diff options
Diffstat (limited to 'vendor/github.com/go-macaron/csrf')
| -rw-r--r-- | vendor/github.com/go-macaron/csrf/LICENSE | 191 | ||||
| -rw-r--r-- | vendor/github.com/go-macaron/csrf/README.md | 18 | ||||
| -rw-r--r-- | vendor/github.com/go-macaron/csrf/csrf.go | 251 | ||||
| -rw-r--r-- | vendor/github.com/go-macaron/csrf/xsrf.go | 97 |
4 files changed, 0 insertions, 557 deletions
diff --git a/vendor/github.com/go-macaron/csrf/LICENSE b/vendor/github.com/go-macaron/csrf/LICENSE deleted file mode 100644 index 8405e89a..00000000 --- a/vendor/github.com/go-macaron/csrf/LICENSE +++ /dev/null @@ -1,191 +0,0 @@ -Apache License -Version 2.0, January 2004 -http://www.apache.org/licenses/ - -TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - -1. Definitions. - -"License" shall mean the terms and conditions for use, reproduction, and -distribution as defined by Sections 1 through 9 of this document. - -"Licensor" shall mean the copyright owner or entity authorized by the copyright -owner that is granting the License. - -"Legal Entity" shall mean the union of the acting entity and all other entities -that control, are controlled by, or are under common control with that entity. -For the purposes of this definition, "control" means (i) the power, direct or -indirect, to cause the direction or management of such entity, whether by -contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the -outstanding shares, or (iii) beneficial ownership of such entity. - -"You" (or "Your") shall mean an individual or Legal Entity exercising -permissions granted by this License. - -"Source" form shall mean the preferred form for making modifications, including -but not limited to software source code, documentation source, and configuration -files. - -"Object" form shall mean any form resulting from mechanical transformation or -translation of a Source form, including but not limited to compiled object code, -generated documentation, and conversions to other media types. - -"Work" shall mean the work of authorship, whether in Source or Object form, made -available under the License, as indicated by a copyright notice that is included -in or attached to the work (an example is provided in the Appendix below). - -"Derivative Works" shall mean any work, whether in Source or Object form, that -is based on (or derived from) the Work and for which the editorial revisions, -annotations, elaborations, or other modifications represent, as a whole, an -original work of authorship. For the purposes of this License, Derivative Works -shall not include works that remain separable from, or merely link (or bind by -name) to the interfaces of, the Work and Derivative Works thereof. - -"Contribution" shall mean any work of authorship, including the original version -of the Work and any modifications or additions to that Work or Derivative Works -thereof, that is intentionally submitted to Licensor for inclusion in the Work -by the copyright owner or by an individual or Legal Entity authorized to submit -on behalf of the copyright owner. For the purposes of this definition, -"submitted" means any form of electronic, verbal, or written communication sent -to the Licensor or its representatives, including but not limited to -communication on electronic mailing lists, source code control systems, and -issue tracking systems that are managed by, or on behalf of, the Licensor for -the purpose of discussing and improving the Work, but excluding communication -that is conspicuously marked or otherwise designated in writing by the copyright -owner as "Not a Contribution." - -"Contributor" shall mean Licensor and any individual or Legal Entity on behalf -of whom a Contribution has been received by Licensor and subsequently -incorporated within the Work. - -2. Grant of Copyright License. - -Subject to the terms and conditions of this License, each Contributor hereby -grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, -irrevocable copyright license to reproduce, prepare Derivative Works of, -publicly display, publicly perform, sublicense, and distribute the Work and such -Derivative Works in Source or Object form. - -3. Grant of Patent License. - -Subject to the terms and conditions of this License, each Contributor hereby -grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, -irrevocable (except as stated in this section) patent license to make, have -made, use, offer to sell, sell, import, and otherwise transfer the Work, where -such license applies only to those patent claims licensable by such Contributor -that are necessarily infringed by their Contribution(s) alone or by combination -of their Contribution(s) with the Work to which such Contribution(s) was -submitted. If You institute patent litigation against any entity (including a -cross-claim or counterclaim in a lawsuit) alleging that the Work or a -Contribution incorporated within the Work constitutes direct or contributory -patent infringement, then any patent licenses granted to You under this License -for that Work shall terminate as of the date such litigation is filed. - -4. Redistribution. - -You may reproduce and distribute copies of the Work or Derivative Works thereof -in any medium, with or without modifications, and in Source or Object form, -provided that You meet the following conditions: - -You must give any other recipients of the Work or Derivative Works a copy of -this License; and -You must cause any modified files to carry prominent notices stating that You -changed the files; and -You must retain, in the Source form of any Derivative Works that You distribute, -all copyright, patent, trademark, and attribution notices from the Source form -of the Work, excluding those notices that do not pertain to any part of the -Derivative Works; and -If the Work includes a "NOTICE" text file as part of its distribution, then any -Derivative Works that You distribute must include a readable copy of the -attribution notices contained within such NOTICE file, excluding those notices -that do not pertain to any part of the Derivative Works, in at least one of the -following places: within a NOTICE text file distributed as part of the -Derivative Works; within the Source form or documentation, if provided along -with the Derivative Works; or, within a display generated by the Derivative -Works, if and wherever such third-party notices normally appear. The contents of -the NOTICE file are for informational purposes only and do not modify the -License. You may add Your own attribution notices within Derivative Works that -You distribute, alongside or as an addendum to the NOTICE text from the Work, -provided that such additional attribution notices cannot be construed as -modifying the License. -You may add Your own copyright statement to Your modifications and may provide -additional or different license terms and conditions for use, reproduction, or -distribution of Your modifications, or for any such Derivative Works as a whole, -provided Your use, reproduction, and distribution of the Work otherwise complies -with the conditions stated in this License. - -5. Submission of Contributions. - -Unless You explicitly state otherwise, any Contribution intentionally submitted -for inclusion in the Work by You to the Licensor shall be under the terms and -conditions of this License, without any additional terms or conditions. -Notwithstanding the above, nothing herein shall supersede or modify the terms of -any separate license agreement you may have executed with Licensor regarding -such Contributions. - -6. Trademarks. - -This License does not grant permission to use the trade names, trademarks, -service marks, or product names of the Licensor, except as required for -reasonable and customary use in describing the origin of the Work and -reproducing the content of the NOTICE file. - -7. Disclaimer of Warranty. - -Unless required by applicable law or agreed to in writing, Licensor provides the -Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, -including, without limitation, any warranties or conditions of TITLE, -NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are -solely responsible for determining the appropriateness of using or -redistributing the Work and assume any risks associated with Your exercise of -permissions under this License. - -8. Limitation of Liability. - -In no event and under no legal theory, whether in tort (including negligence), -contract, or otherwise, unless required by applicable law (such as deliberate -and grossly negligent acts) or agreed to in writing, shall any Contributor be -liable to You for damages, including any direct, indirect, special, incidental, -or consequential damages of any character arising as a result of this License or -out of the use or inability to use the Work (including but not limited to -damages for loss of goodwill, work stoppage, computer failure or malfunction, or -any and all other commercial damages or losses), even if such Contributor has -been advised of the possibility of such damages. - -9. Accepting Warranty or Additional Liability. - -While redistributing the Work or Derivative Works thereof, You may choose to -offer, and charge a fee for, acceptance of support, warranty, indemnity, or -other liability obligations and/or rights consistent with this License. However, -in accepting such obligations, You may act only on Your own behalf and on Your -sole responsibility, not on behalf of any other Contributor, and only if You -agree to indemnify, defend, and hold each Contributor harmless for any liability -incurred by, or claims asserted against, such Contributor by reason of your -accepting any such warranty or additional liability. - -END OF TERMS AND CONDITIONS - -APPENDIX: How to apply the Apache License to your work - -To apply the Apache License to your work, attach the following boilerplate -notice, with the fields enclosed by brackets "[]" replaced with your own -identifying information. (Don't include the brackets!) The text should be -enclosed in the appropriate comment syntax for the file format. We also -recommend that a file or class name and description of purpose be included on -the same "printed page" as the copyright notice for easier identification within -third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License.
\ No newline at end of file diff --git a/vendor/github.com/go-macaron/csrf/README.md b/vendor/github.com/go-macaron/csrf/README.md deleted file mode 100644 index ff3e10a0..00000000 --- a/vendor/github.com/go-macaron/csrf/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# csrf [](https://travis-ci.org/go-macaron/csrf) [](http://gocover.io/github.com/go-macaron/csrf) - -Middleware csrf generates and validates CSRF tokens for [Macaron](https://github.com/go-macaron/macaron). - -[API Reference](https://gowalker.org/github.com/go-macaron/csrf) - -### Installation - - go get github.com/go-macaron/csrf - -## Getting Help - -- [API Reference](https://gowalker.org/github.com/go-macaron/csrf) -- [Documentation](http://go-macaron.com/docs/middlewares/csrf) - -## License - -This project is under the Apache License, Version 2.0. See the [LICENSE](LICENSE) file for the full license text.
\ No newline at end of file diff --git a/vendor/github.com/go-macaron/csrf/csrf.go b/vendor/github.com/go-macaron/csrf/csrf.go deleted file mode 100644 index affc95ab..00000000 --- a/vendor/github.com/go-macaron/csrf/csrf.go +++ /dev/null @@ -1,251 +0,0 @@ -// Copyright 2013 Martini Authors -// Copyright 2014 The Macaron Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"): you may -// not use this file except in compliance with the License. You may obtain -// a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -// License for the specific language governing permissions and limitations -// under the License. - -// Package csrf is a middleware that generates and validates CSRF tokens for Macaron. -package csrf - -import ( - "net/http" - "time" - - "github.com/Unknwon/com" - "github.com/go-macaron/session" - "gopkg.in/macaron.v1" -) - -const _VERSION = "0.1.0" - -func Version() string { - return _VERSION -} - -// CSRF represents a CSRF service and is used to get the current token and validate a suspect token. -type CSRF interface { - // Return HTTP header to search for token. - GetHeaderName() string - // Return form value to search for token. - GetFormName() string - // Return cookie name to search for token. - GetCookieName() string - // Return cookie path - GetCookiePath() string - // Return the token. - GetToken() string - // Validate by token. - ValidToken(t string) bool - // Error replies to the request with a custom function when ValidToken fails. - Error(w http.ResponseWriter) -} - -type csrf struct { - // Header name value for setting and getting csrf token. - Header string - // Form name value for setting and getting csrf token. - Form string - // Cookie name value for setting and getting csrf token. - Cookie string - //Cookie path - CookiePath string - // Token generated to pass via header, cookie, or hidden form value. - Token string - // This value must be unique per user. - ID string - // Secret used along with the unique id above to generate the Token. - Secret string - // ErrorFunc is the custom function that replies to the request when ValidToken fails. - ErrorFunc func(w http.ResponseWriter) -} - -// GetHeaderName returns the name of the HTTP header for csrf token. -func (c *csrf) GetHeaderName() string { - return c.Header -} - -// GetFormName returns the name of the form value for csrf token. -func (c *csrf) GetFormName() string { - return c.Form -} - -// GetCookieName returns the name of the cookie for csrf token. -func (c *csrf) GetCookieName() string { - return c.Cookie -} - -// GetCookiePath returns the path of the cookie for csrf token. -func (c *csrf) GetCookiePath() string { - return c.CookiePath -} - -// GetToken returns the current token. This is typically used -// to populate a hidden form in an HTML template. -func (c *csrf) GetToken() string { - return c.Token -} - -// ValidToken validates the passed token against the existing Secret and ID. -func (c *csrf) ValidToken(t string) bool { - return ValidToken(t, c.Secret, c.ID, "POST") -} - -// Error replies to the request when ValidToken fails. -func (c *csrf) Error(w http.ResponseWriter) { - c.ErrorFunc(w) -} - -// Options maintains options to manage behavior of Generate. -type Options struct { - // The global secret value used to generate Tokens. - Secret string - // HTTP header used to set and get token. - Header string - // Form value used to set and get token. - Form string - // Cookie value used to set and get token. - Cookie string - // Cookie path. - CookiePath string - // Key used for getting the unique ID per user. - SessionKey string - // oldSeesionKey saves old value corresponding to SessionKey. - oldSeesionKey string - // If true, send token via X-CSRFToken header. - SetHeader bool - // If true, send token via _csrf cookie. - SetCookie bool - // Set the Secure flag to true on the cookie. - Secure bool - // Disallow Origin appear in request header. - Origin bool - // The function called when Validate fails. - ErrorFunc func(w http.ResponseWriter) -} - -func prepareOptions(options []Options) Options { - var opt Options - if len(options) > 0 { - opt = options[0] - } - - // Defaults. - if len(opt.Secret) == 0 { - opt.Secret = string(com.RandomCreateBytes(10)) - } - if len(opt.Header) == 0 { - opt.Header = "X-CSRFToken" - } - if len(opt.Form) == 0 { - opt.Form = "_csrf" - } - if len(opt.Cookie) == 0 { - opt.Cookie = "_csrf" - } - if len(opt.CookiePath) == 0 { - opt.CookiePath = "/" - } - if len(opt.SessionKey) == 0 { - opt.SessionKey = "uid" - } - opt.oldSeesionKey = "_old_" + opt.SessionKey - if opt.ErrorFunc == nil { - opt.ErrorFunc = func(w http.ResponseWriter) { - http.Error(w, "Invalid csrf token.", http.StatusBadRequest) - } - } - - return opt -} - -// Generate maps CSRF to each request. If this request is a Get request, it will generate a new token. -// Additionally, depending on options set, generated tokens will be sent via Header and/or Cookie. -func Generate(options ...Options) macaron.Handler { - opt := prepareOptions(options) - return func(ctx *macaron.Context, sess session.Store) { - x := &csrf{ - Secret: opt.Secret, - Header: opt.Header, - Form: opt.Form, - Cookie: opt.Cookie, - CookiePath: opt.CookiePath, - ErrorFunc: opt.ErrorFunc, - } - ctx.MapTo(x, (*CSRF)(nil)) - - if opt.Origin && len(ctx.Req.Header.Get("Origin")) > 0 { - return - } - - x.ID = "0" - uid := sess.Get(opt.SessionKey) - if uid != nil { - x.ID = com.ToStr(uid) - } - - needsNew := false - oldUid := sess.Get(opt.oldSeesionKey) - if oldUid == nil || oldUid.(string) != x.ID { - needsNew = true - sess.Set(opt.oldSeesionKey, x.ID) - } else { - // If cookie present, map existing token, else generate a new one. - if val := ctx.GetCookie(opt.Cookie); len(val) > 0 { - // FIXME: test coverage. - x.Token = val - } else { - needsNew = true - } - } - - if needsNew { - // FIXME: actionId. - x.Token = GenerateToken(x.Secret, x.ID, "POST") - if opt.SetCookie { - ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", false, true, time.Now().AddDate(0, 0, 1)) - } - } - - if opt.SetHeader { - ctx.Resp.Header().Add(opt.Header, x.Token) - } - } -} - -// Csrfer maps CSRF to each request. If this request is a Get request, it will generate a new token. -// Additionally, depending on options set, generated tokens will be sent via Header and/or Cookie. -func Csrfer(options ...Options) macaron.Handler { - return Generate(options...) -} - -// Validate should be used as a per route middleware. It attempts to get a token from a "X-CSRFToken" -// HTTP header and then a "_csrf" form value. If one of these is found, the token will be validated -// using ValidToken. If this validation fails, custom Error is sent in the reply. -// If neither a header or form value is found, http.StatusBadRequest is sent. -func Validate(ctx *macaron.Context, x CSRF) { - if token := ctx.Req.Header.Get(x.GetHeaderName()); len(token) > 0 { - if !x.ValidToken(token) { - ctx.SetCookie(x.GetCookieName(), "", -1, x.GetCookiePath()) - x.Error(ctx.Resp) - } - return - } - if token := ctx.Req.FormValue(x.GetFormName()); len(token) > 0 { - if !x.ValidToken(token) { - ctx.SetCookie(x.GetCookieName(), "", -1, x.GetCookiePath()) - x.Error(ctx.Resp) - } - return - } - - http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest) -} diff --git a/vendor/github.com/go-macaron/csrf/xsrf.go b/vendor/github.com/go-macaron/csrf/xsrf.go deleted file mode 100644 index 81ed5d0f..00000000 --- a/vendor/github.com/go-macaron/csrf/xsrf.go +++ /dev/null @@ -1,97 +0,0 @@ -// Copyright 2012 Google Inc. All Rights Reserved. -// Copyright 2014 The Macaron Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package csrf - -import ( - "bytes" - "crypto/hmac" - "crypto/sha1" - "crypto/subtle" - "encoding/base64" - "fmt" - "strconv" - "strings" - "time" -) - -// The duration that XSRF tokens are valid. -// It is exported so clients may set cookie timeouts that match generated tokens. -const TIMEOUT = 24 * time.Hour - -// clean sanitizes a string for inclusion in a token by replacing all ":"s. -func clean(s string) string { - return strings.Replace(s, ":", "_", -1) -} - -// GenerateToken returns a URL-safe secure XSRF token that expires in 24 hours. -// -// key is a secret key for your application. -// userID is a unique identifier for the user. -// actionID is the action the user is taking (e.g. POSTing to a particular path). -func GenerateToken(key, userID, actionID string) string { - return generateTokenAtTime(key, userID, actionID, time.Now()) -} - -// generateTokenAtTime is like Generate, but returns a token that expires 24 hours from now. -func generateTokenAtTime(key, userID, actionID string, now time.Time) string { - h := hmac.New(sha1.New, []byte(key)) - fmt.Fprintf(h, "%s:%s:%d", clean(userID), clean(actionID), now.UnixNano()) - tok := fmt.Sprintf("%s:%d", h.Sum(nil), now.UnixNano()) - return base64.URLEncoding.EncodeToString([]byte(tok)) -} - -// Valid returns true if token is a valid, unexpired token returned by Generate. -func ValidToken(token, key, userID, actionID string) bool { - return validTokenAtTime(token, key, userID, actionID, time.Now()) -} - -// validTokenAtTime is like Valid, but it uses now to check if the token is expired. -func validTokenAtTime(token, key, userID, actionID string, now time.Time) bool { - // Decode the token. - data, err := base64.URLEncoding.DecodeString(token) - if err != nil { - return false - } - - // Extract the issue time of the token. - sep := bytes.LastIndex(data, []byte{':'}) - if sep < 0 { - return false - } - nanos, err := strconv.ParseInt(string(data[sep+1:]), 10, 64) - if err != nil { - return false - } - issueTime := time.Unix(0, nanos) - - // Check that the token is not expired. - if now.Sub(issueTime) >= TIMEOUT { - return false - } - - // Check that the token is not from the future. - // Allow 1 minute grace period in case the token is being verified on a - // machine whose clock is behind the machine that issued the token. - if issueTime.After(now.Add(1 * time.Minute)) { - return false - } - - expected := generateTokenAtTime(key, userID, actionID, issueTime) - - // Check that the token matches the expected value. - // Use constant time comparison to avoid timing attacks. - return subtle.ConstantTimeCompare([]byte(token), []byte(expected)) == 1 -} |