[chore] header filter improvements (#3329)

* add error message to gin context on header blocked or not allowed

* remove the unused header filter tracking code (leaving OTEL TODOs in place)

* appease the linter
kim 2024-09-23 11:36:56 +00:00 committed by GitHub
parent 862cc9e3c4
commit 964262b169
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -18,7 +18,7 @@
package middleware package middleware
import ( import (
"sync" "errors"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/superseriousbusiness/gotosocial/internal/config" "github.com/superseriousbusiness/gotosocial/internal/config"
@ -29,25 +29,11 @@ import (
) )
var ( var (
allowMatches = matchstats{m: make(map[string]uint64)} // errors set on gin context by header filter middleware.
blockMatches = matchstats{m: make(map[string]uint64)} errHeaderNotAllowed = errors.New("header did not match allow filter")
errHeaderBlocked = errors.New("header matched block filter")
) )
// matchstats is a simple statistics
// counter for header filter matches.
// TODO: replace with otel.
type matchstats struct {
m map[string]uint64
l sync.Mutex
}
func (m *matchstats) Add(hdr, regex string) {
m.l.Lock()
key := hdr + ":" + regex
m.m[key]++
m.l.Unlock()
}
// HeaderFilter returns a gin middleware handler that provides HTTP // HeaderFilter returns a gin middleware handler that provides HTTP
// request blocking (filtering) based on database allow / block filters. // request blocking (filtering) based on database allow / block filters.
func HeaderFilter(state *state.State) gin.HandlerFunc { func HeaderFilter(state *state.State) gin.HandlerFunc {
@ -83,6 +69,7 @@ func headerFilterAllowMode(state *state.State) func(c *gin.Context) {
} }
if block { if block {
_ = c.Error(errHeaderBlocked)
respondBlocked(c) respondBlocked(c)
return return
} }
@ -95,6 +82,7 @@ func headerFilterAllowMode(state *state.State) func(c *gin.Context) {
} }
if notAllow { if notAllow {
_ = c.Error(errHeaderNotAllowed)
respondBlocked(c) respondBlocked(c)
return return
} }
@ -129,6 +117,7 @@ func headerFilterBlockMode(state *state.State) func(c *gin.Context) {
} }
if block { if block {
_ = c.Error(errHeaderBlocked)
respondBlocked(c) respondBlocked(c)
return return
} }
@ -146,7 +135,7 @@ func isHeaderBlocked(state *state.State, c *gin.Context) (bool, error) {
) )
// Perform an explicit is-blocked check on request header. // Perform an explicit is-blocked check on request header.
key, expr, err := state.DB.BlockHeaderRegularMatch(ctx, hdr) key, _, err := state.DB.BlockHeaderRegularMatch(ctx, hdr)
switch err { switch err {
case nil: case nil:
break break
@ -161,12 +150,10 @@ func isHeaderBlocked(state *state.State, c *gin.Context) (bool, error) {
} }
if key != "" { if key != "" {
if expr != "" { // if expr != "" {
// Increment block matches stat. // // TODO: replace expvar with build
// TODO: replace expvar with build // // taggable metrics types in State{}.
// taggable metrics types in State{}. // }
blockMatches.Add(key, expr)
}
// A header was matched against! // A header was matched against!
// i.e. this request is blocked. // i.e. this request is blocked.
@ -183,7 +170,7 @@ func isHeaderAllowed(state *state.State, c *gin.Context) (bool, error) {
) )
// Perform an explicit is-allowed check on request header. // Perform an explicit is-allowed check on request header.
key, expr, err := state.DB.AllowHeaderRegularMatch(ctx, hdr) key, _, err := state.DB.AllowHeaderRegularMatch(ctx, hdr)
switch err { switch err {
case nil: case nil:
break break
@ -198,12 +185,10 @@ func isHeaderAllowed(state *state.State, c *gin.Context) (bool, error) {
} }
if key != "" { if key != "" {
if expr != "" { // if expr != "" {
// Increment allow matches stat. // // TODO: replace expvar with build
// TODO: replace expvar with build // // taggable metrics types in State{}.
// taggable metrics types in State{}. // }
allowMatches.Add(key, expr)
}
// A header was matched against! // A header was matched against!
// i.e. this request is allowed. // i.e. this request is allowed.
@ -220,7 +205,7 @@ func isHeaderNotAllowed(state *state.State, c *gin.Context) (bool, error) {
) )
// Perform an explicit is-NOT-allowed check on request header. // Perform an explicit is-NOT-allowed check on request header.
key, expr, err := state.DB.AllowHeaderInverseMatch(ctx, hdr) key, _, err := state.DB.AllowHeaderInverseMatch(ctx, hdr)
switch err { switch err {
case nil: case nil:
break break
@ -235,12 +220,10 @@ func isHeaderNotAllowed(state *state.State, c *gin.Context) (bool, error) {
} }
if key != "" { if key != "" {
if expr != "" { // if expr != "" {
// Increment allow matches stat. // // TODO: replace expvar with build
// TODO: replace expvar with build // // taggable metrics types in State{}.
// taggable metrics types in State{}. // }
allowMatches.Add(key, expr)
}
// A header was matched against! // A header was matched against!
// i.e. request is NOT allowed. // i.e. request is NOT allowed.
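Review bot: The sentinel errors attached at the three `_ = c.Error(...)` call sites in headerFilterAllowMode and headerFilterBlockMode do not say which header matched, and the same commit discards `expr` (`key, _, err := ...`) in isHeaderBlocked, isHeaderAllowed and isHeaderNotAllowed while removing the only match counters. An operator triaging an unexpected block would see only "header matched block filter", with nothing to tie it to a filter rule. Consider having the helpers return the matched header name and filter expression and wrapping the sentinel, e.g. `_ = c.Error(fmt.Errorf("%w: %s", errHeaderBlocked, key))`, which keeps `errors.Is` working; record the name and expression only, not the request's header value, since that may hold credentials. The commented-out `// if expr != "" { ... // }` blocks would read better as a single `// TODO: record match metrics via otel.` line. All six function bodies start or end outside the hunks shown, so how errors on the context are eventually logged is not visible here.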