devapp: redirect to TLS when autocert is turned on

Updates golang/go#20691

Change-Id: I5247683f62cbe922a880246dbd2e99e31686e2d3
Reviewed-on: https://go-review.googlesource.com/46911
Reviewed-by: Brad Fitzpatrick <[email protected]>

Author: andybons

devapp/devapp.go

@@ -20,7 +20,6 @@ import (
 	"os"
 	"strconv"
 	"strings"
-	"sync"
 	"sync/atomic"
 	"time"
 
@@ -37,11 +36,6 @@ func init() {
 		os.Stderr.WriteString("devapp generates the dashboard that powers dev.golang.org.\n")
 		flag.PrintDefaults()
 	}
-
-	// TODO don't bind relative to a working directory.
-	http.Handle("/", http.FileServer(http.Dir("./static/")))
-	http.HandleFunc("/favicon.ico", faviconHandler)
-	http.Handle("/release", hstsHandler(func(w http.ResponseWriter, r *http.Request) { servePage(w, r, "release") }))
 }
 
 func main() {
@@ -50,11 +44,14 @@ func main() {
 		devTLSPort     = flag.Int("dev-tls-port", 0, "if non-zero, port number to run localhost self-signed TLS server")
 		autocertBucket = flag.String("autocert-bucket", "", "if non-empty, listen on port 443 and serve a LetsEncrypt TLS cert using this Google Cloud Storage bucket as a cache")
 		updateInterval = flag.Duration("update-interval", 5*time.Minute, "how often to update the dashboard data")
+		staticDir      = flag.String("static-dir", "./static/", "location of static directory relative to binary location")
 	)
 	flag.Parse()
 
 	go updateLoop(*updateInterval)
 
+	s := newServer(http.NewServeMux(), *staticDir)
+
 	ln, err := net.Listen("tcp", *listen)
 	if err != nil {
 		log.Fatalf("Error listening on %s: %v\n", *listen, err)
@@ -63,13 +60,19 @@ func main() {
 
 	errc := make(chan error)
 	if ln != nil {
-		go func() { errc <- fmt.Errorf("http.Serve = %v", http.Serve(ln, nil)) }()
+		go func() {
+			handler := http.Handler(s)
+			if *autocertBucket != "" {
+				handler = http.HandlerFunc(redirectHTTP)
+			}
+			errc <- fmt.Errorf("http.Serve = %v", http.Serve(ln, handler))
+		}()
 	}
 	if *autocertBucket != "" {
-		go func() { errc <- serveAutocertTLS(*autocertBucket) }()
+		go func() { errc <- serveAutocertTLS(s, *autocertBucket) }()
 	}
 	if *devTLSPort != 0 {
-		go func() { errc <- serveDevTLS(*devTLSPort) }()
+		go func() { errc <- serveDevTLS(s, *devTLSPort) }()
 	}
 
 	log.Fatal(<-errc)
@@ -85,15 +88,23 @@ func updateLoop(interval time.Duration) {
 	}
 }
 
-func serveDevTLS(port int) error {
+func redirectHTTP(w http.ResponseWriter, r *http.Request) {
+	if r.TLS != nil || r.Host == "" {
+		http.NotFound(w, r)
+		return
+	}
+	http.Redirect(w, r, "https://"+r.Host+r.RequestURI, http.StatusFound)
+}
+
+func serveDevTLS(h http.Handler, port int) error {
 	ln, err := net.Listen("tcp", "localhost:"+strconv.Itoa(port))
 	if err != nil {
 		return err
 	}
 	defer ln.Close()
 	log.Printf("Serving self-signed TLS at https://%s", ln.Addr())
 	// Abuse httptest for its localhost TLS setup code:
-	ts := httptest.NewUnstartedServer(http.DefaultServeMux)
+	ts := httptest.NewUnstartedServer(h)
 	// Ditch the provided listener, replace with our own:
 	ts.Listener.Close()
 	ts.Listener = ln
@@ -106,7 +117,7 @@ func serveDevTLS(port int) error {
 	select {}
 }
 
-func serveAutocertTLS(bucket string) error {
+func serveAutocertTLS(h http.Handler, bucket string) error {
 	ln, err := net.Listen("tcp", ":443")
 	if err != nil {
 		return err
@@ -132,7 +143,8 @@ func serveAutocertTLS(bucket string) error {
 	}
 	tlsLn := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, config)
 	server := &http.Server{
-		Addr: ln.Addr().String(),
+		Addr:    ln.Addr().String(),
+		Handler: h,
 	}
 	if err := http2.ConfigureServer(server, nil); err != nil {
 		log.Fatalf("http2.ConfigureServer: %v", err)
@@ -155,55 +167,6 @@ func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
 	return tc, nil
 }
 
-// hstsHandler wraps an http.HandlerFunc such that it sets the HSTS header.
-func hstsHandler(fn http.HandlerFunc) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Strict-Transport-Security", "max-age=31536000; preload")
-		fn(w, r)
-	})
-}
-
-type page struct {
-	// Content is the complete HTML of the page.
-	Content []byte
-}
-
-var (
-	pageStore   = map[string]*page{}
-	pageStoreMu sync.Mutex
-)
-
-func getPage(name string) (*page, error) {
-	pageStoreMu.Lock()
-	defer pageStoreMu.Unlock()
-	p, ok := pageStore[name]
-	if ok {
-		return p, nil
-	}
-	return nil, fmt.Errorf("page key %s not found", name)
-}
-
-func writePage(pageStr string, content []byte) error {
-	pageStoreMu.Lock()
-	defer pageStoreMu.Unlock()
-	entity := &page{
-		Content: content,
-	}
-	pageStore[pageStr] = entity
-	return nil
-}
-
-func servePage(w http.ResponseWriter, r *http.Request, pageStr string) {
-	entity, err := getPage(pageStr)
-	if err != nil {
-		log.Printf("getPage(%s) = %v", pageStr, err)
-		http.NotFound(w, r)
-		return
-	}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	w.Write(entity.Content)
-}
-
 type countTransport struct {
 	http.RoundTripper
 	count int64
@@ -270,11 +233,3 @@ func newTransport(ctx context.Context) http.RoundTripper {
 	}
 	return t
 }
-
-// GET /favicon.ico
-func faviconHandler(w http.ResponseWriter, r *http.Request) {
-	// Need to specify content type for consistent tests, without this it's
-	// determined from mime.types on the box the test is running on
-	w.Header().Set("Content-Type", "image/x-icon")
-	http.ServeFile(w, r, "./static/favicon.ico")
-}

devapp/server.go

@@ -0,0 +1,74 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+	"sync"
+)
+
+// A server is an http.Handler that serves content within staticDir at root and
+// the dynamically-generated dashboards at their respective endpoints.
+type server struct {
+	mux       *http.ServeMux
+	staticDir string
+}
+
+func newServer(mux *http.ServeMux, staticDir string) *server {
+	s := &server{
+		mux:       mux,
+		staticDir: staticDir,
+	}
+	s.mux.Handle("/", http.FileServer(http.Dir(s.staticDir)))
+	s.mux.HandleFunc("/release", handleRelease)
+	return s
+}
+
+// ServeHTTP satisfies the http.Handler interface.
+func (s *server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if r.TLS != nil {
+		w.Header().Set("Strict-Transport-Security", "max-age=31536000; preload")
+	}
+	s.mux.ServeHTTP(w, r)
+}
+
+var (
+	pageStoreMu sync.Mutex
+	pageStore   = map[string][]byte{}
+)
+
+func getPage(name string) ([]byte, error) {
+	pageStoreMu.Lock()
+	defer pageStoreMu.Unlock()
+	p, ok := pageStore[name]
+	if ok {
+		return p, nil
+	}
+	return nil, fmt.Errorf("page key %s not found", name)
+}
+
+func writePage(key string, content []byte) error {
+	pageStoreMu.Lock()
+	defer pageStoreMu.Unlock()
+	pageStore[key] = content
+	return nil
+}
+
+func servePage(w http.ResponseWriter, r *http.Request, key string) {
+	b, err := getPage(key)
+	if err != nil {
+		log.Printf("getPage(%q) = %v", key, err)
+		http.NotFound(w, r)
+		return
+	}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Write(b)
+}
+
+func handleRelease(w http.ResponseWriter, r *http.Request) {
+	servePage(w, r, "release")
+}

devapp/devapp_test.go renamed to devapp/server_test.go

@@ -5,18 +5,20 @@
 package main
 
 import (
-	"fmt"
+	"crypto/tls"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 )
 
+var testServer = newServer(http.DefaultServeMux, "./static/")
+
 func TestStaticAssetsFound(t *testing.T) {
 	req := httptest.NewRequest("GET", "/", nil)
 	w := httptest.NewRecorder()
-	http.DefaultServeMux.ServeHTTP(w, req)
-	if w.Code != 200 {
-		t.Errorf("expected code 200, got %d", w.Code)
+	testServer.ServeHTTP(w, req)
+	if w.Code != http.StatusOK {
+		t.Errorf("expected code %d, got %d", http.StatusOK, w.Code)
 	}
 	if hdr := w.Header().Get("Content-Type"); hdr != "text/html; charset=utf-8" {
 		t.Errorf("incorrect Content-Type header, got headers: %v", w.Header())
@@ -26,22 +28,20 @@ func TestStaticAssetsFound(t *testing.T) {
 func TestFaviconFound(t *testing.T) {
 	req := httptest.NewRequest("GET", "/favicon.ico", nil)
 	w := httptest.NewRecorder()
-	http.DefaultServeMux.ServeHTTP(w, req)
-	if w.Code != 200 {
-		t.Errorf("expected code 200, got %d", w.Code)
+	testServer.ServeHTTP(w, req)
+	if w.Code != http.StatusOK {
+		t.Errorf("expected code %d, got %d", http.StatusOK, w.Code)
 	}
 	if hdr := w.Header().Get("Content-Type"); hdr != "image/x-icon" {
 		t.Errorf("incorrect Content-Type header, got headers: %v", w.Header())
 	}
 }
 
 func TestHSTSHeaderSet(t *testing.T) {
-	http.Handle("/test_hsts", hstsHandler(func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprintln(w, "much secure")
-	}))
-	req := httptest.NewRequest("GET", "/test_hsts", nil)
+	req := httptest.NewRequest("GET", "/", nil)
+	req.TLS = &tls.ConnectionState{}
 	w := httptest.NewRecorder()
-	http.DefaultServeMux.ServeHTTP(w, req)
+	testServer.ServeHTTP(w, req)
 	if hdr := w.Header().Get("Strict-Transport-Security"); hdr == "" {
 		t.Errorf("missing Strict-Transport-Security header; headers = %v", w.Header())
 	}