From 934cdca38378b76150c69725687ba0ecf6bdd0b2 Mon Sep 17 00:00:00 2001 From: Chris Broadfoot Date: Tue, 2 Oct 2018 16:44:50 -0700 Subject: [PATCH] [release-branch.go1.11] cmd/godoc: re-enable host checking, allow test versions test.golang.org is no longer -- instead allow access to version-specific App Engine URLs (like 20181002t1342-dot-golang-org.appspot.com). App Engine Flex uses the X-Forwarded-Proto to signify the proto used by the originating request (it always uses h1 on 8080 when proxying the request). Updates golang/go#28893 Updates golang/go#27205 Change-Id: I423ffe65df325500a2fa04c7b655797ecc6ad037 Reviewed-on: https://go-review.googlesource.com/c/139237 Reviewed-by: Brad Fitzpatrick Reviewed-on: https://go-review.googlesource.com/c/150679
---
 cmd/godoc/app.prod.yaml | 2 +- cmd/godoc/handlers.go | 12 ++++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/cmd/godoc/app.prod.yaml b/cmd/godoc/app.prod.yaml
index 832db097..315c3dbc 100644
--- a/cmd/godoc/app.prod.yaml
+++ b/cmd/godoc/app.prod.yaml
@@ -3,7 +3,7 @@ env: flex env_variables: GODOC_PROD: true - # GODOC_ENFORCE_HOSTS: true # TODO(cbro): modify host filter to allow version-specific URLs (see issue 27205). + GODOC_ENFORCE_HOSTS: true GODOC_REDIS_ADDR: 10.0.0.4:6379 # instance "gophercache" GODOC_ANALYTICS: UA-11222381-2 DATASTORE_PROJECT_ID: golang-org
diff --git a/cmd/godoc/handlers.go b/cmd/godoc/handlers.go
index 4152a3ee..fabb6797 100644
--- a/cmd/godoc/handlers.go
+++ b/cmd/godoc/handlers.go
@@ -44,7 +44,7 @@ func (h hostEnforcerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 h.h.ServeHTTP(w, r)
 return
 }
- if r.TLS == nil || !h.validHost(r.Host) {
+ if !h.isHTTPS(r) || !h.validHost(r.Host) {
 r.URL.Scheme = "https"
 if h.validHost(r.Host) {
 r.URL.Host = r.Host
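Review bot: The rewritten condition accepts a request as HTTPS whenever isHTTPS (added in the second handlers.go hunk) finds `X-Forwarded-Proto: https`, and that header is read from the request as received. The check holds only while every request reaches this handler through the App Engine proxy the commit message describes; if the process is ever served directly, the header is client-controlled and the plaintext-to-HTTPS redirect no longer applies to requests that set it. I would record that assumption where the header is read, for example `// isHTTPS trusts X-Forwarded-Proto; this is only meaningful behind the App Engine Flex proxy.` ServeHTTP begins and ends outside this hunk.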
@@ -58,9 +58,17 @@ func (h hostEnforcerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 h.h.ServeHTTP(w, r)
 }

+func (h hostEnforcerHandler) isHTTPS(r *http.Request) bool {
+ return r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
+}
+
 func (h hostEnforcerHandler) validHost(host string) bool {
 switch strings.ToLower(host) {
- case "golang.org", "godoc-test.golang.org", "golang.google.cn":
+ case "golang.org", "golang.google.cn":
+ return true
+ }
+ if strings.HasSuffix(host, "-dot-golang-org.appspot.com") {
+ // staging/test
 return true
 }
 return false
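Review bot: The new suffix test in validHost compares the raw `host`, while the switch just above it compares `strings.ToLower(host)`, so the two branches disagree on letter case even though hostnames are case-insensitive. Lowercasing once keeps them consistent: put `host = strings.ToLower(host)` ahead of the switch, then `switch host {` and the existing `strings.HasSuffix(host, "-dot-golang-org.appspot.com")`. The suffix match also accepts any prefix, and the first handlers.go hunk copies an accepted r.Host into the redirect URL, so the `// staging/test` comment should say that every name with this suffix is expected to belong to this project's appspot versions, or the match should be narrowed to the version-label shape. validHost's closing brace lies outside the hunk.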