forgejo/routers/common/middleware.go

// Copyright 2021 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

package common

import (
	"fmt"
	"net/http"
	"strings"

	"code.gitea.io/gitea/modules/context"
	"code.gitea.io/gitea/modules/log"
	"code.gitea.io/gitea/modules/process"
	"code.gitea.io/gitea/modules/setting"
	"code.gitea.io/gitea/modules/web/routing"

	"github.com/chi-middleware/proxy"
	"github.com/go-chi/chi/v5/middleware"
)

// Middlewares returns common middlewares
func Middlewares() []func(http.Handler) http.Handler {
	handlers := []func(http.Handler) http.Handler{
		func(next http.Handler) http.Handler {
			return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
				// First of all escape the URL RawPath to ensure that all routing is done using a correctly escaped URL
				req.URL.RawPath = req.URL.EscapedPath()

				ctx, _, finished := process.GetManager().AddTypedContext(req.Context(), fmt.Sprintf("%s: %s", req.Method, req.RequestURI), process.RequestProcessType, true)
				defer finished()
				next.ServeHTTP(context.NewResponse(resp), req.WithContext(ctx))
			})
		},
	}

	if setting.ReverseProxyLimit > 0 {
		opt := proxy.NewForwardedHeadersOptions().
			WithForwardLimit(setting.ReverseProxyLimit).
			ClearTrustedProxies()
		for _, n := range setting.ReverseProxyTrustedProxies {
			if !strings.Contains(n, "/") {
				opt.AddTrustedProxy(n)
			} else {
				opt.AddTrustedNetwork(n)
			}
		}
		handlers = append(handlers, proxy.ForwardedHeaders(opt))
	}

	handlers = append(handlers, middleware.StripSlashes)

	if !setting.DisableRouterLog {
		handlers = append(handlers, routing.NewLoggerHandler())
	}

	if setting.EnableAccessLog {
		handlers = append(handlers, context.AccessLogger())
	}

	handlers = append(handlers, func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
			// Why we need this? The Recovery() will try to render a beautiful
			// error page for user, but the process can still panic again, and other
			// middleware like session also may panic then we have to recover twice
			// and send a simple error page that should not panic anymore.
			defer func() {
				if err := recover(); err != nil {
					routing.UpdatePanicError(req.Context(), err)
					combinedErr := fmt.Sprintf("PANIC: %v\n%s", err, log.Stack(2))
					log.Error("%v", combinedErr)
					if setting.IsProd {
						http.Error(resp, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
					} else {
						http.Error(resp, combinedErr, http.StatusInternalServerError)
					}
				}
			}()
			next.ServeHTTP(resp, req)
		})
	})
	return handlers
}
Refactor routers directory (#15800) * refactor routers directory * move func used for web and api to common * make corsHandler a function to prohibit side efects * rm unused func Co-authored-by: 6543 <6543@obermui.de> 2021-06-09 02:33:54 +03:00			`// Copyright 2021 The Gitea Authors. All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`

			`package common`

			`import (`
			`"fmt"`
			`"net/http"`
			`"strings"`

			`"code.gitea.io/gitea/modules/context"`
			`"code.gitea.io/gitea/modules/log"`
Make Requests Processes and create process hierarchy. Associate OpenRepository with context. (#17125) This PR registers requests with the process manager and manages hierarchy within the processes. Git repos are then associated with a context, (usually the request's context) - with sub commands using this context as their base context. Signed-off-by: Andrew Thornton <art27@cantab.net> 2021-11-30 23:06:32 +03:00			`"code.gitea.io/gitea/modules/process"`
Refactor routers directory (#15800) * refactor routers directory * move func used for web and api to common * make corsHandler a function to prohibit side efects * rm unused func Co-authored-by: 6543 <6543@obermui.de> 2021-06-09 02:33:54 +03:00			`"code.gitea.io/gitea/modules/setting"`
Refactor Router Logger (#17308) Make router logger more friendly, show the related function name/file/line. [BREAKING] This PR substantially changes the logging format of the router logger. If you use this logging for monitoring e.g. fail2ban you will need to update this to match the new format. 2022-01-20 14:41:25 +03:00			`"code.gitea.io/gitea/modules/web/routing"`
Refactor routers directory (#15800) * refactor routers directory * move func used for web and api to common * make corsHandler a function to prohibit side efects * rm unused func Co-authored-by: 6543 <6543@obermui.de> 2021-06-09 02:33:54 +03:00
			`"github.com/chi-middleware/proxy"`
Update chi/middleware to chi/v5/middleware (#17888) Fix #17880 Co-authored-by: Lauris BH <lauris@nix.lv> 2021-12-02 23:58:08 +03:00			`"github.com/go-chi/chi/v5/middleware"`
Refactor routers directory (#15800) * refactor routers directory * move func used for web and api to common * make corsHandler a function to prohibit side efects * rm unused func Co-authored-by: 6543 <6543@obermui.de> 2021-06-09 02:33:54 +03:00			`)`

			`// Middlewares returns common middlewares`
			`func Middlewares() []func(http.Handler) http.Handler {`
format with gofumpt (#18184) * gofumpt -w -l . * gofumpt -w -l -extra . * Add linter * manual fix * change make fmt 2022-01-20 20:46:10 +03:00			`handlers := []func(http.Handler) http.Handler{`
Refactor routers directory (#15800) * refactor routers directory * move func used for web and api to common * make corsHandler a function to prohibit side efects * rm unused func Co-authored-by: 6543 <6543@obermui.de> 2021-06-09 02:33:54 +03:00			`func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {`
Instead of using routerCtx just escape the url before routing (#18086) A consequence of forcibly setting the RoutePath to the escaped url is that the auto routing to endpoints without terminal slashes fails (Causing #18060.) This failure raises the possibility that forcibly setting the RoutePath causes other unexpected behaviors too. Therefore, instead we should simply pre-escape the URL in the process registering handler. Then the request URL will be properly escaped for all the following calls. Fix #17938 Fix #18060 Replace #18062 Replace #17997 Signed-off-by: Andrew Thornton <art27@cantab.net> 2021-12-24 19:50:49 +03:00			`// First of all escape the URL RawPath to ensure that all routing is done using a correctly escaped URL`
			`req.URL.RawPath = req.URL.EscapedPath()`

Add Goroutine stack inspector to admin/monitor (#19207) Continues on from #19202. Following the addition of pprof labels we can now more easily understand the relationship between a goroutine and the requests that spawn them. This PR takes advantage of the labels and adds a few others, then provides a mechanism for the monitoring page to query the pprof goroutine profile. The binary profile that results from this profile is immediately piped in to the google library for parsing this and then stack traces are formed for the goroutines. If the goroutine is within a context or has been created from a goroutine within a process context it will acquire the process description labels for that process. The goroutines are mapped with there associate pids and any that do not have an associated pid are placed in a group at the bottom as unbound. In this way we should be able to more easily examine goroutines that have been stuck. A manager command `gitea manager processes` is also provided that can export the processes (with or without stacktraces) to the command line. Signed-off-by: Andrew Thornton <art27@cantab.net> 2022-03-31 20:01:43 +03:00			`ctx, _, finished := process.GetManager().AddTypedContext(req.Context(), fmt.Sprintf("%s: %s", req.Method, req.RequestURI), process.RequestProcessType, true)`
Make Requests Processes and create process hierarchy. Associate OpenRepository with context. (#17125) This PR registers requests with the process manager and manages hierarchy within the processes. Git repos are then associated with a context, (usually the request's context) - with sub commands using this context as their base context. Signed-off-by: Andrew Thornton <art27@cantab.net> 2021-11-30 23:06:32 +03:00			`defer finished()`
			`next.ServeHTTP(context.NewResponse(resp), req.WithContext(ctx))`
Refactor routers directory (#15800) * refactor routers directory * move func used for web and api to common * make corsHandler a function to prohibit side efects * rm unused func Co-authored-by: 6543 <6543@obermui.de> 2021-06-09 02:33:54 +03:00			`})`
			`},`
			`}`

			`if setting.ReverseProxyLimit > 0 {`
			`opt := proxy.NewForwardedHeadersOptions().`
			`WithForwardLimit(setting.ReverseProxyLimit).`
			`ClearTrustedProxies()`
			`for _, n := range setting.ReverseProxyTrustedProxies {`
			`if !strings.Contains(n, "/") {`
			`opt.AddTrustedProxy(n)`
			`} else {`
			`opt.AddTrustedNetwork(n)`
			`}`
			`}`
			`handlers = append(handlers, proxy.ForwardedHeaders(opt))`
			`}`

			`handlers = append(handlers, middleware.StripSlashes)`

Refactor Router Logger (#17308) Make router logger more friendly, show the related function name/file/line. [BREAKING] This PR substantially changes the logging format of the router logger. If you use this logging for monitoring e.g. fail2ban you will need to update this to match the new format. 2022-01-20 14:41:25 +03:00			`if !setting.DisableRouterLog {`
			`handlers = append(handlers, routing.NewLoggerHandler())`
Refactor routers directory (#15800) * refactor routers directory * move func used for web and api to common * make corsHandler a function to prohibit side efects * rm unused func Co-authored-by: 6543 <6543@obermui.de> 2021-06-09 02:33:54 +03:00			`}`
Refactor Router Logger (#17308) Make router logger more friendly, show the related function name/file/line. [BREAKING] This PR substantially changes the logging format of the router logger. If you use this logging for monitoring e.g. fail2ban you will need to update this to match the new format. 2022-01-20 14:41:25 +03:00
Refactor routers directory (#15800) * refactor routers directory * move func used for web and api to common * make corsHandler a function to prohibit side efects * rm unused func Co-authored-by: 6543 <6543@obermui.de> 2021-06-09 02:33:54 +03:00			`if setting.EnableAccessLog {`
			`handlers = append(handlers, context.AccessLogger())`
			`}`

			`handlers = append(handlers, func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {`
			`// Why we need this? The Recovery() will try to render a beautiful`
			`// error page for user, but the process can still panic again, and other`
			`// middleware like session also may panic then we have to recover twice`
Refactor Router Logger (#17308) Make router logger more friendly, show the related function name/file/line. [BREAKING] This PR substantially changes the logging format of the router logger. If you use this logging for monitoring e.g. fail2ban you will need to update this to match the new format. 2022-01-20 14:41:25 +03:00			`// and send a simple error page that should not panic anymore.`
Refactor routers directory (#15800) * refactor routers directory * move func used for web and api to common * make corsHandler a function to prohibit side efects * rm unused func Co-authored-by: 6543 <6543@obermui.de> 2021-06-09 02:33:54 +03:00			`defer func() {`
			`if err := recover(); err != nil {`
Refactor Router Logger (#17308) Make router logger more friendly, show the related function name/file/line. [BREAKING] This PR substantially changes the logging format of the router logger. If you use this logging for monitoring e.g. fail2ban you will need to update this to match the new format. 2022-01-20 14:41:25 +03:00			`routing.UpdatePanicError(req.Context(), err)`
			`combinedErr := fmt.Sprintf("PANIC: %v\n%s", err, log.Stack(2))`
Refactor routers directory (#15800) * refactor routers directory * move func used for web and api to common * make corsHandler a function to prohibit side efects * rm unused func Co-authored-by: 6543 <6543@obermui.de> 2021-06-09 02:33:54 +03:00			`log.Error("%v", combinedErr)`
Use a variable but a function for IsProd because of a slight performance increment (#17368) 2021-10-20 17:37:19 +03:00			`if setting.IsProd {`
Update HTTP status codes to modern codes (#18063) * 2xx/3xx/4xx/5xx -> http.Status... * http.StatusFound -> http.StatusTemporaryRedirect * http.StatusMovedPermanently -> http.StatusPermanentRedirect 2022-03-23 07:54:07 +03:00			`http.Error(resp, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)`
Refactor routers directory (#15800) * refactor routers directory * move func used for web and api to common * make corsHandler a function to prohibit side efects * rm unused func Co-authored-by: 6543 <6543@obermui.de> 2021-06-09 02:33:54 +03:00			`} else {`
Update HTTP status codes to modern codes (#18063) * 2xx/3xx/4xx/5xx -> http.Status... * http.StatusFound -> http.StatusTemporaryRedirect * http.StatusMovedPermanently -> http.StatusPermanentRedirect 2022-03-23 07:54:07 +03:00			`http.Error(resp, combinedErr, http.StatusInternalServerError)`
Refactor routers directory (#15800) * refactor routers directory * move func used for web and api to common * make corsHandler a function to prohibit side efects * rm unused func Co-authored-by: 6543 <6543@obermui.de> 2021-06-09 02:33:54 +03:00			`}`
			`}`
			`}()`
			`next.ServeHTTP(resp, req)`
			`})`
			`})`
			`return handlers`
			`}`