norman/api/validate.go

package api

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"

	"github.com/rancher/norman/httperror"
	"github.com/rancher/norman/parse"
	"github.com/rancher/norman/types"
)

const (
	csrfCookie = "CSRF"
	csrfHeader = "X-API-CSRF"
)

func ValidateAction(request *types.APIContext) (*types.Action, error) {
	if request.Action == "" || request.Link != "" || request.Method != http.MethodPost {
		return nil, nil
	}

	actions := request.Schema.CollectionActions
	if request.ID != "" {
		actions = request.Schema.ResourceActions
	}

	action, ok := actions[request.Action]
	if !ok {
		return nil, httperror.NewAPIError(httperror.InvalidAction, fmt.Sprintf("Invalid action: %s", request.Action))
	}

	if request.ID != "" && request.ReferenceValidator != nil {
		resource := request.ReferenceValidator.Lookup(request.Type, request.ID)
		if resource == nil {
			return nil, httperror.NewAPIError(httperror.NotFound, fmt.Sprintf("Failed to find type: %s id: %s", request.Type, request.ID))
		}

		if _, ok := resource.Actions[request.Action]; !ok {
			return nil, httperror.NewAPIError(httperror.InvalidAction, fmt.Sprintf("Invalid action: %s", request.Action))
		}
	}

	return &action, nil
}

func CheckCSRF(apiContext *types.APIContext) error {
	if !parse.IsBrowser(apiContext.Request, false) {
		return nil
	}

	cookie, err := apiContext.Request.Cookie(csrfCookie)
	if err == http.ErrNoCookie {
		// 16 bytes = 32 Hex Char = 128 bit entropy
		bytes := make([]byte, 16)
		_, err := rand.Read(bytes)
		if err != nil {
			return httperror.WrapAPIError(err, httperror.ServerError, "Failed in CSRF processing")
		}

		cookie = &http.Cookie{
			Name:   csrfCookie,
			Value:  hex.EncodeToString(bytes),
			Path:   "/",
			Secure: true,
		}

		http.SetCookie(apiContext.Response, cookie)
	} else if err != nil {
		return httperror.NewAPIError(httperror.InvalidCSRFToken, "Failed to parse cookies")
	}

	// Not an else-if, because this should happen even if there was no cookie to begin with.
	if apiContext.Method != http.MethodGet {
		/*
		 * Very important to use apiContext.Method and not apiContext.Request.Method. The client can override the HTTP method with _method
		 */
		if cookie.Value == apiContext.Request.Header.Get(csrfHeader) {
			// Good
		} else if cookie.Value == apiContext.Request.URL.Query().Get(csrfCookie) {
			// Good
		} else {
			return httperror.NewAPIError(httperror.InvalidCSRFToken, "Invalid CSRF token")
		}
	}

	return nil
}
More initial dev 2017-11-11 04:44:02 +00:00			`package api`
Initial 2017-10-16 02:23:15 +00:00
			`import (`
			`"crypto/rand"`
			`"encoding/hex"`
More initial dev 2017-11-11 04:44:02 +00:00			`"fmt"`
Initial 2017-10-16 02:23:15 +00:00			`"net/http"`

			`"github.com/rancher/norman/httperror"`
More initial dev 2017-11-11 04:44:02 +00:00			`"github.com/rancher/norman/parse"`
			`"github.com/rancher/norman/types"`
Initial 2017-10-16 02:23:15 +00:00			`)`

			`const (`
			`csrfCookie = "CSRF"`
			`csrfHeader = "X-API-CSRF"`
			`)`

More initial dev 2017-11-11 04:44:02 +00:00			`func ValidateAction(request types.APIContext) (types.Action, error) {`
use patch for update, fix namespace actions 2017-12-27 22:02:16 +00:00			`if request.Action == "" \|\| request.Link != "" \|\| request.Method != http.MethodPost {`
More initial dev 2017-11-11 04:44:02 +00:00			`return nil, nil`
			`}`

			`actions := request.Schema.CollectionActions`
			`if request.ID != "" {`
			`actions = request.Schema.ResourceActions`
			`}`

			`action, ok := actions[request.Action]`
			`if !ok {`
Subcontext and mapping updates 2017-11-21 20:46:30 +00:00			`return nil, httperror.NewAPIError(httperror.InvalidAction, fmt.Sprintf("Invalid action: %s", request.Action))`
More initial dev 2017-11-11 04:44:02 +00:00			`}`

workaround unimplementd ref validator 2017-12-16 02:22:10 +00:00			`if request.ID != "" && request.ReferenceValidator != nil {`
More initial dev 2017-11-11 04:44:02 +00:00			`resource := request.ReferenceValidator.Lookup(request.Type, request.ID)`
			`if resource == nil {`
Subcontext and mapping updates 2017-11-21 20:46:30 +00:00			`return nil, httperror.NewAPIError(httperror.NotFound, fmt.Sprintf("Failed to find type: %s id: %s", request.Type, request.ID))`
More initial dev 2017-11-11 04:44:02 +00:00			`}`

			`if _, ok := resource.Actions[request.Action]; !ok {`
Subcontext and mapping updates 2017-11-21 20:46:30 +00:00			`return nil, httperror.NewAPIError(httperror.InvalidAction, fmt.Sprintf("Invalid action: %s", request.Action))`
More initial dev 2017-11-11 04:44:02 +00:00			`}`
			`}`

			`return &action, nil`
			`}`

Attempt to fix CSRF, still untested though 2017-12-29 22:04:12 +00:00			`func CheckCSRF(apiContext *types.APIContext) error {`
			`if !parse.IsBrowser(apiContext.Request, false) {`
Initial 2017-10-16 02:23:15 +00:00			`return nil`
			`}`

Attempt to fix CSRF, still untested though 2017-12-29 22:04:12 +00:00			`cookie, err := apiContext.Request.Cookie(csrfCookie)`
More initial dev 2017-11-11 04:44:02 +00:00			`if err == http.ErrNoCookie {`
updated cookie token size 2022-06-09 15:34:57 +00:00			`// 16 bytes = 32 Hex Char = 128 bit entropy`
			`bytes := make([]byte, 16)`
Initial 2017-10-16 02:23:15 +00:00			`_, err := rand.Read(bytes)`
			`if err != nil {`
Subcontext and mapping updates 2017-11-21 20:46:30 +00:00			`return httperror.WrapAPIError(err, httperror.ServerError, "Failed in CSRF processing")`
Initial 2017-10-16 02:23:15 +00:00			`}`

			`cookie = &http.Cookie{`
set secure for CSRF cookie 2019-04-29 22:17:02 +00:00			`Name: csrfCookie,`
			`Value: hex.EncodeToString(bytes),`
CSRF Cookie fixes - Only set the cookie if it doesn't exist - Always mark it secure (it was previously getting re-sent as not) -.Check the value against the header even if there was no value (so that a request that is missing the cookie but should have had one fails). 2020-02-24 22:50:44 +00:00			`Path: "/",`
set secure for CSRF cookie 2019-04-29 22:17:02 +00:00			`Secure: true,`
Initial 2017-10-16 02:23:15 +00:00			`}`
CSRF Cookie fixes - Only set the cookie if it doesn't exist - Always mark it secure (it was previously getting re-sent as not) -.Check the value against the header even if there was no value (so that a request that is missing the cookie but should have had one fails). 2020-02-24 22:50:44 +00:00
			`http.SetCookie(apiContext.Response, cookie)`
More initial dev 2017-11-11 04:44:02 +00:00			`} else if err != nil {`
Subcontext and mapping updates 2017-11-21 20:46:30 +00:00			`return httperror.NewAPIError(httperror.InvalidCSRFToken, "Failed to parse cookies")`
CSRF Cookie fixes - Only set the cookie if it doesn't exist - Always mark it secure (it was previously getting re-sent as not) -.Check the value against the header even if there was no value (so that a request that is missing the cookie but should have had one fails). 2020-02-24 22:50:44 +00:00			`}`

			`// Not an else-if, because this should happen even if there was no cookie to begin with.`
			`if apiContext.Method != http.MethodGet {`
Initial 2017-10-16 02:23:15 +00:00			`/*`
Attempt to fix CSRF, still untested though 2017-12-29 22:04:12 +00:00			`* Very important to use apiContext.Method and not apiContext.Request.Method. The client can override the HTTP method with _method`
Initial 2017-10-16 02:23:15 +00:00			`*/`
Attempt to fix CSRF, still untested though 2017-12-29 22:04:12 +00:00			`if cookie.Value == apiContext.Request.Header.Get(csrfHeader) {`
Initial 2017-10-16 02:23:15 +00:00			`// Good`
Attempt to fix CSRF, still untested though 2017-12-29 22:04:12 +00:00			`} else if cookie.Value == apiContext.Request.URL.Query().Get(csrfCookie) {`
Initial 2017-10-16 02:23:15 +00:00			`// Good`
			`} else {`
Subcontext and mapping updates 2017-11-21 20:46:30 +00:00			`return httperror.NewAPIError(httperror.InvalidCSRFToken, "Invalid CSRF token")`
Initial 2017-10-16 02:23:15 +00:00			`}`
			`}`

			`return nil`
			`}`