ing

2018-04-11 21:06:06 +09:00 · 2018-04-11 21:06:06 +09:00 · 4838bcba97
commit 4838bcba97
7 changed files with 543 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,68 @@
+# Created by .ignore support plugin (hsz.mobi)
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff:
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/dictionaries
+
+# Sensitive or high-churn files:
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.xml
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+
+# Gradle:
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Mongo Explorer plugin:
+.idea/**/mongoSettings.xml
+
+## File-based project format:
+*.iws
+
+## Plugin-specific files:
+
+# IntelliJ
+/out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+### Go template
+# Binaries for programs and plugins
+*.exe
+*.dll
+*.so
+*.dylib
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
+.glide/
+.idea/
+*.iml
+
+vendor/
+glide.lock
+.DS_Store
+dist/
+debug
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@ -0,0 +1,32 @@
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Debug",
+            "type": "go",
+            "request": "launch",
+            "mode": "debug",
+            "remotePath": "",
+            "port": 2345,
+            "host": "127.0.0.1",
+            "program": "${workspaceRoot}/main.go",
+            "env": {},
+            "args": [],
+            "showLog": true
+        },
+        {
+            "name": "File Debug",
+            "type": "go",
+            "request": "launch",
+            "mode": "debug",
+            "remotePath": "",
+            "port": 2345,
+            "host": "127.0.0.1",
+            "program": "${fileDirname}",
+            "env": {},
+            "args": [],
+            "showLog": true
+        }
+
+    ]
+}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,3 @@
+// Place your settings in this file to overwrite default and user settings.
+{
+}
--- a/fasthttp/fasthttp.go
+++ b/fasthttp/fasthttp.go
@ -0,0 +1,330 @@
+package fasthttp
+
+import (
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"git.loafle.net/commons/cors-go"
+	"git.loafle.net/commons/cors-go/internal"
+	"git.loafle.net/commons/logging-go"
+	"github.com/valyala/fasthttp"
+)
+
+// Cors http handler
+type Cors interface {
+	Handle(ctx *fasthttp.RequestCtx) (requestDone bool)
+	Handler(h fasthttp.RequestHandler) fasthttp.RequestHandler
+}
+
+// Cors http handler
+type fasthttpcors struct {
+	co cors.Options
+	// Set to true when allowed origins contains a "*"
+	allowedOriginsAll bool
+	// Normalized list of plain allowed origins
+	allowedOrigins []string
+	// List of allowed origins containing wildcards
+	allowedWOrigins []internal.Wildcard
+	// Set to true when allowed headers contains a "*"
+	allowedHeadersAll bool
+	// Normalized list of allowed headers
+	allowedHeaders []string
+	// Normalized list of allowed methods
+	allowedMethods []string
+	// Normalized list of exposed headers
+	exposedHeaders []string
+}
+
+// New creates a new Cors handler with the provided options.
+func New(co cors.Options) Cors {
+	c := &fasthttpcors{
+		co:             co,
+		exposedHeaders: internal.Convert(co.ExposedHeaders, http.CanonicalHeaderKey),
+	}
+
+	// Normalize options
+	// Note: for origins and methods matching, the spec requires a case-sensitive matching.
+	// As it may error prone, we chose to ignore the spec here.
+
+	// Allowed Origins
+	// Allowed Origins
+	if len(co.AllowedOrigins) == 0 {
+		if co.AllowOriginFunc == nil {
+			// Default is all origins
+			c.allowedOriginsAll = true
+		}
+	} else {
+		c.allowedOrigins = []string{}
+		c.allowedWOrigins = []internal.Wildcard{}
+		for _, origin := range co.AllowedOrigins {
+			// Normalize
+			origin = strings.ToLower(origin)
+			if origin == "*" {
+				// If "*" is present in the list, turn the whole list into a match all
+				c.allowedOriginsAll = true
+				c.allowedOrigins = nil
+				c.allowedWOrigins = nil
+				break
+			} else if i := strings.IndexByte(origin, '*'); i >= 0 {
+				// Split the origin in two: start and end string without the *
+				w := internal.Wildcard{origin[0:i], origin[i+1 : len(origin)]}
+				c.allowedWOrigins = append(c.allowedWOrigins, w)
+			} else {
+				c.allowedOrigins = append(c.allowedOrigins, origin)
+			}
+		}
+	}
+
+	// Allowed Headers
+	if len(co.AllowedHeaders) == 0 {
+		// Use sensible defaults
+		c.allowedHeaders = []string{"Origin", "Accept", "Content-Type"}
+	} else {
+		// Origin is always appended as some browsers will always request for this header at preflight
+		c.allowedHeaders = internal.Convert(append(co.AllowedHeaders, "Origin"), http.CanonicalHeaderKey)
+		for _, h := range co.AllowedHeaders {
+			if h == "*" {
+				c.allowedHeadersAll = true
+				c.allowedHeaders = nil
+				break
+			}
+		}
+	}
+
+	// Allowed Methods
+	if len(co.AllowedMethods) == 0 {
+		// Default is spec's "simple" methods
+		c.allowedMethods = []string{"GET", "POST", "HEAD"}
+	} else {
+		c.allowedMethods = internal.Convert(co.AllowedMethods, strings.ToUpper)
+	}
+
+	return c
+}
+
+// Default creates a new Cors handler with default options.
+func Default() Cors {
+	return New(cors.Options{})
+}
+
+// AllowAll create a new Cors handler with permissive configuration allowing all
+// origins with all standard methods with any header and credentials.
+func AllowAll() Cors {
+	return New(cors.Options{
+		AllowedOrigins:   []string{"*"},
+		AllowedMethods:   []string{"HEAD", "GET", "POST", "PUT", "PATCH", "DELETE"},
+		AllowedHeaders:   []string{"*"},
+		AllowCredentials: true,
+	})
+}
+
+func (c *fasthttpcors) Handle(ctx *fasthttp.RequestCtx) (requestDone bool) {
+	if string(ctx.Method()) == "OPTIONS" && ctx.Request.Header.Peek("Access-Control-Request-Method") != nil {
+		logging.Logger().Info("Handler: Preflight request")
+		c.handlePreflight(ctx)
+		// Preflight requests are standalone and should stop the chain as some other
+		// middleware may not handle OPTIONS requests correctly. One typical example
+		// is authentication middleware ; OPTIONS requests won't carry authentication
+		// headers (see #1)
+		if c.co.OptionsPassthrough {
+			return false
+		}
+
+		ctx.SetStatusCode(fasthttp.StatusOK)
+		return true
+	}
+
+	logging.Logger().Info("Handler: Actual request")
+	c.handleActualRequest(ctx)
+
+	return false
+}
+
+// Handler apply the CORS specification on the request, and add relevant CORS headers
+// as necessary.
+func (c *fasthttpcors) Handler(h fasthttp.RequestHandler) fasthttp.RequestHandler {
+	return fasthttp.RequestHandler(func(ctx *fasthttp.RequestCtx) {
+		if string(ctx.Method()) == "OPTIONS" && ctx.Request.Header.Peek("Access-Control-Request-Method") != nil {
+			logging.Logger().Info("Handler: Preflight request")
+			c.handlePreflight(ctx)
+			// Preflight requests are standalone and should stop the chain as some other
+			// middleware may not handle OPTIONS requests correctly. One typical example
+			// is authentication middleware ; OPTIONS requests won't carry authentication
+			// headers (see #1)
+			if c.co.OptionsPassthrough {
+				h(ctx)
+			} else {
+				ctx.SetStatusCode(fasthttp.StatusOK)
+			}
+		} else {
+			logging.Logger().Info("Handler: Actual request")
+			c.handleActualRequest(ctx)
+			h(ctx)
+		}
+	})
+}
+
+// handlePreflight handles pre-flight CORS requests
+func (c *fasthttpcors) handlePreflight(ctx *fasthttp.RequestCtx) {
+	origin := string(ctx.Request.Header.Peek("Origin"))
+
+	if string(ctx.Method()) != "OPTIONS" {
+		logging.Logger().Info(fmt.Sprintf("  Preflight aborted: %s!=OPTIONS", string(ctx.Method())))
+		return
+	}
+	// Always set Vary headers
+	// see https://github.com/rs/fasthttpcors/issues/10,
+	//     https://github.com/rs/fasthttpcors/commit/dbdca4d95feaa7511a46e6f1efb3b3aa505bc43f#commitcomment-12352001
+	ctx.Response.Header.Add("Vary", "Origin")
+	ctx.Response.Header.Add("Vary", "Access-Control-Request-Method")
+	ctx.Response.Header.Add("Vary", "Access-Control-Request-Headers")
+
+	if origin == "" {
+		logging.Logger().Info("  Preflight aborted: empty origin")
+		return
+	}
+	if !c.isOriginAllowed(origin) {
+		logging.Logger().Info(fmt.Sprintf("  Preflight aborted: origin '%s' not allowed", origin))
+		return
+	}
+
+	reqMethod := string(ctx.Request.Header.Peek("Access-Control-Request-Method"))
+	if !c.isMethodAllowed(reqMethod) {
+		logging.Logger().Info(fmt.Sprintf("  Preflight aborted: method '%s' not allowed", reqMethod))
+		return
+	}
+	reqHeaders := internal.ParseHeaderList(string(ctx.Request.Header.Peek("Access-Control-Request-Headers")))
+	if !c.areHeadersAllowed(reqHeaders) {
+		logging.Logger().Info(fmt.Sprintf("  Preflight aborted: headers '%v' not allowed", reqHeaders))
+		return
+	}
+	if c.allowedOriginsAll && !c.co.AllowCredentials {
+		ctx.Response.Header.Set("Access-Control-Allow-Origin", "*")
+	} else {
+		ctx.Response.Header.Set("Access-Control-Allow-Origin", origin)
+	}
+	// Spec says: Since the list of methods can be unbounded, simply returning the method indicated
+	// by Access-Control-Request-Method (if supported) can be enough
+	ctx.Response.Header.Set("Access-Control-Allow-Methods", strings.ToUpper(reqMethod))
+	if len(reqHeaders) > 0 {
+		// Spec says: Since the list of headers can be unbounded, simply returning supported headers
+		// from Access-Control-Request-Headers can be enough
+		ctx.Response.Header.Set("Access-Control-Allow-Headers", strings.Join(reqHeaders, ", "))
+	}
+	if c.co.AllowCredentials {
+		ctx.Response.Header.Set("Access-Control-Allow-Credentials", "true")
+	}
+	if c.co.MaxAge > 0 {
+		ctx.Response.Header.Set("Access-Control-Max-Age", strconv.Itoa(c.co.MaxAge))
+	}
+	// logging.Logger().Info(fmt.Sprintf("  Preflight response headers: %v", ctx.Response.Header.))
+}
+
+// handleActualRequest handles simple cross-origin requests, actual request or redirects
+func (c *fasthttpcors) handleActualRequest(ctx *fasthttp.RequestCtx) {
+	origin := string(ctx.Request.Header.Peek("Origin"))
+	method := string(ctx.Method())
+
+	if method == "OPTIONS" {
+		logging.Logger().Info(fmt.Sprintf("  Actual request no headers added: method == %s", method))
+		return
+	}
+	// Always set Vary, see https://github.com/rs/fasthttpcors/issues/10
+	ctx.Response.Header.Add("Vary", "Origin")
+	if origin == "" {
+		logging.Logger().Info("  Actual request no headers added: missing origin")
+		return
+	}
+	if !c.isOriginAllowed(origin) {
+		logging.Logger().Info(fmt.Sprintf("  Actual request no headers added: origin '%s' not allowed", origin))
+		return
+	}
+
+	// Note that spec does define a way to specifically disallow a simple method like GET or
+	// POST. Access-Control-Allow-Methods is only used for pre-flight requests and the
+	// spec doesn't instruct to check the allowed methods for simple cross-origin requests.
+	// We think it's a nice feature to be able to have control on those methods though.
+	if !c.isMethodAllowed(method) {
+		logging.Logger().Info(fmt.Sprintf("  Actual request no headers added: method '%s' not allowed", method))
+
+		return
+	}
+	if c.allowedOriginsAll && !c.co.AllowCredentials {
+		ctx.Response.Header.Set("Access-Control-Allow-Origin", "*")
+	} else {
+		ctx.Response.Header.Set("Access-Control-Allow-Origin", origin)
+	}
+	if len(c.exposedHeaders) > 0 {
+		ctx.Response.Header.Set("Access-Control-Expose-Headers", strings.Join(c.exposedHeaders, ", "))
+	}
+	if c.co.AllowCredentials {
+		ctx.Response.Header.Set("Access-Control-Allow-Credentials", "true")
+	}
+	// c.logf("  Actual response added headers: %v", headers)
+}
+
+// isOriginAllowed checks if a given origin is allowed to perform cross-domain requests
+// on the endpoint
+func (c *fasthttpcors) isOriginAllowed(origin string) bool {
+	if c.co.AllowOriginFunc != nil {
+		return c.co.AllowOriginFunc(origin)
+	}
+	if c.allowedOriginsAll {
+		return true
+	}
+	origin = strings.ToLower(origin)
+	for _, o := range c.allowedOrigins {
+		if o == origin {
+			return true
+		}
+	}
+	for _, w := range c.allowedWOrigins {
+		if w.Match(origin) {
+			return true
+		}
+	}
+	return false
+}
+
+// isMethodAllowed checks if a given method can be used as part of a cross-domain request
+// on the endpoing
+func (c *fasthttpcors) isMethodAllowed(method string) bool {
+	if len(c.allowedMethods) == 0 {
+		// If no method allowed, always return false, even for preflight request
+		return false
+	}
+	method = strings.ToUpper(method)
+	if method == "OPTIONS" {
+		// Always allow preflight requests
+		return true
+	}
+	for _, m := range c.allowedMethods {
+		if m == method {
+			return true
+		}
+	}
+	return false
+}
+
+// areHeadersAllowed checks if a given list of headers are allowed to used within
+// a cross-domain request.
+func (c *fasthttpcors) areHeadersAllowed(requestedHeaders []string) bool {
+	if c.allowedHeadersAll || len(requestedHeaders) == 0 {
+		return true
+	}
+	for _, header := range requestedHeaders {
+		header = http.CanonicalHeaderKey(header)
+		found := false
+		for _, h := range c.allowedHeaders {
+			if h == header {
+				found = true
+			}
+		}
+		if !found {
+			return false
+		}
+	}
+	return true
+}
--- a/glide.yaml
+++ b/glide.yaml
@ -0,0 +1,5 @@
+package: git.loafle.net/commons/cors-go
+import:
+- package: git.loafle.net/commons/logging-go
+- package: github.com/valyala/fasthttp
+  version: ^20160617.0.0
--- a/internal/util.go
+++ b/internal/util.go
@ -0,0 +1,70 @@
+package internal
+
+import "strings"
+
+const toLower = 'a' - 'A'
+
+type converter func(string) string
+
+type Wildcard struct {
+	Prefix string
+	Suffix string
+}
+
+func (w Wildcard) Match(s string) bool {
+	return len(s) >= len(w.Prefix+w.Suffix) && strings.HasPrefix(s, w.Prefix) && strings.HasSuffix(s, w.Suffix)
+}
+
+// convert converts a list of string using the passed converter function
+func Convert(s []string, c converter) []string {
+	out := []string{}
+	for _, i := range s {
+		out = append(out, c(i))
+	}
+	return out
+}
+
+// parseHeaderList tokenize + normalize a string containing a list of headers
+func ParseHeaderList(headerList string) []string {
+	l := len(headerList)
+	h := make([]byte, 0, l)
+	upper := true
+	// Estimate the number headers in order to allocate the right splice size
+	t := 0
+	for i := 0; i < l; i++ {
+		if headerList[i] == ',' {
+			t++
+		}
+	}
+	headers := make([]string, 0, t)
+	for i := 0; i < l; i++ {
+		b := headerList[i]
+		if b >= 'a' && b <= 'z' {
+			if upper {
+				h = append(h, b-toLower)
+			} else {
+				h = append(h, b)
+			}
+		} else if b >= 'A' && b <= 'Z' {
+			if !upper {
+				h = append(h, b+toLower)
+			} else {
+				h = append(h, b)
+			}
+		} else if b == '-' || b == '_' || (b >= '0' && b <= '9') {
+			h = append(h, b)
+		}
+
+		if b == ' ' || b == ',' || i == l-1 {
+			if len(h) > 0 {
+				// Flush the found header
+				headers = append(headers, string(h))
+				h = h[:0]
+				upper = true
+			}
+		} else {
+			upper = b == '-' || b == '_'
+		}
+	}
+	return headers
+}
--- a/options.go
+++ b/options.go
@ -0,0 +1,35 @@
+package cors
+
+type Options struct {
+	// AllowedOrigins is a list of origins a cross-domain request can be executed from.
+	// If the special "*" value is present in the list, all origins will be allowed.
+	// An origin may contain a wildcard (*) to replace 0 or more characters
+	// (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penalty.
+	// Only one wildcard can be used per origin.
+	// Default value is ["*"]
+	AllowedOrigins []string
+	// AllowOriginFunc is a custom function to validate the origin. It take the origin
+	// as argument and returns true if allowed or false otherwise. If this option is
+	// set, the content of AllowedOrigins is ignored.
+	AllowOriginFunc func(origin string) bool
+	// AllowedMethods is a list of methods the client is allowed to use with
+	// cross-domain requests. Default value is simple methods (HEAD, GET and POST).
+	AllowedMethods []string
+	// AllowedHeaders is list of non simple headers the client is allowed to use with
+	// cross-domain requests.
+	// If the special "*" value is present in the list, all headers will be allowed.
+	// Default value is [] but "Origin" is always appended to the list.
+	AllowedHeaders []string
+	// ExposedHeaders indicates which headers are safe to expose to the API of a CORS
+	// API specification
+	ExposedHeaders []string
+	// AllowCredentials indicates whether the request can include user credentials like
+	// cookies, HTTP authentication or client side SSL certificates.
+	AllowCredentials bool
+	// MaxAge indicates how long (in seconds) the results of a preflight request
+	// can be cached
+	MaxAge int
+	// OptionsPassthrough instructs preflight to let other potential next handlers to
+	// process the OPTIONS method. Turn this on if your application handles OPTIONS.
+	OptionsPassthrough bool
+}