Compare commits

..

No commits in common. "83b42a04c7e3a813a9d10230255611e5918ef4ea" and "499bb3696d0447b6b3479d15cbb064bffcb62ada" have entirely different histories.

16 changed files with 81 additions and 393 deletions

View File

@ -65,7 +65,7 @@ func (s *Server) bootstrapProxies(ctx context.Context) error {
for layerName, layerConfig := range proxyConfig.Layers { for layerName, layerConfig := range proxyConfig.Layers {
layerType := store.LayerType(layerConfig.Type) layerType := store.LayerType(layerConfig.Type)
layerOptions := store.LayerOptions(layerConfig.Options.Data) layerOptions := store.LayerOptions(layerConfig.Options)
if _, err := layerRepo.CreateLayer(ctx, proxyName, layerName, layerType, layerOptions); err != nil { if _, err := layerRepo.CreateLayer(ctx, proxyName, layerName, layerType, layerOptions); err != nil {
return errors.WithStack(err) return errors.WithStack(err)
@ -109,7 +109,7 @@ func (s *Server) validateBootstrap(ctx context.Context) error {
} }
rawOptions := func(opts config.InterpolatedMap) map[string]any { rawOptions := func(opts config.InterpolatedMap) map[string]any {
return opts.Data return opts
}(layerConf.Options) }(layerConf.Options)
if err := schema.Validate(ctx, layerOptionsSchema, rawOptions); err != nil { if err := schema.Validate(ctx, layerOptionsSchema, rawOptions); err != nil {

View File

@ -101,10 +101,7 @@ func (ib *InterpolatedBool) UnmarshalYAML(value *yaml.Node) error {
return nil return nil
} }
type InterpolatedMap struct { type InterpolatedMap map[string]interface{}
Data map[string]interface{}
env map[string]string
}
func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error { func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error {
var data map[string]interface{} var data map[string]interface{}
@ -113,50 +110,24 @@ func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error {
return errors.Wrapf(err, "could not decode value '%v' (line '%d') into map", value.Value, value.Line) return errors.Wrapf(err, "could not decode value '%v' (line '%d') into map", value.Value, value.Line)
} }
im.Data = im.interpolateRecursive(data).(map[string]any) for key, value := range data {
strVal, ok := value.(string)
if !ok {
continue
}
if match := reVar.FindStringSubmatch(strVal); len(match) > 0 {
strVal = os.Getenv(match[1])
}
data[key] = strVal
}
*im = data
return nil return nil
} }
func (im *InterpolatedMap) interpolateRecursive(data any) any {
if im.env == nil {
im.env = osEnvironment()
}
switch typ := data.(type) {
case map[string]any:
for key, value := range typ {
typ[key] = im.interpolateRecursive(value)
}
case string:
if match := reVar.FindStringSubmatch(typ); len(match) > 0 {
value, exists := im.env[match[1]]
if !exists {
data = ""
}
data = value
}
case []any:
for idx := range typ {
typ[idx] = im.interpolateRecursive(typ[idx])
}
}
return data
}
func osEnvironment() map[string]string {
environ := os.Environ()
env := make(map[string]string, len(environ))
for _, key := range environ {
env[key] = os.Getenv(key)
}
return env
}
type InterpolatedStringSlice []string type InterpolatedStringSlice []string
func (iss *InterpolatedStringSlice) UnmarshalYAML(value *yaml.Node) error { func (iss *InterpolatedStringSlice) UnmarshalYAML(value *yaml.Node) error {

View File

@ -1,69 +0,0 @@
package config
import (
"fmt"
"os"
"testing"
"github.com/pkg/errors"
"gopkg.in/yaml.v3"
)
func TestInterpolatedMap(t *testing.T) {
type testCase struct {
Path string
Env map[string]string
Assert func(t *testing.T, parsed InterpolatedMap)
}
testCases := []testCase{
{
Path: "testdata/environment/interpolated-map-1.yml",
Env: map[string]string{
"TEST_PROP1": "foo",
"TEST_SUB_PROP1": "bar",
"TEST_SUB2_PROP1": "baz",
},
Assert: func(t *testing.T, parsed InterpolatedMap) {
if e, g := "foo", parsed.Data["prop1"]; e != g {
t.Errorf("parsed.Data[\"prop1\"]: expected '%v', got '%v'", e, g)
}
if e, g := "bar", parsed.Data["sub"].(map[string]any)["subProp1"]; e != g {
t.Errorf("parsed.Data[\"sub\"][\"subProp1\"]: expected '%v', got '%v'", e, g)
}
if e, g := "baz", parsed.Data["sub2"].(map[string]any)["sub2Prop1"].([]any)[0]; e != g {
t.Errorf("parsed.Data[\"sub2\"][\"sub2Prop1\"][0]: expected '%v', got '%v'", e, g)
}
if e, g := "test", parsed.Data["sub2"].(map[string]any)["sub2Prop1"].([]any)[1]; e != g {
t.Errorf("parsed.Data[\"sub2\"][\"sub2Prop1\"][1]: expected '%v', got '%v'", e, g)
}
},
},
}
for idx, tc := range testCases {
t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
data, err := os.ReadFile(tc.Path)
if err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
var interpolatedMap InterpolatedMap
if tc.Env != nil {
interpolatedMap.env = tc.Env
}
if err := yaml.Unmarshal(data, &interpolatedMap); err != nil {
t.Fatalf("%+v", errors.WithStack(err))
}
if tc.Assert != nil {
tc.Assert(t, interpolatedMap)
}
})
}
}

View File

@ -15,12 +15,6 @@ func NewDefaultLayersConfig() LayersConfig {
}, },
Authn: AuthnLayerConfig{ Authn: AuthnLayerConfig{
TemplateDir: "./layers/authn/templates", TemplateDir: "./layers/authn/templates",
OIDC: AuthnOIDCLayerConfig{
HTTPClient: AuthnOIDCHTTPClientConfig{
TransportConfig: NewDefaultTransportConfig(),
Timeout: NewInterpolatedDuration(10 * time.Second),
},
},
}, },
} }
} }
@ -32,14 +26,4 @@ type QueueLayerConfig struct {
type AuthnLayerConfig struct { type AuthnLayerConfig struct {
TemplateDir InterpolatedString `yaml:"templateDir"` TemplateDir InterpolatedString `yaml:"templateDir"`
OIDC AuthnOIDCLayerConfig `yaml:"oidc"`
}
type AuthnOIDCLayerConfig struct {
HTTPClient AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
}
type AuthnOIDCHTTPClientConfig struct {
TransportConfig
Timeout *InterpolatedDuration `yaml:"timeout"`
} }

View File

@ -17,9 +17,9 @@ func (c *BasicAuthConfig) CredentialsMap() map[string]string {
return map[string]string{} return map[string]string{}
} }
credentials := make(map[string]string, len(c.Credentials.Data)) credentials := make(map[string]string, len(*c.Credentials))
for k, v := range c.Credentials.Data { for k, v := range *c.Credentials {
credentials[k] = fmt.Sprintf("%v", v) credentials[k] = fmt.Sprintf("%v", v)
} }

View File

@ -1,10 +1,6 @@
package config package config
import ( import "time"
"crypto/tls"
"net/http"
"time"
)
type ProxyServerConfig struct { type ProxyServerConfig struct {
HTTP HTTPConfig `yaml:"http"` HTTP HTTPConfig `yaml:"http"`
@ -29,33 +25,6 @@ type TransportConfig struct {
WriteBufferSize InterpolatedInt `yaml:"writeBufferSize"` WriteBufferSize InterpolatedInt `yaml:"writeBufferSize"`
ReadBufferSize InterpolatedInt `yaml:"readBufferSize"` ReadBufferSize InterpolatedInt `yaml:"readBufferSize"`
MaxResponseHeaderBytes InterpolatedInt `yaml:"maxResponseHeaderBytes"` MaxResponseHeaderBytes InterpolatedInt `yaml:"maxResponseHeaderBytes"`
InsecureSkipVerify InterpolatedBool `yaml:"insecureSkipVerify"`
}
func (c TransportConfig) AsTransport() *http.Transport {
httpTransport := http.DefaultTransport.(*http.Transport).Clone()
httpTransport.Proxy = http.ProxyFromEnvironment
httpTransport.ForceAttemptHTTP2 = bool(c.ForceAttemptHTTP2)
httpTransport.MaxIdleConns = int(c.MaxIdleConns)
httpTransport.MaxIdleConnsPerHost = int(c.MaxIdleConnsPerHost)
httpTransport.MaxConnsPerHost = int(c.MaxConnsPerHost)
httpTransport.IdleConnTimeout = time.Duration(*c.IdleConnTimeout)
httpTransport.TLSHandshakeTimeout = time.Duration(*c.TLSHandshakeTimeout)
httpTransport.ExpectContinueTimeout = time.Duration(*c.ExpectContinueTimeout)
httpTransport.DisableKeepAlives = bool(c.DisableKeepAlives)
httpTransport.DisableCompression = bool(c.DisableCompression)
httpTransport.ResponseHeaderTimeout = time.Duration(*c.ResponseHeaderTimeout)
httpTransport.WriteBufferSize = int(c.WriteBufferSize)
httpTransport.ReadBufferSize = int(c.ReadBufferSize)
httpTransport.MaxResponseHeaderBytes = int64(c.MaxResponseHeaderBytes)
if httpTransport.TLSClientConfig == nil {
httpTransport.TLSClientConfig = &tls.Config{}
}
httpTransport.TLSClientConfig.InsecureSkipVerify = bool(c.InsecureSkipVerify)
return httpTransport
} }
func NewDefaultProxyServerConfig() ProxyServerConfig { func NewDefaultProxyServerConfig() ProxyServerConfig {
@ -100,6 +69,5 @@ func NewDefaultTransportConfig() TransportConfig {
ReadBufferSize: 4096, ReadBufferSize: 4096,
WriteBufferSize: 4096, WriteBufferSize: 4096,
MaxResponseHeaderBytes: 0, MaxResponseHeaderBytes: 0,
InsecureSkipVerify: false,
} }
} }

View File

@ -1,6 +0,0 @@
prop1: "${TEST_PROP1}"
prop2: 1
sub:
subProp1: "${TEST_SUB_PROP1}"
sub2:
sub2Prop1: ["${TEST_SUB2_PROP1}", "test"]

View File

@ -1,16 +1,11 @@
package oidc package oidc
import ( import (
"bytes"
"context" "context"
"crypto/tls"
"fmt" "fmt"
"net/http" "net/http"
"net/url" "net/url"
"text/template"
"time"
"forge.cadoles.com/Cadoles/go-proxy/wildcard"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director" "forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn" "forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
"forge.cadoles.com/cadoles/bouncer/internal/store" "forge.cadoles.com/cadoles/bouncer/internal/store"
@ -23,8 +18,6 @@ import (
type Authenticator struct { type Authenticator struct {
store sessions.Store store sessions.Store
httpTransport *http.Transport
httpClientTimeout time.Duration
} }
func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error { func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
@ -35,9 +28,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
return errors.WithStack(err) return errors.WithStack(err)
} }
baseURL := originalURL.Scheme + "://" + originalURL.Host options, err := fromStoreOptions(layer.Options)
options, err := fromStoreOptions(layer.Options, baseURL)
if err != nil { if err != nil {
return errors.WithStack(err) return errors.WithStack(err)
} }
@ -47,30 +38,16 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
logger.Error(ctx, "could not retrieve session", logger.E(errors.WithStack(err))) logger.Error(ctx, "could not retrieve session", logger.E(errors.WithStack(err)))
} }
loginCallbackURL, err := a.getLoginCallbackURL(layer.Proxy, layer.Name, options) redirectURL := a.getRedirectURL(layer.Proxy, layer.Name, originalURL, options)
logoutURL := a.getLogoutURL(layer.Proxy, layer.Name, originalURL, options)
client, err := a.getClient(options, redirectURL.String())
if err != nil { if err != nil {
return errors.WithStack(err) return errors.WithStack(err)
} }
client, err := a.getClient(options, loginCallbackURL.String()) switch r.URL.Path {
if err != nil { case redirectURL.Path:
return errors.WithStack(err)
}
loginCallbackURLPattern, err := a.templatize(options.OIDC.MatchLoginCallbackURL, layer.Proxy, layer.Name)
if err != nil {
return errors.WithStack(err)
}
logoutURLPattern, err := a.templatize(options.OIDC.MatchLogoutURL, layer.Proxy, layer.Name)
if err != nil {
return errors.WithStack(err)
}
logger.Debug(ctx, "checking url", logger.F("loginCallbackURLPattern", loginCallbackURLPattern), logger.F("logoutURLPattern", logoutURLPattern))
switch {
case wildcard.Match(originalURL.String(), loginCallbackURLPattern):
if err := client.HandleCallback(w, r, sess); err != nil { if err := client.HandleCallback(w, r, sess); err != nil {
return errors.WithStack(err) return errors.WithStack(err)
} }
@ -80,7 +57,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
metricLabelProxy: string(layer.Proxy), metricLabelProxy: string(layer.Proxy),
}).Add(1) }).Add(1)
case wildcard.Match(originalURL.String(), logoutURLPattern): case logoutURL.Path:
postLogoutRedirectURL := options.OIDC.PostLogoutRedirectURL postLogoutRedirectURL := options.OIDC.PostLogoutRedirectURL
if options.OIDC.PostLogoutRedirectURL == "" { if options.OIDC.PostLogoutRedirectURL == "" {
postLogoutRedirectURL = originalURL.Scheme + "://" + originalURL.Host postLogoutRedirectURL = originalURL.Scheme + "://" + originalURL.Host
@ -108,9 +85,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
return nil, errors.WithStack(err) return nil, errors.WithStack(err)
} }
baseURL := originalURL.Scheme + "://" + originalURL.Host options, err := fromStoreOptions(layer.Options)
options, err := fromStoreOptions(layer.Options, baseURL)
if err != nil { if err != nil {
return nil, errors.WithStack(err) return nil, errors.WithStack(err)
} }
@ -142,12 +117,9 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
sess.Options.SameSite = http.SameSiteDefaultMode sess.Options.SameSite = http.SameSiteDefaultMode
} }
loginCallbackURL, err := a.getLoginCallbackURL(layer.Proxy, layer.Name, options) redirectURL := a.getRedirectURL(layer.Proxy, layer.Name, originalURL, options)
if err != nil {
return nil, errors.WithStack(err)
}
client, err := a.getClient(options, loginCallbackURL.String()) client, err := a.getClient(options, redirectURL.String())
if err != nil { if err != nil {
return nil, errors.WithStack(err) return nil, errors.WithStack(err)
} }
@ -166,7 +138,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
return nil, errors.WithStack(err) return nil, errors.WithStack(err)
} }
user, err := a.toUser(idToken, layer.Proxy, layer.Name, options, sess) user, err := a.toUser(idToken, layer.Proxy, layer.Name, originalURL, options, sess)
if err != nil { if err != nil {
return nil, errors.WithStack(err) return nil, errors.WithStack(err)
} }
@ -224,7 +196,7 @@ func (c claims) AsAttrs() map[string]any {
return attrs return attrs
} }
func (a *Authenticator) toUser(idToken *oidc.IDToken, proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions, sess *sessions.Session) (*authn.User, error) { func (a *Authenticator) toUser(idToken *oidc.IDToken, proxyName store.ProxyName, layerName store.LayerName, originalURL *url.URL, options *LayerOptions, sess *sessions.Session) (*authn.User, error) {
var claims claims var claims claims
if err := idToken.Claims(&claims); err != nil { if err := idToken.Claims(&claims); err != nil {
@ -237,11 +209,7 @@ func (a *Authenticator) toUser(idToken *oidc.IDToken, proxyName store.ProxyName,
attrs := claims.AsAttrs() attrs := claims.AsAttrs()
logoutURL, err := a.getLogoutURL(proxyName, layerName, options) logoutURL := a.getLogoutURL(proxyName, layerName, originalURL, options)
if err != nil {
return nil, errors.WithStack(err)
}
attrs["logout_url"] = logoutURL.String() attrs["logout_url"] = logoutURL.String()
if accessToken, exists := sess.Values[sessionKeyAccessToken]; exists && accessToken != nil { if accessToken, exists := sess.Values[sessionKeyAccessToken]; exists && accessToken != nil {
@ -261,80 +229,25 @@ func (a *Authenticator) toUser(idToken *oidc.IDToken, proxyName store.ProxyName,
return user, nil return user, nil
} }
func (a *Authenticator) getLoginCallbackURL(proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) (*url.URL, error) { func (a *Authenticator) getRedirectURL(proxyName store.ProxyName, layerName store.LayerName, u *url.URL, options *LayerOptions) *url.URL {
url, err := a.generateURL(options.OIDC.LoginCallbackURL, proxyName, layerName) return &url.URL{
if err != nil { Scheme: u.Scheme,
return nil, errors.WithStack(err) Host: u.Host,
Path: fmt.Sprintf(options.OIDC.LoginCallbackPath, fmt.Sprintf("%s/%s", proxyName, layerName)),
}
} }
return url, nil func (a *Authenticator) getLogoutURL(proxyName store.ProxyName, layerName store.LayerName, u *url.URL, options *LayerOptions) *url.URL {
return &url.URL{
Scheme: u.Scheme,
Host: u.Host,
Path: fmt.Sprintf(options.OIDC.LogoutPath, fmt.Sprintf("%s/%s", proxyName, layerName)),
} }
func (a *Authenticator) getLogoutURL(proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) (*url.URL, error) {
url, err := a.generateURL(options.OIDC.LogoutURL, proxyName, layerName)
if err != nil {
return nil, errors.WithStack(err)
}
return url, nil
}
func (a *Authenticator) generateURL(rawURLTemplate string, proxyName store.ProxyName, layerName store.LayerName) (*url.URL, error) {
rawURL, err := a.templatize(rawURLTemplate, proxyName, layerName)
if err != nil {
return nil, errors.WithStack(err)
}
url, err := url.Parse(rawURL)
if err != nil {
return nil, errors.WithStack(err)
}
return url, nil
}
func (a *Authenticator) templatize(rawTemplate string, proxyName store.ProxyName, layerName store.LayerName) (string, error) {
tmpl, err := template.New("").Parse(rawTemplate)
if err != nil {
return "", errors.WithStack(err)
}
var raw bytes.Buffer
err = tmpl.Execute(&raw, struct {
ProxyName store.ProxyName
LayerName store.LayerName
}{
ProxyName: proxyName,
LayerName: layerName,
})
if err != nil {
return "", errors.WithStack(err)
}
return raw.String(), nil
} }
func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*Client, error) { func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*Client, error) {
ctx := context.Background() ctx := context.Background()
transport := a.httpTransport.Clone()
if options.OIDC.TLSInsecureSkipVerify {
if transport.TLSClientConfig == nil {
transport.TLSClientConfig = &tls.Config{}
}
transport.TLSClientConfig.InsecureSkipVerify = true
}
httpClient := &http.Client{
Timeout: a.httpClientTimeout,
Transport: transport,
}
ctx = oidc.ClientContext(ctx, httpClient)
if options.OIDC.SkipIssuerVerification { if options.OIDC.SkipIssuerVerification {
ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL) ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
} }
@ -350,7 +263,6 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
WithRedirectURL(redirectURL), WithRedirectURL(redirectURL),
WithScopes(options.OIDC.Scopes...), WithScopes(options.OIDC.Scopes...),
WithAuthParams(options.OIDC.AuthParams), WithAuthParams(options.OIDC.AuthParams),
WithHTTPClient(httpClient),
) )
return client, nil return client, nil

View File

@ -30,7 +30,6 @@ var (
) )
type Client struct { type Client struct {
httpClient *http.Client
oauth2 *oauth2.Config oauth2 *oauth2.Config
provider *oidc.Provider provider *oidc.Provider
verifier *oidc.IDTokenVerifier verifier *oidc.IDTokenVerifier
@ -211,7 +210,6 @@ func (c *Client) sessionEndURL(idTokenHint, state, postLogoutRedirectURL string)
func (c *Client) validate(r *http.Request, sess *sessions.Session) (*oauth2.Token, *oidc.IDToken, string, error) { func (c *Client) validate(r *http.Request, sess *sessions.Session) (*oauth2.Token, *oidc.IDToken, string, error) {
ctx := r.Context() ctx := r.Context()
ctx = oidc.ClientContext(ctx, c.httpClient)
rawStoredState := sess.Values[sessionKeyLoginState] rawStoredState := sess.Values[sessionKeyLoginState]
receivedState := r.URL.Query().Get("state") receivedState := r.URL.Query().Get("state")
@ -289,6 +287,5 @@ func NewClient(funcs ...ClientOptionFunc) *Client {
provider: opts.Provider, provider: opts.Provider,
verifier: verifier, verifier: verifier,
authParams: opts.AuthParams, authParams: opts.AuthParams,
httpClient: opts.HTTPClient,
} }
} }

View File

@ -2,7 +2,6 @@ package oidc
import ( import (
"context" "context"
"net/http"
"github.com/coreos/go-oidc/v3/oidc" "github.com/coreos/go-oidc/v3/oidc"
) )
@ -15,7 +14,6 @@ type ClientOptions struct {
Scopes []string Scopes []string
AuthParams map[string]string AuthParams map[string]string
SkipIssuerCheck bool SkipIssuerCheck bool
HTTPClient *http.Client
} }
type ClientOptionFunc func(*ClientOptions) type ClientOptionFunc func(*ClientOptions)
@ -65,16 +63,9 @@ func WithProvider(provider *oidc.Provider) ClientOptionFunc {
} }
} }
func WithHTTPClient(client *http.Client) ClientOptionFunc {
return func(opt *ClientOptions) {
opt.HTTPClient = client
}
}
func NewClientOptions(funcs ...ClientOptionFunc) *ClientOptions { func NewClientOptions(funcs ...ClientOptionFunc) *ClientOptions {
opt := &ClientOptions{ opt := &ClientOptions{
Scopes: []string{oidc.ScopeOpenID, "profile"}, Scopes: []string{oidc.ScopeOpenID, "profile"},
HTTPClient: http.DefaultClient,
} }
for _, f := range funcs { for _, f := range funcs {

View File

@ -42,39 +42,22 @@
} }
} }
}, },
"loginCallbackURL": { "loginCallbackPath": {
"title": "Chemin associé à l'URL de callback OpenID Connect", "title": "Chemin associé à l'URL de callback OpenID Connect",
"default": "<scheme>://<host>/.bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/callback", "default": "/.bouncer/authn/oidc/%s/callback",
"description": "Les marqueurs '{{ .ProxyName }}' et '{{ .LayerName }}' peuvent être utilisés pour injecter le nom du proxy ainsi que celui du layer.", "description": "Le marqueur '%s' peut être utilisé pour injecter l'espace de nom '<proxy>/<layer>'.",
"type": "string" "type": "string"
}, },
"matchLoginCallbackURL": { "logoutPath": {
"title": "Patron de correspondance de l'URL interne de callback OpenID Connect",
"default": "*/.bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/callback",
"description": "Les marqueurs '{{ .ProxyName }}' et '{{ .LayerName }}' peuvent être utilisés pour injecter le nom du proxy ainsi que celui du layer.",
"type": "string"
},
"logoutURL": {
"title": "Chemin associé à l'URL de déconnexion", "title": "Chemin associé à l'URL de déconnexion",
"default": "<scheme>://<host>/.bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/logout", "default": "/.bouncer/authn/oidc/%s/logout",
"description": "Les marqueurs '{{ .ProxyName }}' et '{{ .LayerName }}' peuvent être utilisés pour injecter le nom du proxy ainsi que celui du layer.", "description": "Le marqueur '%s' peut être utilisé pour injecter l'espace de nom '<proxy>/<layer>'.",
"type": "string"
},
"matchLogoutURL": {
"title": "Patron de correspondance l'URL interne de déconnexion",
"default": "*/.bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/logout",
"description": "Les marqueurs '{{ .ProxyName }}' et '{{ .LayerName }}' peuvent être utilisés pour injecter le nom du proxy ainsi que celui du layer.",
"type": "string" "type": "string"
}, },
"skipIssuerVerification": { "skipIssuerVerification": {
"title": "Activer/désactiver la vérification de concordance de l'identifiant du fournisseur d'identité", "title": "Activer/désactiver la vérification de concordance de l'identifiant du fournisseur d'identité",
"default": false, "default": false,
"type": "boolean" "type": "boolean"
},
"tlsInsecureSkipVerify": {
"title": "Activer/désactiver la vérification du certificat TLS distant",
"default": false,
"type": "boolean"
} }
}, },
"additionalProperties": false, "additionalProperties": false,

View File

@ -8,11 +8,6 @@ import (
const LayerType store.LayerType = "authn-oidc" const LayerType store.LayerType = "authn-oidc"
func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer { func NewLayer(store sessions.Store) *authn.Layer {
opts := NewOptions(funcs...) return authn.NewLayer(LayerType, &Authenticator{store: store})
return authn.NewLayer(LayerType, &Authenticator{
httpTransport: opts.HTTPTransport,
httpClientTimeout: opts.HTTPClientTimeout,
store: store,
})
} }

View File

@ -19,14 +19,11 @@ type LayerOptions struct {
type OIDCOptions struct { type OIDCOptions struct {
ClientID string `mapstructure:"clientId"` ClientID string `mapstructure:"clientId"`
ClientSecret string `mapstructure:"clientSecret"` ClientSecret string `mapstructure:"clientSecret"`
LoginCallbackURL string `mapstructure:"loginCallbackURL"` LoginCallbackPath string `mapstructure:"loginCallbackPath"`
MatchLoginCallbackURL string `mapstructure:"matchLoginCallbackURL"` LogoutPath string `mapstructure:"logoutPath"`
LogoutURL string `mapstructure:"logoutURL"`
MatchLogoutURL string `mapstructure:"matchLogoutURL"`
IssuerURL string `mapstructure:"issuerURL"` IssuerURL string `mapstructure:"issuerURL"`
SkipIssuerVerification bool `mapstructure:"skipIssuerVerification"` SkipIssuerVerification bool `mapstructure:"skipIssuerVerification"`
PostLogoutRedirectURL string `mapstructure:"postLogoutRedirectURL"` PostLogoutRedirectURL string `mapstructure:"postLogoutRedirectURL"`
TLSInsecureSkipVerify bool `mapstructure:"tlsInsecureSkipVerify"`
Scopes []string `mapstructure:"scopes"` Scopes []string `mapstructure:"scopes"`
AuthParams map[string]string `mapstructure:"authParams"` AuthParams map[string]string `mapstructure:"authParams"`
} }
@ -41,17 +38,12 @@ type CookieOptions struct {
MaxAge time.Duration `mapstructure:"maxAge"` MaxAge time.Duration `mapstructure:"maxAge"`
} }
func fromStoreOptions(storeOptions store.LayerOptions, baseURL string) (*LayerOptions, error) { func fromStoreOptions(storeOptions store.LayerOptions) (*LayerOptions, error) {
loginCallbackPath := "/.bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/callback"
logoutPath := "/.bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/logout"
layerOptions := LayerOptions{ layerOptions := LayerOptions{
LayerOptions: authn.DefaultLayerOptions(), LayerOptions: authn.DefaultLayerOptions(),
OIDC: OIDCOptions{ OIDC: OIDCOptions{
LoginCallbackURL: baseURL + loginCallbackPath, LoginCallbackPath: "/.bouncer/authn/oidc/%s/callback",
MatchLoginCallbackURL: "*" + loginCallbackPath, LogoutPath: "/.bouncer/authn/oidc/%s/logout",
LogoutURL: baseURL + logoutPath,
MatchLogoutURL: "*" + logoutPath,
Scopes: []string{"openid"}, Scopes: []string{"openid"},
}, },
Cookie: CookieOptions{ Cookie: CookieOptions{

View File

@ -1,38 +0,0 @@
package oidc
import (
"net/http"
"time"
)
type Options struct {
HTTPTransport *http.Transport
HTTPClientTimeout time.Duration
}
type OptionFunc func(opts *Options)
func WithHTTPTransport(transport *http.Transport) OptionFunc {
return func(opts *Options) {
opts.HTTPTransport = transport
}
}
func WithHTTPClientTimeout(timeout time.Duration) OptionFunc {
return func(opts *Options) {
opts.HTTPClientTimeout = timeout
}
}
func NewOptions(funcs ...OptionFunc) *Options {
opts := &Options{
HTTPTransport: http.DefaultTransport.(*http.Transport),
HTTPClientTimeout: 30 * time.Second,
}
for _, fn := range funcs {
fn(opts)
}
return opts
}

View File

@ -159,10 +159,26 @@ func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httpu
DualStack: bool(dialConfig.DualStack), DualStack: bool(dialConfig.DualStack),
} }
httpTransport := s.serverConfig.Transport.AsTransport() transportConfig := s.serverConfig.Transport
httpTransport.DialContext = dialer.DialContext
reverseProxy.Transport = &http.Transport{
Proxy: http.ProxyFromEnvironment,
DialContext: dialer.DialContext,
ForceAttemptHTTP2: bool(transportConfig.ForceAttemptHTTP2),
MaxIdleConns: int(transportConfig.MaxIdleConns),
MaxIdleConnsPerHost: int(transportConfig.MaxIdleConnsPerHost),
MaxConnsPerHost: int(transportConfig.MaxConnsPerHost),
IdleConnTimeout: time.Duration(*transportConfig.IdleConnTimeout),
TLSHandshakeTimeout: time.Duration(*transportConfig.TLSHandshakeTimeout),
ExpectContinueTimeout: time.Duration(*transportConfig.ExpectContinueTimeout),
DisableKeepAlives: bool(transportConfig.DisableKeepAlives),
DisableCompression: bool(transportConfig.DisableCompression),
ResponseHeaderTimeout: time.Duration(*transportConfig.ResponseHeaderTimeout),
WriteBufferSize: int(transportConfig.WriteBufferSize),
ReadBufferSize: int(transportConfig.ReadBufferSize),
MaxResponseHeaderBytes: int64(transportConfig.MaxResponseHeaderBytes),
}
reverseProxy.Transport = httpTransport
reverseProxy.ErrorHandler = s.errorHandler reverseProxy.ErrorHandler = s.errorHandler
return reverseProxy return reverseProxy

View File

@ -1,8 +1,6 @@
package setup package setup
import ( import (
"time"
"forge.cadoles.com/cadoles/bouncer/internal/config" "forge.cadoles.com/cadoles/bouncer/internal/config"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director" "forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn" "forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
@ -27,11 +25,5 @@ func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
adapter := redis.NewStoreAdapter(rdb) adapter := redis.NewStoreAdapter(rdb)
store := session.NewStore(adapter) store := session.NewStore(adapter)
transport := conf.Layers.Authn.OIDC.HTTPClient.AsTransport() return oidc.NewLayer(store), nil
return oidc.NewLayer(
store,
oidc.WithHTTPTransport(transport),
oidc.WithHTTPClientTimeout(time.Duration(*conf.Layers.Authn.OIDC.HTTPClient.Timeout)),
), nil
} }