Cadoles/bouncer
Cadoles/bouncer
10
0
Fork 0
Code Issues 1 Pull Requests Projects Releases 5 Wiki Activity

Compare commits

base: Cadoles:master
Branches Tags
Cadoles:master
Cadoles:develop
Cadoles:authn-oidc-redirect-url
Cadoles:feat/dockerfile
Cadoles:k8s
Cadoles:basicauth-tutorial
Cadoles:v2025.4.3-9d10a69
Cadoles:v2025.3.19-8b6e75a
Cadoles:v2025.3.18-692523e
Cadoles:v2025.3.18-59ecfa7
Cadoles:v2025.3.18-cc5cdce
Cadoles:v2025.3.18-1af7248
Cadoles:v2025.3.17-8b132dd
Cadoles:v2025.3.10-6a4a144
Cadoles:v2025.3.7-ac7b7e8
Cadoles:v2025.3.7-076a3d7
Cadoles:v2024.11.14-ce7415a
Cadoles:v2024.11.8-74c2a2c
Cadoles:v2024.11.8-239d457
Cadoles:v2024.11.8-cffe3ec
Cadoles:v2024.10.21-a686c52
Cadoles:v2024.10.11-8983a44
Cadoles:v2024.10.2-69501f6
Cadoles:v2024.9.27-0ff9391
Cadoles:v2024.9.27-590505e
Cadoles:v2024.9.27-867e7c5
Cadoles:v2024.9.26-169578c
Cadoles:v2024.9.26-b0a71fc
Cadoles:v2024.9.25-eea51c6
Cadoles:v2024.9.25-cb9260a
Cadoles:v2024.9.25-0b032fc
Cadoles:v2024.9.23-f374250
Cadoles:v2024.9.23-4801974
Cadoles:v2024.9.23-bf15732
Cadoles:v2024.6.28-f35384c
Cadoles:v2024.6.28-c73fe8c
Cadoles:v2024.6.27-3c1939f
Cadoles:v2024.6.27-3565618
Cadoles:v2024.6.27-d5669a4
Cadoles:v2024.6.27-f3aa8b9
Cadoles:v2024.6.27-2de5e28
Cadoles:v2024.6.27-87e1c65
Cadoles:v2024.6.26-f092520
Cadoles:v2024.6.26-9084b6e
Cadoles:v2024.6.26-059af1b
Cadoles:v2024.6.26-49f2ccb
Cadoles:v2024.6.26-8a751af
Cadoles:v2024.6.25-1146089
Cadoles:v2024.6.25-9d902a7
Cadoles:v2024.6.25-ea68724
Cadoles:v2024.6.24-1009eb1
Cadoles:v2024.6.5-19fda6a
Cadoles:v2024.6.5-65238f1
Cadoles:v2024.6.5-d4da9cb
Cadoles:v2024.5.29-2952f68
Cadoles:v2024.5.29-3e98901
Cadoles:v2024.5.28-d667bb0
Cadoles:v2024.5.28-42dab57
Cadoles:v2024.5.28-132bf1e
Cadoles:v2024.5.22-499bb36
Cadoles:v2024.5.22-920fc1a
Cadoles:v2024.5.22-5720935
Cadoles:v2024.5.21-0d4319f
Cadoles:v2024.5.21-c4dcf57
Cadoles:v2024.5.21-db09533
Cadoles:v2024.5.17-6d0a382
Cadoles:v2024.5.17-28ef57b
Cadoles:v2024.5.17-8b1c649
Cadoles:v2024.5.17-5ed1946
Cadoles:v2024.5.17-7456dba
Cadoles:v2024.5.17-af34ee2
Cadoles:v2024.4.19-bb5796a
Cadoles:v2024.4.5-83fcb9a
Cadoles:v2024.3.29-ad90757
Cadoles:v2024.3.29-3a89497
Cadoles:v2024.3.29-274bef1
Cadoles:v2024.3.28-f548c8c
Cadoles:v2024.3.28-a82fe46
Cadoles:v2024.3.28-3571742
Cadoles:v2024.3.27-1630546
Cadoles:v2024.3.27-d8b78ad
Cadoles:v2024.3.26-61012b0
Cadoles:v2024.3.26-441d3a6
Cadoles:v2024.3.25-734ed64
Cadoles:v2024.2.21-c8fc143
Cadoles:v2024.2.21-f91c14e
Cadoles:v2024.2.5-1602626
Cadoles:v2024.2.5-c23d8e3
Cadoles:v2024.2.5-5453988
Cadoles:v2023.7.8-b44ff2a
Cadoles:v2023.7.7-2b91c1e
Cadoles:v2023.7.7-cebf1da
Cadoles:v2023.7.7-fc983ea
Cadoles:v2023.7.7-6734cf6
Cadoles:v2023.7.6-33a9787
Cadoles:v2023.7.6-553513d
Cadoles:v2023.7.6-64b5182
Cadoles:v2023.7.5-ce2c19f
Cadoles:v2023.7.5-1ffec1f
Cadoles:v2023.7.5-aab5452
Cadoles:v2023.7.5-a176b75
Cadoles:v2023.7.5-7b04eb2
Cadoles:v2023.7.4-5bd7cbc
Cadoles:v2023.7.1-1b06f07
Cadoles:v2023.7.1-b78bcf0
Cadoles:v2023.7.1-82228fd
Cadoles:v2023.7.1-15daddb
Cadoles:v2023.7.1-5a7062d
Cadoles:v2023.6.30-74409f1
Cadoles:v2023.6.30-ab7f64a
Cadoles:v2023.6.30-5bf391b
Cadoles:v2023.6.30-74928fe
Cadoles:v2023.6.30-ff1d018
Cadoles:v2023.6.29-e0d81c0
Cadoles:v2023.6.26-440d467
Cadoles:v2023.6.26-f8d3329
Cadoles:v2023.6.26-6fed635
Cadoles:v2023.6.24-ef869a0
Cadoles:v2023.6.23-8d91f64
Cadoles:v2023.6.23-e32c72e
Cadoles:v2023.6.23-8d21e90
Cadoles:v2023.6.13-2a88494
Cadoles:v2023.5.28-830d4d3
Cadoles:v2023.5.28-7a45a5b
Cadoles:v2023.5.28-8f0501b
Cadoles:v2023.5.21-e66938f
Cadoles:v2023.5.21-b651fec
Cadoles:v2023.5.21-d56a3c6
Cadoles:v2023.5.18-59c0865
Cadoles:v2023.5.18-fe2ee90
Cadoles:v2023.5.16-f9a6a3a
Cadoles:v2023.5.15-b0f3cba
Cadoles:v2023.5.13-3e69a2f
Cadoles:v2023.5.12-af4e8e5
Cadoles:v2023.5.2-ac21629
Cadoles:v2023.5.2-ce8ff3c
..
compare: Cadoles:v2024.6.27-3565618
Branches Tags
Cadoles:develop
Cadoles:master
Cadoles:authn-oidc-redirect-url
Cadoles:feat/dockerfile
Cadoles:k8s
Cadoles:basicauth-tutorial
Cadoles:v2025.4.3-9d10a69
Cadoles:v2025.3.19-8b6e75a
Cadoles:v2025.3.18-692523e
Cadoles:v2025.3.18-59ecfa7
Cadoles:v2025.3.18-cc5cdce
Cadoles:v2025.3.18-1af7248
Cadoles:v2025.3.17-8b132dd
Cadoles:v2025.3.10-6a4a144
Cadoles:v2025.3.7-ac7b7e8
Cadoles:v2025.3.7-076a3d7
Cadoles:v2024.11.14-ce7415a
Cadoles:v2024.11.8-74c2a2c
Cadoles:v2024.11.8-239d457
Cadoles:v2024.11.8-cffe3ec
Cadoles:v2024.10.21-a686c52
Cadoles:v2024.10.11-8983a44
Cadoles:v2024.10.2-69501f6
Cadoles:v2024.9.27-0ff9391
Cadoles:v2024.9.27-590505e
Cadoles:v2024.9.27-867e7c5
Cadoles:v2024.9.26-169578c
Cadoles:v2024.9.26-b0a71fc
Cadoles:v2024.9.25-eea51c6
Cadoles:v2024.9.25-cb9260a
Cadoles:v2024.9.25-0b032fc
Cadoles:v2024.9.23-f374250
Cadoles:v2024.9.23-4801974
Cadoles:v2024.9.23-bf15732
Cadoles:v2024.6.28-f35384c
Cadoles:v2024.6.28-c73fe8c
Cadoles:v2024.6.27-3c1939f
Cadoles:v2024.6.27-3565618
Cadoles:v2024.6.27-d5669a4
Cadoles:v2024.6.27-f3aa8b9
Cadoles:v2024.6.27-2de5e28
Cadoles:v2024.6.27-87e1c65
Cadoles:v2024.6.26-f092520
Cadoles:v2024.6.26-9084b6e
Cadoles:v2024.6.26-059af1b
Cadoles:v2024.6.26-49f2ccb
Cadoles:v2024.6.26-8a751af
Cadoles:v2024.6.25-1146089
Cadoles:v2024.6.25-9d902a7
Cadoles:v2024.6.25-ea68724
Cadoles:v2024.6.24-1009eb1
Cadoles:v2024.6.5-19fda6a
Cadoles:v2024.6.5-65238f1
Cadoles:v2024.6.5-d4da9cb
Cadoles:v2024.5.29-2952f68
Cadoles:v2024.5.29-3e98901
Cadoles:v2024.5.28-d667bb0
Cadoles:v2024.5.28-42dab57
Cadoles:v2024.5.28-132bf1e
Cadoles:v2024.5.22-499bb36
Cadoles:v2024.5.22-920fc1a
Cadoles:v2024.5.22-5720935
Cadoles:v2024.5.21-0d4319f
Cadoles:v2024.5.21-c4dcf57
Cadoles:v2024.5.21-db09533
Cadoles:v2024.5.17-6d0a382
Cadoles:v2024.5.17-28ef57b
Cadoles:v2024.5.17-8b1c649
Cadoles:v2024.5.17-5ed1946
Cadoles:v2024.5.17-7456dba
Cadoles:v2024.5.17-af34ee2
Cadoles:v2024.4.19-bb5796a
Cadoles:v2024.4.5-83fcb9a
Cadoles:v2024.3.29-ad90757
Cadoles:v2024.3.29-3a89497
Cadoles:v2024.3.29-274bef1
Cadoles:v2024.3.28-f548c8c
Cadoles:v2024.3.28-a82fe46
Cadoles:v2024.3.28-3571742
Cadoles:v2024.3.27-1630546
Cadoles:v2024.3.27-d8b78ad
Cadoles:v2024.3.26-61012b0
Cadoles:v2024.3.26-441d3a6
Cadoles:v2024.3.25-734ed64
Cadoles:v2024.2.21-c8fc143
Cadoles:v2024.2.21-f91c14e
Cadoles:v2024.2.5-1602626
Cadoles:v2024.2.5-c23d8e3
Cadoles:v2024.2.5-5453988
Cadoles:v2023.7.8-b44ff2a
Cadoles:v2023.7.7-2b91c1e
Cadoles:v2023.7.7-cebf1da
Cadoles:v2023.7.7-fc983ea
Cadoles:v2023.7.7-6734cf6
Cadoles:v2023.7.6-33a9787
Cadoles:v2023.7.6-553513d
Cadoles:v2023.7.6-64b5182
Cadoles:v2023.7.5-ce2c19f
Cadoles:v2023.7.5-1ffec1f
Cadoles:v2023.7.5-aab5452
Cadoles:v2023.7.5-a176b75
Cadoles:v2023.7.5-7b04eb2
Cadoles:v2023.7.4-5bd7cbc
Cadoles:v2023.7.1-1b06f07
Cadoles:v2023.7.1-b78bcf0
Cadoles:v2023.7.1-82228fd
Cadoles:v2023.7.1-15daddb
Cadoles:v2023.7.1-5a7062d
Cadoles:v2023.6.30-74409f1
Cadoles:v2023.6.30-ab7f64a
Cadoles:v2023.6.30-5bf391b
Cadoles:v2023.6.30-74928fe
Cadoles:v2023.6.30-ff1d018
Cadoles:v2023.6.29-e0d81c0
Cadoles:v2023.6.26-440d467
Cadoles:v2023.6.26-f8d3329
Cadoles:v2023.6.26-6fed635
Cadoles:v2023.6.24-ef869a0
Cadoles:v2023.6.23-8d91f64
Cadoles:v2023.6.23-e32c72e
Cadoles:v2023.6.23-8d21e90
Cadoles:v2023.6.13-2a88494
Cadoles:v2023.5.28-830d4d3
Cadoles:v2023.5.28-7a45a5b
Cadoles:v2023.5.28-8f0501b
Cadoles:v2023.5.21-e66938f
Cadoles:v2023.5.21-b651fec
Cadoles:v2023.5.21-d56a3c6
Cadoles:v2023.5.18-59c0865
Cadoles:v2023.5.18-fe2ee90
Cadoles:v2023.5.16-f9a6a3a
Cadoles:v2023.5.15-b0f3cba
Cadoles:v2023.5.13-3e69a2f
Cadoles:v2023.5.12-af4e8e5
Cadoles:v2023.5.2-ac21629
Cadoles:v2023.5.2-ce8ff3c

No commits in common. "master" and "v2024.6.27-3565618" have entirely different histories.
master ... v2024.6.27

97 changed files with 713 additions and 3264 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -10,4 +10,4 @@
/out
.dockerconfigjson
*.prof
*.test
proxy.test

12
Dockerfile
View File

@ -1,4 +1,4 @@
FROM reg.cadoles.com/proxy_cache/library/golang:1.24.2 AS build
FROM reg.cadoles.com/proxy_cache/library/golang:1.22 AS BUILD
RUN apt-get update \
&& apt-get install -y make
@ -33,7 +33,7 @@ RUN /src/dist/bouncer_linux_amd64_v1/bouncer -c '' config dump > /src/dist/bounc
&& yq -i '.bootstrap.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml \
&& yq -i '.integrations.kubernetes.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml
FROM reg.cadoles.com/proxy_cache/library/alpine:3.21 AS runtime
FROM reg.cadoles.com/proxy_cache/library/alpine:3.20 AS RUNTIME
RUN apk add --no-cache ca-certificates dumb-init
@ -41,10 +41,10 @@ ENTRYPOINT ["/usr/bin/dumb-init", "--"]
RUN mkdir -p /usr/local/bin /usr/share/bouncer/bin /etc/bouncer
COPY --from=build /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
COPY --from=build /src/layers /usr/share/bouncer/layers
COPY --from=build /src/templates /usr/share/bouncer/templates
COPY --from=build /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml
COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
COPY --from=BUILD /src/layers /usr/share/bouncer/layers
COPY --from=BUILD /src/templates /usr/share/bouncer/templates
COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml
RUN ln -s /usr/share/bouncer/bin/bouncer /usr/local/bin/bouncer

9
Makefile
View File

@ -17,8 +17,7 @@ GOTEST_ARGS ?= -short
OPENWRT_DEVICE ?= 192.168.1.1
SIEGE_URLS_FILE ?= misc/siege/urls.txt
SIEGE_CONCURRENCY ?= 200
SIEGE_DURATION ?= 5M
SIEGE_CONCURRENCY ?= 100
data/bootstrap.d/dummy.yml:
mkdir -p data/bootstrap.d
@ -115,7 +114,7 @@ grafterm: tools/grafterm/bin/grafterm
siege:
$(eval TMP := $(shell mktemp))
cat $(SIEGE_URLS_FILE) | envsubst > $(TMP)
siege -R ./misc/siege/siege.conf -i -b -c $(SIEGE_CONCURRENCY) -t $(SIEGE_DURATION) -f $(TMP)
siege -i -b -c $(SIEGE_CONCURRENCY) -f $(TMP)
rm -rf $(TMP)
tools/gitea-release/bin/gitea-release.sh:
@ -132,7 +131,7 @@ tools/grafterm/bin/grafterm:
GOBIN=$(PWD)/tools/grafterm/bin go install github.com/slok/grafterm/cmd/grafterm@v0.2.0
bench:
go test -bench=. -run '^$$' -benchtime=10s ./internal/bench
go test -bench=. -run '^$$' -count=10 ./...
tools/benchstat/bin/benchstat:
mkdir -p tools/benchstat/bin
@ -151,7 +150,7 @@ run-redis:
-v $(PWD)/data/redis:/data \
-p 6379:6379 \
redis:alpine3.17 \
redis-server --save 60 1 --loglevel debug
redis-server --save 60 1 --loglevel warning
redis-shell:
docker exec -it \

1
doc/README.md
View File

@ -24,7 +24,6 @@
- [(FR) - Ajouter une authentification OpenID Connect](./fr/tutorials/add-oidc-authn-layer.md)
- [(FR) - Amorçage d'un serveur Bouncer via la configuration](./fr/tutorials/bootstrapping.md)
- [(FR) - Intégration avec Kubernetes](./fr/tutorials/kubernetes-integration.md)
- [(FR) - Profilage](./fr/tutorials/profiling.md)
### Développement

16
doc/fr/references/layers/authn/README.md
View File

@ -27,8 +27,8 @@ Bouncer utilise le projet [`expr`](https://expr-lang.org/) comme DSL. En plus de
Le comportement des règles par défaut est le suivant:
1. L'ensemble des entêtes HTTP correspondant au patron `Remote-*` sont supprimés ;
2. L'identifiant de l'utilisateur identifié (`vars.user.subject`) est exporté sous la forme de l'entête HTTP `Remote-User` ;
3. L'ensemble des attributs de l'utilisateur identifié (`vars.user.attrs`) sont exportés sous la forme `Remote-User-Attr-<name>``<name>` est le nom de l'attribut en minuscule, avec les `_` transformés en `-`.
2. L'identifiant de l'utilisateur identifié (`user.subject`) est exporté sous la forme de l'entête HTTP `Remote-User` ;
3. L'ensemble des attributs de l'utilisateur identifié (`user.attrs`) sont exportés sous la forme `Remote-User-Attr-<name>``<name>` est le nom de l'attribut en minuscule, avec les `_` transformés en `-`.
### Fonctions
@ -36,25 +36,25 @@ Le comportement des règles par défaut est le suivant:
Interdire l'accès à l'utilisateur.
##### `add_header(ctx, name string, value string)`
##### `add_header(name string, value string)`
Ajouter une valeur à un entête HTTP via son nom `name` et sa valeur `value`.
##### `set_header(ctx, name string, value string)`
##### `set_header(name string, value string)`
Définir la valeur d'un entête HTTP via son nom `name` et sa valeur `value`. La valeur précédente est écrasée.
##### `del_headers(ctx, pattern string)`
##### `del_headers(pattern string)`
Supprimer un ou plusieurs entêtes HTTP dont le nom correspond au patron `pattern`.
Le patron est défini par une chaîne comprenant un ou plusieurs caractères `*`, signifiant un ou plusieurs caractères arbitraires.
##### `set_host(ctx, host string)`
##### `set_host(host string)`
Modifier la valeur de l'entête `Host` de la requête.
##### `set_url(ctx, url string)`
##### `set_url(url string)`
Modifier l'URL du serveur cible.
@ -62,7 +62,7 @@ Modifier l'URL du serveur cible.
Les règles ont accès aux variables suivantes pendant leur exécution.
#### `vars.user`
#### `user`
L'utilisateur identifié par le layer.

6
doc/fr/references/layers/authn/basic.md
View File

@ -14,12 +14,12 @@ Les options disponibles pour le layer sont décrites via un [schéma JSON](https
En plus de ces options spécifiques le layer peut également être configuré via [les options communes aux layers `authn-*`](../../../../../internal/proxy/director/layer/authn/layer-options.json).
## Objet `vars.user` et attributs
## Objet `user` et attributs
L'objet `user` exposé au moteur de règles sera construit de la manière suivante:
- `vars.user.subject` sera initialisé avec le nom d'utilisateur identifié ;
- `vars.user.attrs` sera composé des attributs associés à l'utilisation (voir les options).
- `user.subject` sera initialisé avec le nom d'utilisateur identifié ;
- `user.attrs` sera composé des attributs associés à l'utilisation (voir les options).
## Métriques

8
doc/fr/references/layers/authn/network.md
View File

@ -14,12 +14,12 @@ Les options disponibles pour le layer sont décrites via un [schéma JSON](https
En plus de ces options spécifiques le layer peut également être configuré via [les options communes aux layers `authn-*`](../../../../../internal/proxy/director/layer/authn/layer-options.json).
## Objet `vars.user` et attributs
## Objet `user` et attributs
L'objet `vars.user` exposé au moteur de règles sera construit de la manière suivante:
L'objet `user` exposé au moteur de règles sera construit de la manière suivante:
- `vars.user.subject` sera initialisé avec le couple `<remote_address>:<remote_port>` ;
- `vars.user.attrs` sera vide.
- `user.subject` sera initialisé avec le couple `<remote_address>:<remote_port>` ;
- `user.attrs` sera vide.
## Métriques

18
doc/fr/references/layers/authn/oidc.md
View File

@ -16,18 +16,18 @@ Les options disponibles pour le layer sont décrites via un [schéma JSON](https
En plus de ces options spécifiques le layer peut également être configuré via [les options communes aux layers `authn-*`](../../../../../internal/proxy/director/layer/authn/layer-options.json).
## Objet `vars.user` et attributs
## Objet `user` et attributs
L'objet `vars.user` exposé au moteur de règles sera construit de la manière suivante:
L'objet `user` exposé au moteur de règles sera construit de la manière suivante:
- `vars.user.subject` sera initialisé avec la valeur du [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) `sub` extrait de l'`idToken` récupéré lors de l'authentification ;
- `vars.user.attrs` comportera les propriétés suivantes:
- `user.subject` sera initialisé avec la valeur du [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) `sub` extrait de l'`idToken` récupéré lors de l'authentification ;
- `user.attrs` comportera les propriétés suivantes:
- L'ensemble des `claims` provenant de l'`idToken` seront transposés en `claim_<name>` (ex: `idToken.iss` sera transposé en `vars.user.attrs.claim_iss`) ;
- `vars.user.attrs.access_token`: le jeton d'accès associé à l'authentification ;
- `vars.user.attrs.refresh_token`: le jeton de rafraîchissement associé à l'authentification (si disponible, en fonction des `scopes` demandés par le client) ;
- `vars.user.attrs.token_expiry`: Horodatage Unix (en secondes) associé à la date d'expiration du jeton d'accès ;
- `vars.user.attrs.logout_url`: URL de déconnexion pour la suppression de la session Bouncer.
- L'ensemble des `claims` provenant de l'`idToken` seront transposés en `claim_<name>` (ex: `idToken.iss` sera transposé en `user.attrs.claim_iss`) ;
- `user.attrs.access_token`: le jeton d'accès associé à l'authentification ;
- `user.attrs.refresh_token`: le jeton de rafraîchissement associé à l'authentification (si disponible, en fonction des `scopes` demandés par le client) ;
- `user.attrs.token_expiry`: Horodatage Unix (en secondes) associé à la date d'expiration du jeton d'accès ;
- `user.attrs.logout_url`: URL de déconnexion pour la suppression de la session Bouncer.
**Attention** Cette URL ne permet dans la plupart des cas que de supprimer la session côté Bouncer. La suppression de la session côté fournisseur d'identité est conditionné à la présence ou non de l'attribut [`end_session_endpoint`](https://openid.net/specs/openid-connect-session-1_0-17.html#OPMetadata) dans les données du point d'entrée de découverte de service (`.wellknown/openid-configuration`).

112
doc/fr/references/layers/rewriter.md
View File

@ -24,63 +24,30 @@ Bouncer utilise le projet [`expr`](https://expr-lang.org/) comme DSL. En plus de
#### Communes
##### `add_header(ctx, name string, value string)`
##### `add_header(name string, value string)`
Ajouter une valeur à un entête HTTP via son nom `name` et sa valeur `value`.
##### `set_header(ctx, name string, value string)`
##### `set_header(name string, value string)`
Définir la valeur d'un entête HTTP via son nom `name` et sa valeur `value`. La valeur précédente est écrasée.
##### `del_headers(ctx, pattern string)`
##### `del_headers(pattern string)`
Supprimer un ou plusieurs entêtes HTTP dont le nom correspond au patron `pattern`.
Le patron est défini par une chaîne comprenant un ou plusieurs caractères `*`, signifiant un ou plusieurs caractères arbitraires.
##### `get_cookie(ctx, name string) Cookie`
Récupère un cookie depuis la requête/réponse (en fonction du contexte d'utilisation).
Retourne `nil` si le cookie n'existe pas.
**Cookie**
```js
// Plus d'informations sur https://pkg.go.dev/net/http#Cookie
{
name: "string", // Nom du cookie
value: "string", // Valeur associée au cookie
path: "string", // Chemin associé au cookie (présent uniquement dans un contexte de réponse)
domain: "string", // Domaine associé au cookie (présent uniquement dans un contexte de réponse)
expires: "string", // Date d'expiration du cookie (présent uniquement dans un contexte de réponse)
max_age: "string", // Age maximum du cookie (présent uniquement dans un contexte de réponse)
secure: "boolean", // Le cookie doit-il être présent uniquement en HTTPS ? (présent uniquement dans un contexte de réponse)
http_only: "boolean", // Le cookie est il accessible en Javascript ? (présent uniquement dans un contexte de réponse)
same_site: "int" // Voir https://pkg.go.dev/net/http#SameSite (présent uniquement dans un contexte de réponse)
}
```
##### `add_cookie(ctx, cookie Cookie)`
Définit un cookie sur la requête/réponse (en fonction du contexte d'utilisation).
Voir la méthode `get_cookie()` pour voir les attributs potentiels.
#### Requête
##### `set_host(ctx, host string)`
##### `set_host(host string)`
Modifier la valeur de l'entête `Host` de la requête.
##### `set_url(ctx, url string)`
##### `set_url(url string)`
Modifier l'URL du serveur cible.
##### `redirect(ctx, statusCode int, url string)`
Interrompt la requête et retourne une redirection HTTP au client.
Le code HTTP utilisé doit être supérieur ou égale à `300` et inférieur à `400` (non inclus).
#### Réponse
_Pas de fonctions spécifiques._
@ -91,28 +58,7 @@ Les règles ont accès aux variables suivantes pendant leur exécution. **Ces do
#### Requête
##### `vars.original_url`
L'URL originale, avant réécriture du `Host` par Bouncer.
```js
{
scheme: "string", // Schéma HTTP de l'URL
opaque: "string", // Données opaque de l'URL
user: { // Identifiants d'URL (Basic Auth)
username: "",
password: ""
},
host: "string", // Nom d'hôte (<domaine>:<port>) de l'URL
path: "string", // Chemin de l'URL (format assaini)
raw_path: "string", // Chemin de l'URL (format brut)
raw_query: "string", // Variables d'URL (format brut)
fragment : "string", // Fragment d'URL (format assaini)
raw_fragment : "string" // Fragment d'URL (format brut)
}
```
##### `vars.request`
##### `request`
La requête en cours de traitement.
@ -120,66 +66,48 @@ La requête en cours de traitement.
{
method: "string", // Méthode HTTP
host: "string", // Nom d'hôte (`Host`) associé à la requête
url: { // URL associée à la requête sous sa forme structurée
scheme: "string", // Schéma HTTP de l'URL
opaque: "string", // Données opaque de l'URL
user: { // Identifiants d'URL (Basic Auth)
username: "",
password: ""
},
host: "string", // Nom d'hôte (<domaine>:<port>) de l'URL
path: "string", // Chemin de l'URL (format assaini)
raw_path: "string", // Chemin de l'URL (format brut)
raw_query: "string", // Variables d'URL (format brut)
fragment : "string", // Fragment d'URL (format assaini)
raw_fragment : "string" // Fragment d'URL (format brut)
},
raw_url: "string", // URL associée à la requête (format assaini)
url: "string", // URL associée à la requête
proto: "string", // Numéro de version du protocole utilisé
proto_major: "int", // Numéro de version majeure du protocole utilisé
proto_minor: "int", // Numéro de version mineur du protocole utilisé
protoMajor: "int", // Numéro de version majeure du protocole utilisé
protoMinor: "int", // Numéro de version mineur du protocole utilisé
header: { // Table associative des entêtes HTTP associés à la requête
"string": ["string"]
},
content_length: "int", // Taille du corps de la requête
transfer_encoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
contentLength: "int", // Taille du corps de la requête
transferEncoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
trailer: { // Table associative des entêtes HTTP associés à la requête, transmises après le corps de la requête
"string": ["string"]
},
remote_addr: "string", // Adresse du client HTTP à l'origine de la requête
request_uri: "string" // URL "brute" associée à la requêtes (avant opérations d'assainissement, utiliser "url" plutôt)
remoteAddr: "string", // Adresse du client HTTP à l'origine de la requête
requestUri: "string" // URL "brute" associée à la requêtes (avant opérations d'assainissement, utiliser "url" plutôt)
}
```
#### Réponse
##### `vars.response`
##### `response`
La réponse en cours de traitement.
```js
{
status_code: "int", // Code de statut de la réponse
statusCode: "int", // Code de statut de la réponse
status: "string", // Message associé au code de statut
proto: "string", // Numéro de version du protocole utilisé
proto_major: "int", // Numéro de version majeure du protocole utilisé
proto_minor: "int", // Numéro de version mineur du protocole utilisé
protoMajor: "int", // Numéro de version majeure du protocole utilisé
protoMinor: "int", // Numéro de version mineur du protocole utilisé
header: { // Table associative des entêtes HTTP associés à la requête
"string": ["string"]
},
content_length: "int", // Taille du corps de la réponse
transfer_encoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
contentLength: "int", // Taille du corps de la réponse
transferEncoding: ["string"], // MIME-Type(s) d'encodage du corps de la requête
trailer: { // Table associative des entêtes HTTP associés à la requête, transmises après le corps de la requête
"string": ["string"]
},
}
```
##### `vars.request`
_Voir section précédente._
##### `vars.original_url`
##### `request`
_Voir section précédente._

63
doc/fr/tutorials/profiling.md
View File

@ -1,68 +1,31 @@
# Étudier les performances de Bouncer
## In situ
Il est possible d'activer via la configuration de Bouncer de endpoints capable de générer des fichiers de profil au format [`pprof`](https://github.com/google/pprof). Par défaut, le point d'entrée est `.bouncer/profiling` (l'activation et la personnalisation de ce point d'entrée sont modifiables via la [configuration](../../../misc/packaging/common/config.yml)).
**Exemple:** Visualiser l'utilisation mémoire de Bouncer
```bash
go tool pprof -web http://<bouncer_proxy>/.bouncer/profiling/heap
```
L'ensemble des profils disponibles sont visibles à l'adresse `http://<bouncer_proxy>/.bouncer/profiling`.
## En développement
Le package `./internal` est dédié à l'étude des performances de Bouncer. Il contient une suite de benchmarks simulant de proxies avec différentes configurations de layers afin d'évaluer les points d'engorgement sur le traitement des requêtes.
Voir le répertoire `./internal/bench/testdata/proxies` pour voir les différentes configurations de cas.
### Lancer les benchmarks
Le plus simple est d'utiliser la commande `make bench` qui exécutera séquentiellement tous les benchmarks. Il est également possible de lancer un benchmark spécifique via la commande suivante:
```bash
go test -bench="BenchmarkProxies/$BENCH_CASE" -run='^$' ./internal/bench
```
Par exemple:
```bash
# Pour exécuter ./internal/bench/testdata/proxies/basic-auth.yml
go test -bench='BenchmarkProxies/basic-auth' -run='^$' ./internal/bench
```
### Visualiser les profils d'exécution
Vous pouvez visualiser les profils d'exécution via la commande suivante:
1. Lancer un benchmark du proxy
```shell
go tool pprof -web path/to/file.prof
go test -bench=. -run '^$' -count=5 -cpuprofile bench_proxy.prof ./internal/proxy
```
Par défaut l'exécution des benchmarks créera automatiquement des fichiers de profil dans le répertoire `./internal/bench/testdata/proxies`.
Par exemple:
2. Visualiser les temps d'exécution
```shell
go tool pprof -web ./internal/bench/testdata/proxies/basic-auth.prof
go tool pprof -web bench_proxy.prof
```
### Comparer les évolutions
3. Comparer les performances d'une exécution à l'autre
```bash
```shell
# Lancer un premier benchmark
go test -bench="BenchmarkProxies/$BENCH_CASE" -run='^$' ./internal/bench
# Faire une sauvegarde du fichier de profil
cp ./internal/bench/testdata/proxies/$BENCH_CASE.prof ./internal/bench/testdata/proxies/$BENCH_CASE-prev.prof
go test -bench=. -run '^$' -count=10 ./internal/proxy > bench_before.txt
# Faire des modifications sur les sources
# Lancer un second benchmark
go test -bench="BenchmarkProxies/$BENCH_CASE" -run='^$' ./internal/bench
go test -bench=. -run '^$' -count=10 ./internal/proxy > bench_after.txt
# Visualiser la différence entre les deux profils
go tool pprof -web -base=./internal/bench/testdata/proxies/$BENCH_CASE-prev.prof ./internal/bench/testdata/proxies/$BENCH_CASE.prof
# Installer l'outil benchstat
make tools/benchstat/bin/benchstat
# Comparer les rapports
tools/benchstat/bin/benchstat bench_before.txt bench_after.txt
```

4
go.mod
View File

@ -1,8 +1,8 @@
module forge.cadoles.com/cadoles/bouncer
go 1.23
go 1.22
toolchain go1.23.0
toolchain go1.22.0
require (
forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926

2
internal/admin/authz.go
View File

@ -70,7 +70,7 @@ func assertRequestUser(w http.ResponseWriter, r *http.Request) (auth.User, bool)
ctx := r.Context()
user, err := auth.CtxUser(ctx)
if err != nil {
logger.Error(ctx, "could not retrieve user", logger.CapturedE(errors.WithStack(err)))
logger.Error(ctx, "could not retrieve user", logger.E(errors.WithStack(err)))
forbidden(w, r)

6
internal/admin/error.go
View File

@ -6,6 +6,7 @@ import (
"net/http"
"forge.cadoles.com/cadoles/bouncer/internal/schema"
"github.com/getsentry/sentry-go"
"gitlab.com/wpetit/goweb/api"
"gitlab.com/wpetit/goweb/logger"
)
@ -28,8 +29,11 @@ func invalidDataErrorResponse(w http.ResponseWriter, r *http.Request, err *schem
}{
Message: message,
})
return
}
func logAndCaptureError(ctx context.Context, message string, err error) {
logger.Error(ctx, message, logger.CapturedE(err))
sentry.CaptureException(err)
logger.Error(ctx, message, logger.E(err))
}

2
internal/admin/init.go
View File

@ -27,7 +27,7 @@ func (s *Server) initRepositories(ctx context.Context) error {
}
func (s *Server) initRedisClient(ctx context.Context) error {
client := setup.NewSharedClient(s.redisConfig)
client := setup.NewRedisClient(ctx, s.redisConfig)
s.redisClient = client

33
internal/admin/server.go
View File

@ -2,12 +2,10 @@ package admin
import (
"context"
"expvar"
"fmt"
"log"
"net"
"net/http"
"net/http/pprof"
"forge.cadoles.com/cadoles/bouncer/internal/auth"
"forge.cadoles.com/cadoles/bouncer/internal/auth/jwt"
@ -116,9 +114,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
router.Use(middleware.RealIP)
}
router.Use(middleware.RequestID)
router.Use(middleware.RequestLogger(bouncerChi.NewLogFormatter()))
router.Use(middleware.Recoverer)
if s.serverConfig.Sentry.DSN != "" {
logger.Info(ctx, "enabling sentry http middleware")
@ -159,35 +155,6 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
})
}
if s.serverConfig.Profiling.Enabled {
profiling := s.serverConfig.Profiling
logger.Info(ctx, "enabling profiling", logger.F("endpoint", profiling.Endpoint))
router.Group(func(r chi.Router) {
if profiling.BasicAuth != nil {
logger.Info(ctx, "enabling authentication on profiling endpoint")
r.Use(middleware.BasicAuth(
"profiling",
profiling.BasicAuth.CredentialsMap(),
))
}
r.Route(string(profiling.Endpoint), func(r chi.Router) {
r.HandleFunc("/", pprof.Index)
r.HandleFunc("/cmdline", pprof.Cmdline)
r.HandleFunc("/profile", pprof.Profile)
r.HandleFunc("/symbol", pprof.Symbol)
r.HandleFunc("/trace", pprof.Trace)
r.Handle("/vars", expvar.Handler())
r.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {
name := chi.URLParam(r, "name")
pprof.Handler(name).ServeHTTP(w, r)
})
})
})
}
router.Route("/api/v1", func(r chi.Router) {
r.Group(func(r chi.Router) {
r.Use(auth.Middleware(

2
internal/auth/middleware.go
View File

@ -52,7 +52,7 @@ func Middleware(authenticators ...Authenticator) func(http.Handler) http.Handler
for _, auth := range authenticators {
user, err = auth.Authenticate(ctx, r)
if err != nil {
logger.Debug(ctx, "could not authenticate request", logger.CapturedE(errors.WithStack(err)))
logger.Debug(ctx, "could not authenticate request", logger.E(errors.WithStack(err)))
continue
}

318
internal/bench/proxy_test.go
View File

@ -1,318 +0,0 @@
package proxy_test
import (
"context"
"io"
"net/http"
"net/http/httptest"
"net/http/httputil"
"net/url"
"os"
"path/filepath"
"runtime/pprof"
"strings"
"testing"
"time"
"forge.cadoles.com/Cadoles/go-proxy"
"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
"forge.cadoles.com/cadoles/bouncer/internal/config"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
"forge.cadoles.com/cadoles/bouncer/internal/store"
redisStore "forge.cadoles.com/cadoles/bouncer/internal/store/redis"
"github.com/pkg/errors"
"github.com/redis/go-redis/v9"
"gitlab.com/wpetit/goweb/logger"
"gopkg.in/yaml.v3"
"forge.cadoles.com/cadoles/bouncer/internal/setup"
)
func BenchmarkProxies(b *testing.B) {
proxyFiles, err := filepath.Glob("testdata/proxies/*.yml")
if err != nil {
b.Fatalf("%+v", errors.WithStack(err))
}
for _, f := range proxyFiles {
name := strings.TrimSuffix(filepath.Base(f), filepath.Ext(f))
b.Run(name, func(b *testing.B) {
heap, err := os.Create(filepath.Join("testdata", "proxies", name+"_heap.prof"))
if err != nil {
b.Fatalf("%+v", errors.Wrapf(err, "could not create heap profile"))
}
defer func() {
defer heap.Close()
if err := pprof.WriteHeapProfile(heap); err != nil {
b.Fatalf("%+v", errors.WithStack(err))
}
}()
conf, err := loadProxyBenchConfig(f)
if err != nil {
b.Fatalf("%+v", errors.Wrapf(err, "could notre load bench config"))
}
proxy, backend, err := createProxy(name, conf, b.Logf)
if err != nil {
b.Fatalf("%+v", errors.Wrapf(err, "could not create proxy"))
}
defer proxy.Close()
if backend != nil {
defer backend.Close()
}
client := proxy.Client()
proxyURL, err := url.Parse(proxy.URL)
if err != nil {
b.Fatalf("%+v", errors.Wrapf(err, "could not parse proxy url"))
}
if conf.Fetch.URL.Path != "" {
proxyURL.Path = conf.Fetch.URL.Path
}
if conf.Fetch.URL.RawQuery != "" {
proxyURL.RawQuery = conf.Fetch.URL.RawQuery
}
if conf.Fetch.URL.User.Username != "" || conf.Fetch.URL.User.Password != "" {
proxyURL.User = url.UserPassword(conf.Fetch.URL.User.Username, conf.Fetch.URL.User.Password)
}
rawProxyURL := proxyURL.String()
b.Logf("fetching url '%s'", rawProxyURL)
profile, err := os.Create(filepath.Join("testdata", "proxies", name+"_cpu.prof"))
if err != nil {
b.Fatalf("%+v", errors.Wrapf(err, "could not create cpu profile"))
}
defer profile.Close()
if err := pprof.StartCPUProfile(profile); err != nil {
b.Fatalf("%+v", errors.WithStack(err))
}
defer pprof.StopCPUProfile()
b.ResetTimer()
for i := 0; i < b.N; i++ {
res, err := client.Get(rawProxyURL)
if err != nil {
b.Errorf("could not fetch proxy url: %+v", errors.WithStack(err))
}
body, err := io.ReadAll(res.Body)
if err != nil {
b.Errorf("could not read response body: %+v", errors.WithStack(err))
}
b.Logf("%s \n %v", res.Status, string(body))
if err := res.Body.Close(); err != nil {
b.Errorf("could not close response body: %+v", errors.WithStack(err))
}
}
})
}
}
type proxyBenchConfig struct {
Proxy config.BootstrapProxyConfig `yaml:"proxy"`
Fetch fetchBenchConfig `yaml:"fetch"`
}
type fetchBenchConfig struct {
URL fetchURLBenchConfig `yaml:"url"`
}
type fetchURLBenchConfig struct {
Path string `yaml:"path"`
RawQuery string `yaml:"rawQuery"`
User fetchURLUserBenchConfig `yaml:"user"`
}
type fetchURLUserBenchConfig struct {
Username string `yaml:"username"`
Password string `yaml:"password"`
}
func loadProxyBenchConfig(filename string) (*proxyBenchConfig, error) {
data, err := os.ReadFile(filename)
if err != nil {
return nil, errors.Wrapf(err, "could not read file '%s'", filename)
}
conf := proxyBenchConfig{}
if err := yaml.Unmarshal(data, &conf); err != nil {
return nil, errors.Wrapf(err, "could not unmarshal config")
}
return &conf, nil
}
func createProxy(name string, conf *proxyBenchConfig, logf func(format string, a ...any)) (*httptest.Server, *httptest.Server, error) {
redisEndpoint := os.Getenv("BOUNCER_BENCH_REDIS_ADDR")
if redisEndpoint == "" {
redisEndpoint = "127.0.0.1:6379"
}
client := redis.NewUniversalClient(&redis.UniversalOptions{
Addrs: []string{redisEndpoint},
})
proxyRepository := redisStore.NewProxyRepository(client, redisStore.DefaultTxMaxAttempts, redisStore.DefaultTxBaseDelay)
layerRepository := redisStore.NewLayerRepository(client, redisStore.DefaultTxMaxAttempts, redisStore.DefaultTxBaseDelay)
var backend *httptest.Server
if conf.Proxy.To == "" {
backend = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
if _, err := w.Write([]byte("Hello, world.")); err != nil {
logf("[ERROR] %+v", errors.WithStack(err))
}
}))
if err := waitFor(backend.URL, 5*time.Second); err != nil {
return nil, nil, errors.WithStack(err)
}
logf("started backend '%s'", backend.URL)
}
ctx := context.Background()
proxyName := store.ProxyName("bench-" + name)
proxies, err := proxyRepository.QueryProxy(ctx)
if err != nil {
return nil, nil, errors.WithStack(err)
}
// Cleanup existing proxies
for _, p := range proxies {
if err := proxyRepository.DeleteProxy(ctx, p.Name); err != nil {
return nil, nil, errors.WithStack(err)
}
}
logf("creating proxy '%s'", proxyName)
to := string(conf.Proxy.To)
if to == "" {
to = backend.URL
}
if _, err := proxyRepository.CreateProxy(ctx, proxyName, to, conf.Proxy.From...); err != nil {
return nil, nil, errors.WithStack(err)
}
if _, err := proxyRepository.UpdateProxy(ctx, proxyName, store.WithProxyUpdateEnabled(true)); err != nil {
return nil, nil, errors.WithStack(err)
}
for layerName, layerConf := range conf.Proxy.Layers {
if err := layerRepository.DeleteLayer(ctx, proxyName, store.LayerName(layerName)); err != nil {
return nil, nil, errors.WithStack(err)
}
_, err := layerRepository.CreateLayer(ctx, proxyName, store.LayerName(layerName), store.LayerType(layerConf.Type), layerConf.Options.Data)
if err != nil {
return nil, nil, errors.WithStack(err)
}
_, err = layerRepository.UpdateLayer(ctx, proxyName, store.LayerName(layerName), store.WithLayerUpdateEnabled(bool(layerConf.Enabled)))
if err != nil {
return nil, nil, errors.WithStack(err)
}
}
appConf := config.NewDefault()
appConf.Logger.Level = config.InterpolatedInt(logger.LevelError)
appConf.Layers.Authn.TemplateDir = "../../layers/authn/templates"
appConf.Layers.Queue.TemplateDir = "../../layers/queue/templates"
layers, err := setup.GetLayers(context.Background(), appConf)
if err != nil {
return nil, nil, errors.WithStack(err)
}
director := director.New(
proxyRepository, layerRepository,
director.WithLayerCache(
ttl.NewCache(
memory.NewCache[string, []*store.Layer](),
memory.NewCache[string, time.Time](),
30*time.Second,
),
),
director.WithProxyCache(
ttl.NewCache(
memory.NewCache[string, []*store.Proxy](),
memory.NewCache[string, time.Time](),
30*time.Second,
),
),
director.WithLayers(layers...),
)
directorMiddleware := director.Middleware()
handler := proxy.New(
proxy.WithRequestTransformers(
director.RequestTransformer(),
),
proxy.WithResponseTransformers(
director.ResponseTransformer(),
),
proxy.WithReverseProxyFactory(func(ctx context.Context, target *url.URL) *httputil.ReverseProxy {
reverse := httputil.NewSingleHostReverseProxy(target)
reverse.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
logf("[ERROR] %s", errors.WithStack(err))
}
return reverse
}),
)
server := httptest.NewServer(directorMiddleware(handler))
return server, backend, nil
}
func waitFor(url string, ttl time.Duration) error {
var lastErr error
timeout := time.After(ttl)
for {
select {
case <-timeout:
if lastErr != nil {
return lastErr
}
return errors.New("wait timed out")
default:
res, err := http.Get(url)
if err != nil {
lastErr = errors.WithStack(err)
continue
}
if res.StatusCode >= 200 && res.StatusCode < 400 {
return nil
}
}
}
}

20
internal/bench/testdata/proxies/basic-auth.yml vendored
View File

@ -1,20 +0,0 @@
proxy:
from: ["*"]
to: ""
layers:
basic-auth:
type: authn-basic
enabled: true
options:
users:
- username: foo
passwordHash: "$2y$10$ShTc856wMB8PCxyr46qJRO8z06MpV4UejAVRDJ/bixhu0XTGn7Giy"
attributes:
email: foo@bar.com
rules:
- set_header(ctx, "Remote-User-Attr-Email", vars.user.attrs.email)
fetch:
url:
user:
username: foo
password: bar

3
internal/bench/testdata/proxies/noop.yml vendored
View File

@ -1,3 +0,0 @@
proxy:
from: ["*"]
to: ""

10
internal/bench/testdata/proxies/queue.yml vendored
View File

@ -1,10 +0,0 @@
proxy:
from: ["*"]
to: ""
layers:
queue:
type: queue
enabled: true
options:
capacity: 100
keepAlive: 10s

12
internal/bench/testdata/proxies/rewriter.yml vendored
View File

@ -1,12 +0,0 @@
proxy:
from: ["*"]
to: ""
layers:
host-rewriter:
type: rewriter
enabled: true
options:
rules:
request:
- set_host(ctx, vars.request.url.host)
- set_header(ctx, "X-Proxied-With", "bouncer")

1
internal/cache/cache.go vendored
View File

@ -3,5 +3,4 @@ package cache
type Cache[K comparable, V any] interface {
Get(key K) (V, bool)
Set(key K, value V)
Clear()
}

4
internal/cache/memory/cache.go vendored
View File

@ -25,10 +25,6 @@ func (c *Cache[K, V]) Set(key K, value V) {
c.store.Store(key, value)
}
func (c *Cache[K, V]) Clear() {
c.store.Clear()
}
func NewCache[K comparable, V any]() *Cache[K, V] {
return &Cache[K, V]{
store: new(sync.Map),

5
internal/cache/ttl/cache.go vendored
View File

@ -28,11 +28,6 @@ func (c *Cache[K, V]) Set(key K, value V) {
c.values.Set(key, value)
}
func (c *Cache[K, V]) Clear() {
c.timestamps.Clear()
c.values.Clear()
}
func NewCache[K comparable, V any](values cache.Cache[K, V], timestamps cache.Cache[K, time.Time], ttl time.Duration) *Cache[K, V] {
return &Cache[K, V]{
values: values,

12
internal/chi/log_formatter.go
View File

@ -2,6 +2,7 @@ package chi
import (
"context"
"fmt"
"net/http"
"time"
@ -36,19 +37,12 @@ type LogEntry struct {
// Panic implements middleware.LogEntry
func (e *LogEntry) Panic(v interface{}, stack []byte) {
logger.Error(
e.ctx, "http panic",
logger.F("stack", string(stack)),
logger.F("host", e.host),
logger.F("method", e.method),
logger.F("path", e.path),
)
logger.Error(e.ctx, fmt.Sprintf("%s %s", e.method, e.path), logger.F("stack", string(stack)))
}
// Write implements middleware.LogEntry
func (e *LogEntry) Write(status int, bytes int, header http.Header, elapsed time.Duration, extra interface{}) {
logger.Info(
e.ctx, "http request",
logger.Info(e.ctx, fmt.Sprintf("%s %s - %d", e.method, e.path, status),
logger.F("host", e.host),
logger.F("status", status),
logger.F("bytes", bytes),

2
internal/command/admin/layer/util.go
View File

@ -13,7 +13,6 @@ func layerHeaderHints(outputMode format.OutputMode) format.Hints {
format.NewProp("Type", "Type"),
format.NewProp("Enabled", "Enabled"),
format.NewProp("Weight", "Weight"),
format.NewProp("Revision", "Revision"),
},
}
}
@ -26,7 +25,6 @@ func layerHints(outputMode format.OutputMode) format.Hints {
format.NewProp("Type", "Type"),
format.NewProp("Enabled", "Enabled"),
format.NewProp("Weight", "Weight"),
format.NewProp("Revision", "Revision"),
format.NewProp("Options", "Options"),
format.NewProp("CreatedAt", "CreatedAt", table.WithCompactModeMaxColumnWidth(20)),
format.NewProp("UpdatedAt", "UpdatedAt", table.WithCompactModeMaxColumnWidth(20)),

2
internal/command/admin/proxy/util.go
View File

@ -12,7 +12,6 @@ func proxyHeaderHints(outputMode format.OutputMode) format.Hints {
format.NewProp("Name", "Name"),
format.NewProp("Enabled", "Enabled"),
format.NewProp("Weight", "Weight"),
format.NewProp("Revision", "Revision"),
},
}
}
@ -26,7 +25,6 @@ func proxyHints(outputMode format.OutputMode) format.Hints {
format.NewProp("To", "To"),
format.NewProp("Enabled", "Enabled"),
format.NewProp("Weight", "Weight"),
format.NewProp("Revision", "Revision"),
format.NewProp("CreatedAt", "CreatedAt", table.WithCompactModeMaxColumnWidth(20)),
format.NewProp("UpdatedAt", "UpdatedAt", table.WithCompactModeMaxColumnWidth(20)),
},

15
internal/command/server/admin/run.go
View File

@ -12,8 +12,14 @@ import (
"gitlab.com/wpetit/goweb/logger"
)
const (
flagPrintDefaultToken = "print-default-token"
)
func RunCommand() *cli.Command {
flags := common.Flags()
flags := append(
common.Flags(),
)
return &cli.Command{
Name: "run",
@ -28,18 +34,13 @@ func RunCommand() *cli.Command {
logger.SetFormat(logger.Format(conf.Logger.Format))
logger.SetLevel(logger.Level(conf.Logger.Level))
logger.Debug(ctx.Context, "using config", logger.F("config", conf))
projectVersion := ctx.String("projectVersion")
if conf.Proxy.Sentry.DSN != "" {
flushSentry, err := setup.SetupSentry(ctx.Context, conf.Proxy.Sentry, projectVersion)
flushSentry, err := setup.SetupSentry(ctx.Context, conf.Admin.Sentry, projectVersion)
if err != nil {
return errors.Wrap(err, "could not initialize sentry client")
}
defer flushSentry()
}
integrations, err := setup.SetupIntegrations(ctx.Context, conf)
if err != nil {

8
internal/command/server/dummy/index.gohtml
View File

@ -4,14 +4,14 @@
<h2>Incoming headers</h2>
<table style="width: 100%">
<thead>
<tr style="text-align: left">
<tr>
<th>Key</th>
<th>Value</th>
</tr>
</thead>
<tbody>
{{ range $key, $val := .Request.Header }}
<tr style="text-align: left">
<tr>
<td>
<b>{{ $key }}</b>
</td>
@ -27,7 +27,7 @@
<h2>Incoming cookies</h2>
<table style="width: 100%">
<thead>
<tr style="text-align: left">
<tr>
<th>Name</th>
<th>Domain</th>
<th>Path</th>
@ -41,7 +41,7 @@
</thead>
<tbody>
{{ range $cookie := .Request.Cookies }}
<tr style="text-align: left">
<tr>
<td>
<b>{{ $cookie.Name }}</b>
</td>

2
internal/command/server/dummy/run.go
View File

@ -53,7 +53,7 @@ func RunCommand() *cli.Command {
}
if err := tmpl.Execute(w, data); err != nil {
logger.Error(ctx.Context, "could not execute template", logger.CapturedE(errors.WithStack(err)))
logger.Error(ctx.Context, "could not execute template", logger.E(errors.WithStack(err)))
}
})

7
internal/command/server/proxy/run.go
View File

@ -29,18 +29,13 @@ func RunCommand() *cli.Command {
logger.SetFormat(logger.Format(conf.Logger.Format))
logger.SetLevel(logger.Level(conf.Logger.Level))
logger.Debug(ctx.Context, "using config", logger.F("config", conf))
projectVersion := ctx.String("projectVersion")
if conf.Proxy.Sentry.DSN != "" {
flushSentry, err := setup.SetupSentry(ctx.Context, conf.Proxy.Sentry, projectVersion)
if err != nil {
return errors.Wrap(err, "could not initialize sentry client")
}
defer flushSentry()
}
layers, err := setup.GetLayers(ctx.Context, conf)
if err != nil {
@ -51,7 +46,7 @@ func RunCommand() *cli.Command {
proxy.WithServerConfig(conf.Proxy),
proxy.WithRedisConfig(conf.Redis),
proxy.WithDirectorLayers(layers...),
proxy.WithDirectorCacheTTL(time.Duration(*conf.Proxy.Cache.TTL)),
proxy.WithDirectorCacheTTL(time.Duration(conf.Proxy.Cache.TTL)),
)
addrs, srvErrs := srv.Start(ctx.Context)

2
internal/config/admin_server.go
View File

@ -5,7 +5,6 @@ type AdminServerConfig struct {
CORS CORSConfig `yaml:"cors"`
Auth AuthConfig `yaml:"auth"`
Metrics MetricsConfig `yaml:"metrics"`
Profiling ProfilingConfig `yaml:"profiling"`
Sentry SentryConfig `yaml:"sentry"`
}
@ -16,7 +15,6 @@ func NewDefaultAdminServerConfig() AdminServerConfig {
Auth: NewDefaultAuthConfig(),
Metrics: NewDefaultMetricsConfig(),
Sentry: NewDefaultSentryConfig(),
Profiling: NewDefaultProfilingConfig(),
}
}

23
internal/config/bootstrap.go
View File

@ -80,22 +80,9 @@ func loadBootstrapDir(dir string) (map[store.ProxyName]BootstrapProxyConfig, err
proxies := make(map[store.ProxyName]BootstrapProxyConfig)
for _, f := range files {
proxy, err := loadBootstrappedProxyConfig(f)
data, err := os.ReadFile(f)
if err != nil {
return nil, errors.Wrapf(err, "could not load proxy bootstrap file '%s'", f)
}
name := store.ProxyName(strings.TrimSuffix(filepath.Base(f), filepath.Ext(f)))
proxies[name] = *proxy
}
return proxies, nil
}
func loadBootstrappedProxyConfig(filename string) (*BootstrapProxyConfig, error) {
data, err := os.ReadFile(filename)
if err != nil {
return nil, errors.Wrapf(err, "could not read file '%s'", filename)
return nil, errors.Wrapf(err, "could not read file '%s'", f)
}
proxy := BootstrapProxyConfig{}
@ -104,7 +91,11 @@ func loadBootstrappedProxyConfig(filename string) (*BootstrapProxyConfig, error)
return nil, errors.Wrapf(err, "could not unmarshal proxy")
}
return &proxy, nil
name := store.ProxyName(strings.TrimSuffix(filepath.Base(f), filepath.Ext(f)))
proxies[name] = proxy
}
return proxies, nil
}
func overrideProxies(base map[store.ProxyName]BootstrapProxyConfig, proxies map[store.ProxyName]BootstrapProxyConfig) map[store.ProxyName]BootstrapProxyConfig {

23
internal/config/environment.go
View File

@ -19,7 +19,7 @@ func (is *InterpolatedString) UnmarshalYAML(value *yaml.Node) error {
return errors.WithStack(err)
}
str, err := envsubst.Eval(str, getEnv)
str, err := envsubst.EvalEnv(str)
if err != nil {
return errors.WithStack(err)
}
@ -38,7 +38,7 @@ func (ii *InterpolatedInt) UnmarshalYAML(value *yaml.Node) error {
return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
}
str, err := envsubst.Eval(str, getEnv)
str, err := envsubst.EvalEnv(str)
if err != nil {
return errors.WithStack(err)
}
@ -62,7 +62,7 @@ func (ifl *InterpolatedFloat) UnmarshalYAML(value *yaml.Node) error {
return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
}
str, err := envsubst.Eval(str, getEnv)
str, err := envsubst.EvalEnv(str)
if err != nil {
return errors.WithStack(err)
}
@ -86,7 +86,7 @@ func (ib *InterpolatedBool) UnmarshalYAML(value *yaml.Node) error {
return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
}
str, err := envsubst.Eval(str, getEnv)
str, err := envsubst.EvalEnv(str)
if err != nil {
return errors.WithStack(err)
}
@ -101,10 +101,9 @@ func (ib *InterpolatedBool) UnmarshalYAML(value *yaml.Node) error {
return nil
}
var getEnv = os.Getenv
type InterpolatedMap struct {
Data map[string]any
getEnv func(string) string
}
func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error {
@ -114,6 +113,10 @@ func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error {
return errors.Wrapf(err, "could not decode value '%v' (line '%d') into map", value.Value, value.Line)
}
if im.getEnv == nil {
im.getEnv = os.Getenv
}
interpolated, err := im.interpolateRecursive(data)
if err != nil {
return errors.WithStack(err)
@ -124,7 +127,7 @@ func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error {
return nil
}
func (im InterpolatedMap) interpolateRecursive(data any) (any, error) {
func (im *InterpolatedMap) interpolateRecursive(data any) (any, error) {
switch typ := data.(type) {
case map[string]any:
for key, value := range typ {
@ -137,7 +140,7 @@ func (im InterpolatedMap) interpolateRecursive(data any) (any, error) {
}
case string:
value, err := envsubst.Eval(typ, getEnv)
value, err := envsubst.Eval(typ, im.getEnv)
if err != nil {
return nil, errors.WithStack(err)
}
@ -168,7 +171,7 @@ func (iss *InterpolatedStringSlice) UnmarshalYAML(value *yaml.Node) error {
}
for index, value := range data {
value, err := envsubst.Eval(value, getEnv)
value, err := envsubst.EvalEnv(value)
if err != nil {
return errors.WithStack(err)
}
@ -190,7 +193,7 @@ func (id *InterpolatedDuration) UnmarshalYAML(value *yaml.Node) error {
return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
}
str, err := envsubst.Eval(str, getEnv)
str, err := envsubst.EvalEnv(str)
if err != nil {
return errors.WithStack(err)
}

54
internal/config/environment_test.go
View File

@ -4,7 +4,6 @@ import (
"fmt"
"os"
"testing"
"time"
"github.com/pkg/errors"
"gopkg.in/yaml.v3"
@ -66,7 +65,7 @@ func TestInterpolatedMap(t *testing.T) {
var interpolatedMap InterpolatedMap
if tc.Env != nil {
getEnv = func(key string) string {
interpolatedMap.getEnv = func(key string) string {
return tc.Env[key]
}
}
@ -81,54 +80,3 @@ func TestInterpolatedMap(t *testing.T) {
})
}
}
func TestInterpolatedDuration(t *testing.T) {
type testCase struct {
Path string
Env map[string]string
Assert func(t *testing.T, parsed *InterpolatedDuration)
}
testCases := []testCase{
{
Path: "testdata/environment/interpolated-duration.yml",
Env: map[string]string{
"MY_DURATION": "30s",
},
Assert: func(t *testing.T, parsed *InterpolatedDuration) {
if e, g := 30*time.Second, parsed; e != time.Duration(*g) {
t.Errorf("parsed: expected '%v', got '%v'", e, g)
}
},
},
}
for idx, tc := range testCases {
t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
data, err := os.ReadFile(tc.Path)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if tc.Env != nil {
getEnv = func(key string) string {
return tc.Env[key]
}
}
config := struct {
Duration *InterpolatedDuration `yaml:"duration"`
}{
Duration: NewInterpolatedDuration(-1),
}
if err := yaml.Unmarshal(data, &config); err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if tc.Assert != nil {
tc.Assert(t, config.Duration)
}
})
}
}

10
internal/config/layers.go
View File

@ -20,10 +20,6 @@ func NewDefaultLayersConfig() LayersConfig {
TransportConfig: NewDefaultTransportConfig(),
Timeout: NewInterpolatedDuration(10 * time.Second),
},
ProviderCacheTimeout: NewInterpolatedDuration(time.Hour),
},
Sessions: AuthnLayerSessionConfig{
TTL: NewInterpolatedDuration(time.Hour),
},
},
}
@ -38,16 +34,10 @@ type AuthnLayerConfig struct {
Debug InterpolatedBool `yaml:"debug"`
TemplateDir InterpolatedString `yaml:"templateDir"`
OIDC AuthnOIDCLayerConfig `yaml:"oidc"`
Sessions AuthnLayerSessionConfig `yaml:"sessions"`
}
type AuthnLayerSessionConfig struct {
TTL *InterpolatedDuration `yaml:"ttl"`
}
type AuthnOIDCLayerConfig struct {
HTTPClient AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
ProviderCacheTimeout *InterpolatedDuration `yaml:"providerCacheTimeout"`
}
type AuthnOIDCHTTPClientConfig struct {

15
internal/config/profiling.go
View File

@ -1,15 +0,0 @@
package config
type ProfilingConfig struct {
Enabled InterpolatedBool `yaml:"enabled"`
Endpoint InterpolatedString `yaml:"endpoint"`
BasicAuth *BasicAuthConfig `yaml:"basicAuth"`
}
func NewDefaultProfilingConfig() ProfilingConfig {
return ProfilingConfig{
Enabled: true,
Endpoint: "/.bouncer/profiling",
BasicAuth: nil,
}
}

6
internal/config/proxy_server.go
View File

@ -10,7 +10,6 @@ type ProxyServerConfig struct {
Debug InterpolatedBool `yaml:"debug"`
HTTP HTTPConfig `yaml:"http"`
Metrics MetricsConfig `yaml:"metrics"`
Profiling ProfilingConfig `yaml:"profiling"`
Transport TransportConfig `yaml:"transport"`
Dial DialConfig `yaml:"dial"`
Sentry SentryConfig `yaml:"sentry"`
@ -28,7 +27,6 @@ func NewDefaultProxyServerConfig() ProxyServerConfig {
Sentry: NewDefaultSentryConfig(),
Cache: NewDefaultCacheConfig(),
Templates: NewDefaultTemplatesConfig(),
Profiling: NewDefaultProfilingConfig(),
}
}
@ -113,12 +111,12 @@ func NewDefaultDialConfig() DialConfig {
}
type CacheConfig struct {
TTL *InterpolatedDuration `yaml:"ttl"`
TTL InterpolatedDuration `yaml:"ttl"`
}
func NewDefaultCacheConfig() CacheConfig {
return CacheConfig{
TTL: NewInterpolatedDuration(time.Second * 30),
TTL: *NewInterpolatedDuration(time.Second * 30),
}
}

14
internal/config/redis.go
View File

@ -15,16 +15,6 @@ type RedisConfig struct {
WriteTimeout InterpolatedDuration `yaml:"writeTimeout"`
DialTimeout InterpolatedDuration `yaml:"dialTimeout"`
LockMaxRetries InterpolatedInt `yaml:"lockMaxRetries"`
RouteByLatency InterpolatedBool `yaml:"routeByLatency"`
ContextTimeoutEnabled InterpolatedBool `yaml:"contextTimeoutEnabled"`
MaxRetries InterpolatedInt `yaml:"maxRetries"`
PingInterval InterpolatedDuration `yaml:"pingInterval"`
PoolSize InterpolatedInt `yaml:"poolSize"`
PoolTimeout InterpolatedDuration `yaml:"poolTimeout"`
MinIdleConns InterpolatedInt `yaml:"minIdleConns"`
MaxIdleConns InterpolatedInt `yaml:"maxIdleConns"`
ConnMaxIdleTime InterpolatedDuration `yaml:"connMaxIdleTime"`
ConnMaxLifetime InterpolatedDuration `yaml:"connMaxLifeTime"`
}
func NewDefaultRedisConfig() RedisConfig {
@ -35,9 +25,5 @@ func NewDefaultRedisConfig() RedisConfig {
WriteTimeout: InterpolatedDuration(30 * time.Second),
DialTimeout: InterpolatedDuration(30 * time.Second),
LockMaxRetries: 10,
MaxRetries: 3,
PingInterval: InterpolatedDuration(30 * time.Second),
ContextTimeoutEnabled: true,
RouteByLatency: true,
}
}

8
internal/config/sentry.go
View File

@ -29,10 +29,10 @@ func NewDefaultSentryConfig() SentryConfig {
FlushTimeout: NewInterpolatedDuration(2 * time.Second),
AttachStacktrace: true,
SampleRate: 1,
EnableTracing: false,
TracesSampleRate: 0.1,
ProfilesSampleRate: 0.1,
IgnoreErrors: []string{"context canceled", "net/http: abort"},
EnableTracing: true,
TracesSampleRate: 0.2,
ProfilesSampleRate: 1,
IgnoreErrors: []string{},
SendDefaultPII: false,
ServerName: "",
Environment: "",

1
internal/config/testdata/environment/interpolated-duration.yml vendored
View File

@ -1 +0,0 @@
duration: ${MY_DURATION}

2
internal/lock/redis/locker.go
View File

@ -38,7 +38,7 @@ func (l *Locker) WithLock(ctx context.Context, key string, timeout time.Duration
defer func() {
if err := lock.Release(ctx); err != nil {
logger.Error(ctx, "could not release lock", logger.CapturedE(errors.WithStack(err)))
logger.Error(ctx, "could not release lock", logger.E(errors.WithStack(err)))
}
logger.Debug(ctx, "lock released")

2
internal/lock/redis/retry.go
View File

@ -30,7 +30,7 @@ func retryWithBackoff(ctx context.Context, attempts int, fn func(ctx context.Con
return errors.Wrapf(err, "execution failed after %d attempts", attempts)
}
logger.Error(ctx, "error while executing func, retrying with backoff", logger.CapturedE(err), logger.F("backoffDelay", backoffDelay), logger.F("remainingAttempts", attempts-count))
logger.Error(ctx, "error while executing func, retrying with backoff", logger.E(err), logger.F("backoffDelay", backoffDelay), logger.F("remainingAttempts", attempts-count))
time.Sleep(backoffDelay)

37
internal/proxy/director/context.go
View File

@ -2,13 +2,10 @@ package director
import (
"context"
"net/http"
"net/url"
"forge.cadoles.com/cadoles/bouncer/internal/store"
"github.com/getsentry/sentry-go"
"github.com/pkg/errors"
"gitlab.com/wpetit/goweb/logger"
)
type contextKey string
@ -17,8 +14,6 @@ const (
contextKeyProxy contextKey = "proxy"
contextKeyLayers contextKey = "layers"
contextKeyOriginalURL contextKey = "originalURL"
contextKeyHandleError contextKey = "handleError"
contextKeySentryScope contextKey = "sentryScope"
)
var (
@ -65,35 +60,3 @@ func ctxValue[T any](ctx context.Context, key contextKey) (T, error) {
return value, nil
}
type HandleErrorFunc func(w http.ResponseWriter, r *http.Request, status int, err error)
func withHandleError(ctx context.Context, fn HandleErrorFunc) context.Context {
return context.WithValue(ctx, contextKeyHandleError, fn)
}
func HandleError(ctx context.Context, w http.ResponseWriter, r *http.Request, status int, err error) {
err = errors.WithStack(err)
fn, ok := ctx.Value(contextKeyHandleError).(HandleErrorFunc)
if !ok {
logger.Error(ctx, err.Error(), logger.CapturedE(err))
http.Error(w, http.StatusText(status), status)
return
}
fn(w, r, status, err)
}
func withSentryScope(ctx context.Context, scope *sentry.Scope) context.Context {
return context.WithValue(ctx, contextKeySentryScope, scope)
}
func SentryScope(ctx context.Context) (*sentry.Scope, error) {
scope, err := ctxValue[*sentry.Scope](ctx, contextKeySentryScope)
if err != nil {
return nil, errors.WithStack(err)
}
return scope, nil
}

95
internal/proxy/director/director.go
View File

@ -7,9 +7,8 @@ import (
"forge.cadoles.com/Cadoles/go-proxy"
"forge.cadoles.com/Cadoles/go-proxy/wildcard"
"forge.cadoles.com/cadoles/bouncer/internal/cache"
"forge.cadoles.com/cadoles/bouncer/internal/store"
"forge.cadoles.com/cadoles/bouncer/internal/syncx"
"github.com/getsentry/sentry-go"
"github.com/pkg/errors"
"github.com/prometheus/client_golang/prometheus"
"gitlab.com/wpetit/goweb/logger"
@ -20,23 +19,20 @@ type Director struct {
layerRepository store.LayerRepository
layerRegistry *LayerRegistry
cachedProxies *syncx.CachedResource[string, []*store.Proxy]
cachedLayers *syncx.CachedResource[string, []*store.Layer]
handleError HandleErrorFunc
proxyCache cache.Cache[string, []*store.Proxy]
layerCache cache.Cache[string, []*store.Layer]
}
const proxiesCacheKey = "proxies"
func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
ctx := r.Context()
proxies, _, err := d.cachedProxies.Get(ctx, proxiesCacheKey)
proxies, err := d.getProxies(ctx)
if err != nil {
return r, errors.WithStack(err)
}
url := getRequestURL(r)
ctx = withOriginalURL(ctx, url)
ctx = logger.With(ctx, logger.F("url", url.String()))
@ -44,11 +40,21 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
for _, p := range proxies {
for _, from := range p.From {
logger.Debug(
ctx, "matching request with proxy's from",
logger.F("from", from),
)
if matches := wildcard.Match(url.String(), from); !matches {
continue
}
proxyCtx := logger.With(ctx,
logger.Debug(
ctx, "proxy's from matched",
logger.F("from", from),
)
ctx = logger.With(ctx,
logger.F("proxy", p.Name),
logger.F("host", r.Host),
logger.F("remoteAddr", r.RemoteAddr),
@ -56,7 +62,7 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
metricProxyRequestsTotal.With(prometheus.Labels{metricLabelProxy: string(p.Name)}).Add(1)
proxyLayers, _, err := d.cachedLayers.Get(proxyCtx, string(p.Name))
proxyLayers, err := d.getLayers(ctx, p.Name)
if err != nil {
return r, errors.WithStack(err)
}
@ -76,16 +82,8 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
r.URL.Scheme = toURL.Scheme
r.URL.Path = toURL.JoinPath(r.URL.Path).Path
proxyCtx = withLayers(proxyCtx, layers)
r = r.WithContext(proxyCtx)
if sentryScope, _ := SentryScope(ctx); sentryScope != nil {
sentryScope.SetTags(map[string]string{
"bouncer.proxy.name": string(p.Name),
"bouncer.proxy.target.url": r.URL.String(),
"bouncer.proxy.target.host": r.URL.Host,
})
}
ctx = withLayers(ctx, layers)
r = r.WithContext(ctx)
return r, nil
}
@ -97,8 +95,13 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
return r, nil
}
func (d *Director) getProxies(ctx context.Context, key string) ([]*store.Proxy, error) {
logger.Debug(ctx, "querying fresh proxies")
const proxiesCacheKey = "proxies"
func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
proxies, exists := d.proxyCache.Get(proxiesCacheKey)
if exists {
return proxies, nil
}
headers, err := d.proxyRepository.QueryProxy(ctx, store.WithProxyQueryEnabled(true))
if err != nil {
@ -107,7 +110,7 @@ func (d *Director) getProxies(ctx context.Context, key string) ([]*store.Proxy,
sort.Sort(store.ByProxyWeight(headers))
proxies := make([]*store.Proxy, 0, len(headers))
proxies = make([]*store.Proxy, 0, len(headers))
for _, h := range headers {
if !h.Enabled {
@ -122,13 +125,18 @@ func (d *Director) getProxies(ctx context.Context, key string) ([]*store.Proxy,
proxies = append(proxies, proxy)
}
d.proxyCache.Set(proxiesCacheKey, proxies)
return proxies, nil
}
func (d *Director) getLayers(ctx context.Context, rawProxyName string) ([]*store.Layer, error) {
proxyName := store.ProxyName(rawProxyName)
func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]*store.Layer, error) {
cacheKey := "layers-" + string(proxyName)
logger.Debug(ctx, "querying fresh layers")
layers, exists := d.layerCache.Get(cacheKey)
if exists {
return layers, nil
}
headers, err := d.layerRepository.QueryLayers(ctx, proxyName, store.WithLayerQueryEnabled(true))
if err != nil {
@ -137,7 +145,7 @@ func (d *Director) getLayers(ctx context.Context, rawProxyName string) ([]*store
sort.Sort(store.ByLayerWeight(headers))
layers := make([]*store.Layer, 0, len(headers))
layers = make([]*store.Layer, 0, len(headers))
for _, h := range headers {
if !h.Enabled {
@ -152,20 +160,21 @@ func (d *Director) getLayers(ctx context.Context, rawProxyName string) ([]*store
layers = append(layers, layer)
}
d.layerCache.Set(cacheKey, layers)
return layers, nil
}
func (d *Director) RequestTransformer() proxy.RequestTransformer {
return func(r *http.Request) {
ctx := r.Context()
layers, err := ctxLayers(ctx)
if err != nil {
if errors.Is(err, errContextKeyNotFound) {
return
}
logger.Error(ctx, "could not retrieve layers from context", logger.CapturedE(errors.WithStack(err)))
logger.Error(ctx, "could not retrieve layers from context", logger.E(errors.WithStack(err)))
return
}
@ -215,18 +224,15 @@ func (d *Director) ResponseTransformer() proxy.ResponseTransformer {
func (d *Director) Middleware() proxy.Middleware {
return func(next http.Handler) http.Handler {
fn := func(w http.ResponseWriter, r *http.Request) {
sentry.ConfigureScope(func(scope *sentry.Scope) {
ctx := withHandleError(r.Context(), d.handleError)
ctx = withSentryScope(ctx, scope)
r = r.WithContext(ctx)
r, err := d.rewriteRequest(r)
if err != nil {
HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
logger.Error(r.Context(), "could not rewrite request", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
ctx = r.Context()
ctx := r.Context()
layers, err := ctxLayers(ctx)
if err != nil {
@ -234,7 +240,9 @@ func (d *Director) Middleware() proxy.Middleware {
return
}
HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
logger.Error(ctx, "could not retrieve proxy and layers from context", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
@ -251,7 +259,6 @@ func (d *Director) Middleware() proxy.Middleware {
handler := createMiddlewareChain(next, httpMiddlewares)
handler.ServeHTTP(w, r)
})
}
return http.HandlerFunc(fn)
@ -263,15 +270,11 @@ func New(proxyRepository store.ProxyRepository, layerRepository store.LayerRepos
registry := NewLayerRegistry(opts.Layers...)
director := &Director{
return &Director{
proxyRepository: proxyRepository,
layerRepository: layerRepository,
layerRegistry: registry,
handleError: opts.HandleError,
proxyCache: opts.ProxyCache,
layerCache: opts.LayerCache,
}
director.cachedProxies = syncx.NewCachedResource(opts.ProxyCache, director.getProxies)
director.cachedLayers = syncx.NewCachedResource(opts.LayerCache, director.getLayers)
return director
}

47
internal/proxy/director/layer/authn/layer.go
View File

@ -1,18 +1,13 @@
package authn
import (
"bytes"
"html/template"
"io"
"net/http"
"path/filepath"
"forge.cadoles.com/Cadoles/go-proxy"
"forge.cadoles.com/Cadoles/go-proxy/wildcard"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/util"
"forge.cadoles.com/cadoles/bouncer/internal/rule"
ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
"forge.cadoles.com/cadoles/bouncer/internal/store"
"github.com/Masterminds/sprig/v3"
"github.com/pkg/errors"
@ -24,8 +19,6 @@ type Layer struct {
auth Authenticator
debug bool
ruleEngineCache *util.RuleEngineCache[*Vars, *LayerOptions]
templateDir string
}
@ -36,7 +29,9 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
options, err := fromStoreOptions(layer.Options)
if err != nil {
director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
@ -47,7 +42,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
}
err = errors.WithStack(err)
logger.Error(ctx, "could not execute pre-auth hook", logger.CapturedE(err))
logger.Error(ctx, "could not execute pre-auth hook", logger.E(err))
l.renderErrorPage(w, r, layer, options, err)
return
@ -73,20 +68,20 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
}
err = errors.WithStack(err)
logger.Error(ctx, "could not authenticate user", logger.CapturedE(err))
logger.Error(ctx, "could not authenticate user", logger.E(err))
l.renderErrorPage(w, r, layer, options, err)
return
}
if err := l.applyRules(ctx, r, layer, options, user); err != nil {
if err := l.applyRules(r, options, user); err != nil {
if errors.Is(err, ErrForbidden) {
l.renderForbiddenPage(w, r, layer, options, user)
return
}
err = errors.WithStack(err)
logger.Error(ctx, "could not apply rules", logger.CapturedE(err))
logger.Error(ctx, "could not apply rules", logger.E(err))
l.renderErrorPage(w, r, layer, options, err)
return
@ -104,7 +99,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
}
err = errors.WithStack(err)
logger.Error(ctx, "could not execute post-auth hook", logger.CapturedE(err))
logger.Error(ctx, "could not execute post-auth hook", logger.E(err))
l.renderErrorPage(w, r, layer, options, err)
return
@ -167,21 +162,19 @@ func (l *Layer) renderPage(w http.ResponseWriter, r *http.Request, page string,
tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
if err != nil {
director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not load authn templates"))
logger.Error(ctx, "could not load authn templates", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
w.Header().Add("Cache-Control", "no-cache")
var buf bytes.Buffer
if err := tmpl.ExecuteTemplate(w, block, templateData); err != nil {
director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not render authn page"))
return
}
logger.Error(ctx, "could not render authn page", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
if _, err := io.Copy(w, &buf); err != nil {
logger.Error(ctx, "could not write authn page", logger.CapturedE(errors.WithStack(err)))
return
}
}
@ -194,18 +187,6 @@ func NewLayer(layerType store.LayerType, auth Authenticator, funcs ...OptionFunc
opts := NewOptions(funcs...)
return &Layer{
ruleEngineCache: util.NewInMemoryRuleEngineCache[*Vars, *LayerOptions](func(options *LayerOptions) (*rule.Engine[*Vars], error) {
engine, err := rule.NewEngine[*Vars](
rule.WithRules(options.Rules...),
rule.WithExpr(getAuthnAPI()...),
ruleHTTP.WithRequestFuncs(),
)
if err != nil {
return nil, errors.WithStack(err)
}
return engine, nil
}),
layerType: layerType,
auth: auth,
templateDir: opts.TemplateDir,

7
internal/proxy/director/layer/authn/layer_options.go
View File

@ -28,13 +28,12 @@ func DefaultLayerOptions() LayerOptions {
return LayerOptions{
MatchURLs: []string{"*"},
Rules: []string{
"del_headers(ctx, 'Remote-*')",
"set_header(ctx,'Remote-User', vars.user.subject)",
"del_headers('Remote-*')",
"set_header('Remote-User', user.subject)",
`map(
toPairs(vars.user.attrs), {
toPairs(user.attrs), {
let name = replace(lower(string(get(#, 0))), '_', '-');
set_header(
ctx,
'Remote-User-Attr-' + name,
get(#, 1)
)

17
internal/proxy/director/layer/authn/network/authenticator_test.go
View File

@ -39,23 +39,6 @@ func TestMatchAuthorizedCIDRs(t *testing.T) {
},
ExpectedResult: false,
},
{
RemoteHostPort: "192.168.1.15:43349",
AuthorizedCIDRs: []string{
"192.168.1.5/32",
"192.168.1.0/24",
},
ExpectedResult: true,
},
{
RemoteHostPort: "192.168.1.15:43349",
AuthorizedCIDRs: []string{
"192.168.1.5/32",
"192.168.1.6/32",
"192.168.1.7/32",
},
ExpectedResult: false,
},
}
auth := Authenticator{}

56
internal/proxy/director/layer/authn/oidc/authenticator.go
View File

@ -13,12 +13,9 @@ import (
"time"
"forge.cadoles.com/Cadoles/go-proxy/wildcard"
"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
"forge.cadoles.com/cadoles/bouncer/internal/store"
"forge.cadoles.com/cadoles/bouncer/internal/syncx"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/gorilla/sessions"
"github.com/pkg/errors"
@ -30,7 +27,6 @@ type Authenticator struct {
store sessions.Store
httpTransport *http.Transport
httpClientTimeout time.Duration
cachedOIDCProvider *syncx.CachedResource[string, *oidc.Provider]
}
func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
@ -48,7 +44,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
sess, err := a.store.Get(r, a.getCookieName(options.Cookie.Name, layer.Proxy, layer.Name))
if err != nil {
logger.Error(ctx, "could not retrieve session", logger.CapturedE(errors.WithStack(err)))
logger.Error(ctx, "could not retrieve session", logger.E(errors.WithStack(err)))
}
loginCallbackURL, err := a.getLoginCallbackURL(originalURL, layer.Proxy, layer.Name, options)
@ -56,7 +52,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
return errors.WithStack(err)
}
client, err := a.getClient(ctx, options, loginCallbackURL.String())
client, err := a.getClient(options, loginCallbackURL.String())
if err != nil {
return errors.WithStack(err)
}
@ -90,7 +86,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
if postLogoutRedirectURL != "" {
isAuthorized := slices.Contains(options.OIDC.PostLogoutRedirectURLs, postLogoutRedirectURL)
if !isAuthorized {
director.HandleError(ctx, w, r, http.StatusBadRequest, errors.New("unauthorized post-logout redirect"))
http.Error(w, "unauthorized post-logout redirect", http.StatusBadRequest)
return errors.WithStack(authn.ErrSkipRequest)
}
}
@ -132,7 +128,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
defer func() {
if err := sess.Save(r, w); err != nil {
logger.Error(ctx, "could not save session", logger.CapturedE(errors.WithStack(err)))
logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
}
}()
@ -162,7 +158,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
return nil, errors.WithStack(err)
}
client, err := a.getClient(ctx, options, loginCallbackURL.String())
client, err := a.getClient(options, loginCallbackURL.String())
if err != nil {
return nil, errors.WithStack(err)
}
@ -364,7 +360,9 @@ func (a *Authenticator) templatize(rawTemplate string, proxyName store.ProxyName
return raw.String(), nil
}
func (a *Authenticator) getClient(ctx context.Context, options *LayerOptions, redirectURL string) (*Client, error) {
func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*Client, error) {
ctx := context.Background()
transport := a.httpTransport.Clone()
if options.OIDC.TLSInsecureSkipVerify {
@ -375,10 +373,6 @@ func (a *Authenticator) getClient(ctx context.Context, options *LayerOptions, re
transport.TLSClientConfig.InsecureSkipVerify = true
}
if options.OIDC.SkipIssuerVerification {
ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
}
httpClient := &http.Client{
Timeout: a.httpClientTimeout,
Transport: transport,
@ -390,9 +384,9 @@ func (a *Authenticator) getClient(ctx context.Context, options *LayerOptions, re
ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
}
provider, _, err := a.cachedOIDCProvider.Get(ctx, options.OIDC.IssuerURL)
provider, err := oidc.NewProvider(ctx, options.OIDC.IssuerURL)
if err != nil {
return nil, errors.Wrap(err, "could not retrieve oidc provider")
return nil, errors.Wrap(err, "could not create oidc provider")
}
client := NewClient(
@ -407,17 +401,6 @@ func (a *Authenticator) getClient(ctx context.Context, options *LayerOptions, re
return client, nil
}
func (a *Authenticator) getOIDCProvider(ctx context.Context, issuerURL string) (*oidc.Provider, error) {
logger.Debug(ctx, "refreshing oidc provider", logger.F("issuerURL", issuerURL))
provider, err := oidc.NewProvider(ctx, issuerURL)
if err != nil {
return nil, errors.Wrap(err, "could not create oidc provider")
}
return provider, nil
}
const defaultCookieNamePrefix = "_bouncer_authn_oidc"
func (a *Authenticator) getCookieName(cookieName string, proxyName store.ProxyName, layerName store.LayerName) string {
@ -428,25 +411,6 @@ func (a *Authenticator) getCookieName(cookieName string, proxyName store.ProxyNa
return strings.ToLower(fmt.Sprintf("%s_%s_%s", defaultCookieNamePrefix, proxyName, layerName))
}
func NewAuthenticator(httpTransport *http.Transport, clientTimeout time.Duration, store sessions.Store, oidcProviderCacheTimeout time.Duration) *Authenticator {
authenticator := &Authenticator{
httpTransport: httpTransport,
httpClientTimeout: clientTimeout,
store: store,
}
authenticator.cachedOIDCProvider = syncx.NewCachedResource(
ttl.NewCache(
memory.NewCache[string, *oidc.Provider](),
memory.NewCache[string, time.Time](),
oidcProviderCacheTimeout,
),
authenticator.getOIDCProvider,
)
return authenticator
}
var (
_ authn.PreAuthentication = &Authenticator{}
_ authn.Authenticator = &Authenticator{}

6
internal/proxy/director/layer/authn/oidc/client.go
View File

@ -6,7 +6,6 @@ import (
"net/url"
"strings"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/dchest/uniuri"
"github.com/gorilla/sessions"
@ -69,7 +68,8 @@ func (c *Client) login(w http.ResponseWriter, r *http.Request, sess *sessions.Se
sess.Values[sessionKeyPostLoginRedirectURL] = postLoginRedirectURL
if err := sess.Save(r, w); err != nil {
director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not save session"))
logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
@ -127,7 +127,7 @@ func (c *Client) HandleLogout(w http.ResponseWriter, r *http.Request, sess *sess
rawIDToken, err := c.getRawIDToken(sess)
if err != nil {
logger.Error(ctx, "could not retrieve raw id token", logger.CapturedE(errors.WithStack(err)))
logger.Error(ctx, "could not retrieve raw id token", logger.E(errors.WithStack(err)))
}
sess.Values[sessionKeyIDToken] = nil

12
internal/proxy/director/layer/authn/oidc/layer.go
View File

@ -10,11 +10,9 @@ const LayerType store.LayerType = "authn-oidc"
func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer {
opts := NewOptions(funcs...)
authenticator := NewAuthenticator(
opts.HTTPTransport,
opts.HTTPClientTimeout,
store,
opts.OIDCProviderCacheTimeout,
)
return authn.NewLayer(LayerType, authenticator, opts.AuthnOptions...)
return authn.NewLayer(LayerType, &Authenticator{
httpTransport: opts.HTTPTransport,
httpClientTimeout: opts.HTTPClientTimeout,
store: store,
}, opts.AuthnOptions...)
}

8
internal/proxy/director/layer/authn/oidc/options.go
View File

@ -11,7 +11,6 @@ type Options struct {
HTTPTransport *http.Transport
HTTPClientTimeout time.Duration
AuthnOptions []authn.OptionFunc
OIDCProviderCacheTimeout time.Duration
}
type OptionFunc func(opts *Options)
@ -34,18 +33,11 @@ func WithAuthnOptions(funcs ...authn.OptionFunc) OptionFunc {
}
}
func WithOIDCProviderCacheTimeout(timeout time.Duration) OptionFunc {
return func(opts *Options) {
opts.OIDCProviderCacheTimeout = timeout
}
}
func NewOptions(funcs ...OptionFunc) *Options {
opts := &Options{
HTTPTransport: http.DefaultTransport.(*http.Transport),
HTTPClientTimeout: 30 * time.Second,
AuthnOptions: make([]authn.OptionFunc, 0),
OIDCProviderCacheTimeout: time.Hour,
}
for _, fn := range funcs {

25
internal/proxy/director/layer/authn/rules.go
View File

@ -1,35 +1,38 @@
package authn
import (
"context"
"net/http"
"forge.cadoles.com/cadoles/bouncer/internal/rule"
ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
"forge.cadoles.com/cadoles/bouncer/internal/store"
"github.com/expr-lang/expr"
"github.com/pkg/errors"
)
type Vars struct {
type Env struct {
User *User `expr:"user"`
}
func (l *Layer) applyRules(ctx context.Context, r *http.Request, layer *store.Layer, options *LayerOptions, user *User) error {
key := string(layer.Proxy) + "-" + string(layer.Name)
revisionedEngine := l.ruleEngineCache.Get(key)
func (l *Layer) applyRules(r *http.Request, options *LayerOptions, user *User) error {
rules := options.Rules
if len(rules) == 0 {
return nil
}
engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
engine, err := rule.NewEngine[*Env](
rule.WithRules(options.Rules...),
rule.WithExpr(getAuthnAPI()...),
ruleHTTP.WithRequestFuncs(r),
)
if err != nil {
return errors.WithStack(err)
}
vars := &Vars{
env := &Env{
User: user,
}
ctx = ruleHTTP.WithRequest(ctx, r)
if _, err := engine.Apply(ctx, vars); err != nil {
if _, err := engine.Apply(env); err != nil {
return errors.WithStack(err)
}

42
internal/proxy/director/layer/queue/queue.go
View File

@ -1,11 +1,9 @@
package queue
import (
"bytes"
"context"
"fmt"
"html/template"
"io"
"math/rand"
"net/http"
"path/filepath"
@ -54,7 +52,9 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
options, err := fromStoreOptions(layer.Options, q.defaultKeepAlive)
if err != nil {
director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
@ -65,13 +65,13 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
return
}
defer q.updateMetrics(layer.Proxy, layer.Name, options)
defer q.updateMetrics(ctx, layer.Proxy, layer.Name, options)
cookieName := q.getCookieName(layer.Name)
cookie, err := r.Cookie(cookieName)
if err != nil && !errors.Is(err, http.ErrNoCookie) {
logger.Error(ctx, "could not retrieve cookie", logger.CapturedE(errors.WithStack(err)))
logger.Error(ctx, "could not retrieve cookie", logger.E(errors.WithStack(err)))
}
if cookie == nil {
@ -89,7 +89,9 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
rank, err := q.adapter.Touch(ctx, queueName, sessionID)
if err != nil {
director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not update queue session rank"))
logger.Error(ctx, "could not retrieve session rank", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
@ -124,7 +126,7 @@ func (q *Queue) updateSessionsMetric(ctx context.Context, proxyName store.ProxyN
status, err := q.adapter.Status(ctx, queueName)
if err != nil {
logger.Error(ctx, "could not retrieve queue status", logger.CapturedE(errors.WithStack(err)))
logger.Error(ctx, "could not retrieve queue status", logger.E(errors.WithStack(err)))
return
}
@ -142,7 +144,9 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
status, err := q.adapter.Status(ctx, queueName)
if err != nil {
director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve queue status"))
logger.Error(ctx, "could not retrieve queue status", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
@ -153,7 +157,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
if err != nil {
logger.Error(ctx, "could not load queue templates", logger.CapturedE(errors.WithStack(err)))
logger.Error(ctx, "could not load queue templates", logger.E(errors.WithStack(err)))
return
}
@ -162,7 +166,9 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
})
if q.tmpl == nil {
director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("queue page templates not loaded"))
logger.Error(ctx, "queue page templates not loaded", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
@ -188,16 +194,12 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
w.Header().Add("Retry-After", strconv.FormatInt(int64(refreshRate.Seconds()), 10))
w.WriteHeader(http.StatusServiceUnavailable)
var buf bytes.Buffer
if err := q.tmpl.ExecuteTemplate(w, "queue", templateData); err != nil {
logger.Error(ctx, "could not render queue page", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
if err := q.tmpl.ExecuteTemplate(&buf, "queue", templateData); err != nil {
director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not render queue page"))
return
}
if _, err := io.Copy(w, &buf); err != nil {
logger.Error(ctx, "could not write queue page", logger.CapturedE(errors.WithStack(err)))
}
}
func (q *Queue) refreshQueue(ctx context.Context, layerName store.LayerName, keepAlive time.Duration) {
@ -209,15 +211,13 @@ func (q *Queue) refreshQueue(ctx context.Context, layerName store.LayerName, kee
if err := q.adapter.Refresh(ctx, string(layerName), keepAlive); err != nil {
logger.Error(ctx, "could not refresh queue",
logger.CapturedE(errors.WithStack(err)),
logger.E(errors.WithStack(err)),
logger.F("queue", layerName),
)
}
}
func (q *Queue) updateMetrics(proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) {
ctx := context.Background()
func (q *Queue) updateMetrics(ctx context.Context, proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) {
// Update queue capacity metric
metricQueueCapacity.With(
prometheus.Labels{

79
internal/proxy/director/layer/rewriter/api.go
View File

@ -1,79 +0,0 @@
package rewriter
import (
"context"
"fmt"
"forge.cadoles.com/cadoles/bouncer/internal/rule"
"github.com/expr-lang/expr"
"github.com/pkg/errors"
)
type errRedirect struct {
statusCode int
url string
}
func (e *errRedirect) StatusCode() int {
return e.statusCode
}
func (e *errRedirect) URL() string {
return e.url
}
func (e *errRedirect) Error() string {
return fmt.Sprintf("redirect %d %s", e.statusCode, e.url)
}
func newErrRedirect(statusCode int, url string) *errRedirect {
return &errRedirect{
url: url,
statusCode: statusCode,
}
}
var _ error = &errRedirect{}
func redirectFunc() expr.Option {
return expr.Function(
"redirect",
func(params ...any) (any, error) {
_, err := rule.Assert[context.Context](params[0])
if err != nil {
return nil, errors.WithStack(err)
}
statusCode, err := rule.Assert[int](params[1])
if err != nil {
return nil, errors.WithStack(err)
}
if statusCode < 300 || statusCode >= 400 {
return nil, errors.Errorf("unexpected redirect status code '%d'", statusCode)
}
url, err := rule.Assert[string](params[2])
if err != nil {
return nil, errors.WithStack(err)
}
return nil, newErrRedirect(statusCode, url)
},
new(func(context.Context, int, string) bool),
)
}
func WithRewriterFuncs() rule.OptionFunc {
return func(opts *rule.Options) {
funcs := []expr.Option{
redirectFunc(),
}
if len(opts.Expr) == 0 {
opts.Expr = make([]expr.Option, 0)
}
opts.Expr = append(opts.Expr, funcs...)
}
}

56
internal/proxy/director/layer/rewriter/layer.go
View File

@ -6,19 +6,14 @@ import (
proxy "forge.cadoles.com/Cadoles/go-proxy"
"forge.cadoles.com/Cadoles/go-proxy/wildcard"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/util"
"forge.cadoles.com/cadoles/bouncer/internal/rule"
ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
"forge.cadoles.com/cadoles/bouncer/internal/store"
"github.com/pkg/errors"
"gitlab.com/wpetit/goweb/logger"
)
const LayerType store.LayerType = "rewriter"
type Layer struct {
requestRuleEngineCache *util.RuleEngineCache[*RequestVars, *LayerOptions]
responseRuleEngineCache *util.RuleEngineCache[*ResponseVars, *LayerOptions]
}
type Layer struct{}
func (l *Layer) LayerType() store.LayerType {
return LayerType
@ -31,7 +26,9 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
options, err := fromStoreOptions(layer.Options)
if err != nil {
director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
@ -42,14 +39,9 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
return
}
if err := l.applyRequestRules(ctx, r, layer, options); err != nil {
var redirect *errRedirect
if errors.As(err, &redirect) {
http.Redirect(w, r, redirect.URL(), redirect.StatusCode())
return
}
director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not apply request rules"))
if err := l.applyRequestRules(r, options); err != nil {
logger.Error(ctx, "could not apply request rules", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
@ -74,9 +66,7 @@ func (l *Layer) ResponseTransformer(layer *store.Layer) proxy.ResponseTransforme
return nil
}
ctx := r.Request.Context()
if err := l.applyResponseRules(ctx, r, layer, options); err != nil {
if err := l.applyResponseRules(r, options); err != nil {
return errors.WithStack(err)
}
@ -84,32 +74,8 @@ func (l *Layer) ResponseTransformer(layer *store.Layer) proxy.ResponseTransforme
}
}
func New(funcs ...OptionFunc) *Layer {
return &Layer{
requestRuleEngineCache: util.NewInMemoryRuleEngineCache(func(options *LayerOptions) (*rule.Engine[*RequestVars], error) {
engine, err := rule.NewEngine[*RequestVars](
rule.WithRules(options.Rules.Request...),
ruleHTTP.WithRequestFuncs(),
WithRewriterFuncs(),
)
if err != nil {
return nil, errors.WithStack(err)
}
return engine, nil
}),
responseRuleEngineCache: util.NewInMemoryRuleEngineCache(func(options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
engine, err := rule.NewEngine[*ResponseVars](
rule.WithRules(options.Rules.Response...),
ruleHTTP.WithResponseFuncs(),
)
if err != nil {
return nil, errors.WithStack(err)
}
return engine, nil
}),
}
func New() *Layer {
return &Layer{}
}
var (

16
internal/proxy/director/layer/rewriter/options.go
View File

@ -1,16 +0,0 @@
package rewriter
type Options struct {
}
type OptionFunc func(opts *Options)
func NewOptions(funcs ...OptionFunc) *Options {
opts := &Options{}
for _, fn := range funcs {
fn(opts)
}
return opts
}

221
internal/proxy/director/layer/rewriter/rules.go
View File

@ -1,80 +1,50 @@
package rewriter
import (
"context"
"net/http"
"net/url"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
"forge.cadoles.com/cadoles/bouncer/internal/rule"
ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
"forge.cadoles.com/cadoles/bouncer/internal/store"
"github.com/pkg/errors"
)
type RequestVars struct {
Request RequestVar `expr:"request"`
OriginalURL URLVar `expr:"original_url"`
type RequestEnv struct {
Request RequestInfo `expr:"request"`
}
type URLVar struct {
Scheme string `expr:"scheme"`
Opaque string `expr:"opaque"`
User UserVar `expr:"user"`
Host string `expr:"host"`
Path string `expr:"path"`
RawPath string `expr:"raw_path"`
RawQuery string `expr:"raw_query"`
Fragment string `expr:"fragment"`
RawFragment string `expr:"raw_fragment"`
}
func fromURL(url *url.URL) URLVar {
return URLVar{
Scheme: url.Scheme,
Opaque: url.Opaque,
User: UserVar{
Username: url.User.Username(),
Password: func() string {
passwd, _ := url.User.Password()
return passwd
}(),
},
Host: url.Host,
Path: url.Path,
RawPath: url.RawPath,
RawQuery: url.RawQuery,
Fragment: url.Fragment,
RawFragment: url.RawFragment,
}
}
type UserVar struct {
Username string `expr:"username"`
Password string `expr:"password"`
}
type RequestVar struct {
type RequestInfo struct {
Method string `expr:"method"`
URL URLVar `expr:"url"`
RawURL string `expr:"raw_url"`
URL string `expr:"url"`
Proto string `expr:"proto"`
ProtoMajor int `expr:"proto_major"`
ProtoMinor int `expr:"proto_minor"`
ProtoMajor int `expr:"protoMajor"`
ProtoMinor int `expr:"protoMinor"`
Header map[string][]string `expr:"header"`
ContentLength int64 `expr:"content_length"`
TransferEncoding []string `expr:"transfer_encoding"`
ContentLength int64 `expr:"contentLength"`
TransferEncoding []string `expr:"transferEncoding"`
Host string `expr:"host"`
Trailer map[string][]string `expr:"trailer"`
RemoteAddr string `expr:"remote_addr"`
RequestURI string `expr:"request_uri"`
RemoteAddr string `expr:"remoteAddr"`
RequestURI string `expr:"requestUri"`
}
func fromRequest(r *http.Request) RequestVar {
return RequestVar{
func (l *Layer) applyRequestRules(r *http.Request, options *LayerOptions) error {
rules := options.Rules.Request
if len(rules) == 0 {
return nil
}
engine, err := rule.NewEngine[*RequestEnv](
ruleHTTP.WithRequestFuncs(r),
rule.WithRules(options.Rules.Request...),
)
if err != nil {
return errors.WithStack(err)
}
env := &RequestEnv{
Request: RequestInfo{
Method: r.Method,
URL: fromURL(r.URL),
RawURL: r.URL.String(),
URL: r.URL.String(),
Proto: r.Proto,
ProtoMajor: r.ProtoMajor,
ProtoMinor: r.ProtoMinor,
@ -85,90 +55,64 @@ func fromRequest(r *http.Request) RequestVar {
Trailer: r.Trailer,
RemoteAddr: r.RemoteAddr,
RequestURI: r.RequestURI,
}
},
}
func (l *Layer) applyRequestRules(ctx context.Context, r *http.Request, layer *store.Layer, options *LayerOptions) error {
if _, err := engine.Apply(env); err != nil {
return errors.WithStack(err)
}
return nil
}
type ResponseEnv struct {
Request RequestInfo `expr:"request"`
Response ResponseInfo `expr:"response"`
}
type ResponseInfo struct {
Status string `expr:"status"`
StatusCode int `expr:"statusCode"`
Proto string `expr:"proto"`
ProtoMajor int `expr:"protoMajor"`
ProtoMinor int `expr:"protoMinor"`
Header map[string][]string `expr:"header"`
ContentLength int64 `expr:"contentLength"`
TransferEncoding []string `expr:"transferEncoding"`
Uncompressed bool `expr:"uncompressed"`
Trailer map[string][]string `expr:"trailer"`
}
func (l *Layer) applyResponseRules(r *http.Response, options *LayerOptions) error {
rules := options.Rules.Request
if len(rules) == 0 {
return nil
}
engine, err := l.getRequestRuleEngine(ctx, layer, options)
engine, err := rule.NewEngine[*ResponseEnv](
rule.WithRules(options.Rules.Response...),
ruleHTTP.WithResponseFuncs(r),
)
if err != nil {
return errors.WithStack(err)
}
originalURL, err := director.OriginalURL(ctx)
if err != nil {
return errors.WithStack(err)
}
vars := &RequestVars{
OriginalURL: fromURL(originalURL),
Request: fromRequest(r),
}
ctx = ruleHTTP.WithRequest(ctx, r)
if _, err := engine.Apply(ctx, vars); err != nil {
return errors.WithStack(err)
}
return nil
}
func (l *Layer) getRequestRuleEngine(ctx context.Context, layer *store.Layer, options *LayerOptions) (*rule.Engine[*RequestVars], error) {
key := string(layer.Proxy) + "-" + string(layer.Name)
revisionedEngine := l.requestRuleEngineCache.Get(key)
engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
if err != nil {
return nil, errors.WithStack(err)
}
return engine, nil
}
type ResponseVars struct {
OriginalURL URLVar `expr:"original_url"`
Request RequestVar `expr:"request"`
Response ResponseVar `expr:"response"`
}
type ResponseVar struct {
Status string `expr:"status"`
StatusCode int `expr:"status_code"`
Proto string `expr:"proto"`
ProtoMajor int `expr:"proto_major"`
ProtoMinor int `expr:"proto_minor"`
Header map[string][]string `expr:"header"`
ContentLength int64 `expr:"content_length"`
TransferEncoding []string `expr:"transfer_encoding"`
Uncompressed bool `expr:"uncompressed"`
Trailer map[string][]string `expr:"trailer"`
}
func (l *Layer) applyResponseRules(ctx context.Context, r *http.Response, layer *store.Layer, options *LayerOptions) error {
rules := options.Rules.Response
if len(rules) == 0 {
return nil
}
engine, err := l.getResponseRuleEngine(ctx, layer, options)
if err != nil {
return errors.WithStack(err)
}
originalURL, err := director.OriginalURL(ctx)
if err != nil {
return errors.WithStack(err)
}
vars := &ResponseVars{
OriginalURL: fromURL(originalURL),
Request: fromRequest(r.Request),
Response: ResponseVar{
env := &ResponseEnv{
Request: RequestInfo{
Method: r.Request.Method,
URL: r.Request.URL.String(),
Proto: r.Request.Proto,
ProtoMajor: r.Request.ProtoMajor,
ProtoMinor: r.Request.ProtoMinor,
Header: r.Request.Header,
ContentLength: r.Request.ContentLength,
TransferEncoding: r.Request.TransferEncoding,
Host: r.Request.Host,
Trailer: r.Request.Trailer,
RemoteAddr: r.Request.RemoteAddr,
RequestURI: r.Request.RequestURI,
},
Response: ResponseInfo{
Proto: r.Proto,
ProtoMajor: r.ProtoMajor,
ProtoMinor: r.ProtoMinor,
@ -181,24 +125,9 @@ func (l *Layer) applyResponseRules(ctx context.Context, r *http.Response, layer
},
}
ctx = ruleHTTP.WithResponse(ctx, r)
ctx = ruleHTTP.WithRequest(ctx, r.Request)
if _, err := engine.Apply(ctx, vars); err != nil {
if _, err := engine.Apply(env); err != nil {
return errors.WithStack(err)
}
return nil
}
func (l *Layer) getResponseRuleEngine(ctx context.Context, layer *store.Layer, options *LayerOptions) (*rule.Engine[*ResponseVars], error) {
key := string(layer.Proxy) + "-" + string(layer.Name)
revisionedEngine := l.responseRuleEngineCache.Get(key)
engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
if err != nil {
return nil, errors.WithStack(err)
}
return engine, nil
}

51
internal/proxy/director/layer/util/revisioned_rule_engine.go
View File

@ -1,51 +0,0 @@
package util
import (
"context"
"sync"
"forge.cadoles.com/cadoles/bouncer/internal/rule"
"github.com/pkg/errors"
"gitlab.com/wpetit/goweb/logger"
)
type RuleEngineFactoryFunc[V any, O any] func(ops O) (*rule.Engine[V], error)
type RevisionedRuleEngine[V any, O any] struct {
mutex sync.RWMutex
revision int
engine *rule.Engine[V]
factory RuleEngineFactoryFunc[V, O]
}
func (e *RevisionedRuleEngine[V, O]) Get(ctx context.Context, revision int, opts O) (*rule.Engine[V], error) {
e.mutex.RLock()
if revision == e.revision {
logger.Debug(ctx, "using cached rule engine", logger.F("layerRevision", revision))
defer e.mutex.RUnlock()
return e.engine, nil
}
e.mutex.RUnlock()
e.mutex.Lock()
defer e.mutex.Unlock()
logger.Debug(ctx, "creating rule engine", logger.F("layerRevision", revision))
engine, err := e.factory(opts)
if err != nil {
return nil, errors.WithStack(err)
}
e.engine = engine
e.revision = revision
return engine, nil
}
func NewRevisionedRuleEngine[V any, O any](factory RuleEngineFactoryFunc[V, O]) *RevisionedRuleEngine[V, O] {
return &RevisionedRuleEngine[V, O]{
factory: factory,
}
}

28
internal/proxy/director/layer/util/rule_engine_cache.go
View File

@ -1,28 +0,0 @@
package util
import (
"forge.cadoles.com/cadoles/bouncer/internal/cache"
"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
)
type RuleEngineCache[V any, O any] struct {
cache cache.Cache[string, *RevisionedRuleEngine[V, O]]
factory RuleEngineFactoryFunc[V, O]
}
func (c *RuleEngineCache[V, O]) Get(key string) *RevisionedRuleEngine[V, O] {
revisionedRuleEngine, exists := c.cache.Get(key)
if !exists {
revisionedRuleEngine = NewRevisionedRuleEngine(c.factory)
c.cache.Set(key, revisionedRuleEngine)
}
return revisionedRuleEngine
}
func NewInMemoryRuleEngineCache[V any, O any](factory RuleEngineFactoryFunc[V, O]) *RuleEngineCache[V, O] {
return &RuleEngineCache[V, O]{
factory: factory,
cache: memory.NewCache[string, *RevisionedRuleEngine[V, O]](),
}
}

13
internal/proxy/director/options.go
View File

@ -1,21 +1,18 @@
package director
import (
"net/http"
"time"
"forge.cadoles.com/cadoles/bouncer/internal/cache"
"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
"forge.cadoles.com/cadoles/bouncer/internal/store"
"gitlab.com/wpetit/goweb/logger"
)
type Options struct {
Layers []Layer
ProxyCache cache.Cache[string, []*store.Proxy]
LayerCache cache.Cache[string, []*store.Layer]
HandleError HandleErrorFunc
}
type OptionFunc func(opts *Options)
@ -33,10 +30,6 @@ func NewOptions(funcs ...OptionFunc) *Options {
memory.NewCache[string, time.Time](),
30*time.Second,
),
HandleError: func(w http.ResponseWriter, r *http.Request, status int, err error) {
logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
http.Error(w, http.StatusText(status), status)
},
}
for _, fn := range funcs {
@ -63,9 +56,3 @@ func WithLayerCache(cache cache.Cache[string, []*store.Layer]) OptionFunc {
opts.LayerCache = cache
}
}
func WithHandleErrorFunc(fn HandleErrorFunc) OptionFunc {
return func(opts *Options) {
opts.HandleError = fn
}
}

2
internal/proxy/init.go
View File

@ -9,7 +9,7 @@ import (
)
func (s *Server) initRepositories(ctx context.Context) error {
client := setup.NewSharedClient(s.redisConfig)
client := setup.NewRedisClient(ctx, s.redisConfig)
if err := s.initProxyRepository(ctx, client); err != nil {
return errors.WithStack(err)

156
internal/proxy/proxy_test.go Normal file
View File

@ -0,0 +1,156 @@
package proxy_test
import (
"context"
"io"
"net/http"
"net/http/httptest"
"net/http/httputil"
"net/url"
"os"
"testing"
"time"
"forge.cadoles.com/Cadoles/go-proxy"
"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
"forge.cadoles.com/cadoles/bouncer/internal/store"
redisStore "forge.cadoles.com/cadoles/bouncer/internal/store/redis"
"github.com/pkg/errors"
"github.com/redis/go-redis/v9"
)
func BenchmarkProxy(b *testing.B) {
redisEndpoint := os.Getenv("BOUNCER_BENCH_REDIS_ADDR")
if redisEndpoint == "" {
redisEndpoint = "127.0.0.1:6379"
}
client := redis.NewUniversalClient(&redis.UniversalOptions{
Addrs: []string{redisEndpoint},
})
proxyRepository := redisStore.NewProxyRepository(client)
layerRepository := redisStore.NewLayerRepository(client)
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
if _, err := w.Write([]byte("Hello, world.")); err != nil {
b.Logf("[ERROR] %+v", errors.WithStack(err))
}
}))
defer backend.Close()
if err := waitFor(backend.URL, 5*time.Second); err != nil {
b.Fatalf("[FATAL] %+v", errors.WithStack(err))
}
b.Logf("started backend '%s'", backend.URL)
ctx := context.Background()
proxyName := store.ProxyName(b.Name())
b.Logf("creating proxy '%s'", proxyName)
if err := proxyRepository.DeleteProxy(ctx, proxyName); err != nil {
b.Fatalf("[FATAL] %+v", errors.WithStack(err))
}
if _, err := proxyRepository.CreateProxy(ctx, proxyName, backend.URL, "*"); err != nil {
b.Fatalf("[FATAL] %+v", errors.WithStack(err))
}
if _, err := proxyRepository.UpdateProxy(ctx, proxyName, store.WithProxyUpdateEnabled(true)); err != nil {
b.Fatalf("[FATAL] %+v", errors.WithStack(err))
}
director := director.New(
proxyRepository, layerRepository,
director.WithLayerCache(
ttl.NewCache(
memory.NewCache[string, []*store.Layer](),
memory.NewCache[string, time.Time](),
30*time.Second,
),
),
director.WithProxyCache(
ttl.NewCache(
memory.NewCache[string, []*store.Proxy](),
memory.NewCache[string, time.Time](),
30*time.Second,
),
),
)
directorMiddleware := director.Middleware()
handler := proxy.New(
proxy.WithRequestTransformers(
director.RequestTransformer(),
),
proxy.WithResponseTransformers(
director.ResponseTransformer(),
),
proxy.WithReverseProxyFactory(func(ctx context.Context, target *url.URL) *httputil.ReverseProxy {
reverse := httputil.NewSingleHostReverseProxy(target)
reverse.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
b.Logf("[ERROR] %s", errors.WithStack(err))
}
return reverse
}),
)
server := httptest.NewServer(directorMiddleware(handler))
defer server.Close()
b.Logf("started proxy '%s'", server.URL)
httpClient := server.Client()
b.ResetTimer()
for i := 0; i < b.N; i++ {
res, err := httpClient.Get(server.URL)
if err != nil {
b.Errorf("could not fetch server url: %+v", errors.WithStack(err))
}
body, err := io.ReadAll(res.Body)
if err != nil {
b.Errorf("could not read response body: %+v", errors.WithStack(err))
}
b.Logf("%s - %v", res.Status, string(body))
if err := res.Body.Close(); err != nil {
b.Errorf("could not close response body: %+v", errors.WithStack(err))
}
}
}
func waitFor(url string, ttl time.Duration) error {
var lastErr error
timeout := time.After(ttl)
for {
select {
case <-timeout:
if lastErr != nil {
return lastErr
}
return errors.New("wait timed out")
default:
res, err := http.Get(url)
if err != nil {
lastErr = errors.WithStack(err)
continue
}
if res.StatusCode >= 200 && res.StatusCode < 400 {
return nil
}
}
}
}

131
internal/proxy/server.go
View File

@ -1,23 +1,16 @@
package proxy
import (
"bytes"
"context"
"expvar"
"fmt"
"html/template"
"io"
"log"
"net"
"net/http"
"net/http/httputil"
"net/http/pprof"
"net/url"
"os"
"os/signal"
"path/filepath"
"strconv"
"syscall"
"time"
"forge.cadoles.com/Cadoles/go-proxy"
@ -29,6 +22,7 @@ import (
"forge.cadoles.com/cadoles/bouncer/internal/store"
"github.com/Masterminds/sprig/v3"
"github.com/getsentry/sentry-go"
sentryhttp "github.com/getsentry/sentry-go/http"
"github.com/go-chi/chi/v5"
"github.com/go-chi/chi/v5/middleware"
@ -97,25 +91,31 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
logger.Info(ctx, "http server listening")
layerCache, proxyCache, cancel := s.createDirectorCaches(ctx)
defer cancel()
director := director.New(
s.proxyRepository,
s.layerRepository,
director.WithLayers(s.directorLayers...),
director.WithLayerCache(layerCache),
director.WithProxyCache(proxyCache),
director.WithHandleErrorFunc(s.handleError),
director.WithLayerCache(
ttl.NewCache(
memory.NewCache[string, []*store.Layer](),
memory.NewCache[string, time.Time](),
s.directorCacheTTL,
),
),
director.WithProxyCache(
ttl.NewCache(
memory.NewCache[string, []*store.Proxy](),
memory.NewCache[string, time.Time](),
s.directorCacheTTL,
),
),
)
if s.serverConfig.HTTP.UseRealIP {
router.Use(middleware.RealIP)
}
router.Use(middleware.RequestID)
router.Use(middleware.RequestLogger(bouncerChi.NewLogFormatter()))
router.Use(middleware.Recoverer)
if s.serverConfig.Sentry.DSN != "" {
logger.Info(ctx, "enabling sentry http middleware")
@ -146,35 +146,6 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
})
}
if s.serverConfig.Profiling.Enabled {
profiling := s.serverConfig.Profiling
logger.Info(ctx, "enabling profiling", logger.F("endpoint", profiling.Endpoint))
router.Group(func(r chi.Router) {
if profiling.BasicAuth != nil {
logger.Info(ctx, "enabling authentication on profiling endpoint")
r.Use(middleware.BasicAuth(
"profiling",
profiling.BasicAuth.CredentialsMap(),
))
}
r.Route(string(profiling.Endpoint), func(r chi.Router) {
r.HandleFunc("/", pprof.Index)
r.HandleFunc("/cmdline", pprof.Cmdline)
r.HandleFunc("/profile", pprof.Profile)
r.HandleFunc("/symbol", pprof.Symbol)
r.HandleFunc("/trace", pprof.Trace)
r.Handle("/vars", expvar.Handler())
r.HandleFunc("/{name}", func(w http.ResponseWriter, r *http.Request) {
name := chi.URLParam(r, "name")
pprof.Handler(name).ServeHTTP(w, r)
})
})
})
}
router.Group(func(r chi.Router) {
r.Use(director.Middleware())
@ -199,44 +170,6 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
logger.Info(ctx, "http server exiting")
}
func (s *Server) createDirectorCaches(ctx context.Context) (*ttl.Cache[string, []*store.Layer], *ttl.Cache[string, []*store.Proxy], func()) {
layerCache := ttl.NewCache(
memory.NewCache[string, []*store.Layer](),
memory.NewCache[string, time.Time](),
s.directorCacheTTL,
)
proxyCache := ttl.NewCache(
memory.NewCache[string, []*store.Proxy](),
memory.NewCache[string, time.Time](),
s.directorCacheTTL,
)
sig := make(chan os.Signal, 1)
signal.Notify(sig, syscall.SIGUSR2)
go func() {
for {
_, ok := <-sig
if !ok {
return
}
logger.Info(ctx, "received sigusr2 signal, clearing proxies and layers cache")
layerCache.Clear()
proxyCache.Clear()
}
}()
cancel := func() {
close(sig)
}
return layerCache, proxyCache, cancel
}
func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httputil.ReverseProxy {
reverseProxy := httputil.NewSingleHostReverseProxy(target)
@ -253,27 +186,27 @@ func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httpu
httpTransport.DialContext = dialer.DialContext
reverseProxy.Transport = httpTransport
reverseProxy.ErrorHandler = s.handleProxyError
reverseProxy.ErrorHandler = s.handleError
return reverseProxy
}
func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {
s.handleError(w, r, http.StatusBadGateway, errors.Errorf("no proxy target found"))
err := errors.Errorf("no proxy target found")
logger.Error(r.Context(), "proxy error", logger.E(err))
sentry.CaptureException(err)
s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
}
func (s *Server) handleError(w http.ResponseWriter, r *http.Request, status int, err error) {
func (s *Server) handleError(w http.ResponseWriter, r *http.Request, err error) {
err = errors.WithStack(err)
if !errors.Is(err, context.Canceled) {
logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
}
logger.Error(r.Context(), "proxy error", logger.E(err))
sentry.CaptureException(err)
s.renderErrorPage(w, r, err, status, http.StatusText(status))
}
func (s *Server) handleProxyError(w http.ResponseWriter, r *http.Request, err error) {
s.handleError(w, r, http.StatusBadGateway, err)
s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
}
func (s *Server) renderErrorPage(w http.ResponseWriter, r *http.Request, err error, statusCode int, status string) {
@ -304,7 +237,7 @@ func (s *Server) renderPage(w http.ResponseWriter, r *http.Request, page string,
tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
if err != nil {
logger.Error(ctx, "could not load proxy templates", logger.CapturedE(errors.WithStack(err)))
logger.Error(ctx, "could not load proxy templates", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
@ -324,18 +257,12 @@ func (s *Server) renderPage(w http.ResponseWriter, r *http.Request, page string,
return
}
var buf bytes.Buffer
if err := blockTmpl.Execute(&buf, templateData); err != nil {
logger.Error(ctx, "could not render proxy page", logger.CapturedE(errors.WithStack(err)))
if err := blockTmpl.Execute(w, templateData); err != nil {
logger.Error(ctx, "could not render proxy page", logger.E(errors.WithStack(err)))
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
if _, err := io.Copy(w, &buf); err != nil {
logger.Error(ctx, "could not write page", logger.CapturedE(errors.WithStack(err)))
}
}
func NewServer(funcs ...OptionFunc) *Server {

39
internal/rule/engine.go
View File

@ -1,28 +1,16 @@
package rule
import (
"context"
"github.com/expr-lang/expr"
"github.com/expr-lang/expr/vm"
"github.com/pkg/errors"
)
type Engine[V any] struct {
type Engine[E any] struct {
rules []*vm.Program
}
func (e *Engine[V]) Apply(ctx context.Context, vars V) ([]any, error) {
type Env[V any] struct {
Context context.Context `expr:"ctx"`
Vars V `expr:"vars"`
}
env := Env[V]{
Context: ctx,
Vars: vars,
}
func (e *Engine[E]) Apply(env E) ([]any, error) {
results := make([]any, 0, len(e.rules))
for i, r := range e.rules {
result, err := expr.Run(r, env)
@ -54,26 +42,3 @@ func NewEngine[E any](funcs ...OptionFunc) (*Engine[E], error) {
return engine, nil
}
func Context[T any](ctx context.Context, key any) (T, bool) {
raw := ctx.Value(key)
if raw == nil {
return *new(T), false
}
value, err := Assert[T](raw)
if err != nil {
return *new(T), false
}
return value, true
}
func Assert[T any](raw any) (T, error) {
value, ok := raw.(T)
if !ok {
return *new(T), errors.Errorf("unexpected value '%T'", value)
}
return value, nil
}

31
internal/rule/http/context.go
View File

@ -1,31 +0,0 @@
package http
import (
"context"
"net/http"
"forge.cadoles.com/cadoles/bouncer/internal/rule"
)
type contextKey string
const (
contextKeyRequest contextKey = "request"
contextKeyResponse contextKey = "response"
)
func WithRequest(ctx context.Context, r *http.Request) context.Context {
return context.WithValue(ctx, contextKeyRequest, r)
}
func WithResponse(ctx context.Context, r *http.Response) context.Context {
return context.WithValue(ctx, contextKeyResponse, r)
}
func CtxRequest(ctx context.Context) (*http.Request, bool) {
return rule.Context[*http.Request](ctx, contextKeyRequest)
}
func CtxResponse(ctx context.Context) (*http.Response, bool) {
return rule.Context[*http.Response](ctx, contextKeyResponse)
}

26
internal/rule/http/option.go
View File

@ -1,20 +1,20 @@
package http
import (
"net/http"
"forge.cadoles.com/cadoles/bouncer/internal/rule"
"github.com/expr-lang/expr"
)
func WithRequestFuncs() rule.OptionFunc {
func WithRequestFuncs(r *http.Request) rule.OptionFunc {
return func(opts *rule.Options) {
funcs := []expr.Option{
setRequestURLFunc(),
setRequestHeaderFunc(),
addRequestHeaderFunc(),
delRequestHeadersFunc(),
setRequestHostFunc(),
getRequestCookieFunc(),
addRequestCookieFunc(),
setRequestURL(r),
setRequestHeaderFunc(r),
addRequestHeaderFunc(r),
delRequestHeadersFunc(r),
setRequestHostFunc(r),
}
if len(opts.Expr) == 0 {
@ -25,14 +25,12 @@ func WithRequestFuncs() rule.OptionFunc {
}
}
func WithResponseFuncs() rule.OptionFunc {
func WithResponseFuncs(r *http.Response) rule.OptionFunc {
return func(opts *rule.Options) {
funcs := []expr.Option{
setResponseHeaderFunc(),
addResponseHeaderFunc(),
delResponseHeadersFunc(),
addResponseCookieFunc(),
getResponseCookieFunc(),
setResponseHeaderFunc(r),
addResponseHeaderFunc(r),
delResponseHeadersFunc(r),
}
if len(opts.Expr) == 0 {

275
internal/rule/http/request.go
View File

@ -1,7 +1,6 @@
package http
import (
"context"
"fmt"
"net/http"
"net/url"
@ -10,147 +9,101 @@ import (
"time"
"forge.cadoles.com/Cadoles/go-proxy/wildcard"
"forge.cadoles.com/cadoles/bouncer/internal/rule"
"github.com/expr-lang/expr"
"github.com/pkg/errors"
)
func setRequestHostFunc() expr.Option {
func setRequestHostFunc(r *http.Request) expr.Option {
return expr.Function(
"set_host",
func(params ...any) (any, error) {
ctx, err := rule.Assert[context.Context](params[0])
if err != nil {
return nil, errors.WithStack(err)
}
host, err := rule.Assert[string](params[1])
if err != nil {
return nil, errors.WithStack(err)
}
r, ok := CtxRequest(ctx)
if !ok {
return nil, errors.New("could not find http request in context")
}
host := params[0].(string)
r.Host = host
return true, nil
},
new(func(context.Context, string) bool),
new(func(string) bool),
)
}
func setRequestURLFunc() expr.Option {
func setRequestURL(r *http.Request) expr.Option {
return expr.Function(
"set_url",
func(params ...any) (any, error) {
ctx, err := rule.Assert[context.Context](params[0])
if err != nil {
return nil, errors.WithStack(err)
}
rawURL, err := rule.Assert[string](params[1])
if err != nil {
return nil, errors.WithStack(err)
}
rawURL := params[0].(string)
url, err := url.Parse(rawURL)
if err != nil {
return false, errors.WithStack(err)
}
r, ok := CtxRequest(ctx)
if !ok {
return nil, errors.New("could not find http request in context")
}
r.URL = url
return true, nil
},
new(func(context.Context, string) bool),
new(func(string) bool),
)
}
func addRequestHeaderFunc() expr.Option {
func addRequestHeaderFunc(r *http.Request) expr.Option {
return expr.Function(
"add_header",
func(params ...any) (any, error) {
ctx, err := rule.Assert[context.Context](params[0])
if err != nil {
return nil, errors.WithStack(err)
}
name := params[0].(string)
rawValue := params[1]
name, err := rule.Assert[string](params[1])
if err != nil {
return nil, errors.WithStack(err)
}
value := formatValue(params[2])
r, ok := CtxRequest(ctx)
if !ok {
return nil, errors.New("could not find http request in context")
var value string
switch v := rawValue.(type) {
case []string:
value = strings.Join(v, ",")
case time.Time:
value = strconv.FormatInt(v.UTC().Unix(), 10)
case time.Duration:
value = strconv.FormatInt(int64(v.Seconds()), 10)
default:
value = fmt.Sprintf("%v", rawValue)
}
r.Header.Add(name, value)
return true, nil
},
new(func(context.Context, string, string) bool),
new(func(string, string) bool),
)
}
func setRequestHeaderFunc() expr.Option {
func setRequestHeaderFunc(r *http.Request) expr.Option {
return expr.Function(
"set_header",
func(params ...any) (any, error) {
ctx, err := rule.Assert[context.Context](params[0])
if err != nil {
return nil, errors.WithStack(err)
}
name := params[0].(string)
rawValue := params[1]
name, err := rule.Assert[string](params[1])
if err != nil {
return nil, errors.WithStack(err)
}
value := formatValue(params[2])
r, ok := CtxRequest(ctx)
if !ok {
return nil, errors.New("could not find http request in context")
var value string
switch v := rawValue.(type) {
case []string:
value = strings.Join(v, ",")
case time.Time:
value = strconv.FormatInt(v.UTC().Unix(), 10)
case time.Duration:
value = strconv.FormatInt(int64(v.Seconds()), 10)
default:
value = fmt.Sprintf("%v", rawValue)
}
r.Header.Set(name, value)
return true, nil
},
new(func(context.Context, string, string) bool),
new(func(string, string) bool),
)
}
func delRequestHeadersFunc() expr.Option {
func delRequestHeadersFunc(r *http.Request) expr.Option {
return expr.Function(
"del_headers",
func(params ...any) (any, error) {
ctx, err := rule.Assert[context.Context](params[0])
if err != nil {
return nil, errors.WithStack(err)
}
pattern, err := rule.Assert[string](params[1])
if err != nil {
return nil, errors.WithStack(err)
}
r, ok := CtxRequest(ctx)
if !ok {
return nil, errors.New("could not find http request in context")
}
pattern := params[0].(string)
deleted := false
for key := range r.Header {
@ -164,160 +117,6 @@ func delRequestHeadersFunc() expr.Option {
return deleted, nil
},
new(func(context.Context, string) bool),
new(func(string) bool),
)
}
type CookieVar struct {
Name string `expr:"name"`
Value string `expr:"value"`
Path string `expr:"path"`
Domain string `expr:"domain"`
Expires time.Time `expr:"expires"`
MaxAge int `expr:"max_age"`
Secure bool `expr:"secure"`
HttpOnly bool `expr:"http_only"`
SameSite http.SameSite `expr:"same_site"`
}
func getRequestCookieFunc() expr.Option {
return expr.Function(
"get_cookie",
func(params ...any) (any, error) {
ctx, err := rule.Assert[context.Context](params[0])
if err != nil {
return nil, errors.WithStack(err)
}
name, err := rule.Assert[string](params[1])
if err != nil {
return nil, errors.WithStack(err)
}
r, ok := CtxRequest(ctx)
if !ok {
return nil, errors.New("could not find http request in context")
}
cookie, err := r.Cookie(name)
if err != nil && !errors.Is(err, http.ErrNoCookie) {
return nil, errors.WithStack(err)
}
if cookie == nil {
return nil, nil
}
return CookieVar{
Name: cookie.Name,
Value: cookie.Value,
Path: cookie.Path,
Domain: cookie.Domain,
Expires: cookie.Expires,
MaxAge: cookie.MaxAge,
Secure: cookie.Secure,
HttpOnly: cookie.HttpOnly,
SameSite: cookie.SameSite,
}, nil
},
new(func(context.Context, string) CookieVar),
)
}
func addRequestCookieFunc() expr.Option {
return expr.Function(
"add_cookie",
func(params ...any) (any, error) {
ctx, err := rule.Assert[context.Context](params[0])
if err != nil {
return nil, errors.WithStack(err)
}
values, err := rule.Assert[map[string]any](params[1])
if err != nil {
return nil, errors.WithStack(err)
}
cookie, err := cookieFrom(values)
if err != nil {
return nil, errors.WithStack(err)
}
r, ok := CtxRequest(ctx)
if !ok {
return nil, errors.New("could not find http request in context")
}
r.AddCookie(cookie)
return true, nil
},
new(func(context.Context, map[string]any) bool),
)
}
func cookieFrom(values map[string]any) (*http.Cookie, error) {
cookie := &http.Cookie{}
if name, ok := values["name"].(string); ok {
cookie.Name = name
}
if value, ok := values["value"].(string); ok {
cookie.Value = value
}
if domain, ok := values["domain"].(string); ok {
cookie.Domain = domain
}
if path, ok := values["path"].(string); ok {
cookie.Path = path
}
if httpOnly, ok := values["http_only"].(bool); ok {
cookie.HttpOnly = httpOnly
}
if maxAge, ok := values["max_age"].(int); ok {
cookie.MaxAge = maxAge
}
if secure, ok := values["secure"].(bool); ok {
cookie.Secure = secure
}
if sameSite, ok := values["same_site"].(http.SameSite); ok {
cookie.SameSite = sameSite
} else if sameSite, ok := values["same_site"].(int); ok {
cookie.SameSite = http.SameSite(sameSite)
}
if expires, ok := values["expires"].(time.Time); ok {
cookie.Expires = expires
} else if rawExpires, ok := values["expires"].(string); ok {
expires, err := time.Parse(http.TimeFormat, rawExpires)
if err != nil {
return nil, errors.WithStack(err)
}
cookie.Expires = expires
}
return cookie, nil
}
func formatValue(v any) string {
var value string
switch v := v.(type) {
case []string:
value = strings.Join(v, ",")
case time.Time:
value = strconv.FormatInt(v.UTC().Unix(), 10)
case time.Duration:
value = strconv.FormatInt(int64(v.Seconds()), 10)
default:
value = fmt.Sprintf("%v", v)
}
return value
}

324
internal/rule/http/request_test.go
View File

@ -1,324 +0,0 @@
package http
import (
"context"
"fmt"
"net/http"
"testing"
"forge.cadoles.com/cadoles/bouncer/internal/rule"
"github.com/pkg/errors"
)
func TestSetRequestHost(t *testing.T) {
type Vars struct {
NewHost string `expr:"newHost"`
}
engine := createRuleEngine[Vars](t,
rule.WithExpr(setRequestHostFunc()),
rule.WithRules(
"set_host(ctx, vars.newHost)",
),
)
req, err := http.NewRequest("GET", "http://example.net", nil)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
ctx := context.Background()
ctx = WithRequest(ctx, req)
vars := Vars{
NewHost: "foobar",
}
if _, err := engine.Apply(ctx, vars); err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if e, g := vars.NewHost, req.Host; e != g {
t.Errorf("req.Host: expected '%v', got '%v'", e, g)
}
}
func TestSetRequestURL(t *testing.T) {
type Vars struct {
NewURL string `expr:"newURL"`
}
engine := createRuleEngine[Vars](t,
rule.WithExpr(setRequestURLFunc()),
rule.WithRules(
"set_url(ctx, vars.newURL)",
),
)
req, err := http.NewRequest("GET", "http://example.net", nil)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
ctx := context.Background()
ctx = WithRequest(ctx, req)
vars := Vars{
NewURL: "http://localhost",
}
if _, err := engine.Apply(ctx, vars); err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if e, g := vars.NewURL, req.URL.String(); e != g {
t.Errorf("req.URL.String(): expected '%v', got '%v'", e, g)
}
}
func TestAddRequestHeader(t *testing.T) {
type Vars struct {
NewHeaderKey string `expr:"newHeaderKey"`
NewHeaderValue string `expr:"newHeaderValue"`
}
engine := createRuleEngine[Vars](t,
rule.WithExpr(addRequestHeaderFunc()),
rule.WithRules(
"add_header(ctx, vars.newHeaderKey, vars.newHeaderValue)",
),
)
req, err := http.NewRequest("GET", "http://example.net", nil)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
ctx := context.Background()
ctx = WithRequest(ctx, req)
vars := Vars{
NewHeaderKey: "X-My-Header",
NewHeaderValue: "foobar",
}
if _, err := engine.Apply(ctx, vars); err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if e, g := vars.NewHeaderValue, req.Header.Get(vars.NewHeaderKey); e != g {
t.Errorf("req.Header.Get(vars.NewHeaderKey): expected '%v', got '%v'", e, g)
}
}
func TestSetRequestHeader(t *testing.T) {
type Vars struct {
HeaderKey string `expr:"headerKey"`
HeaderValue string `expr:"headerValue"`
}
engine := createRuleEngine[Vars](t,
rule.WithExpr(setRequestHeaderFunc()),
rule.WithRules(
"set_header(ctx, vars.headerKey, vars.headerValue)",
),
)
req, err := http.NewRequest("GET", "http://example.net", nil)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
vars := Vars{
HeaderKey: "X-My-Header",
HeaderValue: "foobar",
}
req.Header.Set(vars.HeaderKey, "test")
ctx := context.Background()
ctx = WithRequest(ctx, req)
if _, err := engine.Apply(ctx, vars); err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if e, g := vars.HeaderValue, req.Header.Get(vars.HeaderKey); e != g {
t.Errorf("req.Header.Get(vars.HeaderKey): expected '%v', got '%v'", e, g)
}
}
func TestDelRequestHeaders(t *testing.T) {
type Vars struct {
HeaderPattern string `expr:"headerPattern"`
}
engine := createRuleEngine[Vars](t,
rule.WithExpr(delRequestHeadersFunc()),
rule.WithRules(
"del_headers(ctx, vars.headerPattern)",
),
)
req, err := http.NewRequest("GET", "http://example.net", nil)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
vars := Vars{
HeaderPattern: "X-My-*",
}
req.Header.Set("X-My-Header", "test")
ctx := context.Background()
ctx = WithRequest(ctx, req)
if _, err := engine.Apply(ctx, vars); err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if val := req.Header.Get("X-My-Header"); val != "" {
t.Errorf("req.Header.Get(\"X-My-Header\") should be empty, got '%v'", val)
}
}
func TestAddRequestCookie(t *testing.T) {
type TestCase struct {
Cookie map[string]any
Check func(t *testing.T, tc TestCase, req *http.Request)
ShouldFail bool
}
testCases := []TestCase{
{
Cookie: map[string]any{
"name": "test",
},
Check: func(t *testing.T, tc TestCase, req *http.Request) {
cookie, err := req.Cookie(tc.Cookie["name"].(string))
if err != nil {
t.Errorf("%+v", errors.WithStack(err))
return
}
if e, g := tc.Cookie["name"], cookie.Name; e != g {
t.Errorf("cookie.Name: expected '%v', got '%v'", e, g)
}
},
},
{
Cookie: map[string]any{
"name": "foo",
"value": "test",
},
Check: func(t *testing.T, tc TestCase, req *http.Request) {
cookie, err := req.Cookie(tc.Cookie["name"].(string))
if err != nil {
t.Errorf("%+v", errors.WithStack(err))
return
}
if e, g := tc.Cookie["name"], cookie.Name; e != g {
t.Errorf("cookie.Name: expected '%v', got '%v'", e, g)
}
if e, g := tc.Cookie["value"], cookie.Value; e != g {
t.Errorf("cookie.Value: expected '%v', got '%v'", e, g)
}
},
},
}
for idx, tc := range testCases {
t.Run(fmt.Sprintf("Case_%d", idx), func(t *testing.T) {
type Vars struct {
NewCookie map[string]any `expr:"new_cookie"`
}
engine := createRuleEngine[Vars](t,
rule.WithExpr(addRequestCookieFunc()),
rule.WithRules(
`add_cookie(ctx, vars.new_cookie)`,
),
)
req, err := http.NewRequest("GET", "http://example.net", nil)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
vars := Vars{
NewCookie: tc.Cookie,
}
ctx := context.Background()
ctx = WithRequest(ctx, req)
if _, err := engine.Apply(ctx, vars); err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if tc.ShouldFail {
t.Error("engine.Apply() should have failed")
}
if tc.Check != nil {
tc.Check(t, tc, req)
}
})
}
}
func TestGetRequestCookie(t *testing.T) {
type Vars struct {
CookieName string `expr:"cookieName"`
}
engine := createRuleEngine[Vars](t,
rule.WithExpr(getRequestCookieFunc()),
rule.WithRules(
"let cookie = get_cookie(ctx, vars.cookieName); cookie.value",
),
)
req, err := http.NewRequest("GET", "http://example.net", nil)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
vars := Vars{
CookieName: "foo",
}
cookie := &http.Cookie{
Name: vars.CookieName,
Value: "bar",
}
req.AddCookie(cookie)
ctx := context.Background()
ctx = WithRequest(ctx, req)
results, err := engine.Apply(ctx, vars)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if e, g := cookie.Value, results[0]; e != g {
t.Errorf("result[0]: expected '%v', got '%v'", e, g)
}
}
func createRuleEngine[V any](t *testing.T, funcs ...rule.OptionFunc) *rule.Engine[V] {
engine, err := rule.NewEngine[V](funcs...)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
return engine
}

148
internal/rule/http/response.go
View File

@ -1,7 +1,6 @@
package http
import (
"context"
"fmt"
"net/http"
"strconv"
@ -9,26 +8,15 @@ import (
"time"
"forge.cadoles.com/Cadoles/go-proxy/wildcard"
"forge.cadoles.com/cadoles/bouncer/internal/rule"
"github.com/expr-lang/expr"
"github.com/pkg/errors"
)
func addResponseHeaderFunc() expr.Option {
func addResponseHeaderFunc(r *http.Response) expr.Option {
return expr.Function(
"add_header",
func(params ...any) (any, error) {
ctx, err := rule.Assert[context.Context](params[0])
if err != nil {
return nil, errors.WithStack(err)
}
name, err := rule.Assert[string](params[1])
if err != nil {
return nil, errors.WithStack(err)
}
rawValue := params[2]
name := params[0].(string)
rawValue := params[1]
var value string
switch v := rawValue.(type) {
@ -42,34 +30,20 @@ func addResponseHeaderFunc() expr.Option {
value = fmt.Sprintf("%v", rawValue)
}
r, ok := CtxResponse(ctx)
if !ok {
return nil, errors.New("could not find http response in context")
}
r.Header.Add(name, value)
return true, nil
},
new(func(context.Context, string, string) bool),
new(func(string, string) bool),
)
}
func setResponseHeaderFunc() expr.Option {
func setResponseHeaderFunc(r *http.Response) expr.Option {
return expr.Function(
"set_header",
func(params ...any) (any, error) {
ctx, err := rule.Assert[context.Context](params[0])
if err != nil {
return nil, errors.WithStack(err)
}
name, err := rule.Assert[string](params[1])
if err != nil {
return nil, errors.WithStack(err)
}
rawValue := params[2]
name := params[0].(string)
rawValue := params[1]
var value string
switch v := rawValue.(type) {
@ -83,38 +57,19 @@ func setResponseHeaderFunc() expr.Option {
value = fmt.Sprintf("%v", rawValue)
}
r, ok := CtxResponse(ctx)
if !ok {
return nil, errors.New("could not find http response in context")
}
r.Header.Set(name, value)
return true, nil
},
new(func(context.Context, string, string) bool),
new(func(string, string) bool),
)
}
func delResponseHeadersFunc() expr.Option {
func delResponseHeadersFunc(r *http.Response) expr.Option {
return expr.Function(
"del_headers",
func(params ...any) (any, error) {
ctx, err := rule.Assert[context.Context](params[0])
if err != nil {
return nil, errors.WithStack(err)
}
pattern, err := rule.Assert[string](params[1])
if err != nil {
return nil, errors.WithStack(err)
}
r, ok := CtxResponse(ctx)
if !ok {
return nil, errors.New("could not find http response in context")
}
pattern := params[0].(string)
deleted := false
for key := range r.Header {
@ -128,87 +83,6 @@ func delResponseHeadersFunc() expr.Option {
return deleted, nil
},
new(func(context.Context, string) bool),
)
}
func addResponseCookieFunc() expr.Option {
return expr.Function(
"add_cookie",
func(params ...any) (any, error) {
ctx, err := rule.Assert[context.Context](params[0])
if err != nil {
return nil, errors.WithStack(err)
}
values, err := rule.Assert[map[string]any](params[1])
if err != nil {
return nil, errors.WithStack(err)
}
cookie, err := cookieFrom(values)
if err != nil {
return nil, errors.WithStack(err)
}
r, ok := CtxResponse(ctx)
if !ok {
return nil, errors.New("could not find http request in context")
}
r.Header.Add("Set-Cookie", cookie.String())
return true, nil
},
new(func(context.Context, map[string]any) bool),
)
}
func getResponseCookieFunc() expr.Option {
return expr.Function(
"get_cookie",
func(params ...any) (any, error) {
ctx, err := rule.Assert[context.Context](params[0])
if err != nil {
return nil, errors.WithStack(err)
}
name, err := rule.Assert[string](params[1])
if err != nil {
return nil, errors.WithStack(err)
}
res, ok := CtxResponse(ctx)
if !ok {
return nil, errors.New("could not find http response in context")
}
var cookie *http.Cookie
for _, c := range res.Cookies() {
if c.Name != name {
continue
}
cookie = c
break
}
if cookie == nil {
return nil, nil
}
return CookieVar{
Name: cookie.Name,
Value: cookie.Value,
Path: cookie.Path,
Domain: cookie.Domain,
Expires: cookie.Expires,
MaxAge: cookie.MaxAge,
Secure: cookie.Secure,
HttpOnly: cookie.HttpOnly,
SameSite: cookie.SameSite,
}, nil
},
new(func(context.Context, string) CookieVar),
new(func(string) bool),
)
}

317
internal/rule/http/response_test.go
View File

@ -1,317 +0,0 @@
package http
import (
"context"
"fmt"
"io"
"net/http"
"testing"
"time"
"forge.cadoles.com/cadoles/bouncer/internal/rule"
"github.com/pkg/errors"
)
func TestAddResponseHeader(t *testing.T) {
type Vars struct {
NewHeaderKey string `expr:"newHeaderKey"`
NewHeaderValue string `expr:"newHeaderValue"`
}
engine := createRuleEngine[Vars](t,
rule.WithExpr(addResponseHeaderFunc()),
rule.WithRules(
"add_header(ctx, vars.newHeaderKey, vars.newHeaderValue)",
),
)
req, err := http.NewRequest("GET", "http://example.net", nil)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
resp := createResponse(req, http.StatusOK, nil)
ctx := context.Background()
ctx = WithResponse(ctx, resp)
vars := Vars{
NewHeaderKey: "X-My-Header",
NewHeaderValue: "foobar",
}
if _, err := engine.Apply(ctx, vars); err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if e, g := vars.NewHeaderValue, resp.Header.Get(vars.NewHeaderKey); e != g {
t.Errorf("resp.Header.Get(vars.NewHeaderKey): expected '%v', got '%v'", e, g)
}
}
func TestResponseSetHeader(t *testing.T) {
type Vars struct {
HeaderKey string `expr:"headerKey"`
HeaderValue string `expr:"headerValue"`
}
engine := createRuleEngine[Vars](t,
rule.WithExpr(setResponseHeaderFunc()),
rule.WithRules(
"set_header(ctx, vars.headerKey, vars.headerValue)",
),
)
req, err := http.NewRequest("GET", "http://example.net", nil)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
resp := createResponse(req, http.StatusOK, nil)
vars := Vars{
HeaderKey: "X-My-Header",
HeaderValue: "foobar",
}
resp.Header.Set(vars.HeaderKey, "test")
ctx := context.Background()
ctx = WithResponse(ctx, resp)
if _, err := engine.Apply(ctx, vars); err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if e, g := vars.HeaderValue, resp.Header.Get(vars.HeaderKey); e != g {
t.Errorf("resp.Header.Get(vars.HeaderKey): expected '%v', got '%v'", e, g)
}
}
func TestResponseDelHeaders(t *testing.T) {
type Vars struct {
HeaderPattern string `expr:"headerPattern"`
}
engine := createRuleEngine[Vars](t,
rule.WithExpr(delResponseHeadersFunc()),
rule.WithRules(
"del_headers(ctx, vars.headerPattern)",
),
)
req, err := http.NewRequest("GET", "http://example.net", nil)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
resp := createResponse(req, http.StatusOK, nil)
vars := Vars{
HeaderPattern: "X-My-*",
}
resp.Header.Set("X-My-Header", "test")
ctx := context.Background()
ctx = WithResponse(ctx, resp)
if _, err := engine.Apply(ctx, vars); err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if val := resp.Header.Get("X-My-Header"); val != "" {
t.Errorf("resp.Header.Get(\"X-My-Header\") should be empty, got '%v'", val)
}
}
func TestAddResponseCookie(t *testing.T) {
type TestCase struct {
Cookie map[string]any
Check func(t *testing.T, tc TestCase, res *http.Response)
ShouldFail bool
}
testCases := []TestCase{
{
Cookie: map[string]any{
"name": "foo",
"value": "test",
"domain": "example.net",
"path": "/custom",
"same_site": http.SameSiteStrictMode,
"http_only": true,
"secure": false,
"expires": time.Now().UTC().Truncate(time.Second),
},
Check: func(t *testing.T, tc TestCase, res *http.Response) {
var cookie *http.Cookie
for _, c := range res.Cookies() {
if c.Name == tc.Cookie["name"] {
cookie = c
break
}
}
if cookie == nil {
t.Errorf("could not find cookie '%s'", tc.Cookie["name"])
return
}
if e, g := tc.Cookie["name"], cookie.Name; e != g {
t.Errorf("cookie.Name: expected '%v', got '%v'", e, g)
}
if e, g := tc.Cookie["value"], cookie.Value; e != g {
t.Errorf("cookie.Value: expected '%v', got '%v'", e, g)
}
if e, g := tc.Cookie["domain"], cookie.Domain; e != g {
t.Errorf("cookie.Domain: expected '%v', got '%v'", e, g)
}
if e, g := tc.Cookie["path"], cookie.Path; e != g {
t.Errorf("cookie.Path: expected '%v', got '%v'", e, g)
}
if e, g := tc.Cookie["secure"], cookie.Secure; e != g {
t.Errorf("cookie.Secure: expected '%v', got '%v'", e, g)
}
if e, g := tc.Cookie["http_only"], cookie.HttpOnly; e != g {
t.Errorf("cookie.HttpOnly: expected '%v', got '%v'", e, g)
}
if e, g := tc.Cookie["same_site"], cookie.SameSite; e != g {
t.Errorf("cookie.SameSite: expected '%v', got '%v'", e, g)
}
if e, g := tc.Cookie["expires"], cookie.Expires; e != g {
t.Errorf("cookie.Expires: expected '%v', got '%v'", e, g)
}
},
},
{
Cookie: map[string]any{
"name": "foo",
"expires": time.Now().UTC().Format(http.TimeFormat),
},
Check: func(t *testing.T, tc TestCase, res *http.Response) {
var cookie *http.Cookie
for _, c := range res.Cookies() {
if c.Name == tc.Cookie["name"] {
cookie = c
break
}
}
if cookie == nil {
t.Errorf("could not find cookie '%s'", tc.Cookie["name"])
return
}
if e, g := tc.Cookie["expires"], cookie.Expires.Format(http.TimeFormat); e != g {
t.Errorf("cookie.Expires: expected '%v', got '%v'", e, g)
}
},
},
}
for idx, tc := range testCases {
t.Run(fmt.Sprintf("Case_%d", idx), func(t *testing.T) {
type Vars struct {
NewCookie map[string]any `expr:"new_cookie"`
}
engine := createRuleEngine[Vars](t,
rule.WithExpr(addResponseCookieFunc()),
rule.WithRules(
`add_cookie(ctx, vars.new_cookie)`,
),
)
req, err := http.NewRequest("GET", "http://example.net", nil)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
resp := createResponse(req, http.StatusOK, nil)
vars := Vars{
NewCookie: tc.Cookie,
}
ctx := context.Background()
ctx = WithRequest(ctx, req)
ctx = WithResponse(ctx, resp)
if _, err := engine.Apply(ctx, vars); err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if tc.ShouldFail {
t.Error("engine.Apply() should have failed")
}
if tc.Check != nil {
tc.Check(t, tc, resp)
}
})
}
}
func TestGetResponseCookie(t *testing.T) {
type Vars struct {
CookieName string `expr:"cookieName"`
}
engine := createRuleEngine[Vars](t,
rule.WithExpr(getResponseCookieFunc()),
rule.WithRules(
"let cookie = get_cookie(ctx, vars.cookieName); cookie.value",
),
)
req, err := http.NewRequest("GET", "http://example.net", nil)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
resp := createResponse(req, http.StatusOK, nil)
vars := Vars{
CookieName: "foo",
}
cookie := &http.Cookie{
Name: vars.CookieName,
Value: "bar",
}
resp.Header.Add("Set-Cookie", cookie.String())
ctx := context.Background()
ctx = WithResponse(ctx, resp)
results, err := engine.Apply(ctx, vars)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if e, g := cookie.Value, results[0]; e != g {
t.Errorf("result[0]: expected '%v', got '%v'", e, g)
}
}
func createResponse(req *http.Request, statusCode int, body io.Reader) *http.Response {
return &http.Response{
Status: http.StatusText(statusCode),
StatusCode: statusCode,
Proto: "HTTP/1.1",
ProtoMajor: 1,
ProtoMinor: 1,
Body: io.NopCloser(body),
ContentLength: -1,
Request: req,
Header: make(http.Header, 0),
}
}

8
internal/session/options.go
View File

@ -10,7 +10,6 @@ import (
type Options struct {
Session sessions.Options
KeyPrefix string
TTL time.Duration
}
type OptionFunc func(opts *Options)
@ -26,7 +25,6 @@ func NewOptions(funcs ...OptionFunc) *Options {
SameSite: http.SameSiteDefaultMode,
},
KeyPrefix: "session:",
TTL: time.Hour,
}
for _, fn := range funcs {
@ -47,9 +45,3 @@ func WithKeyPrefix(prefix string) OptionFunc {
opts.KeyPrefix = prefix
}
}
func WithTTL(ttl time.Duration) OptionFunc {
return func(opts *Options) {
opts.TTL = ttl
}
}

14
internal/session/store.go
View File

@ -31,7 +31,6 @@ type Store struct {
keyPrefix string
keyGen KeyGenFunc
serializer SessionSerializer
ttl time.Duration
}
type KeyGenFunc func() (string, error)
@ -44,7 +43,6 @@ func NewStore(adapter StoreAdapter, funcs ...OptionFunc) *Store {
keyPrefix: opts.KeyPrefix,
keyGen: generateRandomKey,
serializer: GobSerializer{},
ttl: opts.TTL,
}
return rs
@ -64,21 +62,20 @@ func (s *Store) New(r *http.Request, name string) (*sessions.Session, error) {
if err != nil {
return session, nil
}
session.ID = c.Value
err = s.load(r.Context(), session)
if err == nil {
session.IsNew = false
} else if !errors.Is(err, ErrNotFound) {
return session, errors.WithStack(err)
return nil, errors.WithStack(err)
}
return session, nil
}
func (s *Store) Save(r *http.Request, w http.ResponseWriter, session *sessions.Session) error {
if session.Options.MaxAge < 0 {
if session.Options.MaxAge <= 0 {
if err := s.delete(r.Context(), session); err != nil {
return errors.WithStack(err)
}
@ -123,12 +120,7 @@ func (s *Store) save(ctx context.Context, session *sessions.Session) error {
return errors.WithStack(err)
}
ttl := time.Duration(session.Options.MaxAge) * time.Second
if s.ttl < ttl || ttl == 0 {
ttl = s.ttl
}
if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, ttl); err != nil {
if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, time.Duration(session.Options.MaxAge)*time.Second); err != nil {
return errors.WithStack(err)
}

3
internal/setup/authn_oidc_layer.go
View File

@ -23,7 +23,7 @@ func init() {
}
func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
rdb := NewSharedClient(conf.Redis)
rdb := newRedisClient(conf.Redis)
adapter := redis.NewStoreAdapter(rdb)
store := session.NewStore(adapter)
@ -37,6 +37,5 @@ func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
authn.WithDebug(bool(conf.Layers.Authn.Debug)),
),
oidc.WithOIDCProviderCacheTimeout(time.Duration(*conf.Layers.Authn.OIDC.ProviderCacheTimeout)),
), nil
}

2
internal/setup/integrations.go
View File

@ -27,7 +27,7 @@ func SetupIntegrations(ctx context.Context, conf *config.Config) ([]integration.
}
func setupKubernetesIntegration(ctx context.Context, conf *config.Config) (*kubernetes.Integration, error) {
client := NewSharedClient(conf.Redis)
client := newRedisClient(conf.Redis)
locker := redis.NewLocker(client, 10)
integration := kubernetes.NewIntegration(

2
internal/setup/lock.go
View File

@ -9,7 +9,7 @@ import (
)
func SetupLocker(ctx context.Context, conf *config.Config) (lock.Locker, error) {
client := NewSharedClient(conf.Redis)
client := newRedisClient(conf.Redis)
locker := redis.NewLocker(client, int(conf.Redis.LockMaxRetries))
return locker, nil
}

12
internal/setup/proxy_repository.go
View File

@ -3,15 +3,23 @@ package setup
import (
"context"
"forge.cadoles.com/cadoles/bouncer/internal/config"
"forge.cadoles.com/cadoles/bouncer/internal/store"
redisStore "forge.cadoles.com/cadoles/bouncer/internal/store/redis"
"github.com/redis/go-redis/v9"
)
func NewRedisClient(ctx context.Context, conf config.RedisConfig) redis.UniversalClient {
return redis.NewUniversalClient(&redis.UniversalOptions{
Addrs: conf.Adresses,
MasterName: string(conf.Master),
})
}
func NewProxyRepository(ctx context.Context, client redis.UniversalClient) (store.ProxyRepository, error) {
return redisStore.NewProxyRepository(client, redisStore.DefaultTxMaxAttempts, redisStore.DefaultTxBaseDelay), nil
return redisStore.NewProxyRepository(client), nil
}
func NewLayerRepository(ctx context.Context, client redis.UniversalClient) (store.LayerRepository, error) {
return redisStore.NewLayerRepository(client, redisStore.DefaultTxMaxAttempts, redisStore.DefaultTxBaseDelay), nil
return redisStore.NewLayerRepository(client), nil
}

2
internal/setup/queue_layer.go
View File

@ -35,6 +35,6 @@ func setupQueueLayer(conf *config.Config) (director.Layer, error) {
}
func newQueueAdapter(redisConf config.RedisConfig) (queue.Adapter, error) {
rdb := NewSharedClient(redisConf)
rdb := newRedisClient(redisConf)
return queueRedis.NewAdapter(rdb, 2), nil
}

64
internal/setup/redis.go
View File

@ -1,78 +1,20 @@
package setup
import (
"context"
"strings"
"sync"
"time"
"forge.cadoles.com/cadoles/bouncer/internal/config"
"github.com/pkg/errors"
"github.com/redis/go-redis/v9"
"gitlab.com/wpetit/goweb/logger"
)
var clients sync.Map
func NewSharedClient(conf config.RedisConfig) redis.UniversalClient {
key := strings.Join(conf.Adresses, "|") + "|" + string(conf.Master)
value, exists := clients.Load(key)
if exists {
if client, ok := (value).(redis.UniversalClient); ok {
return client
}
}
client := newRedisClient(conf)
clients.Store(key, client)
return client
}
func newRedisClient(conf config.RedisConfig) redis.UniversalClient {
client := redis.NewUniversalClient(&redis.UniversalOptions{
return redis.NewUniversalClient(&redis.UniversalOptions{
Addrs: conf.Adresses,
MasterName: string(conf.Master),
ReadTimeout: time.Duration(conf.ReadTimeout),
WriteTimeout: time.Duration(conf.WriteTimeout),
DialTimeout: time.Duration(conf.DialTimeout),
RouteByLatency: bool(conf.RouteByLatency),
ContextTimeoutEnabled: bool(conf.ContextTimeoutEnabled),
MaxRetries: int(conf.MaxRetries),
PoolSize: int(conf.PoolSize),
PoolTimeout: time.Duration(conf.PoolTimeout),
MinIdleConns: int(conf.MinIdleConns),
MaxIdleConns: int(conf.MaxIdleConns),
ConnMaxIdleTime: time.Duration(conf.ConnMaxIdleTime),
ConnMaxLifetime: time.Duration(conf.ConnMaxLifetime),
RouteByLatency: true,
ContextTimeoutEnabled: true,
})
go func() {
ctx := logger.With(context.Background(),
logger.F("adresses", conf.Adresses),
logger.F("master", conf.Master),
)
timer := time.NewTicker(time.Duration(conf.PingInterval))
defer timer.Stop()
connected := true
for range timer.C {
if _, err := client.Ping(ctx).Result(); err != nil {
logger.Error(ctx, "redis disconnected", logger.CapturedE(errors.WithStack(err)))
connected = false
continue
}
if !connected {
logger.Info(ctx, "redis reconnected")
connected = true
}
}
}()
return client
}

4
internal/setup/sentry.go
View File

@ -34,10 +34,6 @@ func SetupSentry(ctx context.Context, conf config.SentryConfig, release string)
return nil, errors.WithStack(err)
}
logger.SetCaptureFunc(func(err error) {
sentry.CaptureException(err)
})
flush := func() {
sentry.Flush(time.Duration(*conf.FlushTimeout))
}

1
internal/store/layer.go
View File

@ -13,7 +13,6 @@ type (
type LayerHeader struct {
Proxy ProxyName `json:"proxy"`
Name LayerName `json:"name"`
Revision int `json:"revision"`
Type LayerType `json:"type"`
Weight int `json:"weight"`

2
internal/store/proxy.go
View File

@ -8,7 +8,7 @@ type ProxyName Name
type ProxyHeader struct {
Name ProxyName `json:"name"`
Revision int `json:"revision"`
Weight int `json:"weight"`
Enabled bool `json:"enabled"`
}

37
internal/store/redis/helper.go
View File

@ -3,18 +3,10 @@ package redis
import (
"context"
"encoding/json"
"math/rand"
"strings"
"time"
"github.com/pkg/errors"
"github.com/redis/go-redis/v9"
"gitlab.com/wpetit/goweb/logger"
)
var (
DefaultTxMaxAttempts = 20
DefaultTxBaseDelay = 100 * time.Millisecond
)
type jsonWrapper[T any] struct {
@ -73,35 +65,6 @@ func key(parts ...string) string {
return strings.Join(parts, ":")
}
func WithRetry(ctx context.Context, client redis.UniversalClient, key string, fn func(ctx context.Context, tx *redis.Tx) error, maxAttempts int, baseDelay time.Duration) error {
var err error
delay := baseDelay
for attempt := 0; attempt < maxAttempts; attempt++ {
if err = WithTx(ctx, client, key, fn); err != nil {
err = errors.WithStack(err)
logger.Debug(ctx, "redis transaction failed", logger.CapturedE(err))
if errors.Is(err, redis.TxFailedErr) {
logger.Debug(ctx, "retrying redis transaction", logger.F("attempts", attempt), logger.F("delay", delay))
time.Sleep(delay)
delay = delay*2 + time.Duration(rand.Int63n(int64(baseDelay)))
continue
}
return errors.WithStack(err)
}
return nil
}
logger.Error(ctx, "redis error", logger.CapturedE(errors.WithStack(err)))
return errors.WithStack(redis.TxFailedErr)
}
func WithTx(ctx context.Context, client redis.UniversalClient, key string, fn func(ctx context.Context, tx *redis.Tx) error) error {
txf := func(tx *redis.Tx) error {
if err := fn(ctx, tx); err != nil {

2
internal/store/redis/layer_item.go
View File

@ -10,7 +10,6 @@ import (
type layerHeaderItem struct {
Proxy string `redis:"proxy"`
Name string `redis:"name"`
Revision int `redis:"revision"`
Type string `redis:"type"`
Weight int `redis:"weight"`
@ -21,7 +20,6 @@ func (i *layerHeaderItem) ToLayerHeader() (*store.LayerHeader, error) {
layerHeader := &store.LayerHeader{
Proxy: store.ProxyName(i.Proxy),
Name: store.LayerName(i.Name),
Revision: i.Revision,
Type: store.LayerType(i.Type),
Weight: i.Weight,
Enabled: i.Enabled,

39
internal/store/redis/layer_repository.go
View File

@ -15,8 +15,6 @@ const (
type LayerRepository struct {
client redis.UniversalClient
txMaxAttempts int
txRetryBaseDelay time.Duration
}
// CreateLayer implements store.LayerRepository
@ -30,13 +28,12 @@ func (r *LayerRepository) CreateLayer(ctx context.Context, proxyName store.Proxy
Name: string(layerName),
Type: string(layerType),
Weight: 0,
Revision: 0,
Enabled: false,
},
CreatedAt: wrap(now),
UpdatedAt: wrap(now),
Options: wrap(options),
Options: wrap(store.LayerOptions{}),
}
txf := func(tx *redis.Tx) error {
@ -60,11 +57,6 @@ func (r *LayerRepository) CreateLayer(ctx context.Context, proxyName store.Proxy
return errors.WithStack(err)
}
layerItem, err = r.txGetLayerItem(ctx, tx, proxyName, layerName)
if err != nil {
return errors.WithStack(err)
}
return nil
}
@ -75,16 +67,16 @@ func (r *LayerRepository) CreateLayer(ctx context.Context, proxyName store.Proxy
return &store.Layer{
LayerHeader: store.LayerHeader{
Name: store.LayerName(layerItem.Name),
Proxy: store.ProxyName(layerItem.Proxy),
Type: store.LayerType(layerItem.Type),
Weight: layerItem.Weight,
Enabled: layerItem.Enabled,
Name: layerName,
Proxy: proxyName,
Type: layerType,
Weight: 0,
Enabled: false,
},
CreatedAt: layerItem.CreatedAt.Value(),
UpdatedAt: layerItem.UpdatedAt.Value(),
Options: layerItem.Options.Value(),
CreatedAt: now,
UpdatedAt: now,
Options: store.LayerOptions{},
}, nil
}
@ -104,7 +96,7 @@ func (r *LayerRepository) GetLayer(ctx context.Context, proxyName store.ProxyNam
key := layerKey(proxyName, layerName)
var layerItem *layerItem
err := WithRetry(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
err := WithTx(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
pItem, err := r.txGetLayerItem(ctx, tx, proxyName, layerName)
if err != nil {
return errors.WithStack(err)
@ -113,7 +105,7 @@ func (r *LayerRepository) GetLayer(ctx context.Context, proxyName store.ProxyNam
layerItem = pItem
return nil
}, r.txMaxAttempts, r.txRetryBaseDelay)
})
if err != nil {
return nil, errors.WithStack(err)
}
@ -205,7 +197,7 @@ func (r *LayerRepository) UpdateLayer(ctx context.Context, proxyName store.Proxy
key := layerKey(proxyName, layerName)
var layerItem layerItem
err := WithRetry(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
err := WithTx(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
item, err := r.txGetLayerItem(ctx, tx, proxyName, layerName)
if err != nil {
return errors.WithStack(err)
@ -224,7 +216,6 @@ func (r *LayerRepository) UpdateLayer(ctx context.Context, proxyName store.Proxy
}
item.UpdatedAt = wrap(time.Now().UTC())
item.Revision = item.Revision + 1
_, err = tx.TxPipelined(ctx, func(p redis.Pipeliner) error {
p.HMSet(ctx, key, item.layerHeaderItem)
@ -239,7 +230,7 @@ func (r *LayerRepository) UpdateLayer(ctx context.Context, proxyName store.Proxy
layerItem = *item
return nil
}, r.txMaxAttempts, r.txRetryBaseDelay)
})
if err != nil {
return nil, errors.WithStack(err)
}
@ -252,11 +243,9 @@ func (r *LayerRepository) UpdateLayer(ctx context.Context, proxyName store.Proxy
return layer, nil
}
func NewLayerRepository(client redis.UniversalClient, txMaxAttempts int, txRetryBaseDelay time.Duration) *LayerRepository {
func NewLayerRepository(client redis.UniversalClient) *LayerRepository {
return &LayerRepository{
client: client,
txMaxAttempts: txMaxAttempts,
txRetryBaseDelay: txRetryBaseDelay,
}
}

2
internal/store/redis/layer_repository_test.go
View File

@ -7,6 +7,6 @@ import (
)
func TestLayerRepository(t *testing.T) {
repository := NewLayerRepository(client, DefaultTxMaxAttempts, DefaultTxBaseDelay)
repository := NewLayerRepository(client)
testsuite.TestLayerRepository(t, repository)
}

2
internal/store/redis/proxy_item.go
View File

@ -9,7 +9,6 @@ import (
type proxyHeaderItem struct {
Name string `redis:"name"`
Revision int `redis:"revision"`
Weight int `redis:"weight"`
Enabled bool `redis:"enabled"`
@ -21,7 +20,6 @@ type proxyHeaderItem struct {
func (i *proxyHeaderItem) ToProxyHeader() (*store.ProxyHeader, error) {
proxyHeader := &store.ProxyHeader{
Name: store.ProxyName(i.Name),
Revision: i.Revision,
Weight: i.Weight,
Enabled: i.Enabled,
}

16
internal/store/redis/proxy_repository.go
View File

@ -15,8 +15,6 @@ const (
type ProxyRepository struct {
client redis.UniversalClient
txMaxAttempts int
txRetryBaseDelay time.Duration
}
// GetProxy implements store.ProxyRepository
@ -24,7 +22,7 @@ func (r *ProxyRepository) GetProxy(ctx context.Context, name store.ProxyName) (*
key := proxyKey(name)
var proxyItem *proxyItem
err := WithRetry(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
err := WithTx(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
pItem, err := r.txGetProxyItem(ctx, tx, name)
if err != nil {
return errors.WithStack(err)
@ -33,7 +31,7 @@ func (r *ProxyRepository) GetProxy(ctx context.Context, name store.ProxyName) (*
proxyItem = pItem
return nil
}, r.txMaxAttempts, r.txRetryBaseDelay)
})
if err != nil {
return nil, errors.WithStack(err)
}
@ -91,7 +89,6 @@ func (r *ProxyRepository) CreateProxy(ctx context.Context, name store.ProxyName,
CreatedAt: wrap(now),
UpdatedAt: wrap(now),
Weight: 0,
Revision: 0,
Enabled: false,
},
To: to,
@ -194,7 +191,7 @@ func (r *ProxyRepository) UpdateProxy(ctx context.Context, name store.ProxyName,
key := proxyKey(name)
var proxyItem proxyItem
err := WithRetry(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
err := WithTx(ctx, r.client, key, func(ctx context.Context, tx *redis.Tx) error {
item, err := r.txGetProxyItem(ctx, tx, name)
if err != nil {
return errors.WithStack(err)
@ -217,7 +214,6 @@ func (r *ProxyRepository) UpdateProxy(ctx context.Context, name store.ProxyName,
}
item.UpdatedAt = wrap(time.Now().UTC())
item.Revision = item.Revision + 1
_, err = tx.TxPipelined(ctx, func(p redis.Pipeliner) error {
p.HMSet(ctx, key, item.proxyHeaderItem)
@ -232,7 +228,7 @@ func (r *ProxyRepository) UpdateProxy(ctx context.Context, name store.ProxyName,
proxyItem = *item
return nil
}, r.txMaxAttempts, r.txRetryBaseDelay)
})
if err != nil {
return nil, errors.WithStack(err)
}
@ -245,11 +241,9 @@ func (r *ProxyRepository) UpdateProxy(ctx context.Context, name store.ProxyName,
return proxy, nil
}
func NewProxyRepository(client redis.UniversalClient, txMaxAttempts int, txRetryBaseDelay time.Duration) *ProxyRepository {
func NewProxyRepository(client redis.UniversalClient) *ProxyRepository {
return &ProxyRepository{
client: client,
txMaxAttempts: 20,
txRetryBaseDelay: txRetryBaseDelay,
}
}

2
internal/store/redis/proxy_repository_test.go
View File

@ -7,6 +7,6 @@ import (
)
func TestProxyRepository(t *testing.T) {
repository := NewProxyRepository(client, DefaultTxMaxAttempts, DefaultTxBaseDelay)
repository := NewProxyRepository(client)
testsuite.TestProxyRepository(t, repository)
}

85
internal/store/testsuite/layer_repository.go
View File

@ -3,7 +3,6 @@ package testsuite
import (
"context"
"reflect"
"sync"
"testing"
"forge.cadoles.com/cadoles/bouncer/internal/store"
@ -50,10 +49,6 @@ var layerRepositoryTestCases = []layerRepositoryTestCase{
return errors.Errorf("layer.UpdatedAt should not be zero value")
}
if layer.Revision != 0 {
return errors.Errorf("layer.Revision should be zero")
}
return nil
},
},
@ -235,86 +230,6 @@ var layerRepositoryTestCases = []layerRepositoryTestCase{
return errors.New("could not find created layer in query results")
}
return nil
},
},
{
Name: "Create then update layer",
Do: func(repo store.LayerRepository) error {
ctx := context.Background()
var layerName store.LayerName = "create_then_update_layer"
var proxyName store.ProxyName = store.ProxyName(string(layerName) + "_proxy")
var layerType store.LayerType = "dummy"
var layerOptions store.LayerOptions = store.LayerOptions{}
createdLayer, err := repo.CreateLayer(ctx, proxyName, layerName, layerType, layerOptions)
if err != nil {
return errors.WithStack(err)
}
if e, g := 0, createdLayer.Revision; e != g {
return errors.Errorf("createdLayer.Revision: expected '%v', got '%v'", e, g)
}
updatedLayer, err := repo.UpdateLayer(ctx, proxyName, layerName)
if err != nil {
return errors.Wrap(err, "err should be nil")
}
if e, g := 1, updatedLayer.Revision; e != g {
return errors.Errorf("updatedLayer.Revision: expected '%v', got '%v'", e, g)
}
return nil
},
},
{
Name: "Update layer concurrently",
Do: func(repo store.LayerRepository) error {
ctx := context.Background()
var layerName store.LayerName = "update_layer_concurrently"
var proxyName store.ProxyName = store.ProxyName(string(layerName) + "_proxy")
var layerType store.LayerType = "dummy"
var layerOptions store.LayerOptions = store.LayerOptions{}
createdLayer, err := repo.CreateLayer(ctx, proxyName, layerName, layerType, layerOptions)
if err != nil {
return errors.WithStack(err)
}
if createdLayer.Revision != 0 {
return errors.Errorf("createdLayer.Revision should be zero")
}
var wg sync.WaitGroup
total := 100
wg.Add(total)
for i := 0; i < total; i++ {
go func(i int) {
defer wg.Done()
if _, err := repo.UpdateLayer(ctx, createdLayer.Proxy, createdLayer.Name); err != nil {
panic(errors.Wrap(err, "err should be nil"))
}
}(i)
}
wg.Wait()
layer, err := repo.GetLayer(ctx, createdLayer.Proxy, createdLayer.Name)
if err != nil {
return errors.Wrap(err, "err should be nil")
}
if e, g := total, layer.Revision; e != g {
return errors.Errorf("layer.Revision: expected '%v', got '%v'", e, g)
}
return nil
},
},

87
internal/store/testsuite/proxy_repository.go
View File

@ -3,7 +3,6 @@ package testsuite
import (
"context"
"reflect"
"sync"
"testing"
"forge.cadoles.com/cadoles/bouncer/internal/store"
@ -52,10 +51,6 @@ var proxyRepositoryTestCases = []proxyRepositoryTestCase{
return errors.Errorf("proxy.UpdatedAt should not be zero value")
}
if proxy.Revision != 0 {
return errors.Errorf("proxy.Revision should be zero")
}
return nil
},
},
@ -104,10 +99,6 @@ var proxyRepositoryTestCases = []proxyRepositoryTestCase{
return errors.Errorf("foundProxy.UpdatedAt: expected '%v', got '%v'", createdProxy.UpdatedAt, foundProxy.UpdatedAt)
}
if foundProxy.Revision != 0 {
return errors.Errorf("foundProxy.Revision should be zero")
}
return nil
},
},
@ -203,84 +194,6 @@ var proxyRepositoryTestCases = []proxyRepositoryTestCase{
return errors.Errorf("err: expected store.ErrAlreadyExists, got '%+v'", err)
}
return nil
},
},
{
Name: "Create then update proxy",
Do: func(repo store.ProxyRepository) error {
ctx := context.Background()
to := "http://example.com"
var name store.ProxyName = "create_then_update_proxy"
createdProxy, err := repo.CreateProxy(ctx, name, to, "127.0.0.1:*", "localhost:*")
if err != nil {
return errors.Wrap(err, "err should be nil")
}
if createdProxy.Revision != 0 {
return errors.Errorf("createdProxy.Revision should be zero")
}
updatedProxy, err := repo.UpdateProxy(ctx, name)
if err != nil {
return errors.Wrap(err, "err should be nil")
}
if e, g := 1, updatedProxy.Revision; e != g {
return errors.Errorf("updatedProxy.Revision: expected '%v', got '%v'", e, g)
}
return nil
},
},
{
Name: "Update proxy concurrently",
Do: func(repo store.ProxyRepository) error {
ctx := context.Background()
to := "http://example.com"
var name store.ProxyName = "update_proxy_concurrently"
createdProxy, err := repo.CreateProxy(ctx, name, to, "127.0.0.1:*", "localhost:*")
if err != nil {
return errors.Wrap(err, "err should be nil")
}
if createdProxy.Revision != 0 {
return errors.Errorf("createdProxy.Revision should be zero")
}
var wg sync.WaitGroup
total := 100
wg.Add(total)
for i := 0; i < total; i++ {
go func(i int) {
defer wg.Done()
if _, err := repo.UpdateProxy(ctx, name); err != nil {
panic(errors.Wrap(err, "err should be nil"))
}
}(i)
}
wg.Wait()
proxy, err := repo.GetProxy(ctx, name)
if err != nil {
return errors.Wrap(err, "err should be nil")
}
if e, g := total, proxy.Revision; e != g {
return errors.Errorf("proxy.Revision: expected '%v', got '%v'", e, g)
}
return nil
},
},

63
internal/syncx/cached_resource.go
View File

@ -1,63 +0,0 @@
package syncx
import (
"context"
"sync"
"forge.cadoles.com/cadoles/bouncer/internal/cache"
"github.com/pkg/errors"
)
type RefreshFunc[K comparable, V any] func(ctx context.Context, key K) (V, error)
type CachedResource[K comparable, V any] struct {
cache cache.Cache[K, V]
lock sync.RWMutex
refresh RefreshFunc[K, V]
}
func (r *CachedResource[K, V]) Clear() {
r.cache.Clear()
}
func (r *CachedResource[K, V]) Get(ctx context.Context, key K) (V, bool, error) {
value, exists := r.cache.Get(key)
if exists {
return value, false, nil
}
locked := r.lock.TryLock()
if !locked {
r.lock.RLock()
value, exists := r.cache.Get(key)
if exists {
r.lock.RUnlock()
return value, false, nil
}
r.lock.RUnlock()
}
if !locked {
r.lock.Lock()
}
defer r.lock.Unlock()
value, err := r.refresh(ctx, key)
if err != nil {
return *new(V), false, errors.WithStack(err)
}
r.cache.Set(key, value)
return value, true, nil
}
func NewCachedResource[K comparable, V any](cache cache.Cache[K, V], refresh RefreshFunc[K, V]) *CachedResource[K, V] {
return &CachedResource[K, V]{
cache: cache,
refresh: refresh,
}
}

66
internal/syncx/cached_resource_test.go
View File

@ -1,66 +0,0 @@
package syncx
import (
"context"
"math"
"sync"
"testing"
"time"
"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
"github.com/pkg/errors"
)
func TestCachedResource(t *testing.T) {
refreshCalls := 0
cacheTTL := 1*time.Second + 500*time.Millisecond
duration := 2 * time.Second
expectedCalls := math.Ceil(float64(duration) / float64(cacheTTL))
resource := NewCachedResource(
ttl.NewCache(
memory.NewCache[string, string](),
memory.NewCache[string, time.Time](),
cacheTTL,
),
func(ctx context.Context, key string) (string, error) {
refreshCalls++
return "bar", nil
},
)
concurrents := 50
key := "foo"
var wg sync.WaitGroup
wg.Add(concurrents)
for i := range concurrents {
go func(i int) {
done := time.After(duration)
defer wg.Done()
for {
select {
case <-done:
return
default:
value, fresh, err := resource.Get(context.Background(), key)
if err != nil {
t.Errorf("%+v", errors.WithStack(err))
}
t.Logf("resource retrieved for goroutine #%d: (%s, %s, %v)", i, key, value, fresh)
}
}
}(i)
}
wg.Wait()
if e, g := int(expectedCalls), refreshCalls; e != g {
t.Errorf("refreshCalls: expected '%d', got '%d'", e, g)
}
}

4
layers/authn/templates/error.gohtml
View File

@ -55,8 +55,6 @@
border-radius: 5px;
box-shadow: 2px 2px #cccccc1c;
color: #810000 !important;
max-width: 80%;
overflow-x: hidden;
}
.title {
@ -83,7 +81,7 @@
<div id="card">
<h2 class="title">Une erreur est survenue !</h2>
{{ if .Debug }}
<pre style="overflow-x: auto">{{ .Err }}</pre>
<pre>{{ .Err }}</pre>
{{ end }}
{{/* if a public base url is provided, show navigation link */}}
{{ $oidc := ( index .Layer.Options "oidc" ) }}

41
misc/packaging/common/config.yml
View File

@ -49,19 +49,6 @@ admin:
# Mettre à null pour désactiver l'authentification
basicAuth: null
# Profiling
profiling:
# Activer ou désactiver les endpoints de profiling
enabled: true
# Route de publication des endpoints de profiling
endpoint: /.bouncer/profiling
# Authentification "basic auth" sur les endpoints
# de profiling
# Mettre à null pour désactiver l'authentification
basicAuth:
credentials:
prof: iling
# Configuration de l'intégration Sentry
# Voir https://pkg.go.dev/github.com/getsentry/sentry-go?utm_source=godoc#ClientOptions
sentry:
@ -72,7 +59,7 @@ admin:
sampleRate: 1
enableTracing: true
tracesSampleRate: 0.2
profilesSampleRate: 0.2
profilesSampleRate: 1
ignoreErrors: []
sendDefaultPII: false
serverName: ""
@ -112,31 +99,12 @@ proxy:
credentials:
prom: etheus
# Profiling
profiling:
# Activer ou désactiver les endpoints de profiling
enabled: true
# Route de publication des endpoints de profiling
endpoint: /.bouncer/profiling
# Authentification "basic auth" sur les endpoints
# de profiling
# Mettre à null pour désactiver l'authentification
basicAuth:
credentials:
prof: iling
# Configuration de la mise en cache
# locale des données proxy/layers
cache:
# Les proxys/layers sont mis en cache local pour une durée de 30s
# par défaut. Si les modifications sont rares, vous pouvez augmenter
# cette valeur pour réduire la "pression" sur le serveur Redis.
# Il est possible de forcer la réinitialisation du cache en envoyant
# le signal SIGUSR2 au processus Bouncer.
#
# Exemple
#
# kill -s USR2 $(pgrep bouncer)
ttl: 30s
# Configuration du transport HTTP(S)
@ -196,8 +164,6 @@ redis:
writeTimeout: 30s
readTimeout: 30s
dialTimeout: 30s
maxRetries: 3
pingInterval: 30s
# Configuration des logs
logger:
@ -224,11 +190,6 @@ layers:
authn:
# Répertoire contenant les templates
templateDir: "/etc/bouncer/layers/authn/templates"
# Configuration des sessions
sessions:
# Temps de persistence sans actualisation des sessions dans le store
# (prévalent sur le MaxAge de la session)
ttl: "1h"
# Configuration d'une série de proxy/layers
# à créer par défaut par le serveur d'administration

79
misc/siege/siege.conf
View File

@ -1,79 +0,0 @@
# Updated by Siege %_VERSION%, %_DATE%
# Copyright 2000-2016 by %_AUTHOR%
#
# Siege configuration file -- edit as necessary
# For more information about configuring and running this program,
# visit: http://www.joedog.org/
#
#
# Verbose mode: With this feature enabled, siege will print the
# result of each transaction to stdout. (Enabled by default)
#
# ex: verbose = true|false
#
verbose = true
#
# Color mode: This option works in conjunction with verbose mode.
# It tells siege whether or not it should display its output in
# color-coded output. (Enabled by default)
#
# ex: color = on | off
#
color = on
#
# Cache revalidation. Siege supports cache revalidation for both ETag
# and Last-modified headers. If a copy is still fresh, the server
# responds with 304. While this feature is required for HTTP/1.1, it
# may not be welcomed for load testing. We allow you to breach the
# protocol and turn off caching
#
# HTTP/1.1 200 0.00 secs: 2326 bytes ==> /apache_pb.gif
# HTTP/1.1 304 0.00 secs: 0 bytes ==> /apache_pb.gif
# HTTP/1.1 304 0.00 secs: 0 bytes ==> /apache_pb.gif
#
# Siege also supports Cache-control headers. Consider this server
# response: Cache-Control: max-age=3
# That tells siege to cache the file for three seconds. While it
# doesn't actually store the file, it will logically grab it from
# its cache. In verbose output, it designates a cached resource
# with (c):
#
# HTTP/1.1 200 0.25 secs: 159 bytes ==> GET /expires/
# HTTP/1.1 200 1.48 secs: 498419 bytes ==> GET /expires/Otter_in_Southwold.jpg
# HTTP/1.1 200 0.24 secs: 159 bytes ==> GET /expires/
# HTTP/1.1 200(C) 0.00 secs: 0 bytes ==> GET /expires/Otter_in_Southwold.jpg
#
# NOTE: with color enabled, cached URLs appear in green
#
# ex: cache = true
#
cache = true
#
# Cookie support: by default siege accepts cookies. This directive is
# available to disable that support. Set cookies to 'false' to refuse
# cookies. Set it to 'true' to accept them. The default value is true.
# If you want to maintain state with the server, then this MUST be set
# to true.
#
# ex: cookies = false
#
cookies = true
#
# Failures: This is the number of total connection failures allowed
# before siege aborts. Connection failures (timeouts, socket failures,
# etc.) are combined with 400 and 500 level errors in the final stats,
# but those errors do not count against the abort total. If you set
# this total to 10, then siege will abort after ten socket timeouts,
# but it will NOT abort after ten 404s. This is designed to prevent a
# run-away mess on an unattended siege.
#
# The default value is 1024
#
# ex: failures = 50
#
failures = -1

16
templates/error.gohtml
View File

@ -76,26 +76,14 @@
margin-top: 2em;
text-align: right;
}
.stacktrace {
max-height: 250px;
overflow-y: auto;
background-color: #dca0a0;
padding: 0 10px;
border-radius: 5px;
margin-top: 10px;
}
</style>
</head>
<body>
<div id="container">
<div id="card">
<h2 class="title">{{ $title }}</h2>
<h2 class="title">{{ $title }}</h2>
{{ if .Debug }}
<h3>Stack Trace</h3>
<div class="stacktrace">
<pre>{{ printf "%+v" .Err }}</pre>
</div>
<pre>{{ .Err }}</pre>
{{ end }}
<p class="footer">
Propulsé par