1// Copyright 2016 The CMux Authors. All rights reserved.
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
12// implied. See the License for the specific language governing
13// permissions and limitations under the License.
14
15package cmux
16
17import (
18	"bufio"
19	"crypto/tls"
20	"io"
21	"io/ioutil"
22	"net/http"
23	"strings"
24
25	"golang.org/x/net/http2"
26	"golang.org/x/net/http2/hpack"
27)
28
29// Any is a Matcher that matches any connection.
30func Any() Matcher {
31	return func(r io.Reader) bool { return true }
32}
33
34// PrefixMatcher returns a matcher that matches a connection if it
35// starts with any of the strings in strs.
36func PrefixMatcher(strs ...string) Matcher {
37	pt := newPatriciaTreeString(strs...)
38	return pt.matchPrefix
39}
40
41func prefixByteMatcher(list ...[]byte) Matcher {
42	pt := newPatriciaTree(list...)
43	return pt.matchPrefix
44}
45
46var defaultHTTPMethods = []string{
47	"OPTIONS",
48	"GET",
49	"HEAD",
50	"POST",
51	"PUT",
52	"DELETE",
53	"TRACE",
54	"CONNECT",
55}
56
57// HTTP1Fast only matches the methods in the HTTP request.
58//
59// This matcher is very optimistic: if it returns true, it does not mean that
60// the request is a valid HTTP response. If you want a correct but slower HTTP1
61// matcher, use HTTP1 instead.
62func HTTP1Fast(extMethods ...string) Matcher {
63	return PrefixMatcher(append(defaultHTTPMethods, extMethods...)...)
64}
65
66// TLS matches HTTPS requests.
67//
68// By default, any TLS handshake packet is matched. An optional whitelist
69// of versions can be passed in to restrict the matcher, for example:
70//  TLS(tls.VersionTLS11, tls.VersionTLS12)
71func TLS(versions ...int) Matcher {
72	if len(versions) == 0 {
73		versions = []int{
74			tls.VersionSSL30,
75			tls.VersionTLS10,
76			tls.VersionTLS11,
77			tls.VersionTLS12,
78		}
79	}
80	prefixes := [][]byte{}
81	for _, v := range versions {
82		prefixes = append(prefixes, []byte{22, byte(v >> 8 & 0xff), byte(v & 0xff)})
83	}
84	return prefixByteMatcher(prefixes...)
85}
86
87const maxHTTPRead = 4096
88
89// HTTP1 parses the first line or upto 4096 bytes of the request to see if
90// the conection contains an HTTP request.
91func HTTP1() Matcher {
92	return func(r io.Reader) bool {
93		br := bufio.NewReader(&io.LimitedReader{R: r, N: maxHTTPRead})
94		l, part, err := br.ReadLine()
95		if err != nil || part {
96			return false
97		}
98
99		_, _, proto, ok := parseRequestLine(string(l))
100		if !ok {
101			return false
102		}
103
104		v, _, ok := http.ParseHTTPVersion(proto)
105		return ok && v == 1
106	}
107}
108
109// grabbed from net/http.
110func parseRequestLine(line string) (method, uri, proto string, ok bool) {
111	s1 := strings.Index(line, " ")
112	s2 := strings.Index(line[s1+1:], " ")
113	if s1 < 0 || s2 < 0 {
114		return
115	}
116	s2 += s1 + 1
117	return line[:s1], line[s1+1 : s2], line[s2+1:], true
118}
119
120// HTTP2 parses the frame header of the first frame to detect whether the
121// connection is an HTTP2 connection.
122func HTTP2() Matcher {
123	return hasHTTP2Preface
124}
125
126// HTTP1HeaderField returns a matcher matching the header fields of the first
127// request of an HTTP 1 connection.
128func HTTP1HeaderField(name, value string) Matcher {
129	return func(r io.Reader) bool {
130		return matchHTTP1Field(r, name, func(gotValue string) bool {
131			return gotValue == value
132		})
133	}
134}
135
136// HTTP1HeaderFieldPrefix returns a matcher matching the header fields of the
137// first request of an HTTP 1 connection. If the header with key name has a
138// value prefixed with valuePrefix, this will match.
139func HTTP1HeaderFieldPrefix(name, valuePrefix string) Matcher {
140	return func(r io.Reader) bool {
141		return matchHTTP1Field(r, name, func(gotValue string) bool {
142			return strings.HasPrefix(gotValue, valuePrefix)
143		})
144	}
145}
146
147// HTTP2HeaderField returns a matcher matching the header fields of the first
148// headers frame.
149func HTTP2HeaderField(name, value string) Matcher {
150	return func(r io.Reader) bool {
151		return matchHTTP2Field(ioutil.Discard, r, name, func(gotValue string) bool {
152			return gotValue == value
153		})
154	}
155}
156
157// HTTP2HeaderFieldPrefix returns a matcher matching the header fields of the
158// first headers frame. If the header with key name has a value prefixed with
159// valuePrefix, this will match.
160func HTTP2HeaderFieldPrefix(name, valuePrefix string) Matcher {
161	return func(r io.Reader) bool {
162		return matchHTTP2Field(ioutil.Discard, r, name, func(gotValue string) bool {
163			return strings.HasPrefix(gotValue, valuePrefix)
164		})
165	}
166}
167
168// HTTP2MatchHeaderFieldSendSettings matches the header field and writes the
169// settings to the server. Prefer HTTP2HeaderField over this one, if the client
170// does not block on receiving a SETTING frame.
171func HTTP2MatchHeaderFieldSendSettings(name, value string) MatchWriter {
172	return func(w io.Writer, r io.Reader) bool {
173		return matchHTTP2Field(w, r, name, func(gotValue string) bool {
174			return gotValue == value
175		})
176	}
177}
178
179// HTTP2MatchHeaderFieldPrefixSendSettings matches the header field prefix
180// and writes the settings to the server. Prefer HTTP2HeaderFieldPrefix over
181// this one, if the client does not block on receiving a SETTING frame.
182func HTTP2MatchHeaderFieldPrefixSendSettings(name, valuePrefix string) MatchWriter {
183	return func(w io.Writer, r io.Reader) bool {
184		return matchHTTP2Field(w, r, name, func(gotValue string) bool {
185			return strings.HasPrefix(gotValue, valuePrefix)
186		})
187	}
188}
189
190func hasHTTP2Preface(r io.Reader) bool {
191	var b [len(http2.ClientPreface)]byte
192	last := 0
193
194	for {
195		n, err := r.Read(b[last:])
196		if err != nil {
197			return false
198		}
199
200		last += n
201		eq := string(b[:last]) == http2.ClientPreface[:last]
202		if last == len(http2.ClientPreface) {
203			return eq
204		}
205		if !eq {
206			return false
207		}
208	}
209}
210
211func matchHTTP1Field(r io.Reader, name string, matches func(string) bool) (matched bool) {
212	req, err := http.ReadRequest(bufio.NewReader(r))
213	if err != nil {
214		return false
215	}
216
217	return matches(req.Header.Get(name))
218}
219
220func matchHTTP2Field(w io.Writer, r io.Reader, name string, matches func(string) bool) (matched bool) {
221	if !hasHTTP2Preface(r) {
222		return false
223	}
224
225	done := false
226	framer := http2.NewFramer(w, r)
227	hdec := hpack.NewDecoder(uint32(4<<10), func(hf hpack.HeaderField) {
228		if hf.Name == name {
229			done = true
230			if matches(hf.Value) {
231				matched = true
232			}
233		}
234	})
235	for {
236		f, err := framer.ReadFrame()
237		if err != nil {
238			return false
239		}
240
241		switch f := f.(type) {
242		case *http2.SettingsFrame:
243			// Sender acknoweldged the SETTINGS frame. No need to write
244			// SETTINGS again.
245			if f.IsAck() {
246				break
247			}
248			if err := framer.WriteSettings(); err != nil {
249				return false
250			}
251		case *http2.ContinuationFrame:
252			if _, err := hdec.Write(f.HeaderBlockFragment()); err != nil {
253				return false
254			}
255			done = done || f.FrameHeader.Flags&http2.FlagHeadersEndHeaders != 0
256		case *http2.HeadersFrame:
257			if _, err := hdec.Write(f.HeaderBlockFragment()); err != nil {
258				return false
259			}
260			done = done || f.FrameHeader.Flags&http2.FlagHeadersEndHeaders != 0
261		}
262
263		if done {
264			return matched
265		}
266	}
267}
268