feat: Add wildcard auth middleware paths (#24)

* chore: add concurrent route health check requests * feat: Add wildcard auth middleware paths * fix: bind privileged port permission denied on Kubernetes for nonroot user
2024-11-02 11:55:37 +01:00
parent 778a098bdc
commit fe81ac7324
14 changed files with 243 additions and 17 deletions
--- a/pkg/middleware/access-middleware.go
+++ b/pkg/middleware/access-middleware.go
@@ -30,13 +30,13 @@ func (blockList AccessListMiddleware) AccessMiddleware(next http.Handler) http.H
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		for _, block := range blockList.List {
 			if isPathBlocked(r.URL.Path, util.ParseURLPath(blockList.Path+block)) {
-				logger.Debug("%s: %s access forbidden", getRealIP(r), r.URL.Path)
+				logger.Error("%s: %s access forbidden", getRealIP(r), r.URL.Path)
 				w.Header().Set("Content-Type", "application/json")
-				w.WriteHeader(http.StatusNotFound)
+				w.WriteHeader(http.StatusForbidden)
 				err := json.NewEncoder(w).Encode(ProxyResponseError{
 					Success: false,
-					Code:    http.StatusNotFound,
-					Message: fmt.Sprintf("Not found: %s", r.URL.Path),
+					Code:    http.StatusForbidden,
+					Message: fmt.Sprintf("You do not have permission to access this resource"),
 				})
 				if err != nil {
 					return
--- a/pkg/middleware/error-interceptor.go
+++ b/pkg/middleware/error-interceptor.go
@@ -57,11 +57,9 @@ func (intercept InterceptErrors) ErrorInterceptor(next http.Handler) http.Handle
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		rec := newResponseRecorder(w)
 		next.ServeHTTP(rec, r)
-		//Set Server name
-		w.Header().Set("Server", "Goma")
 		if canIntercept(rec.statusCode, intercept.Errors) {
-			logger.Debug("Backend error intercepted")
-			logger.Debug("An error occurred in the backend, %d", rec.statusCode)
+			logger.Error("Backend error")
+			logger.Error("An error occurred in the backend, %d", rec.statusCode)
 			w.Header().Set("Content-Type", "application/json")
 			w.WriteHeader(rec.statusCode)
 			err := json.NewEncoder(w).Encode(ProxyResponseError{
--- a/pkg/middleware/middleware.go
+++ b/pkg/middleware/middleware.go
@@ -104,10 +104,10 @@ func (jwtAuth JwtAuth) AuthMiddleware(next http.Handler) http.Handler {
 			if r.Header.Get(header) == "" {
 				logger.Error("Proxy error, missing %s header", header)
 				w.Header().Set("Content-Type", "application/json")
-				w.WriteHeader(http.StatusForbidden)
+				w.WriteHeader(http.StatusUnauthorized)
 				err := json.NewEncoder(w).Encode(ProxyResponseError{
-					Message: "Missing Authorization header",
-					Code:    http.StatusForbidden,
+					Message: http.StatusText(http.StatusUnauthorized),
+					Code:    http.StatusUnauthorized,
 					Success: false,
 				})
 				if err != nil {
--- a/pkg/middleware/rate-limiter.go
+++ b/pkg/middleware/rate-limiter.go
@@ -66,7 +66,7 @@ func (rl *RateLimiter) RateLimitMiddleware() mux.MiddlewareFunc {
 			rl.mu.Unlock()

 			if client.RequestCount > rl.Requests {
-				logger.Debug("Too many request from IP: %s %s %s", clientID, r.URL, r.UserAgent())
+				logger.Error("Too many request from IP: %s %s %s", clientID, r.URL, r.UserAgent())
 				w.Header().Set("Content-Type", "application/json")
 				w.WriteHeader(http.StatusTooManyRequests)
 				err := json.NewEncoder(w).Encode(ProxyResponseError{
--- a/pkg/proxy.go
+++ b/pkg/proxy.go
@@ -88,6 +88,8 @@ func (proxyRoute ProxyRoute) ProxyHandler() http.HandlerFunc {
 				r.URL.Path = strings.Replace(r.URL.Path, fmt.Sprintf("%s/", proxyRoute.path), proxyRoute.rewrite, 1)
 			}
 		}
+		w.Header().Set("Proxied-By", gatewayName) //Set Server name
+		w.Header().Set("Server", serverName)
 		// Custom error handler for proxy errors
 		proxy.ErrorHandler = ProxyErrorHandler
 		proxy.ServeHTTP(w, r)
--- a/pkg/route.go
+++ b/pkg/route.go
@@ -76,7 +76,7 @@ func (gatewayServer GatewayServer) Initialize() *mux.Router {
 								disableXForward: route.DisableHeaderXForward,
 								cors:            route.Cors,
 							}
-							secureRouter := r.PathPrefix(util.ParseURLPath(route.Path + midPath)).Subrouter()
+							secureRouter := r.PathPrefix(util.ParseRoutePath(route.Path, midPath)).Subrouter()
 							//Check Authentication middleware
 							switch rMiddleware.Type {
 							case BasicAuth:
--- a/pkg/var.go
+++ b/pkg/var.go
@@ -3,6 +3,7 @@ package pkg
 const ConfigFile = "/config/goma.yml"                          // Default configuration file
 const accessControlAllowOrigin = "Access-Control-Allow-Origin" // Cors
 const serverName = "Goma"
+const gatewayName = "Goma Gateway"
 const AccessMiddleware = "access" // access middleware
 const BasicAuth = "basic"         // basic authentication middleware
 const JWTAuth = "jwt"             // JWT authentication middleware