echo: protect profiles by IPecho/v0.16.3

author: Mike Crute <mike@crute.us> 2023-11-12 11:09:11 -0800
committer: Mike Crute <mike@crute.us> 2023-11-12 11:09:11 -0800
commit: c9878e6aa081869ad5b711e15cb4cb561a44dab6 (patch)
tree: 2b57194887510a265005c84b135f90e79f7515da
parent: aaebdc0a79968e68ab24dc1a98fa45607d74f30c (diff)
download: golib-c9878e6aa081869ad5b711e15cb4cb561a44dab6.tar.bz2
golib-c9878e6aa081869ad5b711e15cb4cb561a44dab6.tar.xz
golib-c9878e6aa081869ad5b711e15cb4cb561a44dab6.zip
2 files changed, 64 insertions, 34 deletions
diff --git a/echo/echo_default.go b/echo/echo_default.go
index dadeb90..5cd4b75 100644
--- a/echo/echo_default.go
+++ b/echo/echo_default.go
@@ -82,6 +82,7 @@ type EchoWrapper struct {
        autocert          autocert.PrimingCertProvider
        templateFS        fs.FS
        errorHandler      ErrorHandler
+        netboxIpFilter    *glmw.NetboxIPFilter
 }
 // NewEchoWrapper creates a new instance of Echo and wraps it in an
@@ -163,10 +164,6 @@ func (w *EchoWrapper) AddErrorHandler(h ContentErrorHandler, mime ...string) {
 }
 func (w *EchoWrapper) Configure(c EchoConfig) (err error) {
-        if w.Debug || c.EnableTrace {
-                glmw.RegisterPprof(w.Echo)
-        }
        w.configureAutocert(&c)
        if err := w.configureIpExtractor(&c); err != nil {
@@ -197,7 +194,11 @@ func (w *EchoWrapper) Configure(c EchoConfig) (err error) {
        w.configureCORS(&c)
        w.configureCSP(&c)
        w.configureServerHeader(&c)
+        // These all depend on w.netboxIpFilter
+        w.configureNetboxIpFilter(&c)
        w.configurePrometheus(&c)
+        w.configurePprof(&c)
        return nil
 }
@@ -404,19 +405,21 @@ func (w *EchoWrapper) configureServerHeader(c *EchoConfig) {
        }
 }
-func (w *EchoWrapper) configurePrometheus(c *EchoConfig) {
+func (w *EchoWrapper) configureNetboxIpFilter(c *EchoConfig) {
-        if !c.DisablePrometheus && c.NetboxClient != nil {
+        // TODO: Should constrain this by site probably but monitoring happens
-                // TODO: Should constrain this by site probably but monitoring happens
+        // across sites so those prefixes need to be included
-                // across sites so those prefixes need to be included
+        w.netboxIpFilter = &glmw.NetboxIPFilter{
-                f := &glmw.NetboxIPFilter{
+                NetboxClient:     c.NetboxClient,
-                        NetboxClient:     c.NetboxClient,
+                Tag:              "management",
-                        Tag:              "management",
+                IncludeLocalhost: true,
-                        IncludeLocalhost: true,
+                Logger:           w.Logger,
-                        Logger:           w.Logger,
+        }
-                }
+        w.runner.AddInitJob(w.netboxIpFilter.Init)
-                w.runner.AddInitJob(f.Init)
+        w.runner.AddJob(w.netboxIpFilter.RunRefresh)
-                w.runner.AddJob(f.RunRefresh)
+}
+func (w *EchoWrapper) configurePrometheus(c *EchoConfig) {
+        if !c.DisablePrometheus && w.netboxIpFilter != nil {
                var prom *prometheus.Prometheus
                if c.PrometheusConfig != nil {
                        prom = prometheus.NewPrometheusWithConfig(c.PrometheusConfig)
@@ -425,6 +428,16 @@ func (w *EchoWrapper) configurePrometheus(c *EchoConfig) {
                }
                w.Use(prom.MiddlewareHandler)
-                w.GET(prom.Config.MetricsPath, prom.MetricsHandler, f.Middleware)
+                w.GET(prom.Config.MetricsPath, prom.MetricsHandler, w.netboxIpFilter.Middleware)
+        }
+}
+func (w *EchoWrapper) configurePprof(c *EchoConfig) {
+        if (w.Debug || c.EnableTrace) && w.netboxIpFilter != nil {
+                glmw.RegisterPprofWithConfig(
+                        w.Echo,
+                        glmw.DefaultPprofConfig,
+                        w.netboxIpFilter.Middleware,
+                )
        }
 }
diff --git a/echo/middleware/pprof.go b/echo/middleware/pprof.go
index cc69505..8c7fe1b 100644
--- a/echo/middleware/pprof.go
+++ b/echo/middleware/pprof.go
@@ -5,28 +5,45 @@ import (
        "net/http/pprof"
        "github.com/labstack/echo/v4"
+        "github.com/labstack/echo/v4/middleware"
 )
-func RegisterPprof(e *echo.Echo, prefixOptions ...string) {
+type PprofConfig struct {
-        prefix := "/debug/pprof"
+        Skipper middleware.Skipper
-        if len(prefixOptions) > 0 {
+        Prefix  string
-                prefix = prefixOptions[0]
+}
+var DefaultPprofConfig = PprofConfig{
+        Skipper: middleware.DefaultSkipper,
+        Prefix:  "/debug/pprof",
+}
+func RegisterPprof(e *echo.Echo) {
+        RegisterPprofWithConfig(e, DefaultPprofConfig)
+}
+func RegisterPprofWithConfig(e *echo.Echo, config PprofConfig, mw ...echo.MiddlewareFunc) {
+        if config.Skipper == nil {
+                config.Skipper = DefaultPprofConfig.Skipper
+        }
+        if config.Prefix == "" {
+                config.Prefix = DefaultPprofConfig.Prefix
        }
-        prefixRouter := e.Group(prefix)
+        g := e.Group(config.Prefix)
        {
-                prefixRouter.GET("/", pprofAdapter(pprof.Index))
+                g.GET("/", pprofAdapter(pprof.Index), mw...)
-                prefixRouter.GET("/allocs", pprofAdapter(pprof.Handler("allocs").ServeHTTP))
+                g.GET("/allocs", pprofAdapter(pprof.Handler("allocs").ServeHTTP), mw...)
-                prefixRouter.GET("/block", pprofAdapter(pprof.Handler("block").ServeHTTP))
+                g.GET("/block", pprofAdapter(pprof.Handler("block").ServeHTTP), mw...)
-                prefixRouter.GET("/cmdline", pprofAdapter(pprof.Cmdline))
+                g.GET("/cmdline", pprofAdapter(pprof.Cmdline), mw...)
-                prefixRouter.GET("/goroutine", pprofAdapter(pprof.Handler("goroutine").ServeHTTP))
+                g.GET("/goroutine", pprofAdapter(pprof.Handler("goroutine").ServeHTTP), mw...)
-                prefixRouter.GET("/heap", pprofAdapter(pprof.Handler("heap").ServeHTTP))
+                g.GET("/heap", pprofAdapter(pprof.Handler("heap").ServeHTTP), mw...)
-                prefixRouter.GET("/mutex", pprofAdapter(pprof.Handler("mutex").ServeHTTP))
+                g.GET("/mutex", pprofAdapter(pprof.Handler("mutex").ServeHTTP), mw...)
-                prefixRouter.GET("/profile", pprofAdapter(pprof.Profile))
+                g.GET("/profile", pprofAdapter(pprof.Profile), mw...)
-                prefixRouter.POST("/symbol", pprofAdapter(pprof.Symbol))
+                g.POST("/symbol", pprofAdapter(pprof.Symbol), mw...)
-                prefixRouter.GET("/symbol", pprofAdapter(pprof.Symbol))
+                g.GET("/symbol", pprofAdapter(pprof.Symbol), mw...)
-                prefixRouter.GET("/threadcreate", pprofAdapter(pprof.Handler("threadcreate").ServeHTTP))
+                g.GET("/threadcreate", pprofAdapter(pprof.Handler("threadcreate").ServeHTTP), mw...)
-                prefixRouter.GET("/trace", pprofAdapter(pprof.Trace))
+                g.GET("/trace", pprofAdapter(pprof.Trace), mw...)
        }
 }
author	Mike Crute <mike@crute.us>	2023-11-12 11:09:11 -0800
committer	Mike Crute <mike@crute.us>	2023-11-12 11:09:11 -0800
commit	c9878e6aa081869ad5b711e15cb4cb561a44dab6 (patch)
tree	2b57194887510a265005c84b135f90e79f7515da
parent	aaebdc0a79968e68ab24dc1a98fa45607d74f30c (diff)
download	golib-c9878e6aa081869ad5b711e15cb4cb561a44dab6.tar.bz2 golib-c9878e6aa081869ad5b711e15cb4cb561a44dab6.tar.xz golib-c9878e6aa081869ad5b711e15cb4cb561a44dab6.zip