Compare commits
9 Commits
v2024.11.8
...
v2025.3.17
| Author | SHA1 | Date | |
|---|---|---|---|
| 8b132dddd4 | |||
| 6a4a144c97 | |||
| ac7b7e8189 | |||
| 2df74bad4f | |||
| 076a3d784e | |||
| 826edef358 | |||
| ce7415af20 | |||
| 7cc9de180c | |||
| 74c2a2c055 |
@ -17,9 +17,7 @@ const (
|
||||
)
|
||||
|
||||
func RunCommand() *cli.Command {
|
||||
flags := append(
|
||||
common.Flags(),
|
||||
)
|
||||
flags := common.Flags()
|
||||
|
||||
return &cli.Command{
|
||||
Name: "run",
|
||||
|
||||
@ -20,6 +20,10 @@ func NewDefaultLayersConfig() LayersConfig {
|
||||
TransportConfig: NewDefaultTransportConfig(),
|
||||
Timeout: NewInterpolatedDuration(10 * time.Second),
|
||||
},
|
||||
ProviderCacheTimeout: NewInterpolatedDuration(time.Hour),
|
||||
},
|
||||
Sessions: AuthnLayerSessionConfig{
|
||||
TTL: NewInterpolatedDuration(time.Hour),
|
||||
},
|
||||
},
|
||||
}
|
||||
@ -31,13 +35,19 @@ type QueueLayerConfig struct {
|
||||
}
|
||||
|
||||
type AuthnLayerConfig struct {
|
||||
Debug InterpolatedBool `yaml:"debug"`
|
||||
TemplateDir InterpolatedString `yaml:"templateDir"`
|
||||
OIDC AuthnOIDCLayerConfig `yaml:"oidc"`
|
||||
Debug InterpolatedBool `yaml:"debug"`
|
||||
TemplateDir InterpolatedString `yaml:"templateDir"`
|
||||
OIDC AuthnOIDCLayerConfig `yaml:"oidc"`
|
||||
Sessions AuthnLayerSessionConfig `yaml:"sessions"`
|
||||
}
|
||||
|
||||
type AuthnLayerSessionConfig struct {
|
||||
TTL *InterpolatedDuration `yaml:"ttl"`
|
||||
}
|
||||
|
||||
type AuthnOIDCLayerConfig struct {
|
||||
HTTPClient AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
|
||||
HTTPClient AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
|
||||
ProviderCacheTimeout *InterpolatedDuration `yaml:"providerCacheTimeout"`
|
||||
}
|
||||
|
||||
type AuthnOIDCHTTPClientConfig struct {
|
||||
|
||||
@ -6,6 +6,7 @@ import (
|
||||
"net/url"
|
||||
|
||||
"forge.cadoles.com/cadoles/bouncer/internal/store"
|
||||
"github.com/getsentry/sentry-go"
|
||||
"github.com/pkg/errors"
|
||||
"gitlab.com/wpetit/goweb/logger"
|
||||
)
|
||||
@ -17,6 +18,7 @@ const (
|
||||
contextKeyLayers contextKey = "layers"
|
||||
contextKeyOriginalURL contextKey = "originalURL"
|
||||
contextKeyHandleError contextKey = "handleError"
|
||||
contextKeySentryScope contextKey = "sentryScope"
|
||||
)
|
||||
|
||||
var (
|
||||
@ -82,3 +84,16 @@ func HandleError(ctx context.Context, w http.ResponseWriter, r *http.Request, st
|
||||
|
||||
fn(w, r, status, err)
|
||||
}
|
||||
|
||||
func withSentryScope(ctx context.Context, scope *sentry.Scope) context.Context {
|
||||
return context.WithValue(ctx, contextKeySentryScope, scope)
|
||||
}
|
||||
|
||||
func SentryScope(ctx context.Context) (*sentry.Scope, error) {
|
||||
scope, err := ctxValue[*sentry.Scope](ctx, contextKeySentryScope)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
return scope, nil
|
||||
}
|
||||
|
||||
@ -9,6 +9,7 @@ import (
|
||||
"forge.cadoles.com/Cadoles/go-proxy/wildcard"
|
||||
"forge.cadoles.com/cadoles/bouncer/internal/cache"
|
||||
"forge.cadoles.com/cadoles/bouncer/internal/store"
|
||||
"github.com/getsentry/sentry-go"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/prometheus/client_golang/prometheus"
|
||||
"gitlab.com/wpetit/goweb/logger"
|
||||
@ -76,6 +77,13 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
|
||||
proxyCtx = withLayers(proxyCtx, layers)
|
||||
r = r.WithContext(proxyCtx)
|
||||
|
||||
if sentryScope, _ := SentryScope(ctx); sentryScope != nil {
|
||||
sentryScope.SetContext("bouncer", sentry.Context{
|
||||
"proxy_name": p.Name,
|
||||
"proxy_target": r.URL.String(),
|
||||
})
|
||||
}
|
||||
|
||||
return r, nil
|
||||
}
|
||||
}
|
||||
@ -216,40 +224,43 @@ func (d *Director) ResponseTransformer() proxy.ResponseTransformer {
|
||||
func (d *Director) Middleware() proxy.Middleware {
|
||||
return func(next http.Handler) http.Handler {
|
||||
fn := func(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := withHandleError(r.Context(), d.handleError)
|
||||
r = r.WithContext(ctx)
|
||||
sentry.ConfigureScope(func(scope *sentry.Scope) {
|
||||
ctx := withHandleError(r.Context(), d.handleError)
|
||||
ctx = withSentryScope(ctx, scope)
|
||||
r = r.WithContext(ctx)
|
||||
|
||||
r, err := d.rewriteRequest(r)
|
||||
if err != nil {
|
||||
HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
|
||||
return
|
||||
}
|
||||
|
||||
ctx = r.Context()
|
||||
|
||||
layers, err := ctxLayers(ctx)
|
||||
if err != nil {
|
||||
if errors.Is(err, errContextKeyNotFound) {
|
||||
r, err := d.rewriteRequest(r)
|
||||
if err != nil {
|
||||
HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
|
||||
return
|
||||
}
|
||||
|
||||
HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
|
||||
return
|
||||
}
|
||||
ctx = r.Context()
|
||||
|
||||
httpMiddlewares := make([]proxy.Middleware, 0)
|
||||
for _, layer := range layers {
|
||||
middleware, ok := d.layerRegistry.GetMiddleware(layer.Type)
|
||||
if !ok {
|
||||
continue
|
||||
layers, err := ctxLayers(ctx)
|
||||
if err != nil {
|
||||
if errors.Is(err, errContextKeyNotFound) {
|
||||
return
|
||||
}
|
||||
|
||||
HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
|
||||
return
|
||||
}
|
||||
|
||||
httpMiddlewares = append(httpMiddlewares, middleware.Middleware(layer))
|
||||
}
|
||||
httpMiddlewares := make([]proxy.Middleware, 0)
|
||||
for _, layer := range layers {
|
||||
middleware, ok := d.layerRegistry.GetMiddleware(layer.Type)
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
|
||||
handler := createMiddlewareChain(next, httpMiddlewares)
|
||||
httpMiddlewares = append(httpMiddlewares, middleware.Middleware(layer))
|
||||
}
|
||||
|
||||
handler.ServeHTTP(w, r)
|
||||
handler := createMiddlewareChain(next, httpMiddlewares)
|
||||
|
||||
handler.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
|
||||
return http.HandlerFunc(fn)
|
||||
|
||||
@ -13,6 +13,7 @@ import (
|
||||
"time"
|
||||
|
||||
"forge.cadoles.com/Cadoles/go-proxy/wildcard"
|
||||
"forge.cadoles.com/cadoles/bouncer/internal/cache"
|
||||
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
|
||||
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
|
||||
"forge.cadoles.com/cadoles/bouncer/internal/store"
|
||||
@ -27,6 +28,7 @@ type Authenticator struct {
|
||||
store sessions.Store
|
||||
httpTransport *http.Transport
|
||||
httpClientTimeout time.Duration
|
||||
oidcProviderCache cache.Cache[string, *oidc.Provider]
|
||||
}
|
||||
|
||||
func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
|
||||
@ -378,15 +380,23 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
|
||||
Transport: transport,
|
||||
}
|
||||
|
||||
ctx = oidc.ClientContext(ctx, httpClient)
|
||||
provider, exists := a.oidcProviderCache.Get(options.OIDC.IssuerURL)
|
||||
if !exists {
|
||||
var err error
|
||||
ctx = oidc.ClientContext(ctx, httpClient)
|
||||
|
||||
if options.OIDC.SkipIssuerVerification {
|
||||
ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
|
||||
}
|
||||
if options.OIDC.SkipIssuerVerification {
|
||||
ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
|
||||
}
|
||||
|
||||
provider, err := oidc.NewProvider(ctx, options.OIDC.IssuerURL)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "could not create oidc provider")
|
||||
logger.Debug(ctx, "refreshing oidc provider", logger.F("issuerURL", options.OIDC.IssuerURL))
|
||||
|
||||
provider, err = oidc.NewProvider(ctx, options.OIDC.IssuerURL)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "could not create oidc provider")
|
||||
}
|
||||
|
||||
a.oidcProviderCache.Set(options.OIDC.IssuerURL, provider)
|
||||
}
|
||||
|
||||
client := NewClient(
|
||||
|
||||
@ -1,8 +1,13 @@
|
||||
package oidc
|
||||
|
||||
import (
|
||||
"time"
|
||||
|
||||
"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
|
||||
"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
|
||||
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
|
||||
"forge.cadoles.com/cadoles/bouncer/internal/store"
|
||||
"github.com/coreos/go-oidc/v3/oidc"
|
||||
"github.com/gorilla/sessions"
|
||||
)
|
||||
|
||||
@ -14,5 +19,10 @@ func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer {
|
||||
httpTransport: opts.HTTPTransport,
|
||||
httpClientTimeout: opts.HTTPClientTimeout,
|
||||
store: store,
|
||||
oidcProviderCache: ttl.NewCache(
|
||||
memory.NewCache[string, *oidc.Provider](),
|
||||
memory.NewCache[string, time.Time](),
|
||||
opts.OIDCProviderCacheTimeout,
|
||||
),
|
||||
}, opts.AuthnOptions...)
|
||||
}
|
||||
|
||||
@ -8,9 +8,10 @@ import (
|
||||
)
|
||||
|
||||
type Options struct {
|
||||
HTTPTransport *http.Transport
|
||||
HTTPClientTimeout time.Duration
|
||||
AuthnOptions []authn.OptionFunc
|
||||
HTTPTransport *http.Transport
|
||||
HTTPClientTimeout time.Duration
|
||||
AuthnOptions []authn.OptionFunc
|
||||
OIDCProviderCacheTimeout time.Duration
|
||||
}
|
||||
|
||||
type OptionFunc func(opts *Options)
|
||||
@ -33,11 +34,18 @@ func WithAuthnOptions(funcs ...authn.OptionFunc) OptionFunc {
|
||||
}
|
||||
}
|
||||
|
||||
func WithOIDCProviderCacheTimeout(timeout time.Duration) OptionFunc {
|
||||
return func(opts *Options) {
|
||||
opts.OIDCProviderCacheTimeout = timeout
|
||||
}
|
||||
}
|
||||
|
||||
func NewOptions(funcs ...OptionFunc) *Options {
|
||||
opts := &Options{
|
||||
HTTPTransport: http.DefaultTransport.(*http.Transport),
|
||||
HTTPClientTimeout: 30 * time.Second,
|
||||
AuthnOptions: make([]authn.OptionFunc, 0),
|
||||
HTTPTransport: http.DefaultTransport.(*http.Transport),
|
||||
HTTPClientTimeout: 30 * time.Second,
|
||||
AuthnOptions: make([]authn.OptionFunc, 0),
|
||||
OIDCProviderCacheTimeout: time.Hour,
|
||||
}
|
||||
|
||||
for _, fn := range funcs {
|
||||
|
||||
@ -233,9 +233,7 @@ func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {
|
||||
func (s *Server) handleError(w http.ResponseWriter, r *http.Request, status int, err error) {
|
||||
err = errors.WithStack(err)
|
||||
|
||||
if errors.Is(err, context.Canceled) {
|
||||
logger.Warn(r.Context(), err.Error(), logger.E(err))
|
||||
} else {
|
||||
if !errors.Is(err, context.Canceled) {
|
||||
logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
|
||||
}
|
||||
|
||||
|
||||
@ -10,6 +10,7 @@ import (
|
||||
type Options struct {
|
||||
Session sessions.Options
|
||||
KeyPrefix string
|
||||
TTL time.Duration
|
||||
}
|
||||
|
||||
type OptionFunc func(opts *Options)
|
||||
@ -25,6 +26,7 @@ func NewOptions(funcs ...OptionFunc) *Options {
|
||||
SameSite: http.SameSiteDefaultMode,
|
||||
},
|
||||
KeyPrefix: "session:",
|
||||
TTL: time.Hour,
|
||||
}
|
||||
|
||||
for _, fn := range funcs {
|
||||
@ -45,3 +47,9 @@ func WithKeyPrefix(prefix string) OptionFunc {
|
||||
opts.KeyPrefix = prefix
|
||||
}
|
||||
}
|
||||
|
||||
func WithTTL(ttl time.Duration) OptionFunc {
|
||||
return func(opts *Options) {
|
||||
opts.TTL = ttl
|
||||
}
|
||||
}
|
||||
|
||||
@ -31,6 +31,7 @@ type Store struct {
|
||||
keyPrefix string
|
||||
keyGen KeyGenFunc
|
||||
serializer SessionSerializer
|
||||
ttl time.Duration
|
||||
}
|
||||
|
||||
type KeyGenFunc func() (string, error)
|
||||
@ -43,6 +44,7 @@ func NewStore(adapter StoreAdapter, funcs ...OptionFunc) *Store {
|
||||
keyPrefix: opts.KeyPrefix,
|
||||
keyGen: generateRandomKey,
|
||||
serializer: GobSerializer{},
|
||||
ttl: opts.TTL,
|
||||
}
|
||||
|
||||
return rs
|
||||
@ -62,20 +64,21 @@ func (s *Store) New(r *http.Request, name string) (*sessions.Session, error) {
|
||||
if err != nil {
|
||||
return session, nil
|
||||
}
|
||||
|
||||
session.ID = c.Value
|
||||
|
||||
err = s.load(r.Context(), session)
|
||||
if err == nil {
|
||||
session.IsNew = false
|
||||
} else if !errors.Is(err, ErrNotFound) {
|
||||
return nil, errors.WithStack(err)
|
||||
return session, errors.WithStack(err)
|
||||
}
|
||||
|
||||
return session, nil
|
||||
}
|
||||
|
||||
func (s *Store) Save(r *http.Request, w http.ResponseWriter, session *sessions.Session) error {
|
||||
if session.Options.MaxAge <= 0 {
|
||||
if session.Options.MaxAge < 0 {
|
||||
if err := s.delete(r.Context(), session); err != nil {
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
@ -120,7 +123,12 @@ func (s *Store) save(ctx context.Context, session *sessions.Session) error {
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
|
||||
if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, time.Duration(session.Options.MaxAge)*time.Second); err != nil {
|
||||
ttl := time.Duration(session.Options.MaxAge) * time.Second
|
||||
if s.ttl < ttl || ttl == 0 {
|
||||
ttl = s.ttl
|
||||
}
|
||||
|
||||
if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, ttl); err != nil {
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
|
||||
|
||||
@ -37,5 +37,6 @@ func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
|
||||
authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
|
||||
authn.WithDebug(bool(conf.Layers.Authn.Debug)),
|
||||
),
|
||||
oidc.WithOIDCProviderCacheTimeout(time.Duration(*conf.Layers.Authn.OIDC.ProviderCacheTimeout)),
|
||||
), nil
|
||||
}
|
||||
|
||||
@ -218,6 +218,11 @@ layers:
|
||||
authn:
|
||||
# Répertoire contenant les templates
|
||||
templateDir: "/etc/bouncer/layers/authn/templates"
|
||||
# Configuration des sessions
|
||||
sessions:
|
||||
# Temps de persistence sans actualisation des sessions dans le store
|
||||
# (prévalent sur le MaxAge de la session)
|
||||
ttl: "1h"
|
||||
|
||||
# Configuration d'une série de proxy/layers
|
||||
# à créer par défaut par le serveur d'administration
|
||||
|
||||
Reference in New Issue
Block a user