gatekeeper/referer_policy.go at master · 4nkitd/gatekeeper · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
package gatekeeper

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// newParsedRefererPolicy creates a parsed referer policy from configuration
func newParsedRefererPolicy(config *RefererPolicyConfig) (*parsedRefererPolicy, error) {
	if config == nil {
		return nil, fmt.Errorf("referer policy config is nil")
	}

	parsed := &parsedRefererPolicy{
		config:   config,
		exactSet: make(map[string]struct{}),
	}

	// Process exact referers (case-insensitive)
	for _, referer := range config.Exact {
		parsed.exactSet[strings.ToLower(referer)] = struct{}{}
	}

	// Compile regex patterns
	for _, pattern := range config.Patterns {
		compiled, err := regexp.Compile(pattern)
		if err != nil {
			return nil, fmt.Errorf("invalid referer regex pattern '%s': %w", pattern, err)
		}
		parsed.compiledPatterns = append(parsed.compiledPatterns, compiled)
	}

	return parsed, nil
}

// RefererPolicy implements the referer-based access control middleware
func (gk *Gatekeeper) RefererPolicy(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		referer := r.Header.Get("Referer")

		// If no referer policy is configured, allow the request
		if gk.parsedRefererPolicy == nil {
			next.ServeHTTP(w, r)
			return
		}

		config := gk.parsedRefererPolicy.config
		isMatched := gk.isRefererMatched(referer)

		var shouldBlock bool
		var reason string

		switch config.Mode {
		case ModeBlacklist:
			if isMatched {
				shouldBlock = true
				reason = fmt.Sprintf("referer '%s' is blacklisted", referer)
			}
		case ModeWhitelist:
			if !isMatched {
				shouldBlock = true
				if referer == "" {
					reason = "no referer provided and whitelist mode is active"
				} else {
					reason = fmt.Sprintf("referer '%s' is not whitelisted", referer)
				}
			}
		default:
			gk.logger.Printf("Invalid referer policy mode: %s", config.Mode)
			next.ServeHTTP(w, r)
			return
		}

		if shouldBlock {
			gk.blockRequest(w, r, gk.config.DefaultBlockStatusCode, gk.config.DefaultBlockMessage, reason)
			return
		}

		next.ServeHTTP(w, r)
	})
}

// isRefererMatched checks if the referer matches any configured pattern or exact string
func (gk *Gatekeeper) isRefererMatched(referer string) bool {
	if gk.parsedRefererPolicy == nil {
		return false
	}

	// Normalize referer for case-insensitive comparison
	refererLower := strings.ToLower(referer)

	// Check exact matches
	if _, exists := gk.parsedRefererPolicy.exactSet[refererLower]; exists {
		return true
	}

	// Check regex patterns
	for _, pattern := range gk.parsedRefererPolicy.compiledPatterns {
		if pattern.MatchString(referer) {
			return true
		}
	}

	return false
}