VictoriaMetrics/app/vmauth/target_url.go

package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

func mergeURLs(uiURL string, requestURI *url.URL) (string, error) {
	prefixURL, err := url.Parse(uiURL)
	if err != nil {
		return "", fmt.Errorf("BUG - cannot parse userInfo url: %q, err: %w", uiURL, err)
	}
	prefixURL.Path += requestURI.Path
	requestParams := requestURI.Query()
	// fast path
	if len(requestParams) == 0 {
		return prefixURL.String(), nil
	}
	// merge query parameters from requests.
	userInfoParams := prefixURL.Query()
	for k, v := range requestParams {
		// skip clashed query params from original request
		if exist := userInfoParams.Get(k); len(exist) > 0 {
			continue
		}
		for i := range v {
			userInfoParams.Add(k, v[i])
		}
	}
	prefixURL.RawQuery = userInfoParams.Encode()
	return prefixURL.String(), nil
}

func createTargetURL(ui *UserInfo, uOrig *url.URL) (string, error) {
	u, err := url.Parse(uOrig.String())
	if err != nil {
		return "", fmt.Errorf("cannot make a copy of %q: %w", u, err)
	}
	// Prevent from attacks with using `..` in r.URL.Path
	u.Path = path.Clean(u.Path)
	if !strings.HasPrefix(u.Path, "/") {
		u.Path = "/" + u.Path
	}
	for _, e := range ui.URLMap {
		for _, sp := range e.SrcPaths {
			if sp.match(u.Path) {
				return mergeURLs(e.URLPrefix, u)
			}
		}
	}
	if len(ui.URLPrefix) > 0 {
		return mergeURLs(ui.URLPrefix, u)
	}
	return "", fmt.Errorf("missing route for %q", u)
}
app/vmauth: prevent from attacks with `..` in path for accessing resources outside the configured `url_prefix` 2020-05-07 11:36:32 +02:00			`package main`

			`import (`
app/vmauth: add ability to route requests from a single users to multiple targets depending on the requested path Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1064 2021-02-11 11:40:59 +01:00			`"fmt"`
app/vmauth: prevent from attacks with `..` in path for accessing resources outside the configured `url_prefix` 2020-05-07 11:36:32 +02:00			`"net/url"`
			`"path"`
			`"strings"`
			`)`

adds query params support for vmauth urlPrefix (#1226) * adds query params support for vmauth urlPrefix * Update app/vmauth/example_config.yml * Update app/vmauth/example_config.yml Co-authored-by: Aliaksandr Valialkin <valyala@gmail.com> 2021-04-20 09:51:03 +02:00			`func mergeURLs(uiURL string, requestURI *url.URL) (string, error) {`
			`prefixURL, err := url.Parse(uiURL)`
			`if err != nil {`
			`return "", fmt.Errorf("BUG - cannot parse userInfo url: %q, err: %w", uiURL, err)`
			`}`
			`prefixURL.Path += requestURI.Path`
			`requestParams := requestURI.Query()`
			`// fast path`
			`if len(requestParams) == 0 {`
			`return prefixURL.String(), nil`
			`}`
			`// merge query parameters from requests.`
			`userInfoParams := prefixURL.Query()`
			`for k, v := range requestParams {`
			`// skip clashed query params from original request`
			`if exist := userInfoParams.Get(k); len(exist) > 0 {`
			`continue`
			`}`
			`for i := range v {`
			`userInfoParams.Add(k, v[i])`
			`}`
			`}`
			`prefixURL.RawQuery = userInfoParams.Encode()`
			`return prefixURL.String(), nil`
			`}`

app/vmauth: add ability to route requests from a single users to multiple targets depending on the requested path Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1064 2021-02-11 11:40:59 +01:00			`func createTargetURL(ui UserInfo, uOrig url.URL) (string, error) {`
			`u, err := url.Parse(uOrig.String())`
			`if err != nil {`
			`return "", fmt.Errorf("cannot make a copy of %q: %w", u, err)`
			`}`
app/vmauth: prevent from attacks with `..` in path for accessing resources outside the configured `url_prefix` 2020-05-07 11:36:32 +02:00			// Prevent from attacks with using `..` in r.URL.Path
			`u.Path = path.Clean(u.Path)`
			`if !strings.HasPrefix(u.Path, "/") {`
			`u.Path = "/" + u.Path`
			`}`
app/vmauth: add ability to route requests from a single users to multiple targets depending on the requested path Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1064 2021-02-11 11:40:59 +01:00			`for _, e := range ui.URLMap {`
app/vmauth: allow using regexps in `url_map` paths See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1112 2021-03-05 17:21:11 +01:00			`for _, sp := range e.SrcPaths {`
			`if sp.match(u.Path) {`
adds query params support for vmauth urlPrefix (#1226) * adds query params support for vmauth urlPrefix * Update app/vmauth/example_config.yml * Update app/vmauth/example_config.yml Co-authored-by: Aliaksandr Valialkin <valyala@gmail.com> 2021-04-20 09:51:03 +02:00			`return mergeURLs(e.URLPrefix, u)`
app/vmauth: add ability to route requests from a single users to multiple targets depending on the requested path Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1064 2021-02-11 11:40:59 +01:00			`}`
			`}`
			`}`
			`if len(ui.URLPrefix) > 0 {`
adds query params support for vmauth urlPrefix (#1226) * adds query params support for vmauth urlPrefix * Update app/vmauth/example_config.yml * Update app/vmauth/example_config.yml Co-authored-by: Aliaksandr Valialkin <valyala@gmail.com> 2021-04-20 09:51:03 +02:00			`return mergeURLs(ui.URLPrefix, u)`
app/vmauth: add ability to route requests from a single users to multiple targets depending on the requested path Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1064 2021-02-11 11:40:59 +01:00			`}`
			`return "", fmt.Errorf("missing route for %q", u)`
app/vmauth: prevent from attacks with `..` in path for accessing resources outside the configured `url_prefix` 2020-05-07 11:36:32 +02:00			`}`