Pull most configurable functions into plugins (#22)

Author: sethfowler

relay/config.go

@@ -3,9 +3,7 @@ package relay
 import (
 	"fmt"
 	"net/url"
-	"regexp"
 	"strconv"
-	"strings"
 
 	"github.com/fullstorydev/relay-core/relay/commands"
 	"github.com/fullstorydev/relay-core/relay/traffic"
@@ -36,6 +34,8 @@ func ReadConfig(env *commands.Environment) (*Config, error) {
 	if err := env.ParseRequired("TRAFFIC_RELAY_TARGET", func(key string, value string) error {
 		if targetURL, err := url.Parse(value); err != nil {
 			return err
+		} else if targetURL.Scheme == "" || targetURL.Host == "" {
+			return fmt.Errorf("Invalid or relative target URL")
 		} else {
 			config.Relay.TargetScheme = targetURL.Scheme
 			config.Relay.TargetHost = targetURL.Host
@@ -45,12 +45,6 @@ func ReadConfig(env *commands.Environment) (*Config, error) {
 		return nil, err
 	}
 
-	if cookiesVar, ok := env.LookupOptional("TRAFFIC_RELAY_COOKIES"); ok {
-		for _, cookieName := range strings.Split(cookiesVar, " ") { // Should we support spaces?
-			config.Relay.RelayedCookies[cookieName] = true
-		}
-	}
-
 	if err := env.ParseOptional("TRAFFIC_RELAY_MAX_BODY_SIZE", func(key string, value string) error {
 		if maxBodySize, err := strconv.ParseInt(value, 10, 64); err != nil {
 			return err
@@ -62,35 +56,5 @@ func ReadConfig(env *commands.Environment) (*Config, error) {
 		return nil, err
 	}
 
-	if originOverrideVar, ok := env.LookupOptional("TRAFFIC_RELAY_ORIGIN_OVERRIDE"); ok {
-		config.Relay.OriginOverride = originOverrideVar
-	}
-
-	if err := env.ParseOptional("TRAFFIC_RELAY_SPECIALS", func(key string, value string) error {
-		specialsTokens := strings.Split(value, " ")
-		if len(specialsTokens)%2 != 0 {
-			return fmt.Errorf("Last key has no value")
-		}
-
-		for i := 0; i < len(specialsTokens); i += 2 {
-			matchVar := specialsTokens[i]
-			replacementString := specialsTokens[i+1]
-			matchRE, err := regexp.Compile(matchVar)
-			if err != nil {
-				return fmt.Errorf("Could not compile regular expression \"%v\": %v", matchVar, err)
-			}
-			special := traffic.SpecialPath{
-				Match:       matchRE,
-				Replacement: replacementString,
-			}
-			config.Relay.SpecialPaths = append(config.Relay.SpecialPaths, special)
-			logger.Printf("Relaying special expression \"%v\" to \"%v\"", special.Match, special.Replacement)
-		}
-
-		return nil
-	}); err != nil {
-		return nil, err
-	}
-
 	return config, nil
 }

relay/main/main.go

@@ -7,19 +7,11 @@ import (
 
 	"github.com/fullstorydev/relay-core/relay"
 	"github.com/fullstorydev/relay-core/relay/commands"
-	"github.com/fullstorydev/relay-core/relay/plugins/traffic/content-blocker-plugin"
-	"github.com/fullstorydev/relay-core/relay/plugins/traffic/paths-plugin"
-	"github.com/fullstorydev/relay-core/relay/traffic"
+	"github.com/fullstorydev/relay-core/relay/traffic/plugin-loader"
 )
 
 var logger = log.New(os.Stdout, "[relay] ", 0)
 
-// The default set of traffic plugins.
-var DefaultPlugins = []traffic.PluginFactory{
-	paths_plugin.Factory,
-	content_blocker_plugin.Factory,
-}
-
 func main() {
 	envProvider := commands.NewDefaultEnvironmentProvider()
 	env := commands.NewEnvironment(envProvider)
@@ -29,7 +21,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	trafficPlugins, err := traffic.LoadPlugins(DefaultPlugins, env)
+	trafficPlugins, err := plugin_loader.Load(plugin_loader.DefaultPlugins, env)
 	if err != nil {
 		logger.Println(err)
 		os.Exit(1)

relay/plugins/traffic/content-blocker-plugin/content-blocker-plugin.go

@@ -101,7 +101,15 @@ func (plug contentBlockerPlugin) Name() string {
 	return pluginName
 }
 
-func (plug contentBlockerPlugin) HandleRequest(response http.ResponseWriter, request *http.Request, serviced bool) bool {
+func (plug contentBlockerPlugin) HandleRequest(
+	response http.ResponseWriter,
+	request *http.Request,
+	info traffic.RequestInfo,
+) bool {
+	if info.Serviced {
+		return false
+	}
+
 	if serviced := plug.blockHeaderContent(response, request); serviced {
 		return true
 	}

relay/plugins/traffic/cookies-plugin/cookies-plugin.go

@@ -0,0 +1,106 @@
+package cookies_plugin
+
+// The Cookies plugin provides the capability to allowlist cookies on incoming
+// requests. By default, all cookies are blocked. This is because in the context
+// of the relay, cookies are quite high-risk; it usually runs in a first-party
+// context, so the risk of receiving cookies that were intended for another
+// service is substantial.
+
+import (
+	"log"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/fullstorydev/relay-core/relay/commands"
+	"github.com/fullstorydev/relay-core/relay/traffic"
+)
+
+var (
+	Factory    cookiesPluginFactory
+	logger     = log.New(os.Stdout, "[traffic-cookies] ", 0)
+	pluginName = "Cookies"
+)
+
+type cookiesPluginFactory struct{}
+
+func (f cookiesPluginFactory) Name() string {
+	return pluginName
+}
+
+func (f cookiesPluginFactory) New(env *commands.Environment) (traffic.Plugin, error) {
+	plugin := &cookiesPlugin{
+		allowlist: map[string]bool{},
+	}
+
+	if cookiesVal, ok := env.LookupOptional("TRAFFIC_RELAY_COOKIES"); ok {
+		for _, cookieName := range strings.Split(cookiesVal, " ") {
+			logger.Printf(`Cookies plugin will allowlist cookie "%s"`, cookieName)
+			plugin.allowlist[cookieName] = true
+		}
+	}
+
+	if len(plugin.allowlist) == 0 {
+		return nil, nil
+	}
+
+	return plugin, nil
+}
+
+type cookiesPlugin struct {
+	allowlist map[string]bool // The name of cookies that should be relayed.
+}
+
+func (plug cookiesPlugin) Name() string {
+	return pluginName
+}
+
+func (plug cookiesPlugin) HandleRequest(
+	response http.ResponseWriter,
+	request *http.Request,
+	info traffic.RequestInfo,
+) bool {
+	if info.Serviced {
+		return false
+	}
+
+	// Restore the original Cookie header so that we can parse it using the
+	// methods on http.Request.
+	for _, headerValue := range info.OriginalCookieHeaders {
+		request.Header.Add("Cookie", headerValue)
+	}
+
+	// Parse the Cookie header and filter out cookies which aren't present in
+	// the allowlist.
+	var cookies []string
+	for _, cookie := range request.Cookies() {
+		if !plug.allowlist[cookie.Name] {
+			continue
+		}
+		cookies = append(cookies, cookie.String())
+	}
+
+	// Reserialize the Cookie header.
+	request.Header.Set("Cookie", strings.Join(cookies, "; "))
+
+	return false
+}
+
+/*
+Copyright 2022 FullStory, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software
+and associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute,
+sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+*/

relay/plugins/traffic/cookies-plugin/cookies-plugin_test.go

@@ -0,0 +1,118 @@
+package cookies_plugin_test
+
+import (
+	"net/http"
+	"reflect"
+	"testing"
+
+	"github.com/fullstorydev/relay-core/catcher"
+	"github.com/fullstorydev/relay-core/relay"
+	"github.com/fullstorydev/relay-core/relay/plugins/traffic/cookies-plugin"
+	"github.com/fullstorydev/relay-core/relay/test"
+	"github.com/fullstorydev/relay-core/relay/traffic"
+)
+
+func TestRelayedCookies(t *testing.T) {
+	testCases := []struct {
+		desc                  string
+		env                   map[string]string
+		originalCookieHeaders []string
+		expectedCookieHeaders []string
+	}{
+		{
+			desc:                  "No cookies are relayed by default",
+			env:                   map[string]string{},
+			originalCookieHeaders: []string{"SPECIAL_ID=298zf09hf012fh2; token=u32t4o3tb3gg43", "_gat=1"},
+			expectedCookieHeaders: nil,
+		},
+		{
+			desc: "Multiple Cookie headers are merged",
+			env: map[string]string{
+				"TRAFFIC_RELAY_COOKIES": "SPECIAL_ID token _gat",
+			},
+			originalCookieHeaders: []string{"SPECIAL_ID=298zf09hf012fh2; token=u32t4o3tb3gg43", "_gat=1"},
+			expectedCookieHeaders: []string{"SPECIAL_ID=298zf09hf012fh2; token=u32t4o3tb3gg43; _gat=1"},
+		},
+		{
+			desc: "Only allowlisted cookies are relayed",
+			env: map[string]string{
+				"TRAFFIC_RELAY_COOKIES": "SPECIAL_ID foo _gat",
+			},
+			originalCookieHeaders: []string{"SPECIAL_ID=298zf09hf012fh2; token=u32t4o3tb3gg43; foo=bar", "_gat=1; bar=foo"},
+			expectedCookieHeaders: []string{"SPECIAL_ID=298zf09hf012fh2; foo=bar; _gat=1"},
+		},
+		{
+			desc: "A Cookie header is dropped entirely when no cookies match",
+			env: map[string]string{
+				"TRAFFIC_RELAY_COOKIES": "bar",
+			},
+			originalCookieHeaders: []string{"SPECIAL_ID=298zf09hf012fh2; token=u32t4o3tb3gg43; foo=bar", "_gat=1; bar=foo"},
+			expectedCookieHeaders: []string{"bar=foo"},
+		},
+	}
+
+	plugins := []traffic.PluginFactory{
+		cookies_plugin.Factory,
+	}
+
+	for _, testCase := range testCases {
+		test.WithCatcherAndRelay(t, testCase.env, plugins, func(catcherService *catcher.Service, relayService *relay.Service) {
+			request, err := http.NewRequest("GET", relayService.HttpUrl(), nil)
+			if err != nil {
+				t.Errorf("Test '%v': Error creating request: %v", testCase.desc, err)
+				return
+			}
+
+			for _, cookieHeaderValue := range testCase.originalCookieHeaders {
+				request.Header.Add("Cookie", cookieHeaderValue)
+			}
+
+			response, err := http.DefaultClient.Do(request)
+			if err != nil {
+				t.Errorf("Test '%v': Error GETing: %v", testCase.desc, err)
+				return
+			}
+			defer response.Body.Close()
+
+			if response.StatusCode != 200 {
+				t.Errorf("Test '%v': Expected 200 response: %v", testCase.desc, response)
+				return
+			}
+
+			lastRequest, err := catcherService.LastRequest()
+			if err != nil {
+				t.Errorf("Test '%v': Error reading last request from catcher: %v", testCase.desc, err)
+				return
+			}
+
+			actualCookieHeaders := lastRequest.Header["Cookie"]
+			if !reflect.DeepEqual(testCase.expectedCookieHeaders, actualCookieHeaders) {
+				t.Errorf(
+					"Test '%v': Expected Cookie header values '%v' but got '%v'",
+					testCase.desc,
+					testCase.expectedCookieHeaders,
+					actualCookieHeaders,
+				)
+			}
+		})
+	}
+}
+
+/*
+Copyright 2022 FullStory, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software
+and associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute,
+sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+*/