From e07503add4fd0f72808aedef1d8442fcd562b0ef Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Wed, 17 Jan 2024 09:29:31 -0800
Subject: [PATCH] Remove some long-standing commented code (#4242)

This actually was implemented elsewhere for eventing but the commented code wasn't removed. We can finally be free.
---
 internal/daemon/controller/handler.go | 90 ---------------------------
 1 file changed, 90 deletions(-)

diff --git a/internal/daemon/controller/handler.go b/internal/daemon/controller/handler.go
index e6ce252de6..9d6f90d8e8 100644
--- a/internal/daemon/controller/handler.go
+++ b/internal/daemon/controller/handler.go
@@ -711,93 +711,3 @@ func wrapHandlerWithCallbackInterceptor(h http.Handler, c *Controller) http.Hand
 h.ServeHTTP(w, req)
 })
 }
-
-/*
-func WrapForwardedForHandler(h http.Handler, authorizedAddrs []*sockaddr.SockAddrMarshaler, rejectNotPresent, rejectNonAuthz bool, hopSkips int) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- headers, headersOK := r.Header[textproto.CanonicalMIMEHeaderKey("X-Forwarded-For")]
- if !headersOK || len(headers) == 0 {
- if !rejectNotPresent {
- h.ServeHTTP(w, r)
- return
- }
- respondError(w, http.StatusBadRequest, fmt.Errorf("missing x-forwarded-for header and configured to reject when not present"))
- return
- }
-
- host, port, err := net.SplitHostPort(r.RemoteAddr)
- if err != nil {
- // If not rejecting treat it like we just don't have a valid
- // header because we can't do a comparison against an address we
- // can't understand
- if !rejectNotPresent {
- h.ServeHTTP(w, r)
- return
- }
- respondError(w, http.StatusBadRequest, errwrap.Wrapf("error parsing client hostport: {{err}}", err))
- return
- }
-
- addr, err := sockaddr.NewIPAddr(host)
- if err != nil {
- // We treat this the same as the case above
- if !rejectNotPresent {
- h.ServeHTTP(w, r)
- return
- }
- respondError(w, http.StatusBadRequest, errwrap.Wrapf("error parsing client address: {{err}}", err))
- return
- }
-
- var found bool
- for _, authz := range authorizedAddrs {
- if authz.Contains(addr) {
- found = true
- break
- }
- }
- if !found {
- // If we didn't find it and aren't configured to reject, simply
- // don't trust it
- if !rejectNonAuthz {
- h.ServeHTTP(w, r)
- return
- }
- respondError(w, http.StatusBadRequest, fmt.Errorf("client address not authorized for x-forwarded-for and configured to reject connection"))
- return
- }
-
- // At this point we have at least one value and it's authorized
-
- // Split comma separated ones, which are common. This brings it in line
- // to the multiple-header case.
- var acc []string
- for _, header := range headers {
- vals := strings.Split(header, ",")
- for _, v := range vals {
- acc = append(acc, strings.TrimSpace(v))
- }
- }
-
- indexToUse := len(acc) - 1 - hopSkips
- if indexToUse < 0 {
- // This is likely an error in either configuration or other
- // infrastructure. We could either deny the request, or we
- // could simply not trust the value. Denying the request is
- // "safer" since if this logic is configured at all there may
- // be an assumption it can always be trusted. Given that we can
- // deny accepting the request at all if it's not from an
- // authorized address, if we're at this point the address is
- // authorized (or we've turned off explicit rejection) and we
- // should assume that what comes in should be properly
- // formatted.
- respondError(w, http.StatusBadRequest, fmt.Errorf("malformed x-forwarded-for configuration or request, hops to skip (%d) would skip before earliest chain link (chain length %d)", hopSkips, len(headers)))
- return
- }
-
- r.RemoteAddr = net.JoinHostPort(acc[indexToUse], port)
- h.ServeHTTP(w, r)
- return
- })
-}
-*/