From b7ea268c1adb92eb875207a99bcc9939ac1661b9 Mon Sep 17 00:00:00 2001
From: Mark van der Velden
Date: Mon, 24 Apr 2017 18:03:57 +0200
Subject: [PATCH 1/2] White-listing actions (e.g.: Allow /crop and /resize, but not /enlarge)
---
 handlers/allowedactions.go | 33 +++++++++++++++++++++++++++++++++
 main.go | 23 +++++++++++++++++------
 2 files changed, 50 insertions(+), 6 deletions(-)
 create mode 100644 handlers/allowedactions.go
diff --git a/handlers/allowedactions.go b/handlers/allowedactions.go
new file mode 100644
index 0000000..c3cf047
--- /dev/null
+++ b/handlers/allowedactions.go
@@ -0,0 +1,33 @@
+package handlers
+
+import (
+ "net/http"
+
+ "strings"
+
+ "github.com/go-kit/kit/log"
+)
+
+func NewAllowedActions(l log.Logger, allowedActions []string) func(h http.Handler) http.Handler {
+ var actions = make(map[string]bool, len(allowedActions))
+ for _, p := range allowedActions {
+ if p == "" {
+ continue
+ }
+
+ actions[p] = true
+ }
+
+ return func(h http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ action := r.URL.Path[1:]
+ if _, exists := actions[action]; !exists {
+ l.Log("error", "action is not white-listed", "action", action, "allowed", strings.Join(allowedActions, ","))
+ http.Error(w, "Unregisterd action", http.StatusNotAcceptable)
+ return
+ }
+
+ h.ServeHTTP(w, r)
+ })
+ }
+}
diff --git a/main.go b/main.go
index a849103..cfd4275 100644
--- a/main.go
+++ b/main.go
@@ -19,12 +19,13 @@ import (
 )
 var (
- allowedHosts argumentList
- allowedImaginaryParams string
- imaginaryURL string
- listenPort int64
- bucketRate float64
- bucketSize int64
+ allowedHosts argumentList
+ allowedImaginaryParams string
+ allowedImaginaryActions string
+ imaginaryURL string
+ listenPort int64
+ bucketRate float64
+ bucketSize int64
 Version = "dev"
 logger = log.With(
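Review bot: `action := r.URL.Path[1:]` inside the handler closure indexes past the end when the request path is empty, which net/http does hand to handlers (an absolute-form request-target with no path, or CONNECT), so a malformed request turns into a per-request panic instead of a rejection; `action := strings.TrimPrefix(r.URL.Path, "/")` matches the same paths and is safe on an empty one. The loop building `actions` only skips empty entries, so a flag value like `crop, resize` leaves `" resize"` in the list and every /resize request gets rejected — `p = strings.TrimSpace(p)` before the `if p == ""` check fixes this, and the trim belongs here because the caller in main.go's decorateHandler passes the raw `strings.Split` result. The exported NewAllowedActions has no doc comment; `// NewAllowedActions returns a decorator that rejects any request whose path (without the leading slash) is not one of allowedActions; empty entries are ignored.` would do. The response body `"Unregisterd action"` is misspelled.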
@@ -52,6 +53,7 @@ func init() {
 flag.Float64Var(&bucketRate, "bucket-rate", 20, "Rate limiter bucket fill rate (req/s)")
 flag.Int64Var(&bucketSize, "bucket-size", 500, "Rate limiter bucket size (burst capacity)")
 flag.StringVar(&allowedImaginaryParams, "allowed-params", "", "A comma seperated list of parameters allows to be sent upstream. If empty, everything is allowed.")
+ flag.StringVar(&allowedImaginaryActions, "allowed-actions", "", "A comma seperated list of actions allows to be sent upstream. If empty, everything is allowed.")
 }
@@ -111,6 +113,15 @@ func decorateHandler(h http.Handler, b *ratelimit.Bucket) http.Handler {
 ))
 }
+ if allowedImaginaryActions != "" {
+ decorators = append(
+ decorators,
+ handlers.NewAllowedActions(
+ logger,
+ strings.Split(allowedImaginaryActions, ","),
+ ))
+ }
+
 // Defining early needed handlers last
 decorators = append(
 decorators,
From cde0d74d5febf24dcbfbf91437a9068ee22f0a18 Mon Sep 17 00:00:00 2001
From: Mark van der Velden
Date: Wed, 26 Apr 2017 10:58:19 +0200
Subject: [PATCH 2/2] PR feedback
---
 handlers/allowedactions.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/handlers/allowedactions.go b/handlers/allowedactions.go
index c3cf047..f837757 100644
--- a/handlers/allowedactions.go
+++ b/handlers/allowedactions.go
@@ -23,7 +23,7 @@ func NewAllowedActions(l log.Logger, allowedActions []string) func(h http.Handle
 action := r.URL.Path[1:]
 if _, exists := actions[action]; !exists {
 l.Log("error", "action is not white-listed", "action", action, "allowed", strings.Join(allowedActions, ","))
- http.Error(w, "Unregisterd action", http.StatusNotAcceptable)
+ http.Error(w, "Unregisterd action", http.StatusBadRequest)
 return
 }
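Review bot: The help text of the new `allowed-actions` flag repeats the spelling and grammar slips of the `allowed-params` line above it (`seperated`, `allows to be sent`), and this string is what operators read in `-help`; `"A comma separated list of actions allowed to be sent upstream. If empty, everything is allowed."` reads cleanly. The `allowed-params` line has the same slips but is not part of this change. The enclosing init function starts outside the hunk.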
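Review bot: The `if allowedImaginaryActions != ""` guard silently skips the decorator when the flag is unset, so a deployment that forgets it forwards every action upstream with nothing in the log to show the allow-list is inactive; an `else` branch emitting one startup line such as `logger.Log("msg", "no action allow-list configured, all actions are forwarded upstream")` makes the fail-open default visible to operators. The placement among the other decorators cannot be checked from here because decorateHandler starts and ends outside the hunk.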