From dd35ad43caab407cc70ef3b153b3f94d57242ed9 Mon Sep 17 00:00:00 2001 From: Jesse Hallam Date: Thu, 21 Jun 2018 14:31:51 -0400 Subject: MM-10370: serve subpath (#8968) * factor out GetSubpathFromConfig * mv web/subpath.go to utils/subpath.go * serve up web, api and ws on /subpath if configured * pass config to utils.RenderWeb(App)?Error This allows the methods to extract the configured subpath and redirect to the appropriate `/subpath/error` handler. * ensure GetSubpathFromConfig returns trailing slashes deterministically * fix error 404 handling * redirect /subpath to /subpath/ This is necessary for the static handler to match, otherwise none of the registered routes find anything. This also makes it no longer necessary to add trailing slashes in the root router. --- utils/api.go | 13 ++-- utils/api_test.go | 4 +- utils/subpath.go | 148 ++++++++++++++++++++++++++++++++++++++ utils/subpath_test.go | 192 ++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 351 insertions(+), 6 deletions(-) create mode 100644 utils/subpath.go create mode 100644 utils/subpath_test.go (limited to 'utils') diff --git a/utils/api.go b/utils/api.go index b5e490eb7..d14f316b6 100644 --- a/utils/api.go +++ b/utils/api.go @@ -11,6 +11,7 @@ import ( "html/template" "net/http" "net/url" + "path" "strings" "github.com/mattermost/mattermost-server/model" 
@@ -35,24 +36,26 @@ func OriginChecker(allowedOrigins string) func(*http.Request) bool { } } -func RenderWebAppError(w http.ResponseWriter, r *http.Request, err *model.AppError, s crypto.Signer) { - RenderWebError(w, r, err.StatusCode, url.Values{ +func RenderWebAppError(config *model.Config, w http.ResponseWriter, r *http.Request, err *model.AppError, s crypto.Signer) { + RenderWebError(config, w, r, err.StatusCode, url.Values{ "message": []string{err.Message}, }, s) } -func RenderWebError(w http.ResponseWriter, r *http.Request, status int, params url.Values, s crypto.Signer) { +func RenderWebError(config *model.Config, w http.ResponseWriter, r *http.Request, status int, params url.Values, s crypto.Signer) { queryString := params.Encode() + subpath, _ := GetSubpathFromConfig(config) + h := crypto.SHA256 sum := h.New() - sum.Write([]byte("/error?" + queryString)) + sum.Write([]byte(path.Join(subpath, "error") + "?" + queryString)) signature, err := s.Sign(rand.Reader, sum.Sum(nil), h) if err != nil { http.Error(w, "", http.StatusInternalServerError) return } - destination := "/error?" + queryString + "&s=" + base64.URLEncoding.EncodeToString(signature) + destination := path.Join(subpath, "error") + "?" + queryString + "&s=" + base64.URLEncoding.EncodeToString(signature) if status >= 300 && status < 400 { http.Redirect(w, r, destination, status) diff --git a/utils/api_test.go b/utils/api_test.go index 5e41c7bfe..d84207eaa 100644 --- a/utils/api_test.go +++ b/utils/api_test.go @@ -18,6 +18,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + + "github.com/mattermost/mattermost-server/model" ) func TestRenderWebError(t *testing.T) { 
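Review bot: In RenderWebError the error from `GetSubpathFromConfig(config)` is discarded, so a nil config or an unparseable SiteURL leaves `subpath` empty and `path.Join(subpath, "error")` yields the relative path `error` instead of `/error`. That relative string is both signed and used as the redirect target, so the signature would presumably no longer match what the error handler recomputes (the handler is not in this diff). Fall back explicitly and build the path once: `subpath, err := GetSubpathFromConfig(config); if err != nil { subpath = "/" }` followed by `errorPath := path.Join(subpath, "error")`, then use `errorPath` for both the `sum.Write` input and `destination`. The body of RenderWebError continues past the end of the hunk.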
@@ -25,7 +27,7 @@ func TestRenderWebError(t *testing.T) { w := httptest.NewRecorder() key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) require.NoError(t, err) - RenderWebError(w, r, http.StatusTemporaryRedirect, url.Values{ + RenderWebError(&model.Config{}, w, r, http.StatusTemporaryRedirect, url.Values{ "foo": []string{"bar"}, }, key) diff --git a/utils/subpath.go b/utils/subpath.go new file mode 100644 index 000000000..cddc90fa4 --- /dev/null +++ b/utils/subpath.go 
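Review bot: The updated call passes an empty `&model.Config{}`, so TestRenderWebError still covers only the root case, where the signed path is `/error`. The commit changes the signed string to include the configured subpath, so a second case with `SiteURL` set to a value such as `http://localhost:8065/subpath` would pin that the signature is computed over `/subpath/error?...` and that the redirect target carries the same prefix. The assertions of the test lie outside the hunk, so confirm how the signature is verified there before adding the case.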
@@ -0,0 +1,148 @@ +// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package utils + +import ( + "crypto/sha256" + "encoding/base64" + "fmt" + "io/ioutil" + "net/url" + "os" + "path" + "path/filepath" + "regexp" + "strings" + + "github.com/pkg/errors" + + "github.com/mattermost/mattermost-server/mlog" + "github.com/mattermost/mattermost-server/model" +) + +// UpdateAssetsSubpath rewrites assets in the /client directory to assume the application is hosted +// at the given subpath instead of at the root. No changes are written unless necessary. +func UpdateAssetsSubpath(subpath string) error { + if subpath == "" { + subpath = "/" + } + + staticDir, found := FindDir(model.CLIENT_DIR) + if !found { + return errors.New("failed to find client dir") + } + + staticDir, err := filepath.EvalSymlinks(staticDir) + if err != nil { + return errors.Wrapf(err, "failed to resolve symlinks to %s", staticDir) + } + + rootHtmlPath := filepath.Join(staticDir, "root.html") + oldRootHtml, err := ioutil.ReadFile(rootHtmlPath) + if err != nil { + return errors.Wrap(err, "failed to open root.html") + } + + pathToReplace := "/static/" + newPath := path.Join(subpath, "static") + "/" + + // Determine if a previous subpath had already been rewritten into the assets. + reWebpackPublicPathScript := regexp.MustCompile("window.publicPath='([^']+)'") + alreadyRewritten := false + if matches := reWebpackPublicPathScript.FindStringSubmatch(string(oldRootHtml)); matches != nil { + pathToReplace = matches[1] + alreadyRewritten = true + } + + if pathToReplace == newPath { + mlog.Debug("No rewrite required for static assets", mlog.String("path", pathToReplace)) + return nil + } + + mlog.Debug("Rewriting static assets", mlog.String("from_path", pathToReplace), mlog.String("to_path", newPath)) + + newRootHtml := string(oldRootHtml) + + // Compute the sha256 hash for the inline script and reference same in the CSP meta tag. 
+ // This allows the inline script defining `window.publicPath` to bypass CSP protections. + script := fmt.Sprintf("window.publicPath='%s'", newPath) + scriptHash := sha256.Sum256([]byte(script)) + + reCSP := regexp.MustCompile(``) + newRootHtml = reCSP.ReplaceAllLiteralString(newRootHtml, fmt.Sprintf( + ``, + base64.StdEncoding.EncodeToString(scriptHash[:]), + )) + + // Rewrite the root.html references to `/static/*` to include the given subpath. This + // potentially includes a previously injected inline script. + newRootHtml = strings.Replace(newRootHtml, pathToReplace, newPath, -1) + + // Inject the script, if needed, to define `window.publicPath`. + if !alreadyRewritten { + newRootHtml = strings.Replace(newRootHtml, "", fmt.Sprintf("", script), 1) + } + + // Write out the updated root.html. + if err = ioutil.WriteFile(rootHtmlPath, []byte(newRootHtml), 0); err != nil { + return errors.Wrapf(err, "failed to update root.html with subpath %s", subpath) + } + + // Rewrite the *.css references to `/static/*` (or a previously rewritten subpath). + err = filepath.Walk(staticDir, func(walkPath string, info os.FileInfo, err error) error { + if filepath.Ext(walkPath) == ".css" { + if oldCss, err := ioutil.ReadFile(walkPath); err != nil { + return errors.Wrapf(err, "failed to open %s", walkPath) + } else { + newCss := strings.Replace(string(oldCss), pathToReplace, newPath, -1) + if err = ioutil.WriteFile(walkPath, []byte(newCss), 0); err != nil { + return errors.Wrapf(err, "failed to update %s with subpath %s", walkPath, subpath) + } + } + } + + return nil + }) + if err != nil { + return errors.Wrapf(err, "error walking %s", staticDir) + } + + return nil +} + +// UpdateAssetsSubpathFromConfig uses UpdateAssetsSubpath and any path defined in the SiteURL. +func UpdateAssetsSubpathFromConfig(config *model.Config) error { + // Don't rewrite in development environments, since webpack in developer mode constantly + // updates the assets and must be configured separately. 
+ if model.BuildNumber == "dev" { + mlog.Debug("Skipping update to assets subpath since dev build") + return nil + } + + subpath, err := GetSubpathFromConfig(config) + if err != nil { + return err + } + + return UpdateAssetsSubpath(subpath) +} + +func GetSubpathFromConfig(config *model.Config) (string, error) { + if config == nil { + return "", errors.New("no config provided") + } else if config.ServiceSettings.SiteURL == nil { + return "/", nil + } + + u, err := url.Parse(*config.ServiceSettings.SiteURL) + if err != nil { + return "", errors.Wrap(err, "failed to parse SiteURL from config") + } + + if u.Path == "" { + return "/", nil + } + + return path.Clean(u.Path), nil +} diff --git a/utils/subpath_test.go b/utils/subpath_test.go new file mode 100644 index 000000000..ee518d5f6 --- /dev/null +++ b/utils/subpath_test.go 
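Review bot: UpdateAssetsSubpath interpolates `newPath` into the inline script `window.publicPath='%s'` and then allow-lists that exact script through the CSP hash, but nothing checks which characters the subpath contains. GetSubpathFromConfig returns `path.Clean(u.Path)`, and `u.Path` is the percent-decoded form, so a SiteURL whose path decodes to a quote or angle bracket would be written verbatim into root.html and every .css file; it would also defeat the `window.publicPath='([^']+)'` match on the next run. Reject anything outside a conservative set before touching files, for example a package-level `reValidSubpath = regexp.MustCompile("^/[A-Za-z0-9/._-]*$")` and `if !reValidSubpath.MatchString(subpath) { return errors.Errorf("invalid subpath %q", subpath) }` right after the empty-string default. Separately, the `filepath.Walk` callback ignores its `err` argument, so unreadable entries are skipped silently.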
@@ -0,0 +1,192 @@ +package utils_test + +import ( + "io/ioutil" + "os" + "path/filepath" + "testing" + + "github.com/stretchr/testify/require" + + "github.com/mattermost/mattermost-server/model" + "github.com/mattermost/mattermost-server/utils" +) + +func TestUpdateAssetsSubpath(t *testing.T) { + t.Run("no client dir", func(t *testing.T) { + tempDir, err := ioutil.TempDir("", "test_update_assets_subpath") + require.NoError(t, err) + defer os.RemoveAll(tempDir) + os.Chdir(tempDir) + + err = utils.UpdateAssetsSubpath("/") + require.Error(t, err) + }) + + t.Run("valid", func(t *testing.T) { + tempDir, err := ioutil.TempDir("", "test_update_assets_subpath") + require.NoError(t, err) + defer os.RemoveAll(tempDir) + os.Chdir(tempDir) + + err = os.Mkdir(model.CLIENT_DIR, 0700) + require.NoError(t, err) + + testCases := []struct { + Description string + RootHTML string + MainCSS string + Subpath string + ExpectedRootHTML string + ExpectedMainCSS string + }{ + { + "no changes required, empty subpath provided", + baseRootHtml, + baseCss, + "", + baseRootHtml, + baseCss, + }, + { + "no changes required", + baseRootHtml, + baseCss, + "/", + baseRootHtml, + baseCss, + }, + { + "subpath", + baseRootHtml, + baseCss, + "/subpath", + subpathRootHtml, + subpathCss, + }, + { + "new subpath from old", + subpathRootHtml, + subpathCss, + "/nested/subpath", + newSubpathRootHtml, + newSubpathCss, + }, + { + "resetting to /", + subpathRootHtml, + subpathCss, + "/", + resetRootHtml, + baseCss, + }, + } + + for _, testCase := range testCases { + t.Run(testCase.Description, func(t *testing.T) { + ioutil.WriteFile(filepath.Join(tempDir, model.CLIENT_DIR, "root.html"), []byte(testCase.RootHTML), 0700) + ioutil.WriteFile(filepath.Join(tempDir, model.CLIENT_DIR, "main.css"), []byte(testCase.MainCSS), 0700) + err := utils.UpdateAssetsSubpath(testCase.Subpath) + require.NoError(t, err) + + contents, err := ioutil.ReadFile(filepath.Join(tempDir, model.CLIENT_DIR, "root.html")) + require.NoError(t, 
err) + require.Equal(t, testCase.ExpectedRootHTML, string(contents)) + + contents, err = ioutil.ReadFile(filepath.Join(tempDir, model.CLIENT_DIR, "main.css")) + require.NoError(t, err) + require.Equal(t, testCase.ExpectedMainCSS, string(contents)) + + }) + } + }) +} + +func TestGetSubpathFromConfig(t *testing.T) { + sToP := func(s string) *string { + return &s + } + + testCases := []struct { + Description string + SiteURL *string + ExpectedError bool + ExpectedSubpath string + }{ + { + "empty SiteURL", + sToP(""), + false, + "/", + }, + { + "invalid SiteURL", + sToP("cache_object:foo/bar"), + true, + "", + }, + { + "nil SiteURL", + nil, + false, + "/", + }, + { + "no trailing slash", + sToP("http://localhost:8065"), + false, + "/", + }, + { + "trailing slash", + sToP("http://localhost:8065/"), + false, + "/", + }, + { + "subpath, no trailing slash", + sToP("http://localhost:8065/subpath"), + false, + "/subpath", + }, + { + "trailing slash", + sToP("http://localhost:8065/subpath/"), + false, + "/subpath", + }, + } + + for _, testCase := range testCases { + t.Run(testCase.Description, func(t *testing.T) { + config := &model.Config{ + ServiceSettings: model.ServiceSettings{ + SiteURL: testCase.SiteURL, + }, + } + + subpath, err := utils.GetSubpathFromConfig(config) + if testCase.ExpectedError { + require.Error(t, err) + } else { + require.NoError(t, err) + } + + require.Equal(t, testCase.ExpectedSubpath, subpath) + }) + } +} + +const baseRootHtml = ` Mattermost

Cannot connect to Mattermost


We're having trouble connecting to Mattermost. If refreshing this page (Ctrl+R or Command+R) does not work, please verify that your computer is connected to the internet.


` + +const baseCss = `@font-face{font-family:FontAwesome;src:url(/static/files/674f50d287a8c48dc19ba404d20fe713.eot);src:url(/static/files/674f50d287a8c48dc19ba404d20fe713.eot?#iefix&v=4.7.0) format("embedded-opentype"),url(/static/files/af7ae505a9eed503f8b8e6982036873e.woff2) format("woff2"),url(/static/files/fee66e712a8a08eef5805a46892932ad.woff) format("woff"),url(/static/files/b06871f281fee6b241d60582ae9369b9.ttf) format("truetype"),url(/static/files/677433a0892aaed7b7d2628c313c9775.svg#fontawesomeregular) format("svg");font-weight:400;font-style:normal}` + +const subpathRootHtml = ` Mattermost

Cannot connect to Mattermost


We're having trouble connecting to Mattermost. If refreshing this page (Ctrl+R or Command+R) does not work, please verify that your computer is connected to the internet.


` + +const subpathCss = `@font-face{font-family:FontAwesome;src:url(/subpath/static/files/674f50d287a8c48dc19ba404d20fe713.eot);src:url(/subpath/static/files/674f50d287a8c48dc19ba404d20fe713.eot?#iefix&v=4.7.0) format("embedded-opentype"),url(/subpath/static/files/af7ae505a9eed503f8b8e6982036873e.woff2) format("woff2"),url(/subpath/static/files/fee66e712a8a08eef5805a46892932ad.woff) format("woff"),url(/subpath/static/files/b06871f281fee6b241d60582ae9369b9.ttf) format("truetype"),url(/subpath/static/files/677433a0892aaed7b7d2628c313c9775.svg#fontawesomeregular) format("svg");font-weight:400;font-style:normal}` + +const newSubpathRootHtml = ` Mattermost

Cannot connect to Mattermost


We're having trouble connecting to Mattermost. If refreshing this page (Ctrl+R or Command+R) does not work, please verify that your computer is connected to the internet.


` + +const newSubpathCss = `@font-face{font-family:FontAwesome;src:url(/nested/subpath/static/files/674f50d287a8c48dc19ba404d20fe713.eot);src:url(/nested/subpath/static/files/674f50d287a8c48dc19ba404d20fe713.eot?#iefix&v=4.7.0) format("embedded-opentype"),url(/nested/subpath/static/files/af7ae505a9eed503f8b8e6982036873e.woff2) format("woff2"),url(/nested/subpath/static/files/fee66e712a8a08eef5805a46892932ad.woff) format("woff"),url(/nested/subpath/static/files/b06871f281fee6b241d60582ae9369b9.ttf) format("truetype"),url(/nested/subpath/static/files/677433a0892aaed7b7d2628c313c9775.svg#fontawesomeregular) format("svg");font-weight:400;font-style:normal}` + +const resetRootHtml = ` Mattermost

Cannot connect to Mattermost


We're having trouble connecting to Mattermost. If refreshing this page (Ctrl+R or Command+R) does not work, please verify that your computer is connected to the internet.


` -- cgit v1.2.3-1-g7c22
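Review bot: Both subtests of TestUpdateAssetsSubpath call `os.Chdir(tempDir)` without checking the result or restoring the previous directory, so later tests in the package inherit a working directory that `defer os.RemoveAll(tempDir)` then deletes. Capture the original with `os.Getwd()`, restore it with `defer os.Chdir(orig)`, and wrap the call as `require.NoError(t, os.Chdir(tempDir))`. The two fixture `ioutil.WriteFile` calls inside the table loop also drop their errors; wrapping them in `require.NoError` makes a failed write show up as such instead of as a content mismatch. Two cases in TestGetSubpathFromConfig share the description `trailing slash`, which makes their subtest names ambiguous.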