require "rack/proxy"
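# Rack middleware that reverse-proxies most requests to an upstream app once the
# caller is either authenticated through Warden (GDS SSO, presumably — the only
# evidence here is the "/auth/" path that is exempt from proxying) or presents
# a verifiable JWT "auth bypass" token as a query param or cookie.
#
# Healthcheck and "/auth/" paths are served by the wrapped app instead.
class Proxy < Rack::Proxy
  # Paths the wrapped app answers itself (liveness/readiness probes).
  HEALTHCHECK_PATHS = %w[/healthcheck/live /healthcheck/ready].freeze

  attr_accessor :upstream_url

  # @param app [#call] the downstream Rack app used for non-proxied paths
  # @param upstream_url [String] base URL of the backend to proxy to
  def initialize(app, upstream_url)
    @upstream_url = URI(upstream_url)
    # streaming: false — presumably so the whole body is in hand when
    # fix_content_length measures it in rewrite_response.
    super(app, backend: upstream_url, streaming: false)
  end

  # Rack entry point. Non-proxied paths fall straight through to the wrapped
  # app; everything else must pass process_token_or_authenticate! before
  # Rack::Proxy#call forwards it upstream.
  #
  # @param env [Hash] Rack environment
  # @return [Array] Rack response triplet
  def call(env)
    path = env["PATH_INFO"]
    unless proxy?(path)
      debug_logging(env, "Request not being proxied: #{path}")
      return @app.call(env)
    end

    process_token_or_authenticate!(env)
    debug_logging(env, "Proxing request: #{path}")
    response = super
    # An upstream 403 re-runs Warden's authenticate!, which is a no-op for an
    # already authenticated session; a visitor who only had a bypass token is
    # handed to Warden's failure handling instead of the upstream's 403 page.
    env["warden"].authenticate! if forbidden_response?(response)
    set_auth_bypass_cookie(response, env)
  end

  # True unless the path is a healthcheck or a GDS SSO ("/auth/") path.
  def proxy?(path)
    !(healthcheck_path?(path) || gds_sso_path?(path))
  end

  # Rack::Proxy hook, run before the upstream request is built. Adds the
  # identity headers the upstream relies on and drops the client's Host.
  def rewrite_env(env)
    env["HTTP_X_FORWARDED_HOST"] = env["HTTP_HOST"]
    # HTTP HOST header removed as it can supersede backend host
    env.delete("HTTP_HOST")
    add_authenticated_user_header(env)
    add_authenticated_user_organisation_header(env)
    env
  end

  # Rack::Proxy hook, run on the upstream response before it is returned.
  #
  # @param response [Array] status, headers, body
  # @return [Array] the cleaned-up triplet
  def rewrite_response(response)
    status, headers, body = response
    allow_iframing(headers)
    fix_content_length(headers, body)
    # Status doesn't belong in the headers in a rack response triplet.
    [status, headers.reject { |key, _| key == "status" }, body]
  end

  private

  # Authenticates the request. A bypass JWT (the "token" param, falling back to
  # the auth_bypass_token cookie) that verifies is sufficient on its own; in
  # every other case Warden must authenticate (authenticate! halts when it
  # cannot, authenticate merely tries).
  def process_token_or_authenticate!(env)
    # Only a token verified by process_token may populate the bypass id that is
    # forwarded upstream, so discard any value that arrived as a request
    # header (Rack::Proxy forwards HTTP_* env entries to the backend).
    env.delete("HTTP_GOVUK_AUTH_BYPASS_ID")

    request = Rack::Request.new(env)
    token = request.params.fetch("token", get_auth_bypass_cookie(env))
    auth_bypass_id = process_token(token, env) if token

    warden = env["warden"]
    user = auth_bypass_id ? warden.authenticate : warden.authenticate!
    debug_logging(env, "authenticated as #{user.email}") if user
  end

  # @return [String, nil] the auth_bypass_token cookie value, if any
  def get_auth_bypass_cookie(env)
    cookies = Rack::Utils.parse_cookies(env)
    cookies["auth_bypass_token"] if cookies
  end

  # Persists a "token" query param as the auth_bypass_token cookie on the
  # response so later requests need not carry it. Returns the response.
  def set_auth_bypass_cookie(response, env)
    request = Rack::Request.new(env)
    token = request.params["token"]
    return response unless token

    # Override any existing token, we don't really care at this point if the
    # token is valid that's up to the consuming app to validate
    Rack::Utils.set_cookie_header!(
      response[1],
      "auth_bypass_token",
      {
        value: token,
        path: "/",
        domain: ".#{Plek.new.external_domain}",
        # The token is a bearer credential for the proxied app: keep it out of
        # script reach, and mark it Secure when the request itself was HTTPS.
        # NOTE(review): these two flags are new; drop httponly if a browser
        # script genuinely has to read this cookie.
        httponly: true,
        secure: request.ssl?,
      },
    )
    response
  end

  # The status in the triplet may be a String (the original compared against
  # "403") or an Integer; compare numerically so both are recognised.
  def forbidden_response?(response)
    response[0].to_i == 403
  end

  # Verifies the bypass JWT (HS256, keyed by JWT_AUTH_SECRET). On success the
  # "sub" claim is stored in env as the Govuk-Auth-Bypass-Id header for the
  # upstream and returned; any decode/signature failure returns nil, which
  # forces Warden authentication.
  #
  # @return [String, nil] the token's "sub" claim, or nil
  def process_token(token, env)
    payload, _header = JWT.decode(token, ENV["JWT_AUTH_SECRET"], true, { algorithm: "HS256" })
    # A JWT payload that is not an object can't carry "sub"; treat as no id.
    return unless payload.respond_to?(:key?)

    env["HTTP_GOVUK_AUTH_BYPASS_ID"] = payload["sub"] if payload.key?("sub")
  rescue JWT::DecodeError
    nil
  end

  # X-Govuk-Authenticated-User: the Warden user's uid, or "invalid" when no
  # user is signed in (a bypass-token visitor).
  def add_authenticated_user_header(env)
    user = env["warden"].user
    env["HTTP_X_GOVUK_AUTHENTICATED_USER"] = user ? user.uid.to_s : "invalid"
  end

  # X-Govuk-Authenticated-User-Organisation: the user's organisation content
  # id, or "invalid" when no user is signed in.
  def add_authenticated_user_organisation_header(env)
    user = env["warden"].user
    env["HTTP_X_GOVUK_AUTHENTICATED_USER_ORGANISATION"] =
      user ? user.organisation_content_id.to_s : "invalid"
  end

  def healthcheck_path?(path)
    HEALTHCHECK_PATHS.include?(path)
  end

  # Core String#start_with? rather than the ActiveSupport-only starts_with?.
  def gds_sso_path?(path)
    path.start_with?("/auth/")
  end

  # Logs at debug level when the request carries an action_dispatch.logger.
  def debug_logging(env, message)
    env["action_dispatch.logger"]&.debug(message)
  end

  # Content-Length header can end up with an incorrect value as Net::HTTP will
  # decompress a body of a gzipped request but pass through the Content-Length
  # header of the compressed content. Recomputes it from the body chunks, or
  # drops it when the chunks can't be measured. Return value is unused.
  def fix_content_length(headers, body)
    header = find_header(headers, "content-length")
    return unless header

    if body.all? { |chunk| chunk.respond_to?(:bytesize) }
      headers[header] = body.sum(&:bytesize).to_s
    else
      # Better no Content-Length than a wrong one.
      headers.delete(header)
    end
  end

  # Deliberately strips the upstream's X-Frame-Options so the proxied content
  # can be framed. This removes the upstream's clickjacking protection for
  # every proxied response, so any framing restriction has to live elsewhere.
  def allow_iframing(headers)
    header = find_header(headers, "x-frame-options")
    headers.delete(header) if header
  end

  # Case-insensitive header lookup, as header names from the upstream may
  # arrive in any capitalisation.
  #
  # @param name [String] lowercase header name
  # @return [String, nil] the key as it appears in +headers+
  def find_header(headers, name)
    headers.keys.find { |key| key.downcase == name }
  end
end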