go-zero/rest/handler/contentsecurityhandler.go

package handler

import (
	"net/http"
	"time"

	"github.com/zeromicro/go-zero/core/codec"
	"github.com/zeromicro/go-zero/core/logx"
	"github.com/zeromicro/go-zero/rest/httpx"
	"github.com/zeromicro/go-zero/rest/internal/security"
)

const contentSecurity = "X-Content-Security"

// UnsignedCallback defines the method of the unsigned callback.
type UnsignedCallback func(w http.ResponseWriter, r *http.Request, next http.Handler, strict bool, code int)

// ContentSecurityHandler returns a middleware to verify content security.
func ContentSecurityHandler(decrypters map[string]codec.RsaDecrypter, tolerance time.Duration,
	strict bool, callbacks ...UnsignedCallback) func(http.Handler) http.Handler {
	if len(callbacks) == 0 {
		callbacks = append(callbacks, handleVerificationFailure)
	}

	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			switch r.Method {
			case http.MethodDelete, http.MethodGet, http.MethodPost, http.MethodPut:
				header, err := security.ParseContentSecurity(decrypters, r)
				if err != nil {
					logx.Errorf("Signature parse failed, X-Content-Security: %s, error: %s",
						r.Header.Get(contentSecurity), err.Error())
					executeCallbacks(w, r, next, strict, httpx.CodeSignatureInvalidHeader, callbacks)
				} else if code := security.VerifySignature(r, header, tolerance); code != httpx.CodeSignaturePass {
					logx.Errorf("Signature verification failed, X-Content-Security: %s",
						r.Header.Get(contentSecurity))
					executeCallbacks(w, r, next, strict, code, callbacks)
				} else if r.ContentLength > 0 && header.Encrypted() {
					CryptionHandler(header.Key)(next).ServeHTTP(w, r)
				} else {
					next.ServeHTTP(w, r)
				}
			default:
				next.ServeHTTP(w, r)
			}
		})
	}
}

func executeCallbacks(w http.ResponseWriter, r *http.Request, next http.Handler, strict bool,
	code int, callbacks []UnsignedCallback) {
	for _, callback := range callbacks {
		callback(w, r, next, strict, code)
	}
}

func handleVerificationFailure(w http.ResponseWriter, r *http.Request, next http.Handler, strict bool, code int) {
	if strict {
		w.WriteHeader(http.StatusForbidden)
	} else {
		next.ServeHTTP(w, r)
	}
}
refactor 2020-07-29 18:00:04 +08:00			`package handler`
initial import 2020-07-26 17:09:05 +08:00
			`import (`
			`"net/http"`
			`"time"`

feat: rename module from tal-tech to zeromicro (#1413) 2022-01-04 15:51:32 +08:00			`"github.com/zeromicro/go-zero/core/codec"`
			`"github.com/zeromicro/go-zero/core/logx"`
			`"github.com/zeromicro/go-zero/rest/httpx"`
			`"github.com/zeromicro/go-zero/rest/internal/security"`
initial import 2020-07-26 17:09:05 +08:00			`)`

			`const contentSecurity = "X-Content-Security"`

fix golint issues in rest (#529) 2021-03-01 19:15:35 +08:00			`// UnsignedCallback defines the method of the unsigned callback.`
initial import 2020-07-26 17:09:05 +08:00			`type UnsignedCallback func(w http.ResponseWriter, r *http.Request, next http.Handler, strict bool, code int)`

fix golint issues in rest (#529) 2021-03-01 19:15:35 +08:00			`// ContentSecurityHandler returns a middleware to verify content security.`
initial import 2020-07-26 17:09:05 +08:00			`func ContentSecurityHandler(decrypters map[string]codec.RsaDecrypter, tolerance time.Duration,`
			`strict bool, callbacks ...UnsignedCallback) func(http.Handler) http.Handler {`
			`if len(callbacks) == 0 {`
			`callbacks = append(callbacks, handleVerificationFailure)`
			`}`

			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`switch r.Method {`
			`case http.MethodDelete, http.MethodGet, http.MethodPost, http.MethodPut:`
refactor 2020-07-29 18:00:04 +08:00			`header, err := security.ParseContentSecurity(decrypters, r)`
initial import 2020-07-26 17:09:05 +08:00			`if err != nil {`
add redis geospatial (#209) * add redis geospatial * fix go test error 2020-11-16 19:45:43 +08:00			`logx.Errorf("Signature parse failed, X-Content-Security: %s, error: %s",`
initial import 2020-07-26 17:09:05 +08:00			`r.Header.Get(contentSecurity), err.Error())`
			`executeCallbacks(w, r, next, strict, httpx.CodeSignatureInvalidHeader, callbacks)`
refactor 2020-07-29 18:00:04 +08:00			`} else if code := security.VerifySignature(r, header, tolerance); code != httpx.CodeSignaturePass {`
add redis geospatial (#209) * add redis geospatial * fix go test error 2020-11-16 19:45:43 +08:00			`logx.Errorf("Signature verification failed, X-Content-Security: %s",`
initial import 2020-07-26 17:09:05 +08:00			`r.Header.Get(contentSecurity))`
			`executeCallbacks(w, r, next, strict, code, callbacks)`
			`} else if r.ContentLength > 0 && header.Encrypted() {`
			`CryptionHandler(header.Key)(next).ServeHTTP(w, r)`
			`} else {`
			`next.ServeHTTP(w, r)`
			`}`
			`default:`
			`next.ServeHTTP(w, r)`
			`}`
			`})`
			`}`
			`}`

			`func executeCallbacks(w http.ResponseWriter, r *http.Request, next http.Handler, strict bool,`
			`code int, callbacks []UnsignedCallback) {`
			`for _, callback := range callbacks {`
			`callback(w, r, next, strict, code)`
			`}`
			`}`

			`func handleVerificationFailure(w http.ResponseWriter, r *http.Request, next http.Handler, strict bool, code int) {`
			`if strict {`
add redis geospatial (#209) * add redis geospatial * fix go test error 2020-11-16 19:45:43 +08:00			`w.WriteHeader(http.StatusForbidden)`
initial import 2020-07-26 17:09:05 +08:00			`} else {`
			`next.ServeHTTP(w, r)`
			`}`
			`}`