mirror of
https://github.com/coder/coder.git
synced 2026-06-03 04:58:23 +00:00
ケイラ
42 lines
1.6 KiB
Go
42 lines
1.6 KiB
Go
//go:build !slim
|
|
|
|
package httpapi
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
|
|
"github.com/coder/coder/v2/coderd/rbac"
|
|
)
|
|
|
|
// The x-authz-checks header can end up being >10KB in size on certain queries.
|
|
// Many HTTP clients will fail if a header or the response head as a whole is
|
|
// too long to prevent malicious responses from consuming all of the client's
|
|
// memory. I've seen reports that browsers have this limit as low as 4KB for the
|
|
// entire response head, so we limit this header to a little less than 2KB,
|
|
// ensuring there's still plenty of room for the usual smaller headers.
|
|
const maxHeaderLength = 2000
|
|
|
|
// This is defined separately in slim builds to avoid importing the rbac
|
|
// package, which is a large dependency.
|
|
func SetAuthzCheckRecorderHeader(ctx context.Context, rw http.ResponseWriter) {
|
|
if rec, ok := rbac.GetAuthzCheckRecorder(ctx); ok {
|
|
// If you're here because you saw this header in a response, and you're
|
|
// trying to investigate the code, here are a couple of notable things
|
|
// for you to know:
|
|
// - If any of the checks are `false`, they might not represent the whole
|
|
// picture. There could be additional checks that weren't performed,
|
|
// because processing stopped after the failure.
|
|
// - The checks are recorded by the `authzRecorder` type, which is
|
|
// configured on server startup for development and testing builds.
|
|
// - If this header is missing from a response, make sure the response is
|
|
// being written by calling `httpapi.Write`!
|
|
checks := rec.String()
|
|
if len(checks) > maxHeaderLength {
|
|
checks = checks[:maxHeaderLength]
|
|
checks += "<truncated>"
|
|
}
|
|
rw.Header().Set("x-authz-checks", checks)
|
|
}
|
|
}
|