From 3937b7cda5036cdf21f324adfa75e57f4a352651 Mon Sep 17 00:00:00 2001
From: Adrien PONSIN
Date: Thu, 17 Apr 2025 17:11:00 +0200
Subject: [PATCH] try fixing logic
---
 command/serve.go | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/command/serve.go b/command/serve.go
index ec33d4d..9846e38 100644
--- a/command/serve.go
+++ b/command/serve.go
@@ -151,14 +151,15 @@ func (ph *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 log.Debug().Str("remote_addr", r.RemoteAddr).Str("method", r.Method).Str("path", r.URL.Path).Msg("incoming request")
 mr, ok := containerMethodRegex["*"]
 if ok {
- if ph.checkMethodAndRegex(mr, r, "") {
- ph.rp.ServeHTTP(w, r)
+ if code := ph.checkMethodAndRegex(mr, r, ""); code != http.StatusOK {
+ http.Error(w, http.StatusText(code), code)
 return
 }
+ ph.rp.ServeHTTP(w, r)
+ return
 }
 var (
 containerName string
- authorized bool
 host, _, _ = net.SplitHostPort(r.RemoteAddr)
 )
 for containerName, mr = range containerMethodRegex {
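Review bot: With a `*` entry configured, the per-container loop that follows is now unreachable, because the wildcard branch returns on both outcomes; before this change a wildcard miss fell through to the container-specific rules. A container whose own entry allows a method or path that `*` does not is therefore answered with the wildcard's 405 or 403. If that precedence is intended, state it above the branch, e.g. `// a "*" entry is authoritative: per-container rules are not consulted when it is present`; otherwise return early only when `code == http.StatusOK` and let a miss continue to the loop. ServeHTTP starts before this hunk and continues past it.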
@@ -168,19 +169,23 @@ func (ph *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 for _, resolvedIP := range resolvedIPs {
 if resolvedIP.Equal(net.ParseIP(host)) {
- if ph.checkMethodAndRegex(mr, r, containerName) {
- authorized = true
- break
+ if code := ph.checkMethodAndRegex(mr, r, containerName); code != http.StatusOK {
+ http.Error(w, http.StatusText(code), code)
+ return
 }
+ ph.rp.ServeHTTP(w, r)
+ return
 }
 }
 }
- if !authorized {
- logDeniedRequest(r, http.StatusUnauthorized, "this container is not on the list of authorized ones")
- http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
- return
- }
- ph.rp.ServeHTTP(w, r)
+ http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+ return
+ /*
+ if !authorized {
+ http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+ return
+ }
+ */
 }

 func logDeniedRequest(r *http.Request, statusCode int, message string) {
@@ -203,18 +208,18 @@ func logAuthorizedRequest(r *http.Request, containerName, message string) {
 l.Msg(message)
 }

-func (ph *ProxyHandler) checkMethodAndRegex(mr methodRegex, r *http.Request, containerName string) bool {
+func (ph *ProxyHandler) checkMethodAndRegex(mr methodRegex, r *http.Request, containerName string) int {
 req, ok := mr[r.Method]
 if !ok {
 logDeniedRequest(r, http.StatusMethodNotAllowed, "this HTTP method is not in the list of those authorized for this container")
- return false
+ return http.StatusMethodNotAllowed
 }
 if !req.MatchString(r.URL.Path) {
 logDeniedRequest(r, http.StatusForbidden, "this path does not match any regular expression for this HTTP method")
- return false
+ return http.StatusForbidden
 }
 logAuthorizedRequest(r, containerName, "incoming request matches a registered regular expression")
- return true
+ return http.StatusOK
 }

 // action is executed when the ServeCmd command is called.
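Review bot: The final deny path at the end of ServeHTTP no longer calls `logDeniedRequest`, so a request from an address that matches no configured container gets a 401 with nothing logged beyond the debug-level "incoming request" line. Restore `logDeniedRequest(r, http.StatusUnauthorized, "this container is not on the list of authorized ones")` before the `http.Error` call, and drop the trailing `return` and the commented-out block. Separately, the first entry whose resolved IP matches now decides the request, and `containerMethodRegex` is ranged as a map. If two entries can resolve to the same address, the outcome would depend on iteration order, whereas the old loop allowed the request when any matching entry permitted it. ServeHTTP begins outside this hunk.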
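Review bot: `checkMethodAndRegex` now returns an HTTP status code that both callers pass straight to `http.Error`, but no comment states that contract. A doc comment would pin it: `// checkMethodAndRegex returns http.StatusOK when mr allows the request's method and path, otherwise the status to send to the client (405 for the method, 403 for the path); it logs the decision either way.` Spelling this out matters because any future return path yielding a value that is not a valid status (for example 0) would compare unequal to `http.StatusOK` and be handed to `http.Error` as the response code.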