Added configuration options and route exemptions

cbonello · cbonello · commit 0875114c365e · 2013-09-20T08:36:26.000+05:30
diff --git a/exemptions.go b/exemptions.go
@@ -0,0 +1,82 @@
+// Management of routes exempted from CSRF checks.
+package csrf
+
+import (
+	"github.com/golang/glog"
+	"fmt"
+	pathPackage "path"
+	"sync"
+)
+
+// I'm not cetain that we need a mutex because exempted routes are generally
+// configured when the application starts and the list is read-only after.
+type globPath struct {
+	sync.RWMutex
+	list []string
+}
+
+var (
+	exemptionsFullPath = struct {
+		sync.RWMutex
+		list map[string]struct{}
+	} {
+			list: make(map[string]struct{}),
+		}
+
+	exemptionsGlobs globPath
+)
+
+// Checks if given path is exempt from CSRF checks.
+func IsExempted(path string) bool {
+	exemptionsFullPath.RLock()
+	_, found := exemptionsFullPath.list[path]
+	exemptionsFullPath.RUnlock()
+	if found {
+		glog.V(2).Infof("REVEL-CSRF: Ignoring exempted route '%s'...", path)
+		return true
+	}
+
+	for _, glob := range exemptionsGlobs.list {
+		exemptionsGlobs.RLock()
+		found, err := pathPackage.Match(glob, path)
+		exemptionsGlobs.RUnlock()
+		if err != nil {
+			// See http://golang.org/pkg/path/#Match for error description.
+			panic(fmt.Sprintf("REVEL-CSRF: malformed glob pattern: %#v", err))
+		}
+		if found {
+			glog.V(2).Infof("REVEL-CSRF: Ignoring exempted route '%s'...", path)
+			return true
+		}
+	}
+	return false
+}
+
+// Exempts an exact path from CSRF checks.
+func ExemptedFullPath(path string) {
+	glog.V(2).Infof("REVEL-CSRF: Adding exemption '%s'...", path)
+	exemptionsFullPath.Lock()
+	exemptionsFullPath.list[path] = struct{}{}
+	exemptionsFullPath.Unlock()
+}
+
+func ExemptedFullPaths(paths ...string) {
+	for _, v := range paths {
+		ExemptedFullPath(v)
+	}
+}
+
+// Exempts a path from CSRF checks using pattern matching.
+// See http://golang.org/pkg/path/#Match
+func ExemptedGlob(path string) {
+	glog.V(2).Infof("REVEL-CSRF: Adding exemption GLOB '%s'...", path)
+	exemptionsGlobs.Lock()
+	exemptionsGlobs.list = append(exemptionsGlobs.list, path)
+	exemptionsGlobs.Unlock()
+}
+
+func ExemptedGlobs(paths ...string) {
+	for _, v := range paths {
+		ExemptedGlob(v)
+	}
+}
diff --git a/exemptions_test.go b/exemptions_test.go
@@ -0,0 +1,91 @@
+package csrf
+
+import (
+	"testing"
+)
+
+func TestExemptedFullPath(t *testing.T) {
+	//hand := New(nil)
+	path := "/Hello"
+
+	ExemptedFullPath(path)
+	if !IsExempted(path) {
+		t.Errorf("%v is not exempted, but it should be", path)
+	}
+
+	other := "/Goodbye"
+	if IsExempted(other) {
+		t.Errorf("%v is exempted, but it shouldn't be", other)
+	}
+}
+
+func TestExemptedFullPaths(t *testing.T) {
+	//hand := New(nil)
+	paths := []string{"/home", "/news", "/help"}
+	ExemptedFullPaths(paths...)
+
+	for _, v := range paths {
+		if !IsExempted(v) {
+			t.Errorf("%v should be exempted, but it isn't", v)
+		}
+	}
+
+	other := "/accounts"
+
+	if IsExempted(other) {
+		t.Errorf("%v is exempted, but it shouldn't be")
+	}
+}
+
+func TestExemptedGlob(t *testing.T) {
+	//hand := New(nil)
+	glob := "/[m-n]ail"
+
+	ExemptedGlob(glob)
+
+	test := "/mail"
+	if !IsExempted(test) {
+		t.Errorf("%v should be exempted, but it isn't.", test)
+	}
+
+	test = "/nail"
+	if !IsExempted(test) {
+		t.Errorf("%v should be exempted, but it isn't.", test)
+	}
+
+	test = "/snail"
+	if IsExempted(test) {
+		t.Errorf("%v should not be exempted, but it is.", test)
+	}
+
+	test = "/mail/outbox"
+	if IsExempted(test) {
+		t.Errorf("%v should not be exempted, but it is.", test)
+	}
+}
+
+func TestExemptedGlobs(t *testing.T) {
+	slice := []string{"/", "/accounts/*", "/post/?*"}
+	matching := []string{"/", "/accounts/", "/accounts/johndoe", "/post/1", "/post/123"}
+
+	nonMatching := []string{"", "/accounts",
+		// Glob's * and ? don't match a forward slash.
+		"/accounts/johndoe/posts",
+		"/post/",
+	}
+
+	//hand := New(nil)
+	ExemptedGlobs(slice...)
+
+	for _, v := range matching {
+		if !IsExempted(v) {
+			t.Error("%v should be exempted, but it isn't.")
+		}
+	}
+
+	for _, v := range nonMatching {
+		if IsExempted(v) {
+			t.Error("%v shouldn't be exempted, but it is")
+		}
+	}
+}
diff --git a/samples/demo/app/views/App/Hello123Exempted.html b/samples/demo/app/views/App/Hello123Exempted.html
@@ -0,0 +1,52 @@
+{{set . "title" "Home"}}
+{{template "header.html" .}}
+
+<header class="hero-unit" style="background-color:#A9F16C">
+    <div class="container">
+        <div class="row">
+            <div class="hero-text">
+                <h1>{{if .name}}Hello {{ .name }}{{else}}Hello anonymous user{{end}}</h1>
+                <p></p>
+            </div>
+        </div>
+    </div>
+</header>
+
+<div class="container">
+    <div class="row">
+        <div class="span6">
+            {{template "flash.html" .}}
+        </div>
+    </div>
+    <div class="row">
+        <h2>This route is exempted from CSRF checks.</h2>
+        <p>
+            See <b>app/init.go</b>: csrf.ExemptedGlob("/Hello[0-9]?3/Exempted")
+        </p>
+    </div>
+    <div class="row">
+        <p>
+            Clicking on the Go Back link will trigger generation of a new index
+            page and reset the CSRF token to a valid value. Click on your browser's
+            Back button if you want to keep the altered CSRF token. This behaviour
+            is caused by the demo implementation and does not exhibits any bug in
+            revel-csrf.
+        </p>
+        <p>
+            <b>Note:</b> Clicking on Go Back is your best option if you reached
+            this page through an AJAX call. But that will reset the CSRF token to
+            a valid value!
+        </p>
+    </div>
+    <div class="row">
+        <p>{{.help1}}</p>
+        <p>{{.help2}}</p>
+    </div>
+    <div class="row">
+        <div class="span12">
+            <a href="/">Go Back</a>
+        </div>
+    </div>
+</div>
+
+{{template "footer.html" .}}
