Force HTTPS for backend connections in old-style configurations.
Prevents clients from sending an HTTP auth URL to trigger an insecure connection from the signaling server to Nextcloud.
This commit is contained in:
parent
2662d49017
commit
ec71f29fee
|
@ -87,6 +87,9 @@ func TestPostOnRedirect(t *testing.T) {
|
||||||
config := goconf.NewConfigFile()
|
config := goconf.NewConfigFile()
|
||||||
config.AddOption("backend", "allowed", u.Host)
|
config.AddOption("backend", "allowed", u.Host)
|
||||||
config.AddOption("backend", "secret", string(testBackendSecret))
|
config.AddOption("backend", "secret", string(testBackendSecret))
|
||||||
|
if u.Scheme == "http" {
|
||||||
|
config.AddOption("backend", "allowhttp", "true")
|
||||||
|
}
|
||||||
client, err := NewBackendClient(config, 1, "0.0")
|
client, err := NewBackendClient(config, 1, "0.0")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
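Review bot: The `if u.Scheme == "http" { config.AddOption("backend", "allowhttp", "true") }` block added here is repeated verbatim in the two other test-helper hunks (CreateBackendServerForTestFromConfig and getTestConfig), so three places now have to stay in sync about how a plain-HTTP test server is opted in. Consider a small shared test helper such as `func addAllowedBackend(config *goconf.ConfigFile, u *url.URL)` that adds the "allowed" host and the "allowhttp" flag together. The body of TestPostOnRedirect starts and ends outside this hunk.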
|
||||||
|
|
|
@ -41,6 +41,8 @@ type Backend struct {
|
||||||
secret []byte
|
secret []byte
|
||||||
compat bool
|
compat bool
|
||||||
|
|
||||||
|
allowHttp bool
|
||||||
|
|
||||||
maxStreamBitrate int
|
maxStreamBitrate int
|
||||||
maxScreenBitrate int
|
maxScreenBitrate int
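Review bot: The new `allowHttp` field has no comment, and its meaning differs by configuration style: for old-style hosts it is taken from the `[backend] allowhttp` option, for new-style backends it is derived from the configured URL scheme. Suggest documenting that on the field: `// allowHttp permits plain-HTTP connections to this backend; set from the "allowhttp" option for old-style hosts and from the configured URL scheme for new-style backends. HTTPS is always allowed.` As a style point, Go's initialism convention would spell the field `allowHTTP`, though the existing `IsUrlAllowed` naming suggests the project does not follow it. The Backend struct definition starts outside this hunk.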
|
||||||
|
|
||||||
|
@ -61,6 +63,17 @@ func (b *Backend) IsCompat() bool {
|
||||||
return b.compat
|
return b.compat
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (b *Backend) IsUrlAllowed(u *url.URL) bool {
|
||||||
|
switch u.Scheme {
|
||||||
|
case "https":
|
||||||
|
return true
|
||||||
|
case "http":
|
||||||
|
return b.allowHttp
|
||||||
|
default:
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func (b *Backend) AddSession(session Session) error {
|
func (b *Backend) AddSession(session Session) error {
|
||||||
if session.ClientType() == HelloClientTypeInternal || session.ClientType() == HelloClientTypeVirtual {
|
if session.ClientType() == HelloClientTypeInternal || session.ClientType() == HelloClientTypeVirtual {
|
||||||
// Internal and virtual sessions are not counting to the limit.
|
// Internal and virtual sessions are not counting to the limit.
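Review bot: IsUrlAllowed is exported but has no doc comment; suggest `// IsUrlAllowed reports whether the signaling server may connect to u: https is always allowed, http only if this backend was configured to allow it, and every other scheme is rejected.` The switch compares the scheme case-sensitively, which is fine for values produced by url.Parse (it lowercases the scheme), while a URL built any other way with an upper-case scheme falls into the default branch and is rejected, which is the safe direction; a one-line comment saying so would prevent a future "fix" that loosens it. The default branch returning false is the important part of this change and deserves its own why-comment.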
|
||||||
|
@ -102,6 +115,7 @@ type BackendConfiguration struct {
|
||||||
|
|
||||||
func NewBackendConfiguration(config *goconf.ConfigFile) (*BackendConfiguration, error) {
|
func NewBackendConfiguration(config *goconf.ConfigFile) (*BackendConfiguration, error) {
|
||||||
allowAll, _ := config.GetBool("backend", "allowall")
|
allowAll, _ := config.GetBool("backend", "allowall")
|
||||||
|
allowHttp, _ := config.GetBool("backend", "allowhttp")
|
||||||
commonSecret, _ := config.GetString("backend", "secret")
|
commonSecret, _ := config.GetString("backend", "secret")
|
||||||
sessionLimit, err := config.GetInt("backend", "sessionlimit")
|
sessionLimit, err := config.GetInt("backend", "sessionlimit")
|
||||||
if err != nil || sessionLimit < 0 {
|
if err != nil || sessionLimit < 0 {
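Review bot: `allowHttp, _ := config.GetBool("backend", "allowhttp")` discards the error the same way the `allowall` line above it does, so a missing or malformed value silently becomes false. That is the fail-closed direction and matches the commit's intent, but it should be stated so the next reader does not "fix" it by defaulting to true: `// allowhttp defaults to false: old-style backends are HTTPS-only unless the administrator explicitly opts in.` Unlike new-style backends, this single flag applies to every host listed under "allowed", which is worth mentioning in the option's documentation.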
|
||||||
|
@ -116,6 +130,8 @@ func NewBackendConfiguration(config *goconf.ConfigFile) (*BackendConfiguration,
|
||||||
secret: []byte(commonSecret),
|
secret: []byte(commonSecret),
|
||||||
compat: true,
|
compat: true,
|
||||||
|
|
||||||
|
allowHttp: allowHttp,
|
||||||
|
|
||||||
sessionLimit: uint64(sessionLimit),
|
sessionLimit: uint64(sessionLimit),
|
||||||
}
|
}
|
||||||
if sessionLimit > 0 {
|
if sessionLimit > 0 {
|
||||||
|
@ -150,6 +166,8 @@ func NewBackendConfiguration(config *goconf.ConfigFile) (*BackendConfiguration,
|
||||||
secret: []byte(commonSecret),
|
secret: []byte(commonSecret),
|
||||||
compat: true,
|
compat: true,
|
||||||
|
|
||||||
|
allowHttp: allowHttp,
|
||||||
|
|
||||||
sessionLimit: uint64(sessionLimit),
|
sessionLimit: uint64(sessionLimit),
|
||||||
}
|
}
|
||||||
hosts := make([]string, 0, len(allowMap))
|
hosts := make([]string, 0, len(allowMap))
|
||||||
|
@ -286,6 +304,8 @@ func getConfiguredHosts(backendIds string, config *goconf.ConfigFile) (hosts map
|
||||||
url: u,
|
url: u,
|
||||||
secret: []byte(secret),
|
secret: []byte(secret),
|
||||||
|
|
||||||
|
allowHttp: parsed.Scheme == "http",
|
||||||
|
|
||||||
maxStreamBitrate: maxStreamBitrate,
|
maxStreamBitrate: maxStreamBitrate,
|
||||||
maxScreenBitrate: maxScreenBitrate,
|
maxScreenBitrate: maxScreenBitrate,
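Review bot: `allowHttp: parsed.Scheme == "http"` ties plain-HTTP permission to what the administrator configured for this backend rather than to what the client sends, which is the right source of truth, but the line reads like an incidental detail; a why-comment would help: `// Plain HTTP is permitted only when the configured backend URL itself uses http://.` Note that `parsed` is declared outside the hunk, so whether it always comes from url.Parse (and thus has a lower-cased scheme) cannot be confirmed from here. getConfiguredHosts starts and ends outside this hunk.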
|
||||||
|
|
||||||
|
@ -341,6 +361,10 @@ func (b *BackendConfiguration) GetBackend(u *url.URL) *Backend {
|
||||||
s += "/"
|
s += "/"
|
||||||
}
|
}
|
||||||
for _, entry := range entries {
|
for _, entry := range entries {
|
||||||
|
if !entry.IsUrlAllowed(u) {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
if entry.url == "" {
|
if entry.url == "" {
|
||||||
// Old-style configuration, only hosts are configured.
|
// Old-style configuration, only hosts are configured.
|
||||||
return entry
|
return entry
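Review bot: The `if !entry.IsUrlAllowed(u) { continue }` check is placed before the `entry.url == ""` branch, which is what makes old-style (host-only) entries unreachable over plain HTTP; that ordering is the whole fix and should be protected by a comment such as `// Check the scheme before the old-style shortcut: host-only entries must not be reachable over plain HTTP.` For new-style entries the later prefix comparison against `entry.url` presumably already includes the scheme (the construction of `s` is outside the hunk), so the new check is mostly redundant there, which is fine but worth stating so nobody removes the earlier check as "duplicate". GetBackend starts and ends outside this hunk.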
|
||||||
|
|
|
@ -101,6 +101,28 @@ func TestIsUrlAllowed_Compat(t *testing.T) {
|
||||||
}
|
}
|
||||||
config := goconf.NewConfigFile()
|
config := goconf.NewConfigFile()
|
||||||
config.AddOption("backend", "allowed", "domain.invalid")
|
config.AddOption("backend", "allowed", "domain.invalid")
|
||||||
|
config.AddOption("backend", "allowhttp", "true")
|
||||||
|
config.AddOption("backend", "secret", string(testBackendSecret))
|
||||||
|
cfg, err := NewBackendConfiguration(config)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
testUrls(t, cfg, valid_urls, invalid_urls)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestIsUrlAllowed_CompatForceHttps(t *testing.T) {
|
||||||
|
// Old-style configuration, force HTTPS
|
||||||
|
valid_urls := []string{
|
||||||
|
"https://domain.invalid",
|
||||||
|
}
|
||||||
|
invalid_urls := []string{
|
||||||
|
"http://domain.invalid",
|
||||||
|
"http://otherdomain.invalid",
|
||||||
|
"https://otherdomain.invalid",
|
||||||
|
"domain.invalid",
|
||||||
|
}
|
||||||
|
config := goconf.NewConfigFile()
|
||||||
|
config.AddOption("backend", "allowed", "domain.invalid")
|
||||||
config.AddOption("backend", "secret", string(testBackendSecret))
|
config.AddOption("backend", "secret", string(testBackendSecret))
|
||||||
cfg, err := NewBackendConfiguration(config)
|
cfg, err := NewBackendConfiguration(config)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -119,22 +141,32 @@ func TestIsUrlAllowed(t *testing.T) {
|
||||||
{"https://domain.invalid/bar/", string(testBackendSecret) + "-bar"},
|
{"https://domain.invalid/bar/", string(testBackendSecret) + "-bar"},
|
||||||
{"https://domain.invalid:443/bar/", string(testBackendSecret) + "-bar"},
|
{"https://domain.invalid:443/bar/", string(testBackendSecret) + "-bar"},
|
||||||
{"https://domain.invalid/bar/folder/", string(testBackendSecret) + "-bar"},
|
{"https://domain.invalid/bar/folder/", string(testBackendSecret) + "-bar"},
|
||||||
|
{"http://domain.invalid/baz", string(testBackendSecret) + "-baz"},
|
||||||
|
{"http://domain.invalid/baz/", string(testBackendSecret) + "-baz"},
|
||||||
|
{"http://domain.invalid:80/baz/", string(testBackendSecret) + "-baz"},
|
||||||
|
{"http://domain.invalid/baz/folder/", string(testBackendSecret) + "-baz"},
|
||||||
{"https://otherdomain.invalid/", string(testBackendSecret) + "-lala"},
|
{"https://otherdomain.invalid/", string(testBackendSecret) + "-lala"},
|
||||||
{"https://otherdomain.invalid/folder/", string(testBackendSecret) + "-lala"},
|
{"https://otherdomain.invalid/folder/", string(testBackendSecret) + "-lala"},
|
||||||
}
|
}
|
||||||
invalid_urls := []string{
|
invalid_urls := []string{
|
||||||
|
"http://domain.invalid",
|
||||||
|
"http://domain.invalid/",
|
||||||
"https://domain.invalid",
|
"https://domain.invalid",
|
||||||
"https://domain.invalid/",
|
"https://domain.invalid/",
|
||||||
|
"http://domain.invalid/foo",
|
||||||
|
"http://domain.invalid/foo/",
|
||||||
"https://domain.invalid:8443/foo/",
|
"https://domain.invalid:8443/foo/",
|
||||||
"https://www.domain.invalid/foo/",
|
"https://www.domain.invalid/foo/",
|
||||||
"https://domain.invalid/baz/",
|
"https://domain.invalid/baz/",
|
||||||
}
|
}
|
||||||
config := goconf.NewConfigFile()
|
config := goconf.NewConfigFile()
|
||||||
config.AddOption("backend", "backends", "foo, bar, lala, missing")
|
config.AddOption("backend", "backends", "foo, bar, baz, lala, missing")
|
||||||
config.AddOption("foo", "url", "https://domain.invalid/foo")
|
config.AddOption("foo", "url", "https://domain.invalid/foo")
|
||||||
config.AddOption("foo", "secret", string(testBackendSecret)+"-foo")
|
config.AddOption("foo", "secret", string(testBackendSecret)+"-foo")
|
||||||
config.AddOption("bar", "url", "https://domain.invalid:443/bar/")
|
config.AddOption("bar", "url", "https://domain.invalid:443/bar/")
|
||||||
config.AddOption("bar", "secret", string(testBackendSecret)+"-bar")
|
config.AddOption("bar", "secret", string(testBackendSecret)+"-bar")
|
||||||
|
config.AddOption("baz", "url", "http://domain.invalid/baz")
|
||||||
|
config.AddOption("baz", "secret", string(testBackendSecret)+"-baz")
|
||||||
config.AddOption("lala", "url", "https://otherdomain.invalid/")
|
config.AddOption("lala", "url", "https://otherdomain.invalid/")
|
||||||
config.AddOption("lala", "secret", string(testBackendSecret)+"-lala")
|
config.AddOption("lala", "secret", string(testBackendSecret)+"-lala")
|
||||||
cfg, err := NewBackendConfiguration(config)
|
cfg, err := NewBackendConfiguration(config)
|
||||||
|
|
|
@ -77,6 +77,9 @@ func CreateBackendServerForTestFromConfig(t *testing.T, config *goconf.ConfigFil
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
config.AddOption("backend", "allowed", u.Host)
|
config.AddOption("backend", "allowed", u.Host)
|
||||||
|
if u.Scheme == "http" {
|
||||||
|
config.AddOption("backend", "allowhttp", "true")
|
||||||
|
}
|
||||||
config.AddOption("backend", "secret", string(testBackendSecret))
|
config.AddOption("backend", "secret", string(testBackendSecret))
|
||||||
config.AddOption("sessions", "hashkey", "12345678901234567890123456789012")
|
config.AddOption("sessions", "hashkey", "12345678901234567890123456789012")
|
||||||
config.AddOption("sessions", "blockkey", "09876543210987654321098765432109")
|
config.AddOption("sessions", "blockkey", "09876543210987654321098765432109")
|
||||||
|
|
|
@ -68,6 +68,9 @@ func getTestConfig(server *httptest.Server) (*goconf.ConfigFile, error) {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
config.AddOption("backend", "allowed", u.Host)
|
config.AddOption("backend", "allowed", u.Host)
|
||||||
|
if u.Scheme == "http" {
|
||||||
|
config.AddOption("backend", "allowhttp", "true")
|
||||||
|
}
|
||||||
config.AddOption("backend", "secret", string(testBackendSecret))
|
config.AddOption("backend", "secret", string(testBackendSecret))
|
||||||
config.AddOption("sessions", "hashkey", "12345678901234567890123456789012")
|
config.AddOption("sessions", "hashkey", "12345678901234567890123456789012")
|
||||||
config.AddOption("sessions", "blockkey", "09876543210987654321098765432109")
|
config.AddOption("sessions", "blockkey", "09876543210987654321098765432109")
|
||||||
|
|