TUN-528: Move cloudflared into a separate repo

vendor/github.com/mholt/caddy/caddyhttp/internalsrv/internal.go

@@ -0,0 +1,111 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package internalsrv provides a simple middleware that (a) prevents access
+// to internal locations and (b) allows to return files from internal location
+// by setting a special header, e.g. in a proxy response.
+//
+// The package is named internalsrv so as not to conflict with Go tooling
+// convention which treats folders called "internal" differently.
+package internalsrv
+
+import (
+	"net/http"
+
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+// Internal middleware protects internal locations from external requests -
+// but allows access from the inside by using a special HTTP header.
+type Internal struct {
+	Next  httpserver.Handler
+	Paths []string
+}
+
+const (
+	redirectHeader        string = "X-Accel-Redirect"
+	contentLengthHeader   string = "Content-Length"
+	contentEncodingHeader string = "Content-Encoding"
+	maxRedirectCount      int    = 10
+)
+
+func isInternalRedirect(w http.ResponseWriter) bool {
+	return w.Header().Get(redirectHeader) != ""
+}
+
+// ServeHTTP implements the httpserver.Handler interface.
+func (i Internal) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
+	// Internal location requested? -> Not found.
+	for _, prefix := range i.Paths {
+		if httpserver.Path(r.URL.Path).Matches(prefix) {
+			return http.StatusNotFound, nil
+		}
+	}
+
+	// Use internal response writer to ignore responses that will be
+	// redirected to internal locations
+	iw := internalResponseWriter{ResponseWriterWrapper: &httpserver.ResponseWriterWrapper{ResponseWriter: w}}
+	status, err := i.Next.ServeHTTP(iw, r)
+
+	for c := 0; c < maxRedirectCount && isInternalRedirect(iw); c++ {
+		// Redirect - adapt request URL path and send it again
+		// "down the chain"
+		r.URL.Path = iw.Header().Get(redirectHeader)
+		iw.ClearHeader()
+		status, err = i.Next.ServeHTTP(iw, r)
+	}
+
+	if isInternalRedirect(iw) {
+		// Too many redirect cycles
+		iw.ClearHeader()
+		return http.StatusInternalServerError, nil
+	}
+
+	return status, err
+}
+
+// internalResponseWriter wraps the underlying http.ResponseWriter and ignores
+// calls to Write and WriteHeader if the response should be redirected to an
+// internal location.
+type internalResponseWriter struct {
+	*httpserver.ResponseWriterWrapper
+}
+
+// ClearHeader removes script headers that would interfere with follow up
+// redirect requests.
+func (w internalResponseWriter) ClearHeader() {
+	w.Header().Del(redirectHeader)
+	w.Header().Del(contentLengthHeader)
+	w.Header().Del(contentEncodingHeader)
+}
+
+// WriteHeader ignores the call if the response should be redirected to an
+// internal location.
+func (w internalResponseWriter) WriteHeader(code int) {
+	if !isInternalRedirect(w) {
+		w.ResponseWriterWrapper.WriteHeader(code)
+	}
+}
+
+// Write ignores the call if the response should be redirected to an internal
+// location.
+func (w internalResponseWriter) Write(b []byte) (int, error) {
+	if isInternalRedirect(w) {
+		return 0, nil
+	}
+	return w.ResponseWriterWrapper.Write(b)
+}
+
+// Interface guards
+var _ httpserver.HTTPInterfaces = internalResponseWriter{}

vendor/github.com/mholt/caddy/caddyhttp/internalsrv/internal_test.go

@@ -0,0 +1,137 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package internalsrv
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"strconv"
+
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+const (
+	internalProtectedData  = "~~~protected-data~~~"
+	contentTypeOctetStream = "application/octet-stream"
+)
+
+func TestInternal(t *testing.T) {
+	im := Internal{
+		Next:  httpserver.HandlerFunc(internalTestHandlerFunc),
+		Paths: []string{"/internal"},
+	}
+
+	tests := []struct {
+		url          string
+		expectedCode int
+		expectedBody string
+	}{
+		{"/internal", http.StatusNotFound, ""},
+
+		{"/public", 0, "/public"},
+		{"/public/internal", 0, "/public/internal"},
+
+		{"/redirect", 0, "/internal"},
+
+		{"/cycle", http.StatusInternalServerError, ""},
+	}
+
+	var i int
+	for i, test := range tests {
+		req, err := http.NewRequest("GET", test.url, nil)
+		if err != nil {
+			t.Fatalf("Test %d: Could not create HTTP request: %v", i, err)
+		}
+
+		rec := httptest.NewRecorder()
+		code, _ := im.ServeHTTP(rec, req)
+
+		if code != test.expectedCode {
+			t.Errorf("Test %d: Expected status code %d for %s, but got %d",
+				i, test.expectedCode, test.url, code)
+		}
+		if rec.Body.String() != test.expectedBody {
+			t.Errorf("Test %d: Expected body '%s' for %s, but got '%s'",
+				i, test.expectedBody, test.url, rec.Body.String())
+		}
+	}
+
+	{
+		req, err := http.NewRequest("GET", "/download", nil)
+		if err != nil {
+			t.Fatalf("Test %d: Could not create HTTP request: %v", i, err)
+		}
+
+		rec := httptest.NewRecorder()
+		code, _ := im.ServeHTTP(rec, req)
+
+		if code != 0 {
+			t.Errorf("Test %d: Expected status code %d for %s, but got %d",
+				i, 0, "/download", code)
+		}
+		if rec.Body.String() != internalProtectedData {
+			t.Errorf("Test %d: Expected body '%s' for %s, but got '%s'",
+				i, internalProtectedData, "/download", rec.Body.String())
+		}
+		contentLength, err := strconv.Atoi(rec.Header().Get("Content-Length"))
+		if err != nil || contentLength != len(internalProtectedData) {
+			t.Errorf("Test %d: Expected content-length %d for %s, but got %d",
+				i, len(internalProtectedData), "/download", contentLength)
+		}
+		if val := rec.Header().Get("Content-Type"); val != contentTypeOctetStream {
+			t.Errorf("Test %d: Expected content-type '%s' header for %s, but got '%s'",
+				i, contentTypeOctetStream, "/download", val)
+		}
+		if val := rec.Header().Get("Content-Disposition"); val == "" {
+			t.Errorf("Test %d: Expected content-disposition header for %s",
+				i, "/download")
+		}
+		if val := rec.Header().Get("Content-Encoding"); val != "" {
+			t.Errorf("Test %d: Expected removal of content-encoding header for %s",
+				i, "/download")
+		}
+	}
+}
+
+func internalTestHandlerFunc(w http.ResponseWriter, r *http.Request) (int, error) {
+	switch r.URL.Path {
+	case "/redirect":
+		w.Header().Set("X-Accel-Redirect", "/internal")
+
+	case "/cycle":
+		w.Header().Set("X-Accel-Redirect", "/cycle")
+
+	case "/download":
+		w.Header().Set("X-Accel-Redirect", "/internal/data")
+		w.Header().Set("Content-Disposition", "attachment; filename=test")
+		w.Header().Set("Content-Encoding", "magic")
+		w.Header().Set("Content-Length", "999")
+
+	case "/internal/data":
+		w.WriteHeader(http.StatusOK)
+		w.Header().Set("Content-Type", contentTypeOctetStream)
+		w.Header().Set("Content-Length", strconv.Itoa(len(internalProtectedData)))
+		w.Write([]byte(internalProtectedData))
+		return 0, nil
+	}
+
+	w.WriteHeader(http.StatusOK)
+	fmt.Fprintf(w, r.URL.String())
+
+	return 0, nil
+}

vendor/github.com/mholt/caddy/caddyhttp/internalsrv/setup.go

@@ -0,0 +1,56 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package internalsrv
+
+import (
+	"github.com/mholt/caddy"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+func init() {
+	caddy.RegisterPlugin("internal", caddy.Plugin{
+		ServerType: "http",
+		Action:     setup,
+	})
+}
+
+// Internal configures a new Internal middleware instance.
+func setup(c *caddy.Controller) error {
+	paths, err := internalParse(c)
+	if err != nil {
+		return err
+	}
+
+	httpserver.GetConfig(c).AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
+		return Internal{Next: next, Paths: paths}
+	})
+
+	return nil
+}
+
+func internalParse(c *caddy.Controller) ([]string, error) {
+	var paths []string
+
+	for c.Next() {
+		if c.NextArg() {
+			paths = append(paths, c.Val())
+		}
+		if c.NextArg() {
+			return nil, c.ArgErr()
+		}
+	}
+
+	return paths, nil
+}

vendor/github.com/mholt/caddy/caddyhttp/internalsrv/setup_test.go

@@ -0,0 +1,88 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package internalsrv
+
+import (
+	"testing"
+
+	"github.com/mholt/caddy"
+	"github.com/mholt/caddy/caddyhttp/httpserver"
+)
+
+func TestSetup(t *testing.T) {
+	c := caddy.NewTestController("http", `internal /internal`)
+	err := setup(c)
+	if err != nil {
+		t.Errorf("Expected no errors, got: %v", err)
+	}
+	mids := httpserver.GetConfig(c).Middleware()
+	if len(mids) == 0 {
+		t.Fatal("Expected middleware, got 0 instead")
+	}
+
+	handler := mids[0](httpserver.EmptyNext)
+	myHandler, ok := handler.(Internal)
+
+	if !ok {
+		t.Fatalf("Expected handler to be type Internal, got: %#v", handler)
+	}
+
+	if myHandler.Paths[0] != "/internal" {
+		t.Errorf("Expected internal in the list of internal Paths")
+	}
+
+	if !httpserver.SameNext(myHandler.Next, httpserver.EmptyNext) {
+		t.Error("'Next' field of handler was not set properly")
+	}
+
+}
+
+func TestInternalParse(t *testing.T) {
+	tests := []struct {
+		inputInternalPaths    string
+		shouldErr             bool
+		expectedInternalPaths []string
+	}{
+		{`internal`, false, []string{}},
+
+		{`internal /internal`, false, []string{"/internal"}},
+
+		{`internal /internal1
+		  internal /internal2`, false, []string{"/internal1", "/internal2"}},
+
+		{`internal /internal1 /internal2`, true, nil},
+	}
+	for i, test := range tests {
+		actualInternalPaths, err := internalParse(caddy.NewTestController("http", test.inputInternalPaths))
+
+		if err == nil && test.shouldErr {
+			t.Errorf("Test %d didn't error, but it should have", i)
+		} else if err != nil && !test.shouldErr {
+			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
+		}
+
+		if len(actualInternalPaths) != len(test.expectedInternalPaths) {
+			t.Fatalf("Test %d expected %d InternalPaths, but got %d",
+				i, len(test.expectedInternalPaths), len(actualInternalPaths))
+		}
+		for j, actualInternalPath := range actualInternalPaths {
+			if actualInternalPath != test.expectedInternalPaths[j] {
+				t.Fatalf("Test %d expected %dth Internal Path to be  %s  , but got %s",
+					i, j, test.expectedInternalPaths[j], actualInternalPath)
+			}
+		}
+	}
+
+}