haveapi-go-client 0.27.3 → 0.28.1

data/template/request.go.erb

@@ -3,17 +3,180 @@ package <%= package %>
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"io/ioutil"
 	"net/http"
+	"net/url"
+	"strings"
 )
 
+func (client *Client) actionURL(path string) (string, error) {
+	if !strings.HasPrefix(path, "/") || strings.HasPrefix(path, "//") {
+		return "", fmt.Errorf("unsafe API action path %q", path)
+	}
+
+	ref, err := url.Parse(path)
+	if err != nil {
+		return "", err
+	}
+
+	if ref.IsAbs() || ref.Host != "" || ref.User != nil {
+		return "", fmt.Errorf("unsafe API action path %q", path)
+	}
+
+	return client.sameOriginURL(client.Url + path)
+}
+
+func (client *Client) descriptionURL(rawURL string) (string, error) {
+	return client.descriptionURLWithTrustedOrigins(rawURL, nil)
+}
+
+func (client *Client) oauth2DescriptionURL(rawURL string) (string, error) {
+	return client.descriptionURLWithTrustedOrigins(rawURL, client.oauth2TrustedOrigins)
+}
+
+// AllowOAuth2Origin permits OAuth2 endpoints from an additional trusted origin.
+func (client *Client) AllowOAuth2Origin(rawOrigin string) error {
+	origin, err := parseTrustedOrigin(rawOrigin)
+	if err != nil {
+		return err
+	}
+
+	if client.oauth2TrustedOrigins == nil {
+		client.oauth2TrustedOrigins = make(map[string]struct{})
+	}
+
+	client.oauth2TrustedOrigins[origin] = struct{}{}
+	return nil
+}
+
+func (client *Client) descriptionURLWithTrustedOrigins(rawURL string, trustedOrigins map[string]struct{}) (string, error) {
+	base, err := client.parsedBaseURL()
+	if err != nil {
+		return "", err
+	}
+
+	ref, err := url.Parse(rawURL)
+	if err != nil {
+		return "", err
+	}
+
+	if ref.User != nil {
+		return "", fmt.Errorf("unsafe API description URL %q", rawURL)
+	}
+
+	if ref.Host != "" && ref.Scheme == "" {
+		return "", fmt.Errorf("unsafe API description URL %q", rawURL)
+	}
+
+	resolved := base.ResolveReference(ref)
+	if !sameOrigin(base, resolved) && !originAllowed(resolved, trustedOrigins) {
+		return "", fmt.Errorf("API description URL %q is outside client origin", rawURL)
+	}
+
+	return resolved.String(), nil
+}
+
+func (client *Client) sameOriginURL(rawURL string) (string, error) {
+	base, err := client.parsedBaseURL()
+	if err != nil {
+		return "", err
+	}
+
+	resolved, err := url.Parse(rawURL)
+	if err != nil {
+		return "", err
+	}
+
+	if !sameOrigin(base, resolved) {
+		return "", fmt.Errorf("request URL %q is outside client origin", rawURL)
+	}
+
+	return resolved.String(), nil
+}
+
+func (client *Client) parsedBaseURL() (*url.URL, error) {
+	base, err := url.Parse(client.Url)
+	if err != nil {
+		return nil, err
+	}
+
+	if base.Scheme == "" || base.Host == "" {
+		return nil, fmt.Errorf("invalid client URL %q", client.Url)
+	}
+
+	return base, nil
+}
+
+func sameOrigin(a *url.URL, b *url.URL) bool {
+	return strings.EqualFold(a.Scheme, b.Scheme) &&
+		strings.EqualFold(a.Hostname(), b.Hostname()) &&
+		originPort(a) == originPort(b)
+}
+
+func originAllowed(u *url.URL, trustedOrigins map[string]struct{}) bool {
+	if len(trustedOrigins) == 0 {
+		return false
+	}
+
+	_, ok := trustedOrigins[originKey(u)]
+	return ok
+}
+
+func parseTrustedOrigin(rawOrigin string) (string, error) {
+	if rawOrigin == "" || strings.ContainsAny(rawOrigin, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\v\f\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f \x7f\\") {
+		return "", fmt.Errorf("invalid trusted OAuth2 origin %q", rawOrigin)
+	}
+
+	parsed, err := url.Parse(rawOrigin)
+	if err != nil {
+		return "", err
+	}
+
+	if parsed.Scheme == "" || parsed.Host == "" || parsed.User != nil ||
+		(parsed.Path != "" && parsed.Path != "/") ||
+		parsed.RawQuery != "" || parsed.Fragment != "" {
+		return "", fmt.Errorf("invalid trusted OAuth2 origin %q", rawOrigin)
+	}
+
+	return originKey(parsed), nil
+}
+
+func originKey(u *url.URL) string {
+	host := strings.ToLower(u.Hostname())
+	if strings.Contains(host, ":") {
+		host = "[" + host + "]"
+	}
+
+	return strings.ToLower(u.Scheme) + "://" + host + ":" + originPort(u)
+}
+
+func originPort(u *url.URL) string {
+	port := u.Port()
+	if port != "" {
+		return port
+	}
+
+	switch strings.ToLower(u.Scheme) {
+	case "http":
+		return "80"
+	case "https":
+		return "443"
+	default:
+		return ""
+	}
+}
+
 // DoQueryStringRequests makes a HTTP requests in which input parameters are
 // sent as query parameters.
 func (client *Client) DoQueryStringRequest(path string, queryParams map[string]string, output interface{}) error {
-	httpClient := &http.Client{}
-	url := client.Url + path
+	requestURL, err := client.actionURL(path)
+
+	if err != nil {
+		return err
+	}
 
-	req, err := http.NewRequest("GET", url, nil)
+	req, err := http.NewRequest("GET", requestURL, nil)
 
 	if err != nil {
 		return err
@@ -31,7 +194,7 @@ func (client *Client) DoQueryStringRequest(path string, queryParams map[string]s
 
 	req.URL.RawQuery = q.Encode()
 
-	resp, err := httpClient.Do(req)
+	resp, err := client.do(req)
 
 	if err != nil {
 		return err
@@ -54,8 +217,7 @@ func (client *Client) DoQueryStringRequest(path string, queryParams map[string]s
 // DoBodyRequest makes a HTTP requests in which the input parameters are sent
 // within the request body, encoded in JSON.
 func (client *Client) DoBodyRequest(method string, path string, params interface{}, output interface{}) error {
-	httpClient := &http.Client{}
-	url := client.Url + path
+	requestURL, err := client.actionURL(path)
 
 	jsonData, err := json.Marshal(params)
 
@@ -63,7 +225,7 @@ func (client *Client) DoBodyRequest(method string, path string, params interface
 		return err
 	}
 
-	req, err := http.NewRequest(method, url, bytes.NewBuffer(jsonData))
+	req, err := http.NewRequest(method, requestURL, bytes.NewBuffer(jsonData))
 
 	if err != nil {
 		return err
@@ -75,7 +237,7 @@ func (client *Client) DoBodyRequest(method string, path string, params interface
 		client.Authentication.Authenticate(req)
 	}
 
-	resp, err := httpClient.Do(req)
+	resp, err := client.do(req)
 
 	if err != nil {
 		return err

data/template/resource.go.erb

@@ -1,17 +1,17 @@
 package <%= package %>
 
-// Type for resource <%= resource.full_dot_name %>
+// Type for resource <%= go_comment_text(resource.full_dot_name) %>
 type <%= resource.go_type %> struct {
 	// Pointer to client
 	Client *Client
 
 <% resource.resources.each do |r| -%>
-	// Resource <%= r.full_dot_name %>
+	// Resource <%= go_comment_text(r.full_dot_name) %>
 	<%= r.go_name %> *<%= r.go_type %>
 <% end -%>
 <% resource.actions.each do |a| -%>
 <% a.all_names do |go_name| -%>
-	// Action <%= a.full_dot_name %>
+	// Action <%= go_comment_text(a.full_dot_name) %>
 	<%= go_name %> *<%= a.go_type %>
 <% end -%>
 <% end -%>

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: haveapi-go-client
 version: !ruby/object:Gem::Version
-  version: 0.27.3
+  version: 0.28.1
 platform: ruby
 authors:
 - Jakub Skokan
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.27.3
+        version: 0.28.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.27.3
+        version: 0.28.1
 description: Go client generator
 email:
 - jakub.skokan@vpsfree.cz
@@ -60,7 +60,6 @@ files:
 - lib/haveapi/go_client/resource.rb
 - lib/haveapi/go_client/utils.rb
 - lib/haveapi/go_client/version.rb
-- shell.nix
 - spec/integration/generator_spec.rb
 - spec/spec_helper.rb
 - spec/support/test_server.rb

data/shell.nix

@@ -1,23 +0,0 @@
-let
-  pkgs = import <nixpkgs> {};
-  stdenv = pkgs.stdenv;
-
-in stdenv.mkDerivation rec {
-  name = "haveapi-go-client";
-
-  buildInputs = with pkgs;[
-    git
-    go
-    gotools
-    openssl
-    ruby_3_3
-  ];
-
-  shellHook = ''
-    export GEM_HOME=$(pwd)/.gems
-    export PATH="$GEM_HOME/.gems/bin:$PATH"
-    gem install bundler
-    bundler install
-    export RUBYOPT=-rbundler/setup
-  '';
-}