Serve gzipped version of console asset if it exists

nexus/src/external_api/console_api.rs

@@ -619,8 +619,21 @@ pub async fn console_settings_page(
     console_index_or_login_redirect(rqctx).await
 }
 
+fn with_gz_ext(path: Vec<String>) -> Vec<String> {
+    if path.len() == 0 {
+        return path;
+    }
+
+    let mut new_path = path;
+    let last = new_path.pop().unwrap(); // we know there's one there
+    new_path.push(format!("{last}.gz"));
+    new_path
+}
+
 /// Fetch a static asset from `<static_dir>/assets`. 404 on virtually all
-/// errors. No auth. NO SENSITIVE FILES.
+/// errors. No auth. NO SENSITIVE FILES. Will serve a gzipped version if the
+/// `.gz` file is present in the directory and `Accept-Encoding: gzip` is
+/// present on the request.
 #[endpoint {
    method = GET,
    path = "/assets/{path:.*}",
@@ -633,25 +646,66 @@ pub async fn asset(
     let apictx = rqctx.context();
     let path = path_params.into_inner().path;
 
-    let file = match &apictx.console_config.static_dir {
-        // important: we only serve assets from assets/ within static_dir
-        Some(static_dir) => find_file(path, &static_dir.join("assets")),
-        _ => Err(not_found("static_dir undefined")),
-    }?;
-    let file_contents = tokio::fs::read(&file)
-        .await
-        .map_err(|e| not_found(&format!("accessing {:?}: {:#}", file, e)))?;
+    // Bail unless the extension is allowed
+    let filename =
+        PathBuf::from(path.last().ok_or_else(|| not_found("no path"))?);
+    let ext = filename
+        .extension()
+        .map(|ext| ext.to_os_string())
+        .unwrap_or_else(|| OsString::from("disallowed"));
+    if !ALLOWED_EXTENSIONS.contains(&ext) {
+        return Err(not_found("file extension not allowed"));
+    }
 
-    // Derive the MIME type from the file name
-    let content_type = mime_guess::from_path(&file)
+    // We only serve assets from assets/ within static_dir
+    let assets_dir = &apictx
+        .console_config
+        .static_dir
+        .as_ref()
+        .ok_or_else(|| not_found("static_dir undefined"))?
+        .join("assets");
+
+    let request = &rqctx.request.lock().await;
+    let accept_encoding = request.headers().get(http::header::ACCEPT_ENCODING);
+
+    let accept_gz = accept_encoding.map_or(false, |val| {
+        val.to_str().map_or(false, |s| s.contains("gzip"))
+    });
+
+    let path_gz = with_gz_ext(path.clone());
+
+    // If req accepts gzip and we have a gzipped version, serve that. Otherwise
+    // fall back to non-gz. If neither file found, bubble up 404.
+    let (file_path, set_content_encoding_gzip) =
+        match accept_gz.then(|| find_file(path_gz, &assets_dir)) {
+            Some(Ok(gzipped_file)) => (gzipped_file, true),
+            _ => (find_file(path, &assets_dir)?, false),
+        };
+
+    // File read is the same regardless of gzip
+    let file_contents = tokio::fs::read(&file_path).await.map_err(|e| {
+        not_found(&format!("accessing {:?}: {:#}", file_path, e))
+    })?;
+
+    // Derive the MIME type from the file name. Have to use filename and not
+    // file_path because the latter might have a .gz on the end.
+    let content_type = mime_guess::from_path(filename)
         .first()
         .map_or_else(|| "text/plain".to_string(), |m| m.to_string());
 
-    Ok(Response::builder()
+    let mut resp = Response::builder()
         .status(StatusCode::OK)
         .header(http::header::CONTENT_TYPE, &content_type)
-        .header(http::header::CACHE_CONTROL, cache_control_header_value(apictx))
-        .body(file_contents.into())?)
+        .header(
+            http::header::CACHE_CONTROL,
+            cache_control_header_value(apictx),
+        );
+
+    if set_content_encoding_gzip {
+        resp = resp.header(http::header::CONTENT_ENCODING, "gzip");
+    }
+
+    Ok(resp.body(file_contents.into())?)
 }
 
 fn cache_control_header_value(apictx: &Arc<ServerContext>) -> String {
@@ -694,14 +748,6 @@ lazy_static! {
     );
 }
 
-fn file_ext_allowed(path: &PathBuf) -> bool {
-    let ext = path
-        .extension()
-        .map(|ext| ext.to_os_string())
-        .unwrap_or_else(|| OsString::from("disallowed"));
-    ALLOWED_EXTENSIONS.contains(&ext)
-}
-
 /// Starting from `root_dir`, follow the segments of `path` down the file tree
 /// until we find a file (or not). Do not follow symlinks.
 fn find_file(
@@ -734,10 +780,6 @@ fn find_file(
         return Err(not_found("expected a non-directory"));
     }
 
-    if !file_ext_allowed(&current) {
-        return Err(not_found("file extension not allowed"));
-    }
-
     Ok(current)
 }
 
@@ -821,19 +863,4 @@ mod test {
         assert_eq!(error.status_code, StatusCode::NOT_FOUND);
         assert_eq!(error.internal_message, "attempted to follow a symlink");
     }
-
-    #[test]
-    fn test_find_file_404_on_disallowed_ext() {
-        let root = current_dir().unwrap();
-        let error =
-            find_file(get_path("tests/static/assets/blocked.ext"), &root)
-                .unwrap_err();
-        assert_eq!(error.status_code, StatusCode::NOT_FOUND);
-        assert_eq!(error.internal_message, "file extension not allowed",);
-
-        let error = find_file(get_path("tests/static/assets/no_ext"), &root)
-            .unwrap_err();
-        assert_eq!(error.status_code, StatusCode::NOT_FOUND);
-        assert_eq!(error.internal_message, "file extension not allowed");
-    }
 }

nexus/test-utils/src/http_testing.rs

@@ -85,6 +85,7 @@ impl<'a> RequestBuilder<'a> {
             expected_status: None,
             allowed_headers: Some(vec![
                 http::header::CACHE_CONTROL,
+                http::header::CONTENT_ENCODING,
                 http::header::CONTENT_LENGTH,
                 http::header::CONTENT_TYPE,
                 http::header::DATE,

nexus/tests/integration_tests/console_api.rs

@@ -189,11 +189,57 @@ async fn test_assets(cptestctx: &ControlPlaneTestContext) {
 
     // existing file is returned
     let resp = RequestBuilder::new(&testctx, Method::GET, "/assets/hello.txt")
+        .expect_status(Some(StatusCode::OK))
         .execute()
         .await
         .expect("failed to get existing file");
 
     assert_eq!(resp.body, "hello there".as_bytes());
+    // make sure we're not including the gzip header on non-gzipped files
+    assert_eq!(resp.headers.get(http::header::CONTENT_ENCODING), None);
+
+    // file with only gzipped version 404s if request doesn't have accept-encoding: gzip
+    let _ = RequestBuilder::new(&testctx, Method::GET, "/assets/gzip-only.txt")
+        .expect_status(Some(StatusCode::NOT_FOUND))
+        .execute()
+        .await
+        .expect("failed to 404 on gzip file without accept-encoding: gzip");
+
+    // file with only gzipped version is returned if request accepts gzip
+    let resp =
+        RequestBuilder::new(&testctx, Method::GET, "/assets/gzip-only.txt")
+            .header(http::header::ACCEPT_ENCODING, "gzip")
+            .expect_status(Some(StatusCode::OK))
+            .expect_response_header(http::header::CONTENT_ENCODING, "gzip")
+            .execute()
+            .await
+            .expect("failed to get existing file");
+
+    assert_eq!(resp.body, "nothing but gzip".as_bytes());
+
+    // file with both gzip and not returns gzipped if request accepts gzip
+    let resp =
+        RequestBuilder::new(&testctx, Method::GET, "/assets/gzip-and-not.txt")
+            .header(http::header::ACCEPT_ENCODING, "gzip")
+            .expect_status(Some(StatusCode::OK))
+            .expect_response_header(http::header::CONTENT_ENCODING, "gzip")
+            .execute()
+            .await
+            .expect("failed to get existing file");
+
+    assert_eq!(resp.body, "pretend this is gzipped beep boop".as_bytes());
+
+    // returns non-gzipped if request doesn't accept gzip
+    let resp =
+        RequestBuilder::new(&testctx, Method::GET, "/assets/gzip-and-not.txt")
+            .expect_status(Some(StatusCode::OK))
+            .execute()
+            .await
+            .expect("failed to get existing file");
+
+    assert_eq!(resp.body, "not gzipped but I know a guy".as_bytes());
+    // make sure we're not including the gzip header on non-gzipped files
+    assert_eq!(resp.headers.get(http::header::CONTENT_ENCODING), None);
 }
 
 #[tokio::test]

nexus/tests/static/assets/gzip-and-not.txt

@@ -0,0 +1 @@
+not gzipped but I know a guy

nexus/tests/static/assets/gzip-and-not.txt.gz

@@ -0,0 +1 @@
+pretend this is gzipped beep boop

nexus/tests/static/assets/gzip-only.txt.gz

@@ -0,0 +1 @@
+nothing but gzip