middleware

package
v0.0.2
Published: Feb 19, 2019 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Overview

Package middleware provides a standard set of middleware implementations for pomerium.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AccessHandler added in v0.0.2

func AccessHandler(f func(r *http.Request, status, size int, duration time.Duration)) func(next http.Handler) http.Handler

AccessHandler returns middleware that calls f after each request with the request, the response status, the number of bytes written and the elapsed time.

func ForwardedAddrHandler added in v0.0.2

func ForwardedAddrHandler(fieldKey string) func(next http.Handler) http.Handler

ForwardedAddrHandler adds the client IP address as a field to the context's logger using fieldKey as field key. If present, the X-Forwarded-For header is assumed to be set by a load balancer, and its rightmost entry (the client IP that connected to the LB) is used. That assumption only holds when a trusted proxy in front of pomerium always appends to the header; when clients can reach the proxy directly, X-Forwarded-For is client-controlled and the logged address is whatever the client chose to send.
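The rightmost-entry rule above is one instance of a more general procedure: trust the header only when the direct peer is a known proxy, then count back as many entries as there are trusted hops. The following is an added example written for this page, not pomerium's code: clientIP, inAny, mustCIDRs, forwardedAddrHandler and ctxKey are its own names, the trusted-network list and hop count are assumed configuration, and it stores the resolved address in the request context rather than in a logger field.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// clientIP decides which address a request is attributed to.
//
// remoteAddr is r.RemoteAddr ("ip:port"); xff is the X-Forwarded-For header;
// trustedProxies are the networks the load balancers live in; hops is how many
// of them sit in front of this server. Each trusted hop appends the address
// that connected to it, so with hops == 1 the answer is the rightmost entry
// (the rule ForwardedAddrHandler documents) and with hops == 2 the one before
// it. Anything further left was supplied by the client and is never trusted.
// If the peer is not a trusted proxy the header is ignored: the client wrote it.
func clientIP(remoteAddr, xff string, trustedProxies []*net.IPNet, hops int) (net.IP, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // RemoteAddr without a port, e.g. in tests
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return nil, fmt.Errorf("unparseable remote address %q", remoteAddr)
	}
	if !inAny(peer, trustedProxies) || hops <= 0 || xff == "" {
		return peer, nil
	}
	entries := strings.Split(xff, ",")
	idx := len(entries) - hops
	if idx < 0 {
		return nil, errors.New("X-Forwarded-For has fewer entries than trusted hops")
	}
	ip := net.ParseIP(strings.TrimSpace(entries[idx]))
	if ip == nil {
		return nil, fmt.Errorf("unparseable X-Forwarded-For entry %q", entries[idx])
	}
	return ip, nil
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// mustCIDRs parses CIDR strings; used for the constructed configuration below.
func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

type ctxKey struct{}

// forwardedAddrHandler is the middleware form: it resolves the client IP once
// and stores it in the request context under ctxKey, so handlers downstream all
// use the same value. Multiple X-Forwarded-For header lines are equivalent to
// one comma-separated list, so they are joined before parsing.
func forwardedAddrHandler(trustedProxies []*net.IPNet, hops int) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			xff := strings.Join(r.Header.Values("X-Forwarded-For"), ",")
			ip, err := clientIP(r.RemoteAddr, xff, trustedProxies, hops)
			if err != nil {
				http.Error(w, "bad forwarding headers", http.StatusBadRequest)
				return
			}
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, ip)))
		})
	}
}

func main() {
	lbs := mustCIDRs("10.0.0.0/8")
	// Constructed inputs: one LB at 10.0.0.5; the client (198.51.100.7) tried to
	// spoof a leading entry, and the LB appended the real connecting address.
	ip, err := clientIP("10.0.0.5:443", "203.0.113.9, 198.51.100.7", lbs, 1)
	fmt.Println(ip, err) // 198.51.100.7 <nil>
	// The same header arriving straight from the Internet is ignored.
	ip, err = clientIP("192.0.2.1:5555", "203.0.113.9, 198.51.100.7", lbs, 1)
	fmt.Println(ip, err) // 192.0.2.1 <nil>
}
```

The hop count and the trusted networks must describe the real deployment; setting hops to 1 with no load balancer in front turns the header back into attacker input, which is exactly the failure the caveat above describes.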

func FromRequest added in v0.0.2

func FromRequest(r *http.Request) *zerolog.Logger

FromRequest gets the logger from the request's context. This is a shortcut for log.Ctx(r.Context()).

func Healthcheck added in v0.0.2

func Healthcheck(endpoint, msg string) func(http.Handler) http.Handler

Healthcheck is endpoint middleware for setting up a path like `/ping` that load balancers or external uptime monitors can request before any routes are hit. It is also convenient to place this above ACL middleware, so that health checks do not need credentials.

func IDFromCtx added in v0.0.2

func IDFromCtx(ctx context.Context) (id string, ok bool)

IDFromCtx returns the unique id associated with the context, if any.

func IDFromRequest added in v0.0.2

func IDFromRequest(r *http.Request) (id string, ok bool)

IDFromRequest returns the unique id associated with the request, if any.

func MethodHandler added in v0.0.2

func MethodHandler(fieldKey string) func(next http.Handler) http.Handler

MethodHandler adds the request method as a field to the context's logger using fieldKey as field key.

func NewHandler added in v0.0.2

func NewHandler(log zerolog.Logger) func(http.Handler) http.Handler

NewHandler injects log into requests context.

func RefererHandler added in v0.0.2

func RefererHandler(fieldKey string) func(next http.Handler) http.Handler

RefererHandler adds the request's referer as a field to the context's logger using fieldKey as field key.

func RemoteAddrHandler added in v0.0.2

func RemoteAddrHandler(fieldKey string) func(next http.Handler) http.Handler

RemoteAddrHandler adds the request's remote address as a field to the context's logger using fieldKey as field key.

func RequestHandler added in v0.0.2

func RequestHandler(fieldKey string) func(next http.Handler) http.Handler

RequestHandler adds the request method and URL as a field to the context's logger using fieldKey as field key.

func RequestIDHandler added in v0.0.2

func RequestIDHandler(fieldKey, headerName string) func(next http.Handler) http.Handler

RequestIDHandler returns middleware that assigns a unique id to the request, which can be retrieved with IDFromRequest(req). The generated id is added as a field to the logger using fieldKey as field name. The id is also set as a response header if headerName is not empty.

func RequireHTTPS

func RequireHTTPS(next http.Handler) http.Handler

RequireHTTPS redirects an HTTP request to HTTPS.

TODO(bdd): this is unreliable unless behind another reverse proxy.
TODO(bdd): header age seems extreme.

func SetHeaders

func SetHeaders(securityHeaders map[string]string) func(next http.Handler) http.Handler

SetHeaders ensures that every response includes the security headers given in securityHeaders (header name to value).

func URLHandler added in v0.0.2

func URLHandler(fieldKey string) func(next http.Handler) http.Handler

URLHandler adds the requested URL as a field to the context's logger using fieldKey as field key.

func UserAgentHandler added in v0.0.2

func UserAgentHandler(fieldKey string) func(next http.Handler) http.Handler

UserAgentHandler adds the request's user-agent as a field to the context's logger using fieldKey as field key.

func ValidRedirectURI added in v0.0.2

func ValidRedirectURI(uri string, rootDomains []string) bool

ValidRedirectURI reports whether the URL's domain is one of the proxy root domains.

func ValidSignature added in v0.0.2

func ValidSignature(redirectURI, sigVal, timestamp, secret string) bool

ValidSignature checks whether a signature is valid. It recomputes the HMAC over the redirect URI and timestamp using the shared secret and compares the result with the supplied signature.
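ValidRedirectURI and ValidSignature, and their middleware forms ValidateRedirectURI and ValidateSignature documented below, together make an open-redirect check plus a signed, time-limited redirect. The following is an added example of that design written for this page, not pomerium's code. HMAC-SHA256 over the redirect URI followed by the timestamp, keyed with the shared secret, is an assumption about the construction; so are the query parameter names redirect_uri, sig and ts, the base64url encoding of the signature, and the dot-boundary rule used for the domain match.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// validRedirectURI reports whether uri's host is one of rootDomains or a
// subdomain of one. Matching on a "." boundary keeps "example.com.attacker.net"
// and "notexample.com" from passing for root "example.com"; no host, no match.
func validRedirectURI(uri string, rootDomains []string) bool {
	u, err := url.Parse(uri)
	if err != nil || u.Hostname() == "" {
		return false
	}
	host := strings.ToLower(u.Hostname())
	for _, root := range rootDomains {
		root = strings.ToLower(strings.TrimPrefix(root, "."))
		if root != "" && (host == root || strings.HasSuffix(host, "."+root)) {
			return true
		}
	}
	return false
}

// redirectMAC is HMAC-SHA256 over redirectURI||timestamp keyed with secret (an
// assumed construction). Binding the timestamp in stops replay with a new one.
func redirectMAC(redirectURI, timestamp string, secret []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(redirectURI))
	mac.Write([]byte(timestamp))
	return mac.Sum(nil)
}

// signRedirect is the issuing side: the base64url signature and the timestamp
// string that must travel with redirectURI.
func signRedirect(redirectURI string, now time.Time, secret []byte) (sig, timestamp string) {
	timestamp = strconv.FormatInt(now.Unix(), 10)
	return base64.URLEncoding.EncodeToString(redirectMAC(redirectURI, timestamp, secret)), timestamp
}

// validSignature is the verifying side: all inputs present, timestamp within
// maxSkew of now, and a constant-time MAC comparison via hmac.Equal.
func validSignature(redirectURI, sigVal, timestamp string, secret []byte, now time.Time, maxSkew time.Duration) error {
	if redirectURI == "" || sigVal == "" || timestamp == "" || len(secret) == 0 {
		return errors.New("redirect uri, signature and timestamp are all required")
	}
	unix, err := strconv.ParseInt(timestamp, 10, 64)
	if err != nil {
		return errors.New("timestamp is not an integer")
	}
	if age := now.Sub(time.Unix(unix, 0)); age > maxSkew || age < -maxSkew {
		return errors.New("timestamp outside the accepted window")
	}
	got, err := base64.URLEncoding.DecodeString(sigVal)
	if err != nil {
		return errors.New("signature is not base64url")
	}
	// MAC the timestamp exactly as received: verify the bytes the issuer signed.
	if !hmac.Equal(got, redirectMAC(redirectURI, timestamp, secret)) {
		return errors.New("signature mismatch")
	}
	return nil
}

// validateRedirect applies both checks as middleware; the query parameter names
// redirect_uri, sig and ts are assumptions of this example.
func validateRedirect(rootDomains []string, secret []byte, maxSkew time.Duration) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			q := r.URL.Query()
			uri := q.Get("redirect_uri")
			if !validRedirectURI(uri, rootDomains) {
				http.Error(w, "redirect_uri is not a permitted domain", http.StatusBadRequest)
				return
			}
			if err := validSignature(uri, q.Get("sig"), q.Get("ts"), secret, time.Now(), maxSkew); err != nil {
				http.Error(w, err.Error(), http.StatusUnauthorized)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

func main() {
	secret := []byte("constructed-example-secret") // demo value only
	uri := "https://app.example.com/callback"
	sig, ts := signRedirect(uri, time.Now(), secret)
	fmt.Println(validRedirectURI(uri, []string{"example.com"}), validSignature(uri, sig, ts, secret, time.Now(), 5*time.Minute))
	fmt.Println(validSignature("https://attacker.net/", sig, ts, secret, time.Now(), 5*time.Minute))
}
```

The domain check runs first because it needs no secret and rejects the obviously bad cases cheaply; the signature check then proves the redirect was issued by a holder of the secret and is recent enough to be meaningful.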

func ValidateClientSecret

func ValidateClientSecret(sharedSecret string) func(next http.Handler) http.Handler

ValidateClientSecret checks the request header for the client secret and rejects the request with an error if it does not match the proxy's client secret. A shared secret like this should be compared in constant time (crypto/subtle or hmac.Equal) so that response timing does not reveal how much of it matched.

func ValidateHost

func ValidateHost(mux map[string]http.Handler) func(next http.Handler) http.Handler

ValidateHost ensures that each request's host is one of the keys in mux, that is, a route the proxy actually serves.

func ValidateRedirectURI

func ValidateRedirectURI(proxyRootDomains []string) func(next http.Handler) http.Handler

ValidateRedirectURI checks the redirect uri in the query parameters and ensures that its domain is in the list of proxy root domains.

func ValidateSignature

func ValidateSignature(sharedSecret string) func(next http.Handler) http.Handler

ValidateSignature ensures the request is valid and has been signed with the corresponding client secret key.

Types

type Chain added in v0.0.2

type Chain struct {
	// contains filtered or unexported fields
}

Chain acts as a list of http.Handler constructors. Chain is effectively immutable: once created, it will always hold the same set of constructors in the same order.

func NewChain added in v0.0.2

func NewChain(constructors ...Constructor) Chain

NewChain creates a new chain, memorizing the given list of middleware constructors. NewChain serves no other function; constructors are only called upon a call to Then().

func (Chain) Append added in v0.0.2

func (c Chain) Append(constructors ...Constructor) Chain

Append extends a chain, adding the specified constructors as the last ones in the request flow.

Append returns a new chain, leaving the original one untouched.

stdChain := middleware.NewChain(m1, m2)
extChain := stdChain.Append(m3, m4)
// requests in stdChain go m1 -> m2
// requests in extChain go m1 -> m2 -> m3 -> m4

func (Chain) Extend added in v0.0.2

func (c Chain) Extend(chain Chain) Chain

Extend extends a chain by adding the specified chain as the last one in the request flow.

Extend returns a new chain, leaving the original one untouched.

stdChain := middleware.NewChain(m1, m2)
ext1Chain := middleware.NewChain(m3, m4)
ext2Chain := stdChain.Extend(ext1Chain)
// requests in stdChain go  m1 -> m2
// requests in ext1Chain go m3 -> m4
// requests in ext2Chain go m1 -> m2 -> m3 -> m4

Another example:

aHtmlAfterNosurf := middleware.NewChain(m2)
aHtml := middleware.NewChain(m1, func(h http.Handler) http.Handler {
	csrf := nosurf.New(h)
	csrf.SetFailureHandler(aHtmlAfterNosurf.ThenFunc(csrfFail))
	return csrf
}).Extend(aHtmlAfterNosurf)
// requests to aHtml hitting nosurf's success handler go m1 -> nosurf -> m2 -> target-handler
// requests to aHtml hitting nosurf's failure handler go m1 -> nosurf -> m2 -> csrfFail

func (Chain) Then added in v0.0.2

func (c Chain) Then(h http.Handler) http.Handler

Then chains the middleware and returns the final http.Handler.

NewChain(m1, m2, m3).Then(h)

is equivalent to:

m1(m2(m3(h)))

When the request comes in, it will be passed to m1, then m2, then m3 and finally, the given handler (assuming every middleware calls the following one).

A chain can be safely reused by calling Then() several times.

stdStack := middleware.NewChain(ratelimitHandler, csrfHandler)
indexPipe = stdStack.Then(indexHandler)
authPipe = stdStack.Then(authHandler)

Note that constructors are called on every call to Then() and thus several instances of the same middleware will be created when a chain is reused in this way. For proper middleware, this should cause no problems.

Then() treats nil as http.DefaultServeMux.

func (Chain) ThenFunc added in v0.0.2

func (c Chain) ThenFunc(fn http.HandlerFunc) http.Handler

ThenFunc works identically to Then, but takes an http.HandlerFunc instead of an http.Handler.

The following two statements are equivalent:

c.Then(http.HandlerFunc(fn))
c.ThenFunc(fn)

ThenFunc provides all the guarantees of Then.
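To make the Then() and Append() semantics above concrete, here is a minimal re-implementation of the chain pattern together with a tracing middleware, written as an added example for this page; it is not the package's code, and chain, newChain, appendTo, then, tag, deny and trace are its own names. It shows the m1(m2(m3(h))) nesting as an observable call order, why Append must copy the constructor slice rather than append in place for the original chain to stay immutable, and what happens when an ACL-style middleware that never calls next sits in the chain.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// constructor is a middleware: it wraps a handler and returns a handler.
type constructor func(http.Handler) http.Handler

// chain is an immutable list of constructors (added example, not the package's code).
type chain struct{ constructors []constructor }

func newChain(cs ...constructor) chain {
	return chain{constructors: append([]constructor(nil), cs...)}
}

// then wraps h right-to-left so the first constructor is the outermost layer:
// newChain(m1, m2, m3).then(h) == m1(m2(m3(h))). nil means http.DefaultServeMux.
func (c chain) then(h http.Handler) http.Handler {
	if h == nil {
		h = http.DefaultServeMux
	}
	for i := len(c.constructors) - 1; i >= 0; i-- {
		h = c.constructors[i](h)
	}
	return h
}

// appendTo returns a new chain. Copying into a fresh slice is what keeps the
// receiver immutable: a bare append(c.constructors, cs...) can reuse spare
// capacity in the shared backing array, so two chains derived from the same
// parent could overwrite each other's constructors.
func (c chain) appendTo(cs ...constructor) chain {
	out := make([]constructor, 0, len(c.constructors)+len(cs))
	out = append(out, c.constructors...)
	out = append(out, cs...)
	return chain{constructors: out}
}

// tag records its name in the X-Trace response header before calling next,
// so the evaluation order becomes observable.
func tag(name string) constructor {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.Header().Add("X-Trace", name)
			next.ServeHTTP(w, r)
		})
	}
}

// deny never calls next; it models an ACL or authentication layer rejecting a request.
func deny(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("X-Trace", "deny")
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// trace runs one constructed request through h and returns the recorded order and status.
func trace(h http.Handler) (order string, status int) {
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, "/", nil))
	return strings.Join(rr.Header().Values("X-Trace"), ">"), rr.Code
}

var target = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Add("X-Trace", "target")
	w.WriteHeader(http.StatusNoContent)
})

func main() {
	std := newChain(tag("m1"), tag("m2"))
	ext := std.appendTo(tag("m3"))
	fmt.Println(trace(std.then(target))) // m1>m2>target 204
	fmt.Println(trace(ext.then(target))) // m1>m2>m3>target 204
	// Observability middleware before the ACL still sees every request, but a
	// deny short-circuits everything behind it, including the target.
	fmt.Println(trace(std.appendTo(deny, tag("m3")).then(target))) // m1>m2>deny 403
}
```

This is also why the Healthcheck documentation suggests placing it above ACL middleware: anything placed after a denying layer never runs for rejected requests.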

type Constructor added in v0.0.2

type Constructor func(http.Handler) http.Handler

Constructor is the middleware type: a func(http.Handler) http.Handler.

type SharedSecretCred added in v0.0.2

type SharedSecretCred struct {
	// contains filtered or unexported fields
}

SharedSecretCred is a simple token-based method of mutual authentication for gRPC calls: the shared secret is sent in request metadata and verified on the server side.

func NewSharedSecretCred added in v0.0.2

func NewSharedSecretCred(secret string) *SharedSecretCred

NewSharedSecretCred returns a new instance of shared secret credential middleware for gRPC clients; it implements the grpc credentials.PerRPCCredentials interface (GetRequestMetadata and RequireTransportSecurity).

func (SharedSecretCred) GetRequestMetadata added in v0.0.2

func (s SharedSecretCred) GetRequestMetadata(context.Context, ...string) (map[string]string, error)

GetRequestMetadata returns the per-request metadata, setting the "authorization" key to the shared secret.

func (SharedSecretCred) RequireTransportSecurity added in v0.0.2

func (s SharedSecretCred) RequireTransportSecurity() bool

RequireTransportSecurity reports true: the shared secret is a bearer credential and must only travel over an encrypted transport.

func (SharedSecretCred) ValidateRequest added in v0.0.2

func (s SharedSecretCred) ValidateRequest(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)

ValidateRequest ensures a valid token exists within a request's metadata. If the token is missing or invalid, the interceptor blocks execution of the handler and returns an error. Otherwise, the interceptor invokes the unary handler.

type WrapResponseWriter added in v0.0.2

type WrapResponseWriter interface {
	http.ResponseWriter
	// Status returns the HTTP status of the request, or 0 if one has not
	// yet been sent.
	Status() int
	// BytesWritten returns the total number of bytes sent to the client.
	BytesWritten() int
	// Tee causes the response body to be written to the given io.Writer in
	// addition to proxying the writes through. Only one io.Writer can be
	// tee'd to at once: setting a second one will overwrite the first.
	// Writes will be sent to the proxy before being written to this
	// io.Writer. It is illegal for the tee'd writer to be modified
	// concurrently with writes.
	Tee(io.Writer)
	// Unwrap returns the original proxied target.
	Unwrap() http.ResponseWriter
}

WrapResponseWriter is a proxy around an http.ResponseWriter that allows you to hook into various parts of the response process.

func NewWrapResponseWriter added in v0.0.2

func NewWrapResponseWriter(w http.ResponseWriter, protoMajor int) WrapResponseWriter

NewWrapResponseWriter wraps an http.ResponseWriter, returning a proxy that allows you to hook into various parts of the response process.
