NOISSUE - Add WebSocket support to HTTP Proxy

pkg/http/bypasschecker.go

@@ -0,0 +1,51 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package http
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"regexp"
+)
+
+const errNotByPassed = "route - %s is not in bypass list"
+
+var errByPassDisabled = errors.New("bypass disabled")
+
+type byPassChecker struct {
+	enabled        bool
+	byPassPatterns []*regexp.Regexp
+}
+
+var _ Checker = (*byPassChecker)(nil)
+
+func NewByPassChecker(byPassPatterns []string) (Checker, error) {
+	enabled := len(byPassPatterns) != 0
+	var byp []*regexp.Regexp
+	for _, expr := range byPassPatterns {
+		re, err := regexp.Compile(expr)
+		if err != nil {
+			return nil, err
+		}
+		byp = append(byp, re)
+	}
+
+	return &byPassChecker{
+		enabled:        enabled,
+		byPassPatterns: byp,
+	}, nil
+}
+
+func (bpc *byPassChecker) Check(r *http.Request) error {
+	if !bpc.enabled {
+		return errByPassDisabled
+	}
+	for _, pattern := range bpc.byPassPatterns {
+		if pattern.MatchString(r.URL.Path) {
+			return nil
+		}
+	}
+	return fmt.Errorf(errNotByPassed, r.URL.Path)
+}

pkg/http/http.go

@@ -35,6 +35,10 @@ const (
 	upgradeHeaderVal = "websocket"
 )
 
+type Checker interface {
+	Check(r *http.Request) error
+}
+
 func isWebSocketRequest(r *http.Request) bool {
 	return strings.EqualFold(r.Header.Get(connHeaderKey), connHeaderVal) &&
 		strings.EqualFold(r.Header.Get(upgradeHeaderKey), upgradeHeaderVal)
@@ -45,8 +49,8 @@ func (p Proxy) getUserPass(r *http.Request) (string, string) {
 	switch {
 	case ok:
 		return username, password
-	case len(r.URL.Query()[authzQueryKey]) != 0:
-		password = r.URL.Query()[authzQueryKey][0]
+	case len(r.URL.Query().Get(authzQueryKey)) != 0:
+		password = r.URL.Query().Get(authzQueryKey)
 		return username, password
 	case r.Header.Get(authzHeaderKey) != "":
 		password = r.Header.Get(authzHeaderKey)
@@ -63,7 +67,7 @@ func (p Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	r.URL.Path = strings.TrimPrefix(r.URL.Path, p.config.PathPrefix)
 
-	if err := p.checkers.ShouldBypass(r); err == nil {
+	if err := p.bypass.Check(r); err == nil {
 		p.target.ServeHTTP(w, r)
 		return
 	}
@@ -109,9 +113,10 @@ func (p Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	p.target.ServeHTTP(w, r)
 }
 
-func checkOrigin(oc Checkers) func(r *http.Request) bool {
+func checkOrigin(allowedOrigins []string) func(r *http.Request) bool {
+	oc := NewOriginChecker(allowedOrigins)
 	return func(r *http.Request) bool {
-		return oc.CheckOrigin(r) == nil
+		return oc.Check(r) == nil
 	}
 }
 
@@ -134,7 +139,7 @@ type Proxy struct {
 	session    session.Handler
 	logger     *slog.Logger
 	wsUpgrader websocket.Upgrader
-	checkers   Checkers
+	bypass     Checker
 }
 
 func NewProxy(config mgate.Config, handler session.Handler, logger *slog.Logger, allowedOrigins []string, bypassPaths []string) (Proxy, error) {
@@ -143,19 +148,20 @@ func NewProxy(config mgate.Config, handler session.Handler, logger *slog.Logger,
 		Host:   net.JoinHostPort(config.TargetHost, config.TargetPort),
 	}
 
-	c, err := NewCheckers(allowedOrigins, bypassPaths)
+	bpc, err := NewByPassChecker(bypassPaths)
 	if err != nil {
 		return Proxy{}, err
 	}
-	wsUpgrader := websocket.Upgrader{CheckOrigin: checkOrigin(c)}
+
+	wsUpgrader := websocket.Upgrader{CheckOrigin: checkOrigin(allowedOrigins)}
 
 	return Proxy{
 		config:     config,
 		target:     httputil.NewSingleHostReverseProxy(targetUrl),
 		session:    handler,
 		logger:     logger,
 		wsUpgrader: wsUpgrader,
-		checkers:   c,
+		bypass:     bpc,
 	}, nil
 }
 

pkg/http/originchecker.go

@@ -0,0 +1,43 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package http
+
+import (
+	"fmt"
+	"net/http"
+)
+
+var errNotAllowed = "origin - %s is not allowed"
+
+type originChecker struct {
+	enabled        bool
+	allowedOrigins map[string]struct{}
+}
+
+var _ Checker = (*originChecker)(nil)
+
+func NewOriginChecker(allowedOrigins []string) Checker {
+	enabled := len(allowedOrigins) != 0
+	ao := make(map[string]struct{})
+	for _, allowedOrigin := range allowedOrigins {
+		ao[allowedOrigin] = struct{}{}
+	}
+
+	return &originChecker{
+		enabled:        enabled,
+		allowedOrigins: ao,
+	}
+}
+
+func (oc *originChecker) Check(r *http.Request) error {
+	if !oc.enabled {
+		return nil
+	}
+	origin := r.Header.Get("Origin")
+	_, allowed := oc.allowedOrigins[origin]
+	if allowed {
+		return nil
+	}
+	return fmt.Errorf(errNotAllowed, origin)
+}