fix: add missing templates in docker image

chore: remove artefact Dockerfile
feat: templatized proxy error page
2024-06-26 15:00:23 +02:00 · 2024-06-26 15:00:07 +02:00 · 2024-06-26 14:36:28 +02:00 · 2024-06-26 13:53:52 +02:00 · 2024-06-26 13:53:22 +02:00 · 2024-06-26 13:52:49 +02:00
11 changed files with 238 additions and 146 deletions
--- a/.env.dist
+++ b/.env.dist
@ -0,0 +1 @@
+GODEBUG="http1debug=2 http2debug=2"
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -63,6 +63,9 @@ nfpms:
      - src: layers
        dst: /etc/bouncer/layers
        type: config
+      - src: templates
+        dst: /etc/bouncer/templates
+        type: config
      - dst: /etc/bouncer/bootstrap.d
        type: dir
        file_info:
--- a/2
+++ b/2
@ -22,6 +22,7 @@ RUN make GORELEASER_ARGS='build --rm-dist --single-target --snapshot' goreleaser

 # Patch config
 RUN /src/dist/bouncer_linux_amd64_v1/bouncer -c '' config dump > /src/dist/bouncer_linux_amd64_v1/config.yml \
+&& yq -i '.proxy.templates.dir = "/usr/share/bouncer/templates"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.layers.queue.templateDir = "/usr/share/bouncer/layers/queue/templates"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.layers.authn.templateDir = "/usr/share/bouncer/layers/authn/templates"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.admin.auth.privateKey = "/etc/bouncer/admin-key.json"' /src/dist/bouncer_linux_amd64_v1/config.yml \
@ -42,6 +43,7 @@ RUN mkdir -p /usr/local/bin /usr/share/bouncer/bin /etc/bouncer

 COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
 COPY --from=BUILD /src/layers /usr/share/bouncer/layers
+COPY --from=BUILD /src/templates /usr/share/bouncer/templates
 COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml

 RUN ln -s /usr/share/bouncer/bin/bouncer /usr/local/bin/bouncer
--- a/doc/fr/references/layers/authn/README.md
+++ b/doc/fr/references/layers/authn/README.md
@ -36,16 +36,28 @@ Le comportement des règles par défaut est le suivant:

 Interdire l'accès à l'utilisateur.

-#### `set_header(name string, value string)`
+##### `add_header(name string, value string)`

-Définir la valeur d'une entête HTTP via son nom `name` et sa valeur `value`.
+Ajouter une valeur à un entête HTTP via son nom `name` et sa valeur `value`.

-#### `del_headers(pattern string)`
+##### `set_header(name string, value string)`
+
+Définir la valeur d'un entête HTTP via son nom `name` et sa valeur `value`. La valeur précédente est écrasée.
+
+##### `del_headers(pattern string)`

 Supprimer un ou plusieurs entêtes HTTP dont le nom correspond au patron `pattern`.

 Le patron est défini par une chaîne comprenant un ou plusieurs caractères `*`, signifiant un ou plusieurs caractères arbitraires.

+##### `set_host(host string)`
+
+Modifier la valeur de l'entête `Host` de la requête.
+
+##### `set_url(url string)`
+
+Modifier l'URL du serveur cible.
+
 ### Environnement

 Les règles ont accès aux variables suivantes pendant leur exécution.
--- a/internal/config/proxy_server.go
+++ b/internal/config/proxy_server.go
@ -7,22 +7,26 @@ import (
 )

 type ProxyServerConfig struct {
-	HTTP      HTTPConfig      `yaml:"http"`
-	Metrics   MetricsConfig   `yaml:"metrics"`
-	Transport TransportConfig `yaml:"transport"`
-	Dial      DialConfig      `yaml:"dial"`
-	Sentry    SentryConfig    `yaml:"sentry"`
-	Cache     CacheConfig     `yaml:"cache"`
+	Debug     InterpolatedBool `yaml:"debug"`
+	HTTP      HTTPConfig       `yaml:"http"`
+	Metrics   MetricsConfig    `yaml:"metrics"`
+	Transport TransportConfig  `yaml:"transport"`
+	Dial      DialConfig       `yaml:"dial"`
+	Sentry    SentryConfig     `yaml:"sentry"`
+	Cache     CacheConfig      `yaml:"cache"`
+	Templates TemplatesConfig  `yaml:"templates"`
 }

 func NewDefaultProxyServerConfig() ProxyServerConfig {
 	return ProxyServerConfig{
+		Debug:     false,
 		HTTP:      NewHTTPConfig("0.0.0.0", 8080),
 		Metrics:   NewDefaultMetricsConfig(),
 		Transport: NewDefaultTransportConfig(),
 		Dial:      NewDefaultDialConfig(),
 		Sentry:    NewDefaultSentryConfig(),
 		Cache:     NewDefaultCacheConfig(),
+		Templates: NewDefaultTemplatesConfig(),
 	}
 }

@ -115,3 +119,13 @@ func NewDefaultCacheConfig() CacheConfig {
 		TTL: *NewInterpolatedDuration(time.Second * 30),
 	}
 }
+
+type TemplatesConfig struct {
+	Dir InterpolatedString `yaml:"dir"`
+}
+
+func NewDefaultTemplatesConfig() TemplatesConfig {
+	return TemplatesConfig{
+		Dir: "./templates",
+	}
+}
--- a/internal/proxy/director/layer/authn/rules.go
+++ b/internal/proxy/director/layer/authn/rules.go
@ -1,70 +1,16 @@
 package authn

 import (
-	"fmt"
 	"net/http"
-	"strconv"
-	"strings"
-	"time"

-	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"github.com/expr-lang/expr"
 	"github.com/pkg/errors"
 )

-func (l *Layer) getHeaderRuleOptions(r *http.Request) []expr.Option {
-	options := make([]expr.Option, 0)
-
-	setHeader := expr.Function(
-		"set_header",
-		func(params ...any) (any, error) {
-			name := params[0].(string)
-			rawValue := params[1]
-
-			var value string
-			switch v := rawValue.(type) {
-			case []string:
-				value = strings.Join(v, ",")
-			case time.Time:
-				value = strconv.FormatInt(v.UTC().Unix(), 10)
-			case time.Duration:
-				value = strconv.FormatInt(int64(v.Seconds()), 10)
-			default:
-				value = fmt.Sprintf("%v", rawValue)
-			}
-
-			r.Header.Set(name, value)
-
-			return true, nil
-		},
-		new(func(string, string) bool),
-	)
-
-	options = append(options, setHeader)
-
-	delHeaders := expr.Function(
-		"del_headers",
-		func(params ...any) (any, error) {
-			pattern := params[0].(string)
-			deleted := false
-
-			for key := range r.Header {
-				if !wildcard.Match(key, pattern) {
-					continue
-				}
-
-				r.Header.Del(key)
-				deleted = true
-			}
-
-			return deleted, nil
-		},
-		new(func(string) bool),
-	)
-
-	options = append(options, delHeaders)
-
-	return options
+type Env struct {
+	User *User `expr:"user"`
 }

 func (l *Layer) applyRules(r *http.Request, options *LayerOptions, user *User) error {
@ -73,38 +19,39 @@ func (l *Layer) applyRules(r *http.Request, options *LayerOptions, user *User) e
 		return nil
 	}

-	env := map[string]any{
-		"user": user,
+	engine, err := rule.NewEngine[*Env](
+		rule.WithRules(options.Rules...),
+		rule.WithExpr(getAuthnAPI()...),
+		ruleHTTP.WithRequestFuncs(r),
+	)
+	if err != nil {
+		return errors.WithStack(err)
 	}

-	rulesOptions := l.getHeaderRuleOptions(r)
+	env := &Env{
+		User: user,
+	}

-	var ruleErr error
-	forbidden := expr.Function(
-		"forbidden",
-		func(params ...any) (any, error) {
-			ruleErr = errors.WithStack(ErrForbidden)
-			return true, nil
-		},
-		new(func() bool),
-	)
-
-	rulesOptions = append(rulesOptions, forbidden)
-
-	for i, r := range rules {
-		program, err := expr.Compile(r, rulesOptions...)
-		if err != nil {
-			return errors.Wrapf(err, "could not compile rule #%d", i)
-		}
-
-		if _, err := expr.Run(program, env); err != nil {
-			return errors.Wrapf(err, "could not execute rule #%d", i)
-		}
-
-		if ruleErr != nil {
-			return errors.WithStack(ruleErr)
-		}
+	if _, err := engine.Apply(env); err != nil {
+		return errors.WithStack(err)
 	}

 	return nil
 }
+
+func getAuthnAPI() []expr.Option {
+	options := make([]expr.Option, 0)
+
+	// forbidden() allows the layer to hijack the current request and return a 403 Forbidden HTTP status
+	forbidden := expr.Function(
+		"forbidden",
+		func(params ...any) (any, error) {
+			return true, errors.WithStack(ErrForbidden)
+		},
+		new(func() bool),
+	)
+
+	options = append(options, forbidden)
+
+	return options
+}
--- a/internal/proxy/server.go
+++ b/internal/proxy/server.go
@ -3,11 +3,14 @@ package proxy
 import (
 	"context"
 	"fmt"
+	"html/template"
 	"log"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
+	"path/filepath"
+	"strconv"
 	"time"

 	"forge.cadoles.com/Cadoles/go-proxy"
@ -17,6 +20,8 @@ import (
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+
+	"github.com/Masterminds/sprig/v3"
 	"github.com/getsentry/sentry-go"
 	sentryhttp "github.com/getsentry/sentry-go/http"
 	"github.com/go-chi/chi/v5"
@ -191,7 +196,63 @@ func (s *Server) errorHandler(w http.ResponseWriter, r *http.Request, err error)
 	logger.Error(r.Context(), "proxy error", logger.E(err))
 	sentry.CaptureException(err)

-	http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+	s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
+}
+
+func (s *Server) renderErrorPage(w http.ResponseWriter, r *http.Request, err error, statusCode int, status string) {
+	templateData := struct {
+		StatusCode int
+		Status     string
+		Err        error
+		Debug      bool
+	}{
+		Debug:      bool(s.serverConfig.Debug),
+		StatusCode: statusCode,
+		Status:     status,
+		Err:        err,
+	}
+
+	w.WriteHeader(statusCode)
+	s.renderPage(w, r, "error", strconv.FormatInt(int64(statusCode), 10), templateData)
+}
+
+func (s *Server) renderPage(w http.ResponseWriter, r *http.Request, page string, block string, templateData any) {
+	ctx := r.Context()
+
+	templatesConf := s.serverConfig.Templates
+
+	pattern := filepath.Join(string(templatesConf.Dir), page+".gohtml")
+
+	logger.Info(ctx, "loading proxy templates", logger.F("pattern", pattern))
+
+	tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
+	if err != nil {
+		logger.Error(ctx, "could not load proxy templates", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+
+	w.Header().Add("Cache-Control", "no-cache")
+
+	blockTmpl := tmpl.Lookup(block)
+	if blockTmpl == nil {
+		blockTmpl = tmpl.Lookup("default")
+	}
+
+	if blockTmpl == nil {
+		logger.Error(ctx, "could not find template block nor default one", logger.F("block", block))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+
+	if err := blockTmpl.Execute(w, templateData); err != nil {
+		logger.Error(ctx, "could not render proxy page", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
 }

 func NewServer(funcs ...OptionFunc) *Server {
--- a/internal/rule/engine.go
+++ b/internal/rule/engine.go
@ -32,7 +32,6 @@ func NewEngine[E any](funcs ...OptionFunc) (*Engine[E], error) {
 	}

 	for i, r := range opts.Rules {
-
 		program, err := expr.Compile(r, opts.Expr...)
 		if err != nil {
 			return nil, errors.Wrapf(err, "could not compile rule #%d", i)
--- a/misc/images/bouncer/Dockerfile
+++ b/misc/images/bouncer/Dockerfile
@ -1,49 +0,0 @@
-FROM golang:1.20 AS BUILD
-
-RUN apt-get update \
-    && apt-get install -y make
-
-ARG YQ_VERSION=4.34.1
-
-RUN mkdir -p /usr/local/bin \
-    && wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64 \
-    && chmod +x /usr/local/bin/yq
-
-COPY . /src
-
-WORKDIR /src
-
-RUN make GORELEASER_ARGS='build --rm-dist --single-target --snapshot' goreleaser
-
-# Patch config
-RUN /src/dist/bouncer_linux_amd64_v1/bouncer -c '' config dump > /src/dist/bouncer_linux_amd64_v1/config.yml \
-    && yq -i '.layers.queue.templateDir = "/usr/share/bouncer/layers/queue/templates"' /src/dist/bouncer_linux_amd64_v1/config.yml \
-    && yq -i '.admin.auth.privateKey = "/etc/bouncer/admin-key.json"' /src/dist/bouncer_linux_amd64_v1/config.yml \
-    && yq -i '.redis.adresses = ["redis:6379"]' /src/dist/bouncer_linux_amd64_v1/config.yml
-
-FROM alpine:3.18 AS RUNTIME
-
-ARG DUMB_INIT_VERSION=1.2.5
-
-RUN apk add --no-cache ca-certificates
-
-RUN mkdir -p /usr/local/bin \
-    && wget -O /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_x86_64 \
-    && chmod +x /usr/local/bin/dumb-init
-
-ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
-
-RUN mkdir -p /usr/local/bin /usr/share/bouncer/bin /etc/bouncer
-
-COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
-COPY --from=BUILD /src/layers /usr/share/bouncer/layers
-COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml
-
-RUN ln -s /usr/share/bouncer/bin/bouncer /usr/local/bin/bouncer
-
-EXPOSE 8080
-EXPOSE 8081
-
-ENV BOUNCER_CONFIG=/etc/bouncer/config.yml
-
-CMD ["bouncer"]
--- a/misc/packaging/common/config.yml
+++ b/misc/packaging/common/config.yml
@ -70,6 +70,12 @@ admin:

 # Configuration du service "proxy"
 proxy:
+  # Activer/désactiver le mode debug (affichage ou non des messages d'erreur)
+  debug: false
+  # Configuration des templates utilisés par le proxy
+  templates:
+    # Répertoire contenant les templates
+    dir: /etc/bouncer/templates
  http:
    # Hôte d'écoute du service,
    # 0.0.0.0 pour écouter sur toutes les interfaces
--- a/templates/error.gohtml
+++ b/templates/error.gohtml
@ -0,0 +1,96 @@
+{{ define "default" }}
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width,initial-scale=1" />
+    {{ $title := print .StatusCode " - " .Status }}
+    <title>{{ $title }}</title>
+    <style>
+      html {
+        box-sizing: border-box;
+        font-size: 16px;
+      }
+
+      *,
+      *:before,
+      *:after {
+        box-sizing: inherit;
+      }
+
+      body,
+      h1,
+      h2,
+      h3,
+      h4,
+      h5,
+      h6,
+      p,
+      ol,
+      ul {
+        margin: 0;
+        padding: 0;
+        font-weight: normal;
+      }
+
+      html,
+      body {
+        width: 100%;
+        height: 100%;
+        font-family: Arial, Helvetica, sans-serif;
+        background-color: #ffe4e4;
+      }
+
+      #container {
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        height: 100%;
+        flex-direction: column;
+      }
+
+      #card {
+        padding: 1.5em 1em;
+        border: 1px solid #d90202;
+        background-color: #feb0b0;
+        border-radius: 5px;
+        box-shadow: 2px 2px #cccccc1c;
+        color: #810000 !important;
+      }
+
+      .title {
+        margin-bottom: 1.2em;
+      }
+
+      p {
+        margin-bottom: 0.5em;
+      }
+
+      code,
+      pre {
+        font-family: monospace;
+      }
+
+      .footer {
+        font-size: 0.7em;
+        margin-top: 2em;
+        text-align: right;
+      }
+    </style>
+  </head>
+  <body>
+    <div id="container">
+      <div id="card">
+        <h2 class="title">{{ $title }}</h2>
+        {{ if .Debug }}
+        <pre>{{ .Err }}</pre>
+        {{ end }}
+        <p class="footer">
+          Propulsé par
+          <a href="https://forge.cadoles.com/Cadoles/bouncer">Bouncer</a>.
+        </p>
+      </div>
+    </div>
+  </body>
+</html>
+{{ end }}
Author	SHA1	Message	Date
William Petit	059af1b6ee	fix: add missing templates in docker image All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-26 15:00:23 +02:00
William Petit	532f30c155	chore: remove artefact Dockerfile Some checks reported errors Cadoles/bouncer/pipeline/head Something is wrong with the build of this commit Details	2024-06-26 15:00:07 +02:00
William Petit	49f2ccbc7a	feat: templatized proxy error page All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-26 14:36:28 +02:00
William Petit	8a751afc97	chore: add http debug env in default environment file All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-06-26 13:53:52 +02:00
William Petit	4907c0b51f	feat: return status 502 on proxy error	2024-06-26 13:53:22 +02:00
William Petit	1881f27928	refactor: use new rule engine package Some checks reported errors Cadoles/bouncer/pipeline/head Something is wrong with the build of this commit Details	2024-06-26 13:52:49 +02:00