VictoriaMetrics/app/vmauth/target_url.go

package main

import (
	"net/http"
	"net/url"
	"path"
	"slices"
	"strings"
)

func mergeURLs(uiURL, requestURI *url.URL, dropSrcPathPrefixParts int) *url.URL {
	targetURL := *uiURL
	srcPath := dropPrefixParts(requestURI.Path, dropSrcPathPrefixParts)
	if strings.HasPrefix(srcPath, "/") {
		targetURL.Path = strings.TrimSuffix(targetURL.Path, "/")
	}
	targetURL.Path += srcPath
	requestParams := requestURI.Query()
	// fast path
	if len(requestParams) == 0 {
		return &targetURL
	}
	// merge query parameters from requests.
	uiParams := targetURL.Query()
	for k, v := range requestParams {
		// skip clashed query params from original request
		if exist := uiParams.Get(k); len(exist) > 0 {
			continue
		}
		for i := range v {
			uiParams.Add(k, v[i])
		}
	}
	targetURL.RawQuery = uiParams.Encode()
	return &targetURL
}

func dropPrefixParts(path string, parts int) string {
	if parts <= 0 {
		return path
	}
	for parts > 0 {
		path = strings.TrimPrefix(path, "/")
		n := strings.IndexByte(path, '/')
		if n < 0 {
			return ""
		}
		path = path[n:]
		parts--
	}
	return path
}

func (ui *UserInfo) getURLPrefixAndHeaders(u *url.URL, h http.Header) (*URLPrefix, HeadersConf) {
	for _, e := range ui.URLMaps {
		if !matchAnyRegex(e.SrcHosts, u.Host) {
			continue
		}
		if !matchAnyRegex(e.SrcPaths, u.Path) {
			continue
		}
		if !matchAnyQueryArg(e.SrcQueryArgs, u.Query()) {
			continue
		}
		if !matchAnyHeader(e.SrcHeaders, h) {
			continue
		}

		return e.URLPrefix, e.HeadersConf
	}
	if ui.URLPrefix != nil {
		return ui.URLPrefix, ui.HeadersConf
	}
	return nil, HeadersConf{}
}

func matchAnyRegex(rs []*Regex, s string) bool {
	if len(rs) == 0 {
		return true
	}
	for _, r := range rs {
		if r.match(s) {
			return true
		}
	}
	return false
}

func matchAnyQueryArg(qas []*QueryArg, args url.Values) bool {
	if len(qas) == 0 {
		return true
	}
	for _, qa := range qas {
		vs, ok := args[qa.Name]
		if !ok {
			continue
		}
		for _, v := range vs {
			if qa.Value.match(v) {
				return true
			}
		}
	}
	return false
}

func matchAnyHeader(headers []*Header, h http.Header) bool {
	if len(headers) == 0 {
		return true
	}
	for _, header := range headers {
		if slices.Contains(h.Values(header.Name), header.Value) {
			return true
		}
	}
	return false
}

func normalizeURL(uOrig *url.URL) *url.URL {
	u := *uOrig
	// Prevent from attacks with using `..` in r.URL.Path
	u.Path = path.Clean(u.Path)
	if !strings.HasSuffix(u.Path, "/") && strings.HasSuffix(uOrig.Path, "/") {
		// The path.Clean() removes trailing slash.
		// Return it back if needed.
		// This should fix https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1752
		u.Path += "/"
	}
	if !strings.HasPrefix(u.Path, "/") {
		u.Path = "/" + u.Path
	}
	if u.Path == "/" {
		// See https://github.com/VictoriaMetrics/VictoriaMetrics/pull/1554
		u.Path = ""
	}
	return &u
}
app/vmauth: prevent from attacks with `..` in path for accessing resources outside the configured `url_prefix` 2020-05-07 11:36:32 +02:00			`package main`

			`import (`
app/vmauth: add `src_headers` option at `url_map`, which allows routing incoming requests to different backends depending on request headers 2024-03-06 20:56:32 +01:00			`"net/http"`
app/vmauth: prevent from attacks with `..` in path for accessing resources outside the configured `url_prefix` 2020-05-07 11:36:32 +02:00			`"net/url"`
			`"path"`
app/vmauth: add ability to route requests based on HTTP query args via src_query_args option See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5878 2024-03-06 19:52:23 +01:00			`"slices"`
app/vmauth: prevent from attacks with `..` in path for accessing resources outside the configured `url_prefix` 2020-05-07 11:36:32 +02:00			`"strings"`
			`)`

app/vmauth: add ability to drop the specified number of `/`-delimited prefix parts from request path This can be done via `drop_src_path_prefix_parts` option at `url_map` and `user` levels. See https://docs.victoriametrics.com/vmauth.html#dropping-request-path-prefix 2023-11-13 22:30:39 +01:00			`func mergeURLs(uiURL, requestURI url.URL, dropSrcPathPrefixParts int) url.URL {`
app/vmauth: parse `url_prefix` only once during config load 2021-04-21 09:55:29 +02:00			`targetURL := *uiURL`
app/vmauth: add ability to drop the specified number of `/`-delimited prefix parts from request path This can be done via `drop_src_path_prefix_parts` option at `url_map` and `user` levels. See https://docs.victoriametrics.com/vmauth.html#dropping-request-path-prefix 2023-11-13 22:30:39 +01:00			`srcPath := dropPrefixParts(requestURI.Path, dropSrcPathPrefixParts)`
			`if strings.HasPrefix(srcPath, "/") {`
app/vmauth: retry requests at other backends on 5xx response status codes This should allow implementing high availability scheme described at https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4792#issuecomment-1674338561 See also https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4893 2023-09-08 00:46:34 +02:00			`targetURL.Path = strings.TrimSuffix(targetURL.Path, "/")`
			`}`
app/vmauth: add ability to drop the specified number of `/`-delimited prefix parts from request path This can be done via `drop_src_path_prefix_parts` option at `url_map` and `user` levels. See https://docs.victoriametrics.com/vmauth.html#dropping-request-path-prefix 2023-11-13 22:30:39 +01:00			`targetURL.Path += srcPath`
adds query params support for vmauth urlPrefix (#1226) * adds query params support for vmauth urlPrefix * Update app/vmauth/example_config.yml * Update app/vmauth/example_config.yml Co-authored-by: Aliaksandr Valialkin <valyala@gmail.com> 2021-04-20 09:51:03 +02:00			`requestParams := requestURI.Query()`
			`// fast path`
			`if len(requestParams) == 0 {`
app/vmauth: parse `url_prefix` only once during config load 2021-04-21 09:55:29 +02:00			`return &targetURL`
adds query params support for vmauth urlPrefix (#1226) * adds query params support for vmauth urlPrefix * Update app/vmauth/example_config.yml * Update app/vmauth/example_config.yml Co-authored-by: Aliaksandr Valialkin <valyala@gmail.com> 2021-04-20 09:51:03 +02:00			`}`
			`// merge query parameters from requests.`
app/vmauth: parse `url_prefix` only once during config load 2021-04-21 09:55:29 +02:00			`uiParams := targetURL.Query()`
adds query params support for vmauth urlPrefix (#1226) * adds query params support for vmauth urlPrefix * Update app/vmauth/example_config.yml * Update app/vmauth/example_config.yml Co-authored-by: Aliaksandr Valialkin <valyala@gmail.com> 2021-04-20 09:51:03 +02:00			`for k, v := range requestParams {`
			`// skip clashed query params from original request`
app/vmauth: parse `url_prefix` only once during config load 2021-04-21 09:55:29 +02:00			`if exist := uiParams.Get(k); len(exist) > 0 {`
adds query params support for vmauth urlPrefix (#1226) * adds query params support for vmauth urlPrefix * Update app/vmauth/example_config.yml * Update app/vmauth/example_config.yml Co-authored-by: Aliaksandr Valialkin <valyala@gmail.com> 2021-04-20 09:51:03 +02:00			`continue`
			`}`
			`for i := range v {`
app/vmauth: parse `url_prefix` only once during config load 2021-04-21 09:55:29 +02:00			`uiParams.Add(k, v[i])`
adds query params support for vmauth urlPrefix (#1226) * adds query params support for vmauth urlPrefix * Update app/vmauth/example_config.yml * Update app/vmauth/example_config.yml Co-authored-by: Aliaksandr Valialkin <valyala@gmail.com> 2021-04-20 09:51:03 +02:00			`}`
			`}`
app/vmauth: parse `url_prefix` only once during config load 2021-04-21 09:55:29 +02:00			`targetURL.RawQuery = uiParams.Encode()`
			`return &targetURL`
adds query params support for vmauth urlPrefix (#1226) * adds query params support for vmauth urlPrefix * Update app/vmauth/example_config.yml * Update app/vmauth/example_config.yml Co-authored-by: Aliaksandr Valialkin <valyala@gmail.com> 2021-04-20 09:51:03 +02:00			`}`

app/vmauth: add ability to drop the specified number of `/`-delimited prefix parts from request path This can be done via `drop_src_path_prefix_parts` option at `url_map` and `user` levels. See https://docs.victoriametrics.com/vmauth.html#dropping-request-path-prefix 2023-11-13 22:30:39 +01:00			`func dropPrefixParts(path string, parts int) string {`
			`if parts <= 0 {`
			`return path`
			`}`
			`for parts > 0 {`
			`path = strings.TrimPrefix(path, "/")`
			`n := strings.IndexByte(path, '/')`
			`if n < 0 {`
			`return ""`
			`}`
			`path = path[n:]`
			`parts--`
			`}`
			`return path`
			`}`

app/vmauth: add `src_headers` option at `url_map`, which allows routing incoming requests to different backends depending on request headers 2024-03-06 20:56:32 +01:00			`func (ui UserInfo) getURLPrefixAndHeaders(u url.URL, h http.Header) (*URLPrefix, HeadersConf) {`
app/vmauth: automatically retry failing GET requests on the remaining backends 2023-02-10 06:05:13 +01:00			`for _, e := range ui.URLMaps {`
app/vmauth: add `src_headers` option at `url_map`, which allows routing incoming requests to different backends depending on request headers 2024-03-06 20:56:32 +01:00			`if !matchAnyRegex(e.SrcHosts, u.Host) {`
			`continue`
			`}`
			`if !matchAnyRegex(e.SrcPaths, u.Path) {`
			`continue`
			`}`
			`if !matchAnyQueryArg(e.SrcQueryArgs, u.Query()) {`
			`continue`
			`}`
			`if !matchAnyHeader(e.SrcHeaders, h) {`
			`continue`
app/vmauth: automatically retry failing GET requests on the remaining backends 2023-02-10 06:05:13 +01:00			`}`
app/vmauth: add `src_headers` option at `url_map`, which allows routing incoming requests to different backends depending on request headers 2024-03-06 20:56:32 +01:00
			`return e.URLPrefix, e.HeadersConf`
app/vmauth: automatically retry failing GET requests on the remaining backends 2023-02-10 06:05:13 +01:00			`}`
			`if ui.URLPrefix != nil {`
app/vmauth: allow specifying an empty retry_status_codes and and zero drop_src_path_prefix_parts in order to override user-level setting Previously `retry_status_codes: []` and `drop_src_path_prefix_parts: 0` at `url_map` were equivalent to missing values. This was resulting in using the user-level values instead. 2023-12-14 00:04:46 +01:00			`return ui.URLPrefix, ui.HeadersConf`
app/vmauth: automatically retry failing GET requests on the remaining backends 2023-02-10 06:05:13 +01:00			`}`
app/vmauth: allow specifying an empty retry_status_codes and and zero drop_src_path_prefix_parts in order to override user-level setting Previously `retry_status_codes: []` and `drop_src_path_prefix_parts: 0` at `url_map` were equivalent to missing values. This was resulting in using the user-level values instead. 2023-12-14 00:04:46 +01:00			`return nil, HeadersConf{}`
app/vmauth: automatically retry failing GET requests on the remaining backends 2023-02-10 06:05:13 +01:00			`}`

app/vmauth: add ability to route requests to different backends depending on the request host 2023-12-13 23:46:36 +01:00			`func matchAnyRegex(rs []*Regex, s string) bool {`
			`if len(rs) == 0 {`
			`return true`
			`}`
			`for _, r := range rs {`
			`if r.match(s) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

app/vmauth: follow-up for b155b20de456a0bf05b5e2b3cb215c6a08d312f0 - Use exact matching by default for the query arg value provided via arg=value syntax at src_query_args. Regex matching can be enabled by using =~ instead of = . For example, arg=~regex. This ensures that the exact matching works as expected without the need to escape special regex chars. - Add helper functions for creating QueryArg, Header and Regex structs in tests. This improves maintainability of the tests. - Remove url.QueryUnescape() call on the url in TestCreateTargetURLSuccess(), since this is bogus approach. The url.QueryUnescape() must be applied to individual query args, and it mustn't be applied to the whole url, since in this case it may perform invalid unescaping in the context of the url, or make the resulting url invalid. While at it, properly marshal all the fields inside UserInfo config to yaml in tests. Previously Header and QueryArg structs were improperly marshaled because the custom MarshalYAML is called only on pointers to Header and QueryArg structs. This improves test coverage. Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6070 Updates https://github.com/VictoriaMetrics/VictoriaMetrics/pull/6115 2024-04-17 14:03:15 +02:00			`func matchAnyQueryArg(qas []*QueryArg, args url.Values) bool {`
app/vmauth: add ability to route requests based on HTTP query args via src_query_args option See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5878 2024-03-06 19:52:23 +01:00			`if len(qas) == 0 {`
			`return true`
			`}`
			`for _, qa := range qas {`
app/vmauth: support regex matching in `src_query_args` (#6115) Support regex matching when routing incoming requests based on HTTP query args via `src_query_args` option at `url_map`. https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6070 Signed-off-by: hagen1778 <roman@victoriametrics.com> 2024-04-17 09:54:43 +02:00			`vs, ok := args[qa.Name]`
			`if !ok {`
			`continue`
			`}`
			`for _, v := range vs {`
			`if qa.Value.match(v) {`
			`return true`
			`}`
app/vmauth: add ability to route requests based on HTTP query args via src_query_args option See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5878 2024-03-06 19:52:23 +01:00			`}`
			`}`
			`return false`
			`}`

app/vmauth: follow-up for b155b20de456a0bf05b5e2b3cb215c6a08d312f0 - Use exact matching by default for the query arg value provided via arg=value syntax at src_query_args. Regex matching can be enabled by using =~ instead of = . For example, arg=~regex. This ensures that the exact matching works as expected without the need to escape special regex chars. - Add helper functions for creating QueryArg, Header and Regex structs in tests. This improves maintainability of the tests. - Remove url.QueryUnescape() call on the url in TestCreateTargetURLSuccess(), since this is bogus approach. The url.QueryUnescape() must be applied to individual query args, and it mustn't be applied to the whole url, since in this case it may perform invalid unescaping in the context of the url, or make the resulting url invalid. While at it, properly marshal all the fields inside UserInfo config to yaml in tests. Previously Header and QueryArg structs were improperly marshaled because the custom MarshalYAML is called only on pointers to Header and QueryArg structs. This improves test coverage. Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6070 Updates https://github.com/VictoriaMetrics/VictoriaMetrics/pull/6115 2024-04-17 14:03:15 +02:00			`func matchAnyHeader(headers []*Header, h http.Header) bool {`
app/vmauth: add `src_headers` option at `url_map`, which allows routing incoming requests to different backends depending on request headers 2024-03-06 20:56:32 +01:00			`if len(headers) == 0 {`
			`return true`
			`}`
			`for _, header := range headers {`
			`if slices.Contains(h.Values(header.Name), header.Value) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

app/vmauth: automatically retry failing GET requests on the remaining backends 2023-02-10 06:05:13 +01:00			`func normalizeURL(uOrig url.URL) url.URL {`
app/vmauth: parse `url_prefix` only once during config load 2021-04-21 09:55:29 +02:00			`u := *uOrig`
app/vmauth: prevent from attacks with `..` in path for accessing resources outside the configured `url_prefix` 2020-05-07 11:36:32 +02:00			// Prevent from attacks with using `..` in r.URL.Path
			`u.Path = path.Clean(u.Path)`
app/vmauth: do not remove trailing slash from the proxied path This should fix the issue with opening VMUI at /vmui/ page. See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1752 2022-10-01 15:52:27 +02:00			`if !strings.HasSuffix(u.Path, "/") && strings.HasSuffix(uOrig.Path, "/") {`
app,lib: fix typos in comments (#3804) 2023-02-13 13:27:13 +01:00			`// The path.Clean() removes trailing slash.`
app/vmauth: do not remove trailing slash from the proxied path This should fix the issue with opening VMUI at /vmui/ page. See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1752 2022-10-01 15:52:27 +02:00			`// Return it back if needed.`
			`// This should fix https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1752`
			`u.Path += "/"`
			`}`
app/vmauth: prevent from attacks with `..` in path for accessing resources outside the configured `url_prefix` 2020-05-07 11:36:32 +02:00			`if !strings.HasPrefix(u.Path, "/") {`
			`u.Path = "/" + u.Path`
			`}`
app/vmauth: do not remove trailing slash from the proxied path This should fix the issue with opening VMUI at /vmui/ page. See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1752 2022-10-01 15:52:27 +02:00			`if u.Path == "/" {`
			`// See https://github.com/VictoriaMetrics/VictoriaMetrics/pull/1554`
			`u.Path = ""`
			`}`
app/vmauth: automatically retry failing GET requests on the remaining backends 2023-02-10 06:05:13 +01:00			`return &u`
app/vmauth: prevent from attacks with `..` in path for accessing resources outside the configured `url_prefix` 2020-05-07 11:36:32 +02:00			`}`