baseapp

package
v0.0.0-...-b95a7b5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 25, 2024 License: BSD-3-Clause Imports: 13 Imported by: 1

Documentation

Index

Constants

View Source
const (
	SERVER_READ_TIMEOUT  = 5 * time.Minute
	SERVER_WRITE_TIMEOUT = 5 * time.Minute
)

Variables

View Source
var (
	Local        = flag.Bool("local", false, "Running locally if true. As opposed to in production.")
	Port         = flag.String("port", ":8000", "HTTP service address (e.g., ':8000')")
	PromPort     = flag.String("prom_port", ":20000", "Metrics service address (e.g., ':10110')")
	ResourcesDir = flag.String("resources_dir", "", "The directory to find templates, JS, and CSS files. If blank the current directory will be used.")
)

Functions

func SecurityMiddleware

func SecurityMiddleware(allowedHosts []string, local bool, options []Option) func(http.Handler) http.Handler

SecurityMiddleware sets the CPS headers.

func Serve

func Serve(constructor Constructor, allowedHosts []string, options ...Option)

Serve builds and runs the App in a secure manner in our kubernetes cluster.

The constructor builds an App instance. Note that we don't pass in an App instance directly, because we want the constructor called after the common.Init*() functions are called, i.e. after flags are parsed.

The allowedHosts are the list of domains that are allowed to make requests to this app. Make sure to include the domain name of the app itself. For example; []string{"am.skia.org"}.

See https://csp.withgoogle.com/docs/strict-csp.html for more information on Strict CSP in general.

For this to work every script and style tag must have a nonce attribute whose value matches the one sent in the Content-Security-Policy: header. You can have Bazel inject an attribute with a template for the nonce to all <script> and <link> tags via the sk_page rule's nonce attribute, e.g.

load("//infra-sk:index.bzl", "sk_page")

sk_page(
    name = "index",
    html_file = "index.html",
    nonce = "{% .Nonce %}",
    ...
)

And then include that nonce when expanding any pages:

if err := srv.templates.ExecuteTemplate(w, "index.html", map[string]string{
  "Nonce": secure.CSPNonce(r.Context()),
}); err != nil {
 sklog.Errorf("Failed to expand template: %s", err)
}

Since our audience is small and only uses modern browsers we shouldn't need any further XSS protection. For example, even if a user is logged into another Google site that is compromised, while they can request the main index page and get both the csrf token and value, they couldn't POST it back to the site we are serving since that site wouldn't be listed in allowedHosts.

CSP failures will be logged as structured log events.

Static resources, e.g. Bazel-built HTML, CSS and JS files, will be served at '/dist/' and will serve the contents of the '/dist' directory.

Types

type AllowAnyImage

type AllowAnyImage struct{}

AllowAnyImage allows images to be loaded from all sources, not just self.

type AllowWASM

type AllowWASM struct{}

AllowWASM allows 'unsafe-eval' for scripts, which is needed for WASM.

type App

type App interface {
	// AddHandlers is called by Serve and the receiver must add all handlers
	// to the passed in chi.Router.
	AddHandlers(chi.Router)

	// AddMiddleware returns a list of middleware functions to add to the router.
	// This is a good place to add auth middleware.
	AddMiddleware() []func(http.Handler) http.Handler
}

App is the interface that Constructor returns.

type Constructor

type Constructor func() (App, error)

Constructor is a function that builds an App instance.

Used as a parameter to Serve.

type DisableLoggingRequestResponse

type DisableLoggingRequestResponse struct{}

DisableLoggingRequestResponse disables LoggingRequestResponse, which doesn't work with Server-Sent Events.

type DisableResponseGZip

type DisableResponseGZip struct{}

DisableResponseGZip disables the automatic gzipping of responses regardless of the contents of the "Accept-Encoding" header. Required for services like verdaccio- https://verdaccio.org/docs/reverse-proxy/#invalid-checksum

type Option

type Option interface{}

Option is the base type for options passed to Serve().

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL