package route_service
import (
"errors"
"net/http"
"net/url"
"time"
"code.cloudfoundry.org/gorouter/common/secure"
"code.cloudfoundry.org/gorouter/route_service/header"
"code.cloudfoundry.org/lager"
)
// Header names exchanged between the router and a route service.
//
// RouteServiceSignature carries the encrypted signature and
// RouteServiceMetadata the value that is handed to the decoder together with
// it (see ValidateSignature); RouteServiceForwardedUrl carries the raw URL of
// the application request that the signature was generated for.
const RouteServiceSignature = "X-CF-Proxy-Signature"
const RouteServiceForwardedUrl = "X-CF-Forwarded-Url"
const RouteServiceMetadata = "X-CF-Proxy-Metadata"
// Sentinel errors returned by ValidateSignature. Callers can compare against
// them directly (or with errors.Is) to tell a stale signature from a request
// whose forwarded URL does not match the signed one.
var (
	RouteServiceExpired              = errors.New("Route service request expired")
	RouteServiceForwardedUrlMismatch = errors.New("Route service forwarded url mismatch")
)
// RouteServiceConfig holds the router's route-service settings and the keys
// used to sign requests sent to a route service and to verify them when they
// come back. Build it with NewRouteServiceConfig.
type RouteServiceConfig struct {
	routeServiceEnabled bool          // whether route services are in use at all (see RouteServiceEnabled)
	routeServiceTimeout time.Duration // maximum age of a signature before it is rejected as expired
	crypto              secure.Crypto // key used to generate signatures and tried first when validating
	cryptoPrev          secure.Crypto // optional (may be nil) fallback key tried when crypto cannot decode a signature
	logger              lager.Logger
	recommendHttps      bool // not read by any method in this file
}
// RouteServiceArgs carries everything SetupRouteServiceRequest needs to
// redirect a request to a route service.
type RouteServiceArgs struct {
	UrlString       string   // not read in this file; presumably the unparsed form of ParsedUrl
	ParsedUrl       *url.URL // route service endpoint; becomes request.URL and request.Host, must be non-nil
	Signature       string   // value for the X-CF-Proxy-Signature header
	Metadata        string   // value for the X-CF-Proxy-Metadata header
	ForwardedUrlRaw string   // value for the X-CF-Forwarded-Url header
	RecommendHttps  bool     // not read in this file
}
// NewRouteServiceConfig builds a RouteServiceConfig from the router's
// route-service settings. timeout bounds how old a signature may be before
// ValidateSignature rejects it; crypto is the signing key; cryptoPrev may be
// nil and, when set, is used as a fallback key while validating signatures.
func NewRouteServiceConfig(logger lager.Logger, enabled bool, timeout time.Duration, crypto secure.Crypto, cryptoPrev secure.Crypto, recommendHttps bool) *RouteServiceConfig {
	var cfg RouteServiceConfig
	cfg.logger = logger
	cfg.routeServiceEnabled = enabled
	cfg.routeServiceTimeout = timeout
	cfg.crypto = crypto
	cfg.cryptoPrev = cryptoPrev
	cfg.recommendHttps = recommendHttps
	return &cfg
}
// RouteServiceEnabled reports whether route-service support was switched on
// when this config was built.
func (rs *RouteServiceConfig) RouteServiceEnabled() bool {
	enabled := rs.routeServiceEnabled
	return enabled
}
// GenerateSignatureAndMetadata produces the X-CF-Proxy-Signature and
// X-CF-Proxy-Metadata header values for a request that is about to be sent to
// a route service. The signature embeds the current time and forwardedUrlRaw;
// ValidateSignature checks both again when the route service sends the
// request back, so the values bound here are what limit replay and
// redirection of the returned request.
//
// It returns the signature header value, the metadata header value, and any
// error from header.BuildSignatureAndMetadata, in which case both strings are
// empty.
func (rs *RouteServiceConfig) GenerateSignatureAndMetadata(forwardedUrlRaw string) (string, string, error) {
	sig := header.Signature{
		RequestedTime: time.Now(),
		ForwardedUrl:  forwardedUrlRaw,
	}
	sigHeader, metaHeader, buildErr := header.BuildSignatureAndMetadata(rs.crypto, &sig)
	if buildErr != nil {
		return "", "", buildErr
	}
	return sigHeader, metaHeader, nil
}
// SetupRouteServiceRequest rewrites request in place so that it is delivered
// to the route service described by args: it attaches the signature, metadata
// and forwarded-URL headers and points request.URL and request.Host at
// args.ParsedUrl.
//
// args.ParsedUrl must be non-nil; it is dereferenced without a check.
// args.UrlString and args.RecommendHttps are not read here.
func (rs *RouteServiceConfig) SetupRouteServiceRequest(request *http.Request, args RouteServiceArgs) {
	rs.logger.Debug("proxy.route-service")

	hdr := request.Header
	hdr.Set(RouteServiceSignature, args.Signature)
	hdr.Set(RouteServiceMetadata, args.Metadata)
	hdr.Set(RouteServiceForwardedUrl, args.ForwardedUrlRaw)

	target := args.ParsedUrl
	request.URL = target
	request.Host = target.Host
}
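// ValidateSignature checks the signature and metadata headers on a request
// that came back from a route service. The signature is decoded with the
// current key and, if that fails and a previous key is configured, with the
// previous key. A successfully decoded signature must then be no older than
// rs.routeServiceTimeout and carry a ForwardedUrl equal to requestUrl.
//
// It returns the decode error from the last key tried, RouteServiceExpired,
// or RouteServiceForwardedUrlMismatch; nil means the request is accepted.
//
// Fix: previously a signature that only the previous key could decode was
// returned as valid immediately, skipping the timeout and forwarded-URL
// checks; the fallback now falls through to the same validation as the
// current key. The duplicated "current_key" log line is also removed.
func (rs *RouteServiceConfig) ValidateSignature(headers *http.Header, requestUrl string) error {
	metadataHeader := headers.Get(RouteServiceMetadata)
	signatureHeader := headers.Get(RouteServiceSignature)

	signature, err := header.SignatureFromHeaders(signatureHeader, metadataHeader, rs.crypto)
	if err != nil {
		rs.logger.Info("proxy.route-service.current_key", lager.Data{"error": err.Error()})
		if rs.cryptoPrev == nil {
			return err
		}
		// Decode the headers again with the previous key (presumably so that
		// signatures issued under the key in use before a rotation are still
		// accepted). Whatever key succeeds, the signature's contents are still
		// subject to the checks below.
		signature, err = header.SignatureFromHeaders(signatureHeader, metadataHeader, rs.cryptoPrev)
		if err != nil {
			rs.logger.Info("proxy.route-service.previous_key", lager.Data{"error": err.Error()})
			return err
		}
	}

	if err := rs.validateSignatureTimeout(signature); err != nil {
		return err
	}
	return rs.validateForwardedUrl(signature, requestUrl)
}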
// validateSignatureTimeout rejects a signature whose RequestedTime lies more
// than rs.routeServiceTimeout in the past, returning RouteServiceExpired.
//
// Only the age is bounded: a RequestedTime in the future makes time.Since
// negative and therefore always passes this check.
func (rs *RouteServiceConfig) validateSignatureTimeout(signature header.Signature) error {
	age := time.Since(signature.RequestedTime)
	if age <= rs.routeServiceTimeout {
		return nil
	}
	rs.logger.Debug("proxy.route-service.timeout")
	return RouteServiceExpired
}
// validateForwardedUrl checks that requestUrl is byte-for-byte the URL
// recorded in the signature when it was generated. Any difference, including
// case or a trailing slash, yields RouteServiceForwardedUrlMismatch; there is
// no normalization on either side.
func (rs *RouteServiceConfig) validateForwardedUrl(signature header.Signature, requestUrl string) error {
	if signature.ForwardedUrl == requestUrl {
		return nil
	}
	mismatch := RouteServiceForwardedUrlMismatch
	rs.logger.Info("proxy.route-service.forwarded-url.mismatch", lager.Data{"error": mismatch.Error()})
	return mismatch
}