130 lines
3.5 KiB
Go
130 lines
3.5 KiB
Go
// This file is part of the happyDomain (R) project.
|
|
// Copyright (c) 2020-2026 happyDomain
|
|
// Authors: Pierre-Olivier Mercier, et al.
|
|
|
|
package checker
|
|
|
|
import (
|
|
"strconv"
|
|
"strings"
|
|
)
|
|
|
|
// HSTSDirectives is the parsed form of a Strict-Transport-Security header
|
|
// (RFC 6797 §6.1).
|
|
type HSTSDirectives struct {
|
|
MaxAge int64
|
|
IncludeSub bool
|
|
Preload bool
|
|
}
|
|
|
|
// ParseHSTS pulls max-age, includeSubDomains and preload out of an HSTS
|
|
// value. Returns nil for an empty value so callers can distinguish "header
|
|
// absent" from "header present with max-age=0".
|
|
func ParseHSTS(v string) *HSTSDirectives {
|
|
v = strings.TrimSpace(v)
|
|
if v == "" {
|
|
return nil
|
|
}
|
|
h := &HSTSDirectives{}
|
|
for _, part := range strings.Split(v, ";") {
|
|
part = strings.TrimSpace(part)
|
|
switch {
|
|
case strings.HasPrefix(strings.ToLower(part), "max-age="):
|
|
val := strings.Trim(part[len("max-age="):], "\"")
|
|
if n, err := strconv.ParseInt(val, 10, 64); err == nil {
|
|
h.MaxAge = n
|
|
}
|
|
case strings.EqualFold(part, "includeSubDomains"):
|
|
h.IncludeSub = true
|
|
case strings.EqualFold(part, "preload"):
|
|
h.Preload = true
|
|
}
|
|
}
|
|
return h
|
|
}
|
|
|
|
// CSPDirectives is the parsed form of a Content-Security-Policy header
|
|
// (W3C CSP3). Directive names are lowercased; source tokens keep their
|
|
// original casing because keywords like 'unsafe-inline' must round-trip
|
|
// verbatim when reported back to the user.
|
|
type CSPDirectives struct {
|
|
Raw string
|
|
Directives map[string][]string
|
|
}
|
|
|
|
// ParseCSP splits a CSP header into its directive → sources map.
|
|
func ParseCSP(v string) *CSPDirectives {
|
|
v = strings.TrimSpace(v)
|
|
if v == "" {
|
|
return nil
|
|
}
|
|
c := &CSPDirectives{Raw: v, Directives: map[string][]string{}}
|
|
for _, d := range strings.Split(v, ";") {
|
|
d = strings.TrimSpace(d)
|
|
if d == "" {
|
|
continue
|
|
}
|
|
fields := strings.Fields(d)
|
|
name := strings.ToLower(fields[0])
|
|
c.Directives[name] = fields[1:]
|
|
}
|
|
return c
|
|
}
|
|
|
|
// HasDirective reports whether the named directive is declared at all.
|
|
func (c *CSPDirectives) HasDirective(name string) bool {
|
|
if c == nil {
|
|
return false
|
|
}
|
|
_, ok := c.Directives[strings.ToLower(name)]
|
|
return ok
|
|
}
|
|
|
|
// HasSource reports whether the named directive lists the given source
|
|
// token (case-insensitive comparison; pass keywords with their quotes,
|
|
// e.g. "'unsafe-inline'").
|
|
func (c *CSPDirectives) HasSource(directive, source string) bool {
|
|
if c == nil {
|
|
return false
|
|
}
|
|
for _, s := range c.Directives[strings.ToLower(directive)] {
|
|
if strings.EqualFold(s, source) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// HasUnsafe reports whether any directive uses 'unsafe-inline' or
|
|
// 'unsafe-eval' — the two keywords that nullify most of CSP's value.
|
|
func (c *CSPDirectives) HasUnsafe() bool {
|
|
if c == nil {
|
|
return false
|
|
}
|
|
for _, sources := range c.Directives {
|
|
for _, s := range sources {
|
|
ls := strings.ToLower(s)
|
|
if ls == "'unsafe-inline'" || ls == "'unsafe-eval'" {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// ParsedHeaders bundles the structured headers we parse repeatedly. Fields
|
|
// are nil when the underlying header is absent on the probe; rules can
|
|
// nil-check or rely on the typed accessors which already handle nil.
|
|
type ParsedHeaders struct {
|
|
HSTS *HSTSDirectives
|
|
CSP *CSPDirectives
|
|
}
|
|
|
|
// ParseHeaders builds a ParsedHeaders from a probe's raw header map.
|
|
// Header lookups use the lowercase keys produced by the collector.
|
|
func ParseHeaders(p HTTPProbe) ParsedHeaders {
|
|
return ParsedHeaders{
|
|
HSTS: ParseHSTS(p.Headers["strict-transport-security"]),
|
|
CSP: ParseCSP(p.Headers["content-security-policy"]),
|
|
}
|
|
}
|