Merge pull request 'feat: global error handler with template rendering' (#42 ) from error-handler into develop

Reviewed-on: #42
feat: global error handler with template rendering
2024-09-27 15:03:05 +02:00 · 2024-09-27 15:02:49 +02:00 · 2024-09-27 10:46:18 +02:00 · 2024-09-27 10:15:08 +02:00 · 2024-09-26 15:48:22 +02:00 · 2024-09-26 14:46:28 +02:00
33 changed files with 909 additions and 201 deletions
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-FROM reg.cadoles.com/proxy_cache/library/golang:1.22 AS BUILD
+FROM reg.cadoles.com/proxy_cache/library/golang:1.23 AS BUILD

 RUN apt-get update \
    && apt-get install -y make
--- a/doc/fr/references/layers/rewriter.md
+++ b/doc/fr/references/layers/rewriter.md
@ -38,6 +38,33 @@ Supprimer un ou plusieurs entêtes HTTP dont le nom correspond au patron `patter

 Le patron est défini par une chaîne comprenant un ou plusieurs caractères `*`, signifiant un ou plusieurs caractères arbitraires.

+##### `get_cookie(ctx, name string) Cookie`
+
+Récupère un cookie depuis la requête/réponse (en fonction du contexte d'utilisation).
+Retourne `nil` si le cookie n'existe pas.
+
+**Cookie**
+
+```js
+// Plus d'informations sur https://pkg.go.dev/net/http#Cookie
+{
+  name: "string", // Nom du cookie
+  value: "string", // Valeur associée au cookie
+  path: "string", // Chemin associé au cookie (présent uniquement dans un contexte de réponse)
+  domain: "string", // Domaine associé au cookie (présent uniquement dans un contexte de réponse)
+  expires: "string", // Date d'expiration du cookie (présent uniquement dans un contexte de réponse)
+  max_age: "string", // Age maximum du cookie (présent uniquement dans un contexte de réponse)
+  secure: "boolean", // Le cookie doit-il être présent uniquement en HTTPS ? (présent uniquement dans un contexte de réponse)
+  http_only: "boolean", // Le cookie est il accessible en Javascript ? (présent uniquement dans un contexte de réponse)
+  same_site: "int" // Voir https://pkg.go.dev/net/http#SameSite (présent uniquement dans un contexte de réponse)
+}
+```
+
+##### `set_cookie(ctx, cookie Cookie)`
+
+Définit un cookie sur la requête/réponse (en fonction du contexte d'utilisation).
+Voir la méthode `get_cookie()` pour voir les attributs potentiels.
+
 #### Requête

 ##### `set_host(ctx, host string)`
@ -48,6 +75,12 @@ Modifier la valeur de l'entête `Host` de la requête.

 Modifier l'URL du serveur cible.

+##### `redirect(ctx, statusCode int, url string)`
+
+Interrompt la requête et retourne une redirection HTTP au client.
+
+Le code HTTP utilisé doit être supérieur ou égale à `300` et inférieur à `400` (non inclus).
+
 #### Réponse

 _Pas de fonctions spécifiques._
@ -72,7 +105,7 @@ L'URL originale, avant réécriture du `Host` par Bouncer.
    },
    host: "string", // Nom d'hôte (<domaine>:<port>) de l'URL
    path: "string", // Chemin de l'URL (format assaini)
-    rawPath: "string", // Chemin de l'URL (format brut)
+    raw_path: "string", // Chemin de l'URL (format brut)
    raw_query: "string", // Variables d'URL (format brut)
    fragment : "string", // Fragment d'URL (format assaini)
    raw_fragment : "string" // Fragment d'URL (format brut)
@ -96,7 +129,7 @@ La requête en cours de traitement.
        },
        host: "string", // Nom d'hôte (<domaine>:<port>) de l'URL
        path: "string", // Chemin de l'URL (format assaini)
-        rawPath: "string", // Chemin de l'URL (format brut)
+        raw_path: "string", // Chemin de l'URL (format brut)
        raw_query: "string", // Variables d'URL (format brut)
        fragment : "string", // Fragment d'URL (format assaini)
        raw_fragment : "string" // Fragment d'URL (format brut)
--- a/go.mod
+++ b/go.mod
@ -1,8 +1,8 @@
 module forge.cadoles.com/cadoles/bouncer

-go 1.22
+go 1.23

-toolchain go1.22.0
+toolchain go1.23.0

 require (
 	forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926
--- a/internal/admin/authz.go
+++ b/internal/admin/authz.go
@ -70,7 +70,7 @@ func assertRequestUser(w http.ResponseWriter, r *http.Request) (auth.User, bool)
 	ctx := r.Context()
 	user, err := auth.CtxUser(ctx)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve user", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve user", logger.CapturedE(errors.WithStack(err)))

 		forbidden(w, r)

--- a/internal/admin/error.go
+++ b/internal/admin/error.go
@ -6,7 +6,6 @@ import (
 	"net/http"

 	"forge.cadoles.com/cadoles/bouncer/internal/schema"
-	"github.com/getsentry/sentry-go"
 	"gitlab.com/wpetit/goweb/api"
 	"gitlab.com/wpetit/goweb/logger"
 )
@ -29,11 +28,8 @@ func invalidDataErrorResponse(w http.ResponseWriter, r *http.Request, err *schem
 	}{
 		Message: message,
 	})
-
-	return
 }

 func logAndCaptureError(ctx context.Context, message string, err error) {
-	sentry.CaptureException(err)
-	logger.Error(ctx, message, logger.E(err))
+	logger.Error(ctx, message, logger.CapturedE(err))
 }
--- a/internal/admin/server.go
+++ b/internal/admin/server.go
@ -162,7 +162,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e

 		router.Group(func(r chi.Router) {
 			if profiling.BasicAuth != nil {
-				logger.Info(ctx, "enabling authentication on metrics endpoint")
+				logger.Info(ctx, "enabling authentication on profiling endpoint")

 				r.Use(middleware.BasicAuth(
 					"profiling",
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@ -52,7 +52,7 @@ func Middleware(authenticators ...Authenticator) func(http.Handler) http.Handler
 			for _, auth := range authenticators {
 				user, err = auth.Authenticate(ctx, r)
 				if err != nil {
-					logger.Debug(ctx, "could not authenticate request", logger.E(errors.WithStack(err)))
+					logger.Debug(ctx, "could not authenticate request", logger.CapturedE(errors.WithStack(err)))

 					continue
 				}
--- a/internal/command/server/dummy/run.go
+++ b/internal/command/server/dummy/run.go
@ -53,7 +53,7 @@ func RunCommand() *cli.Command {
 				}

 				if err := tmpl.Execute(w, data); err != nil {
-					logger.Error(ctx.Context, "could not execute template", logger.E(errors.WithStack(err)))
+					logger.Error(ctx.Context, "could not execute template", logger.CapturedE(errors.WithStack(err)))
 				}
 			})

--- a/internal/lock/redis/locker.go
+++ b/internal/lock/redis/locker.go
@ -38,7 +38,7 @@ func (l *Locker) WithLock(ctx context.Context, key string, timeout time.Duration

 		defer func() {
 			if err := lock.Release(ctx); err != nil {
-				logger.Error(ctx, "could not release lock", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not release lock", logger.CapturedE(errors.WithStack(err)))
 			}

 			logger.Debug(ctx, "lock released")
--- a/internal/lock/redis/retry.go
+++ b/internal/lock/redis/retry.go
@ -30,7 +30,7 @@ func retryWithBackoff(ctx context.Context, attempts int, fn func(ctx context.Con
 			return errors.Wrapf(err, "execution failed after %d attempts", attempts)
 		}

-		logger.Error(ctx, "error while executing func, retrying with backoff", logger.E(err), logger.F("backoffDelay", backoffDelay), logger.F("remainingAttempts", attempts-count))
+		logger.Error(ctx, "error while executing func, retrying with backoff", logger.CapturedE(err), logger.F("backoffDelay", backoffDelay), logger.F("remainingAttempts", attempts-count))

 		time.Sleep(backoffDelay)

--- a/internal/proxy/director/context.go
+++ b/internal/proxy/director/context.go
@ -2,10 +2,12 @@ package director

 import (
 	"context"
+	"net/http"
 	"net/url"

 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
 )

 type contextKey string
@ -14,6 +16,7 @@ const (
 	contextKeyProxy       contextKey = "proxy"
 	contextKeyLayers      contextKey = "layers"
 	contextKeyOriginalURL contextKey = "originalURL"
+	contextKeyHandleError contextKey = "handleError"
 )

 var (
@ -60,3 +63,22 @@ func ctxValue[T any](ctx context.Context, key contextKey) (T, error) {

 	return value, nil
 }
+
+type HandleErrorFunc func(w http.ResponseWriter, r *http.Request, status int, err error)
+
+func withHandleError(ctx context.Context, fn HandleErrorFunc) context.Context {
+	return context.WithValue(ctx, contextKeyHandleError, fn)
+}
+
+func HandleError(ctx context.Context, w http.ResponseWriter, r *http.Request, status int, err error) {
+	err = errors.WithStack(err)
+
+	fn, ok := ctx.Value(contextKeyHandleError).(HandleErrorFunc)
+	if !ok {
+		logger.Error(ctx, err.Error(), logger.CapturedE(err))
+		http.Error(w, http.StatusText(status), status)
+		return
+	}
+
+	fn(w, r, status, err)
+}
--- a/internal/proxy/director/director.go
+++ b/internal/proxy/director/director.go
@ -8,6 +8,7 @@ import (
 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache"
+	bouncersentry "forge.cadoles.com/cadoles/bouncer/internal/sentry"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
@ -21,6 +22,8 @@ type Director struct {

 	proxyCache cache.Cache[string, []*store.Proxy]
 	layerCache cache.Cache[string, []*store.Layer]
+
+	handleError HandleErrorFunc
 }

 func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
@ -32,7 +35,6 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 	}

 	url := getRequestURL(r)
-
 	ctx = withOriginalURL(ctx, url)
 	ctx = logger.With(ctx, logger.F("url", url.String()))

@ -168,13 +170,14 @@ func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]
 func (d *Director) RequestTransformer() proxy.RequestTransformer {
 	return func(r *http.Request) {
 		ctx := r.Context()
+
 		layers, err := ctxLayers(ctx)
 		if err != nil {
 			if errors.Is(err, errContextKeyNotFound) {
 				return
 			}

-			logger.Error(ctx, "could not retrieve layers from context", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not retrieve layers from context", logger.CapturedE(errors.WithStack(err)))

 			return
 		}
@ -224,15 +227,16 @@ func (d *Director) ResponseTransformer() proxy.ResponseTransformer {
 func (d *Director) Middleware() proxy.Middleware {
 	return func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
+			ctx := withHandleError(r.Context(), d.handleError)
+			r = r.WithContext(ctx)
+
 			r, err := d.rewriteRequest(r)
 			if err != nil {
-				logger.Error(r.Context(), "could not rewrite request", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+				HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
 				return
 			}

-			ctx := r.Context()
+			ctx = r.Context()

 			layers, err := ctxLayers(ctx)
 			if err != nil {
@ -240,9 +244,7 @@ func (d *Director) Middleware() proxy.Middleware {
 					return
 				}

-				logger.Error(ctx, "could not retrieve proxy and layers from context", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+				HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
 				return
 			}

@ -257,6 +259,7 @@ func (d *Director) Middleware() proxy.Middleware {
 			}

 			handler := createMiddlewareChain(next, httpMiddlewares)
+			handler = bouncersentry.SpanHandler(handler, "director.proxy")

 			handler.ServeHTTP(w, r)
 		}
@ -276,5 +279,6 @@ func New(proxyRepository store.ProxyRepository, layerRepository store.LayerRepos
 		layerRegistry:   registry,
 		proxyCache:      opts.ProxyCache,
 		layerCache:      opts.LayerCache,
+		handleError:     opts.HandleError,
 	}
 }
--- a/internal/proxy/director/layer/authn/layer.go
+++ b/internal/proxy/director/layer/authn/layer.go
@ -1,7 +1,9 @@
 package authn

 import (
+	"bytes"
 	"html/template"
+	"io"
 	"net/http"
 	"path/filepath"

@ -29,9 +31,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {

 			options, err := fromStoreOptions(layer.Options)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
 				return
 			}

@ -42,7 +42,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 					}

 					err = errors.WithStack(err)
-					logger.Error(ctx, "could not execute pre-auth hook", logger.E(err))
+					logger.Error(ctx, "could not execute pre-auth hook", logger.CapturedE(err))
 					l.renderErrorPage(w, r, layer, options, err)

 					return
@ -68,7 +68,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 				}

 				err = errors.WithStack(err)
-				logger.Error(ctx, "could not authenticate user", logger.E(err))
+				logger.Error(ctx, "could not authenticate user", logger.CapturedE(err))
 				l.renderErrorPage(w, r, layer, options, err)

 				return
@ -81,7 +81,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 				}

 				err = errors.WithStack(err)
-				logger.Error(ctx, "could not apply rules", logger.E(err))
+				logger.Error(ctx, "could not apply rules", logger.CapturedE(err))
 				l.renderErrorPage(w, r, layer, options, err)

 				return
@ -99,7 +99,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 					}

 					err = errors.WithStack(err)
-					logger.Error(ctx, "could not execute post-auth hook", logger.E(err))
+					logger.Error(ctx, "could not execute post-auth hook", logger.CapturedE(err))
 					l.renderErrorPage(w, r, layer, options, err)

 					return
@ -162,20 +162,22 @@ func (l *Layer) renderPage(w http.ResponseWriter, r *http.Request, page string,

 	tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 	if err != nil {
-		logger.Error(ctx, "could not load authn templates", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not load authn templates"))
 		return
 	}

 	w.Header().Add("Cache-Control", "no-cache")

-	if err := tmpl.ExecuteTemplate(w, block, templateData); err != nil {
-		logger.Error(ctx, "could not render authn page", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+	var buf bytes.Buffer

+	if err := tmpl.ExecuteTemplate(w, block, templateData); err != nil {
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not render authn page"))
 		return
 	}
+
+	if _, err := io.Copy(w, &buf); err != nil {
+		logger.Error(ctx, "could not write authn page", logger.CapturedE(errors.WithStack(err)))
+	}
 }

 // LayerType implements director.MiddlewareLayer
--- a/internal/proxy/director/layer/authn/network/authenticator_test.go
+++ b/internal/proxy/director/layer/authn/network/authenticator_test.go
@ -39,6 +39,23 @@ func TestMatchAuthorizedCIDRs(t *testing.T) {
 			},
 			ExpectedResult: false,
 		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.5/32",
+				"192.168.1.0/24",
+			},
+			ExpectedResult: true,
+		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.5/32",
+				"192.168.1.6/32",
+				"192.168.1.7/32",
+			},
+			ExpectedResult: false,
+		},
 	}

 	auth := Authenticator{}
--- a/internal/proxy/director/layer/authn/oidc/authenticator.go
+++ b/internal/proxy/director/layer/authn/oidc/authenticator.go
@ -44,7 +44,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request

 	sess, err := a.store.Get(r, a.getCookieName(options.Cookie.Name, layer.Proxy, layer.Name))
 	if err != nil {
-		logger.Error(ctx, "could not retrieve session", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve session", logger.CapturedE(errors.WithStack(err)))
 	}

 	loginCallbackURL, err := a.getLoginCallbackURL(originalURL, layer.Proxy, layer.Name, options)
@ -86,7 +86,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
 		if postLogoutRedirectURL != "" {
 			isAuthorized := slices.Contains(options.OIDC.PostLogoutRedirectURLs, postLogoutRedirectURL)
 			if !isAuthorized {
-				http.Error(w, "unauthorized post-logout redirect", http.StatusBadRequest)
+				director.HandleError(ctx, w, r, http.StatusBadRequest, errors.New("unauthorized post-logout redirect"))
 				return errors.WithStack(authn.ErrSkipRequest)
 			}
 		}
@ -128,7 +128,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay

 	defer func() {
 		if err := sess.Save(r, w); err != nil {
-			logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not save session", logger.CapturedE(errors.WithStack(err)))
 		}
 	}()

--- a/internal/proxy/director/layer/authn/oidc/client.go
+++ b/internal/proxy/director/layer/authn/oidc/client.go
@ -6,6 +6,7 @@ import (
 	"net/url"
 	"strings"

+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/dchest/uniuri"
 	"github.com/gorilla/sessions"
@ -47,7 +48,7 @@ func (c *Client) Provider() *oidc.Provider {
 func (c *Client) Authenticate(w http.ResponseWriter, r *http.Request, sess *sessions.Session, postLoginRedirectURL string) (*oidc.IDToken, error) {
 	idToken, err := c.getIDToken(r, sess)
 	if err != nil {
-		logger.Warn(r.Context(), "could not retrieve idtoken", logger.E(errors.WithStack(err)))
+		logger.Warn(r.Context(), "could not retrieve idtoken", logger.CapturedE(errors.WithStack(err)))

 		c.login(w, r, sess, postLoginRedirectURL)

@ -68,8 +69,7 @@ func (c *Client) login(w http.ResponseWriter, r *http.Request, sess *sessions.Se
 	sess.Values[sessionKeyPostLoginRedirectURL] = postLoginRedirectURL

 	if err := sess.Save(r, w); err != nil {
-		logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not save session"))

 		return
 	}
@ -127,7 +127,7 @@ func (c *Client) HandleLogout(w http.ResponseWriter, r *http.Request, sess *sess

 	rawIDToken, err := c.getRawIDToken(sess)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve raw id token", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve raw id token", logger.CapturedE(errors.WithStack(err)))
 	}

 	sess.Values[sessionKeyIDToken] = nil
--- a/internal/proxy/director/layer/queue/queue.go
+++ b/internal/proxy/director/layer/queue/queue.go
@ -1,9 +1,11 @@
 package queue

 import (
+	"bytes"
 	"context"
 	"fmt"
 	"html/template"
+	"io"
 	"math/rand"
 	"net/http"
 	"path/filepath"
@ -52,9 +54,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {

 			options, err := fromStoreOptions(layer.Options, q.defaultKeepAlive)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not parse layer options"))
 				return
 			}

@ -71,7 +71,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {

 			cookie, err := r.Cookie(cookieName)
 			if err != nil && !errors.Is(err, http.ErrNoCookie) {
-				logger.Error(ctx, "could not retrieve cookie", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "could not retrieve cookie", logger.CapturedE(errors.WithStack(err)))
 			}

 			if cookie == nil {
@ -89,9 +89,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {

 			rank, err := q.adapter.Touch(ctx, queueName, sessionID)
 			if err != nil {
-				logger.Error(ctx, "could not retrieve session rank", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not retrieve session rank"))
 				return
 			}

@ -126,7 +124,7 @@ func (q *Queue) updateSessionsMetric(ctx context.Context, proxyName store.ProxyN

 	status, err := q.adapter.Status(ctx, queueName)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve queue status", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not retrieve queue status", logger.CapturedE(errors.WithStack(err)))

 		return
 	}
@ -144,9 +142,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam

 	status, err := q.adapter.Status(ctx, queueName)
 	if err != nil {
-		logger.Error(ctx, "could not retrieve queue status", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not retrieve queue status"))
 		return
 	}

@ -157,7 +153,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam

 		tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 		if err != nil {
-			logger.Error(ctx, "could not load queue templates", logger.E(errors.WithStack(err)))
+			logger.Error(ctx, "could not load queue templates", logger.CapturedE(errors.WithStack(err)))

 			return
 		}
@ -166,9 +162,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 	})

 	if q.tmpl == nil {
-		logger.Error(ctx, "queue page templates not loaded", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("queue page templates not loaded"))
 		return
 	}

@ -194,12 +188,16 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 	w.Header().Add("Retry-After", strconv.FormatInt(int64(refreshRate.Seconds()), 10))
 	w.WriteHeader(http.StatusServiceUnavailable)

-	if err := q.tmpl.ExecuteTemplate(w, "queue", templateData); err != nil {
-		logger.Error(ctx, "could not render queue page", logger.E(errors.WithStack(err)))
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+	var buf bytes.Buffer

+	if err := q.tmpl.ExecuteTemplate(&buf, "queue", templateData); err != nil {
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not render queue page"))
 		return
 	}
+
+	if _, err := io.Copy(w, &buf); err != nil {
+		logger.Error(ctx, "could not write queue page", logger.CapturedE(errors.WithStack(err)))
+	}
 }

 func (q *Queue) refreshQueue(ctx context.Context, layerName store.LayerName, keepAlive time.Duration) {
@ -211,7 +209,7 @@ func (q *Queue) refreshQueue(ctx context.Context, layerName store.LayerName, kee

 	if err := q.adapter.Refresh(ctx, string(layerName), keepAlive); err != nil {
 		logger.Error(ctx, "could not refresh queue",
-			logger.E(errors.WithStack(err)),
+			logger.CapturedE(errors.WithStack(err)),
 			logger.F("queue", layerName),
 		)
 	}
--- a/internal/proxy/director/layer/rewriter/api.go
+++ b/internal/proxy/director/layer/rewriter/api.go
@ -0,0 +1,79 @@
+package rewriter
+
+import (
+	"context"
+	"fmt"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	"github.com/expr-lang/expr"
+	"github.com/pkg/errors"
+)
+
+type errRedirect struct {
+	statusCode int
+	url        string
+}
+
+func (e *errRedirect) StatusCode() int {
+	return e.statusCode
+}
+
+func (e *errRedirect) URL() string {
+	return e.url
+}
+
+func (e *errRedirect) Error() string {
+	return fmt.Sprintf("redirect %d %s", e.statusCode, e.url)
+}
+
+func newErrRedirect(statusCode int, url string) *errRedirect {
+	return &errRedirect{
+		url:        url,
+		statusCode: statusCode,
+	}
+}
+
+var _ error = &errRedirect{}
+
+func redirectFunc() expr.Option {
+	return expr.Function(
+		"redirect",
+		func(params ...any) (any, error) {
+			_, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			statusCode, err := rule.Assert[int](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			if statusCode < 300 || statusCode >= 400 {
+				return nil, errors.Errorf("unexpected redirect status code '%d'", statusCode)
+			}
+
+			url, err := rule.Assert[string](params[2])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			return nil, newErrRedirect(statusCode, url)
+		},
+		new(func(context.Context, int, string) bool),
+	)
+}
+
+func WithRewriterFuncs() rule.OptionFunc {
+	return func(opts *rule.Options) {
+		funcs := []expr.Option{
+			redirectFunc(),
+		}
+
+		if len(opts.Expr) == 0 {
+			opts.Expr = make([]expr.Option, 0)
+		}
+
+		opts.Expr = append(opts.Expr, funcs...)
+	}
+}
--- a/internal/proxy/director/layer/rewriter/layer.go
+++ b/internal/proxy/director/layer/rewriter/layer.go
@ -11,7 +11,6 @@ import (
 	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
-	"gitlab.com/wpetit/goweb/logger"
 )

 const LayerType store.LayerType = "rewriter"
@ -32,9 +31,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {

 			options, err := fromStoreOptions(layer.Options)
 			if err != nil {
-				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not parse layer options"))
 				return
 			}

@ -46,8 +43,13 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 			}

 			if err := l.applyRequestRules(ctx, r, layer.Revision, options); err != nil {
-				logger.Error(ctx, "could not apply request rules", logger.E(errors.WithStack(err)))
-				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				var redirect *errRedirect
+				if errors.As(err, &redirect) {
+					http.Redirect(w, r, redirect.URL(), redirect.StatusCode())
+					return
+				}
+
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not apply request rules"))

 				return
 			}
@ -88,6 +90,7 @@ func New(funcs ...OptionFunc) *Layer {
 			engine, err := rule.NewEngine[*RequestVars](
 				rule.WithRules(options.Rules.Request...),
 				ruleHTTP.WithRequestFuncs(),
+				WithRewriterFuncs(),
 			)
 			if err != nil {
 				return nil, errors.WithStack(err)
--- a/internal/proxy/director/layer/rewriter/rules.go
+++ b/internal/proxy/director/layer/rewriter/rules.go
@ -3,6 +3,7 @@ package rewriter
 import (
 	"context"
 	"net/http"
+	"net/url"

 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
@ -27,6 +28,26 @@ type URLVar struct {
 	RawFragment string  `expr:"raw_fragment"`
 }

+func fromURL(url *url.URL) URLVar {
+	return URLVar{
+		Scheme: url.Scheme,
+		Opaque: url.Opaque,
+		User: UserVar{
+			Username: url.User.Username(),
+			Password: func() string {
+				passwd, _ := url.User.Password()
+				return passwd
+			}(),
+		},
+		Host:        url.Host,
+		Path:        url.Path,
+		RawPath:     url.RawPath,
+		RawQuery:    url.RawQuery,
+		Fragment:    url.Fragment,
+		RawFragment: url.RawFragment,
+	}
+}
+
 type UserVar struct {
 	Username string `expr:"username"`
 	Password string `expr:"password"`
@ -48,6 +69,24 @@ type RequestVar struct {
 	RequestURI       string              `expr:"request_uri"`
 }

+func fromRequest(r *http.Request) RequestVar {
+	return RequestVar{
+		Method:           r.Method,
+		URL:              fromURL(r.URL),
+		RawURL:           r.URL.String(),
+		Proto:            r.Proto,
+		ProtoMajor:       r.ProtoMajor,
+		ProtoMinor:       r.ProtoMinor,
+		Header:           r.Header,
+		ContentLength:    r.ContentLength,
+		TransferEncoding: r.TransferEncoding,
+		Host:             r.Host,
+		Trailer:          r.Trailer,
+		RemoteAddr:       r.RemoteAddr,
+		RequestURI:       r.RequestURI,
+	}
+}
+
 func (l *Layer) applyRequestRules(ctx context.Context, r *http.Request, layerRevision int, options *LayerOptions) error {
 	rules := options.Rules.Request
 	if len(rules) == 0 {
@ -65,54 +104,8 @@ func (l *Layer) applyRequestRules(ctx context.Context, r *http.Request, layerRev
 	}

 	vars := &RequestVars{
-		OriginalURL: URLVar{
-			Scheme: originalURL.Scheme,
-			Opaque: originalURL.Opaque,
-			User: UserVar{
-				Username: originalURL.User.Username(),
-				Password: func() string {
-					passwd, _ := originalURL.User.Password()
-					return passwd
-				}(),
-			},
-			Host:        originalURL.Host,
-			Path:        originalURL.Path,
-			RawPath:     originalURL.RawPath,
-			RawQuery:    originalURL.RawQuery,
-			Fragment:    originalURL.Fragment,
-			RawFragment: originalURL.RawFragment,
-		},
-		Request: RequestVar{
-			Method: r.Method,
-			URL: URLVar{
-				Scheme: r.URL.Scheme,
-				Opaque: r.URL.Opaque,
-				User: UserVar{
-					Username: r.URL.User.Username(),
-					Password: func() string {
-						passwd, _ := r.URL.User.Password()
-						return passwd
-					}(),
-				},
-				Host:        r.URL.Host,
-				Path:        r.URL.Path,
-				RawPath:     r.URL.RawPath,
-				RawQuery:    r.URL.RawQuery,
-				Fragment:    r.URL.Fragment,
-				RawFragment: r.URL.RawFragment,
-			},
-			RawURL:           r.URL.String(),
-			Proto:            r.Proto,
-			ProtoMajor:       r.ProtoMajor,
-			ProtoMinor:       r.ProtoMinor,
-			Header:           r.Header,
-			ContentLength:    r.ContentLength,
-			TransferEncoding: r.TransferEncoding,
-			Host:             r.Host,
-			Trailer:          r.Trailer,
-			RemoteAddr:       r.RemoteAddr,
-			RequestURI:       r.RequestURI,
-		},
+		OriginalURL: fromURL(originalURL),
+		Request:     fromRequest(r),
 	}

 	ctx = ruleHTTP.WithRequest(ctx, r)
@ -169,54 +162,8 @@ func (l *Layer) applyResponseRules(ctx context.Context, r *http.Response, layerR
 	}

 	vars := &ResponseVars{
-		OriginalURL: URLVar{
-			Scheme: originalURL.Scheme,
-			Opaque: originalURL.Opaque,
-			User: UserVar{
-				Username: originalURL.User.Username(),
-				Password: func() string {
-					passwd, _ := originalURL.User.Password()
-					return passwd
-				}(),
-			},
-			Host:        originalURL.Host,
-			Path:        originalURL.Path,
-			RawPath:     originalURL.RawPath,
-			RawQuery:    originalURL.RawQuery,
-			Fragment:    originalURL.Fragment,
-			RawFragment: originalURL.RawFragment,
-		},
-		Request: RequestVar{
-			Method: r.Request.Method,
-			URL: URLVar{
-				Scheme: r.Request.URL.Scheme,
-				Opaque: r.Request.URL.Opaque,
-				User: UserVar{
-					Username: r.Request.URL.User.Username(),
-					Password: func() string {
-						passwd, _ := r.Request.URL.User.Password()
-						return passwd
-					}(),
-				},
-				Host:        r.Request.URL.Host,
-				Path:        r.Request.URL.Path,
-				RawPath:     r.Request.URL.RawPath,
-				RawQuery:    r.Request.URL.RawQuery,
-				Fragment:    r.Request.URL.Fragment,
-				RawFragment: r.Request.URL.RawFragment,
-			},
-			RawURL:           r.Request.URL.String(),
-			Proto:            r.Request.Proto,
-			ProtoMajor:       r.Request.ProtoMajor,
-			ProtoMinor:       r.Request.ProtoMinor,
-			Header:           r.Request.Header,
-			ContentLength:    r.Request.ContentLength,
-			TransferEncoding: r.Request.TransferEncoding,
-			Host:             r.Request.Host,
-			Trailer:          r.Request.Trailer,
-			RemoteAddr:       r.Request.RemoteAddr,
-			RequestURI:       r.Request.RequestURI,
-		},
+		OriginalURL: fromURL(originalURL),
+		Request:     fromRequest(r.Request),
 		Response: ResponseVar{
 			Proto:            r.Proto,
 			ProtoMajor:       r.ProtoMajor,
@ -231,6 +178,7 @@ func (l *Layer) applyResponseRules(ctx context.Context, r *http.Response, layerR
 	}

 	ctx = ruleHTTP.WithResponse(ctx, r)
+	ctx = ruleHTTP.WithRequest(ctx, r.Request)

 	if _, err := engine.Apply(ctx, vars); err != nil {
 		return errors.WithStack(err)
--- a/internal/proxy/director/options.go
+++ b/internal/proxy/director/options.go
@ -1,18 +1,21 @@
 package director

 import (
+	"net/http"
 	"time"

 	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"gitlab.com/wpetit/goweb/logger"
 )

 type Options struct {
-	Layers     []Layer
-	ProxyCache cache.Cache[string, []*store.Proxy]
-	LayerCache cache.Cache[string, []*store.Layer]
+	Layers      []Layer
+	ProxyCache  cache.Cache[string, []*store.Proxy]
+	LayerCache  cache.Cache[string, []*store.Layer]
+	HandleError HandleErrorFunc
 }

 type OptionFunc func(opts *Options)
@ -30,6 +33,10 @@ func NewOptions(funcs ...OptionFunc) *Options {
 			memory.NewCache[string, time.Time](),
 			30*time.Second,
 		),
+		HandleError: func(w http.ResponseWriter, r *http.Request, status int, err error) {
+			logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
+			http.Error(w, http.StatusText(status), status)
+		},
 	}

 	for _, fn := range funcs {
@ -56,3 +63,9 @@ func WithLayerCache(cache cache.Cache[string, []*store.Layer]) OptionFunc {
 		opts.LayerCache = cache
 	}
 }
+
+func WithHandleErrorFunc(fn HandleErrorFunc) OptionFunc {
+	return func(opts *Options) {
+		opts.HandleError = fn
+	}
+}
--- a/internal/proxy/server.go
+++ b/internal/proxy/server.go
@ -1,9 +1,11 @@
 package proxy

 import (
+	"bytes"
 	"context"
 	"fmt"
 	"html/template"
+	"io"
 	"log"
 	"net"
 	"net/http"
@ -23,13 +25,14 @@ import (
 	"forge.cadoles.com/cadoles/bouncer/internal/store"

 	"github.com/Masterminds/sprig/v3"
-	"github.com/getsentry/sentry-go"
 	sentryhttp "github.com/getsentry/sentry-go/http"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"gitlab.com/wpetit/goweb/logger"
+
+	bouncersentry "forge.cadoles.com/cadoles/bouncer/internal/sentry"
 )

 type Server struct {
@ -110,6 +113,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 				s.directorCacheTTL,
 			),
 		),
+		director.WithHandleErrorFunc(s.handleError),
 	)

 	if s.serverConfig.HTTP.UseRealIP {
@ -153,7 +157,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e

 		router.Group(func(r chi.Router) {
 			if profiling.BasicAuth != nil {
-				logger.Info(ctx, "enabling authentication on metrics endpoint")
+				logger.Info(ctx, "enabling authentication on profiling endpoint")

 				r.Use(middleware.BasicAuth(
 					"profiling",
@ -189,7 +193,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 			proxy.WithDefaultHandler(http.HandlerFunc(s.handleDefault)),
 		)

-		r.Handle("/*", handler)
+		r.Handle("/*", bouncersentry.SpanHandler(handler, "http.proxy"))
 	})

 	if err := http.Serve(listener, router); err != nil && !errors.Is(err, net.ErrClosed) {
@ -215,27 +219,24 @@ func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httpu
 	httpTransport.DialContext = dialer.DialContext

 	reverseProxy.Transport = httpTransport
-	reverseProxy.ErrorHandler = s.handleError
+	reverseProxy.ErrorHandler = s.handleProxyError

 	return reverseProxy
 }

 func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {
-	err := errors.Errorf("no proxy target found")
-
-	logger.Error(r.Context(), "proxy error", logger.E(err))
-	sentry.CaptureException(err)
-
-	s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
+	s.handleError(w, r, http.StatusBadGateway, errors.Errorf("no proxy target found"))
 }

-func (s *Server) handleError(w http.ResponseWriter, r *http.Request, err error) {
+func (s *Server) handleError(w http.ResponseWriter, r *http.Request, status int, err error) {
 	err = errors.WithStack(err)
+	logger.Error(r.Context(), err.Error(), logger.CapturedE(err))

-	logger.Error(r.Context(), "proxy error", logger.E(err))
-	sentry.CaptureException(err)
+	s.renderErrorPage(w, r, err, status, http.StatusText(status))
+}

-	s.renderErrorPage(w, r, err, http.StatusBadGateway, http.StatusText(http.StatusBadGateway))
+func (s *Server) handleProxyError(w http.ResponseWriter, r *http.Request, err error) {
+	s.handleError(w, r, http.StatusBadGateway, err)
 }

 func (s *Server) renderErrorPage(w http.ResponseWriter, r *http.Request, err error, statusCode int, status string) {
@ -266,7 +267,7 @@ func (s *Server) renderPage(w http.ResponseWriter, r *http.Request, page string,

 	tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
 	if err != nil {
-		logger.Error(ctx, "could not load proxy templates", logger.E(errors.WithStack(err)))
+		logger.Error(ctx, "could not load proxy templates", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)

 		return
@ -286,12 +287,18 @@ func (s *Server) renderPage(w http.ResponseWriter, r *http.Request, page string,
 		return
 	}

-	if err := blockTmpl.Execute(w, templateData); err != nil {
-		logger.Error(ctx, "could not render proxy page", logger.E(errors.WithStack(err)))
+	var buf bytes.Buffer
+
+	if err := blockTmpl.Execute(&buf, templateData); err != nil {
+		logger.Error(ctx, "could not render proxy page", logger.CapturedE(errors.WithStack(err)))
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)

 		return
 	}
+
+	if _, err := io.Copy(w, &buf); err != nil {
+		logger.Error(ctx, "could not write page", logger.CapturedE(errors.WithStack(err)))
+	}
 }

 func NewServer(funcs ...OptionFunc) *Server {
--- a/internal/rule/http/context.go
+++ b/internal/rule/http/context.go
@ -22,10 +22,10 @@ func WithResponse(ctx context.Context, r *http.Response) context.Context {
 	return context.WithValue(ctx, contextKeyResponse, r)
 }

-func ctxRequest(ctx context.Context) (*http.Request, bool) {
+func CtxRequest(ctx context.Context) (*http.Request, bool) {
 	return rule.Context[*http.Request](ctx, contextKeyRequest)
 }

-func ctxResponse(ctx context.Context) (*http.Response, bool) {
+func CtxResponse(ctx context.Context) (*http.Response, bool) {
 	return rule.Context[*http.Response](ctx, contextKeyResponse)
 }
--- a/internal/rule/http/option.go
+++ b/internal/rule/http/option.go
@ -13,6 +13,8 @@ func WithRequestFuncs() rule.OptionFunc {
 			addRequestHeaderFunc(),
 			delRequestHeadersFunc(),
 			setRequestHostFunc(),
+			getRequestCookieFunc(),
+			addRequestCookieFunc(),
 		}

 		if len(opts.Expr) == 0 {
@ -29,6 +31,8 @@ func WithResponseFuncs() rule.OptionFunc {
 			setResponseHeaderFunc(),
 			addResponseHeaderFunc(),
 			delResponseHeadersFunc(),
+			addResponseCookieFunc(),
+			getResponseCookieFunc(),
 		}

 		if len(opts.Expr) == 0 {
--- a/internal/rule/http/request.go
+++ b/internal/rule/http/request.go
@ -3,6 +3,7 @@ package http
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
@ -28,7 +29,7 @@ func setRequestHostFunc() expr.Option {
 				return nil, errors.WithStack(err)
 			}

-			r, ok := ctxRequest(ctx)
+			r, ok := CtxRequest(ctx)
 			if !ok {
 				return nil, errors.New("could not find http request in context")
 			}
@ -60,7 +61,7 @@ func setRequestURLFunc() expr.Option {
 				return false, errors.WithStack(err)
 			}

-			r, ok := ctxRequest(ctx)
+			r, ok := CtxRequest(ctx)
 			if !ok {
 				return nil, errors.New("could not find http request in context")
 			}
@ -89,7 +90,7 @@ func addRequestHeaderFunc() expr.Option {

 			value := formatValue(params[2])

-			r, ok := ctxRequest(ctx)
+			r, ok := CtxRequest(ctx)
 			if !ok {
 				return nil, errors.New("could not find http request in context")
 			}
@ -118,7 +119,7 @@ func setRequestHeaderFunc() expr.Option {

 			value := formatValue(params[2])

-			r, ok := ctxRequest(ctx)
+			r, ok := CtxRequest(ctx)
 			if !ok {
 				return nil, errors.New("could not find http request in context")
 			}
@ -145,7 +146,7 @@ func delRequestHeadersFunc() expr.Option {
 				return nil, errors.WithStack(err)
 			}

-			r, ok := ctxRequest(ctx)
+			r, ok := CtxRequest(ctx)
 			if !ok {
 				return nil, errors.New("could not find http request in context")
 			}
@ -167,6 +168,145 @@ func delRequestHeadersFunc() expr.Option {
 	)
 }

+type CookieVar struct {
+	Name     string        `expr:"name"`
+	Value    string        `expr:"value"`
+	Path     string        `expr:"path"`
+	Domain   string        `expr:"domain"`
+	Expires  time.Time     `expr:"expires"`
+	MaxAge   int           `expr:"max_age"`
+	Secure   bool          `expr:"secure"`
+	HttpOnly bool          `expr:"http_only"`
+	SameSite http.SameSite `expr:"same_site"`
+}
+
+func getRequestCookieFunc() expr.Option {
+	return expr.Function(
+		"get_cookie",
+		func(params ...any) (any, error) {
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			name, err := rule.Assert[string](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			r, ok := CtxRequest(ctx)
+			if !ok {
+				return nil, errors.New("could not find http request in context")
+			}
+
+			cookie, err := r.Cookie(name)
+			if err != nil && !errors.Is(err, http.ErrNoCookie) {
+				return nil, errors.WithStack(err)
+			}
+
+			if cookie == nil {
+				return nil, nil
+			}
+
+			return CookieVar{
+				Name:     cookie.Name,
+				Value:    cookie.Value,
+				Path:     cookie.Path,
+				Domain:   cookie.Domain,
+				Expires:  cookie.Expires,
+				MaxAge:   cookie.MaxAge,
+				Secure:   cookie.Secure,
+				HttpOnly: cookie.HttpOnly,
+				SameSite: cookie.SameSite,
+			}, nil
+		},
+		new(func(context.Context, string) CookieVar),
+	)
+}
+
+func addRequestCookieFunc() expr.Option {
+	return expr.Function(
+		"add_cookie",
+		func(params ...any) (any, error) {
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			values, err := rule.Assert[map[string]any](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			cookie, err := cookieFrom(values)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			r, ok := CtxRequest(ctx)
+			if !ok {
+				return nil, errors.New("could not find http request in context")
+			}
+
+			r.AddCookie(cookie)
+
+			return true, nil
+		},
+		new(func(context.Context, map[string]any) bool),
+	)
+}
+
+func cookieFrom(values map[string]any) (*http.Cookie, error) {
+	cookie := &http.Cookie{}
+
+	if name, ok := values["name"].(string); ok {
+		cookie.Name = name
+	}
+
+	if value, ok := values["value"].(string); ok {
+		cookie.Value = value
+	}
+
+	if domain, ok := values["domain"].(string); ok {
+		cookie.Domain = domain
+	}
+
+	if path, ok := values["path"].(string); ok {
+		cookie.Path = path
+	}
+
+	if httpOnly, ok := values["http_only"].(bool); ok {
+		cookie.HttpOnly = httpOnly
+	}
+
+	if maxAge, ok := values["max_age"].(int); ok {
+		cookie.MaxAge = maxAge
+	}
+
+	if secure, ok := values["secure"].(bool); ok {
+		cookie.Secure = secure
+	}
+
+	if sameSite, ok := values["same_site"].(http.SameSite); ok {
+		cookie.SameSite = sameSite
+	} else if sameSite, ok := values["same_site"].(int); ok {
+		cookie.SameSite = http.SameSite(sameSite)
+	}
+
+	if expires, ok := values["expires"].(time.Time); ok {
+		cookie.Expires = expires
+	} else if rawExpires, ok := values["expires"].(string); ok {
+		expires, err := time.Parse(http.TimeFormat, rawExpires)
+		if err != nil {
+			return nil, errors.WithStack(err)
+		}
+
+		cookie.Expires = expires
+	}
+
+	return cookie, nil
+}
+
 func formatValue(v any) string {
 	var value string
 	switch v := v.(type) {
--- a/internal/rule/http/request_test.go
+++ b/internal/rule/http/request_test.go
@ -2,6 +2,7 @@ package http

 import (
 	"context"
+	"fmt"
 	"net/http"
 	"testing"

@ -185,6 +186,134 @@ func TestDelRequestHeaders(t *testing.T) {
 	}
 }

+func TestAddRequestCookie(t *testing.T) {
+	type TestCase struct {
+		Cookie     map[string]any
+		Check      func(t *testing.T, tc TestCase, req *http.Request)
+		ShouldFail bool
+	}
+
+	testCases := []TestCase{
+		{
+			Cookie: map[string]any{
+				"name": "test",
+			},
+			Check: func(t *testing.T, tc TestCase, req *http.Request) {
+				cookie, err := req.Cookie(tc.Cookie["name"].(string))
+				if err != nil {
+					t.Errorf("%+v", errors.WithStack(err))
+					return
+				}
+
+				if e, g := tc.Cookie["name"], cookie.Name; e != g {
+					t.Errorf("cookie.Name: expected '%v', got '%v'", e, g)
+				}
+			},
+		},
+		{
+			Cookie: map[string]any{
+				"name":  "foo",
+				"value": "test",
+			},
+			Check: func(t *testing.T, tc TestCase, req *http.Request) {
+				cookie, err := req.Cookie(tc.Cookie["name"].(string))
+				if err != nil {
+					t.Errorf("%+v", errors.WithStack(err))
+					return
+				}
+
+				if e, g := tc.Cookie["name"], cookie.Name; e != g {
+					t.Errorf("cookie.Name: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["value"], cookie.Value; e != g {
+					t.Errorf("cookie.Value: expected '%v', got '%v'", e, g)
+				}
+			},
+		},
+	}
+
+	for idx, tc := range testCases {
+		t.Run(fmt.Sprintf("Case_%d", idx), func(t *testing.T) {
+			type Vars struct {
+				NewCookie map[string]any `expr:"new_cookie"`
+			}
+
+			engine := createRuleEngine[Vars](t,
+				rule.WithExpr(addRequestCookieFunc()),
+				rule.WithRules(
+					`add_cookie(ctx, vars.new_cookie)`,
+				),
+			)
+
+			req, err := http.NewRequest("GET", "http://example.net", nil)
+			if err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			vars := Vars{
+				NewCookie: tc.Cookie,
+			}
+
+			ctx := context.Background()
+			ctx = WithRequest(ctx, req)
+
+			if _, err := engine.Apply(ctx, vars); err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			if tc.ShouldFail {
+				t.Error("engine.Apply() should have failed")
+			}
+
+			if tc.Check != nil {
+				tc.Check(t, tc, req)
+			}
+		})
+	}
+}
+
+func TestGetRequestCookie(t *testing.T) {
+	type Vars struct {
+		CookieName string `expr:"cookieName"`
+	}
+
+	engine := createRuleEngine[Vars](t,
+		rule.WithExpr(getRequestCookieFunc()),
+		rule.WithRules(
+			"let cookie = get_cookie(ctx, vars.cookieName); cookie.value",
+		),
+	)
+
+	req, err := http.NewRequest("GET", "http://example.net", nil)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	vars := Vars{
+		CookieName: "foo",
+	}
+
+	cookie := &http.Cookie{
+		Name:  vars.CookieName,
+		Value: "bar",
+	}
+
+	req.AddCookie(cookie)
+
+	ctx := context.Background()
+	ctx = WithRequest(ctx, req)
+
+	results, err := engine.Apply(ctx, vars)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if e, g := cookie.Value, results[0]; e != g {
+		t.Errorf("result[0]: expected '%v', got '%v'", e, g)
+	}
+}
+
 func createRuleEngine[V any](t *testing.T, funcs ...rule.OptionFunc) *rule.Engine[V] {
 	engine, err := rule.NewEngine[V](funcs...)
 	if err != nil {
--- a/internal/rule/http/response.go
+++ b/internal/rule/http/response.go
@ -3,6 +3,7 @@ package http
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"strconv"
 	"strings"
 	"time"
@ -41,7 +42,7 @@ func addResponseHeaderFunc() expr.Option {
 				value = fmt.Sprintf("%v", rawValue)
 			}

-			r, ok := ctxResponse(ctx)
+			r, ok := CtxResponse(ctx)
 			if !ok {
 				return nil, errors.New("could not find http response in context")
 			}
@ -82,7 +83,7 @@ func setResponseHeaderFunc() expr.Option {
 				value = fmt.Sprintf("%v", rawValue)
 			}

-			r, ok := ctxResponse(ctx)
+			r, ok := CtxResponse(ctx)
 			if !ok {
 				return nil, errors.New("could not find http response in context")
 			}
@ -109,7 +110,7 @@ func delResponseHeadersFunc() expr.Option {
 				return nil, errors.WithStack(err)
 			}

-			r, ok := ctxResponse(ctx)
+			r, ok := CtxResponse(ctx)
 			if !ok {
 				return nil, errors.New("could not find http response in context")
 			}
@ -130,3 +131,84 @@ func delResponseHeadersFunc() expr.Option {
 		new(func(context.Context, string) bool),
 	)
 }
+
+func addResponseCookieFunc() expr.Option {
+	return expr.Function(
+		"add_cookie",
+		func(params ...any) (any, error) {
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			values, err := rule.Assert[map[string]any](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			cookie, err := cookieFrom(values)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			r, ok := CtxResponse(ctx)
+			if !ok {
+				return nil, errors.New("could not find http request in context")
+			}
+
+			r.Header.Add("Set-Cookie", cookie.String())
+
+			return true, nil
+		},
+		new(func(context.Context, map[string]any) bool),
+	)
+}
+
+func getResponseCookieFunc() expr.Option {
+	return expr.Function(
+		"get_cookie",
+		func(params ...any) (any, error) {
+			ctx, err := rule.Assert[context.Context](params[0])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			name, err := rule.Assert[string](params[1])
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			res, ok := CtxResponse(ctx)
+			if !ok {
+				return nil, errors.New("could not find http response in context")
+			}
+
+			var cookie *http.Cookie
+			for _, c := range res.Cookies() {
+				if c.Name != name {
+					continue
+				}
+
+				cookie = c
+				break
+			}
+
+			if cookie == nil {
+				return nil, nil
+			}
+
+			return CookieVar{
+				Name:     cookie.Name,
+				Value:    cookie.Value,
+				Path:     cookie.Path,
+				Domain:   cookie.Domain,
+				Expires:  cookie.Expires,
+				MaxAge:   cookie.MaxAge,
+				Secure:   cookie.Secure,
+				HttpOnly: cookie.HttpOnly,
+				SameSite: cookie.SameSite,
+			}, nil
+		},
+		new(func(context.Context, string) CookieVar),
+	)
+}
--- a/internal/rule/http/response_test.go
+++ b/internal/rule/http/response_test.go
@ -2,9 +2,11 @@ package http

 import (
 	"context"
+	"fmt"
 	"io"
 	"net/http"
 	"testing"
+	"time"

 	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	"github.com/pkg/errors"
@ -124,6 +126,182 @@ func TestResponseDelHeaders(t *testing.T) {
 	}
 }

+func TestAddResponseCookie(t *testing.T) {
+	type TestCase struct {
+		Cookie     map[string]any
+		Check      func(t *testing.T, tc TestCase, res *http.Response)
+		ShouldFail bool
+	}
+
+	testCases := []TestCase{
+		{
+			Cookie: map[string]any{
+				"name":      "foo",
+				"value":     "test",
+				"domain":    "example.net",
+				"path":      "/custom",
+				"same_site": http.SameSiteStrictMode,
+				"http_only": true,
+				"secure":    false,
+				"expires":   time.Now().UTC().Truncate(time.Second),
+			},
+			Check: func(t *testing.T, tc TestCase, res *http.Response) {
+				var cookie *http.Cookie
+				for _, c := range res.Cookies() {
+					if c.Name == tc.Cookie["name"] {
+						cookie = c
+						break
+					}
+				}
+				if cookie == nil {
+					t.Errorf("could not find cookie '%s'", tc.Cookie["name"])
+					return
+				}
+
+				if e, g := tc.Cookie["name"], cookie.Name; e != g {
+					t.Errorf("cookie.Name: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["value"], cookie.Value; e != g {
+					t.Errorf("cookie.Value: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["domain"], cookie.Domain; e != g {
+					t.Errorf("cookie.Domain: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["path"], cookie.Path; e != g {
+					t.Errorf("cookie.Path: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["secure"], cookie.Secure; e != g {
+					t.Errorf("cookie.Secure: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["http_only"], cookie.HttpOnly; e != g {
+					t.Errorf("cookie.HttpOnly: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["same_site"], cookie.SameSite; e != g {
+					t.Errorf("cookie.SameSite: expected '%v', got '%v'", e, g)
+				}
+
+				if e, g := tc.Cookie["expires"], cookie.Expires; e != g {
+					t.Errorf("cookie.Expires: expected '%v', got '%v'", e, g)
+				}
+			},
+		},
+		{
+			Cookie: map[string]any{
+				"name":    "foo",
+				"expires": time.Now().UTC().Format(http.TimeFormat),
+			},
+			Check: func(t *testing.T, tc TestCase, res *http.Response) {
+				var cookie *http.Cookie
+				for _, c := range res.Cookies() {
+					if c.Name == tc.Cookie["name"] {
+						cookie = c
+						break
+					}
+				}
+				if cookie == nil {
+					t.Errorf("could not find cookie '%s'", tc.Cookie["name"])
+					return
+				}
+
+				if e, g := tc.Cookie["expires"], cookie.Expires.Format(http.TimeFormat); e != g {
+					t.Errorf("cookie.Expires: expected '%v', got '%v'", e, g)
+				}
+			},
+		},
+	}
+
+	for idx, tc := range testCases {
+		t.Run(fmt.Sprintf("Case_%d", idx), func(t *testing.T) {
+			type Vars struct {
+				NewCookie map[string]any `expr:"new_cookie"`
+			}
+
+			engine := createRuleEngine[Vars](t,
+				rule.WithExpr(addResponseCookieFunc()),
+				rule.WithRules(
+					`add_cookie(ctx, vars.new_cookie)`,
+				),
+			)
+
+			req, err := http.NewRequest("GET", "http://example.net", nil)
+			if err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			resp := createResponse(req, http.StatusOK, nil)
+
+			vars := Vars{
+				NewCookie: tc.Cookie,
+			}
+
+			ctx := context.Background()
+			ctx = WithRequest(ctx, req)
+			ctx = WithResponse(ctx, resp)
+
+			if _, err := engine.Apply(ctx, vars); err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			if tc.ShouldFail {
+				t.Error("engine.Apply() should have failed")
+			}
+
+			if tc.Check != nil {
+				tc.Check(t, tc, resp)
+			}
+		})
+	}
+}
+
+func TestGetResponseCookie(t *testing.T) {
+	type Vars struct {
+		CookieName string `expr:"cookieName"`
+	}
+
+	engine := createRuleEngine[Vars](t,
+		rule.WithExpr(getResponseCookieFunc()),
+		rule.WithRules(
+			"let cookie = get_cookie(ctx, vars.cookieName); cookie.value",
+		),
+	)
+
+	req, err := http.NewRequest("GET", "http://example.net", nil)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	resp := createResponse(req, http.StatusOK, nil)
+
+	vars := Vars{
+		CookieName: "foo",
+	}
+
+	cookie := &http.Cookie{
+		Name:  vars.CookieName,
+		Value: "bar",
+	}
+
+	resp.Header.Add("Set-Cookie", cookie.String())
+
+	ctx := context.Background()
+	ctx = WithResponse(ctx, resp)
+
+	results, err := engine.Apply(ctx, vars)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if e, g := cookie.Value, results[0]; e != g {
+		t.Errorf("result[0]: expected '%v', got '%v'", e, g)
+	}
+}
+
 func createResponse(req *http.Request, statusCode int, body io.Reader) *http.Response {
 	return &http.Response{
 		Status:        http.StatusText(statusCode),
--- a/internal/sentry/sentry.go
+++ b/internal/sentry/sentry.go
@ -0,0 +1,37 @@
+package sentry
+
+import (
+	"net/http"
+
+	"github.com/getsentry/sentry-go"
+)
+
+func SpanHandler(handler http.Handler, name string) http.Handler {
+	fn := func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+
+		hub := sentry.GetHubFromContext(ctx)
+		if hub == nil {
+			hub = sentry.CurrentHub().Clone()
+			ctx = sentry.SetHubOnContext(ctx, hub)
+		}
+
+		options := []sentry.SpanOption{
+			sentry.WithOpName(name),
+			sentry.ContinueFromRequest(r),
+			sentry.WithTransactionSource(sentry.SourceURL),
+		}
+
+		span := sentry.StartSpan(ctx,
+			name,
+			options...,
+		)
+		defer span.Finish()
+
+		r = r.WithContext(span.Context())
+
+		handler.ServeHTTP(w, r)
+	}
+
+	return http.HandlerFunc(fn)
+}
--- a/internal/setup/redis.go
+++ b/internal/setup/redis.go
@ -56,7 +56,7 @@ func newRedisClient(conf config.RedisConfig) redis.UniversalClient {

 		for range timer.C {
 			if _, err := client.Ping(ctx).Result(); err != nil {
-				logger.Error(ctx, "redis disconnected", logger.E(errors.WithStack(err)))
+				logger.Error(ctx, "redis disconnected", logger.CapturedE(errors.WithStack(err)))
 				connected = false
 				continue
 			}
--- a/internal/setup/sentry.go
+++ b/internal/setup/sentry.go
@ -34,6 +34,10 @@ func SetupSentry(ctx context.Context, conf config.SentryConfig, release string)
 		return nil, errors.WithStack(err)
 	}

+	logger.SetCaptureFunc(func(err error) {
+		sentry.CaptureException(err)
+	})
+
 	flush := func() {
 		sentry.Flush(time.Duration(*conf.FlushTimeout))
 	}
--- a/internal/store/redis/helper.go
+++ b/internal/store/redis/helper.go
@ -81,7 +81,7 @@ func WithRetry(ctx context.Context, client redis.UniversalClient, key string, fn
 	for attempt := 0; attempt < maxAttempts; attempt++ {
 		if err = WithTx(ctx, client, key, fn); err != nil {
 			err = errors.WithStack(err)
-			logger.Debug(ctx, "redis transaction failed", logger.E(err))
+			logger.Debug(ctx, "redis transaction failed", logger.CapturedE(err))

 			if errors.Is(err, redis.TxFailedErr) {
 				logger.Debug(ctx, "retrying redis transaction", logger.F("attempts", attempt), logger.F("delay", delay))
@ -97,7 +97,7 @@ func WithRetry(ctx context.Context, client redis.UniversalClient, key string, fn
 		return nil
 	}

-	logger.Error(ctx, "redis error", logger.E(errors.WithStack(err)))
+	logger.Error(ctx, "redis error", logger.CapturedE(errors.WithStack(err)))

 	return errors.WithStack(redis.TxFailedErr)
 }
--- a/templates/error.gohtml
+++ b/templates/error.gohtml
@ -76,14 +76,26 @@
        margin-top: 2em;
        text-align: right;
      }
+
+      .stacktrace {
+        max-height: 250px;
+        overflow-y: auto;
+        background-color: #dca0a0;
+        padding: 0 10px;
+        border-radius: 5px;
+        margin-top: 10px;
+      }
    </style>
  </head>
  <body>
    <div id="container">
      <div id="card">
-        <h2 class="title">{{ $title }}</h2>
+        <h2 class="title">⚠ {{ $title }}</h2>
        {{ if .Debug }}
-        <pre>{{ .Err }}</pre>
+        <h3>Stack Trace</h3>
+        <div class="stacktrace">
+          <pre>{{ printf "%+v" .Err }}</pre>
+        </div>
        {{ end }}
        <p class="footer">
          Propulsé par
Author	SHA1	Message	Date
wpetit	0ff9391a1b	Merge pull request 'feat: global error handler with template rendering' (#42 ) from error-handler into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #42	2024-09-27 15:03:05 +02:00
William Petit	d4c28b80d7	feat: global error handler with template rendering Some checks are pending Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-09-27 15:02:49 +02:00
William Petit	590505e17a	feat: add sentry spans to evaluate proxy performances All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-27 10:46:18 +02:00
William Petit	867e7c549f	feat: capture logged errors and forward them to sentry when enabled All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-27 10:15:08 +02:00
William Petit	169578c25d	chore: fix log typo All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-26 15:48:22 +02:00
William Petit	b0a71fc599	feat: use go 1.23 for docker build All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-09-26 14:46:28 +02:00
wpetit	eea51c6030	Merge pull request 'feat(rewriter): add redirect(), get_cookie(), add_cookie() methods to rule engine (#36 )' (#41 ) from issue-36 into develop Some checks failed Cadoles/bouncer/pipeline/head There was a failure building this commit Details Reviewed-on: #41	2024-09-25 15:53:00 +02:00
William Petit	04b41baea3	feat(rewriter): add redirect(), get_cookie(), add_cookie() methods to rule engine (#36 ) Some checks are pending Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-09-25 15:52:49 +02:00
wpetit	cb9260ac2b	Merge pull request 'feat(authn) : add case to test multiples CIDR #34 ' (#35 ) from issue-4 into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #35	2024-09-25 15:15:11 +02:00
Matthieu Lamalle	5eac425fda	feat(authn) : add case to test multiples CIDR Some checks are pending Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-09-25 15:15:04 +02:00