// / Try to find the repository with name @reponame of the user @username. If @cname
|
||||
// / is not "", then it also verifies that the repository contains a "CNAME" with
|
||||
// / the value of @cname as its content. @host, @domain, and @path are passed for
|
||||
@@ -164,3 +177,41 @@ func CanRequestCertificate(username string, giteaClient *GiteaClient) bool {
|
||||
}
|
||||
return hasUser
|
||||
}
|
||||
|
||||
// Checks the repository username/repository@PagesBranch for a file named CSP. If it exists,
|
||||
// read it and return the value. If it does not exist, return defaultCsp.
|
||||
func GetCSPForRepository(username, repositoryName, defaultCsp string, giteaClient *GiteaClient) string {
|
||||
key := makeCSPCacheKey(username, repositoryName)
|
||||
cachedCsp, found := cspCache.Get(key)
|
||||
var since time.Time
|
||||
if found {
|
||||
since = cachedCsp.(CSPCacheEntry).LastRequested
|
||||
}
|
||||
|
||||
fetchedCsp, changed, err := giteaClient.GetFile(
|
||||
username,
|
||||
repositoryName,
|
||||
constants.PagesBranch,
|
||||
"CSP",
|
||||
&since,
|
||||
)
|
||||
csp := ""
|
||||
if err != nil {
|
||||
if found {
|
||||
return cachedCsp.(CSPCacheEntry).CSP
|
||||
}
|
||||
|
||||
csp = defaultCsp
|
||||
} else {
|
||||
csp = string(fetchedCsp)
|
||||
|
||||
if !found || changed {
|
||||
cspCache.Set(key, CSPCacheEntry{
|
||||
CSP: csp,
|
||||
LastRequested: time.Now(),
|
||||
}, cache.DefaultExpiration)
|
||||
}
|
||||
}
|
||||
|
||||
return csp
|
||||
}
|
||||
|
||||
@@ -11,6 +11,7 @@ import (
|
||||
func clearCache() {
|
||||
pathCache.Flush()
|
||||
userCache.Flush()
|
||||
cspCache.Flush()
|
||||
}
|
||||
|
||||
func TestPickingCorrectRepositoryDefault(t *testing.T) {
|
||||
|
||||
Reference in New Issue
Block a user