Add API KEY support to allow CORS requests.

author Sebastien Douheret <sebastien.douheret@iot.bzh>

Tue, 23 May 2017 20:56:16 +0000 (22:56 +0200)

committer Sebastien Douheret <sebastien.douheret@iot.bzh>

Tue, 23 May 2017 21:04:10 +0000 (23:04 +0200)
author Sebastien Douheret <sebastien.douheret@iot.bzh>
Tue, 23 May 2017 20:56:16 +0000 (22:56 +0200)
committer Sebastien Douheret <sebastien.douheret@iot.bzh>
Tue, 23 May 2017 21:04:10 +0000 (23:04 +0200)
diff --git a/.vscode/settings.json b/.vscode/settings.json

index a6647f3..1bc5381 100644 (file)
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,20 +1,37 @@
  // Place your settings in this file to overwrite default and user settings.
  {
-    // Configure glob patterns for excluding files and folders.
-    "files.exclude": {
-        ".tmp": true,
-        ".git": true,
-        "glide.lock": true,
-        "vendor": true,
-        "debug": true,
-        "bin": true,
-        "tools": true
-    },
-
-    // Words to add to dictionary for a workspace.
-    "cSpell.words": [
-        "apiv", "gonic", "devel", "csrffound", "Syncthing", "STID",
-        "ISTCONFIG", "socketio", "ldflags", "SThg", "Intf", "dismissible",
-        "rpath", "WSID", "sess", "IXDS", "xdsconfig", "xdsserver", "Inot", "inotify", "cmdi"
-    ]
+  // Configure glob patterns for excluding files and folders.
+  "files.exclude": {
+    ".tmp": true,
+    ".git": true,
+    "glide.lock": true,
+    "vendor": true,
+    "debug": true,
+    "bin": true,
+    "tools": true
+  },
+  // Words to add to dictionary for a workspace.
+  "cSpell.words": [
+    "apiv",
+    "gonic",
+    "devel",
+    "csrffound",
+    "Syncthing",
+    "STID",
+    "ISTCONFIG",
+    "socketio",
+    "ldflags",
+    "SThg",
+    "Intf",
+    "dismissible",
+    "rpath",
+    "WSID",
+    "sess",
+    "IXDS",
+    "xdsconfig",
+    "xdsserver",
+    "Inot",
+    "inotify",
+    "cmdi"
+  ]
  }
 \ No newline at end of file
diff --git a/agent-config.json.in b/agent-config.json.in

index 9c7803f..499cada 100644 (file)
--- a/agent-config.json.in
+++ b/agent-config.json.in
@@ -1,5 +1,6 @@
  {
      "logsDir": "${HOME}/.xds/agent/logs",
+    "xds-apikey": "1234abcezam",
      "syncthing": {
          "home": "${HOME}/.xds/agent/syncthing-config",
          "gui-address": "http://localhost:8384"
diff --git a/lib/agent/agent.go b/lib/agent/agent.go

index 80c97f7..74872f7 100644 (file)
--- a/lib/agent/agent.go
+++ b/lib/agent/agent.go
@@ -11,7 +11,7 @@ import (
         "github.com/codegangsta/cli"
         "github.com/iotbzh/xds-agent/lib/syncthing"
         "github.com/iotbzh/xds-agent/lib/xdsconfig"
-       "github.com/iotbzh/xds-agent/lib/xdsserver"
+       "github.com/iotbzh/xds-agent/lib/webserver"
  )
  
  // Context holds the Agent context structure
@@ -22,7 +22,7 @@ type Context struct {
         SThg        *st.SyncThing
         SThgCmd     *exec.Cmd
         SThgInotCmd *exec.Cmd
-       WWWServer   *xdsserver.ServerService
+       WWWServer   *webserver.ServerService
         Exit        chan os.Signal
  }
  
diff --git a/lib/xdsserver/server.go b/lib/webserver/server.go

similarity index 67%

rename from lib/xdsserver/server.go

rename to lib/webserver/server.go

index 67b3e9a..b835a65 100644 (file)
--- a/lib/xdsserver/server.go
+++ b/lib/webserver/server.go
@@ -1,8 +1,9 @@
-package xdsserver
+package webserver
  
  import (
         "fmt"
         "net/http"
+       "strings"
  
         "github.com/Sirupsen/logrus"
         "github.com/gin-gonic/gin"
@@ -27,8 +28,8 @@ type ServerService struct {
  const indexFilename = "index.html"
  const cookieMaxAge = "3600"
  
-// NewServer creates an instance of ServerService
-func NewServer(conf *xdsconfig.Config, log *logrus.Logger) *ServerService {
+// New creates an instance of ServerService
+func New(conf *xdsconfig.Config, log *logrus.Logger) *ServerService {
  
         // Setup logging for gin router
         if log.Level == logrus.DebugLevel {
@@ -67,12 +68,15 @@ func (s *ServerService) Serve() error {
         // Setup middlewares
         s.router.Use(gin.Logger())
         s.router.Use(gin.Recovery())
-       s.router.Use(s.middlewareXDSDetails())
         s.router.Use(s.middlewareCORS())
+       s.router.Use(s.middlewareXDSDetails())
+       s.router.Use(s.middlewareCSRF())
  
         // Sessions manager
         s.sessions = session.NewClientSessions(s.router, s.log, cookieMaxAge)
  
+       s.router.GET("", s.slashHandler)
+
         // Create REST API
         s.api = apiv1.New(s.sessions, s.cfg, s.log, s.router)
  
@@ -117,6 +121,11 @@ func (s *ServerService) Stop() {
         close(s.stop)
  }
  
+// serveSlash provides response to GET "/"
+func (s *ServerService) slashHandler(c *gin.Context) {
+       c.String(200, "Hello from XDS agent!")
+}
+
  // Add details in Header
  func (s *ServerService) middlewareXDSDetails() gin.HandlerFunc {
         return func(c *gin.Context) {
@@ -126,20 +135,65 @@ func (s *ServerService) middlewareXDSDetails() gin.HandlerFunc {
         }
  }
  
+func (s *ServerService) isValidAPIKey(key string) bool {
+       return (key == s.cfg.FileConf.XDSAPIKey && key != "")
+}
+
+func (s *ServerService) middlewareCSRF() gin.HandlerFunc {
+       return func(c *gin.Context) {
+               // Allow requests carrying a valid API key
+               if s.isValidAPIKey(c.Request.Header.Get("X-API-Key")) {
+                       // Set the access-control-allow-origin header for CORS requests
+                       // since a valid API key has been provided
+                       c.Header("Access-Control-Allow-Origin", "*")
+                       c.Next()
+                       return
+               }
+
+               // Allow io.socket request
+               if strings.HasPrefix(c.Request.URL.Path, "/socket.io") {
+                       c.Next()
+                       return
+               }
+
+               /* FIXME Add really CSRF support
+
+               // Allow requests for anything not under the protected path prefix,
+               // and set a CSRF cookie if there isn't already a valid one.
+               if !strings.HasPrefix(c.Request.URL.Path, prefix) {
+                       cookie, err := c.Cookie("CSRF-Token-" + unique)
+                       if err != nil || !validCsrfToken(cookie.Value) {
+                               s.log.Debugln("new CSRF cookie in response to request for", c.Request.URL)
+                               c.SetCookie("CSRF-Token-"+unique, newCsrfToken(), 600, "/", "", false, false)
+                       }
+                       c.Next()
+                       return
+               }
+
+               // Verify the CSRF token
+               token := c.Request.Header.Get("X-CSRF-Token-" + unique)
+               if !validCsrfToken(token) {
+                       c.AbortWithError(403, "CSRF Error")
+                       return
+               }
+
+               c.Next()
+               */
+               c.AbortWithError(403, fmt.Errorf("Not valid API key"))
+       }
+}
+
  // CORS middleware
  func (s *ServerService) middlewareCORS() gin.HandlerFunc {
         return func(c *gin.Context) {
-
                 if c.Request.Method == "OPTIONS" {
                         c.Header("Access-Control-Allow-Origin", "*")
-                       c.Header("Access-Control-Allow-Headers", "Content-Type")
-                       c.Header("Access-Control-Allow-Methods", "POST, DELETE, GET, PUT")
-                       c.Header("Content-Type", "application/json")
+                       c.Header("Access-Control-Allow-Headers", "Content-Type, X-API-Key")
+                       c.Header("Access-Control-Allow-Methods", "GET, POST, DELETE")
                         c.Header("Access-Control-Max-Age", cookieMaxAge)
                         c.AbortWithStatus(204)
                         return
                 }
-
                 c.Next()
         }
  }
diff --git a/lib/xdsconfig/fileconfig.go b/lib/xdsconfig/fileconfig.go

index 535ee59..3c834fc 100644 (file)
--- a/lib/xdsconfig/fileconfig.go
+++ b/lib/xdsconfig/fileconfig.go
@@ -18,9 +18,10 @@ type SyncThingConf struct {
  }
  
  type FileConfig struct {
-       HTTPPort string         `json:"httpPort"`
-       LogsDir  string         `json:"logsDir"`
-       SThgConf *SyncThingConf `json:"syncthing"`
+       HTTPPort  string         `json:"httpPort"`
+       LogsDir   string         `json:"logsDir"`
+       XDSAPIKey string         `json:"xds-apikey"`
+       SThgConf  *SyncThingConf `json:"syncthing"`
  }
  
  // getConfigFromFile reads configuration from a config file.
diff --git a/main.go b/main.go

index eeb4036..44dda71 100644 (file)
--- a/main.go
+++ b/main.go
@@ -12,8 +12,8 @@ import (
         "github.com/codegangsta/cli"
         "github.com/iotbzh/xds-agent/lib/agent"
         "github.com/iotbzh/xds-agent/lib/syncthing"
+       "github.com/iotbzh/xds-agent/lib/webserver"
         "github.com/iotbzh/xds-agent/lib/xdsconfig"
-       "github.com/iotbzh/xds-agent/lib/xdsserver"
  )
  
  const (
@@ -87,7 +87,7 @@ func xdsAgent(cliCtx *cli.Context) error {
         ctx.Log.Infof("Local Syncthing ID: %s", id)
  
         // Create and start Web Server
-       ctx.WWWServer = xdsserver.NewServer(ctx.Config, ctx.Log)
+       ctx.WWWServer = webserver.New(ctx.Config, ctx.Log)
         if err = ctx.WWWServer.Serve(); err != nil {
                 log.Println(err)
                 return cli.NewExitError(err, 3)
author	Sebastien Douheret <sebastien.douheret@iot.bzh>
	Tue, 23 May 2017 20:56:16 +0000 (22:56 +0200)
committer	Sebastien Douheret <sebastien.douheret@iot.bzh>
	Tue, 23 May 2017 21:04:10 +0000 (23:04 +0200)
.vscode/settings.json		patch \| blob \| history
agent-config.json.in		patch \| blob \| history
lib/agent/agent.go		patch \| blob \| history
lib/webserver/server.go	[moved from lib/xdsserver/server.go with 67% similarity]	patch \| blob \| history
lib/xdsconfig/fileconfig.go		patch \| blob \| history
main.go		patch \| blob \| history