httputil : wrap handlers for additional context (#413)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-06-25 14:08:09 +02:00 · 2019-12-06 11:07:45 -08:00 · 2019-12-06 11:07:45 -08:00 · b3d3159185
commit b3d3159185
parent 487fc655d6
27 changed files with 495 additions and 463 deletions
--- a/proxy/forward_auth.go
+++ b/proxy/forward_auth.go
@ -16,13 +16,13 @@ func (p *Proxy) registerFwdAuthHandlers() http.Handler {
 	r.StrictSlash(true)
 	r.Use(sessions.RetrieveSession(p.sessionStore))

-	r.Handle("/verify", http.HandlerFunc(p.nginxCallback)).
+	r.Handle("/verify", httputil.HandlerFunc(p.nginxCallback)).
 		Queries("uri", "{uri}", urlutil.QuerySessionEncrypted, "", urlutil.QueryRedirectURI, "")
-	r.Handle("/", http.HandlerFunc(p.postSessionSetNOP)).
+	r.Handle("/", httputil.HandlerFunc(p.postSessionSetNOP)).
 		Queries("uri", "{uri}",
 			urlutil.QuerySessionEncrypted, "",
 			urlutil.QueryRedirectURI, "")
-	r.Handle("/", http.HandlerFunc(p.traefikCallback)).
+	r.Handle("/", httputil.HandlerFunc(p.traefikCallback)).
 		HeadersRegexp(httputil.HeaderForwardedURI, urlutil.QuerySessionEncrypted)
 	r.Handle("/", p.Verify(false)).Queries("uri", "{uri}")
 	r.Handle("/verify", p.Verify(true)).Queries("uri", "{uri}")
@ -31,37 +31,39 @@ func (p *Proxy) registerFwdAuthHandlers() http.Handler {
 }

 // postSessionSetNOP after successfully setting the
-func (p *Proxy) postSessionSetNOP(w http.ResponseWriter, r *http.Request) {
+func (p *Proxy) postSessionSetNOP(w http.ResponseWriter, r *http.Request) error {
 	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 	httputil.Redirect(w, r, r.FormValue(urlutil.QueryRedirectURI), http.StatusFound)
+	return nil
 }

-func (p *Proxy) nginxCallback(w http.ResponseWriter, r *http.Request) {
+func (p *Proxy) nginxCallback(w http.ResponseWriter, r *http.Request) error {
 	encryptedSession := r.FormValue(urlutil.QuerySessionEncrypted)
 	if _, err := p.saveCallbackSession(w, r, encryptedSession); err != nil {
-		httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err))
-		return
+
+		return httputil.NewError(http.StatusBadRequest, err)
 	}
 	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 	w.WriteHeader(http.StatusUnauthorized)
+	return nil
 }

-func (p *Proxy) traefikCallback(w http.ResponseWriter, r *http.Request) {
+func (p *Proxy) traefikCallback(w http.ResponseWriter, r *http.Request) error {
 	forwardedURL, err := url.Parse(r.Header.Get(httputil.HeaderForwardedURI))
 	if err != nil {
-		httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err))
-		return
+		return httputil.NewError(http.StatusBadRequest, err)
 	}
 	q := forwardedURL.Query()
 	redirectURLString := q.Get(urlutil.QueryRedirectURI)
 	encryptedSession := q.Get(urlutil.QuerySessionEncrypted)

 	if _, err := p.saveCallbackSession(w, r, encryptedSession); err != nil {
-		httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusBadRequest, err))
-		return
+
+		return httputil.NewError(http.StatusBadRequest, err)
 	}
 	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 	httputil.Redirect(w, r, redirectURLString, http.StatusFound)
+	return nil
 }

 // Verify checks a user's credentials for an arbitrary host. If the user
@ -70,18 +72,16 @@ func (p *Proxy) traefikCallback(w http.ResponseWriter, r *http.Request) {
 // will be redirected to the authenticate service to sign in with their identity
 // provider. If the user is unauthorized, a `401` error is returned.
 func (p *Proxy) Verify(verifyOnly bool) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	return httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
 		uri, err := urlutil.ParseAndValidateURL(r.FormValue("uri"))
 		if err != nil {
-			httputil.ErrorResponse(w, r, httputil.Error("bad verification uri", http.StatusBadRequest, err))
-			return
+			return httputil.NewError(http.StatusBadRequest, err)
 		}

 		s, err := sessions.FromContext(r.Context())
 		if errors.Is(err, sessions.ErrNoSessionFound) || errors.Is(err, sessions.ErrExpired) {
 			if verifyOnly {
-				httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusUnauthorized, err))
-				return
+				return httputil.NewError(http.StatusUnauthorized, err)
 			}
 			authN := *p.authenticateSigninURL
 			q := authN.Query()
@ -90,25 +90,24 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
 			q.Set(urlutil.QueryForwardAuth, urlutil.StripPort(r.Host)) // add fwd auth to trusted audience
 			authN.RawQuery = q.Encode()
 			httputil.Redirect(w, r, urlutil.NewSignedURL(p.SharedKey, &authN).String(), http.StatusFound)
-			return
+			return nil
 		} else if err != nil {
-			httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusUnauthorized, err))
-			return
+			return httputil.NewError(http.StatusUnauthorized, err)
 		}
 		// depending on the configuration of the fronting proxy, the request Host
 		// and/or `X-Forwarded-Host` may be untrustd or change so we reverify
 		// the session's validity against the supplied uri
 		if err := s.Verify(uri.Hostname()); err != nil {
-			httputil.ErrorResponse(w, r, httputil.Error(err.Error(), http.StatusUnauthorized, err))
-			return
+			return httputil.NewError(http.StatusUnauthorized, err)
 		}
 		p.addPomeriumHeaders(w, r)
-		if err := p.authorize(uri.Host, w, r); err != nil {
-			return
+		if err := p.authorize(uri.Host, r); err != nil {
+			return err
 		}

 		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		w.WriteHeader(http.StatusOK)
 		fmt.Fprintf(w, "Access to %s is allowed.", uri.Host)
+		return nil
 	})
 }