Use forked http-reverse-proxy, better regex substitution

bin/update-project-dependencies

@@ -18,8 +18,8 @@ fi
 # with the `sha256sum` result calculated on the `cabal.project` and
 # `cabal.project.freeze`. This ensures the files stay deterministic so that CI
 # cache can kick in.
-expected_cabal_project_hash="3d88bb97cd394b645692343591ae3230d5393ee07b4e805251fffb9aed4a52dd"
-expected_cabal_project_freeze_hash="09930a2fa36e4325d46e5d069595d300c6017472f405f8ac67158377816d132a"
+expected_cabal_project_hash="1059c049512dc2241d0b24e276206204ed007ba4b036719f3c397f2649801086"
+expected_cabal_project_freeze_hash="3c64f68973846df84c31708abefcc95119eef58317a569d9a5940821b27b9d66"
 
 cabal --store-dir=$STORE_DIR v2-build --dry-run
 cabal2stack --system-ghc --allow-newer --resolver lts-21.17 --resolver-file devops/stack/lts-21.17.yaml -o stack.yaml

cabal.project

@@ -7,7 +7,6 @@ optimization: 2
 
 packages:
     ./
-    ../../../../../programming/haskell/http-reverse-proxy
 
 source-repository-package
     type: git
@@ -166,7 +165,12 @@ source-repository-package
     type: git
     location: https://github.com/robstewart57/rdf4h.git
     tag: 4fd2edf30c141600ffad6d730cc4c1c08a6dbce4
-    
+
+source-repository-package
+    type: git
+    location: https://github.com/adinapoli/http-reverse-proxy.git
+    tag: 38c67da5c50972c6ff25be6aad5bb295d4badd3f
+
 allow-older: *
 allow-newer: *
 

cabal.project.freeze

@@ -283,6 +283,7 @@ constraints: any.Cabal ==3.8.1.0,
              http-conduit +aeson,
              any.http-date ==0.0.11,
              any.http-media ==0.8.1.1,
+             any.http-reverse-proxy ==0.6.0.3,
              any.http-types ==0.12.3,
              any.http2 ==4.1.4,
              http2 -devel -h2spec,
@@ -453,8 +454,10 @@ constraints: any.Cabal ==3.8.1.0,
              any.refact ==0.3.0.2,
              any.reflection ==2.1.7,
              reflection -slow +template-haskell,
+             any.regex ==1.1.0.2,
              any.regex-base ==0.94.0.2,
              any.regex-compat ==0.95.2.1,
+             any.regex-pcre-builtin ==0.95.2.3.8.44,
              any.regex-posix ==0.96.0.1,
              regex-posix -_regex-posix-clib,
              any.regex-tdfa ==1.3.2.2,

gargantext.cabal

@@ -619,6 +619,7 @@ library
     , random ^>= 1.2.1
     , rdf4h ^>= 3.1.1
     , recover-rtti >= 0.4 && < 0.5
+    , regex
     , regex-compat ^>= 0.95.2.1
     , regex-tdfa ^>= 1.3.1.2
     , replace-attoparsec ^>= 1.4.5.0

src/Gargantext/MicroServices/ReverseProxy.hs

 {-# LANGUAGE TypeOperators #-}
 {-# LANGUAGE DeriveGeneric #-}
-{-# OPTIONS_GHC -Wno-deprecations #-}
+{-# LANGUAGE QuasiQuotes   #-}
 
 module Gargantext.MicroServices.ReverseProxy (
   microServicesProxyApp
+
+  -- * Internals
+  , replaceIt
   ) where
 
 import Prelude
@@ -24,13 +27,15 @@ import Gargantext.Database.Prelude (hasConfig)
 import Gargantext.Prelude
 import Gargantext.Prelude.Config (gc_frame_write_url)
 import Network.HTTP.ReverseProxy
-import Network.HTTP.Types (hCacheControl, RequestHeaders, hReferer)
+import Network.HTTP.Types (hCacheControl, RequestHeaders, hReferer, ResponseHeaders)
 import Network.HTTP.Types.Header (hHost)
 import Network.URI as URI
 import Network.Wai (Request, rawPathInfo, requestHeaders)
 import Servant
 import Servant.Auth.Swagger ()
 import Servant.Server.Generic
+import Text.RE.TDFA.ByteString
+import Text.RE.Replace hiding (Capture)
 
 --
 -- Types
@@ -89,12 +94,12 @@ forwardServer env =
     writeFrameURL :: T.Text
     writeFrameURL = env ^. hasConfig . gc_frame_write_url
 
-    assetPath :: T.Text
+    assetPath :: B.ByteString
     assetPath
       | snd forwardedHost /= 80
-      = writeFrameURL <> ":" <> T.pack (Prelude.show $ snd forwardedHost)
+      = TE.encodeUtf8 $ writeFrameURL <> ":" <> T.pack (Prelude.show $ snd forwardedHost)
       | otherwise
-      = writeFrameURL
+      = TE.encodeUtf8 writeFrameURL
 
     removeProxyPath :: ByteString -> ByteString
     removeProxyPath = TE.encodeUtf8
@@ -102,23 +107,13 @@ forwardServer env =
                     . TE.decodeUtf8
 
     proxySettings :: WaiProxySettings
-    proxySettings = defaultWaiProxySettings { wpsLogRequest = \req -> traceShow req $ pure ()
-                                            , wpsProcessBody =
-                                                \_req _res -> Just replaceRelativeLinks
+    proxySettings = defaultWaiProxySettings { wpsProcessBody = \_req _res -> Just replaceRelativeLinks
+                                            , wpsModifyResponseHeaders = \_req _res -> tweakResponseHeaders
                                             }
 
     replaceRelativeLinks :: ConduitT B.ByteString (Flush Builder) IO ()
-    replaceRelativeLinks = CC.map flushReplace
+    replaceRelativeLinks = CC.map (flushReplace assetPath)
       where
-        -- FIXME(adn) performance.
-        flushReplace :: B.ByteString -> Flush Builder
-        flushReplace bs = Chunk $ byteString $ traceShowId $ TE.encodeUtf8 . replaceIt . TE.decodeUtf8 $ bs
-
-        replaceIt :: T.Text -> T.Text
-        replaceIt t = t & T.replace "src=\"/build/" ("src=\"" <> assetPath <> "/build/")
-                        & T.replace "href=\"/build/" ("href=\"" <> assetPath <> "/build/")
-                        & T.replace "src=\"/config" ("src=\"" <> assetPath <> "/config")
-                        & T.replace "src=\"/js" ("src=\"" <> assetPath <> "/js")
 
     noCache :: RequestHeaders -> RequestHeaders
     noCache hdrs = (hCacheControl, fromString "no-cache") :
@@ -155,4 +150,28 @@ forwardServer env =
                            rawPathInfo = removeProxyPath (rawPathInfo originalRequest)
                          , requestHeaders = (newReferer . newHost . noCache $ (requestHeaders originalRequest))
                          }
-      pure $ traceShow ("I'm PROXYING ===> " <> (Prelude.show originalRequest)) $ WPRModifiedRequest (traceShowId proxiedReq) $ traceShowId $ mkProxyDest
+      pure $ WPRModifiedRequest proxiedReq mkProxyDest
+
+tweakResponseHeaders :: ResponseHeaders -> ResponseHeaders
+tweakResponseHeaders = Prelude.map tweakHeader
+  where
+    tweakHeader (k,v)
+      | k == "Content-Security-Policy"
+      = (k, fromString "default-src *; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;")
+      | otherwise
+      = (k,v)
+
+-- | Replaces the relative links in the proxied page content with proper urls.
+flushReplace :: B.ByteString -> B.ByteString -> Flush Builder
+flushReplace assetPath = Chunk . byteString . replaceIt assetPath
+
+replaceIt :: B.ByteString -> B.ByteString -> B.ByteString
+replaceIt assetPath htmlBlob =
+  replaceAllCaptures ALL makeAbsolute $ htmlBlob *=~ [re|src="\/build\/|href="\/build\/|src="\/config|src="\/js\/|]
+  where
+    makeAbsolute _ _loc cap = case capturedText cap of
+      "src=\"/build/"  -> Just $ "src=\"" <> assetPath <> "/build/"
+      "href=\"/build/" -> Just $ "href=\"" <> assetPath <> "/build/"
+      "src=\"/config"  -> Just $ "src=\"" <> assetPath <> "/config"
+      "src=\"/js/"     -> Just $ "src=\"" <> assetPath <> "/js/"
+      _                -> Just $ assetPath <> capturedText cap

stack.yaml

@@ -62,6 +62,10 @@
   git: "https://github.com/MercuryTechnologies/ekg-json.git"
   subdirs:
   - .
+- commit: 38c67da5c50972c6ff25be6aad5bb295d4badd3f
+  git: "https://github.com/adinapoli/http-reverse-proxy.git"
+  subdirs:
+  - .
 - commit: 7533a9ccd3bfe77141745f6b61039a26aaf5c83b
   git: "https://github.com/adinapoli/llvm-hs.git"
   subdirs:
@@ -309,7 +313,7 @@ flags:
     "build-search-demo": false
   gargantext:
     "disable-db-obfuscation-executable": false
-    "no-phylo-debug-logs": false
+    "no-phylo-debug-logs": true
     "test-crypto": false
   "ghc-lib-parser":
     "threaded-rts": true