forked from notaryproject/notary
-
Notifications
You must be signed in to change notification settings - Fork 0
/
http.go
210 lines (186 loc) · 6.68 KB
/
http.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
package utils
import (
"fmt"
"net/http"
"time"
ctxu "github.com/docker/distribution/context"
"github.com/docker/distribution/registry/api/errcode"
"github.com/docker/distribution/registry/auth"
"github.com/docker/notary/tuf/signed"
"github.com/gorilla/mux"
"golang.org/x/net/context"
)
// ContextHandler defines an alterate HTTP handler interface which takes in
// a context for authorization and returns an HTTP application error.
type ContextHandler func(ctx context.Context, w http.ResponseWriter, r *http.Request) error
// rootHandler is an implementation of an HTTP request handler which handles
// authorization and calling out to the defined alternate http handler.
type rootHandler struct {
handler ContextHandler
auth auth.AccessController
actions []string
context context.Context
trust signed.CryptoService
//cachePool redis.Pool
}
// RootHandlerFactory creates a new rootHandler factory using the given
// Context creator and authorizer. The returned factory allows creating
// new rootHandlers from the alternate http handler contextHandler and
// a scope.
func RootHandlerFactory(auth auth.AccessController, ctx context.Context, trust signed.CryptoService) func(ContextHandler, ...string) *rootHandler {
return func(handler ContextHandler, actions ...string) *rootHandler {
return &rootHandler{
handler: handler,
auth: auth,
actions: actions,
context: ctx,
trust: trust,
}
}
}
// ServeHTTP serves an HTTP request and implements the http.Handler interface.
func (root *rootHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r)
ctx := ctxu.WithRequest(root.context, r)
log := ctxu.GetRequestLogger(ctx)
ctx, w = ctxu.WithResponseWriter(ctx, w)
ctx = ctxu.WithLogger(ctx, log)
ctx = context.WithValue(ctx, "repo", vars["imageName"])
ctx = context.WithValue(ctx, "cryptoService", root.trust)
defer func() {
ctxu.GetResponseLogger(ctx).Info("response completed")
}()
if root.auth != nil {
access := buildAccessRecords(vars["imageName"], root.actions...)
var authCtx context.Context
var err error
if authCtx, err = root.auth.Authorized(ctx, access...); err != nil {
if challenge, ok := err.(auth.Challenge); ok {
// Let the challenge write the response.
challenge.SetHeaders(w)
if err := errcode.ServeJSON(w, errcode.ErrorCodeUnauthorized.WithDetail(access)); err != nil {
log.Errorf("failed to serve challenge response: %s", err.Error())
}
return
}
errcode.ServeJSON(w, errcode.ErrorCodeUnauthorized)
return
}
ctx = authCtx
}
if err := root.handler(ctx, w, r); err != nil {
if httpErr, ok := err.(errcode.ErrorCoder); ok {
// info level logging for non-5XX http errors
httpErrCode := httpErr.ErrorCode().Descriptor().HTTPStatusCode
if httpErrCode >= http.StatusInternalServerError {
// error level logging for 5XX http errors
log.Error(httpErr)
} else {
log.Info(httpErr)
}
}
e := errcode.ServeJSON(w, err)
if e != nil {
log.Error(e)
}
return
}
}
func buildAccessRecords(repo string, actions ...string) []auth.Access {
requiredAccess := make([]auth.Access, 0, len(actions))
for _, action := range actions {
requiredAccess = append(requiredAccess, auth.Access{
Resource: auth.Resource{
Type: "repository",
Name: repo,
},
Action: action,
})
}
return requiredAccess
}
// CacheControlConfig is an interface for something that knows how to set cache
// control headers
type CacheControlConfig interface {
// SetHeaders will actually set the cache control headers on a Headers object
SetHeaders(headers http.Header)
}
// NewCacheControlConfig returns CacheControlConfig interface for either setting
// cache control or disabling cache control entirely
func NewCacheControlConfig(maxAgeInSeconds int, mustRevalidate bool) CacheControlConfig {
if maxAgeInSeconds > 0 {
return PublicCacheControl{MustReValidate: mustRevalidate, MaxAgeInSeconds: maxAgeInSeconds}
}
return NoCacheControl{}
}
// PublicCacheControl is a set of options that we will set to enable cache control
type PublicCacheControl struct {
MustReValidate bool
MaxAgeInSeconds int
}
// SetHeaders sets the public headers with an optional must-revalidate header
func (p PublicCacheControl) SetHeaders(headers http.Header) {
cacheControlValue := fmt.Sprintf("public, max-age=%v, s-maxage=%v",
p.MaxAgeInSeconds, p.MaxAgeInSeconds)
if p.MustReValidate {
cacheControlValue = fmt.Sprintf("%s, must-revalidate", cacheControlValue)
}
headers.Set("Cache-Control", cacheControlValue)
// delete the Pragma directive, because the only valid value in HTTP is
// "no-cache"
headers.Del("Pragma")
if headers.Get("Last-Modified") == "" {
SetLastModifiedHeader(headers, time.Time{})
}
}
// NoCacheControl is an object which represents a directive to cache nothing
type NoCacheControl struct{}
// SetHeaders sets the public headers cache-control headers and pragma to no-cache
func (n NoCacheControl) SetHeaders(headers http.Header) {
headers.Set("Cache-Control", "max-age=0, no-cache, no-store")
headers.Set("Pragma", "no-cache")
}
// cacheControlResponseWriter wraps an existing response writer, and if Write is
// called, will try to set the cache control headers if it can
type cacheControlResponseWriter struct {
http.ResponseWriter
config CacheControlConfig
statusCode int
}
// WriteHeader stores the header before writing it, so we can tell if it's been set
// to a non-200 status code
func (c *cacheControlResponseWriter) WriteHeader(statusCode int) {
c.statusCode = statusCode
c.ResponseWriter.WriteHeader(statusCode)
}
// Write will set the cache headers if they haven't already been set and if the status
// code has either not been set or set to 200
func (c *cacheControlResponseWriter) Write(data []byte) (int, error) {
if c.statusCode == http.StatusOK || c.statusCode == 0 {
headers := c.ResponseWriter.Header()
if headers.Get("Cache-Control") == "" {
c.config.SetHeaders(headers)
}
}
return c.ResponseWriter.Write(data)
}
type cacheControlHandler struct {
http.Handler
config CacheControlConfig
}
func (c cacheControlHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
c.Handler.ServeHTTP(&cacheControlResponseWriter{ResponseWriter: w, config: c.config}, r)
}
// WrapWithCacheHandler wraps another handler in one that can add cache control headers
// given a 200 response
func WrapWithCacheHandler(ccc CacheControlConfig, handler http.Handler) http.Handler {
if ccc != nil {
return cacheControlHandler{Handler: handler, config: ccc}
}
return handler
}
// SetLastModifiedHeader takes a time and uses it to set the LastModified header using
// the right date format
func SetLastModifiedHeader(headers http.Header, lmt time.Time) {
headers.Set("Last-Modified", lmt.Format(time.RFC1123))
}