server: add a reverse proxy endpoint

author: Vivien Kraus <vivien@planete-kraus.eu> 2021-10-13 17:08:30 +0200
committer: Vivien Kraus <vivien@planete-kraus.eu> 2021-10-19 11:33:00 +0200
commit: c2f4994c20072c11d407d506e7416e2c609d0ca3 (patch)
tree: 86d20c1f2cf608c60c23d808c0a22346a81a84a7 /src
parent: a219bf64933d3313aebe0e5576b291e32e93d93f (diff)
3 files changed, 164 insertions, 42 deletions
diff --git a/src/scm/webid-oidc/reverse-proxy.scm b/src/scm/webid-oidc/reverse-proxy.scm
index ee4878e..4221fa5 100644
--- a/src/scm/webid-oidc/reverse-proxy.scm
+++ b/src/scm/webid-oidc/reverse-proxy.scm
@@ -34,6 +34,8 @@
   #:use-module (webid-oidc cache)
   #:use-module (webid-oidc web-i18n)
   #:use-module (web server)
+  #:use-module (webid-oidc server endpoint)
+  #:use-module (webid-oidc server endpoint reverse-proxy)
   #:declarative? #t
   #:export
   (
@@ -56,6 +58,10 @@
      #:server-uri server-uri))
   (unless (and endpoint (uri? endpoint))
     (fail (G_ "#:endpoint argument is not present or not an URI.")))
+  (define backend
+    (make <reverse-proxy>
+      #:backend-uri endpoint
+      #:authentication-header auth-header))
   (lambda (request request-body)
     (let ((agent
            (catch #t
@@ -72,43 +78,13 @@
           (request-time ((p:current-date))))
       (parameterize ((p:current-date request-time)
                      (web-locale request))
-        ;; The time is now set for the duration of the request
-        (let ((raw-headers (request-headers request)))
-          (let ((modified-headers
-                 (append
-                  (if agent
-                      (list (cons auth-header (uri->string agent)))
-                      '())
-                  (filter
-                   (lambda (h)
-                     (not (eq? (car h) auth-header)))
-                   raw-headers))))
-            (let ((modified-request
-                   (build-request
-                    (request-uri request)
-                    #:method (request-method request)
-                    #:headers modified-headers)))
-              (let ((port (open-socket-for-uri endpoint)))
-                (let ((request-with-port
-                       (write-request modified-request port)))
-                  (when request-body
-                    (unless (bytevector? request-body)
-                      (set! request-body (string->utf8 request-body)))
-                    (write-request-body request-with-port request-body))
-                  (force-output (request-port request-with-port))
-                  (let ((response (read-response port)))
-                    (let ((response-body
-                           (or (response-must-not-include-body? response)
-                               (read-response-body response))))
-                      (let ((adapted-response
-                             (build-response
-                              #:code (response-code response)
-                              #:reason-phrase (response-reason-phrase response)
-                              #:headers
-                              (append
-                               (if (eqv? (response-code response) 401)
-                                   (list (cons 'www-authenticate '((DPoP))))
-                                   '())
-                               (response-headers response)))))
-                        (close-port port)
-                        (values adapted-response response-body)))))))))))))
+        (set! request
+              (build-request (request-uri request)
+                             #:method (request-method request)
+                             #:version (request-version request)
+                             #:headers (request-headers request)
+                             #:port (request-port request)
+                             #:meta `((user . ,agent) ,@(request-meta request))))
+        (receive (response response-body response-meta)
+            (handle backend request request-body)
+          (values response response-body))))))
diff --git a/src/scm/webid-oidc/server/endpoint/Makefile.am b/src/scm/webid-oidc/server/endpoint/Makefile.am
index e32794d..ba4799a 100644
--- a/src/scm/webid-oidc/server/endpoint/Makefile.am
+++ b/src/scm/webid-oidc/server/endpoint/Makefile.am
@@ -14,6 +14,8 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
-dist_endpointserverwebidoidcmod_DATA +=
+dist_endpointserverwebidoidcmod_DATA += \
+  %reldir%/reverse-proxy.scm
 
-endpointserverwebidoidcgo_DATA +=
+endpointserverwebidoidcgo_DATA += \
+  %reldir%/reverse-proxy.go
diff --git a/src/scm/webid-oidc/server/endpoint/reverse-proxy.scm b/src/scm/webid-oidc/server/endpoint/reverse-proxy.scm
new file mode 100644
index 0000000..a082882
--- /dev/null
+++ b/src/scm/webid-oidc/server/endpoint/reverse-proxy.scm
@@ -0,0 +1,144 @@
+;; disfluid, implementation of the Solid specification
+;; Copyright (C) 2021  Vivien Kraus
+
+;; This program is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU Affero General Public License as
+;; published by the Free Software Foundation, either version 3 of the
+;; License, or (at your option) any later version.
+
+;; This program is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;; GNU Affero General Public License for more details.
+
+;; You should have received a copy of the GNU Affero General Public License
+;; along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+(define-module (webid-oidc server endpoint reverse-proxy)
+  #:use-module (webid-oidc errors)
+  #:use-module (webid-oidc provider-confirmation)
+  #:use-module (webid-oidc server endpoint)
+  #:use-module ((webid-oidc parameters) #:prefix p:)
+  #:use-module ((webid-oidc config) #:prefix cfg:)
+  #:use-module (web request)
+  #:use-module (web response)
+  #:use-module (web uri)
+  #:use-module (web server)
+  #:use-module (web client)
+  #:use-module (ice-9 optargs)
+  #:use-module (ice-9 receive)
+  #:use-module (webid-oidc web-i18n)
+  #:use-module (webid-oidc offloading)
+  #:use-module (ice-9 getopt-long)
+  #:use-module (ice-9 suspendable-ports)
+  #:use-module (ice-9 control)
+  #:use-module (ice-9 match)
+  #:use-module (ice-9 exceptions)
+  #:use-module (sxml simple)
+  #:use-module (srfi srfi-19)
+  #:use-module (srfi srfi-26)
+  #:use-module (rnrs bytevectors)
+  #:use-module (oop goops)
+  #:duplicates (merge-generics)
+  #:declarative? #t
+  #:export
+  (
+   <reverse-proxy>
+   backend-uri
+   authentication-header
+
+   open-socket-for-uri
+   ))
+
+(define open-socket-for-uri
+  (make-parameter
+   (@ (web client) open-socket-for-uri)))
+
+(define-class <reverse-proxy> (<endpoint>)
+  (backend-uri #:init-keyword #:backend-uri #:getter backend-uri)
+  (authentication-header
+   #:init-keyword #:authentication-header
+   #:getter authentication-header
+   #:init-value 'XXX-Agent))
+
+(define-method (initialize (endpoint <reverse-proxy>) initargs)
+  (next-method)
+  (let-keywords
+   initargs #t
+   ((backend-uri #f)
+    (authentication-header 'XXX-Agent))
+   (match backend-uri
+     ((? string? (= string->uri (? uri? the-backend-uri)))
+      (set! backend-uri the-backend-uri)
+      (slot-set! endpoint 'backend-uri the-backend-uri))
+     (else #t))
+   (unless (and backend-uri (uri? backend-uri))
+     (scm-error 'wrong-type-arg "make <reverse-proxy>"
+                (G_ "#:backend-uri should be an URI")
+                '()
+                (list backend-uri)))
+   (unless (symbol? authentication-header)
+     (scm-error 'wrong-type-arg "make <reverse-proxy>"
+                (G_ "#:authentication-header should be a symbol")
+                '()
+                (list authentication-header)))))
+
+(define-method (handle (endpoint <reverse-proxy>) request request-body)
+  (let ((modified-request
+         (build-request
+          (request-uri request)
+          #:method (request-method request)
+          #:headers
+          `(,@(let ((user (assq-ref (request-meta request) 'user)))
+                (if user
+                    `((,(authentication-header endpoint) . ,(uri->string user)))
+                    '()))
+            ,@(filter
+               (match-lambda
+                 ((header . _)
+                  (not (string-ci=?
+                        (symbol->string header)
+                        (symbol->string (authentication-header endpoint))))))
+               (request-headers request))))))
+    (in-another-thread
+     (let/ec return
+       (with-exception-handler
+           (lambda (exn)
+             (if (exception-with-message? exn)
+                 (format (current-error-port)
+                         (G_ "~a: reverse proxy failure: ~a\n")
+                         (date->string ((p:current-date)))
+                         (exception-message exn))
+                 (format (current-error-port)
+                         (G_ "~a: reverse proxy failure\n")
+                         (date->string ((p:current-date)))))
+             (return
+              (build-response
+               #:code 502
+               #:reason-phrase (W_ "reason-phrase|Bad Gateway")
+               #:headers '((content-type application/xhtml+xml)))
+              (call-with-output-string
+                (cute sxml->xml
+                      `(*TOP*
+                        (*PI* xml "version=\"1.0\" encoding=\"utf-8\"")
+                        (html (@ (xmlns "http://www.w3.org/1999/xhtml")
+                                 (xml:lang ,(W_ "xml-lang|en")))
+                              (head
+                               (title ,(W_ "page-title|Bad Gateway")))
+                              (body
+                               (p ,(W_ "The backend server could not be contacted.")))))
+                      <>))
+              '()))
+         (lambda ()
+           (let ((port ((open-socket-for-uri) (backend-uri endpoint))))
+             (let ((request-with-port
+                    (write-request modified-request port)))
+               (when request-body
+                 (unless (bytevector? request-body)
+                   (set! request-body (string->utf8 request-body)))
+                 (write-request-body request-with-port request-body))
+               (force-output (request-port request-with-port))
+               (let ((response (read-response port)))
+                 (let ((body (and (not (response-must-not-include-body? response))
+                                  port)))
+                   (values response body '())))))))))))
author	Vivien Kraus <vivien@planete-kraus.eu>	2021-10-13 17:08:30 +0200
committer	Vivien Kraus <vivien@planete-kraus.eu>	2021-10-19 11:33:00 +0200
commit	c2f4994c20072c11d407d506e7416e2c609d0ca3 (patch)
tree	86d20c1f2cf608c60c23d808c0a22346a81a84a7 /src
parent	a219bf64933d3313aebe0e5576b291e32e93d93f (diff)