From 15d133324d22e84e3c2839d19b112a96ced4dd66 Mon Sep 17 00:00:00 2001 From: Kevan Ahlquist Date: Thu, 31 Mar 2016 23:54:12 -0500 Subject: [PATCH 1/5] add gorilla/csrf #199 --- app/app.js | 10 ++++++++++ dockerui.go | 25 ++++++++++++++++++++++++- 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/app/app.js b/app/app.js index 43b2e52..a9d2e06 100644 --- a/app/app.js +++ b/app/app.js @@ -25,6 +25,10 @@ angular.module('dockerui', [ 'volumes']) .config(['$routeProvider', '$httpProvider', function ($routeProvider, $httpProvider) { 'use strict'; + + $httpProvider.defaults.xsrfCookieName = '_gorilla_csrf'; + $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token'; + $routeProvider.when('/', { templateUrl: 'app/components/dashboard/dashboard.html', controller: 'DashboardController' @@ -79,7 +83,13 @@ angular.module('dockerui', [ time: 10000 }); } + console.log('response', response); return response; + }, + request: function(config) { + console.log(document.cookie); + console.log('request', config); + return config; } }; }); diff --git a/dockerui.go b/dockerui.go index 496308d..b72304f 100644 --- a/dockerui.go +++ b/dockerui.go @@ -10,12 +10,19 @@ import ( "net/url" "os" "strings" + "github.com/gorilla/csrf" + "github.com/gorilla/securecookie" ) var ( endpoint = flag.String("e", "/var/run/docker.sock", "Dockerd endpoint") addr = flag.String("p", ":9000", "Address and port to serve dockerui") assets = flag.String("a", ".", "Path to the assets") + CSRF = csrf.Protect( + []byte(securecookie.GenerateRandomKey(32)), + csrf.HttpOnly(false), + csrf.Secure(false), + ) ) type UnixHandler struct { 
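Review bot: Pointing `$httpProvider.defaults.xsrfCookieName` at `_gorilla_csrf` makes Angular copy that cookie's raw value into the `X-CSRF-Token` header, but with gorilla/csrf the cookie carries the securecookie-encoded session value while `csrf.Protect` verifies the per-request token that `csrf.Token(r)` produces, so state-changing requests will presumably still be rejected. That mismatch is what the dockerui.go hunk in this same patch tries to work around with `csrf.HttpOnly(false)`, and what [PATCH 3/5] later resolves by returning the token in a response header. If this setting is kept for now, a comment such as `// NOTE: the _gorilla_csrf cookie is not the request token; see the server-side wrapper` would save the next reader the same investigation.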
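Review bot: The added `console.log(document.cookie)` and `console.log('request', config)` in the new `request` interceptor write the CSRF cookie and every outgoing request's headers to the browser console, and `console.log('response', response)` does the same for each response body and headers; these are debugging traces that should not ship. [PATCH 3/5] removes them again, so dropping them here (or squashing the series) avoids landing a commit that logs credentials. The interceptor object this hunk edits starts before the hunk.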
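Review bot: `[]byte(securecookie.GenerateRandomKey(32))` converts a value that is already `[]byte`, and `GenerateRandomKey` returns nil when the random source fails, which this package-level initializer passes straight into `csrf.Protect` with no way to report it; generating the key in `main` as `authKey := securecookie.GenerateRandomKey(32); if authKey == nil { log.Fatal("unable to generate csrf auth key") }` is the safer shape (`log` is presumably already imported, since the next hunk calls `log.Println` without adding it). `csrf.Secure(false)` and `csrf.HttpOnly(false)` both relax the library defaults and deserve a comment stating why, e.g. `// HttpOnly(false): the Angular XSRF helper reads this cookie; Secure(false): dockerui is served over plain HTTP`. Also, goimports would place the two `github.com/gorilla/...` imports in their own group below the standard library.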
@@ -87,7 +94,23 @@ func createHandler(dir string, e string) http.Handler { mux.Handle("/dockerapi/", http.StripPrefix("/dockerapi", h)) mux.Handle("/", fileHandler) - return mux + return logWrapper(CSRF(mux)) +} + +func logWrapper(h http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + log.Println("Request starting: " + r.URL.Path) + c, err := r.Cookie ("_gorilla_csrf") + if err != nil { + log.Println("Unable to find session cookie _gorilla_csrf") + h.ServeHTTP(w, r) + } else { + log.Println("Cookie:" + c.Value) + log.Println("Header:" + r.Header.Get("X-CSRF-Token")) + h.ServeHTTP(w, r) + log.Println("Request ending") + } + }) } func main() { From 7267516363c3cdf8711c1581d574cd803a910d17 Mon Sep 17 00:00:00 2001 From: Kevan Ahlquist Date: Fri, 1 Apr 2016 11:10:30 -0500 Subject: [PATCH 2/5] Don't re-generate token on every startup for now. --- dockerui.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dockerui.go b/dockerui.go index b72304f..3cd5abb 100644 --- a/dockerui.go +++ b/dockerui.go @@ -11,7 +11,6 @@ import ( "os" "strings" "github.com/gorilla/csrf" - "github.com/gorilla/securecookie" ) var ( @@ -19,7 +18,7 @@ var ( addr = flag.String("p", ":9000", "Address and port to serve dockerui") assets = flag.String("a", ".", "Path to the assets") CSRF = csrf.Protect( - []byte(securecookie.GenerateRandomKey(32)), + []byte("32-byte-long-auth-key"), // FIXME: generate once, reuse on restarts csrf.HttpOnly(false), csrf.Secure(false), ) From 0244bc73178e99e2b9e045fbbe35ab6387eb7e32 Mon Sep 17 00:00:00 2001 From: Kevan Ahlquist Date: Sat, 2 Apr 2016 14:39:14 -0500 Subject: [PATCH 3/5] Fix csrf, send tokens back in header, pass token instead of cookie back to server. --- app/app.js | 12 +++++------- dockerui.go | 17 ++++------------- 2 files changed, 9 insertions(+), 20 deletions(-) diff --git a/app/app.js b/app/app.js index a9d2e06..28219cb 100644 --- a/app/app.js +++ b/app/app.js 
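Review bot: `log.Println("Cookie:" + c.Value)` and `log.Println("Header:" + r.Header.Get("X-CSRF-Token"))` in logWrapper write the CSRF cookie and token of every request into the server log, so anyone with log access can reuse them; request tracing should log `r.Method` and `r.URL.Path` only. `r.Cookie ("_gorilla_csrf")` has a space before the argument list that gofmt would remove, and `h.ServeHTTP(w, r)` is duplicated in both branches where a single call after the `if` would do. [PATCH 3/5] deletes this wrapper, so squashing would avoid landing it at all.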
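Review bot: `[]byte("32-byte-long-auth-key")` is a 21-byte literal that lives in the public source, so anyone who reads the repository can sign a valid `_gorilla_csrf` cookie and the protection is defeated; the `FIXME` acknowledges the restart problem but not this. A key that must survive restarts should come from a file or environment variable, which is what [PATCH 4/5] in this series does; until then the comment should say that the literal is a placeholder and not a secret: `// FIXME: placeholder, not a secret — replaced by a persisted random key in a later commit`.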
@@ -26,7 +26,7 @@ angular.module('dockerui', [ .config(['$routeProvider', '$httpProvider', function ($routeProvider, $httpProvider) { 'use strict'; - $httpProvider.defaults.xsrfCookieName = '_gorilla_csrf'; + $httpProvider.defaults.xsrfCookieName = 'csrfToken'; $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token'; $routeProvider.when('/', { @@ -83,13 +83,11 @@ angular.module('dockerui', [ time: 10000 }); } - console.log('response', response); + var csrfToken = response.headers('X-Csrf-Token'); + if (csrfToken) { + document.cookie = 'csrfToken=' + csrfToken; + } return response; - }, - request: function(config) { - console.log(document.cookie); - console.log('request', config); - return config; } }; }); diff --git a/dockerui.go b/dockerui.go index 3cd5abb..5cff5c8 100644 --- a/dockerui.go +++ b/dockerui.go @@ -93,22 +93,13 @@ func createHandler(dir string, e string) http.Handler { mux.Handle("/dockerapi/", http.StripPrefix("/dockerapi", h)) mux.Handle("/", fileHandler) - return logWrapper(CSRF(mux)) + return CSRF(csrfWrapper(mux)) } -func logWrapper(h http.Handler) http.Handler { +func csrfWrapper(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - log.Println("Request starting: " + r.URL.Path) - c, err := r.Cookie ("_gorilla_csrf") - if err != nil { - log.Println("Unable to find session cookie _gorilla_csrf") - h.ServeHTTP(w, r) - } else { - log.Println("Cookie:" + c.Value) - log.Println("Header:" + r.Header.Get("X-CSRF-Token")) - h.ServeHTTP(w, r) - log.Println("Request ending") - } + w.Header().Set("X-CSRF-Token", csrf.Token(r)) + h.ServeHTTP(w, r) }) } From 5f3d8565352354023db0e66b59e4ef807cd91087 Mon Sep 17 00:00:00 2001 From: Kevan Ahlquist Date: Sat, 2 Apr 2016 16:55:06 -0500 Subject: [PATCH 4/5] Persist csrf authKey in container to allow restarts without breaking existing cookies. --- dockerui.go | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) 
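Review bot: `document.cookie = 'csrfToken=' + csrfToken;` stores the token in a cookie with no attributes, so it is sent on every request to the origin and, when the UI is served over TLS, travels without `Secure`; since its only consumer is Angular's XSRF helper on the same page, holding the token in a closure variable and setting `X-CSRF-Token` from a `request` interceptor would avoid the cookie altogether. If the cookie stays, scope it at least: `document.cookie = 'csrfToken=' + csrfToken + '; path=/; SameSite=Strict';`. The interceptor object this hunk edits starts before the hunk.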
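Review bot: With csrfWrapper now handing the token to the client in the `X-CSRF-Token` response header, the page script no longer needs to read the `_gorilla_csrf` cookie, so the `csrf.HttpOnly(false)` option set in the var block outside this hunk can return to the default `csrf.HttpOnly(true)` and keep the signed cookie out of reach of scripts. The ordering `CSRF(csrfWrapper(mux))` is what makes `csrf.Token(r)` work, because it reads the token from the request context that `csrf.Protect` populates, and that is worth a comment on the wrapper: `// csrfWrapper must run inside csrf.Protect, which stores the token in r's context.`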
diff --git a/dockerui.go b/dockerui.go index 5cff5c8..c1ea616 100644 --- a/dockerui.go +++ b/dockerui.go @@ -11,17 +11,17 @@ import ( "os" "strings" "github.com/gorilla/csrf" + "io/ioutil" + "fmt" + "github.com/gorilla/securecookie" ) var ( endpoint = flag.String("e", "/var/run/docker.sock", "Dockerd endpoint") addr = flag.String("p", ":9000", "Address and port to serve dockerui") assets = flag.String("a", ".", "Path to the assets") - CSRF = csrf.Protect( - []byte("32-byte-long-auth-key"), // FIXME: generate once, reuse on restarts - csrf.HttpOnly(false), - csrf.Secure(false), - ) + authKey []byte + authKeyFile = "authKey.dat" ) type UnixHandler struct { @@ -91,6 +91,25 @@ func createHandler(dir string, e string) http.Handler { h = createUnixHandler(e) } + // Use existing csrf authKey if present or generate a new one. + dat, err := ioutil.ReadFile(authKeyFile) + if err != nil { + fmt.Println(err) + authKey = securecookie.GenerateRandomKey(32) + err := ioutil.WriteFile(authKeyFile, authKey, 0644) + if err != nil { + fmt.Println("unable to persist auth key", err) + } + } else { + authKey = dat + } + + CSRF := csrf.Protect( + authKey, + csrf.HttpOnly(false), + csrf.Secure(false), + ) + mux.Handle("/dockerapi/", http.StripPrefix("/dockerapi", h)) mux.Handle("/", fileHandler) return CSRF(csrfWrapper(mux)) From a67206dd8df5942714290c2506e7c798f15bf730 Mon Sep 17 00:00:00 2001 From: Kevan Ahlquist Date: Sat, 2 Apr 2016 21:04:51 -0500 Subject: [PATCH 5/5] Version bump, 0.10.1-beta --- app/app.js | 2 +- bower.json | 2 +- package.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/app/app.js b/app/app.js index 28219cb..9e7781e 100644 --- a/app/app.js +++ b/app/app.js 
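Review bot: `authKeyFile = "authKey.dat"` is resolved against the process working directory rather than the `-a` assets path or a configurable location, so the key file lands wherever dockerui happens to be started, and a restart from another directory silently generates a fresh key and invalidates existing cookies; making it a flag, e.g. `keyFile = flag.String("k", "authKey.dat", "Path to the csrf auth key file")`, matches the other settings in this block. `authKey []byte` is only assigned in createHandler and could be a local there. The new `"io/ioutil"` and `"fmt"` imports sit between the gorilla imports; goimports would put the standard library in the first group.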
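Review bot: `ioutil.WriteFile(authKeyFile, authKey, 0644)` writes the CSRF signing key world-readable; the mode should be `0600`, since anyone who can read the file can forge valid `_gorilla_csrf` cookies. The load path also accepts whatever `ReadFile` returns, so an empty or truncated file becomes the HMAC key without complaint, and `securecookie.GenerateRandomKey` returns nil when the random source fails, which would be passed into `csrf.Protect` as well; checking `len(dat) == 32` before reusing the key and refusing to start on a nil key closes both. `fmt.Println(err)` prints a raw not-found error on every first start; an `os.IsNotExist` check keeps that case quiet (`os` is already imported), and `log` is presumably still imported given the earlier `log.Println` calls in this file. The rest of createHandler is outside the hunk.
```go
	// Use existing csrf authKey if present or generate a new one.
	dat, err := ioutil.ReadFile(authKeyFile)
	if err != nil && !os.IsNotExist(err) {
		log.Println("reading csrf auth key:", err)
	}
	if len(dat) == 32 {
		authKey = dat
	} else {
		authKey = securecookie.GenerateRandomKey(32)
		if authKey == nil {
			log.Fatal("unable to generate csrf auth key")
		}
		// 0600: the key signs the CSRF cookie and must not be world-readable.
		if err := ioutil.WriteFile(authKeyFile, authKey, 0600); err != nil {
			log.Println("unable to persist auth key", err)
		}
	}
	// … unchanged: csrf.Protect options and mux wiring …
```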
@@ -96,4 +96,4 @@ angular.module('dockerui', [ // You need to set this to the api endpoint without the port i.e. http://192.168.1.9 .constant('DOCKER_ENDPOINT', 'dockerapi') .constant('DOCKER_PORT', '') // Docker port, leave as an empty string if no port is requred. If you have a port, prefix it with a ':' i.e. :4243 - .constant('UI_VERSION', 'v0.9.0-beta'); \ No newline at end of file + .constant('UI_VERSION', 'v0.10.1-beta'); diff --git a/bower.json b/bower.json index 47c92c4..6d13924 100644 --- a/bower.json +++ b/bower.json @@ -1,6 +1,6 @@ { "name": "dockerui", - "version": "0.9.0-beta", + "version": "0.10.1-beta", "homepage": "https://github.com/crosbymichael/dockerui", "authors": [ "Michael Crosby ", diff --git a/package.json b/package.json index c442651..1962155 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "author": "Michael Crosby & Kevan Ahlquist", "name": "dockerui", "homepage": "https://github.com/crosbymichael/dockerui", - "version": "0.9.0-beta", + "version": "0.10.1-beta", "repository": { "type": "git", "url": "git@github.com:crosbymichael/dockerui.git"