httpmw

package
v0.26.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 21, 2023 License: AGPL-3.0 Imports: 40 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// Server headers.
	AccessControlAllowOriginHeader      = "Access-Control-Allow-Origin"
	AccessControlAllowCredentialsHeader = "Access-Control-Allow-Credentials"
	AccessControlAllowMethodsHeader     = "Access-Control-Allow-Methods"
	AccessControlAllowHeadersHeader     = "Access-Control-Allow-Headers"
	VaryHeader                          = "Vary"

	// Client headers.
	OriginHeader                      = "Origin"
	AccessControlRequestMethodsHeader = "Access-Control-Request-Methods"
	AccessControlRequestHeadersHeader = "Access-Control-Request-Headers"
)
View Source 
const (
	SignedOutErrorMessage = "You are signed out or your session has expired. Please sign in again to continue."
)
View Source 
const (
	// WorkspaceProxyAuthTokenHeader is the auth header used for requests from
	// external workspace proxies.
	//
	// The format of an external proxy token is:
	//     <proxy id>:<proxy secret>
	//
	//nolint:gosec
	WorkspaceProxyAuthTokenHeader = "Coder-External-Proxy-Token"
)

Variables

This section is empty.

Functions

func APIKey 

func APIKey(r *http.Request) database.APIKey

APIKey returns the API key from the ExtractAPIKey handler.

func APIKeyOptional added in v0.9.0 

func APIKeyOptional(r *http.Request) (database.APIKey, bool)

APIKeyOptional may return an API key from the ExtractAPIKey handler.

func APITokenFromRequest added in v0.23.0 

func APITokenFromRequest(r *http.Request) string

APITokenFromRequest returns the api token from the request. Find the session token from: 1: The cookie 1: The devurl cookie 3: The old cookie 4. The coder_session_token query parameter 5. The custom auth header

func AsAuthzSystem added in v0.17.2 

func AsAuthzSystem(mws ...func(http.Handler) http.Handler) func(http.Handler) http.Handler

AsAuthzSystem is a chained handler that temporarily sets the dbauthz context to System for the inner handlers, and resets the context afterwards.

TODO: Refactor the middleware functions to not require this. This is a bit of a kludge for now as some middleware functions require usage as a system user in some cases, but not all cases. To avoid large refactors, we use this middleware to temporarily set the context to a system.

func AttachRequestID added in v0.8.12 

func AttachRequestID(next http.Handler) http.Handler

AttachRequestID adds a request ID to each HTTP request.

func CSPHeaders added in v0.23.1 

func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Handler

CSPHeaders returns a middleware that sets the Content-Security-Policy header for coderd. It takes a function that allows adding supported external websocket hosts. This is primarily to support the terminal connecting to a workspace proxy.

func CSRF added in v0.8.15 

func CSRF(secureCookie bool) func(next http.Handler) http.Handler

CSRF is a middleware that verifies that a CSRF token is present in the request for non-GET requests.

func Cors added in v0.23.6 

func Cors(allowAll bool, origins ...string) func(next http.Handler) http.Handler

func EnsureXForwardedForHeader added in v0.11.0 

func EnsureXForwardedForHeader(req *http.Request) error

EnsureXForwardedForHeader ensures that the request has an X-Forwarded-For header. It uses the following logic:

  1. If we have a direct connection (remoteAddr == proxyAddr), then set it to remoteAddr
  2. If we have a proxied connection (remoteAddr != proxyAddr) and X-Forwarded-For doesn't begin with remoteAddr, then overwrite it with remoteAddr,proxyAddr
  3. If we have a proxied connection (remoteAddr != proxyAddr) and X-Forwarded-For begins with remoteAddr, then append proxyAddr to the original X-Forwarded-For header
  4. If X-Forwarded-Proto is not set, then it will be set to "https" if req.TLS != nil, otherwise it will be set to "http"

func ExtractAPIKeyMW added in v0.19.0 

func ExtractAPIKeyMW(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler

ExtractAPIKeyMW calls ExtractAPIKey with the given config on each request, storing the result in the request context.

func ExtractGitAuthParam added in v0.25.0 

func ExtractGitAuthParam(configs []*gitauth.Config) func(next http.Handler) http.Handler

func ExtractGroupByNameParam added in v0.12.0 

func ExtractGroupByNameParam(db database.Store) func(http.Handler) http.Handler

func ExtractGroupParam added in v0.9.9 

func ExtractGroupParam(db database.Store) func(http.Handler) http.Handler

ExtraGroupParam grabs a group from the "group" URL parameter.

func ExtractOAuth2 added in v0.4.4 

func ExtractOAuth2(config OAuth2Config, client *http.Client, authURLOpts map[string]string) func(http.Handler) http.Handler

ExtractOAuth2 is a middleware for automatically redirecting to OAuth URLs, and handling the exchange inbound. Any route that does not have a "code" URL parameter will be redirected. AuthURLOpts are passed to the AuthCodeURL function. If this is nil, the default option oauth2.AccessTypeOffline will be used.

func ExtractOrganizationMemberParam added in v0.6.0 

func ExtractOrganizationMemberParam(db database.Store) func(http.Handler) http.Handler

ExtractOrganizationMemberParam grabs a user membership from the "organization" and "user" URL parameter. This middleware requires the ExtractUser and ExtractOrganization middleware higher in the stack

func ExtractOrganizationParam 

func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler

ExtractOrganizationParam grabs an organization from the "organization" URL parameter. This middleware requires the API key middleware higher in the call stack for authentication.

func ExtractRealIP added in v0.11.0 

func ExtractRealIP(config *RealIPConfig) func(next http.Handler) http.Handler

ExtractRealIP is a middleware that uses headers from reverse proxies to propagate origin IP address information, when configured to do so.

func ExtractRealIPAddress added in v0.11.0 

func ExtractRealIPAddress(config *RealIPConfig, req *http.Request) (net.IP, error)

ExtractRealIPAddress returns the original client address according to the configuration and headers. It does not mutate the original request.

func ExtractTemplateParam added in v0.4.0 

func ExtractTemplateParam(db database.Store) func(http.Handler) http.Handler

ExtractTemplateParam grabs a template from the "template" URL parameter.

func ExtractTemplateVersionParam added in v0.4.0 

func ExtractTemplateVersionParam(db database.Store) func(http.Handler) http.Handler

ExtractTemplateVersionParam grabs template version from the "templateversion" URL parameter.

func ExtractUserParam 

func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Handler) http.Handler

ExtractUserParam extracts a user from an ID/username in the {user} URL parameter.

func ExtractWorkspaceAgent 

func ExtractWorkspaceAgent(opts ExtractWorkspaceAgentConfig) func(http.Handler) http.Handler

ExtractWorkspaceAgent requires authentication using a valid agent token.

func ExtractWorkspaceAgentParam added in v0.4.1 

func ExtractWorkspaceAgentParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceAgentParam grabs a workspace agent from the "workspaceagent" URL parameter.

func ExtractWorkspaceAndAgentParam added in v0.8.9 

func ExtractWorkspaceAndAgentParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceAndAgentParam grabs a workspace and an agent from the "workspace_and_agent" URL parameter. `ExtractUserParam` must be called before this. This can be in the form of:

  • "<workspace-name>.[workspace-agent]" : If multiple agents exist
  • "<workspace-name>" : If one agent exists

func ExtractWorkspaceBuildParam 

func ExtractWorkspaceBuildParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceBuildParam grabs workspace build from the "workspacebuild" URL parameter.

func ExtractWorkspaceParam 

func ExtractWorkspaceParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceParam grabs a workspace from the "workspace" URL parameter.

func ExtractWorkspaceProxy added in v0.23.0 

func ExtractWorkspaceProxy(opts ExtractWorkspaceProxyConfig) func(http.Handler) http.Handler

ExtractWorkspaceProxy extracts the external workspace proxy from the request using the external proxy auth token header.

func ExtractWorkspaceProxyParam added in v0.23.0 

func ExtractWorkspaceProxyParam(db database.Store, deploymentID string, fetchPrimaryProxy func(ctx context.Context) (database.WorkspaceProxy, error)) func(http.Handler) http.Handler

ExtractWorkspaceProxyParam extracts a workspace proxy from an ID/name in the {workspaceproxy} URL parameter.

func ExtractWorkspaceResourceParam 

func ExtractWorkspaceResourceParam(db database.Store) func(http.Handler) http.Handler

ExtractWorkspaceResourceParam grabs a workspace resource from the "provisionerjob" URL parameter.

func FilterUntrustedOriginHeaders added in v0.11.0 

func FilterUntrustedOriginHeaders(config *RealIPConfig, req *http.Request)

FilterUntrustedOriginHeaders removes all known proxy headers from the request for untrusted origins, and ensures that only one copy of each proxy header is set.

func GitAuthParam added in v0.25.0 

func GitAuthParam(r *http.Request) *gitauth.Config

func GroupParam added in v0.9.9 

func GroupParam(r *http.Request) database.Group

GroupParam returns the group extracted via the ExtraGroupParam middleware.

func HSTS added in v0.17.2 

func HSTS(next http.Handler, cfg HSTSConfig) http.Handler

HSTS will add the strict-transport-security header if enabled. This header forces a browser to always use https for the domain after it loads https once. Meaning: On first load of product.coder.com, they are redirected to https. On all subsequent loads, the client's local browser forces https. This prevents man in the middle.

This header only makes sense if the app is using tls.

Full header example: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

func Logger added in v0.8.10 

func Logger(log slog.Logger) func(next http.Handler) http.Handler

func OrganizationMemberParam 

func OrganizationMemberParam(r *http.Request) database.OrganizationMember

OrganizationMemberParam returns the organization membership that allowed the query from the ExtractOrganizationParam handler.

func OrganizationParam 

func OrganizationParam(r *http.Request) database.Organization

OrganizationParam returns the organization from the ExtractOrganizationParam handler.

func ParseUUIDParam added in v0.26.2 

func ParseUUIDParam(rw http.ResponseWriter, r *http.Request, param string) (uuid.UUID, bool)

ParseUUIDParam consumes a url parameter and parses it as a UUID.

func Prometheus added in v0.5.4 

func Prometheus(register prometheus.Registerer) func(http.Handler) http.Handler

func RateLimit added in v0.11.0 

func RateLimit(count int, window time.Duration) func(http.Handler) http.Handler

RateLimit returns a handler that limits requests per-minute based on IP, endpoint, and user ID (if available).

func Recover added in v0.8.10 

func Recover(log slog.Logger) func(h http.Handler) http.Handler

func RedirectToLogin added in v0.10.0 

func RedirectToLogin(rw http.ResponseWriter, r *http.Request, dashboardURL *url.URL, message string)

RedirectToLogin redirects the user to the login page with the `message` and `redirect` query parameters set.

If dashboardURL is nil, the redirect will be relative to the current request's host. If it is not nil, the redirect will be absolute with dashboard url as the host.

func ReportCLITelemetry added in v0.23.6 

func ReportCLITelemetry(log slog.Logger, rep telemetry.Reporter) func(http.Handler) http.Handler

func RequestID added in v0.8.12 

func RequestID(r *http.Request) uuid.UUID

RequestID returns the ID of the request.

func RequireAPIKeyOrWorkspaceAgent added in v0.25.0 

func RequireAPIKeyOrWorkspaceAgent() func(http.Handler) http.Handler

RequireAPIKeyOrWorkspaceAgent is middleware that should be inserted after optional ExtractAPIKey and ExtractWorkspaceAgent middlewares to ensure one of the two is provided.

If both are provided an error is returned to avoid misuse.

func RequireAPIKeyOrWorkspaceProxyAuth added in v0.23.0 

func RequireAPIKeyOrWorkspaceProxyAuth() func(http.Handler) http.Handler

RequireAPIKeyOrWorkspaceProxyAuth is middleware that should be inserted after optional ExtractAPIKey and ExtractWorkspaceProxy middlewares to ensure one of the two authentication methods is provided.

If both are provided, an error is returned to avoid misuse.

func SplitAPIToken added in v0.9.0 

func SplitAPIToken(token string) (id string, secret string, err error)

SplitAPIToken verifies the format of an API key and returns the split ID and secret.

APIKeys are formatted: ${ID}-${SECRET}

func TemplateParam added in v0.4.0 

func TemplateParam(r *http.Request) database.Template

TemplateParam returns the template from the ExtractTemplateParam handler.

func TemplateVersionParam added in v0.4.0 

func TemplateVersionParam(r *http.Request) database.TemplateVersion

TemplateVersionParam returns the template version from the ExtractTemplateVersionParam handler.

func UserParam 

func UserParam(r *http.Request) database.User

UserParam returns the user from the ExtractUserParam handler.

func WorkspaceAgent 

func WorkspaceAgent(r *http.Request) database.WorkspaceAgent

WorkspaceAgent returns the workspace agent from the ExtractAgent handler.

func WorkspaceAgentOptional added in v0.25.0 

func WorkspaceAgentOptional(r *http.Request) (database.WorkspaceAgent, bool)

func WorkspaceAgentParam added in v0.4.1 

func WorkspaceAgentParam(r *http.Request) database.WorkspaceAgent

WorkspaceAgentParam returns the workspace agent from the ExtractWorkspaceAgentParam handler.

func WorkspaceAppCors added in v0.24.0 

func WorkspaceAppCors(regex *regexp.Regexp, app httpapi.ApplicationURL) func(next http.Handler) http.Handler

func WorkspaceBuildParam 

func WorkspaceBuildParam(r *http.Request) database.WorkspaceBuild

WorkspaceBuildParam returns the workspace build from the ExtractWorkspaceBuildParam handler.

func WorkspaceParam 

func WorkspaceParam(r *http.Request) database.Workspace

WorkspaceParam returns the workspace from the ExtractWorkspaceParam handler.

func WorkspaceProxy added in v0.23.0 

func WorkspaceProxy(r *http.Request) database.WorkspaceProxy

WorkspaceProxy returns the workspace proxy from the ExtractWorkspaceProxy middleware.

func WorkspaceProxyOptional added in v0.23.0 

func WorkspaceProxyOptional(r *http.Request) (database.WorkspaceProxy, bool)

WorkspaceProxyOptional may return the workspace proxy from the ExtractWorkspaceProxy middleware.

func WorkspaceProxyParam added in v0.23.0 

func WorkspaceProxyParam(r *http.Request) database.WorkspaceProxy

WorkspaceProxyParam returns the worksace proxy from the ExtractWorkspaceProxyParam handler.

func WorkspaceResourceParam 

func WorkspaceResourceParam(r *http.Request) database.WorkspaceResource

ProvisionerJobParam returns the template from the ExtractTemplateParam handler.

Types

type Authorization added in v0.9.0 

type Authorization struct {
	Actor rbac.Subject
	// ActorName is required for logging and human friendly related identification.
	// It is usually the "username" of the user, but it can be the name of the
	// external workspace proxy or other service type actor.
	ActorName string
}

func ExtractAPIKey 

func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyConfig) (*database.APIKey, *Authorization, bool)

ExtractAPIKey requires authentication using a valid API key. It handles extending an API key if it comes close to expiry, updating the last used time in the database.

If the configuration specifies that the API key is optional, a nil API key and authz object may be returned. False is returned if a response was written to the request and the caller should give up. nolint:revive

func UserAuthorization added in v0.9.0 

func UserAuthorization(r *http.Request) Authorization

UserAuthorization returns the roles and scope used for authorization. Depends on the ExtractAPIKey handler.

func UserAuthorizationOptional added in v0.9.0 

func UserAuthorizationOptional(r *http.Request) (Authorization, bool)

UserAuthorizationOptional may return the roles and scope used for authorization. Depends on the ExtractAPIKey handler.

type CSPFetchDirective added in v0.23.1 

type CSPFetchDirective string

CSPFetchDirective is the list of all constant fetch directives that can be used/appended to.

type ExtractAPIKeyConfig added in v0.9.0 

type ExtractAPIKeyConfig struct {
	DB                          database.Store
	OAuth2Configs               *OAuth2Configs
	RedirectToLogin             bool
	DisableSessionExpiryRefresh bool

	// Optional governs whether the API key is optional. Use this if you want to
	// allow unauthenticated requests.
	//
	// If true and no session token is provided, nothing will be written to the
	// request context. Use the APIKeyOptional and UserAuthorizationOptional
	// functions to retrieve the API key and authorization instead of the
	// regular ones.
	//
	// If true and the API key is invalid (i.e. deleted, expired), the cookie
	// will be deleted and the request will continue. If the request is not a
	// cookie-based request, the request will be rejected with a 401.
	Optional bool

	// SessionTokenFunc is a custom function that can be used to extract the API
	// key. If nil, the default behavior is used.
	SessionTokenFunc func(r *http.Request) string
}

type ExtractWorkspaceAgentConfig added in v0.25.0 

type ExtractWorkspaceAgentConfig struct {
	DB database.Store
	// Optional indicates whether the middleware should be optional.  If true, any
	// requests without the a token or with an invalid token will be allowed to
	// continue and no workspace agent will be set on the request context.
	Optional bool
}

type ExtractWorkspaceProxyConfig added in v0.23.0 

type ExtractWorkspaceProxyConfig struct {
	DB database.Store
	// Optional indicates whether the middleware should be optional. If true,
	// any requests without the external proxy auth token header will be
	// allowed to continue and no workspace proxy will be set on the request
	// context.
	Optional bool
}

type HSTSConfig added in v0.17.2 

type HSTSConfig struct {
	// HeaderValue is an empty string if hsts header is disabled.
	HeaderValue string
}

func HSTSConfigOptions added in v0.17.2 

func HSTSConfigOptions(maxAge int, options []string) (HSTSConfig, error)

type OAuth2Config 

type OAuth2Config interface {
	AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string
	Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)
	TokenSource(context.Context, *oauth2.Token) oauth2.TokenSource
}

OAuth2Config exposes a subset of *oauth2.Config functions for easier testing. *oauth2.Config should be used instead of implementing this in production.

type OAuth2Configs added in v0.4.4 

type OAuth2Configs struct {
	Github OAuth2Config
	OIDC   OAuth2Config
}

OAuth2Configs is a collection of configurations for OAuth-based authentication. This should be extended to support other authentication types in the future.

func (*OAuth2Configs) IsZero added in v0.26.1 

func (c *OAuth2Configs) IsZero() bool

type OAuth2State added in v0.4.4 

type OAuth2State struct {
	Token       *oauth2.Token
	Redirect    string
	StateString string
}

func OAuth2 added in v0.4.4 

func OAuth2(r *http.Request) OAuth2State

OAuth2 returns the state from an oauth request.

type RealIPConfig added in v0.11.0 

type RealIPConfig struct {
	// TrustedOrigins is a list of networks that will be trusted. If
	// any non-trusted address supplies these headers, they will be
	// ignored.
	TrustedOrigins []*net.IPNet

	// TrustedHeaders lists headers that are trusted for forwarding
	// IP addresses. e.g. "CF-Connecting-IP", "True-Client-IP", etc.
	TrustedHeaders []string
}

RealIPConfig configures the search order for the function, which controls which headers to consider trusted.

func ParseRealIPConfig added in v0.11.0 

func ParseRealIPConfig(headers, origins []string) (*RealIPConfig, error)

ParseRealIPConfig takes a raw string array of headers and origins to produce a config.

type RealIPState added in v0.11.0 

type RealIPState struct {
	// Config is the configuration applied in the middleware. Consider
	// this read-only and do not modify.
	Config *RealIPConfig

	// OriginalRemoteAddr is the original RemoteAddr for the request.
	OriginalRemoteAddr string
}

RealIPState is the original state prior to modification by this middleware, useful for getting information about the connecting client if needed.

func RealIP added in v0.11.0 

func RealIP(ctx context.Context) *RealIPState

FromContext retrieves the state from the given context.Context.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.