author | Vivien Kraus <vivien@planete-kraus.eu> | 2021-10-13 17:08:30 +0200 |
---|---|---|
committer | Vivien Kraus <vivien@planete-kraus.eu> | 2021-10-19 11:33:00 +0200 |
commit | c2f4994c20072c11d407d506e7416e2c609d0ca3 (patch) | |
tree | 86d20c1f2cf608c60c23d808c0a22346a81a84a7 | |
parent | a219bf64933d3313aebe0e5576b291e32e93d93f (diff) |
server: add a reverse proxy endpoint
-rw-r--r-- | doc/disfluid.texi | 26 | ||||
-rw-r--r-- | po/POTFILES.in | 1 | ||||
-rw-r--r-- | po/disfluid.pot | 33 | ||||
-rw-r--r-- | po/fr.po | 35 | ||||
-rw-r--r-- | src/scm/webid-oidc/reverse-proxy.scm | 56 | ||||
-rw-r--r-- | src/scm/webid-oidc/server/endpoint/Makefile.am | 6 | ||||
-rw-r--r-- | src/scm/webid-oidc/server/endpoint/reverse-proxy.scm | 144 | ||||
-rw-r--r-- | tests/Makefile.am | 5 | ||||
-rw-r--r-- | tests/reverse-proxy-502.scm | 62 | ||||
-rw-r--r-- | tests/reverse-proxy-anonymous.scm | 124 | ||||
-rw-r--r-- | tests/reverse-proxy.scm | 125 |
11 files changed, 571 insertions, 46 deletions
diff --git a/doc/disfluid.texi b/doc/disfluid.texi index 6b9ad08..17a985c 100644 --- a/doc/disfluid.texi +++ b/doc/disfluid.texi @@ -1546,6 +1546,7 @@ the user. @menu * Error signalling:: * Router endpoint:: +* Reverse proxy:: @end menu @node Error signalling @@ -1632,6 +1633,31 @@ turn, or return a 404 Not Found response if no endpoint is relevant. Return the list of endpoints for @var{router}. @end deffn +@node Reverse proxy +@section Reverse proxy +The @emph{(webid-oidc server endpoint reverse-proxy)} module defines a +@dfn{reverse proxy}, an endpoint that passes the incoming request to a +backend server with added metadata. + +@deftp {Class} <reverse-proxy> (<endpoint>) @var{backend-uri} @var{authentication-header} +This endpoint will handle the incoming requests by adding a header, +named @var{authentication-header} (a symbol), to hold the webid of the +authentified user, and passing it to the server listening at +@var{backend-uri} (an URI). + +You can construct it with @code{#:@var{backend-uri}} and +@code{#:@var{authentication-header}}. +@end deftp + +@deffn {Generic} backend-uri @var{reverse-proxy} +Return the URI where requests are passed. +@end deffn + +@deffn {Generic} authentication-header @var{reverse-proxy} +Return the header set by the reverse proxy to hold the authenticated +webid. +@end deffn + @node Running an Identity Provider @chapter Running an Identity Provider diff --git a/po/POTFILES.in b/po/POTFILES.in index 99578f5..13ec133 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -79,6 +79,7 @@ src/scm/webid-oidc/serve.scm src/scm/webid-oidc/server/create.scm src/scm/webid-oidc/server/delete.scm src/scm/webid-oidc/server/endpoint.scm +src/scm/webid-oidc/server/endpoint/reverse-proxy.scm src/scm/webid-oidc/server/log.scm src/scm/webid-oidc/server/precondition.scm src/scm/webid-oidc/server/read.scm diff --git a/po/disfluid.pot b/po/disfluid.pot index c4468f3..a4070f9 100644 --- a/po/disfluid.pot +++ b/po/disfluid.pot 
@@ -282,6 +282,7 @@ msgstr "" #: src/scm/webid-oidc/hello-world.scm:167 #: src/scm/webid-oidc/hello-world.scm:187 #: src/scm/webid-oidc/identity-provider.scm:136 +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:125 #: src/scm/webid-oidc/token-endpoint.scm:113 #: src/scm/webid-oidc/token-endpoint.scm:139 #: src/scm/webid-oidc/token-endpoint.scm:166 @@ -2184,7 +2185,7 @@ msgstr "" msgid "reason-phrase|Not Acceptable" msgstr "" -#: src/scm/webid-oidc/reverse-proxy.scm:58 +#: src/scm/webid-oidc/reverse-proxy.scm:60 msgid "#:endpoint argument is not present or not an URI." msgstr "" @@ -2251,6 +2252,36 @@ msgstr "" msgid "The resource could not be found." msgstr "" +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:77 +msgid "#:backend-uri should be an URI" +msgstr "" + +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:82 +msgid "#:authentication-header should be a symbol" +msgstr "" + +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:109 +#, scheme-format +msgid "~a: reverse proxy failure: ~a\n" +msgstr "" + +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:113 +#, scheme-format +msgid "~a: reverse proxy failure\n" +msgstr "" + +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:118 +msgid "reason-phrase|Bad Gateway" +msgstr "" + +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:127 +msgid "page-title|Bad Gateway" +msgstr "" + +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:129 +msgid "The backend server could not be contacted." +msgstr "" + #: src/scm/webid-oidc/server/read.scm:101 #, scheme-format msgid "the auxiliary resource of type ~s at ~s is absent" 
@@ -3,7 +3,7 @@ msgstr "" "Project-Id-Version: webid-oidc 0.0.0\n" "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" "POT-Creation-Date: 2021-10-19 11:31+0200\n" -"PO-Revision-Date: 2021-10-19 11:31+0200\n" +"PO-Revision-Date: 2021-10-19 11:32+0200\n" "Last-Translator: Vivien Kraus <vivien@planete-kraus.eu>\n" "Language-Team: French <vivien@planete-kraus.eu>\n" "Language: fr\n" @@ -313,6 +313,7 @@ msgstr "" #: src/scm/webid-oidc/hello-world.scm:167 #: src/scm/webid-oidc/hello-world.scm:187 #: src/scm/webid-oidc/identity-provider.scm:136 +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:125 #: src/scm/webid-oidc/token-endpoint.scm:113 #: src/scm/webid-oidc/token-endpoint.scm:139 #: src/scm/webid-oidc/token-endpoint.scm:166 @@ -2579,7 +2580,7 @@ msgstr "Type de Média Non Supporté" msgid "reason-phrase|Not Acceptable" msgstr "Inacceptable" -#: src/scm/webid-oidc/reverse-proxy.scm:58 +#: src/scm/webid-oidc/reverse-proxy.scm:60 msgid "#:endpoint argument is not present or not an URI." msgstr "l’argument de #:endpoint n’est pas présent, ou pas une URI." 
@@ -2648,6 +2649,36 @@ msgstr "Non Trouvé" msgid "The resource could not be found." msgstr "La ressource n’a pas été trouvée." +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:77 +msgid "#:backend-uri should be an URI" +msgstr "#:backend-uri doit être une URI" + +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:82 +msgid "#:authentication-header should be a symbol" +msgstr "#:authentication-header doit être un symbole" + +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:109 +#, scheme-format +msgid "~a: reverse proxy failure: ~a\n" +msgstr "~a : échec de proxy inversé : ~a\n" + +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:113 +#, scheme-format +msgid "~a: reverse proxy failure\n" +msgstr "~a : échec de proxy inversé\n" + +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:118 +msgid "reason-phrase|Bad Gateway" +msgstr "Passerelle Invalide" + +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:127 +msgid "page-title|Bad Gateway" +msgstr "Passerelle Invalide" + +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:129 +msgid "The backend server could not be contacted." +msgstr "Le serveur de sortie n’a pas pu être contacté." + #: src/scm/webid-oidc/server/read.scm:101 #, scheme-format msgid "the auxiliary resource of type ~s at ~s is absent" diff --git a/src/scm/webid-oidc/reverse-proxy.scm b/src/scm/webid-oidc/reverse-proxy.scm index ee4878e..4221fa5 100644 --- a/src/scm/webid-oidc/reverse-proxy.scm +++ b/src/scm/webid-oidc/reverse-proxy.scm @@ -34,6 +34,8 @@ #:use-module (webid-oidc cache) #:use-module (webid-oidc web-i18n) #:use-module (web server) + #:use-module (webid-oidc server endpoint) + #:use-module (webid-oidc server endpoint reverse-proxy) #:declarative? #t #:export ( 
@@ -56,6 +58,10 @@ #:server-uri server-uri)) (unless (and endpoint (uri? endpoint)) (fail (G_ "#:endpoint argument is not present or not an URI."))) + (define backend + (make <reverse-proxy> + #:backend-uri endpoint + #:authentication-header auth-header)) (lambda (request request-body) (let ((agent (catch #t 
@@ -72,43 +78,13 @@ (request-time ((p:current-date)))) (parameterize ((p:current-date request-time) (web-locale request)) - ;; The time is now set for the duration of the request - (let ((raw-headers (request-headers request))) - (let ((modified-headers - (append - (if agent - (list (cons auth-header (uri->string agent))) - '()) - (filter - (lambda (h) - (not (eq? (car h) auth-header))) - raw-headers)))) - (let ((modified-request - (build-request - (request-uri request) - #:method (request-method request) - #:headers modified-headers))) - (let ((port (open-socket-for-uri endpoint))) - (let ((request-with-port - (write-request modified-request port))) - (when request-body - (unless (bytevector? request-body) - (set! request-body (string->utf8 request-body))) - (write-request-body request-with-port request-body)) - (force-output (request-port request-with-port)) - (let ((response (read-response port))) - (let ((response-body - (or (response-must-not-include-body? response) - (read-response-body response)))) - (let ((adapted-response - (build-response - #:code (response-code response) - #:reason-phrase (response-reason-phrase response) - #:headers - (append - (if (eqv? (response-code response) 401) - (list (cons 'www-authenticate '((DPoP)))) - '()) - (response-headers response))))) - (close-port port) - (values adapted-response response-body))))))))))))) + (set! request + (build-request (request-uri request) + #:method (request-method request) + #:version (request-version request) + #:headers (request-headers request) + #:port (request-port request) + #:meta `((user . ,agent) ,@(request-meta request)))) + (receive (response response-body response-meta) + (handle backend request request-body) + (values response response-body)))))) diff --git a/src/scm/webid-oidc/server/endpoint/Makefile.am b/src/scm/webid-oidc/server/endpoint/Makefile.am index e32794d..ba4799a 100644 --- a/src/scm/webid-oidc/server/endpoint/Makefile.am 
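Review bot: The rewritten handler drops the `www-authenticate: DPoP` challenge that the removed lines added to a 401 coming back from the backend — the new `(values response response-body)` forwards the backend response untouched, and the `handle` method on `<reverse-proxy>` introduced in this same commit does not add it either. Unless that header is produced somewhere else in the pipeline, clients hitting a protected resource anonymously no longer learn that DPoP-bound tokens are expected, which is a visible behaviour change rather than a pure refactor. Restoring it is a short wrapper around the forwarded response, e.g. `(build-response #:code (response-code response) #:reason-phrase (response-reason-phrase response) #:headers (append (if (eqv? (response-code response) 401) '((www-authenticate (DPoP))) '()) (response-headers response)))`, applied before the `values`. The `response-meta` value returned by `handle` is also silently discarded here; a comment saying that is intentional would help. The enclosing `lambda (request request-body)` begins before this hunk.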
+++ b/src/scm/webid-oidc/server/endpoint/Makefile.am
@@ -14,6 +14,8 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see <https://www.gnu.org/licenses/>.
 
-dist_endpointserverwebidoidcmod_DATA +=
+dist_endpointserverwebidoidcmod_DATA += \
+ %reldir%/reverse-proxy.scm
 
-endpointserverwebidoidcgo_DATA +=
+endpointserverwebidoidcgo_DATA += \
+ %reldir%/reverse-proxy.go
diff --git a/src/scm/webid-oidc/server/endpoint/reverse-proxy.scm b/src/scm/webid-oidc/server/endpoint/reverse-proxy.scm
new file mode 100644
index 0000000..a082882
--- /dev/null
+++ b/src/scm/webid-oidc/server/endpoint/reverse-proxy.scm
@@ -0,0 +1,144 @@ +;; disfluid, implementation of the Solid specification +;; Copyright (C) 2021 Vivien Kraus + +;; This program is free software: you can redistribute it and/or modify +;; it under the terms of the GNU Affero General Public License as +;; published by the Free Software Foundation, either version 3 of the +;; License, or (at your option) any later version. + +;; This program is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU Affero General Public License for more details. + +;; You should have received a copy of the GNU Affero General Public License +;; along with this program. If not, see <https://www.gnu.org/licenses/>. + +(define-module (webid-oidc server endpoint reverse-proxy) + #:use-module (webid-oidc errors) + #:use-module (webid-oidc provider-confirmation) + #:use-module (webid-oidc server endpoint) + #:use-module ((webid-oidc parameters) #:prefix p:) + #:use-module ((webid-oidc config) #:prefix cfg:) + #:use-module (web request) + #:use-module (web response) + #:use-module (web uri) + #:use-module (web server) + #:use-module (web client) + #:use-module (ice-9 optargs) + #:use-module (ice-9 receive) + #:use-module (webid-oidc web-i18n) + #:use-module (webid-oidc offloading) + #:use-module (ice-9 getopt-long) + #:use-module (ice-9 suspendable-ports) + #:use-module (ice-9 control) + #:use-module (ice-9 match) + #:use-module (ice-9 exceptions) + #:use-module (sxml simple) + #:use-module (srfi srfi-19) + #:use-module (srfi srfi-26) + #:use-module (rnrs bytevectors) + #:use-module (oop goops) + #:duplicates (merge-generics) + #:declarative? 
#t + #:export + ( + <reverse-proxy> + backend-uri + authentication-header + + open-socket-for-uri + )) + +(define open-socket-for-uri + (make-parameter + (@ (web client) open-socket-for-uri))) + +(define-class <reverse-proxy> (<endpoint>) + (backend-uri #:init-keyword #:backend-uri #:getter backend-uri) + (authentication-header + #:init-keyword #:authentication-header + #:getter authentication-header + #:init-value 'XXX-Agent)) + +(define-method (initialize (endpoint <reverse-proxy>) initargs) + (next-method) + (let-keywords + initargs #t + ((backend-uri #f) + (authentication-header 'XXX-Agent)) + (match backend-uri + ((? string? (= string->uri (? uri? the-backend-uri))) + (set! backend-uri the-backend-uri) + (slot-set! endpoint 'backend-uri the-backend-uri)) + (else #t)) + (unless (and backend-uri (uri? backend-uri)) + (scm-error 'wrong-type-arg "make <reverse-proxy>" + (G_ "#:backend-uri should be an URI") + '() + (list backend-uri))) + (unless (symbol? authentication-header) + (scm-error 'wrong-type-arg "make <reverse-proxy>" + (G_ "#:authentication-header should be a symbol") + '() + (list authentication-header))))) + +(define-method (handle (endpoint <reverse-proxy>) request request-body) + (let ((modified-request + (build-request + (request-uri request) + #:method (request-method request) + #:headers + `(,@(let ((user (assq-ref (request-meta request) 'user))) + (if user + `((,(authentication-header endpoint) . ,(uri->string user))) + '())) + ,@(filter + (match-lambda + ((header . _) + (not (string-ci=? + (symbol->string header) + (symbol->string (authentication-header endpoint)))))) + (request-headers request)))))) + (in-another-thread + (let/ec return + (with-exception-handler + (lambda (exn) + (if (exception-with-message? 
exn) + (format (current-error-port) + (G_ "~a: reverse proxy failure: ~a\n") + (date->string ((p:current-date))) + (exception-message exn)) + (format (current-error-port) + (G_ "~a: reverse proxy failure\n") + (date->string ((p:current-date))))) + (return + (build-response + #:code 502 + #:reason-phrase (W_ "reason-phrase|Bad Gateway") + #:headers '((content-type application/xhtml+xml))) + (call-with-output-string + (cute sxml->xml + `(*TOP* + (*PI* xml "version=\"1.0\" encoding=\"utf-8\"") + (html (@ (xmlns "http://www.w3.org/1999/xhtml") + (xml:lang ,(W_ "xml-lang|en"))) + (head + (title ,(W_ "page-title|Bad Gateway"))) + (body + (p ,(W_ "The backend server could not be contacted."))))) + <>)) + '())) + (lambda () + (let ((port ((open-socket-for-uri) (backend-uri endpoint)))) + (let ((request-with-port + (write-request modified-request port))) + (when request-body + (unless (bytevector? request-body) + (set! request-body (string->utf8 request-body))) + (write-request-body request-with-port request-body)) + (force-output (request-port request-with-port)) + (let ((response (read-response port))) + (let ((body (and (not (response-must-not-include-body? response)) + port))) + (values response body '()))))))))))) diff --git a/tests/Makefile.am b/tests/Makefile.am index 2f5c1d6..8cc262b 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -66,7 +66,10 @@ TESTS = %reldir%/load-library.scm \ %reldir%/crud.scm \ %reldir%/preconditions.scm \ %reldir%/xml-keys.scm \ - %reldir%/xml-accounts.scm + %reldir%/xml-accounts.scm \ + %reldir%/reverse-proxy.scm \ + %reldir%/reverse-proxy-502.scm \ + %reldir%/reverse-proxy-anonymous.scm EXTRA_DIST += $(TESTS) %reldir%/ChangeLog diff --git a/tests/reverse-proxy-502.scm b/tests/reverse-proxy-502.scm new file mode 100644 index 0000000..22ef269 --- /dev/null +++ b/tests/reverse-proxy-502.scm 
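Review bot: The backend socket returned by `(open-socket-for-uri)` is never closed in the `handle` method: when `response-must-not-include-body?` is true `body` is `#f` and `port` is simply dropped, and when `write-request` or `read-response` raise, the 502 branch returns without closing `port` either (the inline implementation this replaces called `close-port`). Every HEAD/204/304 reply and every backend failure therefore leaks a descriptor until the port is eventually collected, and any client able to reach the proxy — anonymous requests are forwarded too — can drive that. Close it on both paths, e.g. `(if (response-must-not-include-body? response) (begin (close-port port) (values response #f '())) (values response port '()))` for the no-body case, and a `close-port` guarded against an unset port in the exception handler. When a body is returned the port's ownership passes to the caller of `handle`; a comment above the method stating that the caller must close the body port would make that contract explicit.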
@@ -0,0 +1,62 @@ +;; disfluid, implementation of the Solid specification +;; Copyright (C) 2021 Vivien Kraus + +;; This program is free software: you can redistribute it and/or modify +;; it under the terms of the GNU Affero General Public License as +;; published by the Free Software Foundation, either version 3 of the +;; License, or (at your option) any later version. + +;; This program is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU Affero General Public License for more details. + +;; You should have received a copy of the GNU Affero General Public License +;; along with this program. If not, see <https://www.gnu.org/licenses/>. + +(define-module (tests reverse-proxy-502) + #:use-module (webid-oidc server endpoint) + #:use-module (webid-oidc server endpoint reverse-proxy) + #:use-module (webid-oidc testing) + #:use-module (webid-oidc offloading) + #:use-module ((webid-oidc parameters) #:prefix p:) + #:use-module (oop goops) + #:use-module (web server) + #:use-module (web request) + #:use-module (web response) + #:use-module (web uri) + #:use-module (ice-9 match) + #:use-module (ice-9 receive) + #:use-module (srfi srfi-26) + #:use-module (rnrs bytevectors) + #:declarative? #t + #:duplicates (merge-generics)) + +(with-test-environment + "reverse-proxy-502" + (lambda () + (parameterize + ((p:current-date 0) + (open-socket-for-uri + (lambda _ + (error "This failed.")))) + (with-threads + (let ((reverse-proxy + (make <reverse-proxy> + #:backend-uri (string->uri "https://example.com") + #:authentication-header 'test)) + (request + (build-request + (string->uri "https://example.com") + #:headers '((content-type text/plain) + (test . "https://attack.com/profile/card#me")) + #:meta `((user . 
,(string->uri "https://example.com/profile/card#me"))))) + (request-body (string->utf8 "Hello, world!"))) + (receive (response response-body response-meta) + (handle reverse-proxy request request-body) + (unless (eqv? (response-code response) 502) + (exit 1)) + (primitive-exit 0)))) + (sleep 120) + (format (current-error-port) "Test timeout.\n") + (exit 2)))) diff --git a/tests/reverse-proxy-anonymous.scm b/tests/reverse-proxy-anonymous.scm new file mode 100644 index 0000000..34e113d --- /dev/null +++ b/tests/reverse-proxy-anonymous.scm 
@@ -0,0 +1,124 @@ +;; disfluid, implementation of the Solid specification +;; Copyright (C) 2021 Vivien Kraus + +;; This program is free software: you can redistribute it and/or modify +;; it under the terms of the GNU Affero General Public License as +;; published by the Free Software Foundation, either version 3 of the +;; License, or (at your option) any later version. + +;; This program is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU Affero General Public License for more details. + +;; You should have received a copy of the GNU Affero General Public License +;; along with this program. If not, see <https://www.gnu.org/licenses/>. + +(define-module (tests reverse-proxy-anonymous) + #:use-module (webid-oidc server endpoint) + #:use-module (webid-oidc server endpoint reverse-proxy) + #:use-module (webid-oidc testing) + #:use-module (webid-oidc offloading) + #:use-module ((webid-oidc parameters) #:prefix p:) + #:use-module (oop goops) + #:use-module (web server) + #:use-module (web request) + #:use-module (web response) + #:use-module (web uri) + #:use-module (ice-9 match) + #:use-module (ice-9 receive) + #:use-module (srfi srfi-26) + #:use-module (rnrs bytevectors) + #:declarative? #t + #:duplicates (merge-generics)) + +(with-test-environment + "reverse-proxy-anonymous" + (lambda () + (define request-characters-reversed '()) + (define (push-char c) + (set! 
request-characters-reversed + `(,c ,@request-characters-reversed))) + (define (push-string str) + (for-each push-char (string->list str))) + (define chars-to-read + (string->list + (call-with-output-string + (lambda (port) + (let ((updated + (write-response (build-response + #:headers '((content-type text/plain))) + port))) + (write-response-body updated (string->utf8 "Hello!"))))))) + (parameterize + ((p:current-date 0) + (open-socket-for-uri + (lambda _ + (make-soft-port + (vector + ;; Request character is written: + push-char + ;; Request string is written: + push-string + ;; Flushing output: + (lambda () #t) + ;; Get one character: + (lambda () + (match chars-to-read + ((next rest ...) + (set! chars-to-read rest) + next) + (else + (call-with-input-string "" read)))) ;; EOF + ;; Close the port: + (lambda () #t)) + "rw")))) + (with-threads + (let ((reverse-proxy + (make <reverse-proxy> + #:backend-uri (string->uri "https://example.com") + #:authentication-header 'test)) + (request + (build-request + (string->uri "https://example.com") + #:headers '((content-type text/plain) + (test . "https://attack.com/profile/card#me")) + #:meta '())) + (request-body (string->utf8 "Hello, world!"))) + (receive (response response-body response-meta) + (handle reverse-proxy request request-body) + (unless (eqv? (response-code response) 200) + (exit 1)) + (let ((request-read + (list->string (reverse request-characters-reversed))) + (expected-request + (call-with-output-string + (lambda (port) + (write-request-body + (write-request + (build-request + (string->uri "https://example.com") + #:headers '((host . ("example.com" . #f)) + (content-type text/plain))) + port) + request-body))))) + (unless (equal? request-read expected-request) + (format (current-error-port) "Expected request: +~s +Actual request: +~s +" + expected-request request-read) + (exit 2))) + (set! response-body + (read-response-body response)) + (unless (null? 
chars-to-read) + (format (current-error-port) "Remaining chars to read: ~s\n" + (list->string chars-to-read)) + (exit 3)) + (unless (equal? response-body (string->utf8 "Hello!")) + (exit 4)) + (primitive-exit 0)))) + (sleep 120) + (format (current-error-port) "Test timeout.\n") + (exit 5)))) diff --git a/tests/reverse-proxy.scm b/tests/reverse-proxy.scm new file mode 100644 index 0000000..da074ff --- /dev/null +++ b/tests/reverse-proxy.scm 
@@ -0,0 +1,125 @@ +;; disfluid, implementation of the Solid specification +;; Copyright (C) 2021 Vivien Kraus + +;; This program is free software: you can redistribute it and/or modify +;; it under the terms of the GNU Affero General Public License as +;; published by the Free Software Foundation, either version 3 of the +;; License, or (at your option) any later version. + +;; This program is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU Affero General Public License for more details. + +;; You should have received a copy of the GNU Affero General Public License +;; along with this program. If not, see <https://www.gnu.org/licenses/>. + +(define-module (tests reverse-proxy) + #:use-module (webid-oidc server endpoint) + #:use-module (webid-oidc server endpoint reverse-proxy) + #:use-module (webid-oidc testing) + #:use-module (webid-oidc offloading) + #:use-module ((webid-oidc parameters) #:prefix p:) + #:use-module (oop goops) + #:use-module (web server) + #:use-module (web request) + #:use-module (web response) + #:use-module (web uri) + #:use-module (ice-9 match) + #:use-module (ice-9 receive) + #:use-module (srfi srfi-26) + #:use-module (rnrs bytevectors) + #:declarative? #t + #:duplicates (merge-generics)) + +(with-test-environment + "reverse-proxy" + (lambda () + (define request-characters-reversed '()) + (define (push-char c) + (set! 
request-characters-reversed + `(,c ,@request-characters-reversed))) + (define (push-string str) + (for-each push-char (string->list str))) + (define chars-to-read + (string->list + (call-with-output-string + (lambda (port) + (let ((updated + (write-response (build-response + #:headers '((content-type text/plain))) + port))) + (write-response-body updated (string->utf8 "Hello!"))))))) + (parameterize + ((p:current-date 0) + (open-socket-for-uri + (lambda _ + (make-soft-port + (vector + ;; Request character is written: + push-char + ;; Request string is written: + push-string + ;; Flushing output: + (lambda () #t) + ;; Get one character: + (lambda () + (match chars-to-read + ((next rest ...) + (set! chars-to-read rest) + next) + (else + (call-with-input-string "" read)))) ;; EOF + ;; Close the port: + (lambda () #t)) + "rw")))) + (with-threads + (let ((reverse-proxy + (make <reverse-proxy> + #:backend-uri (string->uri "https://example.com") + #:authentication-header 'test)) + (request + (build-request + (string->uri "https://example.com") + #:headers '((content-type text/plain) + (test . "https://attack.com/profile/card#me")) + #:meta `((user . ,(string->uri "https://example.com/profile/card#me"))))) + (request-body (string->utf8 "Hello, world!"))) + (receive (response response-body response-meta) + (handle reverse-proxy request request-body) + (unless (eqv? (response-code response) 200) + (exit 1)) + (let ((request-read + (list->string (reverse request-characters-reversed))) + (expected-request + (call-with-output-string + (lambda (port) + (write-request-body + (write-request + (build-request + (string->uri "https://example.com") + #:headers '((test . "https://example.com/profile/card#me") + (host . ("example.com" . #f)) + (content-type text/plain))) + port) + request-body))))) + (unless (equal? request-read expected-request) + (format (current-error-port) "Expected request: +~s +Actual request: +~s +" + expected-request request-read) + (exit 2))) + (set! 
response-body + (read-response-body response)) + (unless (null? chars-to-read) + (format (current-error-port) "Remaining chars to read: ~s\n" + (list->string chars-to-read)) + (exit 3)) + (unless (equal? response-body (string->utf8 "Hello!")) + (exit 4)) + (primitive-exit 0)))) + (sleep 120) + (format (current-error-port) "Test timeout.\n") + (exit 5)))) |
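Review bot: The spoofed `test` header in this test only exercises the exact lower-case symbol, while the endpoint strips the authentication header with a `string-ci=?` comparison; sending a second request carrying `(TEST . "https://attack.com/profile/card#me")` (or `Test`) would pin the case-insensitive stripping instead of leaving it untested. Guile's header parser presumably lowercases names read from the wire, so the mixed-case form mostly matters for requests built in-process as here, but it is a one-line addition to the header list and to the expected request.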