Ilia Denisov
27916bbe61
Tests · Go / test (push) Successful in 2m0s
Add the server-rendered operator console at /_gm, exposed publicly through the gateway behind the existing admin_accounts Basic Auth. Backend: - new internal/adminconsole package (html/template Renderer, stateless HMAC CSRF signer, embedded stylesheet) - /_gm route group reusing basicauth.Middleware(admin.Service) + a CSRF guard (per-operator token + same-origin check); dashboard landing page - BACKEND_ADMIN_CONSOLE_CSRF_KEY config (per-process random fallback) Gateway: - new "admin" public route class (per-IP rate limit, body + GET/HEAD/POST method limits) classifying /_gm traffic - reverse proxy to the backend /_gm surface, preserving Host and relaying the backend 401 Basic Auth challenge; 502 when the backend is unreachable - GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_ADMIN_* config dev-deploy: - Caddy routes /_gm/* to the gateway - bootstrap admin + stable CSRF key; enable Prometheus /metrics exporters on backend and gateway (forward-compat for a future Prometheus/Grafana stack) Docs: ARCHITECTURE 14.1/16, FUNCTIONAL 10.2.1 (+ru mirror), backend and gateway READMEs, new backend/docs/admin-console.md. Tests: renderer + CSRF unit tests; backend router auth/render/asset/CSRF; gateway classifier, proxy forwarding/Host/401/405/413/429/502.
155 lines
5.1 KiB
Go
155 lines
5.1 KiB
Go
package server
|
|
|
|
import (
|
|
"bytes"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
|
|
"galaxy/backend/internal/adminconsole"
|
|
"galaxy/backend/internal/server/httperr"
|
|
"galaxy/backend/internal/server/middleware/basicauth"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"go.uber.org/zap"
|
|
)
|
|
|
|
// AdminConsoleHandlers renders the server-side operator console mounted under
|
|
// the `/_gm` route group. It wraps the framework-agnostic
|
|
// adminconsole.Renderer and CSRF signer with the gin glue: the per-page
|
|
// handlers, the embedded static-asset handler, and the CSRF guard middleware
|
|
// applied to state-changing requests. Authentication is provided by the shared
|
|
// admin Basic Auth middleware mounted on the group, so this type assumes the
|
|
// caller has already been verified.
|
|
type AdminConsoleHandlers struct {
|
|
renderer *adminconsole.Renderer
|
|
csrf *adminconsole.CSRF
|
|
assets http.Handler
|
|
logger *zap.Logger
|
|
}
|
|
|
|
// NewAdminConsoleHandlers constructs the console handler set. A nil renderer
|
|
// falls back to the embedded default templates; a nil csrf falls back to a
|
|
// fresh per-process random key; a nil logger falls back to zap.NewNop. It
|
|
// panics only on conditions that are unrecoverable at startup (template parse
|
|
// failure or crypto/rand failure), both of which indicate a broken build or
|
|
// host rather than a runtime input.
|
|
func NewAdminConsoleHandlers(renderer *adminconsole.Renderer, csrf *adminconsole.CSRF, logger *zap.Logger) *AdminConsoleHandlers {
|
|
if logger == nil {
|
|
logger = zap.NewNop()
|
|
}
|
|
if renderer == nil {
|
|
renderer = adminconsole.MustNewRenderer()
|
|
}
|
|
if csrf == nil {
|
|
generated, err := adminconsole.NewRandomCSRF()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
csrf = generated
|
|
}
|
|
|
|
assetsFS, err := adminconsole.Assets()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
return &AdminConsoleHandlers{
|
|
renderer: renderer,
|
|
csrf: csrf,
|
|
assets: http.StripPrefix("/_gm/assets/", http.FileServer(http.FS(assetsFS))),
|
|
logger: logger.Named("http.admin.console"),
|
|
}
|
|
}
|
|
|
|
// Dashboard renders the console landing page (GET /_gm and GET /_gm/).
|
|
func (h *AdminConsoleHandlers) Dashboard() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
h.render(c, http.StatusOK, "dashboard", "dashboard", "Dashboard", nil)
|
|
}
|
|
}
|
|
|
|
// Asset serves the embedded console static assets under `/_gm/assets/`.
|
|
func (h *AdminConsoleHandlers) Asset() gin.HandlerFunc {
|
|
return gin.WrapH(h.assets)
|
|
}
|
|
|
|
// RequireCSRF returns middleware guarding state-changing requests against
|
|
// cross-site request forgery. Safe methods pass through untouched. For unsafe
|
|
// methods it requires both a same-origin Origin/Referer header (when the
|
|
// browser sends one) and a valid per-operator token in the `_csrf` form field;
|
|
// either check failing yields 403.
|
|
func (h *AdminConsoleHandlers) RequireCSRF() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
if isSafeHTTPMethod(c.Request.Method) {
|
|
c.Next()
|
|
return
|
|
}
|
|
if !sameOriginRequest(c.Request) {
|
|
httperr.Abort(c, http.StatusForbidden, httperr.CodeForbidden, "cross-origin request rejected")
|
|
return
|
|
}
|
|
username, _ := basicauth.UsernameFromContext(c.Request.Context())
|
|
if !h.csrf.Verify(username, c.PostForm("_csrf")) {
|
|
httperr.Abort(c, http.StatusForbidden, httperr.CodeForbidden, "invalid or missing CSRF token")
|
|
return
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
// render composes the data common to every console page (operator name, CSRF
|
|
// token, active navigation entry) and writes the named page. It renders into an
|
|
// intermediate buffer so a template failure surfaces as a clean 500 without
|
|
// emitting a partial document.
|
|
func (h *AdminConsoleHandlers) render(c *gin.Context, status int, page, activeNav, title string, data any) {
|
|
username, _ := basicauth.UsernameFromContext(c.Request.Context())
|
|
|
|
var buf bytes.Buffer
|
|
err := h.renderer.Render(&buf, page, adminconsole.PageData{
|
|
Title: title,
|
|
Username: username,
|
|
CSRFToken: h.csrf.Token(username),
|
|
ActiveNav: activeNav,
|
|
Data: data,
|
|
})
|
|
if err != nil {
|
|
h.logger.Error("render admin console page", zap.String("page", page), zap.Error(err))
|
|
httperr.Abort(c, http.StatusInternalServerError, httperr.CodeInternalError, "failed to render page")
|
|
return
|
|
}
|
|
|
|
c.Data(status, "text/html; charset=utf-8", buf.Bytes())
|
|
}
|
|
|
|
// isSafeHTTPMethod reports whether method is a read-only HTTP method that the
|
|
// CSRF guard may let through without a token.
|
|
func isSafeHTTPMethod(method string) bool {
|
|
switch method {
|
|
case http.MethodGet, http.MethodHead, http.MethodOptions:
|
|
return true
|
|
default:
|
|
return false
|
|
}
|
|
}
|
|
|
|
// sameOriginRequest reports whether the request's Origin (or, failing that,
|
|
// Referer) names the same host as the request itself. A request that carries
|
|
// neither header is treated as same-origin, leaving the CSRF token as the sole
|
|
// guard; a malformed or cross-host value is rejected. This relies on the
|
|
// gateway reverse proxy preserving the inbound Host header.
|
|
func sameOriginRequest(r *http.Request) bool {
|
|
source := r.Header.Get("Origin")
|
|
if source == "" {
|
|
source = r.Header.Get("Referer")
|
|
}
|
|
if source == "" {
|
|
return true
|
|
}
|
|
parsed, err := url.Parse(source)
|
|
if err != nil || parsed.Host == "" {
|
|
return false
|
|
}
|
|
return strings.EqualFold(parsed.Host, r.Host)
|
|
}
|