mirror of
https://github.com/superseriousbusiness/gotosocial.git
synced 2024-11-22 11:46:40 +00:00
[chore] header filter improvements (#3329)
* add error message to gin context on header blocked or not allowed * remove the unused header filter tracking code (leaving OTEL TODOs in place) * appease the linter
This commit is contained in:
parent
862cc9e3c4
commit
964262b169
|
@ -18,7 +18,7 @@
|
||||||
package middleware
|
package middleware
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"sync"
|
"errors"
|
||||||
|
|
||||||
"github.com/gin-gonic/gin"
|
"github.com/gin-gonic/gin"
|
||||||
"github.com/superseriousbusiness/gotosocial/internal/config"
|
"github.com/superseriousbusiness/gotosocial/internal/config"
|
||||||
|
@ -29,25 +29,11 @@
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
allowMatches = matchstats{m: make(map[string]uint64)}
|
// errors set on gin context by header filter middleware.
|
||||||
blockMatches = matchstats{m: make(map[string]uint64)}
|
errHeaderNotAllowed = errors.New("header did not match allow filter")
|
||||||
|
errHeaderBlocked = errors.New("header matched block filter")
|
||||||
)
|
)
|
||||||
|
|
||||||
// matchstats is a simple statistics
|
|
||||||
// counter for header filter matches.
|
|
||||||
// TODO: replace with otel.
|
|
||||||
type matchstats struct {
|
|
||||||
m map[string]uint64
|
|
||||||
l sync.Mutex
|
|
||||||
}
|
|
||||||
|
|
||||||
func (m *matchstats) Add(hdr, regex string) {
|
|
||||||
m.l.Lock()
|
|
||||||
key := hdr + ":" + regex
|
|
||||||
m.m[key]++
|
|
||||||
m.l.Unlock()
|
|
||||||
}
|
|
||||||
|
|
||||||
// HeaderFilter returns a gin middleware handler that provides HTTP
|
// HeaderFilter returns a gin middleware handler that provides HTTP
|
||||||
// request blocking (filtering) based on database allow / block filters.
|
// request blocking (filtering) based on database allow / block filters.
|
||||||
func HeaderFilter(state *state.State) gin.HandlerFunc {
|
func HeaderFilter(state *state.State) gin.HandlerFunc {
|
||||||
|
@ -83,6 +69,7 @@ func headerFilterAllowMode(state *state.State) func(c *gin.Context) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if block {
|
if block {
|
||||||
|
_ = c.Error(errHeaderBlocked)
|
||||||
respondBlocked(c)
|
respondBlocked(c)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -95,6 +82,7 @@ func headerFilterAllowMode(state *state.State) func(c *gin.Context) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if notAllow {
|
if notAllow {
|
||||||
|
_ = c.Error(errHeaderNotAllowed)
|
||||||
respondBlocked(c)
|
respondBlocked(c)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -129,6 +117,7 @@ func headerFilterBlockMode(state *state.State) func(c *gin.Context) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if block {
|
if block {
|
||||||
|
_ = c.Error(errHeaderBlocked)
|
||||||
respondBlocked(c)
|
respondBlocked(c)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -146,7 +135,7 @@ func isHeaderBlocked(state *state.State, c *gin.Context) (bool, error) {
|
||||||
)
|
)
|
||||||
|
|
||||||
// Perform an explicit is-blocked check on request header.
|
// Perform an explicit is-blocked check on request header.
|
||||||
key, expr, err := state.DB.BlockHeaderRegularMatch(ctx, hdr)
|
key, _, err := state.DB.BlockHeaderRegularMatch(ctx, hdr)
|
||||||
switch err {
|
switch err {
|
||||||
case nil:
|
case nil:
|
||||||
break
|
break
|
||||||
|
@ -161,12 +150,10 @@ func isHeaderBlocked(state *state.State, c *gin.Context) (bool, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if key != "" {
|
if key != "" {
|
||||||
if expr != "" {
|
// if expr != "" {
|
||||||
// Increment block matches stat.
|
// // TODO: replace expvar with build
|
||||||
// TODO: replace expvar with build
|
// // taggable metrics types in State{}.
|
||||||
// taggable metrics types in State{}.
|
// }
|
||||||
blockMatches.Add(key, expr)
|
|
||||||
}
|
|
||||||
|
|
||||||
// A header was matched against!
|
// A header was matched against!
|
||||||
// i.e. this request is blocked.
|
// i.e. this request is blocked.
|
||||||
|
@ -183,7 +170,7 @@ func isHeaderAllowed(state *state.State, c *gin.Context) (bool, error) {
|
||||||
)
|
)
|
||||||
|
|
||||||
// Perform an explicit is-allowed check on request header.
|
// Perform an explicit is-allowed check on request header.
|
||||||
key, expr, err := state.DB.AllowHeaderRegularMatch(ctx, hdr)
|
key, _, err := state.DB.AllowHeaderRegularMatch(ctx, hdr)
|
||||||
switch err {
|
switch err {
|
||||||
case nil:
|
case nil:
|
||||||
break
|
break
|
||||||
|
@ -198,12 +185,10 @@ func isHeaderAllowed(state *state.State, c *gin.Context) (bool, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if key != "" {
|
if key != "" {
|
||||||
if expr != "" {
|
// if expr != "" {
|
||||||
// Increment allow matches stat.
|
// // TODO: replace expvar with build
|
||||||
// TODO: replace expvar with build
|
// // taggable metrics types in State{}.
|
||||||
// taggable metrics types in State{}.
|
// }
|
||||||
allowMatches.Add(key, expr)
|
|
||||||
}
|
|
||||||
|
|
||||||
// A header was matched against!
|
// A header was matched against!
|
||||||
// i.e. this request is allowed.
|
// i.e. this request is allowed.
|
||||||
|
@ -220,7 +205,7 @@ func isHeaderNotAllowed(state *state.State, c *gin.Context) (bool, error) {
|
||||||
)
|
)
|
||||||
|
|
||||||
// Perform an explicit is-NOT-allowed check on request header.
|
// Perform an explicit is-NOT-allowed check on request header.
|
||||||
key, expr, err := state.DB.AllowHeaderInverseMatch(ctx, hdr)
|
key, _, err := state.DB.AllowHeaderInverseMatch(ctx, hdr)
|
||||||
switch err {
|
switch err {
|
||||||
case nil:
|
case nil:
|
||||||
break
|
break
|
||||||
|
@ -235,12 +220,10 @@ func isHeaderNotAllowed(state *state.State, c *gin.Context) (bool, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if key != "" {
|
if key != "" {
|
||||||
if expr != "" {
|
// if expr != "" {
|
||||||
// Increment allow matches stat.
|
// // TODO: replace expvar with build
|
||||||
// TODO: replace expvar with build
|
// // taggable metrics types in State{}.
|
||||||
// taggable metrics types in State{}.
|
// }
|
||||||
allowMatches.Add(key, expr)
|
|
||||||
}
|
|
||||||
|
|
||||||
// A header was matched against!
|
// A header was matched against!
|
||||||
// i.e. request is NOT allowed.
|
// i.e. request is NOT allowed.
|
||||||
|
|
Loading…
Reference in a new issue