plugins: basic auth & cors

plugins/auth/basic.go

@@ -1,23 +1,38 @@
-// Beego (http://beego.me/)
+// Copyright 2014 beego Author. All Rights Reserved.
 //
-// @description beego is an open-source, high-performance web framework for the Go programming language.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
 //
-// @link        http://github.com/astaxie/beego for the canonical source repository
+//      http://www.apache.org/licenses/LICENSE-2.0
 //
-// @license     http://github.com/astaxie/beego/blob/master/LICENSE
-//
-// @authors     astaxie
-package auth
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
 
-// Example:
+// Package auth provides handlers to enable basic auth support.
+// Simple Usage:
+//	import(
+//		"github.com/astaxie/beego"
+//		"github.com/astaxie/beego/plugins/auth"
+//	)
+//
+//	func main(){
+//		// authenticate every request
+//		beego.InsertFilter("*", beego.BeforeRouter,auth.Basic("username","secretpassword"))
+//		beego.Run()
+//	}
+//
+//
+// Advanced Usage:
 // func SecretAuth(username, password string) bool {
-// 	if username == "astaxie" && password == "helloBeego" {
-// 		return true
-// 	}
-// 	return false
+// 	return username == "astaxie" && password == "helloBeego"
 // }
-// authPlugin := auth.NewBasicAuthenticator(SecretAuth, "My Realm")
+// authPlugin := auth.NewBasicAuthenticator(SecretAuth, "Authorization Required")
 // beego.InsertFilter("*", beego.BeforeRouter,authPlugin)
+package auth
 
 import (
 	"encoding/base64"
@@ -28,6 +43,15 @@ import (
 	"github.com/astaxie/beego/context"
 )
 
+var defaultRealm = "Authorization Required"
+
+func Basic(username string, password string) beego.FilterFunc {
+	secrets := func(user, pass string) bool {
+		return user == username && pass == password
+	}
+	return NewBasicAuthenticator(secrets, defaultRealm)
+}
+
 func NewBasicAuthenticator(secrets SecretProvider, Realm string) beego.FilterFunc {
 	return func(ctx *context.Context) {
 		a := &BasicAuth{Secrets: secrets, Realm: Realm}
@@ -44,13 +68,10 @@ type BasicAuth struct {
 	Realm   string
 }
 
-/*
- Checks the username/password combination from the request. Returns
- either an empty string (authentication failed) or the name of the
- authenticated user.
-
- Supports MD5 and SHA1 password entries
-*/
+//Checks the username/password combination from the request. Returns
+//either an empty string (authentication failed) or the name of the
+//authenticated user.
+//Supports MD5 and SHA1 password entries
 func (a *BasicAuth) CheckAuth(r *http.Request) string {
 	s := strings.SplitN(r.Header.Get("Authorization"), " ", 2)
 	if len(s) != 2 || s[0] != "Basic" {
@@ -72,10 +93,8 @@ func (a *BasicAuth) CheckAuth(r *http.Request) string {
 	return ""
 }
 
-/*
- http.Handler for BasicAuth which initiates the authentication process
- (or requires reauthentication).
-*/
+//http.Handler for BasicAuth which initiates the authentication process
+//(or requires reauthentication).
 func (a *BasicAuth) RequireAuth(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("WWW-Authenticate", `Basic realm="`+a.Realm+`"`)
 	w.WriteHeader(401)

plugins/cors/cors.go

@@ -0,0 +1,229 @@
+// Copyright 2014 beego Author. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package cors provides handlers to enable CORS support.
+// Usage
+//
+// import (
+//  "github.com/astaxie/beego"
+//  "github.com/astaxie/beego/plugins/cors"
+// )
+
+//func main() {
+//  // CORS for https://foo.* origins, allowing:
+//  // - PUT and PATCH methods
+//  // - Origin header
+//  // - Credentials share
+//  beego.InsertFilter("*", beego.BeforeRouter,cors.Allow(&cors.Options{
+//    AllowOrigins:     []string{"https://*.foo.com"},
+//    AllowMethods:     []string{"PUT", "PATCH"},
+//    AllowHeaders:     []string{"Origin"},
+//    ExposeHeaders:    []string{"Content-Length"},
+//    AllowCredentials: true,
+//  }))
+//  beego.Run()
+//}
+package cors
+
+import (
+	"net/http"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/astaxie/beego"
+	"github.com/astaxie/beego/context"
+)
+
+const (
+	headerAllowOrigin      = "Access-Control-Allow-Origin"
+	headerAllowCredentials = "Access-Control-Allow-Credentials"
+	headerAllowHeaders     = "Access-Control-Allow-Headers"
+	headerAllowMethods     = "Access-Control-Allow-Methods"
+	headerExposeHeaders    = "Access-Control-Expose-Headers"
+	headerMaxAge           = "Access-Control-Max-Age"
+
+	headerOrigin         = "Origin"
+	headerRequestMethod  = "Access-Control-Request-Method"
+	headerRequestHeaders = "Access-Control-Request-Headers"
+)
+
+var (
+	defaultAllowHeaders = []string{"Origin", "Accept", "Content-Type", "Authorization"}
+	// Regex patterns are generated from AllowOrigins. These are used and generated internally.
+	allowOriginPatterns = []string{}
+)
+
+// Options represents Access Control options.
+type Options struct {
+	// If set, all origins are allowed.
+	AllowAllOrigins bool
+	// A list of allowed origins. Wild cards and FQDNs are supported.
+	AllowOrigins []string
+	// If set, allows to share auth credentials such as cookies.
+	AllowCredentials bool
+	// A list of allowed HTTP methods.
+	AllowMethods []string
+	// A list of allowed HTTP headers.
+	AllowHeaders []string
+	// A list of exposed HTTP headers.
+	ExposeHeaders []string
+	// Max age of the CORS headers.
+	MaxAge time.Duration
+}
+
+// Header converts options into CORS headers.
+func (o *Options) Header(origin string) (headers map[string]string) {
+	headers = make(map[string]string)
+	// if origin is not allowed, don't extend the headers
+	// with CORS headers.
+	if !o.AllowAllOrigins && !o.IsOriginAllowed(origin) {
+		return
+	}
+
+	// add allow origin
+	if o.AllowAllOrigins {
+		headers[headerAllowOrigin] = "*"
+	} else {
+		headers[headerAllowOrigin] = origin
+	}
+
+	// add allow credentials
+	headers[headerAllowCredentials] = strconv.FormatBool(o.AllowCredentials)
+
+	// add allow methods
+	if len(o.AllowMethods) > 0 {
+		headers[headerAllowMethods] = strings.Join(o.AllowMethods, ",")
+	}
+
+	// add allow headers
+	if len(o.AllowHeaders) > 0 {
+		headers[headerAllowHeaders] = strings.Join(o.AllowHeaders, ",")
+	}
+
+	// add exposed header
+	if len(o.ExposeHeaders) > 0 {
+		headers[headerExposeHeaders] = strings.Join(o.ExposeHeaders, ",")
+	}
+	// add a max age header
+	if o.MaxAge > time.Duration(0) {
+		headers[headerMaxAge] = strconv.FormatInt(int64(o.MaxAge/time.Second), 10)
+	}
+	return
+}
+
+// PreflightHeader converts options into CORS headers for a preflight response.
+func (o *Options) PreflightHeader(origin, rMethod, rHeaders string) (headers map[string]string) {
+	headers = make(map[string]string)
+	if !o.AllowAllOrigins && !o.IsOriginAllowed(origin) {
+		return
+	}
+	// verify if requested method is allowed
+	for _, method := range o.AllowMethods {
+		if method == rMethod {
+			headers[headerAllowMethods] = strings.Join(o.AllowMethods, ",")
+			break
+		}
+	}
+
+	// verify if requested headers are allowed
+	var allowed []string
+	for _, rHeader := range strings.Split(rHeaders, ",") {
+		rHeader = strings.TrimSpace(rHeader)
+	lookupLoop:
+		for _, allowedHeader := range o.AllowHeaders {
+			if strings.ToLower(rHeader) == strings.ToLower(allowedHeader) {
+				allowed = append(allowed, rHeader)
+				break lookupLoop
+			}
+		}
+	}
+
+	headers[headerAllowCredentials] = strconv.FormatBool(o.AllowCredentials)
+	// add allow origin
+	if o.AllowAllOrigins {
+		headers[headerAllowOrigin] = "*"
+	} else {
+		headers[headerAllowOrigin] = origin
+	}
+
+	// add allowed headers
+	if len(allowed) > 0 {
+		headers[headerAllowHeaders] = strings.Join(allowed, ",")
+	}
+
+	// add exposed headers
+	if len(o.ExposeHeaders) > 0 {
+		headers[headerExposeHeaders] = strings.Join(o.ExposeHeaders, ",")
+	}
+	// add a max age header
+	if o.MaxAge > time.Duration(0) {
+		headers[headerMaxAge] = strconv.FormatInt(int64(o.MaxAge/time.Second), 10)
+	}
+	return
+}
+
+// IsOriginAllowed looks up if the origin matches one of the patterns
+// generated from Options.AllowOrigins patterns.
+func (o *Options) IsOriginAllowed(origin string) (allowed bool) {
+	for _, pattern := range allowOriginPatterns {
+		allowed, _ = regexp.MatchString(pattern, origin)
+		if allowed {
+			return
+		}
+	}
+	return
+}
+
+// Allow enables CORS for requests those match the provided options.
+func Allow(opts *Options) beego.FilterFunc {
+	// Allow default headers if nothing is specified.
+	if len(opts.AllowHeaders) == 0 {
+		opts.AllowHeaders = defaultAllowHeaders
+	}
+
+	for _, origin := range opts.AllowOrigins {
+		pattern := regexp.QuoteMeta(origin)
+		pattern = strings.Replace(pattern, "\\*", ".*", -1)
+		pattern = strings.Replace(pattern, "\\?", ".", -1)
+		allowOriginPatterns = append(allowOriginPatterns, "^"+pattern+"$")
+	}
+
+	return func(ctx *context.Context) {
+		var (
+			origin           = ctx.Input.Header(headerOrigin)
+			requestedMethod  = ctx.Input.Header(headerRequestMethod)
+			requestedHeaders = ctx.Input.Header(headerRequestHeaders)
+			// additional headers to be added
+			// to the response.
+			headers map[string]string
+		)
+
+		if ctx.Input.Method() == "OPTIONS" &&
+			(requestedMethod != "" || requestedHeaders != "") {
+			headers = opts.PreflightHeader(origin, requestedMethod, requestedHeaders)
+			for key, value := range headers {
+				ctx.Output.Header(key, value)
+			}
+			ctx.Output.SetStatus(http.StatusOK)
+			return
+		}
+		headers = opts.Header(origin)
+
+		for key, value := range headers {
+			ctx.Output.Header(key, value)
+		}
+	}
+}

plugins/cors/cors_test.go

@@ -0,0 +1,253 @@
+// Copyright 2014 beego Author. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package cors provides handlers to enable CORS support.
+package cors
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/astaxie/beego"
+	"github.com/astaxie/beego/context"
+)
+
+type HttpHeaderGuardRecorder struct {
+	*httptest.ResponseRecorder
+	savedHeaderMap http.Header
+}
+
+func NewRecorder() *HttpHeaderGuardRecorder {
+	return &HttpHeaderGuardRecorder{httptest.NewRecorder(), nil}
+}
+
+func (gr *HttpHeaderGuardRecorder) WriteHeader(code int) {
+	gr.ResponseRecorder.WriteHeader(code)
+	gr.savedHeaderMap = gr.ResponseRecorder.Header()
+}
+
+func (gr *HttpHeaderGuardRecorder) Header() http.Header {
+	if gr.savedHeaderMap != nil {
+		// headers were written. clone so we don't get updates
+		clone := make(http.Header)
+		for k, v := range gr.savedHeaderMap {
+			clone[k] = v
+		}
+		return clone
+	} else {
+		return gr.ResponseRecorder.Header()
+	}
+}
+
+func Test_AllowAll(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowAllOrigins: true,
+	}))
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+	r, _ := http.NewRequest("PUT", "/foo", nil)
+	handler.ServeHTTP(recorder, r)
+
+	if recorder.HeaderMap.Get(headerAllowOrigin) != "*" {
+		t.Errorf("Allow-Origin header should be *")
+	}
+}
+
+func Test_AllowRegexMatch(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowOrigins: []string{"https://aaa.com", "https://*.foo.com"},
+	}))
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+	origin := "https://bar.foo.com"
+	r, _ := http.NewRequest("PUT", "/foo", nil)
+	r.Header.Add("Origin", origin)
+	handler.ServeHTTP(recorder, r)
+
+	headerValue := recorder.HeaderMap.Get(headerAllowOrigin)
+	if headerValue != origin {
+		t.Errorf("Allow-Origin header should be %v, found %v", origin, headerValue)
+	}
+}
+
+func Test_AllowRegexNoMatch(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowOrigins: []string{"https://*.foo.com"},
+	}))
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+	origin := "https://ww.foo.com.evil.com"
+	r, _ := http.NewRequest("PUT", "/foo", nil)
+	r.Header.Add("Origin", origin)
+	handler.ServeHTTP(recorder, r)
+
+	headerValue := recorder.HeaderMap.Get(headerAllowOrigin)
+	if headerValue != "" {
+		t.Errorf("Allow-Origin header should not exist, found %v", headerValue)
+	}
+}
+
+func Test_OtherHeaders(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowAllOrigins:  true,
+		AllowCredentials: true,
+		AllowMethods:     []string{"PATCH", "GET"},
+		AllowHeaders:     []string{"Origin", "X-whatever"},
+		ExposeHeaders:    []string{"Content-Length", "Hello"},
+		MaxAge:           5 * time.Minute,
+	}))
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+	r, _ := http.NewRequest("PUT", "/foo", nil)
+	handler.ServeHTTP(recorder, r)
+
+	credentialsVal := recorder.HeaderMap.Get(headerAllowCredentials)
+	methodsVal := recorder.HeaderMap.Get(headerAllowMethods)
+	headersVal := recorder.HeaderMap.Get(headerAllowHeaders)
+	exposedHeadersVal := recorder.HeaderMap.Get(headerExposeHeaders)
+	maxAgeVal := recorder.HeaderMap.Get(headerMaxAge)
+
+	if credentialsVal != "true" {
+		t.Errorf("Allow-Credentials is expected to be true, found %v", credentialsVal)
+	}
+
+	if methodsVal != "PATCH,GET" {
+		t.Errorf("Allow-Methods is expected to be PATCH,GET; found %v", methodsVal)
+	}
+
+	if headersVal != "Origin,X-whatever" {
+		t.Errorf("Allow-Headers is expected to be Origin,X-whatever; found %v", headersVal)
+	}
+
+	if exposedHeadersVal != "Content-Length,Hello" {
+		t.Errorf("Expose-Headers are expected to be Content-Length,Hello. Found %v", exposedHeadersVal)
+	}
+
+	if maxAgeVal != "300" {
+		t.Errorf("Max-Age is expected to be 300, found %v", maxAgeVal)
+	}
+}
+
+func Test_DefaultAllowHeaders(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowAllOrigins: true,
+	}))
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+
+	r, _ := http.NewRequest("PUT", "/foo", nil)
+	handler.ServeHTTP(recorder, r)
+
+	headersVal := recorder.HeaderMap.Get(headerAllowHeaders)
+	if headersVal != "Origin,Accept,Content-Type,Authorization" {
+		t.Errorf("Allow-Headers is expected to be Origin,Accept,Content-Type,Authorization; found %v", headersVal)
+	}
+}
+
+func Test_Preflight(t *testing.T) {
+	recorder := NewRecorder()
+	handler := beego.NewControllerRegister()
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowAllOrigins: true,
+		AllowMethods:    []string{"PUT", "PATCH"},
+		AllowHeaders:    []string{"Origin", "X-whatever", "X-CaseSensitive"},
+	}))
+
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(200)
+	})
+
+	r, _ := http.NewRequest("OPTIONS", "/foo", nil)
+	r.Header.Add(headerRequestMethod, "PUT")
+	r.Header.Add(headerRequestHeaders, "X-whatever, x-casesensitive")
+	handler.ServeHTTP(recorder, r)
+
+	headers := recorder.Header()
+	methodsVal := headers.Get(headerAllowMethods)
+	headersVal := headers.Get(headerAllowHeaders)
+	originVal := headers.Get(headerAllowOrigin)
+
+	if methodsVal != "PUT,PATCH" {
+		t.Errorf("Allow-Methods is expected to be PUT,PATCH, found %v", methodsVal)
+	}
+
+	if !strings.Contains(headersVal, "X-whatever") {
+		t.Errorf("Allow-Headers is expected to contain X-whatever, found %v", headersVal)
+	}
+
+	if !strings.Contains(headersVal, "x-casesensitive") {
+		t.Errorf("Allow-Headers is expected to contain x-casesensitive, found %v", headersVal)
+	}
+
+	if originVal != "*" {
+		t.Errorf("Allow-Origin is expected to be *, found %v", originVal)
+	}
+
+	if recorder.Code != http.StatusOK {
+		t.Errorf("Status code is expected to be 200, found %d", recorder.Code)
+	}
+}
+
+func Benchmark_WithoutCORS(b *testing.B) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	beego.RunMode = "prod"
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+	b.ResetTimer()
+	for i := 0; i < 100; i++ {
+		r, _ := http.NewRequest("PUT", "/foo", nil)
+		handler.ServeHTTP(recorder, r)
+	}
+}
+
+func Benchmark_WithCORS(b *testing.B) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	beego.RunMode = "prod"
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowAllOrigins:  true,
+		AllowCredentials: true,
+		AllowMethods:     []string{"PATCH", "GET"},
+		AllowHeaders:     []string{"Origin", "X-whatever"},
+		MaxAge:           5 * time.Minute,
+	}))
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+	b.ResetTimer()
+	for i := 0; i < 100; i++ {
+		r, _ := http.NewRequest("PUT", "/foo", nil)
+		handler.ServeHTTP(recorder, r)
+	}
+}