zrok/endpoints/publicProxy/http.go

package publicProxy

import (
	"context"
	"fmt"
	"github.com/openziti/sdk-golang/ziti"
	"github.com/openziti/zrok/endpoints"
	"github.com/openziti/zrok/endpoints/publicProxy/healthUi"
	"github.com/openziti/zrok/endpoints/publicProxy/notFoundUi"
	"github.com/openziti/zrok/model"
	"github.com/openziti/zrok/util"
	"github.com/openziti/zrok/zrokdir"
	"github.com/pkg/errors"
	"github.com/sirupsen/logrus"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

type httpFrontend struct {
	cfg     *Config
	zCtx    ziti.Context
	handler http.Handler
}

func NewHTTP(cfg *Config) (*httpFrontend, error) {
	zCfgPath, err := zrokdir.ZitiIdentityFile(cfg.Identity)
	if err != nil {
		return nil, errors.Wrapf(err, "error getting ziti identity '%v' from zrokdir", cfg.Identity)
	}
	zCfg, err := ziti.NewConfigFromFile(zCfgPath)
	if err != nil {
		return nil, errors.Wrap(err, "error loading config")
	}
	zCfg.ConfigTypes = []string{model.ZrokProxyConfig}
	zCtx, err := ziti.NewContext(zCfg)
	if err != nil {
		return nil, errors.Wrap(err, "error loading ziti context")
	}
	zDialCtx := zitiDialContext{ctx: zCtx}
	zTransport := http.DefaultTransport.(*http.Transport).Clone()
	zTransport.DialContext = zDialCtx.Dial

	proxy, err := newServiceProxy(cfg, zCtx)
	if err != nil {
		return nil, err
	}
	proxy.Transport = zTransport

	handler := authHandler(util.NewProxyHandler(proxy), "zrok", cfg, zCtx)
	return &httpFrontend{
		cfg:     cfg,
		zCtx:    zCtx,
		handler: handler,
	}, nil
}

func (self *httpFrontend) Run() error {
	return http.ListenAndServe(self.cfg.Address, self.handler)
}

type zitiDialContext struct {
	ctx ziti.Context
}

func (self *zitiDialContext) Dial(_ context.Context, _ string, addr string) (net.Conn, error) {
	shrToken := strings.Split(addr, ":")[0] // ignore :port (we get passed 'host:port')
	conn, err := self.ctx.Dial(shrToken)
	if err != nil {
		return conn, err
	}
	return conn, nil
}

func newServiceProxy(cfg *Config, ctx ziti.Context) (*httputil.ReverseProxy, error) {
	proxy := hostTargetReverseProxy(cfg, ctx)
	director := proxy.Director
	proxy.Director = func(req *http.Request) {
		director(req)
		req.Header.Set("X-Proxy", "zrok")
	}
	proxy.ModifyResponse = func(resp *http.Response) error {
		return nil
	}
	proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
		logrus.Errorf("error proxying: %v", err)
		notFoundUi.WriteNotFound(w)
	}
	return proxy, nil
}

func hostTargetReverseProxy(cfg *Config, ctx ziti.Context) *httputil.ReverseProxy {
	director := func(req *http.Request) {
		targetShrToken := resolveService(cfg.HostMatch, req.Host)
		if svc, found := endpoints.GetRefreshedService(targetShrToken, ctx); found {
			if cfg, found := svc.Config[model.ZrokProxyConfig]; found {
				logrus.Debugf("auth model: %v", cfg)
			} else {
				logrus.Warn("no config!")
			}
			if target, err := url.Parse(fmt.Sprintf("http://%v", targetShrToken)); err == nil {
				logrus.Infof("[%v] -> %v", targetShrToken, req.URL)

				targetQuery := target.RawQuery
				req.URL.Scheme = target.Scheme
				req.URL.Host = target.Host
				req.URL.Path, req.URL.RawPath = endpoints.JoinURLPath(target, req.URL)
				if targetQuery == "" || req.URL.RawQuery == "" {
					req.URL.RawQuery = targetQuery + req.URL.RawQuery
				} else {
					req.URL.RawQuery = targetQuery + "&" + req.URL.RawQuery
				}
				if _, ok := req.Header["User-Agent"]; !ok {
					// explicitly disable User-Agent so it's not set to default value
					req.Header.Set("User-Agent", "")
				}
			} else {
				logrus.Errorf("error proxying: %v", err)
			}
		}
	}
	return &httputil.ReverseProxy{Director: director}
}

func authHandler(handler http.Handler, realm string, cfg *Config, ctx ziti.Context) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		shrToken := resolveService(cfg.HostMatch, r.Host)
		if shrToken != "" {
			if svc, found := endpoints.GetRefreshedService(shrToken, ctx); found {
				if cfg, found := svc.Config[model.ZrokProxyConfig]; found {
					if scheme, found := cfg["auth_scheme"]; found {
						switch scheme {
						case string(model.None):
							logrus.Debugf("auth scheme none '%v'", shrToken)
							handler.ServeHTTP(w, r)
							return

						case string(model.Basic):
							logrus.Debugf("auth scheme basic '%v", shrToken)
							inUser, inPass, ok := r.BasicAuth()
							if !ok {
								writeUnauthorizedResponse(w, realm)
								return
							}
							authed := false
							if v, found := cfg["basic_auth"]; found {
								if basicAuth, ok := v.(map[string]interface{}); ok {
									if v, found := basicAuth["users"]; found {
										if arr, ok := v.([]interface{}); ok {
											for _, v := range arr {
												if um, ok := v.(map[string]interface{}); ok {
													username := ""
													if v, found := um["username"]; found {
														if un, ok := v.(string); ok {
															username = un
														}
													}
													password := ""
													if v, found := um["password"]; found {
														if pw, ok := v.(string); ok {
															password = pw
														}
													}
													if username == inUser && password == inPass {
														authed = true
														break
													}
												}
											}
										}
									}
								}
							}

							if !authed {
								writeUnauthorizedResponse(w, realm)
								return
							}

							handler.ServeHTTP(w, r)

						default:
							logrus.Infof("invalid auth scheme '%v'", scheme)
							writeUnauthorizedResponse(w, realm)
							return
						}
					} else {
						logrus.Warnf("%v -> no auth scheme for '%v'", r.RemoteAddr, shrToken)
						notFoundUi.WriteNotFound(w)
					}
				} else {
					logrus.Warnf("%v -> no proxy config for '%v'", r.RemoteAddr, shrToken)
					notFoundUi.WriteNotFound(w)
				}
			} else {
				logrus.Warnf("%v -> service '%v' not found", r.RemoteAddr, shrToken)
				notFoundUi.WriteNotFound(w)
			}
		} else {
			logrus.Debugf("host '%v' did not match host match, returning health check", r.Host)
			healthUi.WriteHealthOk(w)
		}
	}
}

func writeUnauthorizedResponse(w http.ResponseWriter, realm string) {
	w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
	w.WriteHeader(401)
	w.Write([]byte("No Authorization\n"))
}

func resolveService(hostMatch string, host string) string {
	logrus.Debugf("host = '%v'", host)
	if hostMatch == "" || strings.Contains(host, hostMatch) {
		tokens := strings.Split(host, ".")
		if len(tokens) > 0 {
			return tokens[0]
		}
	}
	return ""
}
publicProxyFrontend -> publicProxy (#170) 2023-04-18 19:38:32 +02:00			`package publicProxy`
more scaffolding 2022-07-19 22:15:54 +02:00
			`import (`
proxy lint 2022-08-10 21:15:35 +02:00			`"context"`
			`"fmt"`
mvc... minimum viable curl 2022-07-20 20:16:01 +02:00			`"github.com/openziti/sdk-golang/ziti"`
openziti-rest-kitchen -> openziti (#158) 2023-01-13 21:01:34 +01:00			`"github.com/openziti/zrok/endpoints"`
publicProxyFrontend -> publicProxy (#170) 2023-04-18 19:38:32 +02:00			`"github.com/openziti/zrok/endpoints/publicProxy/healthUi"`
			`"github.com/openziti/zrok/endpoints/publicProxy/notFoundUi"`
openziti-rest-kitchen -> openziti (#158) 2023-01-13 21:01:34 +01:00			`"github.com/openziti/zrok/model"`
			`"github.com/openziti/zrok/util"`
			`"github.com/openziti/zrok/zrokdir"`
mvc... minimum viable curl 2022-07-20 20:16:01 +02:00			`"github.com/pkg/errors"`
adjust reverse proxy infrastructure to selectively proxy based on host header (#7) 2022-07-26 19:30:19 +02:00			`"github.com/sirupsen/logrus"`
Format changes 2023-05-25 20:59:39 +02:00			`"net"`
			`"net/http"`
			`"net/http/httputil"`
			`"net/url"`
			`"strings"`
more scaffolding 2022-07-19 22:15:54 +02:00			`)`

frontend framework refactoring (public+private); private_frontend strawman (#109) 2022-11-23 17:58:45 +01:00			`type httpFrontend struct {`
code improvements; http listener (#32) 2022-08-18 22:57:38 +02:00			`cfg *Config`
			`zCtx ziti.Context`
			`handler http.Handler`
			`}`

frontend framework refactoring (public+private); private_frontend strawman (#109) 2022-11-23 17:58:45 +01:00			`func NewHTTP(cfg Config) (httpFrontend, error) {`
better http frontend configuration semantics (#48) 2022-09-06 21:01:38 +02:00			`zCfgPath, err := zrokdir.ZitiIdentityFile(cfg.Identity)`
			`if err != nil {`
			`return nil, errors.Wrapf(err, "error getting ziti identity '%v' from zrokdir", cfg.Identity)`
			`}`
update deps 2023-05-25 17:50:38 +02:00			`zCfg, err := ziti.NewConfigFromFile(zCfgPath)`
mvc... minimum viable curl 2022-07-20 20:16:01 +02:00			`if err != nil {`
code improvements; http listener (#32) 2022-08-18 22:57:38 +02:00			`return nil, errors.Wrap(err, "error loading config")`
mvc... minimum viable curl 2022-07-20 20:16:01 +02:00			`}`
zrok proxy config v1 (#12) 2022-08-15 23:29:31 +02:00			`zCfg.ConfigTypes = []string{model.ZrokProxyConfig}`
update deps 2023-05-25 17:50:38 +02:00			`zCtx, err := ziti.NewContext(zCfg)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "error loading ziti context")`
			`}`
remove legacy v0.3 metrics infrastructure (#128) 2023-03-07 18:57:35 +01:00			`zDialCtx := zitiDialContext{ctx: zCtx}`
more proxy debugging 2022-07-21 21:26:44 +02:00			`zTransport := http.DefaultTransport.(*http.Transport).Clone()`
			`zTransport.DialContext = zDialCtx.Dial`
httputil.ReverseProxy version skeleton 2022-07-21 21:46:14 +02:00
host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00			`proxy, err := newServiceProxy(cfg, zCtx)`
mvp... minimum viable proxy 2022-07-20 20:36:14 +02:00			`if err != nil {`
code improvements; http listener (#32) 2022-08-18 22:57:38 +02:00			`return nil, err`
mvp... minimum viable proxy 2022-07-20 20:36:14 +02:00			`}`
httputil.ReverseProxy version skeleton 2022-07-21 21:46:14 +02:00			`proxy.Transport = zTransport`
adjust reverse proxy infrastructure to selectively proxy based on host header (#7) 2022-07-26 19:30:19 +02:00
health_ui; health check handler (#48) 2022-09-07 18:22:22 +02:00			`handler := authHandler(util.NewProxyHandler(proxy), "zrok", cfg, zCtx)`
frontend framework refactoring (public+private); private_frontend strawman (#109) 2022-11-23 17:58:45 +01:00			`return &httpFrontend{`
code improvements; http listener (#32) 2022-08-18 22:57:38 +02:00			`cfg: cfg,`
			`zCtx: zCtx,`
			`handler: handler,`
			`}, nil`
			`}`
adjust reverse proxy infrastructure to selectively proxy based on host header (#7) 2022-07-26 19:30:19 +02:00
frontend framework refactoring (public+private); private_frontend strawman (#109) 2022-11-23 17:58:45 +01:00			`func (self *httpFrontend) Run() error {`
code improvements; http listener (#32) 2022-08-18 22:57:38 +02:00			`return http.ListenAndServe(self.cfg.Address, self.handler)`
adjust reverse proxy infrastructure to selectively proxy based on host header (#7) 2022-07-26 19:30:19 +02:00			`}`
proxy lint 2022-08-10 21:15:35 +02:00
more http listen improvements (#32) 2022-08-18 23:09:38 +02:00			`type zitiDialContext struct {`
remove legacy v0.3 metrics infrastructure (#128) 2023-03-07 18:57:35 +01:00			`ctx ziti.Context`
proxy lint 2022-08-10 21:15:35 +02:00			`}`

more http listen improvements (#32) 2022-08-18 23:09:38 +02:00			`func (self *zitiDialContext) Dial(_ context.Context, _ string, addr string) (net.Conn, error) {`
service -> share (#144) 2023-01-04 20:42:58 +01:00			`shrToken := strings.Split(addr, ":")[0] // ignore :port (we get passed 'host:port')`
			`conn, err := self.ctx.Dial(shrToken)`
'metricsConn' net.Conn wrapper to capture service metrics in the frontend (#74) 2022-10-10 22:15:40 +02:00			`if err != nil {`
			`return conn, err`
			`}`
remove legacy v0.3 metrics infrastructure (#128) 2023-03-07 18:57:35 +01:00			`return conn, nil`
proxy lint 2022-08-10 21:15:35 +02:00			`}`

host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00			`func newServiceProxy(cfg Config, ctx ziti.Context) (httputil.ReverseProxy, error) {`
			`proxy := hostTargetReverseProxy(cfg, ctx)`
proxy lint 2022-08-10 21:15:35 +02:00			`director := proxy.Director`
			`proxy.Director = func(req *http.Request) {`
			`director(req)`
			`req.Header.Set("X-Proxy", "zrok")`
			`}`
			`proxy.ModifyResponse = func(resp *http.Response) error {`
			`return nil`
			`}`
			`proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {`
			`logrus.Errorf("error proxying: %v", err)`
more camelCase 2022-12-14 20:41:54 +01:00			`notFoundUi.WriteNotFound(w)`
proxy lint 2022-08-10 21:15:35 +02:00			`}`
			`return proxy, nil`
			`}`

host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00			`func hostTargetReverseProxy(cfg Config, ctx ziti.Context) httputil.ReverseProxy {`
proxy lint 2022-08-10 21:15:35 +02:00			`director := func(req *http.Request) {`
service -> share (#144) 2023-01-04 20:42:58 +01:00			`targetShrToken := resolveService(cfg.HostMatch, req.Host)`
			`if svc, found := endpoints.GetRefreshedService(targetShrToken, ctx); found {`
update deps 2023-05-25 17:50:38 +02:00			`if cfg, found := svc.Config[model.ZrokProxyConfig]; found {`
zrok http listen logging improvements (#32) 2022-08-19 20:20:55 +02:00			`logrus.Debugf("auth model: %v", cfg)`
proxy lint 2022-08-10 21:15:35 +02:00			`} else {`
revamping proxy internals (#12) 2022-08-15 23:52:24 +02:00			`logrus.Warn("no config!")`
proxy lint 2022-08-10 21:15:35 +02:00			`}`
service -> share (#144) 2023-01-04 20:42:58 +01:00			`if target, err := url.Parse(fmt.Sprintf("http://%v", targetShrToken)); err == nil {`
			`logrus.Infof("[%v] -> %v", targetShrToken, req.URL)`
zrok http listen logging improvements (#32) 2022-08-19 20:20:55 +02:00
revamping proxy internals (#12) 2022-08-15 23:52:24 +02:00			`targetQuery := target.RawQuery`
			`req.URL.Scheme = target.Scheme`
			`req.URL.Host = target.Host`
frontend framework refactoring (public+private); private_frontend strawman (#109) 2022-11-23 17:58:45 +01:00			`req.URL.Path, req.URL.RawPath = endpoints.JoinURLPath(target, req.URL)`
revamping proxy internals (#12) 2022-08-15 23:52:24 +02:00			`if targetQuery == "" \|\| req.URL.RawQuery == "" {`
			`req.URL.RawQuery = targetQuery + req.URL.RawQuery`
			`} else {`
			`req.URL.RawQuery = targetQuery + "&" + req.URL.RawQuery`
			`}`
			`if _, ok := req.Header["User-Agent"]; !ok {`
			`// explicitly disable User-Agent so it's not set to default value`
			`req.Header.Set("User-Agent", "")`
			`}`
			`} else {`
			`logrus.Errorf("error proxying: %v", err)`
proxy lint 2022-08-10 21:15:35 +02:00			`}`
			`}`
			`}`
			`return &httputil.ReverseProxy{Director: director}`
			`}`

health_ui; health check handler (#48) 2022-09-07 18:22:22 +02:00			`func authHandler(handler http.Handler, realm string, cfg *Config, ctx ziti.Context) http.HandlerFunc {`
very basic basic auth (#12) 2022-08-16 17:27:31 +02:00			`return func(w http.ResponseWriter, r *http.Request) {`
service -> share (#144) 2023-01-04 20:42:58 +01:00			`shrToken := resolveService(cfg.HostMatch, r.Host)`
			`if shrToken != "" {`
			`if svc, found := endpoints.GetRefreshedService(shrToken, ctx); found {`
update deps 2023-05-25 17:50:38 +02:00			`if cfg, found := svc.Config[model.ZrokProxyConfig]; found {`
host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00			`if scheme, found := cfg["auth_scheme"]; found {`
			`switch scheme {`
			`case string(model.None):`
service -> share (#144) 2023-01-04 20:42:58 +01:00			`logrus.Debugf("auth scheme none '%v'", shrToken)`
host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00			`handler.ServeHTTP(w, r)`
switchable auth scheme based on service config (#12) 2022-08-16 17:41:04 +02:00			`return`
host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00
			`case string(model.Basic):`
service -> share (#144) 2023-01-04 20:42:58 +01:00			`logrus.Debugf("auth scheme basic '%v", shrToken)`
host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00			`inUser, inPass, ok := r.BasicAuth()`
			`if !ok {`
			`writeUnauthorizedResponse(w, realm)`
			`return`
			`}`
			`authed := false`
			`if v, found := cfg["basic_auth"]; found {`
			`if basicAuth, ok := v.(map[string]interface{}); ok {`
			`if v, found := basicAuth["users"]; found {`
			`if arr, ok := v.([]interface{}); ok {`
			`for _, v := range arr {`
			`if um, ok := v.(map[string]interface{}); ok {`
			`username := ""`
			`if v, found := um["username"]; found {`
			`if un, ok := v.(string); ok {`
			`username = un`
			`}`
fully roughed in auth models; none, basic (#12) 2022-08-16 19:16:44 +02:00			`}`
host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00			`password := ""`
			`if v, found := um["password"]; found {`
			`if pw, ok := v.(string); ok {`
			`password = pw`
			`}`
			`}`
			`if username == inUser && password == inPass {`
			`authed = true`
			`break`
fully roughed in auth models; none, basic (#12) 2022-08-16 19:16:44 +02:00			`}`
			`}`
			`}`
			`}`
			`}`
			`}`
switchable auth scheme based on service config (#12) 2022-08-16 17:41:04 +02:00			`}`
fully roughed in auth models; none, basic (#12) 2022-08-16 19:16:44 +02:00
host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00			`if !authed {`
			`writeUnauthorizedResponse(w, realm)`
			`return`
			`}`
health_ui; health check handler (#48) 2022-09-07 18:22:22 +02:00
host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00			`handler.ServeHTTP(w, r)`

			`default:`
			`logrus.Infof("invalid auth scheme '%v'", scheme)`
switchable auth scheme based on service config (#12) 2022-08-16 17:41:04 +02:00			`writeUnauthorizedResponse(w, realm)`
			`return`
			`}`
host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00			`} else {`
service -> share (#144) 2023-01-04 20:42:58 +01:00			`logrus.Warnf("%v -> no auth scheme for '%v'", r.RemoteAddr, shrToken)`
more camelCase 2022-12-14 20:41:54 +01:00			`notFoundUi.WriteNotFound(w)`
switchable auth scheme based on service config (#12) 2022-08-16 17:41:04 +02:00			`}`
fully roughed in auth models; none, basic (#12) 2022-08-16 19:16:44 +02:00			`} else {`
service -> share (#144) 2023-01-04 20:42:58 +01:00			`logrus.Warnf("%v -> no proxy config for '%v'", r.RemoteAddr, shrToken)`
more camelCase 2022-12-14 20:41:54 +01:00			`notFoundUi.WriteNotFound(w)`
switchable auth scheme based on service config (#12) 2022-08-16 17:41:04 +02:00			`}`
fully roughed in auth models; none, basic (#12) 2022-08-16 19:16:44 +02:00			`} else {`
service -> share (#144) 2023-01-04 20:42:58 +01:00			`logrus.Warnf("%v -> service '%v' not found", r.RemoteAddr, shrToken)`
more camelCase 2022-12-14 20:41:54 +01:00			`notFoundUi.WriteNotFound(w)`
very basic basic auth (#12) 2022-08-16 17:27:31 +02:00			`}`
fully roughed in auth models; none, basic (#12) 2022-08-16 19:16:44 +02:00			`} else {`
http frontend log spam fix 2022-09-09 16:01:24 +02:00			`logrus.Debugf("host '%v' did not match host match, returning health check", r.Host)`
more camelCase 2022-12-14 20:41:54 +01:00			`healthUi.WriteHealthOk(w)`
very basic basic auth (#12) 2022-08-16 17:27:31 +02:00			`}`
			`}`
			`}`

			`func writeUnauthorizedResponse(w http.ResponseWriter, realm string) {`
			w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
			`w.WriteHeader(401)`
			`w.Write([]byte("No Authorization\n"))`
			`}`
code improvements; http listener (#32) 2022-08-18 22:57:38 +02:00
host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00			`func resolveService(hostMatch string, host string) string {`
code improvements; http listener (#32) 2022-08-18 22:57:38 +02:00			`logrus.Debugf("host = '%v'", host)`
health_ui; health check handler (#48) 2022-09-07 18:22:22 +02:00			`if hostMatch == "" \|\| strings.Contains(host, hostMatch) {`
host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00			`tokens := strings.Split(host, ".")`
			`if len(tokens) > 0 {`
			`return tokens[0]`
			`}`
code improvements; http listener (#32) 2022-08-18 22:57:38 +02:00			`}`
host match control in http frontend (#48) 2022-09-06 21:23:36 +02:00			`return ""`
code improvements; http listener (#32) 2022-08-18 22:57:38 +02:00			`}`