diff --git a/server/bindata.go b/server/bindata.go index bf3c03639259752681498fc2a8dff7a64584feee..7e9bbcceea385cad1ec65a89c5ae34a86407b9f2 100644 --- a/server/bindata.go +++ b/server/bindata.go @@ -74,7 +74,7 @@ func staticCssBootstrapMinCss() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "static/css/bootstrap.min.css", size: 140936, mode: os.FileMode(420), modTime: time.Unix(1560696660, 0)} + info := bindataFileInfo{name: "static/css/bootstrap.min.css", size: 140936, mode: os.FileMode(420), modTime: time.Unix(1550305824, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -147,7 +147,7 @@ func staticCssSigninCss() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "static/css/signin.css", size: 1009, mode: os.FileMode(420), modTime: time.Unix(1560696660, 0)} + info := bindataFileInfo{name: "static/css/signin.css", size: 1009, mode: os.FileMode(420), modTime: time.Unix(1535013418, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -170,7 +170,7 @@ func staticJsBootstrap413MinJs() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "static/js/bootstrap-4.1.3.min.js", size: 51039, mode: os.FileMode(420), modTime: time.Unix(1560696660, 0)} + info := bindataFileInfo{name: "static/js/bootstrap-4.1.3.min.js", size: 51039, mode: os.FileMode(420), modTime: time.Unix(1550305766, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -189,7 +189,7 @@ func staticJsJquery331MinJs() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "static/js/jquery-3.3.1.min.js", size: 86927, mode: os.FileMode(420), modTime: time.Unix(1560696660, 0)} + info := bindataFileInfo{name: "static/js/jquery-3.3.1.min.js", size: 86927, mode: os.FileMode(420), modTime: time.Unix(1516469204, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -243,7 +243,7 @@ func staticJsLogoutJs() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "static/js/logout.js", size: 1005, mode: os.FileMode(420), modTime: time.Unix(1560696660, 0)} + info := bindataFileInfo{name: "static/js/logout.js", size: 1005, mode: os.FileMode(420), modTime: time.Unix(1535013418, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -265,7 +265,7 @@ func staticJsPopper1143MinJs() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "static/js/popper-1.14.3.min.js", size: 20337, mode: os.FileMode(420), modTime: time.Unix(1560696660, 0)} + info := bindataFileInfo{name: "static/js/popper-1.14.3.min.js", size: 20337, mode: os.FileMode(420), modTime: time.Unix(1526549114, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -1030,7 +1030,7 @@ func staticJsU2fApiJs() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "static/js/u2f-api.js", size: 20880, mode: os.FileMode(420), modTime: time.Unix(1512325237, 0)} + info := bindataFileInfo{name: "static/js/u2f-api.js", size: 20880, mode: os.FileMode(420), modTime: time.Unix(1535013418, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -1099,7 +1099,7 @@ func staticJsU2fJs() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "static/js/u2f.js", size: 1274, mode: os.FileMode(420), modTime: time.Unix(1560696660, 0)} + info := bindataFileInfo{name: "static/js/u2f.js", size: 1274, mode: os.FileMode(420), modTime: time.Unix(1541228751, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -1154,7 +1154,7 @@ func templatesLogin_otpHtml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "templates/login_otp.html", size: 956, mode: os.FileMode(420), modTime: time.Unix(1561757406, 0)} + info := bindataFileInfo{name: "templates/login_otp.html", size: 956, mode: os.FileMode(420), modTime: time.Unix(1561884470, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -1225,7 +1225,7 @@ func templatesLogin_passwordHtml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "templates/login_password.html", size: 1432, mode: os.FileMode(420), modTime: time.Unix(1561757427, 0)} + info := bindataFileInfo{name: "templates/login_password.html", size: 1432, mode: os.FileMode(420), modTime: time.Unix(1561884470, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -1282,7 +1282,7 @@ func templatesLogin_u2fHtml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "templates/login_u2f.html", size: 908, mode: os.FileMode(420), modTime: time.Unix(1561757448, 0)} + info := bindataFileInfo{name: "templates/login_u2f.html", size: 908, mode: os.FileMode(420), modTime: time.Unix(1561884470, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -1342,7 +1342,7 @@ func templatesLogoutHtml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "templates/logout.html", size: 1063, mode: os.FileMode(420), modTime: time.Unix(1561757528, 0)} + info := bindataFileInfo{name: "templates/logout.html", size: 1063, mode: os.FileMode(420), modTime: time.Unix(1548600535, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -1353,8 +1353,8 @@ var _templatesPageHtml = []byte(`{{define "header"}} {{if .U2FSignRequest}}{{end}} - - + + {{if .SiteFavicon}}{{end}} {{if .SiteName}}{{.SiteName}} - {{end}}Sign In @@ -1366,15 +1366,15 @@ var _templatesPageHtml = []byte(`{{define "header"}} {{define "footer"}} - - - + + + {{if .U2FSignRequest}} - - + + {{end}} {{if .IncludeLogoutScripts}} - + {{end}} @@ -1391,7 +1391,7 @@ func templatesPageHtml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "templates/page.html", size: 1865, mode: os.FileMode(420), modTime: time.Unix(1561757493, 0)} + info := bindataFileInfo{name: "templates/page.html", size: 1476, mode: os.FileMode(420), modTime: time.Unix(1576422396, 0)} a := &asset{bytes: bytes, info: info} return a, nil } diff --git a/server/http.go b/server/http.go index f4412f1a9bb762ab1b90cb4cccb1b9cd1bef9587..cc299c23683548e6e0f71ebab900e77f1d385bf4 100644 --- a/server/http.go +++ b/server/http.go @@ -1,6 +1,6 @@ package server -//go:generate python sri.py templates/*.html +//go:generate go run scripts/sri.go --package server --output sri_map.go static //go:generate go-bindata --nocompress --pkg server static/... templates/... import ( @@ -362,6 +362,7 @@ func (h *Server) Handler() http.Handler { func parseEmbeddedTemplates() *template.Template { root := template.New("").Funcs(template.FuncMap{ "json": toJSON, + "SRI": sriIntegrity, }) files, err := AssetDir("templates") if err != nil { @@ -422,3 +423,13 @@ func intersectGroups(a, b []string) []string { } return out } + +// Return an integrity= attribute for the given URI (which should be +// supplied without an eventual prefix). +func sriIntegrity(uri string) template.HTML { + sri, ok := sriMap[uri] + if !ok { + return template.HTML("") + } + return template.HTML(fmt.Sprintf(" integrity=\"%s\"", sri)) +} diff --git a/server/scripts/sri.go b/server/scripts/sri.go new file mode 100644 index 0000000000000000000000000000000000000000..251ddddb768a534d2a4e09d27d751b8234a28bc0 --- /dev/null +++ b/server/scripts/sri.go @@ -0,0 +1,94 @@ +package main + +import ( + "crypto/sha512" + "encoding/base64" + "flag" + "fmt" + "io" + "io/ioutil" + "log" + "os" + "path/filepath" + "strings" +) + +var ( + outputPath = flag.String("output", "", "output `file` name") + packageName = flag.String("package", "", "`name` of the package for generated code") + stripPrefix = flag.String("strip", "", "prefix to strip from `path`s to generate URLs") +) + +func computeChecksum(path string) (string, error) { + data, err := ioutil.ReadFile(path) + if err != nil { + return "", err + } + sha := sha512.Sum384(data) + return "sha384-" + base64.StdEncoding.EncodeToString(sha[:]), nil +} + +func urlForPath(path string) string { + path = strings.TrimPrefix(path, *stripPrefix) + if !strings.HasPrefix(path, "/") { + path = "/" + path + } + return path +} + +func mkSRIMap(m map[string]string, dir string) error { + return filepath.Walk(dir, func(path string, info os.FileInfo, err error) error { + // Only match files with the desired extensions. + if info.IsDir() || !match(info.Name()) { + return nil + } + + if cksum, err := computeChecksum(path); err == nil { + m[urlForPath(path)] = cksum + } + return nil + }) +} + +func match(name string) bool { + switch filepath.Ext(name) { + case ".js", ".json", ".css": + return true + default: + return false + } +} + +// nolint: errcheck +func codegen(w io.Writer, m map[string]string) { + fmt.Fprintf(w, "package %s\n", *packageName) + io.WriteString(w, ` +var sriMap = map[string]string{ +`) + for k, v := range m { + fmt.Fprintf(w, "\t%q: %q,\n", k, v) + } + io.WriteString(w, "}\n") +} + +func main() { + log.SetFlags(0) + flag.Parse() + + m := make(map[string]string) + for _, path := range flag.Args() { + if err := mkSRIMap(m, path); err != nil { + log.Println(err) + } + } + + var w io.Writer = os.Stdout + if *outputPath != "" { + var err error + w, err = os.Create(*outputPath) + if err != nil { + log.Fatal(err) + } + } + codegen(w, m) +} diff --git a/server/sri.py b/server/sri.py deleted file mode 100755 index 725dd07c6a5ffdbdcd04743aa1d41289130d94f4..0000000000000000000000000000000000000000 --- a/server/sri.py +++ /dev/null @@ -1,54 +0,0 @@ -#!/usr/bin/python -# -# Automatically fix Subresource Integrity links in the HTML templates. -# -# Pass templates as command-line arguments. Expects to be run from the -# base resource directory. -# - -import glob -import re -import sys -from hashlib import sha384 - - -script_rx = re.compile(r'<(?:script|link rel="stylesheet")[^>]*(?:src|href)="(?:{{.URLPrefix}})?([^"]+)"[^>]*>') -integrity_rx = re.compile(r' +integrity="[^"]*"') - - -def compute_checksum(src): - if src[0] == '/': - src = src[1:] - with open(src) as fd: - return 'sha384-' + sha384(fd.read()).digest().encode('base64').strip() - - -def replace_checksum(m): - src = m.group(1) - checksum = compute_checksum(src) - - script = m.group(0) - script = integrity_rx.sub('', script) - script = '%s integrity="%s">' % (script[:-1], checksum) - - return script - - -def fix_sri(path): - with open(path) as fd: - data = fd.read() - result = script_rx.sub(replace_checksum, data) - if result != data: - print >>sys.stderr, 'updating %s' % path - with open(path, 'w') as fd: - fd.write(result) - - -if __name__ == '__main__': - for arg in sys.argv[1:]: - for path in glob.glob(arg): - try: - fix_sri(path) - except Exception as e: - print >>sys.stderr, "Error fixing %s: %s" % (path, e) - diff --git a/server/sri_map.go b/server/sri_map.go new file mode 100644 index 0000000000000000000000000000000000000000..9fb8c6dcd4649f467d4982b55009d78647142196 --- /dev/null +++ b/server/sri_map.go @@ -0,0 +1,12 @@ +package server + +var sriMap = map[string]string{ + "/static/css/bootstrap.min.css": "sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO", + "/static/css/signin.css": "sha384-9Y3UkAyM3svAuamEoaXIxe+1MqBKJdZtL8S1FZjvE1XqkICDH7DTXNavnFV8Uk2o", + "/static/js/bootstrap-4.1.3.min.js": "sha384-ChfqqxuZUCnJSK3+MXmPNIyE6ZbWh2IMqE241rYiqJxyMiZ6OW/JmZQ5stwEULTy", + "/static/js/jquery-3.3.1.min.js": "sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT", + "/static/js/logout.js": "sha384-lChVngGLNFXetIJTSxc+scDpi1vsBL+7Xa4r2uZpQFP/6Y2z9eCDXe/Y4IUdklRD", + "/static/js/popper-1.14.3.min.js": "sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49", + "/static/js/u2f-api.js": "sha384-9ChevE6pp8ArGK03HgolnFjZbF3webZQtYkwcabzbcI28Lx1/2x2j2fbaAWD4cgR", + "/static/js/u2f.js": "sha384-7zZy25ajTABErGlCQgcyRDpQDS9QVZv9o+95IfvCjWftQe20f411F1a39Ge5xmCe", +} diff --git a/server/templates/page.html b/server/templates/page.html index 18401f5c983b6ae622554e8a5fa17452f16ab396..e1ec50fe7730f505471cfa1da9285590208fd647 100644 --- a/server/templates/page.html +++ b/server/templates/page.html @@ -4,8 +4,8 @@ {{if .U2FSignRequest}}{{end}} - - + + {{if .SiteFavicon}}{{end}} {{if .SiteName}}{{.SiteName}} - {{end}}Sign In @@ -17,15 +17,15 @@ {{define "footer"}} - - - + + + {{if .U2FSignRequest}} - - + + {{end}} {{if .IncludeLogoutScripts}} - + {{end}}