Merge pull request #18 from signalsciences/allow-http-redirects

Allow http redirects

Author: brectanus-sigsci

.gitignore

@@ -26,3 +26,5 @@ _testmain.go
 *.exe
 *.test
 *.prof
+
+scripts/*/goroot/

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Unreleased
 
 * Deprecated the `AltResponseCodes` concept in favor of using all codes 300-599 as "blocking"
+* Added HTTP redirect support
 
 ## 1.7.1 2020-04-06
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.10.6-alpine3.8
+FROM golang:1.14-alpine
 
 COPY goroot/ /go/
 # this is used to lint and build tarball

Dockerfile.git

@@ -1,2 +1,2 @@
-FROM golang:1.10.6-alpine3.8
+FROM golang:1.14-alpine
 RUN apk --update add git

make.sh

@@ -6,23 +6,20 @@ set -ex
 find . -name "goroot" -type d | xargs rm -rf
 mkdir goroot
 
-
-docker build -f Dockerfile.git -t golang-git:1.10.6-alpine3.8 .
-docker run --user $(id -u ${USER}):$(id -g ${USER}) -v ${PWD}/goroot:/go/ --rm golang-git:1.10.6-alpine3.8 /bin/sh -c 'go get github.com/signalsciences/tlstext && go get github.com/tinylib/msgp && go get github.com/alecthomas/gometalinter'
+docker build -f Dockerfile.git -t golang-git:1.14-alpine .
+docker run --user $(id -u ${USER}):$(id -g ${USER}) -v ${PWD}/goroot:/go/ --rm golang-git:1.14-alpine /bin/sh -c 'go get github.com/signalsciences/tlstext && go get github.com/tinylib/msgp && go get github.com/alecthomas/gometalinter'
 ./scripts/build-docker.sh
 
 # run module tests
 ./scripts/test.sh
 
-
 BASE=$PWD
 ## setup our package properties by distro
 PKG_NAME="sigsci-module-golang"
 DEST_BUCKET="package-build-artifacts"
 DEST_KEY="${PKG_NAME}/${GITHUB_RUN_NUMBER}"
 VERSION=$(cat ./VERSION)
 
-
 cd ${BASE}
 echo "DONE"
 
@@ -51,9 +48,3 @@ aws s3api put-object \
   --body "CHANGELOG.md" \
   --key "${DEST_KEY}/CHANGELOG.md" \
   --grant-full-control id="${PROD_ID}"
-
-
-
-
-
-

module.go

@@ -122,14 +122,25 @@ func (m *Module) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	wafresponse := out.WAFResponse
 	switch {
 	case m.config.IsAllowCode(int(wafresponse)):
-		// continue with normal request
+		// Continue with normal request
 		m.handler.ServeHTTP(rw, req)
 	case m.config.IsBlockCode(int(wafresponse)):
 		status := int(wafresponse)
+
+		// Only redirect if it is a redirect status (3xx) AND there is a redirect URL
+		if status >= 300 && status <= 399 {
+			redirect := req.Header.Get("X-Sigsci-Redirect")
+			if len(redirect) > 0 {
+				http.Redirect(rw, req, redirect, status)
+				break
+			}
+		}
+
+		// Block
 		http.Error(rw, fmt.Sprintf("%d %s\n", status, http.StatusText(status)), status)
 	default:
 		log.Printf("ERROR: Received invalid response code from inspector (failing open): %d", wafresponse)
-		// continue with normal request
+		// Continue with normal request
 		m.handler.ServeHTTP(rw, req)
 	}
 
@@ -229,15 +240,25 @@ func (m *Module) inspectorPreRequest(req *http.Request) (inspin2 RPCMsgIn2, out
 		return
 	}
 
-	// set any request headers
 	if out.RequestID != "" {
-		req.Header.Add("X-Sigsci-Requestid", out.RequestID)
+		req.Header.Set("X-Sigsci-Requestid", out.RequestID)
+	} else {
+		req.Header.Del("X-Sigsci-Requestid")
 	}
 
 	wafresponse := out.WAFResponse
-	req.Header.Add("X-Sigsci-Agentresponse", strconv.Itoa(int(wafresponse)))
+	req.Header.Set("X-Sigsci-Agentresponse", strconv.Itoa(int(wafresponse)))
+
+	// Add request headers from the WAF response to the request
+	req.Header.Del("X-Sigsci-Tags")
+	req.Header.Del("X-Sigsci-Redirect")
 	for _, kv := range out.RequestHeaders {
-		req.Header.Add(kv[0], kv[1])
+		// For X-Sigsci-* headers, use Set to override, but for custom headers, use Add to append
+		if strings.HasPrefix(http.CanonicalHeaderKey(kv[0]), "X-Sigsci-") {
+			req.Header.Set(kv[0], kv[1])
+		} else {
+			req.Header.Add(kv[0], kv[1])
+		}
 	}
 
 	inspin2 = RPCMsgIn2{

scripts/test-golang114/Dockerfile

@@ -0,0 +1,7 @@
+FROM golang:1.14-alpine
+
+COPY goroot/ /go/
+
+# we will mount the current directory here
+VOLUME [ "/go/src/github.com/signalsciences/sigsci-module-golang" ]
+WORKDIR /go/src/github.com/signalsciences/sigsci-module-golang

scripts/test-golang114/docker-compose.override.yml

@@ -0,0 +1,15 @@
+version: "3"
+
+services:
+  # this defines our webserver uses our sigsci-module
+  # we only define it so it is attached to our fake network
+  # it will be run a few times with different options manually
+  #
+  # The volumes spec is a bit weird.. this script is run in scripts/test but
+  # needs stuff in ../../examples.  Consider moving.
+  web:
+    volumes:
+      - ../..:/go/src/github.com/signalsciences/sigsci-module-golang
+    command: [ "go", "run", "/go/src/github.com/signalsciences/sigsci-module-golang/examples/mtest/main.go" ]
+    environment:
+      - DEBUG=0

scripts/test-golang114/docker-compose.yml

@@ -0,0 +1,58 @@
+version: "3"
+networks:
+  mtest:
+
+services:
+  # this defines our webserver uses our sigsci-module
+  # we only define it so it is attached to our fake network
+  # it will be run a few times with different options manually
+  #
+  #
+  web:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    expose:
+      - "8085"
+    networks:
+      - mtest
+    depends_on:
+      - agent
+
+  # agent
+  agent:
+    image: 803688608479.dkr.ecr.us-west-2.amazonaws.com/local-dev/sigsci-agent:latest
+    command: [ "-debug-log-web-inputs", "2", "-rpc-address", "9090", "-debug-rpc-test-harness", "-debug-standalone", "3" ]
+    expose:
+      - "9090"
+      - "12345"
+    networks:
+      - mtest
+
+  # punching bag
+  punchingbag:
+    image: 803688608479.dkr.ecr.us-west-2.amazonaws.com/local-dev/module-testing:latest
+    networks:
+      - mtest
+    expose:
+      - "8086"
+    command: [ "/bin/punchingbag", "-addr", ":8086" ]
+
+  # mtest
+  #
+  mtest:
+    image: 803688608479.dkr.ecr.us-west-2.amazonaws.com/local-dev/module-testing:latest
+    networks:
+      - mtest
+    depends_on:
+      - web
+      - agent
+      - punchingbag
+    environment:
+      - DISABLE_HTTP_OPTIONS=1
+      - DISABLE_NOCOOKIE=1
+      - MTEST_BASEURL=web:8085
+      - MTEST_AGENT=agent:12345
+      - "MTEST_RUN_TEST_BLOCK_VIA_REDIRECT=true"
+    command: [ "/bin/wait-for", "web:8085", "--", "/bin/mtest", "-test.v" ]
+

scripts/test-golang114/test.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+set -e
+
+DOCKERCOMPOSE="docker-compose"
+
+# run at end no matter what
+cleanup() {
+  echo "shutting down"
+  # capture log output
+  $DOCKERCOMPOSE logs --no-color agent >& agent.log
+  $DOCKERCOMPOSE logs --no-color web >& web.log
+  $DOCKERCOMPOSE logs --no-color mtest >& mtest.log
+  $DOCKERCOMPOSE logs --no-color punchingbag >& punchingbag.log
+
+  # delete everything
+  $DOCKERCOMPOSE down
+
+  # show output of module testing
+  cat mtest.log
+}
+trap cleanup 0 1 2 3 6
+
+set -x
+
+# attempt to clean up any leftover junk
+$DOCKERCOMPOSE down
+
+$DOCKERCOMPOSE pull --ignore-pull-failures
+
+# start everything, run tests
+#
+# --no-color --> safe for ci
+# --build    --> alway build test server/module container
+# --abort-on-container-exit --> without this, the other servers keep the process running
+# --exit-code-from mtest -->  make exit code be the result of module test
+#
+# > /dev/null  --> output of all servers is mixed together and ugly
+#                  we get the individual logs at end
+#
+if [ -d "goroot" ]; then
+    rm -rf goroot
+fi
+docker run -v ${PWD}/goroot:/go/ --rm golang:1.14-alpine /bin/sh -c 'apk --update add git && go get github.com/signalsciences/tlstext && go get github.com/tinylib/msgp && go get github.com/alecthomas/gometalinter'
+$DOCKERCOMPOSE up --no-color --build  --abort-on-container-exit --exit-code-from mtest > /dev/null
+