mirror of
https://github.com/ovh/the-bastion.git
synced 2025-01-26 09:41:03 +08:00
2e9fe9288b
Added the `log_request_response` and `log_request_response_max_size` options to osh-http-proxy.conf. By default, requests are logged, including their body, up to a size of 64K per request response. Before, there was no size limit to the logged body response.
534 lines
23 KiB
Perl
534 lines
23 KiB
Perl
package OVH::Bastion::ProxyHTTP;
|
|
|
|
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
|
|
use common::sense;
|
|
|
|
use File::Basename;
|
|
use lib dirname(__FILE__) . '/../../../../lib/perl';
|
|
use OVH::Result;
|
|
use OVH::Bastion;
|
|
|
|
use CGI;
|
|
use JSON;
|
|
use Fcntl qw(:flock);
|
|
use Time::HiRes ();
|
|
use MIME::Base64;
|
|
use Net::Server::PreForkSimple;
|
|
use Net::Server::PreFork;
|
|
use Sys::Hostname;
|
|
use base qw{Net::Server::HTTP};
|
|
|
|
###########################
|
|
# BE CAREFUL IN THIS CLASS: STDIN && STDOUT are bound to the server->client socket
|
|
# of the current request, in other words, everything that is printed to stdout goes
|
|
# to the network, this is NOT the case with stderr
|
|
|
|
# override Net::Server::HTTP::send_status, because it hardcodes content-type: text/html,
|
|
# and there's no way for the caller to prevent that :(
|
|
sub send_status {
|
|
my ($self, $status, $msg, $body) = @_;
|
|
$msg ||= ($status == 200) ? 'OK' : '-';
|
|
my $request_info = $self->{'request_info'};
|
|
|
|
my $content_type_already_sent = 0;
|
|
my $want_gzip = 0;
|
|
my $out = "HTTP/1.0 $status $msg\r\n";
|
|
foreach my $row (@{$self->http_base_headers}) {
|
|
$out .= "$row->[0]: $row->[1]\r\n";
|
|
push @{$request_info->{'response_headers'}}, $row;
|
|
$content_type_already_sent++ if (lc($row->[0]) eq 'content-type');
|
|
$want_gzip++ if (lc($row->[0]) eq 'content-encoding' && $row->[1] =~ /gzip/);
|
|
}
|
|
$self->{'server'}->{'client'}->print($out);
|
|
$request_info->{'http_version'} = '1.0';
|
|
$request_info->{'response_status'} = $status;
|
|
$request_info->{'response_header_size'} += length $out;
|
|
|
|
if ($body) {
|
|
|
|
# add Content-Type only if not already defined
|
|
if (not $content_type_already_sent) {
|
|
push @{$request_info->{'response_headers'}}, ['Content-type', 'text/plain'];
|
|
$out = "Content-Type: text/plain\r\n\r\n";
|
|
}
|
|
else {
|
|
$out = "\r\n";
|
|
}
|
|
$request_info->{'response_header_size'} += length $out;
|
|
$self->{'server'}->{'client'}->print($out);
|
|
$request_info->{'headers_sent'} = 1;
|
|
my $encoded_body = $body;
|
|
if ($want_gzip) {
|
|
require IO::Compress::Gzip;
|
|
IO::Compress::Gzip::gzip(\$body => \$encoded_body);
|
|
}
|
|
$self->{'server'}->{'client'}->print($encoded_body);
|
|
$request_info->{'response_size'} += length $encoded_body;
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
|
|
sub log_and_exit {
|
|
my ($self, $code, $msg, $body, $params) = @_;
|
|
$params->{'returnvalue'} ||= "$code $msg";
|
|
|
|
my $account = delete $self->{'_log'}{'account'};
|
|
my $user = delete $self->{'_log'}{'user'};
|
|
my $hostto = delete $self->{'_log'}{'hostto'};
|
|
my $portto = delete $self->{'_log'}{'portto'};
|
|
my $starttime = delete $self->{'_log'}{'start_time'};
|
|
my $allowed = delete $self->{'_log'}{'allowed'} || 0;
|
|
my $bastion2device_delay = delete $self->{'_log'}{'bastion2device_delay'};
|
|
my $request_body_length = delete $self->{'_log'}{'request_body_length'};
|
|
|
|
# log in sql and/or logfile and/or syslog
|
|
my $processing_delay = ($starttime ? int(Time::HiRes::tv_interval($starttime) * 1_000_000) : undef);
|
|
$params->{'account'} = $account; # might be undef if we're called before the account is extracted from the payload
|
|
$params->{'user'} = $user; # ditto
|
|
$params->{'hostto'} = $hostto; # ditto
|
|
$params->{'portto'} = $portto; # ditto
|
|
$params->{'loghome'} = 'proxyhttp';
|
|
$params->{'cmdtype'} = 'proxyhttp_daemon';
|
|
$params->{'ipfrom'} = $self->{'request_info'}{'peeraddr'};
|
|
$params->{'portfrom'} = $self->{'request_info'}{'peerport'};
|
|
$params->{'bastionip'} = $self->{'request_info'}{'sockaddr'};
|
|
$params->{'bastionport'} = $self->{'request_info'}{'sockport'};
|
|
$params->{'params'} = $self->{'request_info'}{'request_path'};
|
|
$params->{'plugin'} = uc($self->{'request_info'}{'request_method'});
|
|
$params->{'allowed'} = $allowed;
|
|
|
|
# custom data will only be logged to logfile and syslog, not sql (it's not in the generic schema)
|
|
$params->{'custom'} = [
|
|
['user_agent' => $ENV{'HTTP_USER_AGENT'}],
|
|
['request_headers_length' => $self->{'request_info'}{'request_header_size'}],
|
|
['request_body_length' => $request_body_length + 0],
|
|
['response_body_length' => length($body)],
|
|
['timing_bastion2device_usec' => $bastion2device_delay],
|
|
['timing_global_usec' => $processing_delay],
|
|
['code' => $code],
|
|
['msg' => $msg],
|
|
];
|
|
if ($processing_delay) {
|
|
push @{$params->{'custom'}}, ['timing_overhead_usec' => ($processing_delay - $bastion2device_delay) + 0];
|
|
}
|
|
$self->{'_log'}{'logret'} = OVH::Bastion::log_access_insert(%$params);
|
|
|
|
# log in "ttyrec"
|
|
my $basedir = "/home/proxyhttp/ttyrec";
|
|
-d $basedir || mkdir $basedir;
|
|
|
|
my $srcip = 'src_' . ($ENV{'REMOTE_ADDR'} || '0.0.0.0');
|
|
my $finaldir = "$basedir/$srcip";
|
|
-d $finaldir || mkdir $finaldir;
|
|
|
|
my @now = Time::HiRes::gettimeofday();
|
|
my @t = localtime($now[0]);
|
|
|
|
my @request_lines = ($self->{'request_info'}{'request'});
|
|
foreach my $array (@{$self->{'request_info'}{'request_headers'} || []}) {
|
|
push @request_lines, sprintf("%s: %s", @$array);
|
|
}
|
|
if (exists $self->{'_log'}{'post_content'}) {
|
|
push @request_lines, '';
|
|
push @request_lines, delete $self->{'_log'}{'post_content'};
|
|
}
|
|
|
|
my $bastion_answer_log = "HTTP/1.0 $code $msg\n";
|
|
foreach my $row (@{$self->http_base_headers()}) {
|
|
$bastion_answer_log .= $row->[0] . ": " . $row->[1] . "\n";
|
|
}
|
|
$bastion_answer_log .= "\n(BODY OMITTED, " . length($body) . " bytes)\n";
|
|
my @headerlog = ($ENV{'UNIQID'}, $now[0], $now[1], POSIX::strftime("%Y/%m/%d.%H:%M:%S", @t));
|
|
my $logfile = sprintf("%s/%s.txt", $finaldir, POSIX::strftime("%F", @t));
|
|
my $logline = sprintf(
|
|
""
|
|
. "--- CLIENT_REQUEST UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n%s\n"
|
|
. "--- BASTION_ANSWER UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n%s\n"
|
|
. "--- END UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n\n",
|
|
@headerlog, join("\n", @request_lines),
|
|
@headerlog, $bastion_answer_log, @headerlog,
|
|
);
|
|
$logline =~ s/^(Authorization:).+/$1 (removed)/mgi;
|
|
|
|
if (open(my $log, '>>', $logfile)) {
|
|
flock($log, LOCK_EX);
|
|
print $log $logline;
|
|
flock($log, LOCK_UN);
|
|
close($log);
|
|
}
|
|
else {
|
|
warn("Couldn't open $logfile for log write");
|
|
}
|
|
|
|
# if status is 401, tell client what scheme we expect for the auth
|
|
if ($code == 401) {
|
|
push @{$self->{'_supplementary_headers'}}, ['WWW-Authenticate', 'Basic realm="bastion"'];
|
|
}
|
|
|
|
# and send status (will also fill access_log)
|
|
return $self->send_status($code, $msg, $body . "\n");
|
|
}
|
|
|
|
# called by Net::Server when initializing, we set its log_function here to handle error logs, such as timeouts.
|
|
# if func is undefined when Net::Server needs it, it'll log to STDERR, and we don't want that
|
|
sub configure_hook { ## no critic (RequireFinalReturn)
|
|
my $self = shift;
|
|
$self->{'server'}{'log_function'} = sub {
|
|
my ($level, $msg) = @_;
|
|
warn_syslog("osh-http-proxy-daemon: level $level: $msg");
|
|
}
|
|
}
|
|
|
|
# overrides parent func
|
|
sub run {
|
|
my ($self, %params) = @_;
|
|
$self->{'proxy_config'} = (delete $params{'proxy_config'}) || {};
|
|
return $self->SUPER::run($self, %params);
|
|
}
|
|
|
|
# used twice in process_http_request(): get the worker cmd to execute, launch it
|
|
# and decapsulate the result with the proper error checks
|
|
## no critic (Subroutines::RequireArgUnpacking)
|
|
sub _exec_worker_and_get_result {
|
|
my $self = shift;
|
|
my @cmd = @_;
|
|
my $fnret;
|
|
|
|
$fnret = OVH::Bastion::execute_simple(cmd => \@cmd);
|
|
$fnret or return $self->log_and_exit(500, "Internal Error (couldn't exec worker)", "Couldn't exec worker (" . $fnret->msg . ")", {comment => "worker_exec_failed"});
|
|
|
|
if ($fnret->value->{'sysret'} != 0) {
|
|
return $self->log_and_exit(
|
|
500,
|
|
"Internal Error (worker returned a non-zero exit value)",
|
|
"Worker returned a non-zero exit value (" . $fnret->value->{'sysret'} . ")",
|
|
{comment => "worker_non_zero_exit"}
|
|
);
|
|
}
|
|
|
|
if (!$fnret->value->{'output'}) {
|
|
return $self->log_and_exit(500, "Internal Error (worker returned no data)", "Worker returned no data", {comment => "worker_no_data"});
|
|
}
|
|
|
|
my $json_decoded;
|
|
eval { $json_decoded = decode_json($fnret->value->{'output'}); };
|
|
if ($@) {
|
|
return $self->log_and_exit(
|
|
500,
|
|
"Internal Error (worker returned invalid JSON)",
|
|
"Worker returned "
|
|
. (length($fnret->value->{'output'}))
|
|
. " bytes of data but JSON decoding failed ($@). The first 500 bytes follow:\n"
|
|
. substr($fnret->value->{'output'}, 0, 500),
|
|
{comment => "worker_invalid_json"}
|
|
);
|
|
}
|
|
|
|
$fnret = OVH::Bastion::helper_decapsulate($json_decoded);
|
|
$fnret or return $self->log_and_exit(500, "Internal Error (worker returned an error)", "Worker returned an error (" . $fnret->msg . ")", {comment => "worker_error"});
|
|
|
|
return $fnret;
|
|
}
|
|
|
|
# overrides parent func
|
|
sub process_http_request {
|
|
my ($self, $client) = @_;
|
|
my $fnret;
|
|
|
|
$ENV{'FORCE_STDERR'} = 1;
|
|
$self->{'_log'}{'start_time'} = [Time::HiRes::gettimeofday()];
|
|
|
|
$ENV{'UNIQID'} = OVH::Bastion::generate_uniq_id()->value;
|
|
|
|
$self->{'server'}{'access_log_format'} = qq#%h - - %t "%r" %>s %b "-" "$ENV{'UNIQID'}" "%{User-Agent}i" %D -#;
|
|
|
|
# consistency check
|
|
if ($self->{'request_info'}{'peerport'} ne $ENV{'REMOTE_PORT'}) {
|
|
return $self->log_and_exit(
|
|
500,
|
|
"Internal Server Error (consistency)",
|
|
"Internal consistency error: remote_port doesn't match peerport, this shouldn't happen",
|
|
{comment => 'consistency_error'}
|
|
);
|
|
}
|
|
|
|
# only GET or POST are allowed
|
|
if (not grep { uc($self->{'request_info'}{'request_method'}) eq $_ } qw{ GET POST }) {
|
|
return $self->log_and_exit(400, "Bad Request (method forbidden)", "Only GET and POST methods are allowed", {comment => 'method_forbidden'});
|
|
}
|
|
|
|
# if we don't have the request_headers, we really have a big problem
|
|
if (ref $self->{'request_info'} ne 'HASH' or ref $self->{'request_info'}{'request_headers'} ne 'ARRAY') {
|
|
return $self->log_and_exit(500, "Internal Server Error (headers not found)", "The headers of the request can't be found", {comment => "headers_not_found"});
|
|
}
|
|
|
|
# convert headers into a hash
|
|
my $req_headers = _flatten_headers($self->{'request_info'}{'request_headers'});
|
|
if (ref $req_headers ne 'HASH') {
|
|
return $self->log_and_exit(500, "Internal Server Error (headers are not a hash)", "Request headers couldn't be parsed properly", {comment => "headers_cannot_be_parsed"});
|
|
}
|
|
|
|
# check if it's not just a self-health test
|
|
if ($ENV{'REQUEST_URI'} eq '/bastion-health-check') {
|
|
|
|
# launch the worker in monitoring mode, to be sure we test all the sudo part
|
|
my @cmd = ("sudo", "-n", "-u", "proxyhttp", "--", "/usr/bin/env", "perl", "-T", "/opt/bastion/bin/proxy/osh-http-proxy-worker");
|
|
push @cmd, "--monitoring", "--uniqid", $ENV{'UNIQID'};
|
|
|
|
$fnret = $self->_exec_worker_and_get_result(@cmd);
|
|
|
|
my $workerversion = $fnret->value->{'body'};
|
|
|
|
if ($workerversion eq $OVH::Bastion::VERSION) {
|
|
return $self->log_and_exit(200, "OK", "Bastion HTTPS proxy version " . $OVH::Bastion::VERSION . " is running nominally.", {comment => "monitoring"});
|
|
}
|
|
else {
|
|
return $self->log_and_exit(
|
|
202,
|
|
"Semi-OK",
|
|
"A discrepancy was found between the Bastion HTTPS proxy daemon version ("
|
|
. $OVH::Bastion::VERSION
|
|
. ") and worker version ($workerversion), please reload the daemon to avoid problems.",
|
|
{comment => "monitoring"}
|
|
);
|
|
}
|
|
}
|
|
|
|
# this header is mandatory, and must be a Basic scheme auth
|
|
if (not $req_headers->{'authorization'}) {
|
|
return $self->log_and_exit(401, "Authorization required (no auth provided)", "No authentication provided, and authentication is mandatory",
|
|
{comment => "no_auth_provided"});
|
|
}
|
|
my $basic_auth_header_value;
|
|
if (not $req_headers->{'authorization'} =~ m{^Basic (\S+)$}i) {
|
|
return $self->log_and_exit(401, "Authorization required (basic auth scheme needed)", "Basic authorization scheme required", {comment => "bad_auth_scheme"});
|
|
}
|
|
else {
|
|
$basic_auth_header_value = $1;
|
|
}
|
|
if ($req_headers->{'authorization'} ne $ENV{'HTTP_AUTHORIZATION'}) {
|
|
return $self->log_and_exit(500, "Internal Server Error (consistency)", "Internal consistency error: authorization header doesn't match envvar",
|
|
{comment => 'consistency_error'});
|
|
}
|
|
delete $ENV{'HTTP_AUTHORIZATION'};
|
|
|
|
# decode the auth header
|
|
my $decoded = decode_base64($basic_auth_header_value);
|
|
undef $basic_auth_header_value;
|
|
|
|
#print STDERR "I decoded $decoded\n";
|
|
|
|
# the decoded header should be of the form LOGIN:PASSWORD
|
|
if (not $decoded or $decoded !~ /^(.+):([^:]+)$/) {
|
|
return $self->log_and_exit(401, "Authorization required (malformed basic auth)", "Malformed Basic authorization '$decoded'", {comment => "malformed_basic_auth"});
|
|
}
|
|
|
|
# in our case, the LOGIN should in fact be of the form bastion_account@remote_login_expression@remote_host_to_connect_to,
|
|
# where remote_login_expression can be one of "$user", "group=$shortGroup,user=$user" or "user=$user"
|
|
my ($loginpart, $pass) = ($1, $2); ## no critic (ProhibitCaptureWithoutTest)
|
|
if ($loginpart !~ m{^([^@]+)@([^@]+)@([0-9a-zA-Z._-]+)(%(\d+))?$}) { ## no critic (ProhibitUnusedCapture)
|
|
return $self->log_and_exit(
|
|
400,
|
|
"Bad Request (bad login format)",
|
|
"Expected an Authorization line with credentials of the form 'BASTIONACCOUNT\@DEVICEUSER\@HOST' or "
|
|
. "'BASTIONACCOUNT\@group=BASTIONGROUP,user=DEVICEUSER\@HOST' or 'BASTIONACCOUNT\@user=DEVICEUSER\@HOST'",
|
|
{comment => "bad_login_format"}
|
|
);
|
|
}
|
|
my ($account, $user_expression, $remotemachine, $remoteport) = ($1, $2, $3, $5); ## no critic (ProhibitCaptureWithoutTest)
|
|
undef $loginpart; # no longer needed
|
|
$remoteport = 443 if not defined $remoteport;
|
|
$self->{'_log'}{'hostto'} = $remotemachine;
|
|
$self->{'_log'}{'portto'} = $remoteport;
|
|
|
|
my $context;
|
|
my $group;
|
|
my $user;
|
|
if ($user_expression =~ m{^group=(\S+),user=(\S+)$}) {
|
|
$context = 'group';
|
|
$group = $1;
|
|
$user = $2;
|
|
}
|
|
elsif ($user_expression =~ m{^user=(\S+),group=(\S+)$}) {
|
|
$context = 'group';
|
|
$group = $2;
|
|
$user = $1;
|
|
}
|
|
elsif ($user_expression =~ m{^user=(\S+)$}) {
|
|
$context = 'self';
|
|
$user = $1;
|
|
}
|
|
else {
|
|
$context = 'autodetect';
|
|
$user = $user_expression;
|
|
}
|
|
undef $user_expression; # no longer needed
|
|
|
|
if (not OVH::Bastion::is_account_valid(account => $account)) {
|
|
return $self->log_and_exit(400, "Bad Request (bad account)", "Account name is invalid", {comment => "invalid_account"});
|
|
}
|
|
my $escaped_account = $account;
|
|
$escaped_account =~ s/%/%%/g;
|
|
$self->{'server'}{'access_log_format'} = qq#%h $escaped_account %u %t "%r" %>s %b "$remotemachine" "$ENV{'UNIQID'}" "%{User-Agent}i" %D -#;
|
|
if (not OVH::Bastion::is_valid_port(port => $remoteport)) {
|
|
return $self->log_and_exit(400, "Bad Request (bad port number)", "Port number is out of range", {comment => "invalid_port_number"});
|
|
}
|
|
|
|
$fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $account);
|
|
if (not $fnret) {
|
|
|
|
# don't be too specific on the error message to avoid account name guessing
|
|
return $self->log_and_exit(403, "Access Denied", "Incorrect username ($account) or password (#REDACTED#, length=" . length($pass) . ")",
|
|
{comment => "invalid_credentials"});
|
|
}
|
|
$account = $fnret->value->{'account'}; # untaint
|
|
$self->{'_log'}{'account'} = $account;
|
|
|
|
if ($user !~ /^[a-zA-Z0-9._-]+/) {
|
|
return $self->log_and_exit(400, "Bad Request (bad user name)", "User name '$user' has forbidden characters", {comment => "bad_user_name"});
|
|
}
|
|
$self->{'_log'}{'user'} = $user;
|
|
my $escaped_user = $user;
|
|
$escaped_user =~ s/%/%%/g;
|
|
$self->{'server'}{'access_log_format'} = qq#%h $escaped_account $escaped_user %t "%r" %>s %b "$remotemachine" "$ENV{'UNIQID'}" "%{User-Agent}i" %D -#;
|
|
|
|
# config value by default
|
|
my $timeout = $self->{'proxy_config'}{'timeout'};
|
|
|
|
# if there's a timeout header, get it
|
|
if ($req_headers->{'x-bastion-timeout'}) {
|
|
if ($req_headers->{'x-bastion-timeout'} =~ /^\d+$/) {
|
|
$timeout = $req_headers->{'x-bastion-timeout'};
|
|
}
|
|
else {
|
|
return $self->log_and_exit(400, "Bad Request (invalid timeout value)", "Expected an integer timeout value expressed in seconds", {comment => "bad_timeout_value"});
|
|
}
|
|
}
|
|
|
|
# if there's an allow-downgrade header, get it
|
|
my $allow_downgrade = 0;
|
|
if ($req_headers->{'x-bastion-allow-downgrade'}) {
|
|
if ($req_headers->{'x-bastion-allow-downgrade'} eq "1" || $req_headers->{'x-bastion-allow-downgrade'} eq "0") {
|
|
$allow_downgrade = $req_headers->{'x-bastion-allow-downgrade'} + 0;
|
|
}
|
|
else {
|
|
return $self->log_and_exit(400, "Bad Request (invalid allow-downgrade value)", "Expected value '0', '1' or no header", {comment => "bad_allow_downgrade_value"});
|
|
}
|
|
}
|
|
|
|
# if there's an enforce-secure header, get it
|
|
my $enforce_secure = 0;
|
|
if ($req_headers->{'x-bastion-enforce-secure'}) {
|
|
if ($req_headers->{'x-bastion-enforce-secure'} eq "1" || $req_headers->{'x-bastion-enforce-secure'} eq "0") {
|
|
$enforce_secure = $req_headers->{'x-bastion-enforce-secure'} + 0;
|
|
}
|
|
else {
|
|
return $self->log_and_exit(400, "Bad Request (invalid enforce-secure value)", "Expected value '0', '1' or no header", {comment => "bad_enforce_secure_value"});
|
|
}
|
|
}
|
|
|
|
# here, we know the account is right, so we sudo to this account to proceed
|
|
my @cmd = ("sudo", "-n", "-u", $account, "--", "/usr/bin/env", "perl", "-T", "/opt/bastion/bin/proxy/osh-http-proxy-worker");
|
|
push @cmd, "--account", $account, "--context", $context, "--user", $user, "--host", $remotemachine, "--uniqid", $ENV{'UNIQID'};
|
|
push @cmd, "--method", $self->{'request_info'}{'request_method'}, "--path", $self->{'request_info'}{'request_path'};
|
|
push @cmd, "--port", $remoteport;
|
|
push @cmd, "--group", $group if $group;
|
|
push @cmd, "--timeout", $timeout if $timeout;
|
|
push @cmd, "--allow-downgrade" if $allow_downgrade;
|
|
push @cmd, "--insecure" if ($self->{'proxy_config'}{'insecure'} && !$enforce_secure);
|
|
push @cmd, "--log-request-response" if ($self->{'proxy_config'}{'log_request_response'});
|
|
push @cmd, "--log-request-response-max-size", $self->{'proxy_config'}{'log_request_response_max_size'} if ($self->{'proxy_config'}{'log_request_response'});
|
|
|
|
# X-Test-* is only used for functional tests, and has to be passed to the remote
|
|
foreach my $pattern (qw{ accept content-type content-length content-encoding x-test-[a-z-]+ }) {
|
|
foreach my $key (grep { /^$pattern$/i } keys %$req_headers) {
|
|
push @cmd, "--header", $key . ':' . $req_headers->{$key};
|
|
}
|
|
}
|
|
|
|
# we don't want the CGI module to parse/modify/interpret the content, so we
|
|
# fake an application/xml content, this has the effect in the CGI module code
|
|
# to not mess at all with the data, which is what we want. This way we can get the
|
|
# raw unparsed/unmodified data through the special 'XForms:Model' param. Once done,
|
|
# we simply restore the real content-type
|
|
my $real_content_type = $ENV{'CONTENT_TYPE'};
|
|
$ENV{'CONTENT_TYPE'} = 'application/xml';
|
|
my $content = CGI->new->param('XForms:Model');
|
|
$ENV{'CONTENT_TYPE'} = $real_content_type;
|
|
$ENV{'PROXY_POST_DATA'} = encode_base64($content);
|
|
|
|
$ENV{'PROXY_ACCOUNT_PASSWORD'} = $pass;
|
|
undef $pass;
|
|
$self->{'_log'}{'request_body_length'} = length($content);
|
|
|
|
$fnret = $self->_exec_worker_and_get_result(@cmd);
|
|
|
|
delete $ENV{'PROXY_ACCOUNT_PASSWORD'};
|
|
delete $ENV{'PROXY_POST_DATA'};
|
|
|
|
if (ref $fnret->value->{'headers'} eq 'ARRAY') {
|
|
push @{$self->{'_supplementary_headers'}}, @{$fnret->value->{'headers'}};
|
|
}
|
|
if ($req_headers->{'accept-encoding'} =~ /gzip/) {
|
|
push @{$self->{'_supplementary_headers'}}, ['Content-Encoding', 'gzip'];
|
|
}
|
|
$self->{'request_info'}{'headers_sent'} = 1; # needed to avoid duplicate headers by our parent package
|
|
|
|
my $flattened_bastion2client_headers = _flatten_headers($self->{'_supplementary_headers'});
|
|
my $bastion2devicedelay = $flattened_bastion2client_headers->{'x-bastion-egress-timing'};
|
|
$self->{'_log'}{'post_content'} = $content;
|
|
$self->{'server'}{'access_log_format'} =
|
|
qq#%h $escaped_account $escaped_user %t "%r" %>s %b "$remotemachine" "$ENV{'UNIQID'}" "%{User-Agent}i" %D # . ($bastion2devicedelay || '-');
|
|
|
|
$self->{'_log'}{'bastion2device_delay'} = $bastion2devicedelay;
|
|
$self->{'_log'}{'allowed'} = $fnret->value->{'allowed'};
|
|
$self->log_and_exit($fnret->value->{'code'}, $fnret->value->{'msg'}, $fnret->value->{'body'}, {comment => "worker_returned"});
|
|
|
|
return 1;
|
|
}
|
|
|
|
# overrides parent func
|
|
sub http_base_headers {
|
|
my $self = shift;
|
|
my @headers = (
|
|
[Date => gmtime() . " GMT"],
|
|
[Connection => 'close'],
|
|
[Server => "The Bastion " . $OVH::Bastion::VERSION],
|
|
['X-Bastion-Instance' => hostname()],
|
|
['X-Bastion-ReqID' => $ENV{'UNIQID'}],
|
|
);
|
|
foreach my $keyval (@{$self->{'_supplementary_headers'}}) {
|
|
my $keyname = $keyval->[0];
|
|
$keyname = 'X-Bastion-Remote-' . $keyname if ($keyname =~ /^(client-ssl-)/i);
|
|
push @headers, [$keyname, $keyval->[1]];
|
|
}
|
|
return \@headers;
|
|
}
|
|
|
|
# this sub turns [ [ HeaDerA, ValueA ], [ HEAderB, ValueB ] ]
|
|
# into { headera => ValueA, headerb => ValueB }
|
|
# and errors if there is a duplicate header somewhere
|
|
sub _flatten_headers {
|
|
my $arrayref = shift;
|
|
my %headers;
|
|
|
|
if (ref $arrayref ne 'ARRAY') {
|
|
return "Bad call";
|
|
}
|
|
|
|
foreach my $keyval (@$arrayref) {
|
|
if (ref $keyval ne 'ARRAY' or @$keyval != 2) {
|
|
return "Malformed headers";
|
|
}
|
|
my $key = lc($keyval->[0]);
|
|
my $val = $keyval->[1];
|
|
if (exists($headers{$key})) {
|
|
return "Duplicate header $key";
|
|
}
|
|
$headers{$key} = $val;
|
|
}
|
|
return \%headers;
|
|
}
|
|
|
|
1;
|