Exemple #1
0
func redirectToHTTPS(w http.ResponseWriter, r *http.Request, httpsOrigin *url.URL) {
	newurl, _ := url.Parse(r.URL.String())
	newurl.Scheme = "https"
	if httpsOrigin != nil {
		newurl.Host = httpsOrigin.Host
	}
	ab.LogTrace(r).Printf("redirecting to https: %s -> %s\n", r.URL.String(), newurl.String())
	http.Redirect(w, r, newurl.String(), http.StatusMovedPermanently)
}
Exemple #2
0
func domainEnforcerMiddleware(httpsHost, httpHost string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if httpsHost != "" && r.TLS != nil && r.Host != httpsHost {
				newUrl := "https://" + httpsHost + "/" + r.RequestURI
				ab.LogTrace(r).Printf("enforcing https domain: %s -> %s\n", r.URL.String(), newUrl)
				http.Redirect(w, r, newUrl, http.StatusMovedPermanently)
				return
			}
			if httpHost != "" && r.TLS == nil && r.Host != httpHost {
				newUrl := "http://" + httpHost + "/" + r.RequestURI
				ab.LogTrace(r).Printf("enforcing http domain: %s -> %s\n", r.URL.String(), newUrl)
				http.Redirect(w, r, newUrl, http.StatusMovedPermanently)
				return
			}

			next.ServeHTTP(w, r)
		})
	}
}
Exemple #3
0
func corsPreflightHandler(baseURL, httpOrigin string) http.Handler {
	baseurl, err := url.Parse(baseURL)
	if err != nil {
		panic(err)
	}

	httporigin, err := url.Parse(httpOrigin)
	if err != nil {
		panic(err)
	}

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		method := r.Header.Get("Access-Control-Request-Method")
		headers := r.Header.Get("Access-Control-Request-Headers")

		ab.LogTrace(r).Printf("CORS %s %s %s", method, origin, headers)

		w.Header().Add("Vary", "Origin")
		w.Header().Add("Vary", "Access-Control-Request-Method")
		w.Header().Add("Vary", "Access-Control-Request-Headers")

		if origin == "" || method == "" {
			ab.Fail(http.StatusBadRequest, nil)
		}

		originurl, err := url.Parse(origin)
		ab.MaybeFail(http.StatusBadRequest, err)

		if originurl.Host != baseurl.Host && originurl.Host != httporigin.Host {
			ab.Fail(http.StatusForbidden, nil)
		}

		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Access-Control-Allow-Methods", method)
		w.Header().Set("Access-Control-Allow-Headers", headers)
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		w.Header().Set("Access-Control-Max-Age", "0")

		ab.Render(r).SetCode(http.StatusOK)
	})
}
func screeningService(ec *ab.EntityController) ab.Service {
	res := ab.EntityResource(ec, &Screening{}, ab.EntityResourceConfig{
		DisablePost:   true,
		DisableList:   true,
		DisableGet:    true,
		DisablePut:    true,
		DisableDelete: true,
	})

	res.ExtraEndpoints = func(srv *ab.Server) error {
		srv.Post("/api/walkthrough/:id/screening", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			wid := ab.GetParams(r).ByName("id")
			data := []string{}
			ab.MustDecode(r, &data)

			db := ab.GetDB(r)
			uid := ab.GetSession(r)["uid"]

			userEntity, err := ec.Load(db, "user", uid)
			ab.MaybeFail(http.StatusInternalServerError, err)
			user := userEntity.(*User)

			wt, err := LoadActualRevision(db, ec, wid)
			ab.MaybeFail(http.StatusBadRequest, err)

			if wt.UID != uid && !user.Admin {
				ab.Fail(http.StatusForbidden, nil)
			}

			if len(data) == 0 || len(data) != len(wt.Steps)-1 {
				ab.Fail(http.StatusBadRequest, fmt.Errorf("got %d images, expected: %d", len(data), len(wt.Steps)-1))
			}

			screening := &Screening{
				WID:       wid,
				UID:       uid,
				Steps:     uint(len(wt.Steps) - 1),
				Created:   time.Now(),
				Published: true,
			}

			err = ec.Insert(db, screening)
			ab.MaybeFail(http.StatusInternalServerError, err)

			images := map[string][]byte{}
			for i, d := range data {
				if d == "" {
					continue
				}
				dataurl, err := dataurl.DecodeString(d)
				if err != nil {
					ab.LogTrace(r).Printf("data url error: %s", dataurl)
					ab.Fail(http.StatusBadRequest, err)
				}
				if dataurl.ContentType() != "image/png" {
					ab.Fail(http.StatusBadRequest, errors.New("not a png"))
				}
				fn := screening.ScreenshotPath(uint(i))
				images[fn] = dataurl.Data
			}

			if len(images) == 0 {
				ab.Fail(http.StatusBadRequest, errors.New("no images sent"))
			}

			for name, content := range images {
				if err := ioutil.WriteFile(name, content, 0644); err != nil {
					ab.LogUser(r).Println(err)
				}
			}

			ab.Render(r).
				SetCode(http.StatusCreated).
				JSON(screening)
		}), userLoggedInMiddleware)

		lock := map[string]chan struct{}{}
		var mtx sync.Mutex

		srv.Get("/api/walkthrough/:id/screening", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			wid := ab.GetParams(r).ByName("id")
			db := ab.GetDB(r)

			screening, err := LoadActualScreeningForWalkthrough(db, ec, wid)
			ab.MaybeFail(http.StatusInternalServerError, err)
			if screening == nil {
				ab.Fail(http.StatusNotFound, nil)
			}

			fn := screening.GIFPath()

			reply := func() {
				filelist := make([]string, int(screening.Steps))
				for i := uint(0); i < screening.Steps; i++ {
					filelist[i] = "/" + screening.ScreenshotPath(i)
				}

				ab.Render(r).AddOffer("image/gif", func(w http.ResponseWriter) {
					f, err := os.Open(fn)
					ab.MaybeFail(http.StatusInternalServerError, err)
					defer f.Close()
					io.Copy(w, f)
				}).JSON(filelist)
			}

			if _, err := os.Stat(fn); err == nil {
				reply()
				return
			}

			// Short-circuits the gif generation process.
			// If the client wants JSON, there is no need
			// to go through the GIF generation, which is
			// an expensive process.
			if r.Header.Get("Accept") == "application/json" {
				reply()
				return
			}

			mtx.Lock()
			l, ok := lock[fn]
			if ok {
				mtx.Unlock()
				select {
				case <-l:
					reply()
				case <-time.After(5 * time.Second):
					w.Header().Set("Retry-After", "30")
					ab.Render(r).SetCode(http.StatusServiceUnavailable)
				}
				return
			}
			l = make(chan struct{})
			lock[fn] = l
			mtx.Unlock()

			err = screening.createGIF(false)

			defer func() {
				mtx.Lock()
				delete(lock, fn)
				mtx.Unlock()
			}()

			if err != nil {
				if _, ok := err.(*os.PathError); ok {
					ab.Fail(http.StatusNotFound, err)
				} else {
					ab.Fail(http.StatusInternalServerError, err)
				}
			}
			close(l)
			reply()
		}))
		return nil
	}

	return res
}