|
| 1 | +package handler |
| 2 | + |
| 3 | +import ( |
| 4 | + "fmt" |
| 5 | + "io" |
| 6 | + "net/http" |
| 7 | + "net/http/httputil" |
| 8 | + "net/textproto" |
| 9 | + "net/url" |
| 10 | + "time" |
| 11 | + |
| 12 | + "github.com/gin-gonic/gin" |
| 13 | + "github.com/utmstack/utmstack/backend/modules/threatintel/internal" |
| 14 | +) |
| 15 | + |
| 16 | +// ReverseProxyHandler creates a reverse proxy that maps a local route to a CM proxy target. |
| 17 | +type ReverseProxyHandler struct { |
| 18 | + targetPath string |
| 19 | +} |
| 20 | + |
| 21 | +// NewReverseProxyHandler creates a handler for a specific route mapping. |
| 22 | +func NewReverseProxyHandler(targetPath string) *ReverseProxyHandler { |
| 23 | + return &ReverseProxyHandler{targetPath: targetPath} |
| 24 | +} |
| 25 | + |
| 26 | +// Handle is the Gin handler that proxies the request. |
| 27 | +func (h *ReverseProxyHandler) Handle(c *gin.Context) { |
| 28 | + cfg := internal.Get() |
| 29 | + if cfg == nil || cfg.Server == "" || cfg.InstanceID == "" || cfg.InstanceKey == "" { |
| 30 | + c.JSON(http.StatusServiceUnavailable, gin.H{"error": "instance not configured"}) |
| 31 | + return |
| 32 | + } |
| 33 | + |
| 34 | + targetURL, err := url.Parse(cfg.Server) |
| 35 | + if err != nil { |
| 36 | + c.JSON(http.StatusServiceUnavailable, gin.H{"error": "invalid CM server URL"}) |
| 37 | + return |
| 38 | + } |
| 39 | + |
| 40 | + // Create reverse proxy with custom director |
| 41 | + proxy := &httputil.ReverseProxy{ |
| 42 | + Director: h.directorFunc(cfg, targetURL), |
| 43 | + ErrorHandler: func(w http.ResponseWriter, r *http.Request, err error) { |
| 44 | + w.Header().Set("Content-Type", "application/json") |
| 45 | + w.WriteHeader(http.StatusBadGateway) |
| 46 | + w.Write([]byte(`{"error":"upstream service error"}`)) |
| 47 | + }, |
| 48 | + } |
| 49 | + |
| 50 | + proxy.ServeHTTP(c.Writer, c.Request) |
| 51 | +} |
| 52 | + |
| 53 | +// directorFunc returns a Director function that rewrites the request. |
| 54 | +func (h *ReverseProxyHandler) directorFunc(cfg *internal.InstanceConfig, targetURL *url.URL) func(*http.Request) { |
| 55 | + return func(req *http.Request) { |
| 56 | + // Set scheme and host from CM proxy |
| 57 | + req.URL.Scheme = targetURL.Scheme |
| 58 | + req.URL.Host = targetURL.Host |
| 59 | + |
| 60 | + // Rewrite path to the target on CM proxy |
| 61 | + req.URL.Path = h.targetPath |
| 62 | + // Preserve query string (already in req.URL.RawQuery) |
| 63 | + |
| 64 | + req.RequestURI = "" // must be cleared for the reverse proxy |
| 65 | + req.Host = targetURL.Host |
| 66 | + |
| 67 | + // Clear auth headers |
| 68 | + req.Header.Del("Authorization") |
| 69 | + req.Header.Del("id") |
| 70 | + req.Header.Del("key") |
| 71 | + |
| 72 | + // Set instance credentials |
| 73 | + req.Header.Set("id", cfg.InstanceID) |
| 74 | + req.Header.Set("key", cfg.InstanceKey) |
| 75 | + } |
| 76 | +} |
| 77 | + |
| 78 | +// HandleUsageEndpoint is a special handler for the /usage endpoint which has a different prefix structure. |
| 79 | +func (h *ReverseProxyHandler) HandleUsageEndpoint(c *gin.Context) { |
| 80 | + cfg := internal.Get() |
| 81 | + if cfg == nil || cfg.Server == "" || cfg.InstanceID == "" || cfg.InstanceKey == "" { |
| 82 | + c.JSON(http.StatusServiceUnavailable, gin.H{"error": "instance not configured"}) |
| 83 | + return |
| 84 | + } |
| 85 | + |
| 86 | + // Build the full target URL for usage endpoint (no /proxy/api prefix, just /proxy/usage) |
| 87 | + fullURL := fmt.Sprintf("%s%s", cfg.Server, h.targetPath) |
| 88 | + targetURL, err := url.Parse(fullURL) |
| 89 | + if err != nil { |
| 90 | + c.JSON(http.StatusServiceUnavailable, gin.H{"error": "invalid target URL"}) |
| 91 | + return |
| 92 | + } |
| 93 | + |
| 94 | + // Create and execute the request |
| 95 | + req, err := http.NewRequestWithContext(c.Request.Context(), c.Request.Method, targetURL.String(), c.Request.Body) |
| 96 | + if err != nil { |
| 97 | + c.JSON(http.StatusServiceUnavailable, gin.H{"error": "failed to create request"}) |
| 98 | + return |
| 99 | + } |
| 100 | + |
| 101 | + allowed := map[string]struct{}{ |
| 102 | + "Accept": {}, |
| 103 | + "Content-Type": {}, |
| 104 | + "User-Agent": {}, |
| 105 | + "X-Request-Id": {}, |
| 106 | + "X-Correlation-Id": {}, |
| 107 | + } |
| 108 | + |
| 109 | + // Copy headers |
| 110 | + for k, values := range c.Request.Header { |
| 111 | + canonical := textproto.CanonicalMIMEHeaderKey(k) |
| 112 | + if _, ok := allowed[canonical]; ok { |
| 113 | + for _, v := range values { |
| 114 | + req.Header.Add(canonical, v) |
| 115 | + } |
| 116 | + } |
| 117 | + } |
| 118 | + |
| 119 | + // Set instance credentials |
| 120 | + req.Header.Set("id", cfg.InstanceID) |
| 121 | + req.Header.Set("key", cfg.InstanceKey) |
| 122 | + |
| 123 | + // Execute request |
| 124 | + client := &http.Client{ |
| 125 | + Timeout: 20* time.Second, |
| 126 | + } |
| 127 | + resp, err := client.Do(req) |
| 128 | + if err != nil { |
| 129 | + c.JSON(http.StatusBadGateway, gin.H{"error": "upstream service error"}) |
| 130 | + return |
| 131 | + } |
| 132 | + defer resp.Body.Close() |
| 133 | + |
| 134 | + // Copy response |
| 135 | + for k, v := range resp.Header { |
| 136 | + for _, vv := range v { |
| 137 | + c.Header(k, vv) |
| 138 | + } |
| 139 | + } |
| 140 | + c.Status(resp.StatusCode) |
| 141 | + io.Copy(c.Writer, resp.Body) |
| 142 | +} |
0 commit comments