refactor(serverHandler): refine restrict access

- remove cache flag `restrictAccess`
- add `Vary` header only when restrict access
- filter restrict access data that only match current alias handler

Author: marjune163

src/param/helper.go

@@ -80,22 +80,8 @@ func dedupPathValues(inputs []string) []string {
 		return inputs
 	}
 
-	values := inputs[1:]
-	endIndex := 1
-eachValue:
-	for i, length := 1, len(values); i < length; i++ {
-		for j := 0; j < endIndex; j++ {
-			if values[i] == values[j] {
-				continue eachValue
-			}
-		}
-		if endIndex != i {
-			values[endIndex] = values[i]
-		}
-		endIndex++
-	}
-
-	return inputs[:1+endIndex]
+	values := util.InPlaceDedup(inputs[1:])
+	return inputs[:1+len(values)]
 }
 
 func dedupAllPathValues(inputs [][]string) {

src/param/main.go

@@ -136,6 +136,7 @@ func (param *Param) normalize() (errs []error) {
 	// global restrict access, nil to disable, non-nil to enable with allowed hosts
 	if param.GlobalRestrictAccess != nil {
 		param.GlobalRestrictAccess = util.ExtractHostsFromUrls(param.GlobalRestrictAccess)
+		param.GlobalRestrictAccess = util.InPlaceDedup(param.GlobalRestrictAccess)
 	}
 
 	// restrict access

src/serverHandler/aliasHandler.go

@@ -6,6 +6,7 @@ import (
 	"mjpclab.dev/ghfs/src/serverLog"
 	"mjpclab.dev/ghfs/src/tpl/theme"
 	"mjpclab.dev/ghfs/src/user"
+	"mjpclab.dev/ghfs/src/util"
 	"net/http"
 	"regexp"
 	"strconv"
@@ -14,8 +15,6 @@ import (
 
 var defaultHandler = http.NotFoundHandler()
 
-type prefixFilter func(whole, prefix string) bool
-
 type aliasHandler struct {
 	alias
 
@@ -45,10 +44,9 @@ type aliasHandler struct {
 	authUrls   []string
 	authDirs   []string
 
-	restrictAccess       bool
 	globalRestrictAccess []string
-	restrictAccessUrls   []pathStrings
-	restrictAccessDirs   []pathStrings
+	restrictAccessUrls   pathStringsList
+	restrictAccessDirs   pathStringsList
 
 	globalHeaders [][2]string
 	headersUrls   []pathHeaders
@@ -114,7 +112,7 @@ func (h *aliasHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	if !session.allowAccess {
 		if !h.applyMiddlewares(h.postMiddlewares, w, r, session, data) {
-			h.page(w, r, data)
+			h.page(w, r, session, data)
 		}
 		return
 	}
@@ -174,7 +172,7 @@ func (h *aliasHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	} else if shouldServeAsContent(session.file, data.Item) {
 		h.content(w, r, session, data)
 	} else {
-		h.page(w, r, data)
+		h.page(w, r, session, data)
 	}
 }
 
@@ -186,6 +184,11 @@ func newAliasHandler(
 ) *aliasHandler {
 	emptyRoot := p.EmptyRoot && currentAlias.url == "/"
 
+	globalRestrictAccess := p.GlobalRestrictAccess
+	globalRestrictAccess = vhostCtx.restrictAccessUrls.mergePrefixMatched(globalRestrictAccess, util.HasUrlPrefixDir, currentAlias.url)
+	globalRestrictAccess = vhostCtx.restrictAccessDirs.mergePrefixMatched(globalRestrictAccess, util.HasFsPrefixDir, currentAlias.fs)
+	globalRestrictAccess = util.InPlaceDedup(globalRestrictAccess)
+
 	h := &aliasHandler{
 		alias:        currentAlias,
 		emptyRoot:    emptyRoot,
@@ -207,10 +210,9 @@ func newAliasHandler(
 		authUrls:   p.AuthUrls,
 		authDirs:   p.AuthDirs,
 
-		restrictAccess:       vhostCtx.restrictAccess,
-		globalRestrictAccess: p.GlobalRestrictAccess,
-		restrictAccessUrls:   vhostCtx.restrictAccessUrls,
-		restrictAccessDirs:   vhostCtx.restrictAccessDirs,
+		globalRestrictAccess: globalRestrictAccess,
+		restrictAccessUrls:   vhostCtx.restrictAccessUrls.filterSuccessor(util.HasUrlPrefixDir, currentAlias.url),
+		restrictAccessDirs:   vhostCtx.restrictAccessDirs.filterSuccessor(util.HasFsPrefixDir, currentAlias.fs),
 
 		globalHeaders: p.GlobalHeaders,
 		headersUrls:   vhostCtx.headersUrls,

src/serverHandler/content.go

@@ -7,7 +7,7 @@ import (
 
 func (h *aliasHandler) content(w http.ResponseWriter, r *http.Request, session *sessionContext, data *responseData) {
 	header := w.Header()
-	header.Set("Vary", h.vary)
+	header.Set("Vary", session.vary)
 	header.Set("X-Content-Type-Options", "nosniff")
 	if data.IsDownload {
 		header.Set("Content-Disposition", "attachment; filename*=UTF-8''"+url.PathEscape(data.ItemName))

src/serverHandler/page.go

@@ -62,9 +62,9 @@ func updateTranslation(r *http.Request, data *responseData) {
 	data.Trans = i18n.Dictionaries[index].Trans
 }
 
-func (h *aliasHandler) page(w http.ResponseWriter, r *http.Request, data *responseData) {
+func (h *aliasHandler) page(w http.ResponseWriter, r *http.Request, session *sessionContext, data *responseData) {
 	header := w.Header()
-	header.Set("Vary", h.vary)
+	header.Set("Vary", session.vary)
 	header.Set("X-Content-Type-Options", "nosniff")
 	header.Set("Content-Type", "text/html; charset=utf-8")
 	if lacksHeader(header, "Cache-Control") {

src/serverHandler/pathValues.go

@@ -0,0 +1,53 @@
+package serverHandler
+
+// prefixFilter
+
+type prefixFilter func(whole, prefix string) bool
+
+// pathStrings
+
+type pathStrings struct {
+	path    string
+	strings []string
+}
+
+type pathStringsList []pathStrings
+
+func (list pathStringsList) mergePrefixMatched(mergeWith []string, matchPrefix prefixFilter, refPath string) []string {
+	var result []string
+	if mergeWith != nil {
+		result = make([]string, len(mergeWith))
+		copy(result, mergeWith)
+	}
+
+	for i := range list {
+		if matchPrefix(refPath, list[i].path) {
+			if result == nil {
+				result = []string{}
+			}
+			result = append(result, list[i].strings...)
+		}
+	}
+
+	if mergeWith != nil && len(mergeWith) == len(result) {
+		return mergeWith
+	} else {
+		return result
+	}
+}
+
+func (list pathStringsList) filterSuccessor(matchPrefix prefixFilter, refPath string) pathStringsList {
+	var result pathStringsList
+
+	for i := range list {
+		if len(list[i].path) > len(refPath) && matchPrefix(list[i].path, refPath) {
+			result = append(result, list[i])
+		}
+	}
+
+	if len(list) == len(result) {
+		return list
+	} else {
+		return result
+	}
+}

src/serverHandler/pathValues_test.go

@@ -0,0 +1,34 @@
+package serverHandler
+
+import (
+	"mjpclab.dev/ghfs/src/util"
+	"testing"
+)
+
+func TestPathStrings(t *testing.T) {
+	ps := pathStringsList{
+		{"/a", []string{"a"}},
+		{"/a/b", []string{"ab"}},
+		{"/a/b/c", []string{"abc"}},
+		{"/foo/bar", []string{"foobar"}},
+	}
+
+	mergeWith := []string{"/xxx", "/yyy"}
+	merged := ps.mergePrefixMatched(mergeWith, util.HasUrlPrefixDir, "/a/b")
+	if len(mergeWith) != 2 {
+		t.Error()
+	}
+	if len(merged) != 4 || merged[2] != "a" || merged[3] != "ab" {
+		t.Error(merged)
+	}
+
+	merged = ps.mergePrefixMatched(nil, util.HasUrlPrefixDir, "/lorem/ipsum")
+	if merged != nil {
+		t.Error(merged)
+	}
+
+	successors := ps.filterSuccessor(util.HasUrlPrefixDir, "/a/b")
+	if len(successors) != 1 || successors[0].path != "/a/b/c" {
+		t.Error(successors)
+	}
+}

src/serverHandler/restrictAccess.go

@@ -20,13 +20,9 @@ func newRestrictAccesses(pathHostsList [][]string) []pathStrings {
 	return restricts
 }
 
-func hasRestrictAccess(globalRestrictAccesses []string, restrictAccessUrls, restrictAccessDirs []pathStrings) bool {
-	return globalRestrictAccesses != nil || len(restrictAccessUrls) > 0 || len(restrictAccessDirs) > 0
-}
-
-func (h *aliasHandler) isAllowAccess(r *http.Request, reqUrlPath, reqFsPath string, file *os.File, item os.FileInfo) bool {
-	if !h.restrictAccess {
-		return true
+func (h *aliasHandler) isAllowAccess(r *http.Request, reqUrlPath, reqFsPath string, file *os.File, item os.FileInfo) (restrict, allow bool) {
+	if h.globalRestrictAccess == nil && len(h.restrictAccessUrls) == 0 && len(h.restrictAccessDirs) == 0 {
+		return false, true
 	}
 
 	reqHeader := r.Header
@@ -36,17 +32,17 @@ func (h *aliasHandler) isAllowAccess(r *http.Request, reqUrlPath, reqFsPath stri
 	}
 
 	if len(sourceHost) == 0 && !shouldServeAsContent(file, item) {
-		return true
+		return true, true
 	}
 
 	sourceHost = util.ExtractHostFromUrl(sourceHost)
 	selfHost := strings.ToLower(r.Host)
 	if sourceHost == selfHost {
-		return true
+		return true, true
 	}
 
 	if util.Contains(h.globalRestrictAccess, sourceHost) {
-		return true
+		return true, true
 	}
 
 	urlMatched := false
@@ -56,7 +52,7 @@ func (h *aliasHandler) isAllowAccess(r *http.Request, reqUrlPath, reqFsPath stri
 		}
 		urlMatched = true
 		if util.Contains(h.restrictAccessUrls[i].strings, sourceHost) {
-			return true
+			return true, true
 		}
 	}
 
@@ -67,13 +63,13 @@ func (h *aliasHandler) isAllowAccess(r *http.Request, reqUrlPath, reqFsPath stri
 		}
 		dirMatched = true
 		if util.Contains(h.restrictAccessDirs[i].strings, sourceHost) {
-			return true
+			return true, true
 		}
 	}
 
 	if h.globalRestrictAccess == nil && !urlMatched && !dirMatched {
-		return true
+		return true, true
 	}
 
-	return false
+	return true, false
 }

src/serverHandler/sessionData.go

@@ -48,10 +48,12 @@ type sessionContext struct {
 	authSuccess  bool
 
 	redirectAction redirectAction
+	vary           string
+	headers        [][2]string
 
-	headers  [][2]string
 	wantJson bool
-	file     *os.File
+
+	file *os.File
 
 	errors []error
 }
@@ -406,7 +408,11 @@ func (h *aliasHandler) getSessionData(r *http.Request) (session *sessionContext,
 		}
 	}
 
-	allowAccess := h.isAllowAccess(r, vhostReqPath, fsPath, file, item)
+	restrictAccess, allowAccess := h.isAllowAccess(r, vhostReqPath, fsPath, file, item)
+	vary := h.vary
+	if restrictAccess {
+		vary += ", referer, origin"
+	}
 	if !allowAccess {
 		status = http.StatusForbidden
 	}
@@ -467,17 +473,19 @@ func (h *aliasHandler) getSessionData(r *http.Request) (session *sessionContext,
 
 		allowAccess: allowAccess,
 
-		redirectAction: redirectAction,
-
 		needAuth:     needAuth,
 		requestAuth:  requestAuth,
 		authUserId:   authUserId,
 		authUserName: authUserName,
 		authSuccess:  authSuccess,
 
-		headers:  headers,
+		redirectAction: redirectAction,
+		vary:           vary,
+		headers:        headers,
+
 		wantJson: wantJson,
-		file:     file,
+
+		file: file,
 
 		errors: errs,
 	}

src/serverHandler/vhostHandler.go

@@ -22,9 +22,8 @@ type vhostContext struct {
 	hideDirs  *regexp.Regexp
 	hideFiles *regexp.Regexp
 
-	restrictAccess     bool
-	restrictAccessUrls []pathStrings
-	restrictAccessDirs []pathStrings
+	restrictAccessUrls pathStringsList
+	restrictAccessDirs pathStringsList
 
 	headersUrls []pathHeaders
 	headersDirs []pathHeaders
@@ -79,13 +78,9 @@ func NewVhostHandler(
 	// restrict access
 	restrictAccessUrls := newRestrictAccesses(p.RestrictAccessUrls)
 	restrictAccessDirs := newRestrictAccesses(p.RestrictAccessDirs)
-	restrictAccess := hasRestrictAccess(p.GlobalRestrictAccess, restrictAccessUrls, restrictAccessDirs)
 
 	// `Vary` header
 	vary := "accept-encoding"
-	if restrictAccess {
-		vary += ", referer, origin"
-	}
 
 	// alias param
 	vhostCtx := &vhostContext{
@@ -100,7 +95,6 @@ func NewVhostHandler(
 		hideDirs:  hideDirs,
 		hideFiles: hideFiles,
 
-		restrictAccess:     restrictAccess,
 		restrictAccessUrls: restrictAccessUrls,
 		restrictAccessDirs: restrictAccessDirs,