diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 12:08:03 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 12:08:18 +0000 |
commit | 5da14042f70711ea5cf66e034699730335462f66 (patch) | |
tree | 0f6354ccac934ed87a2d555f45be4c831cf92f4a /src/web/api/http_header.c | |
parent | Releasing debian version 1.44.3-2. (diff) | |
download | netdata-5da14042f70711ea5cf66e034699730335462f66.tar.xz netdata-5da14042f70711ea5cf66e034699730335462f66.zip |
Merging upstream version 1.45.3+dfsg.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | src/web/api/http_header.c | 254 |
1 files changed, 254 insertions, 0 deletions
diff --git a/src/web/api/http_header.c b/src/web/api/http_header.c new file mode 100644 index 000000000..5b0b1b651 --- /dev/null +++ b/src/web/api/http_header.c @@ -0,0 +1,254 @@ +// SPDX-License-Identifier: GPL-3.0-or-later + +#include "http_header.h" + +static void web_client_enable_deflate(struct web_client *w, bool gzip) { + if(gzip) + web_client_flag_set(w, WEB_CLIENT_ENCODING_GZIP); + else + web_client_flag_set(w, WEB_CLIENT_ENCODING_DEFLATE); + + if(!web_client_check_conn_unix(w) && !web_client_check_conn_tcp(w) && !web_client_check_conn_cloud(w)) + return; + + if(unlikely(w->response.zinitialized)) { + // compression has already been initialized for this client. + return; + } + + if(unlikely(w->response.sent)) { + netdata_log_error("%llu: Cannot enable compression in the middle of a conversation.", w->id); + return; + } + + w->response.zstream.zalloc = Z_NULL; + w->response.zstream.zfree = Z_NULL; + w->response.zstream.opaque = Z_NULL; + + w->response.zstream.next_in = (Bytef *)w->response.data->buffer; + w->response.zstream.avail_in = 0; + w->response.zstream.total_in = 0; + + w->response.zstream.next_out = w->response.zbuffer; + w->response.zstream.avail_out = 0; + w->response.zstream.total_out = 0; + + w->response.zstream.zalloc = Z_NULL; + w->response.zstream.zfree = Z_NULL; + w->response.zstream.opaque = Z_NULL; + + // Select GZIP compression: windowbits = 15 + 16 = 31 + if(deflateInit2(&w->response.zstream, web_gzip_level, Z_DEFLATED, 15 + ((gzip)?16:0), 8, web_gzip_strategy) != Z_OK) { + netdata_log_error("%llu: Failed to initialize zlib. Proceeding without compression.", w->id); + return; + } + + w->response.zsent = 0; + w->response.zoutput = true; + w->response.zinitialized = true; + + if(!web_client_check_conn_cloud(w)) + // cloud sends the entire response at once, not in chunks + web_client_flag_set(w, WEB_CLIENT_CHUNKED_TRANSFER); + + netdata_log_debug(D_DEFLATE, "%llu: Initialized compression.", w->id); +} + +static void http_header_origin(struct web_client *w, const char *v, size_t len __maybe_unused) { + freez(w->origin); + w->origin = strdupz(v); +} + +static void http_header_connection(struct web_client *w, const char *v, size_t len __maybe_unused) { + if(strcasestr(v, "keep-alive")) + web_client_enable_keepalive(w); +} + +static void http_header_dnt(struct web_client *w, const char *v, size_t len __maybe_unused) { + if(respect_web_browser_do_not_track_policy) { + if (*v == '0') web_client_disable_donottrack(w); + else if (*v == '1') web_client_enable_donottrack(w); + } +} + +static void http_header_user_agent(struct web_client *w, const char *v, size_t len __maybe_unused) { + if(w->mode == HTTP_REQUEST_MODE_STREAM) { + freez(w->user_agent); + w->user_agent = strdupz(v); + } +} + +static void http_header_x_auth_token(struct web_client *w, const char *v, size_t len __maybe_unused) { + freez(w->auth_bearer_token); + w->auth_bearer_token = strdupz(v); +} + +static void http_header_host(struct web_client *w, const char *v, size_t len) { + char buffer[NI_MAXHOST]; + strncpyz(buffer, v, (len < sizeof(buffer) - 1 ? len : sizeof(buffer) - 1)); + freez(w->server_host); + w->server_host = strdupz(buffer); +} + +static void http_header_accept_encoding(struct web_client *w, const char *v, size_t len __maybe_unused) { + if(web_enable_gzip) { + if(strcasestr(v, "gzip")) + web_client_enable_deflate(w, true); + + // does not seem to work + // else if(strcasestr(v, "deflate")) + // web_client_enable_deflate(w, 0); + } +} + +static void http_header_x_forwarded_host(struct web_client *w, const char *v, size_t len) { + char buffer[NI_MAXHOST]; + strncpyz(buffer, v, (len < sizeof(buffer) - 1 ? len : sizeof(buffer) - 1)); + freez(w->forwarded_host); + w->forwarded_host = strdupz(buffer); +} + +static void http_header_x_forwarded_for(struct web_client *w, const char *v, size_t len) { + char buffer[NI_MAXHOST]; + strncpyz(buffer, v, (len < sizeof(buffer) - 1 ? len : sizeof(buffer) - 1)); + freez(w->forwarded_for); + w->forwarded_for = strdupz(buffer); +} + +static void http_header_x_transaction_id(struct web_client *w, const char *v, size_t len) { + char buffer[UUID_STR_LEN * 2]; + strncpyz(buffer, v, (len < sizeof(buffer) - 1 ? len : sizeof(buffer) - 1)); + uuid_parse_flexi(buffer, w->transaction); // will not alter w->transaction if it fails +} + +static void http_header_x_netdata_account_id(struct web_client *w, const char *v, size_t len) { + if(web_client_flag_check(w, WEB_CLIENT_FLAG_CONN_CLOUD) && w->acl & HTTP_ACL_ACLK) { + char buffer[UUID_STR_LEN * 2]; + strncpyz(buffer, v, (len < sizeof(buffer) - 1 ? len : sizeof(buffer) - 1)); + uuid_parse_flexi(buffer, w->auth.cloud_account_id); // will not alter w->cloud_account_id if it fails + } +} + +static void http_header_x_netdata_role(struct web_client *w, const char *v, size_t len) { + if(web_client_flag_check(w, WEB_CLIENT_FLAG_CONN_CLOUD) && w->acl & HTTP_ACL_ACLK) { + char buffer[100]; + strncpyz(buffer, v, (len < sizeof(buffer) - 1 ? len : sizeof(buffer) - 1)); + if (strcasecmp(buffer, "admin") == 0) + w->user_role = HTTP_USER_ROLE_ADMIN; + else if(strcasecmp(buffer, "manager") == 0) + w->user_role = HTTP_USER_ROLE_MANAGER; + else if(strcasecmp(buffer, "troubleshooter") == 0) + w->user_role = HTTP_USER_ROLE_TROUBLESHOOTER; + else if(strcasecmp(buffer, "observer") == 0) + w->user_role = HTTP_USER_ROLE_OBSERVER; + else if(strcasecmp(buffer, "member") == 0) + w->user_role = HTTP_USER_ROLE_MEMBER; + else if(strcasecmp(buffer, "billing") == 0) + w->user_role = HTTP_USER_ROLE_BILLING; + else + w->user_role = HTTP_USER_ROLE_MEMBER; + } +} + +static void http_header_x_netdata_permissions(struct web_client *w, const char *v, size_t len __maybe_unused) { + if(web_client_flag_check(w, WEB_CLIENT_FLAG_CONN_CLOUD) && w->acl & HTTP_ACL_ACLK) { + HTTP_ACCESS access = http_access_from_hex(v); + web_client_set_permissions(w, access, w->user_role, WEB_CLIENT_FLAG_AUTH_CLOUD); + } +} + +static void http_header_x_netdata_user_name(struct web_client *w, const char *v, size_t len) { + if(web_client_flag_check(w, WEB_CLIENT_FLAG_CONN_CLOUD) && w->acl & HTTP_ACL_ACLK) { + strncpyz(w->auth.client_name, v, (len < sizeof(w->auth.client_name) - 1 ? len : sizeof(w->auth.client_name) - 1)); + } +} + +static void http_header_x_netdata_auth(struct web_client *w, const char *v, size_t len __maybe_unused) { + if(web_client_flag_check(w, WEB_CLIENT_FLAG_CONN_CLOUD) && w->acl & HTTP_ACL_ACLK) + // we don't need authorization bearer when the request comes from netdata cloud + return; + + if(strncasecmp(v, "Bearer ", 7) == 0) { + v = &v[7]; + while(*v && isspace(*v)) v++; + web_client_bearer_token_auth(w, v); + } +} + +struct { + uint32_t hash; + const char *key; + void (*cb)(struct web_client *w, const char *value, size_t value_len); +} supported_headers[] = { + { .hash = 0, .key = "Origin", .cb = http_header_origin }, + { .hash = 0, .key = "Connection", .cb = http_header_connection }, + { .hash = 0, .key = "DNT", .cb = http_header_dnt }, + { .hash = 0, .key = "User-Agent", .cb = http_header_user_agent}, + { .hash = 0, .key = "X-Auth-Token", .cb = http_header_x_auth_token }, + { .hash = 0, .key = "Host", .cb = http_header_host }, + { .hash = 0, .key = "Accept-Encoding", .cb = http_header_accept_encoding }, + { .hash = 0, .key = "X-Forwarded-Host", .cb = http_header_x_forwarded_host }, + { .hash = 0, .key = "X-Forwarded-For", .cb = http_header_x_forwarded_for }, + { .hash = 0, .key = "X-Transaction-Id", .cb = http_header_x_transaction_id }, + { .hash = 0, .key = "X-Netdata-Account-Id", .cb = http_header_x_netdata_account_id }, + { .hash = 0, .key = "X-Netdata-Role", .cb = http_header_x_netdata_role }, + { .hash = 0, .key = "X-Netdata-Permissions", .cb = http_header_x_netdata_permissions }, + { .hash = 0, .key = "X-Netdata-User-Name", .cb = http_header_x_netdata_user_name }, + { .hash = 0, .key = "X-Netdata-Auth", .cb = http_header_x_netdata_auth }, + + // for historical reasons. + // there are a few nightly versions of netdata UI that incorrectly use this instead of X-Netdata-Auth + { .hash = 0, .key = "Authorization", .cb = http_header_x_netdata_auth }, + + // terminator + { .hash = 0, .key = NULL, .cb = NULL } +}; + +char *http_header_parse_line(struct web_client *w, char *s) { + if(unlikely(!supported_headers[0].hash)) { + // initialize the hashes, the first time it runs + + for(size_t i = 0; supported_headers[i].key ;i++) + supported_headers[i].hash = simple_uhash(supported_headers[i].key); + } + + char *e = s; + + // find the colon + while(*e && *e != ':') e++; + if(!*e) return e; + + // get the name + *e = '\0'; + + // find the value + char *v = e + 1, *ve; + + // skip leading spaces from value + while(*v == ' ') v++; + ve = v; + + // find the \r + while(*ve && *ve != '\r') ve++; + if(!*ve || ve[1] != '\n') { + *e = ':'; + return ve; + } + + // terminate the value + *ve = '\0'; + + uint32_t hash = simple_uhash(s); + + for(size_t i = 0; supported_headers[i].key ;i++) { + if(likely(hash != supported_headers[i].hash || strcasecmp(s, supported_headers[i].key) != 0)) + continue; + + supported_headers[i].cb(w, v, ve - v); + break; + } + + *e = ':'; + *ve = '\r'; + return ve; +} |