diff --git a/cmd/ipfs/daemon.go b/cmd/ipfs/daemon.go index dec47a18dcb..b8486f8aba1 100644 --- a/cmd/ipfs/daemon.go +++ b/cmd/ipfs/daemon.go @@ -12,6 +12,8 @@ import ( "sort" "sync" + multierror "github.com/hashicorp/go-multierror" + version "github.com/ipfs/go-ipfs" config "github.com/ipfs/go-ipfs-config" cserial "github.com/ipfs/go-ipfs-config/serialize" @@ -27,7 +29,6 @@ import ( migrate "github.com/ipfs/go-ipfs/repo/fsrepo/migrations" sockets "github.com/libp2p/go-socket-activation" - "github.com/hashicorp/go-multierror" cmds "github.com/ipfs/go-ipfs-cmds" mprome "github.com/ipfs/go-metrics-prometheus" goprocess "github.com/jbenet/goprocess" @@ -298,9 +299,9 @@ func daemonFunc(req *cmds.Request, re cmds.ResponseEmitter, env cmds.Environment // Start assembling node config ncfg := &core.BuildCfg{ - Repo: repo, - Permanent: true, // It is temporary way to signify that node is permanent - Online: !offline, + Repo: repo, + Permanent: true, // It is temporary way to signify that node is permanent + Online: !offline, DisableEncryptedConnections: unencrypted, ExtraOpts: map[string]bool{ "pubsub": pubsub, @@ -636,7 +637,7 @@ func serveHTTPGateway(req *cmds.Request, cctx *oldcmds.Context) (<-chan error, e var opts = []corehttp.ServeOption{ corehttp.MetricsCollectionOption("gateway"), - corehttp.IPNSHostnameOption(), + corehttp.HostnameOption(), corehttp.GatewayOption(writable, "/ipfs", "/ipns"), corehttp.VersionOption(), corehttp.CheckVersionOption(), diff --git a/core/corehttp/corehttp.go b/core/corehttp/corehttp.go index c52bea8f5c7..d99a0769119 100644 --- a/core/corehttp/corehttp.go +++ b/core/corehttp/corehttp.go @@ -43,7 +43,17 @@ func makeHandler(n *core.IpfsNode, l net.Listener, options ...ServeOption) (http return nil, err } } - return topMux, nil + handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + // ServeMux does not support requests with CONNECT method, + // so we need to handle them separately + // https://golang.org/src/net/http/request.go#L111 + if r.Method == http.MethodConnect { + w.WriteHeader(http.StatusOK) + return + } + topMux.ServeHTTP(w, r) + }) + return handler, nil } // ListenAndServe runs an HTTP server listening at |listeningMultiAddr| with @@ -70,6 +80,8 @@ func ListenAndServe(n *core.IpfsNode, listeningMultiAddr string, options ...Serv return Serve(n, manet.NetListener(list), options...) } +// Serve accepts incoming HTTP connections on the listener and pass them +// to ServeOption handlers. func Serve(node *core.IpfsNode, lis net.Listener, options ...ServeOption) error { // make sure we close this no matter what. defer lis.Close() diff --git a/core/corehttp/gateway_handler.go b/core/corehttp/gateway_handler.go index 5b1382a8655..cf74202434a 100644 --- a/core/corehttp/gateway_handler.go +++ b/core/corehttp/gateway_handler.go @@ -14,12 +14,12 @@ import ( "strings" "time" - "github.com/dustin/go-humanize" + humanize "github.com/dustin/go-humanize" "github.com/ipfs/go-cid" files "github.com/ipfs/go-ipfs-files" dag "github.com/ipfs/go-merkledag" - "github.com/ipfs/go-mfs" - "github.com/ipfs/go-path" + mfs "github.com/ipfs/go-mfs" + path "github.com/ipfs/go-path" "github.com/ipfs/go-path/resolver" coreiface "github.com/ipfs/interface-go-ipfs-core" ipath "github.com/ipfs/interface-go-ipfs-core/path" @@ -142,7 +142,7 @@ func (i *gatewayHandler) getOrHeadHandler(w http.ResponseWriter, r *http.Request } } - // IPNSHostnameOption might have constructed an IPNS path using the Host header. + // HostnameOption might have constructed an IPNS/IPFS path using the Host header. // In this case, we need the original path for constructing redirects // and links that match the requested URL. // For example, http://example.net would become /ipns/example.net, and @@ -150,6 +150,7 @@ func (i *gatewayHandler) getOrHeadHandler(w http.ResponseWriter, r *http.Request requestURI, err := url.ParseRequestURI(r.RequestURI) if err != nil { webError(w, "failed to parse request path", err, http.StatusInternalServerError) + return } originalUrlPath := prefix + requestURI.Path diff --git a/core/corehttp/gateway_test.go b/core/corehttp/gateway_test.go index 9128aa0175d..daf1af07c6c 100644 --- a/core/corehttp/gateway_test.go +++ b/core/corehttp/gateway_test.go @@ -138,7 +138,7 @@ func newTestServerAndNode(t *testing.T, ns mockNamesys) (*httptest.Server, iface dh.Handler, err = makeHandler(n, ts.Listener, - IPNSHostnameOption(), + HostnameOption(), GatewayOption(false, "/ipfs", "/ipns"), VersionOption(), ) @@ -184,12 +184,12 @@ func TestGatewayGet(t *testing.T) { status int text string }{ - {"localhost:5001", "/", http.StatusNotFound, "404 page not found\n"}, - {"localhost:5001", "/" + k.Cid().String(), http.StatusNotFound, "404 page not found\n"}, - {"localhost:5001", k.String(), http.StatusOK, "fnord"}, - {"localhost:5001", "/ipns/nxdomain.example.com", http.StatusNotFound, "ipfs resolve -r /ipns/nxdomain.example.com: " + namesys.ErrResolveFailed.Error() + "\n"}, - {"localhost:5001", "/ipns/%0D%0A%0D%0Ahello", http.StatusNotFound, "ipfs resolve -r /ipns/%0D%0A%0D%0Ahello: " + namesys.ErrResolveFailed.Error() + "\n"}, - {"localhost:5001", "/ipns/example.com", http.StatusOK, "fnord"}, + {"127.0.0.1:8080", "/", http.StatusNotFound, "404 page not found\n"}, + {"127.0.0.1:8080", "/" + k.Cid().String(), http.StatusNotFound, "404 page not found\n"}, + {"127.0.0.1:8080", k.String(), http.StatusOK, "fnord"}, + {"127.0.0.1:8080", "/ipns/nxdomain.example.com", http.StatusNotFound, "ipfs resolve -r /ipns/nxdomain.example.com: " + namesys.ErrResolveFailed.Error() + "\n"}, + {"127.0.0.1:8080", "/ipns/%0D%0A%0D%0Ahello", http.StatusNotFound, "ipfs resolve -r /ipns/%0D%0A%0D%0Ahello: " + namesys.ErrResolveFailed.Error() + "\n"}, + {"127.0.0.1:8080", "/ipns/example.com", http.StatusOK, "fnord"}, {"example.com", "/", http.StatusOK, "fnord"}, {"working.example.com", "/", http.StatusOK, "fnord"}, @@ -381,7 +381,7 @@ func TestIPNSHostnameBacklinks(t *testing.T) { if !strings.Contains(s, "Index of /foo? #<'/") { t.Fatalf("expected a path in directory listing") } - if !strings.Contains(s, "") { + if !strings.Contains(s, "") { t.Fatalf("expected backlink in directory listing") } if !strings.Contains(s, "") { @@ -447,7 +447,7 @@ func TestIPNSHostnameBacklinks(t *testing.T) { if !strings.Contains(s, "Index of /foo? #<'/bar/") { t.Fatalf("expected a path in directory listing") } - if !strings.Contains(s, "") { + if !strings.Contains(s, "") { t.Fatalf("expected backlink in directory listing") } if !strings.Contains(s, "") { diff --git a/core/corehttp/hostname.go b/core/corehttp/hostname.go new file mode 100644 index 00000000000..910ba5bc87d --- /dev/null +++ b/core/corehttp/hostname.go @@ -0,0 +1,358 @@ +package corehttp + +import ( + "context" + "fmt" + "net" + "net/http" + "net/url" + "strings" + + cid "github.com/ipfs/go-cid" + core "github.com/ipfs/go-ipfs/core" + coreapi "github.com/ipfs/go-ipfs/core/coreapi" + namesys "github.com/ipfs/go-ipfs/namesys" + isd "github.com/jbenet/go-is-domain" + "github.com/libp2p/go-libp2p-core/peer" + mbase "github.com/multiformats/go-multibase" + + config "github.com/ipfs/go-ipfs-config" + iface "github.com/ipfs/interface-go-ipfs-core" + options "github.com/ipfs/interface-go-ipfs-core/options" + nsopts "github.com/ipfs/interface-go-ipfs-core/options/namesys" +) + +var defaultPaths = []string{"/ipfs/", "/ipns/", "/api/", "/p2p/", "/version"} + +var pathGatewaySpec = config.GatewaySpec{ + Paths: defaultPaths, + UseSubdomains: false, +} + +var subdomainGatewaySpec = config.GatewaySpec{ + Paths: defaultPaths, + UseSubdomains: true, +} + +var defaultKnownGateways = map[string]config.GatewaySpec{ + "localhost": subdomainGatewaySpec, + "ipfs.io": pathGatewaySpec, + "gateway.ipfs.io": pathGatewaySpec, + "dweb.link": subdomainGatewaySpec, +} + +// HostnameOption rewrites an incoming request based on the Host header. +func HostnameOption() ServeOption { + return func(n *core.IpfsNode, _ net.Listener, mux *http.ServeMux) (*http.ServeMux, error) { + childMux := http.NewServeMux() + + coreApi, err := coreapi.NewCoreAPI(n) + if err != nil { + return nil, err + } + + cfg, err := n.Repo.Config() + if err != nil { + return nil, err + } + knownGateways := make( + map[string]config.GatewaySpec, + len(defaultKnownGateways)+len(cfg.Gateway.PublicGateways), + ) + for hostname, gw := range defaultKnownGateways { + knownGateways[hostname] = gw + } + for hostname, gw := range cfg.Gateway.PublicGateways { + if gw == nil { + // Allows the user to remove gateways but _also_ + // allows us to continuously update the list. + delete(knownGateways, hostname) + } else { + knownGateways[hostname] = *gw + } + } + + mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + // Unfortunately, many (well, ipfs.io) gateways use + // DNSLink so if we blindly rewrite with DNSLink, we'll + // break /ipfs links. + // + // We fix this by maintaining a list of known gateways + // and the paths that they serve "gateway" content on. + // That way, we can use DNSLink for everything else. + + // HTTP Host & Path check: is this one of our "known gateways"? + if gw, ok := isKnownHostname(r.Host, knownGateways); ok { + // This is a known gateway but request is not using + // the subdomain feature. + + // Does this gateway _handle_ this path? + if hasPrefix(r.URL.Path, gw.Paths...) { + // It does. + + // Should this gateway use subdomains instead of paths? + if gw.UseSubdomains { + // Yes, redirect if applicable + // Example: dweb.link/ipfs/{cid} → {cid}.ipfs.dweb.link + if newURL, ok := toSubdomainURL(r.Host, r.URL.Path, r); ok { + http.Redirect(w, r, newURL, http.StatusMovedPermanently) + return + } + } + + // Not a subdomain resource, continue with path processing + // Example: 127.0.0.1:8080/ipfs/{CID}, ipfs.io/ipfs/{CID} etc + childMux.ServeHTTP(w, r) + return + } + // Not a whitelisted path + + // Try DNSLink, if it was not explicitly disabled for the hostname + if !gw.NoDNSLink && isDNSLinkRequest(n.Context(), coreApi, r) { + // rewrite path and handle as DNSLink + r.URL.Path = "/ipns/" + stripPort(r.Host) + r.URL.Path + childMux.ServeHTTP(w, r) + return + } + + // If not, resource does not exist on the hostname, return 404 + http.NotFound(w, r) + return + } + + // HTTP Host check: is this one of our subdomain-based "known gateways"? + // Example: {cid}.ipfs.localhost, {cid}.ipfs.dweb.link + if gw, hostname, ns, rootID, ok := knownSubdomainDetails(r.Host, knownGateways); ok { + // Looks like we're using known subdomain gateway. + + // Assemble original path prefix. + pathPrefix := "/" + ns + "/" + rootID + + // Does this gateway _handle_ this path? + if !(gw.UseSubdomains && hasPrefix(pathPrefix, gw.Paths...)) { + // If not, resource does not exist, return 404 + http.NotFound(w, r) + return + } + + // Do we need to fix multicodec in PeerID represented as CIDv1? + if isPeerIDNamespace(ns) { + keyCid, err := cid.Decode(rootID) + if err == nil && keyCid.Type() != cid.Libp2pKey { + if newURL, ok := toSubdomainURL(hostname, pathPrefix+r.URL.Path, r); ok { + // Redirect to CID fixed inside of toSubdomainURL() + http.Redirect(w, r, newURL, http.StatusMovedPermanently) + return + } + } + } + + // Rewrite the path to not use subdomains + r.URL.Path = pathPrefix + r.URL.Path + + // Serve path request + childMux.ServeHTTP(w, r) + return + } + // We don't have a known gateway. Fallback on DNSLink lookup + + // Wildcard HTTP Host check: + // 1. is wildcard DNSLink enabled (Gateway.NoDNSLink=false)? + // 2. does Host header include a fully qualified domain name (FQDN)? + // 3. does DNSLink record exist in DNS? + if !cfg.Gateway.NoDNSLink && isDNSLinkRequest(n.Context(), coreApi, r) { + // rewrite path and handle as DNSLink + r.URL.Path = "/ipns/" + stripPort(r.Host) + r.URL.Path + childMux.ServeHTTP(w, r) + return + } + + // else, treat it as an old school gateway, I guess. + childMux.ServeHTTP(w, r) + }) + return childMux, nil + } +} + +// isKnownHostname checks Gateway.PublicGateways and returns matching +// GatewaySpec with gracefull fallback to version without port +func isKnownHostname(hostname string, knownGateways map[string]config.GatewaySpec) (gw config.GatewaySpec, ok bool) { + // Try hostname (host+optional port - value from Host header as-is) + if gw, ok := knownGateways[hostname]; ok { + return gw, ok + } + // Fallback to hostname without port + gw, ok = knownGateways[stripPort(hostname)] + return gw, ok +} + +// Parses Host header and looks for a known subdomain gateway host. +// If found, returns GatewaySpec and subdomain components. +// Note: hostname is host + optional port +func knownSubdomainDetails(hostname string, knownGateways map[string]config.GatewaySpec) (gw config.GatewaySpec, knownHostname, ns, rootID string, ok bool) { + labels := strings.Split(hostname, ".") + // Look for FQDN of a known gateway hostname. + // Example: given "dist.ipfs.io.ipns.dweb.link": + // 1. Lookup "link" TLD in knownGateways: negative + // 2. Lookup "dweb.link" in knownGateways: positive + // + // Stops when we have 2 or fewer labels left as we need at least a + // rootId and a namespace. + for i := len(labels) - 1; i >= 2; i-- { + fqdn := strings.Join(labels[i:], ".") + gw, ok := isKnownHostname(fqdn, knownGateways) + if !ok { + continue + } + + ns := labels[i-1] + if !isSubdomainNamespace(ns) { + break + } + + // Merge remaining labels (could be a FQDN with DNSLink) + rootID := strings.Join(labels[:i-1], ".") + return gw, fqdn, ns, rootID, true + } + // not a known subdomain gateway + return gw, "", "", "", false +} + +// isDNSLinkRequest returns bool that indicates if request +// should return data from content path listed in DNSLink record (if exists) +func isDNSLinkRequest(ctx context.Context, ipfs iface.CoreAPI, r *http.Request) bool { + fqdn := stripPort(r.Host) + if len(fqdn) == 0 && !isd.IsDomain(fqdn) { + return false + } + name := "/ipns/" + fqdn + // check if DNSLink exists + depth := options.Name.ResolveOption(nsopts.Depth(1)) + _, err := ipfs.Name().Resolve(ctx, name, depth) + return err == nil || err == namesys.ErrResolveRecursion +} + +func isSubdomainNamespace(ns string) bool { + switch ns { + case "ipfs", "ipns", "p2p", "ipld": + return true + default: + return false + } +} + +func isPeerIDNamespace(ns string) bool { + switch ns { + case "ipns", "p2p": + return true + default: + return false + } +} + +// Converts a hostname/path to a subdomain-based URL, if applicable. +func toSubdomainURL(hostname, path string, r *http.Request) (redirURL string, ok bool) { + var scheme, ns, rootID, rest string + + query := r.URL.RawQuery + parts := strings.SplitN(path, "/", 4) + safeRedirectURL := func(in string) (out string, ok bool) { + safeURI, err := url.ParseRequestURI(in) + if err != nil { + return "", false + } + return safeURI.String(), true + } + + // Support X-Forwarded-Proto if added by a reverse proxy + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto + xproto := r.Header.Get("X-Forwarded-Proto") + if xproto == "https" { + scheme = "https:" + } else { + scheme = "http:" + } + + switch len(parts) { + case 4: + rest = parts[3] + fallthrough + case 3: + ns = parts[1] + rootID = parts[2] + default: + return "", false + } + + if !isSubdomainNamespace(ns) { + return "", false + } + + // add prefix if query is present + if query != "" { + query = "?" + query + } + + // Normalize problematic PeerIDs (eg. ed25519+identity) to CID representation + if isPeerIDNamespace(ns) && !isd.IsDomain(rootID) { + peerID, err := peer.Decode(rootID) + // Note: PeerID CIDv1 with protobuf multicodec will fail, but we fix it + // in the next block + if err == nil { + rootID = peer.ToCid(peerID).String() + } + } + + // If rootID is a CID, ensure it uses DNS-friendly text representation + if rootCid, err := cid.Decode(rootID); err == nil { + multicodec := rootCid.Type() + + // PeerIDs represented as CIDv1 are expected to have libp2p-key + // multicodec (https://github.com/libp2p/specs/pull/209). + // We ease the transition by fixing multicodec on the fly: + // https://github.com/ipfs/go-ipfs/issues/5287#issuecomment-492163929 + if isPeerIDNamespace(ns) && multicodec != cid.Libp2pKey { + multicodec = cid.Libp2pKey + } + + // if object turns out to be a valid CID, + // ensure text representation used in subdomain is CIDv1 in Base32 + // https://github.com/ipfs/in-web-browsers/issues/89 + rootID, err = cid.NewCidV1(multicodec, rootCid.Hash()).StringOfBase(mbase.Base32) + if err != nil { + // should not error, but if it does, its clealy not possible to + // produce a subdomain URL + return "", false + } + } + + return safeRedirectURL(fmt.Sprintf( + "%s//%s.%s.%s/%s%s", + scheme, + rootID, + ns, + hostname, + rest, + query, + )) +} + +func hasPrefix(path string, prefixes ...string) bool { + for _, prefix := range prefixes { + // Assume people are creative with trailing slashes in Gateway config + p := strings.TrimSuffix(prefix, "/") + // Support for both /version and /ipfs/$cid + if p == path || strings.HasPrefix(path, p+"/") { + return true + } + } + return false +} + +func stripPort(hostname string) string { + host, _, err := net.SplitHostPort(hostname) + if err == nil { + return host + } + return hostname +} diff --git a/core/corehttp/hostname_test.go b/core/corehttp/hostname_test.go new file mode 100644 index 00000000000..9a297464891 --- /dev/null +++ b/core/corehttp/hostname_test.go @@ -0,0 +1,152 @@ +package corehttp + +import ( + "net/http/httptest" + "testing" + + config "github.com/ipfs/go-ipfs-config" +) + +func TestToSubdomainURL(t *testing.T) { + r := httptest.NewRequest("GET", "http://request-stub.example.com", nil) + for _, test := range []struct { + // in: + hostname string + path string + // out: + url string + ok bool + }{ + // DNSLink + {"localhost", "/ipns/dnslink.io", "http://dnslink.io.ipns.localhost/", true}, + // Hostname with port + {"localhost:8080", "/ipns/dnslink.io", "http://dnslink.io.ipns.localhost:8080/", true}, + // CIDv0 → CIDv1base32 + {"localhost", "/ipfs/QmbCMUZw6JFeZ7Wp9jkzbye3Fzp2GGcPgC3nmeUjfVF87n", "http://bafybeif7a7gdklt6hodwdrmwmxnhksctcuav6lfxlcyfz4khzl3qfmvcgu.ipfs.localhost/", true}, + // PeerID as CIDv1 needs to have libp2p-key multicodec + {"localhost", "/ipns/QmY3hE8xgFCjGcz6PHgnvJz5HZi1BaKRfPkn1ghZUcYMjD", "http://bafzbeieqhtl2l3mrszjnhv6hf2iloiitsx7mexiolcnywnbcrzkqxwslja.ipns.localhost/", true}, + {"localhost", "/ipns/bafybeickencdqw37dpz3ha36ewrh4undfjt2do52chtcky4rxkj447qhdm", "http://bafzbeickencdqw37dpz3ha36ewrh4undfjt2do52chtcky4rxkj447qhdm.ipns.localhost/", true}, + // PeerID: ed25519+identity multihash + {"localhost", "/ipns/12D3KooWFB51PRY9BxcXSH6khFXw1BZeszeLDy7C8GciskqCTZn5", "http://bafzaajaiaejcat4yhiwnr2qz73mtu6vrnj2krxlpfoa3wo2pllfi37quorgwh2jw.ipns.localhost/", true}, + } { + url, ok := toSubdomainURL(test.hostname, test.path, r) + if ok != test.ok || url != test.url { + t.Errorf("(%s, %s) returned (%s, %t), expected (%s, %t)", test.hostname, test.path, url, ok, test.url, ok) + } + } +} + +func TestHasPrefix(t *testing.T) { + for _, test := range []struct { + prefixes []string + path string + out bool + }{ + {[]string{"/ipfs"}, "/ipfs/cid", true}, + {[]string{"/ipfs/"}, "/ipfs/cid", true}, + {[]string{"/version/"}, "/version", true}, + {[]string{"/version"}, "/version", true}, + } { + out := hasPrefix(test.path, test.prefixes...) + if out != test.out { + t.Errorf("(%+v, %s) returned '%t', expected '%t'", test.prefixes, test.path, out, test.out) + } + } +} + +func TestPortStripping(t *testing.T) { + for _, test := range []struct { + in string + out string + }{ + {"localhost:8080", "localhost"}, + {"bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am.ipfs.localhost:8080", "bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am.ipfs.localhost"}, + {"example.com:443", "example.com"}, + {"example.com", "example.com"}, + {"foo-dweb.ipfs.pvt.k12.ma.us:8080", "foo-dweb.ipfs.pvt.k12.ma.us"}, + {"localhost", "localhost"}, + {"[::1]:8080", "::1"}, + } { + out := stripPort(test.in) + if out != test.out { + t.Errorf("(%s): returned '%s', expected '%s'", test.in, out, test.out) + } + } + +} + +func TestKnownSubdomainDetails(t *testing.T) { + gwSpec := config.GatewaySpec{ + UseSubdomains: true, + } + knownGateways := map[string]config.GatewaySpec{ + "localhost": gwSpec, + "dweb.link": gwSpec, + "dweb.ipfs.pvt.k12.ma.us": gwSpec, // note the sneaky ".ipfs." ;-) + } + + for _, test := range []struct { + // in: + hostHeader string + // out: + hostname string + ns string + rootID string + ok bool + }{ + // no subdomain + {"127.0.0.1:8080", "", "", "", false}, + {"[::1]:8080", "", "", "", false}, + {"hey.look.example.com", "", "", "", false}, + {"dweb.link", "", "", "", false}, + // malformed Host header + {".....dweb.link", "", "", "", false}, + {"link", "", "", "", false}, + {"8080:dweb.link", "", "", "", false}, + {" ", "", "", "", false}, + {"", "", "", "", false}, + // unknown gateway host + {"bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am.ipfs.unknown.example.com", "", "", "", false}, + // cid in subdomain, known gateway + {"bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am.ipfs.localhost:8080", "localhost:8080", "ipfs", "bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am", true}, + {"bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am.ipfs.dweb.link", "dweb.link", "ipfs", "bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am", true}, + // capture everything before .ipfs. + {"foo.bar.boo-buzz.ipfs.dweb.link", "dweb.link", "ipfs", "foo.bar.boo-buzz", true}, + // ipns + {"bafzbeihe35nmjqar22thmxsnlsgxppd66pseq6tscs4mo25y55juhh6bju.ipns.localhost:8080", "localhost:8080", "ipns", "bafzbeihe35nmjqar22thmxsnlsgxppd66pseq6tscs4mo25y55juhh6bju", true}, + {"bafzbeihe35nmjqar22thmxsnlsgxppd66pseq6tscs4mo25y55juhh6bju.ipns.dweb.link", "dweb.link", "ipns", "bafzbeihe35nmjqar22thmxsnlsgxppd66pseq6tscs4mo25y55juhh6bju", true}, + // edge case check: public gateway under long TLD (see: https://publicsuffix.org) + {"bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am.ipfs.dweb.ipfs.pvt.k12.ma.us", "dweb.ipfs.pvt.k12.ma.us", "ipfs", "bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am", true}, + {"bafzbeihe35nmjqar22thmxsnlsgxppd66pseq6tscs4mo25y55juhh6bju.ipns.dweb.ipfs.pvt.k12.ma.us", "dweb.ipfs.pvt.k12.ma.us", "ipns", "bafzbeihe35nmjqar22thmxsnlsgxppd66pseq6tscs4mo25y55juhh6bju", true}, + // dnslink in subdomain + {"en.wikipedia-on-ipfs.org.ipns.localhost:8080", "localhost:8080", "ipns", "en.wikipedia-on-ipfs.org", true}, + {"en.wikipedia-on-ipfs.org.ipns.localhost", "localhost", "ipns", "en.wikipedia-on-ipfs.org", true}, + {"dist.ipfs.io.ipns.localhost:8080", "localhost:8080", "ipns", "dist.ipfs.io", true}, + {"en.wikipedia-on-ipfs.org.ipns.dweb.link", "dweb.link", "ipns", "en.wikipedia-on-ipfs.org", true}, + // edge case check: public gateway under long TLD (see: https://publicsuffix.org) + {"foo.dweb.ipfs.pvt.k12.ma.us", "", "", "", false}, + {"bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am.ipfs.dweb.ipfs.pvt.k12.ma.us", "dweb.ipfs.pvt.k12.ma.us", "ipfs", "bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am", true}, + {"bafzbeihe35nmjqar22thmxsnlsgxppd66pseq6tscs4mo25y55juhh6bju.ipns.dweb.ipfs.pvt.k12.ma.us", "dweb.ipfs.pvt.k12.ma.us", "ipns", "bafzbeihe35nmjqar22thmxsnlsgxppd66pseq6tscs4mo25y55juhh6bju", true}, + // other namespaces + {"api.localhost", "", "", "", false}, + {"peerid.p2p.localhost", "localhost", "p2p", "peerid", true}, + } { + gw, hostname, ns, rootID, ok := knownSubdomainDetails(test.hostHeader, knownGateways) + if ok != test.ok { + t.Errorf("knownSubdomainDetails(%s): ok is %t, expected %t", test.hostHeader, ok, test.ok) + } + if rootID != test.rootID { + t.Errorf("knownSubdomainDetails(%s): rootID is '%s', expected '%s'", test.hostHeader, rootID, test.rootID) + } + if ns != test.ns { + t.Errorf("knownSubdomainDetails(%s): ns is '%s', expected '%s'", test.hostHeader, ns, test.ns) + } + if hostname != test.hostname { + t.Errorf("knownSubdomainDetails(%s): hostname is '%s', expected '%s'", test.hostHeader, hostname, test.hostname) + } + if ok && gw.UseSubdomains != gwSpec.UseSubdomains { + t.Errorf("knownSubdomainDetails(%s): gw is %+v, expected %+v", test.hostHeader, gw, gwSpec) + } + } + +} diff --git a/core/corehttp/ipns_hostname.go b/core/corehttp/ipns_hostname.go deleted file mode 100644 index ddcd58c6129..00000000000 --- a/core/corehttp/ipns_hostname.go +++ /dev/null @@ -1,38 +0,0 @@ -package corehttp - -import ( - "context" - "net" - "net/http" - "strings" - - core "github.com/ipfs/go-ipfs/core" - namesys "github.com/ipfs/go-ipfs/namesys" - - nsopts "github.com/ipfs/interface-go-ipfs-core/options/namesys" - isd "github.com/jbenet/go-is-domain" -) - -// IPNSHostnameOption rewrites an incoming request if its Host: header contains -// an IPNS name. -// The rewritten request points at the resolved name on the gateway handler. -func IPNSHostnameOption() ServeOption { - return func(n *core.IpfsNode, _ net.Listener, mux *http.ServeMux) (*http.ServeMux, error) { - childMux := http.NewServeMux() - mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { - ctx, cancel := context.WithCancel(n.Context()) - defer cancel() - - host := strings.SplitN(r.Host, ":", 2)[0] - if len(host) > 0 && isd.IsDomain(host) { - name := "/ipns/" + host - _, err := n.Namesys.Resolve(ctx, name, nsopts.Depth(1)) - if err == nil || err == namesys.ErrResolveRecursion { - r.URL.Path = name + r.URL.Path - } - } - childMux.ServeHTTP(w, r) - }) - return childMux, nil - } -} diff --git a/docs/config.md b/docs/config.md index 5a3446b9dd9..9efe56c5359 100644 --- a/docs/config.md +++ b/docs/config.md @@ -83,10 +83,13 @@ Available profiles: - [`Routing.Type`](#routingtype) - [`Gateway`](#gateway) - [`Gateway.NoFetch`](#gatewaynofetch) + - [`Gateway.NoDNSLink`](#gatewaynodnslink) - [`Gateway.HTTPHeaders`](#gatewayhttpheaders) - [`Gateway.RootRedirect`](#gatewayrootredirect) - [`Gateway.Writable`](#gatewaywritable) - [`Gateway.PathPrefixes`](#gatewaypathprefixes) + - [`Gateway.PublicGateways`](#gatewaypublicgateways) + - [`Gateway` recipes](#gateway-recipes) - [`Identity`](#identity) - [`Identity.PeerID`](#identitypeerid) - [`Identity.PrivKey`](#identityprivkey) @@ -348,6 +351,14 @@ and will not fetch files from the network. Default: `false` +### `Gateway.NoDNSLink` + +A boolean to configure whether DNSLink lookup for value in `Host` HTTP header +should be performed. If DNSLink is present, content path stored in the DNS TXT +record becomes the `/` and respective payload is returned to the client. + +Default: `false` + ### `Gateway.HTTPHeaders` Headers to set on gateway responses. @@ -379,7 +390,6 @@ A boolean to configure whether the gateway is writeable or not. Default: `false` - ### `Gateway.PathPrefixes` Array of acceptable url paths that a client can specify in X-Ipfs-Path-Prefix @@ -409,6 +419,145 @@ location /blog/ { Default: `[]` + +### `Gateway.PublicGateways` + +`PublicGateways` is a dictionary for defining gateway behavior on specified hostnames. + +#### `Gateway.PublicGateways: Paths` + +Array of paths that should be exposed on the hostname. + +Example: +```json +{ + "Gateway": { + "PublicGateways": { + "example.com": { + "Paths": ["/ipfs", "/ipns"], +``` + +Above enables `http://example.com/ipfs/*` and `http://example.com/ipns/*` but not `http://example.com/api/*` + +Default: `[]` + +#### `Gateway.PublicGateways: UseSubdomains` + +A boolean to configure whether the gateway at the hostname provides [Origin isolation](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) +between content roots. + +- `true` - enables [subdomain gateway](#https://docs-beta.ipfs.io/how-to/address-ipfs-on-web/#subdomain-gateway) at `http://*.{hostname}/` + - **Requires whitelist:** make sure respective `Paths` are set. + For example, `Paths: ["/ipfs", "/ipns"]` are required for `http://{cid}.ipfs.{hostname}` and `http://{foo}.ipns.{hostname}` to work: + ```json + { + "Gateway": { + "PublicGateways": { + "dweb.link": { + "UseSubdomains": true, + "Paths": ["/ipfs", "/ipns"], + ``` + - **Backward-compatible:** requests for content paths such as `http://{hostname}/ipfs/{cid}` produce redirect to `http://{cid}.ipfs.{hostname}` + - **API:** if `/api` is on the `Paths` whitelist, `http://{hostname}/api/{cmd}` produces redirect to `http://api.{hostname}/api/{cmd}` + +- `false` - enables [path gateway](https://docs-beta.ipfs.io/how-to/address-ipfs-on-web/#path-gateway) at `http://{hostname}/*` + - Example: + ```json + { + "Gateway": { + "PublicGateways": { + "ipfs.io": { + "UseSubdomains": false, + "Paths": ["/ipfs", "/ipns", "/api"], + ``` + + +Default: `false` + + +#### `Gateway.PublicGateways: NoDNSLink` + +A boolean to configure whether DNSLink for hostname present in `Host` +HTTP header should be resolved. Overrides global setting. +If `Paths` are defined, they take priority over DNSLink. + +Default: `false` (DNSLink lookup enabled by default for every defined hostname) + +#### Implicit defaults of `Gateway.PublicGateways` + +Default entries for `localhost` hostname and loopback IPs are always present. +If additional config is provided for those hostnames, it will be merged on top of implicit values: +```json +{ + "Gateway": { + "PublicGateways": { + "localhost": { + "Paths": ["/ipfs", "/ipns"], + "UseSubdomains": true + } + } + } +} +``` + +It is also possible to remove a default by setting it to `null`. +For example, to disable subdomain gateway on `localhost` +and make that hostname act the same as `127.0.0.1`: + +```console +$ ipfs config --json Gateway.PublicGateways '{"localhost": null }' +``` + +### `Gateway` recipes + +Below is a list of the most common public gateway setups. + +* Public [subdomain gateway](https://docs-beta.ipfs.io/how-to/address-ipfs-on-web/#subdomain-gateway) at `http://{cid}.ipfs.dweb.link` (each content root gets its own Origin) + ```console + $ ipfs config --json Gateway.PublicGateways '{ + "dweb.link": { + "UseSubdomains": true, + "Paths": ["/ipfs", "/ipns"] + } + }' + ``` + **Note:** this enables automatic redirects from content paths to subdomains + `http://dweb.link/ipfs/{cid}` → `http://{cid}.ipfs.dweb.link` + +* Public [path gateway](https://docs-beta.ipfs.io/how-to/address-ipfs-on-web/#path-gateway) at `http://ipfs.io/ipfs/{cid}` (no Origin separation) + ```console + $ ipfs config --json Gateway.PublicGateways '{ + "ipfs.io": { + "UseSubdomains": false, + "Paths": ["/ipfs", "/ipns", "/api"] + } + }' + ``` + +* Public [DNSLink](https://dnslink.io/) gateway resolving every hostname passed in `Host` header. + ```console + $ ipfs config --json Gateway.NoDNSLink true + ``` + * Note that `NoDNSLink: false` is the default (it works out of the box unless set to `true` manually) + +* Hardened, site-specific [DNSLink gateway](https://docs-beta.ipfs.io/how-to/address-ipfs-on-web/#dnslink-gateway). + Disable fetching of remote data (`NoFetch: true`) + and resolving DNSLink at unknown hostnames (`NoDNSLink: true`). + Then, enable DNSLink gateway only for the specific hostname (for which data + is already present on the node), without exposing any content-addressing `Paths`: + "NoFetch": true, + "NoDNSLink": true, + ```console + $ ipfs config --json Gateway.NoFetch true + $ ipfs config --json Gateway.NoDNSLink true + $ ipfs config --json Gateway.PublicGateways '{ + "en.wikipedia-on-ipfs.org": { + "NoDNSLink": false, + "Paths": [] + } + }' + ``` + ## `Identity` ### `Identity.PeerID` diff --git a/docs/environment-variables.md b/docs/environment-variables.md index fdc92f461c3..b64a4e2481d 100644 --- a/docs/environment-variables.md +++ b/docs/environment-variables.md @@ -84,7 +84,7 @@ Default: https://ipfs.io/ipfs/$something (depends on the IPFS version) ## `IPFS_NS_MAP` -Prewarms namesys cache with static records for deteministic tests and debugging. +Adds static namesys records for deteministic tests and debugging. Useful for testing things like DNSLink without real DNS lookup. Example: diff --git a/go.mod b/go.mod index 53ccb013976..c1823843bd9 100644 --- a/go.mod +++ b/go.mod @@ -31,7 +31,7 @@ require ( github.com/ipfs/go-ipfs-blockstore v0.1.4 github.com/ipfs/go-ipfs-chunker v0.0.4 github.com/ipfs/go-ipfs-cmds v0.1.2 - github.com/ipfs/go-ipfs-config v0.2.1 + github.com/ipfs/go-ipfs-config v0.3.0 github.com/ipfs/go-ipfs-ds-help v0.1.1 github.com/ipfs/go-ipfs-exchange-interface v0.0.1 github.com/ipfs/go-ipfs-exchange-offline v0.0.1 diff --git a/go.sum b/go.sum index 88d51c67606..9a8b551dc0b 100644 --- a/go.sum +++ b/go.sum @@ -268,14 +268,10 @@ github.com/ipfs/go-ipfs-chunker v0.0.1 h1:cHUUxKFQ99pozdahi+uSC/3Y6HeRpi9oTeUHbE github.com/ipfs/go-ipfs-chunker v0.0.1/go.mod h1:tWewYK0we3+rMbOh7pPFGDyypCtvGcBFymgY4rSDLAw= github.com/ipfs/go-ipfs-chunker v0.0.4 h1:nb2ZIgtOk0TxJ5KDBEk+sv6iqJTF/PHg6owN2xCrUjE= github.com/ipfs/go-ipfs-chunker v0.0.4/go.mod h1:jhgdF8vxRHycr00k13FM8Y0E+6BoalYeobXmUyTreP8= -github.com/ipfs/go-ipfs-cmds v0.1.1 h1:H9/BLf5rcsULHMj/x8gC0e5o+raYhqk1OQsfzbGMNM4= -github.com/ipfs/go-ipfs-cmds v0.1.1/go.mod h1:k1zMXcOLtljA9iAnZHddbH69yVm5+weRL0snmMD/rK0= -github.com/ipfs/go-ipfs-cmds v0.1.2-0.20200316211807-0c2a21b0dacc h1:HIG2l6XUnov+M6UwcUKKrwGc8Q+n9AYGbiGM4pK21SM= -github.com/ipfs/go-ipfs-cmds v0.1.2-0.20200316211807-0c2a21b0dacc/go.mod h1:a9LyFOtQCnVc3BvbAgW+GrMXEuN29aLCNi3Wk0IM8wo= github.com/ipfs/go-ipfs-cmds v0.1.2 h1:02FLzTA9jYRle/xdMWYwGwxu3gzC3GhPUaz35dH+FrY= github.com/ipfs/go-ipfs-cmds v0.1.2/go.mod h1:a9LyFOtQCnVc3BvbAgW+GrMXEuN29aLCNi3Wk0IM8wo= -github.com/ipfs/go-ipfs-config v0.2.1 h1:Mpyvdf9Zc8k3jg+sRe8e9iylYXHYXqFMuePUjAZQvsE= -github.com/ipfs/go-ipfs-config v0.2.1/go.mod h1:zCKH1uf1XIvf67589BnQ5IAv/Pld2J3gQoQYvG8TK8w= +github.com/ipfs/go-ipfs-config v0.3.0 h1:fGs3JBqB9ia/Joi8up47uiKn150EOEqqVFwv8HZqXao= +github.com/ipfs/go-ipfs-config v0.3.0/go.mod h1:nSLCFtlaL+2rbl3F+9D4gQZQbT1LjRKx7TJg/IHz6oM= github.com/ipfs/go-ipfs-delay v0.0.0-20181109222059-70721b86a9a8/go.mod h1:8SP1YXK1M1kXuc4KJZINY3TQQ03J2rwBG9QfXmbRPrw= github.com/ipfs/go-ipfs-delay v0.0.1 h1:r/UXYyRcddO6thwOnhiznIAiSvxMECGgtv35Xs1IeRQ= github.com/ipfs/go-ipfs-delay v0.0.1/go.mod h1:8SP1YXK1M1kXuc4KJZINY3TQQ03J2rwBG9QfXmbRPrw= diff --git a/namesys/namesys.go b/namesys/namesys.go index 11f4646f174..a486b83b8a3 100644 --- a/namesys/namesys.go +++ b/namesys/namesys.go @@ -2,11 +2,13 @@ package namesys import ( "context" + "fmt" "os" "strings" "time" lru "github.com/hashicorp/golang-lru" + cid "github.com/ipfs/go-cid" ds "github.com/ipfs/go-datastore" path "github.com/ipfs/go-path" opts "github.com/ipfs/interface-go-ipfs-core/options/namesys" @@ -14,7 +16,6 @@ import ( ci "github.com/libp2p/go-libp2p-core/crypto" peer "github.com/libp2p/go-libp2p-core/peer" routing "github.com/libp2p/go-libp2p-core/routing" - mh "github.com/multiformats/go-multihash" ) // mpns (a multi-protocol NameSystem) implements generic IPFS naming. @@ -133,12 +134,28 @@ func (ns *mpns) resolveOnceAsync(ctx context.Context, name string, options opts. } // Resolver selection: - // 1. if it is a multihash resolve through "ipns". + // 1. if it is a PeerID/CID/multihash resolve through "ipns". // 2. if it is a domain name, resolve through "dns" // 3. otherwise resolve through the "proquint" resolver var res resolver - if _, err := mh.FromB58String(key); err == nil { + _, err := peer.Decode(key) + + // CIDs in IPNS are expected to have libp2p-key multicodec + // We ease the transition by returning a more meaningful error with a valid CID + if err != nil && err.Error() == "can't convert CID of type protobuf to a peer ID" { + ipnsCid, cidErr := cid.Decode(key) + if cidErr == nil && ipnsCid.Version() == 1 && ipnsCid.Type() != cid.Libp2pKey { + fixedCid := cid.NewCidV1(cid.Libp2pKey, ipnsCid.Hash()).String() + codecErr := fmt.Errorf("peer ID represented as CIDv1 require libp2p-key multicodec: retry with /ipns/%s", fixedCid) + log.Debugf("RoutingResolver: could not convert public key hash %s to peer ID: %s\n", key, codecErr) + out <- onceResult{err: codecErr} + close(out) + return out + } + } + + if err == nil { res = ns.ipnsResolver } else if isd.IsDomain(key) { res = ns.dnsResolver diff --git a/namesys/namesys_test.go b/namesys/namesys_test.go index a0ffbc50d80..b3e963c9e9e 100644 --- a/namesys/namesys_test.go +++ b/namesys/namesys_test.go @@ -11,7 +11,7 @@ import ( offroute "github.com/ipfs/go-ipfs-routing/offline" ipns "github.com/ipfs/go-ipns" path "github.com/ipfs/go-path" - "github.com/ipfs/go-unixfs" + unixfs "github.com/ipfs/go-unixfs" opts "github.com/ipfs/interface-go-ipfs-core/options/namesys" ci "github.com/libp2p/go-libp2p-core/crypto" peer "github.com/libp2p/go-libp2p-core/peer" @@ -49,10 +49,12 @@ func (r *mockResolver) resolveOnceAsync(ctx context.Context, name string, option func mockResolverOne() *mockResolver { return &mockResolver{ entries: map[string]string{ - "QmatmE9msSfkKxoffpHwNLNKgwZG8eT9Bud6YoPab52vpy": "/ipfs/Qmcqtw8FfrVSBaRmbWwHxt3AuySBhJLcvmFYi3Lbc4xnwj", - "QmbCMUZw6JFeZ7Wp9jkzbye3Fzp2GGcPgC3nmeUjfVF87n": "/ipns/QmatmE9msSfkKxoffpHwNLNKgwZG8eT9Bud6YoPab52vpy", - "QmY3hE8xgFCjGcz6PHgnvJz5HZi1BaKRfPkn1ghZUcYMjD": "/ipns/ipfs.io", - "QmQ4QZh8nrsczdUEwTyfBope4THUhqxqc1fx6qYhhzZQei": "/ipfs/QmP3ouCnU8NNLsW6261pAx2pNLV2E4dQoisB1sgda12Act", + "QmatmE9msSfkKxoffpHwNLNKgwZG8eT9Bud6YoPab52vpy": "/ipfs/Qmcqtw8FfrVSBaRmbWwHxt3AuySBhJLcvmFYi3Lbc4xnwj", + "QmbCMUZw6JFeZ7Wp9jkzbye3Fzp2GGcPgC3nmeUjfVF87n": "/ipns/QmatmE9msSfkKxoffpHwNLNKgwZG8eT9Bud6YoPab52vpy", + "QmY3hE8xgFCjGcz6PHgnvJz5HZi1BaKRfPkn1ghZUcYMjD": "/ipns/ipfs.io", + "QmQ4QZh8nrsczdUEwTyfBope4THUhqxqc1fx6qYhhzZQei": "/ipfs/QmP3ouCnU8NNLsW6261pAx2pNLV2E4dQoisB1sgda12Act", + "12D3KooWFB51PRY9BxcXSH6khFXw1BZeszeLDy7C8GciskqCTZn5": "/ipns/QmbCMUZw6JFeZ7Wp9jkzbye3Fzp2GGcPgC3nmeUjfVF87n", // ed25519+identity multihash + "bafzbeickencdqw37dpz3ha36ewrh4undfjt2do52chtcky4rxkj447qhdm": "/ipns/QmbCMUZw6JFeZ7Wp9jkzbye3Fzp2GGcPgC3nmeUjfVF87n", // cidv1 in base32 with libp2p-key multicodec }, } } @@ -82,6 +84,8 @@ func TestNamesysResolution(t *testing.T) { testResolution(t, r, "/ipns/QmY3hE8xgFCjGcz6PHgnvJz5HZi1BaKRfPkn1ghZUcYMjD", 1, "/ipns/ipfs.io", ErrResolveRecursion) testResolution(t, r, "/ipns/QmY3hE8xgFCjGcz6PHgnvJz5HZi1BaKRfPkn1ghZUcYMjD", 2, "/ipns/QmbCMUZw6JFeZ7Wp9jkzbye3Fzp2GGcPgC3nmeUjfVF87n", ErrResolveRecursion) testResolution(t, r, "/ipns/QmY3hE8xgFCjGcz6PHgnvJz5HZi1BaKRfPkn1ghZUcYMjD", 3, "/ipns/QmatmE9msSfkKxoffpHwNLNKgwZG8eT9Bud6YoPab52vpy", ErrResolveRecursion) + testResolution(t, r, "/ipns/12D3KooWFB51PRY9BxcXSH6khFXw1BZeszeLDy7C8GciskqCTZn5", 1, "/ipns/QmbCMUZw6JFeZ7Wp9jkzbye3Fzp2GGcPgC3nmeUjfVF87n", ErrResolveRecursion) + testResolution(t, r, "/ipns/bafzbeickencdqw37dpz3ha36ewrh4undfjt2do52chtcky4rxkj447qhdm", 1, "/ipns/QmbCMUZw6JFeZ7Wp9jkzbye3Fzp2GGcPgC3nmeUjfVF87n", ErrResolveRecursion) } func TestPublishWithCache0(t *testing.T) { diff --git a/namesys/routing.go b/namesys/routing.go index c2d0d0252d4..60928fbca69 100644 --- a/namesys/routing.go +++ b/namesys/routing.go @@ -59,6 +59,7 @@ func (r *IpnsResolver) resolveOnceAsync(ctx context.Context, name string, option } name = strings.TrimPrefix(name, "/ipns/") + pid, err := peer.Decode(name) if err != nil { log.Debugf("RoutingResolver: could not convert public key hash %s to peer ID: %s\n", name, err) diff --git a/test/sharness/t0111-gateway-writeable.sh b/test/sharness/t0111-gateway-writeable.sh index f63b49bcf4b..6708b91a6db 100755 --- a/test/sharness/t0111-gateway-writeable.sh +++ b/test/sharness/t0111-gateway-writeable.sh @@ -41,7 +41,7 @@ test_expect_success "HTTP gateway gives access to sample file" ' test_expect_success "HTTP POST file gives Hash" ' echo "$RANDOM" >infile && - URL="http://localhost:$port/ipfs/" && + URL="http://127.0.0.1:$port/ipfs/" && curl -svX POST --data-binary @infile "$URL" 2>curl_post.out && grep "HTTP/1.1 201 Created" curl_post.out && LOCATION=$(grep Location curl_post.out) && @@ -49,7 +49,7 @@ test_expect_success "HTTP POST file gives Hash" ' ' test_expect_success "We can HTTP GET file just created" ' - URL="http://localhost:${port}${HASH}" && + URL="http://127.0.0.1:${port}${HASH}" && curl -so outfile "$URL" && test_cmp infile outfile ' @@ -60,7 +60,7 @@ test_expect_success "We got the correct hash" ' ' test_expect_success "HTTP GET empty directory" ' - URL="http://localhost:$port/ipfs/$HASH_EMPTY_DIR/" && + URL="http://127.0.0.1:$port/ipfs/$HASH_EMPTY_DIR/" && echo "GET $URL" && curl -so outfile "$URL" 2>curl_getEmpty.out && grep "Index of /ipfs/$HASH_EMPTY_DIR/" outfile @@ -68,7 +68,7 @@ test_expect_success "HTTP GET empty directory" ' test_expect_success "HTTP PUT file to construct a hierarchy" ' echo "$RANDOM" >infile && - URL="http://localhost:$port/ipfs/$HASH_EMPTY_DIR/test.txt" && + URL="http://127.0.0.1:$port/ipfs/$HASH_EMPTY_DIR/test.txt" && echo "PUT $URL" && curl -svX PUT --data-binary @infile "$URL" 2>curl_put.out && grep "HTTP/1.1 201 Created" curl_put.out && @@ -77,7 +77,7 @@ test_expect_success "HTTP PUT file to construct a hierarchy" ' ' test_expect_success "We can HTTP GET file just created" ' - URL="http://localhost:$port/ipfs/$HASH/test.txt" && + URL="http://127.0.0.1:$port/ipfs/$HASH/test.txt" && echo "GET $URL" && curl -so outfile "$URL" && test_cmp infile outfile @@ -85,7 +85,7 @@ test_expect_success "We can HTTP GET file just created" ' test_expect_success "HTTP PUT file to append to existing hierarchy" ' echo "$RANDOM" >infile2 && - URL="http://localhost:$port/ipfs/$HASH/test/test.txt" && + URL="http://127.0.0.1:$port/ipfs/$HASH/test/test.txt" && echo "PUT $URL" && curl -svX PUT --data-binary @infile2 "$URL" 2>curl_putAgain.out && grep "HTTP/1.1 201 Created" curl_putAgain.out && @@ -95,7 +95,7 @@ test_expect_success "HTTP PUT file to append to existing hierarchy" ' test_expect_success "We can HTTP GET file just updated" ' - URL="http://localhost:$port/ipfs/$HASH/test/test.txt" && + URL="http://127.0.0.1:$port/ipfs/$HASH/test/test.txt" && echo "GET $URL" && curl -svo outfile2 "$URL" 2>curl_getAgain.out && test_cmp infile2 outfile2 @@ -103,7 +103,7 @@ test_expect_success "We can HTTP GET file just updated" ' test_expect_success "HTTP PUT to replace a directory" ' echo "$RANDOM" >infile3 && - URL="http://localhost:$port/ipfs/$HASH/test" && + URL="http://127.0.0.1:$port/ipfs/$HASH/test" && echo "PUT $URL" && curl -svX PUT --data-binary @infile3 "$URL" 2>curl_putOverDirectory.out && grep "HTTP/1.1 201 Created" curl_putOverDirectory.out && @@ -112,7 +112,7 @@ test_expect_success "HTTP PUT to replace a directory" ' ' test_expect_success "We can HTTP GET file just put over a directory" ' - URL="http://localhost:$port/ipfs/$HASH/test" && + URL="http://127.0.0.1:$port/ipfs/$HASH/test" && echo "GET $URL" && curl -svo outfile3 "$URL" 2>curl_getOverDirectory.out && test_cmp infile3 outfile3 @@ -120,7 +120,7 @@ test_expect_success "We can HTTP GET file just put over a directory" ' test_expect_success "HTTP PUT to /ipns fails" ' PEERID=`ipfs id --format=""` && - URL="http://localhost:$port/ipns/$PEERID/test.txt" && + URL="http://127.0.0.1:$port/ipns/$PEERID/test.txt" && echo "PUT $URL" && curl -svX PUT --data-binary @infile1 "$URL" 2>curl_putIpns.out && grep "HTTP/1.1 400 Bad Request" curl_putIpns.out diff --git a/test/sharness/t0114-gateway-subdomains.sh b/test/sharness/t0114-gateway-subdomains.sh new file mode 100755 index 00000000000..38aa4cc9710 --- /dev/null +++ b/test/sharness/t0114-gateway-subdomains.sh @@ -0,0 +1,641 @@ +#!/usr/bin/env bash +# +# Copyright (c) Protocol Labs + +test_description="Test subdomain support on the HTTP gateway" + + +. lib/test-lib.sh + +## ============================================================================ +## Helpers specific to subdomain tests +## ============================================================================ + +# Helper that tests gateway response over direct HTTP +# and in all supported HTTP proxy modes +test_localhost_gateway_response_should_contain() { + local label="$1" + local expected="$3" + + # explicit "Host: $hostname" header to match browser behavior + # and also make tests independent from DNS + local host=$(echo $2 | cut -d'/' -f3 | cut -d':' -f1) + local hostname=$(echo $2 | cut -d'/' -f3 | cut -d':' -f1,2) + + # Proxy is the same as HTTP Gateway, we use raw IP and port to be sure + local proxy="http://127.0.0.1:$GWAY_PORT" + + # Create a raw URL version with IP to ensure hostname from Host header is used + # (removes false-positives, Host header is used for passing hostname already) + local url="$2" + local rawurl=$(echo "$url" | sed "s/$hostname/127.0.0.1:$GWAY_PORT/") + + #echo "hostname: $hostname" + #echo "url before: $url" + #echo "url after: $rawurl" + + # regular HTTP request + # (hostname in Host header, raw IP in URL) + test_expect_success "$label (direct HTTP)" " + curl -H \"Host: $hostname\" -sD - \"$rawurl\" > response && + test_should_contain \"$expected\" response + " + + # HTTP proxy + # (hostname is passed via URL) + # Note: proxy client should not care, but curl does DNS lookup + # for some reason anyway, so we pass static DNS mapping + test_expect_success "$label (HTTP proxy)" " + curl -x $proxy --resolve $hostname:127.0.0.1 -sD - \"$url\" > response && + test_should_contain \"$expected\" response + " + + # HTTP proxy 1.0 + # (repeating proxy test with older spec, just to be sure) + test_expect_success "$label (HTTP proxy 1.0)" " + curl --proxy1.0 $proxy --resolve $hostname:127.0.0.1 -sD - \"$url\" > response && + test_should_contain \"$expected\" response + " + + # HTTP proxy tunneling (CONNECT) + # https://tools.ietf.org/html/rfc7231#section-4.3.6 + # In HTTP/1.x, the pseudo-method CONNECT + # can be used to convert an HTTP connection into a tunnel to a remote host + test_expect_success "$label (HTTP proxy tunneling)" " + curl --proxytunnel -x $proxy -H \"Host: $hostname\" -sD - \"$rawurl\" > response && + test_should_contain \"$expected\" response + " +} + +# Helper that checks gateway resonse for specific hostname in Host header +test_hostname_gateway_response_should_contain() { + local label="$1" + local hostname="$2" + local url="$3" + local rawurl=$(echo "$url" | sed "s/$hostname/127.0.0.1:$GWAY_PORT/") + local expected="$4" + test_expect_success "$label" " + curl -H \"Host: $hostname\" -sD - \"$rawurl\" > response && + test_should_contain \"$expected\" response + " +} + +## ============================================================================ +## Start IPFS Node and prepare test CIDs +## ============================================================================ + +test_init_ipfs +test_launch_ipfs_daemon --offline + +# CIDv0to1 is necessary because raw-leaves are enabled by default during +# "ipfs add" with CIDv1 and disabled with CIDv0 +test_expect_success "Add test text file" ' + CID_VAL="hello" + CIDv1=$(echo $CID_VAL | ipfs add --cid-version 1 -Q) + CIDv0=$(echo $CID_VAL | ipfs add --cid-version 0 -Q) + CIDv0to1=$(echo "$CIDv0" | ipfs cid base32) +' + +test_expect_success "Add the test directory" ' + mkdir -p testdirlisting/subdir1/subdir2 && + echo "hello" > testdirlisting/hello && + echo "subdir2-bar" > testdirlisting/subdir1/subdir2/bar && + mkdir -p testdirlisting/api && + mkdir -p testdirlisting/ipfs && + echo "I am a txt file" > testdirlisting/api/file.txt && + echo "I am a txt file" > testdirlisting/ipfs/file.txt && + DIR_CID=$(ipfs add -Qr --cid-version 1 testdirlisting) +' + +test_expect_success "Publish test text file to IPNS" ' + PEERID=$(ipfs id --format="") + IPNS_IDv0=$(echo "$PEERID" | ipfs cid format -v 0) + IPNS_IDv1=$(echo "$PEERID" | ipfs cid format -v 1 --codec libp2p-key -b base32) + IPNS_IDv1_DAGPB=$(echo "$IPNS_IDv0" | ipfs cid format -v 1 -b base32) + test_check_peerid "${PEERID}" && + ipfs name publish --allow-offline -Q "/ipfs/$CIDv1" > name_publish_out && + ipfs name resolve "$PEERID" > output && + printf "/ipfs/%s\n" "$CIDv1" > expected2 && + test_cmp expected2 output +' + + +# ensure we start with empty Gateway.PublicGateways +test_expect_success 'start daemon with empty config for Gateway.PublicGateways' ' + test_kill_ipfs_daemon && + ipfs config --json Gateway.PublicGateways "{}" && + test_launch_ipfs_daemon --offline +' + +## ============================================================================ +## Test path-based requests to a local gateway with default config +## (forced redirects to http://*.localhost) +## ============================================================================ + +# /ipfs/ + +# IP remains old school path-based gateway + +test_localhost_gateway_response_should_contain \ + "request for 127.0.0.1/ipfs/{CID} stays on path" \ + "http://127.0.0.1:$GWAY_PORT/ipfs/$CIDv1" \ + "$CID_VAL" + +# 'localhost' hostname is used for subdomains, and should not return +# payload directly, but redirect to URL with proper origin isolation + +test_localhost_gateway_response_should_contain \ + "request for localhost/ipfs/{CIDv1} redirects to subdomain" \ + "http://localhost:$GWAY_PORT/ipfs/$CIDv1" \ + "Location: http://$CIDv1.ipfs.localhost:$GWAY_PORT/" + +test_localhost_gateway_response_should_contain \ + "request for localhost/ipfs/{CIDv0} redirects to CIDv1 representation in subdomain" \ + "http://localhost:$GWAY_PORT/ipfs/$CIDv0" \ + "Location: http://${CIDv0to1}.ipfs.localhost:$GWAY_PORT/" + +# /ipns/ + +test_localhost_gateway_response_should_contain \ + "request for localhost/ipns/{CIDv0} redirects to CIDv1 with libp2p-key multicodec in subdomain" \ + "http://localhost:$GWAY_PORT/ipns/$IPNS_IDv0" \ + "Location: http://${IPNS_IDv1}.ipns.localhost:$GWAY_PORT/" + +# /ipns/ + +test_localhost_gateway_response_should_contain \ + "request for localhost/ipns/{fqdn} redirects to DNSLink in subdomain" \ + "http://localhost:$GWAY_PORT/ipns/en.wikipedia-on-ipfs.org/wiki" \ + "Location: http://en.wikipedia-on-ipfs.org.ipns.localhost:$GWAY_PORT/wiki" + +# API on localhost subdomain gateway + +# /api/v0 present on the root hostname +test_localhost_gateway_response_should_contain \ + "request for localhost/api" \ + "http://localhost:$GWAY_PORT/api/v0/refs?arg=${DIR_CID}&r=true" \ + "Ref" + +# /api/v0 not mounted on content root subdomains +test_localhost_gateway_response_should_contain \ + "request for {cid}.ipfs.localhost/api returns data if present on the content root" \ + "http://${DIR_CID}.ipfs.localhost:$GWAY_PORT/api/file.txt" \ + "I am a txt file" + +test_localhost_gateway_response_should_contain \ + "request for {cid}.ipfs.localhost/api/v0/refs returns 404" \ + "http://${DIR_CID}.ipfs.localhost:$GWAY_PORT/api/v0/refs?arg=${DIR_CID}&r=true" \ + "404 Not Found" + +## ============================================================================ +## Test subdomain-based requests to a local gateway with default config +## (origin per content root at http://*.localhost) +## ============================================================================ + +# {CID}.ipfs.localhost + +test_localhost_gateway_response_should_contain \ + "request for {CID}.ipfs.localhost should return expected payload" \ + "http://${CIDv1}.ipfs.localhost:$GWAY_PORT" \ + "$CID_VAL" + +# ensure /ipfs/ namespace is not mounted on subdomain +test_localhost_gateway_response_should_contain \ + "request for {CID}.ipfs.localhost/ipfs/{CID} should return HTTP 404" \ + "http://${CIDv1}.ipfs.localhost:$GWAY_PORT/ipfs/$CIDv1" \ + "404 Not Found" + +# ensure requests to /ipfs/* are not blocked, if content root has such subdirectory +test_localhost_gateway_response_should_contain \ + "request for {CID}.ipfs.localhost/ipfs/file.txt should return data from a file in CID content root" \ + "http://${DIR_CID}.ipfs.localhost:$GWAY_PORT/ipfs/file.txt" \ + "I am a txt file" + +# {CID}.ipfs.localhost/sub/dir (Directory Listing) +DIR_HOSTNAME="${DIR_CID}.ipfs.localhost:$GWAY_PORT" + +test_expect_success "valid file and subdirectory paths in directory listing at {cid}.ipfs.localhost" ' + curl -s --resolve $DIR_HOSTNAME:127.0.0.1 "http://$DIR_HOSTNAME" > list_response && + test_should_contain "hello" list_response && + test_should_contain "subdir1" list_response +' + +test_expect_success "valid parent directory path in directory listing at {cid}.ipfs.localhost/sub/dir" ' + curl -s --resolve $DIR_HOSTNAME:127.0.0.1 "http://$DIR_HOSTNAME/subdir1/subdir2/" > list_response && + test_should_contain ".." list_response && + test_should_contain "bar" list_response +' + +test_expect_success "request for deep path resource at {cid}.ipfs.localhost/sub/dir/file" ' + curl -s --resolve $DIR_HOSTNAME:127.0.0.1 "http://$DIR_HOSTNAME/subdir1/subdir2/bar" > list_response && + test_should_contain "subdir2-bar" list_response +' + +# *.ipns.localhost + +# .ipns.localhost + +test_localhost_gateway_response_should_contain \ + "request for {CIDv1-libp2p-key}.ipns.localhost returns expected payload" \ + "http://${IPNS_IDv1}.ipns.localhost:$GWAY_PORT" \ + "$CID_VAL" + +test_localhost_gateway_response_should_contain \ + "request for {CIDv1-dag-pb}.ipns.localhost redirects to CID with libp2p-key multicodec" \ + "http://${IPNS_IDv1_DAGPB}.ipns.localhost:$GWAY_PORT" \ + "Location: http://${IPNS_IDv1}.ipns.localhost:$GWAY_PORT/" + +# .ipns.localhost + +# DNSLink test requires a daemon in online mode with precached /ipns/ mapping +test_kill_ipfs_daemon +DNSLINK_FQDN="dnslink-test.example.com" +export IPFS_NS_MAP="$DNSLINK_FQDN:/ipfs/$CIDv1" +test_launch_ipfs_daemon + +test_localhost_gateway_response_should_contain \ + "request for {dnslink}.ipns.localhost returns expected payload" \ + "http://$DNSLINK_FQDN.ipns.localhost:$GWAY_PORT" \ + "$CID_VAL" + +# api.localhost/api + +# Note: we use DIR_CID so refs -r returns some CIDs for child nodes +test_localhost_gateway_response_should_contain \ + "request for api.localhost returns API response" \ + "http://api.localhost:$GWAY_PORT/api/v0/refs?arg=$DIR_CID&r=true" \ + "Ref" + +## ============================================================================ +## Test subdomain-based requests with a custom hostname config +## (origin per content root at http://*.example.com) +## ============================================================================ + +# set explicit subdomain gateway config for the hostname +ipfs config --json Gateway.PublicGateways '{ + "example.com": { + "UseSubdomains": true, + "Paths": ["/ipfs", "/ipns", "/api"] + } +}' || exit 1 +# restart daemon to apply config changes +test_kill_ipfs_daemon +test_launch_ipfs_daemon --offline + + +# example.com/ip(f|n)s/* +# ============================================================================= + +# path requests to the root hostname should redirect +# to a subdomain URL with proper origin isolation + +test_hostname_gateway_response_should_contain \ + "request for example.com/ipfs/{CIDv1} produces redirect to {CIDv1}.ipfs.example.com" \ + "example.com" \ + "http://127.0.0.1:$GWAY_PORT/ipfs/$CIDv1" \ + "Location: http://$CIDv1.ipfs.example.com/" + +# error message should include original CID +# (and it should be case-sensitive, as we can't assume everyone uses base32) +test_hostname_gateway_response_should_contain \ + "request for example.com/ipfs/{InvalidCID} produces useful error before redirect" \ + "example.com" \ + "http://127.0.0.1:$GWAY_PORT/ipfs/QmInvalidCID" \ + 'invalid path \"/ipfs/QmInvalidCID\"' + +test_hostname_gateway_response_should_contain \ + "request for example.com/ipfs/{CIDv0} produces redirect to {CIDv1}.ipfs.example.com" \ + "example.com" \ + "http://127.0.0.1:$GWAY_PORT/ipfs/$CIDv0" \ + "Location: http://${CIDv0to1}.ipfs.example.com/" + +# Support X-Forwarded-Proto +test_expect_success "request for http://example.com/ipfs/{CID} with X-Forwarded-Proto: https produces redirect to HTTPS URL" " + curl -H \"X-Forwarded-Proto: https\" -H \"Host: example.com\" -sD - \"http://127.0.0.1:$GWAY_PORT/ipfs/$CIDv1\" > response && + test_should_contain \"Location: https://$CIDv1.ipfs.example.com/\" response +" + + + +# example.com/ipns/ + +test_hostname_gateway_response_should_contain \ + "request for example.com/ipns/{CIDv0} redirects to CIDv1 with libp2p-key multicodec in subdomain" \ + "example.com" \ + "http://127.0.0.1:$GWAY_PORT/ipns/$IPNS_IDv0" \ + "Location: http://${IPNS_IDv1}.ipns.example.com/" + +# example.com/ipns/ + +test_hostname_gateway_response_should_contain \ + "request for example.com/ipns/{fqdn} redirects to DNSLink in subdomain" \ + "example.com" \ + "http://127.0.0.1:$GWAY_PORT/ipns/en.wikipedia-on-ipfs.org/wiki" \ + "Location: http://en.wikipedia-on-ipfs.org.ipns.example.com/wiki" + +# *.ipfs.example.com: subdomain requests made with custom FQDN in Host header + +test_hostname_gateway_response_should_contain \ + "request for {CID}.ipfs.example.com should return expected payload" \ + "${CIDv1}.ipfs.example.com" \ + "http://127.0.0.1:$GWAY_PORT/" \ + "$CID_VAL" + +test_hostname_gateway_response_should_contain \ + "request for {CID}.ipfs.example.com/ipfs/{CID} should return HTTP 404" \ + "${CIDv1}.ipfs.example.com" \ + "http://127.0.0.1:$GWAY_PORT/ipfs/$CIDv1" \ + "404 Not Found" + +# {CID}.ipfs.example.com/sub/dir (Directory Listing) +DIR_FQDN="${DIR_CID}.ipfs.example.com" + +test_expect_success "valid file and directory paths in directory listing at {cid}.ipfs.example.com" ' + curl -s -H "Host: $DIR_FQDN" http://127.0.0.1:$GWAY_PORT > list_response && + test_should_contain "hello" list_response && + test_should_contain "subdir1" list_response +' + +test_expect_success "valid parent directory path in directory listing at {cid}.ipfs.example.com/sub/dir" ' + curl -s -H "Host: $DIR_FQDN" http://127.0.0.1:$GWAY_PORT/subdir1/subdir2/ > list_response && + test_should_contain ".." list_response && + test_should_contain "bar" list_response +' + +test_expect_success "request for deep path resource {cid}.ipfs.example.com/sub/dir/file" ' + curl -s -H "Host: $DIR_FQDN" http://127.0.0.1:$GWAY_PORT/subdir1/subdir2/bar > list_response && + test_should_contain "subdir2-bar" list_response +' + +# *.ipns.example.com +# ============================================================================ + +# .ipns.example.com + +test_hostname_gateway_response_should_contain \ + "request for {CIDv1-libp2p-key}.ipns.example.com returns expected payload" \ + "${IPNS_IDv1}.ipns.example.com" \ + "http://127.0.0.1:$GWAY_PORT" \ + "$CID_VAL" + +test_hostname_gateway_response_should_contain \ + "request for {CIDv1-dag-pb}.ipns.localhost redirects to CID with libp2p-key multicodec" \ + "${IPNS_IDv1_DAGPB}.ipns.example.com" \ + "http://127.0.0.1:$GWAY_PORT" \ + "Location: http://${IPNS_IDv1}.ipns.example.com/" + +# API on subdomain gateway example.com +# ============================================================================ + +# present at the root domain +test_hostname_gateway_response_should_contain \ + "request for example.com/api/v0/refs returns expected payload when /api is on Paths whitelist" \ + "example.com" \ + "http://127.0.0.1:$GWAY_PORT/api/v0/refs?arg=${DIR_CID}&r=true" \ + "Ref" + +# not mounted on content root subdomains +test_hostname_gateway_response_should_contain \ + "request for {cid}.ipfs.example.com/api returns data if present on the content root" \ + "$DIR_CID.ipfs.example.com" \ + "http://127.0.0.1:$GWAY_PORT/api/file.txt" \ + "I am a txt file" + +test_hostname_gateway_response_should_contain \ + "request for {cid}.ipfs.example.com/api/v0/refs returns 404" \ + "$CIDv1.ipfs.example.com" \ + "http://127.0.0.1:$GWAY_PORT/api/v0/refs?arg=${DIR_CID}&r=true" \ + "404 Not Found" + +# disable /api on example.com +ipfs config --json Gateway.PublicGateways '{ + "example.com": { + "UseSubdomains": true, + "Paths": ["/ipfs", "/ipns"] + } +}' || exit 1 +# restart daemon to apply config changes +test_kill_ipfs_daemon +test_launch_ipfs_daemon --offline + +# not mounted at the root domain +test_hostname_gateway_response_should_contain \ + "request for example.com/api/v0/refs returns 404 if /api not on Paths whitelist" \ + "example.com" \ + "http://127.0.0.1:$GWAY_PORT/api/v0/refs?arg=${DIR_CID}&r=true" \ + "404 Not Found" + +# not mounted on content root subdomains +test_hostname_gateway_response_should_contain \ + "request for {cid}.ipfs.example.com/api returns data if present on the content root" \ + "$DIR_CID.ipfs.example.com" \ + "http://127.0.0.1:$GWAY_PORT/api/file.txt" \ + "I am a txt file" + +# DNSLink: .ipns.example.com +# (not really useful outside of localhost, as setting TLS for more than one +# level of wildcard is a pain, but we support it if someone really wants it) +# ============================================================================ + +# DNSLink test requires a daemon in online mode with precached /ipns/ mapping +test_kill_ipfs_daemon +DNSLINK_FQDN="dnslink-subdomain-gw-test.example.org" +export IPFS_NS_MAP="$DNSLINK_FQDN:/ipfs/$CIDv1" +test_launch_ipfs_daemon + +test_hostname_gateway_response_should_contain \ + "request for {dnslink}.ipns.example.com returns expected payload" \ + "$DNSLINK_FQDN.ipns.example.com" \ + "http://127.0.0.1:$GWAY_PORT" \ + "$CID_VAL" + +# Disable selected Paths for the subdomain gateway hostname +# ============================================================================= + +# disable /ipns for the hostname by not whitelisting it +ipfs config --json Gateway.PublicGateways '{ + "example.com": { + "UseSubdomains": true, + "Paths": ["/ipfs"] + } +}' || exit 1 +# restart daemon to apply config changes +test_kill_ipfs_daemon +test_launch_ipfs_daemon --offline + +# refuse requests to Paths that were not explicitly whitelisted for the hostname +test_hostname_gateway_response_should_contain \ + "request for *.ipns.example.com returns HTTP 404 Not Found when /ipns is not on Paths whitelist" \ + "${IPNS_IDv1}.ipns.example.com" \ + "http://127.0.0.1:$GWAY_PORT" \ + "404 Not Found" + + +## ============================================================================ +## Test path-based requests with a custom hostname config +## ============================================================================ + +# set explicit subdomain gateway config for the hostname +ipfs config --json Gateway.PublicGateways '{ + "example.com": { + "UseSubdomains": false, + "Paths": ["/ipfs"] + } +}' || exit 1 + +# restart daemon to apply config changes +test_kill_ipfs_daemon +test_launch_ipfs_daemon --offline + +# example.com/ip(f|n)s/* smoke-tests +# ============================================================================= + +# confirm path gateway works for /ipfs +test_hostname_gateway_response_should_contain \ + "request for example.com/ipfs/{CIDv1} returns expected payload" \ + "example.com" \ + "http://127.0.0.1:$GWAY_PORT/ipfs/$CIDv1" \ + "$CID_VAL" + +# refuse subdomain requests on path gateway +# (we don't want false sense of security) +test_hostname_gateway_response_should_contain \ + "request for {CID}.ipfs.example.com/ipfs/{CID} should return HTTP 404 Not Found" \ + "${CIDv1}.ipfs.example.com" \ + "http://127.0.0.1:$GWAY_PORT/ipfs/$CIDv1" \ + "404 Not Found" + +# refuse requests to Paths that were not explicitly whitelisted for the hostname +test_hostname_gateway_response_should_contain \ + "request for example.com/ipns/ returns HTTP 404 Not Found when /ipns is not on Paths whitelist" \ + "example.com" \ + "http://127.0.0.1:$GWAY_PORT/ipns/$IPNS_IDv1" \ + "404 Not Found" + +## ============================================================================ +## Test DNSLink requests with a custom PublicGateway (hostname config) +## (DNSLink site at http://dnslink-test.example.com) +## ============================================================================ + +test_kill_ipfs_daemon + +# disable wildcard DNSLink gateway +# and enable it on specific NSLink hostname +ipfs config --json Gateway.NoDNSLink true && \ +ipfs config --json Gateway.PublicGateways '{ + "dnslink-enabled-on-fqdn.example.org": { + "NoDNSLink": false, + "UseSubdomains": false, + "Paths": ["/ipfs"] + }, + "only-dnslink-enabled-on-fqdn.example.org": { + "NoDNSLink": false, + "UseSubdomains": false, + "Paths": [] + }, + "dnslink-disabled-on-fqdn.example.com": { + "NoDNSLink": true, + "UseSubdomains": false, + "Paths": [] + } +}' || exit 1 + +# DNSLink test requires a daemon in online mode with precached /ipns/ mapping +DNSLINK_FQDN="dnslink-enabled-on-fqdn.example.org" +ONLY_DNSLINK_FQDN="only-dnslink-enabled-on-fqdn.example.org" +NO_DNSLINK_FQDN="dnslink-disabled-on-fqdn.example.com" +export IPFS_NS_MAP="$DNSLINK_FQDN:/ipfs/$CIDv1,$ONLY_DNSLINK_FQDN:/ipfs/$DIR_CID" + +# restart daemon to apply config changes +test_launch_ipfs_daemon + +# make sure test setup is valid (fail if CoreAPI is unable to resolve) +test_expect_success "spoofed DNSLink record resolves in cli" " + ipfs resolve /ipns/$DNSLINK_FQDN > result && + test_should_contain \"$CIDv1\" result && + ipfs cat /ipns/$DNSLINK_FQDN > result && + test_should_contain \"$CID_VAL\" result +" + +# DNSLink enabled + +test_hostname_gateway_response_should_contain \ + "request for http://{dnslink-fqdn}/ PublicGateway returns expected payload" \ + "$DNSLINK_FQDN" \ + "http://127.0.0.1:$GWAY_PORT/" \ + "$CID_VAL" + +test_hostname_gateway_response_should_contain \ + "request for {dnslink-fqdn}/ipfs/{cid} returns expected payload when /ipfs is on Paths whitelist" \ + "$DNSLINK_FQDN" \ + "http://127.0.0.1:$GWAY_PORT/ipfs/$CIDv1" \ + "$CID_VAL" + +# Test for a fun edge case: DNSLink-only gateway without /ipfs/ namespace +# mounted, and with subdirectory named "ipfs" ¯\_(ツ)_/¯ +test_hostname_gateway_response_should_contain \ + "request for {dnslink-fqdn}/ipfs/file.txt returns data from content root when /ipfs in not on Paths whitelist" \ + "$ONLY_DNSLINK_FQDN" \ + "http://127.0.0.1:$GWAY_PORT/ipfs/file.txt" \ + "I am a txt file" + +test_hostname_gateway_response_should_contain \ + "request for {dnslink-fqdn}/ipns/{peerid} returns 404 when path is not whitelisted" \ + "$DNSLINK_FQDN" \ + "http://127.0.0.1:$GWAY_PORT/ipns/$IPNS_IDv0" \ + "404 Not Found" + +# DNSLink disabled + +test_hostname_gateway_response_should_contain \ + "request for http://{dnslink-fqdn}/ returns 404 when NoDNSLink=true" \ + "$NO_DNSLINK_FQDN" \ + "http://127.0.0.1:$GWAY_PORT/" \ + "404 Not Found" + +test_hostname_gateway_response_should_contain \ + "request for {dnslink-fqdn}/ipfs/{cid} returns 404 when path is not whitelisted" \ + "$NO_DNSLINK_FQDN" \ + "http://127.0.0.1:$GWAY_PORT/ipfs/$CIDv0" \ + "404 Not Found" + + +## ============================================================================ +## Test wildcard DNSLink (any hostname, with default config) +## ============================================================================ + +test_kill_ipfs_daemon + +# enable wildcard DNSLink gateway (any value in Host header) +# and remove custom PublicGateways +ipfs config --json Gateway.NoDNSLink false && \ +ipfs config --json Gateway.PublicGateways '{}' || exit 1 + +# DNSLink test requires a daemon in online mode with precached /ipns/ mapping +DNSLINK_FQDN="wildcard-dnslink-not-in-config.example.com" +export IPFS_NS_MAP="$DNSLINK_FQDN:/ipfs/$CIDv1" + +# restart daemon to apply config changes +test_launch_ipfs_daemon + +# make sure test setup is valid (fail if CoreAPI is unable to resolve) +test_expect_success "spoofed DNSLink record resolves in cli" " + ipfs resolve /ipns/$DNSLINK_FQDN > result && + test_should_contain \"$CIDv1\" result && + ipfs cat /ipns/$DNSLINK_FQDN > result && + test_should_contain \"$CID_VAL\" result +" + +# gateway test +test_hostname_gateway_response_should_contain \ + "request for http://{dnslink-fqdn}/ (wildcard) returns expected payload" \ + "$DNSLINK_FQDN" \ + "http://127.0.0.1:$GWAY_PORT/" \ + "$CID_VAL" + +# ============================================================================= +# ensure we end with empty Gateway.PublicGateways +ipfs config --json Gateway.PublicGateways '{}' +test_kill_ipfs_daemon + +test_done diff --git a/test/sharness/t0160-resolve.sh b/test/sharness/t0160-resolve.sh index 87740685644..62a6f5b3bfa 100755 --- a/test/sharness/t0160-resolve.sh +++ b/test/sharness/t0160-resolve.sh @@ -116,6 +116,15 @@ test_resolve_cmd_b32() { test_resolve_setup_name "self" "/ipfs/$c_hash_b32" test_resolve "/ipns/$self_hash" "/ipfs/$c_hash_b32" --cid-base=base32 + + # peer ID represented as CIDv1 require libp2p-key multicodec + # https://github.com/libp2p/specs/blob/master/RFC/0001-text-peerid-cid.md + local self_hash_b32protobuf=$(echo $self_hash | ipfs cid format -v 1 -b b --codec protobuf) + local self_hash_b32libp2pkey=$(echo $self_hash | ipfs cid format -v 1 -b b --codec libp2p-key) + test_expect_success "resolve of /ipns/{cidv1} with multicodec other than libp2p-key returns a meaningful error" ' + test_expect_code 1 ipfs resolve /ipns/$self_hash_b32protobuf 2>cidcodec_error && + grep "Error: peer ID represented as CIDv1 require libp2p-key multicodec: retry with /ipns/$self_hash_b32libp2pkey" cidcodec_error + ' } diff --git a/test/sharness/t0184-http-proxy-over-p2p.sh b/test/sharness/t0184-http-proxy-over-p2p.sh index 578a3f424df..06a3b9ccb18 100755 --- a/test/sharness/t0184-http-proxy-over-p2p.sh +++ b/test/sharness/t0184-http-proxy-over-p2p.sh @@ -144,10 +144,19 @@ test_expect_success 'configure nodes' ' iptb testbed create -type localipfs -count 2 -force -init && ipfsi 0 config --json Experimental.Libp2pStreamMounting true && ipfsi 1 config --json Experimental.Libp2pStreamMounting true && - ipfsi 0 config --json Experimental.P2pHttpProxy true + ipfsi 0 config --json Experimental.P2pHttpProxy true && ipfsi 0 config --json Addresses.Gateway "[\"/ip4/127.0.0.1/tcp/$IPFS_GATEWAY_PORT\"]" ' +test_expect_success 'configure a subdomain gateway with /p2p/ path whitelisted' " + ipfsi 0 config --json Gateway.PublicGateways '{ + \"example.com\": { + \"UseSubdomains\": true, + \"Paths\": [\"/p2p/\"] + } + }' +" + test_expect_success 'start and connect nodes' ' iptb start -wait && iptb connect 0 1 ' @@ -206,6 +215,30 @@ test_expect_success 'handle multipart/form-data http request' ' curl_send_multipart_form_request 200 ' +# subdomain gateway at *.p2p.example.com requires PeerdID in base32 +RECEIVER_ID_CIDv1=$( ipfs cid format -v 1 -b b --codec libp2p-key -- $RECEIVER_ID) + +# OK: $peerid.p2p.example.com/http/index.txt +test_expect_success "handle http request to a subdomain gateway" ' + serve_content "SUBDOMAIN PROVIDES ORIGIN ISOLATION PER RECEIVER_ID" && + curl -H "Host: $RECEIVER_ID_CIDv1.p2p.example.com" -sD - $SENDER_GATEWAY/http/index.txt > p2p_response && + test_should_contain "SUBDOMAIN PROVIDES ORIGIN ISOLATION PER RECEIVER_ID" p2p_response +' + +# FAIL: $peerid.p2p.example.com/p2p/$peerid/http/index.txt +test_expect_success "handle invalid http request to a subdomain gateway" ' + serve_content "SUBDOMAIN DOES NOT SUPPORT FULL /p2p/ PATH" && + curl -H "Host: $RECEIVER_ID_CIDv1.p2p.example.com" -sD - $SENDER_GATEWAY/p2p/$RECEIVER_ID/http/index.txt > p2p_response && + test_should_contain "400 Bad Request" p2p_response +' + +# REDIRECT: example.com/p2p/$peerid/http/index.txt → $peerid.p2p.example.com/http/index.txt +test_expect_success "redirect http path request to subdomain gateway" ' + serve_content "SUBDOMAIN ROOT REDIRECTS /p2p/ PATH TO SUBDOMAIN" && + curl -H "Host: example.com" -sD - $SENDER_GATEWAY/p2p/$RECEIVER_ID/http/index.txt > p2p_response && + test_should_contain "Location: http://$RECEIVER_ID_CIDv1.p2p.example.com/http/index.txt" p2p_response +' + test_expect_success 'stop http server' ' teardown_remote_server '