% Licensed under the Apache License, Version 2.0 (the "License"); you may not
% use this file except in compliance with the License. You may obtain a copy of
% the License at
%
%   http://www.apache.org/licenses/LICENSE-2.0
%
% Unless required by applicable law or agreed to in writing, software
% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
% License for the specific language governing permissions and limitations under
% the License.
12
13-module(chttpd_util).
14
15
16-export([
17    get_chttpd_config/1,
18    get_chttpd_config/2,
19    get_chttpd_config_integer/2,
20    get_chttpd_config_boolean/2,
21    get_chttpd_auth_config/1,
22    get_chttpd_auth_config/2,
23    get_chttpd_auth_config_integer/2,
24    get_chttpd_auth_config_boolean/2,
25    maybe_add_csp_header/3
26]).
27
28
%% @doc Read Key from the "chttpd" config section, using the value stored
%% under the same key in the legacy "httpd" section as the fallback.
%% The legacy lookup is always performed, because its result is passed as
%% the default of the "chttpd" lookup.
get_chttpd_config(Key) ->
    LegacyValue = config:get("httpd", Key),
    config:get("chttpd", Key, LegacyValue).
31
32
%% @doc Read Key from the "chttpd" config section, falling back to the
%% legacy "httpd" section and finally to Default.
get_chttpd_config(Key, Default) ->
    LegacyValue = config:get("httpd", Key, Default),
    config:get("chttpd", Key, LegacyValue).
35
36
%% @doc Integer variant of get_chttpd_config/2: "chttpd" first, then the
%% legacy "httpd" section, then Default. Both lookups go through
%% config:get_integer/3.
get_chttpd_config_integer(Key, Default) ->
    LegacyValue = config:get_integer("httpd", Key, Default),
    config:get_integer("chttpd", Key, LegacyValue).
40
41
%% @doc Boolean variant of get_chttpd_config/2: "chttpd" first, then the
%% legacy "httpd" section, then Default. Both lookups go through
%% config:get_boolean/3.
get_chttpd_config_boolean(Key, Default) ->
    LegacyValue = config:get_boolean("httpd", Key, Default),
    config:get_boolean("chttpd", Key, LegacyValue).
45
46
%% @doc Read Key from the "chttpd_auth" config section, using the value
%% stored under the same key in the legacy "couch_httpd_auth" section as
%% the fallback.
%%
%% Both sections are live: a key present only in the legacy section still
%% takes effect, so an audit of authentication settings has to cover both.
get_chttpd_auth_config(Key) ->
    LegacyValue = config:get("couch_httpd_auth", Key),
    config:get("chttpd_auth", Key, LegacyValue).
49
50
%% @doc Read Key from the "chttpd_auth" config section, falling back to
%% the legacy "couch_httpd_auth" section and finally to Default.
%%
%% Default applies only when neither section defines Key; a value left
%% behind in the legacy section overrides it.
get_chttpd_auth_config(Key, Default) ->
    LegacyValue = config:get("couch_httpd_auth", Key, Default),
    config:get("chttpd_auth", Key, LegacyValue).
54
55
%% @doc Integer variant of get_chttpd_auth_config/2: "chttpd_auth" first,
%% then the legacy "couch_httpd_auth" section, then Default.
%%
%% Default applies only when neither section defines Key; a value left
%% behind in the legacy section overrides it.
get_chttpd_auth_config_integer(Key, Default) ->
    LegacyValue = config:get_integer("couch_httpd_auth", Key, Default),
    config:get_integer("chttpd_auth", Key, LegacyValue).
59
60
%% @doc Boolean variant of get_chttpd_auth_config/2: "chttpd_auth" first,
%% then the legacy "couch_httpd_auth" section, then Default.
%%
%% Default applies only when neither section defines Key; a boolean left
%% behind in the legacy section overrides it.
get_chttpd_auth_config_boolean(Key, Default) ->
    LegacyValue = config:get_boolean("couch_httpd_auth", Key, Default),
    config:get_boolean("chttpd_auth", Key, LegacyValue).
64
65
%% @doc Prepend a Content-Security-Policy header for Component to
%% OriginalHeaders, unless the "csp" config section disables it.
%%
%% Component is a string such as "utils"; the keys consulted are
%% Component ++ "_enable" (default true) and Component ++ "_header_value"
%% (default DefaultHeaderValue). Returns the header list, with or without
%% the added header.
%%
%% NOTE(review): the legacy "enable" / "header_value" keys are consulted
%% only for "utils", and only when "utils_enable" is explicitly false.
%% With "utils_enable" unset, a customised legacy "header_value" is not
%% read and DefaultHeaderValue is sent instead. Confirm this is the
%% intended migration behaviour.
maybe_add_csp_header(Component, OriginalHeaders, DefaultHeaderValue) ->
    EnableKey = Component ++ "_enable",
    case config:get_boolean("csp", EnableKey, true) of
        true ->
            ValueKey = Component ++ "_header_value",
            Policy = config:get("csp", ValueKey, DefaultHeaderValue),
            % See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#multiple_content_security_policies
            % Browsers enforce every CSP header in a response, so any CSP
            % header added later by a show/list function can only narrow
            % what this one allows, never widen it.
            %
            % Ours is prepended, so user-set CSP headers need no special
            % handling here.
            [{"Content-Security-Policy", Policy} | OriginalHeaders];
        false when Component =:= "utils" ->
            % Fallback for the old, component-less config vars.
            handle_legacy_config(OriginalHeaders, DefaultHeaderValue);
        false ->
            OriginalHeaders
    end.
88
%% @doc Apply the legacy "csp" keys "enable" and "header_value".
%% Prepends a Content-Security-Policy header to OriginalHeaders unless
%% "enable" is false; the policy is "header_value", or DefaultHeaderValue
%% when that key is unset.
%%
%% "enable" defaults to true, so when this key is unset the header is
%% still emitted. Dropping the header on this path needs "enable = false".
handle_legacy_config(OriginalHeaders, DefaultHeaderValue) ->
    case config:get_boolean("csp", "enable", true) of
        false ->
            OriginalHeaders;
        true ->
            Policy = config:get("csp", "header_value", DefaultHeaderValue),
            [{"Content-Security-Policy", Policy} | OriginalHeaders]
    end.
98