From 21e2b93bf3ffa5f076b6d5bb70dab7207abc6397 Mon Sep 17 00:00:00 2001
From: Stephen Soltesz
Date: Tue, 9 Aug 2022 18:43:20 -0400
Subject: [PATCH] Update m-lab/access version to use explicit access controller.Paths (#370)
* Update m-lab/access version
* Set explicit access controller paths
---
 go.mod | 2 +-
 go.sum | 2 ++
 ndt-server.go | 22 +++++++++++++++++-----
 3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index d7aeaf74..c34753fb 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 github.com/google/uuid v1.2.0
 github.com/gorilla/handlers v1.5.1
 github.com/gorilla/websocket v1.5.0
- github.com/m-lab/access v0.0.10
+ github.com/m-lab/access v0.0.11
 github.com/m-lab/go v0.1.53
 github.com/m-lab/tcp-info v1.5.3
 github.com/m-lab/uuid v0.0.0-20191115203855-549727171666
diff --git a/go.sum b/go.sum
index c2292642..3f2275f2 100644
--- a/go.sum
+++ b/go.sum
@@ -186,6 +186,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/m-lab/access v0.0.10 h1:t/lMUJ+nGyDvW9fhT3yDFB+1hQgmuKEX7QMBOqkJBrA=
 github.com/m-lab/access v0.0.10/go.mod h1:gZ7YN3SeMTZYeRv5EFaLdG+XVI/F/X4njM1G1BfwuE4=
+github.com/m-lab/access v0.0.11 h1:i2aoal7zgdzXAA7pGL5mXpM8yybURDJGZLwBMmA4Le8=
+github.com/m-lab/access v0.0.11/go.mod h1:ky+hXvIDE1VgEdWhMRJLjYonRrcvfiEJ1BEZtK6+zFQ=
 github.com/m-lab/go v0.1.53 h1:1PsQSMfzPVs6qjrcf2Q3ZDYgiN/Y762K2fOXWSJcXSQ=
 github.com/m-lab/go v0.1.53/go.mod h1:woT26L9Hf07juZGHe7Z4WveV7MM6NS6vQaaWzRQnab4=
 github.com/m-lab/tcp-info v1.5.3 h1:4IspTPcNc8D8LNRvuFnID8gDiz+hxPAtYvpKZaiGGe8=
diff --git a/ndt-server.go b/ndt-server.go
index 422eef83..1fbcd225 100644
--- a/ndt-server.go
+++ b/ndt-server.go
@@ -173,9 +173,24 @@ func main() {
 if (tokenRequired5 || tokenRequired7) && err != nil {
 rtx.Must(err, "Failed to load verifier for when tokens are required")
 }
+
+ // Enforce tokens and tx controllers on the same ndt5 resource.
+ // NOTE: raw ndt5 requests cannot honor tokens or differentiate between upload/downloads.
+ ndt5Paths := controller.Paths{
+ "/ndt_protocol": true,
+ }
+ // Enforce Tx limits only on downloads.
+ ndt7TxPaths := controller.Paths{
+ spec.DownloadURLPath: true,
+ }
+ // Enforce tokens on uploads and downloads.
+ ndt7TokenPaths := controller.Paths{
+ spec.DownloadURLPath: true,
+ spec.UploadURLPath: true,
+ }
 // NDT5 uses a raw server, which requires tx5. NDT7 is HTTP only.
- ac5, tx5 := controller.Setup(ctx, v, tokenRequired5, tokenMachine)
- ac7, _ := controller.Setup(ctx, v, tokenRequired7, tokenMachine)
+ ac5, tx5 := controller.Setup(ctx, v, tokenRequired5, tokenMachine, ndt5Paths, ndt5Paths)
+ ac7, _ := controller.Setup(ctx, v, tokenRequired7, tokenMachine, ndt7TxPaths, ndt7TokenPaths)
 
 // The ndt5 protocol serving non-HTTP-based tests - forwards to Ws-based
 // server if the first three bytes are "GET".
@@ -189,7 +204,6 @@ func main() {
 ndt5WsMux := http.NewServeMux()
 ndt5WsMux.Handle("/", http.FileServer(http.Dir(*htmlDir)))
 ndt5WsMux.Handle("/ndt_protocol", ndt5handler.NewWS(*dataDir+"/ndt5", serverMetadata))
- controller.AllowPathLabel("/ndt_protocol")
 ndt5WsServer := httpServer(
 *ndt5WsAddr,
 // NOTE: do not use `ac.Then()` to prevent 'double jeopardy' for
@@ -211,8 +225,6 @@ func main() {
 }
 ndt7Mux.Handle(spec.DownloadURLPath, http.HandlerFunc(ndt7Handler.Download))
 ndt7Mux.Handle(spec.UploadURLPath, http.HandlerFunc(ndt7Handler.Upload))
- controller.AllowPathLabel(spec.DownloadURLPath)
- controller.AllowPathLabel(spec.UploadURLPath)
 ndt7ServerCleartext := httpServer(
 *ndt7AddrCleartext,
 ac7.Then(logging.MakeAccessLogHandler(ndt7Mux)),
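Review bot: The two new trailing arguments to `controller.Setup` are both `controller.Paths`, so on the `ac7` line nothing but the variable names shows which map limits tx and which requires tokens; swapping them would still compile and would leave `spec.UploadURLPath` outside token enforcement. Judging by the ndt7 call the order is tx paths first and token paths second, which I would pin in a comment above both calls, e.g. `// controller.Setup(..., txPaths, tokenPaths): order matters, both are controller.Paths.`, and cover with a test asserting that an upload request without a token is rejected when tokens are required. The path sets are now also declared away from the `Handle` registrations further down in `main` (whose body starts and ends outside this hunk), so a handler added to `ndt7Mux` later is presumably not token-checked until it is also added to `ndt7TokenPaths`; a short comment at the map saying so would help.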