feat: add proxy information in sentry context

closes #49

internal/config/layers.go

@@ -20,6 +20,7 @@ func NewDefaultLayersConfig() LayersConfig {
 					TransportConfig: NewDefaultTransportConfig(),
 					Timeout:         NewInterpolatedDuration(10 * time.Second),
 				},
+				ProviderCacheTimeout: NewInterpolatedDuration(time.Hour),
 			},
 			Sessions: AuthnLayerSessionConfig{
 				TTL: NewInterpolatedDuration(time.Hour),
@@ -45,7 +46,8 @@ type AuthnLayerSessionConfig struct {
 }
 
 type AuthnOIDCLayerConfig struct {
-	HTTPClient AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
+	HTTPClient           AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
+	ProviderCacheTimeout *InterpolatedDuration     `yaml:"providerCacheTimeout"`
 }
 
 type AuthnOIDCHTTPClientConfig struct {

internal/proxy/director/context.go

@@ -6,6 +6,7 @@ import (
 	"net/url"
 
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/logger"
 )
@@ -17,6 +18,7 @@ const (
 	contextKeyLayers      contextKey = "layers"
 	contextKeyOriginalURL contextKey = "originalURL"
 	contextKeyHandleError contextKey = "handleError"
+	contextKeySentryScope contextKey = "sentryScope"
 )
 
 var (
@@ -82,3 +84,16 @@ func HandleError(ctx context.Context, w http.ResponseWriter, r *http.Request, st
 
 	fn(w, r, status, err)
 }
+
+func withSentryScope(ctx context.Context, scope *sentry.Scope) context.Context {
+	return context.WithValue(ctx, contextKeySentryScope, scope)
+}
+
+func SentryScope(ctx context.Context) (*sentry.Scope, error) {
+	scope, err := ctxValue[*sentry.Scope](ctx, contextKeySentryScope)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return scope, nil
+}

internal/proxy/director/director.go

@@ -9,6 +9,7 @@ import (
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 	"gitlab.com/wpetit/goweb/logger"
@@ -76,6 +77,13 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 			proxyCtx = withLayers(proxyCtx, layers)
 			r = r.WithContext(proxyCtx)
 
+			if sentryScope, _ := SentryScope(ctx); sentryScope != nil {
+				sentryScope.SetContext("bouncer", sentry.Context{
+					"proxy_name":   p.Name,
+					"proxy_target": r.URL.String(),
+				})
+			}
+
 			return r, nil
 		}
 	}
@@ -216,40 +224,43 @@ func (d *Director) ResponseTransformer() proxy.ResponseTransformer {
 func (d *Director) Middleware() proxy.Middleware {
 	return func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
-			ctx := withHandleError(r.Context(), d.handleError)
+			sentry.ConfigureScope(func(scope *sentry.Scope) {
-			r = r.WithContext(ctx)
+				ctx := withHandleError(r.Context(), d.handleError)
+				ctx = withSentryScope(ctx, scope)
+				r = r.WithContext(ctx)
 
-			r, err := d.rewriteRequest(r)
+				r, err := d.rewriteRequest(r)
-			if err != nil {
+				if err != nil {
-				HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
+					HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
-				return
-			}
-
-			ctx = r.Context()
-
-			layers, err := ctxLayers(ctx)
-			if err != nil {
-				if errors.Is(err, errContextKeyNotFound) {
 					return
 				}
 
-				HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
+				ctx = r.Context()
-				return
-			}
 
-			httpMiddlewares := make([]proxy.Middleware, 0)
+				layers, err := ctxLayers(ctx)
-			for _, layer := range layers {
+				if err != nil {
-				middleware, ok := d.layerRegistry.GetMiddleware(layer.Type)
+					if errors.Is(err, errContextKeyNotFound) {
-				if !ok {
+						return
-					continue
+					}
+
+					HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
+					return
 				}
 
-				httpMiddlewares = append(httpMiddlewares, middleware.Middleware(layer))
+				httpMiddlewares := make([]proxy.Middleware, 0)
-			}
+				for _, layer := range layers {
+					middleware, ok := d.layerRegistry.GetMiddleware(layer.Type)
+					if !ok {
+						continue
+					}
 
-			handler := createMiddlewareChain(next, httpMiddlewares)
+					httpMiddlewares = append(httpMiddlewares, middleware.Middleware(layer))
+				}
 
-			handler.ServeHTTP(w, r)
+				handler := createMiddlewareChain(next, httpMiddlewares)
+
+				handler.ServeHTTP(w, r)
+			})
 		}
 
 		return http.HandlerFunc(fn)

internal/proxy/director/layer/authn/oidc/authenticator.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
@@ -27,6 +28,7 @@ type Authenticator struct {
 	store             sessions.Store
 	httpTransport     *http.Transport
 	httpClientTimeout time.Duration
+	oidcProviderCache cache.Cache[string, *oidc.Provider]
 }
 
 func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
@@ -378,15 +380,23 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 		Transport: transport,
 	}
 
-	ctx = oidc.ClientContext(ctx, httpClient)
+	provider, exists := a.oidcProviderCache.Get(options.OIDC.IssuerURL)
+	if !exists {
+		var err error
+		ctx = oidc.ClientContext(ctx, httpClient)
 
-	if options.OIDC.SkipIssuerVerification {
+		if options.OIDC.SkipIssuerVerification {
-		ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
+			ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
-	}
+		}
 
-	provider, err := oidc.NewProvider(ctx, options.OIDC.IssuerURL)
+		logger.Debug(ctx, "refreshing oidc provider", logger.F("issuerURL", options.OIDC.IssuerURL))
-	if err != nil {
+
-		return nil, errors.Wrap(err, "could not create oidc provider")
+		provider, err = oidc.NewProvider(ctx, options.OIDC.IssuerURL)
+		if err != nil {
+			return nil, errors.Wrap(err, "could not create oidc provider")
+		}
+
+		a.oidcProviderCache.Set(options.OIDC.IssuerURL, provider)
 	}
 
 	client := NewClient(

internal/proxy/director/layer/authn/oidc/layer.go

@@ -1,8 +1,13 @@
 package oidc
 
 import (
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/sessions"
 )
 
@@ -14,5 +19,10 @@ func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer {
 		httpTransport:     opts.HTTPTransport,
 		httpClientTimeout: opts.HTTPClientTimeout,
 		store:             store,
+		oidcProviderCache: ttl.NewCache(
+			memory.NewCache[string, *oidc.Provider](),
+			memory.NewCache[string, time.Time](),
+			opts.OIDCProviderCacheTimeout,
+		),
 	}, opts.AuthnOptions...)
 }

internal/proxy/director/layer/authn/oidc/options.go

@@ -8,9 +8,10 @@ import (
 )
 
 type Options struct {
-	HTTPTransport     *http.Transport
+	HTTPTransport            *http.Transport
-	HTTPClientTimeout time.Duration
+	HTTPClientTimeout        time.Duration
-	AuthnOptions      []authn.OptionFunc
+	AuthnOptions             []authn.OptionFunc
+	OIDCProviderCacheTimeout time.Duration
 }
 
 type OptionFunc func(opts *Options)
@@ -33,11 +34,18 @@ func WithAuthnOptions(funcs ...authn.OptionFunc) OptionFunc {
 	}
 }
 
+func WithOIDCProviderCacheTimeout(timeout time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.OIDCProviderCacheTimeout = timeout
+	}
+}
+
 func NewOptions(funcs ...OptionFunc) *Options {
 	opts := &Options{
-		HTTPTransport:     http.DefaultTransport.(*http.Transport),
+		HTTPTransport:            http.DefaultTransport.(*http.Transport),
-		HTTPClientTimeout: 30 * time.Second,
+		HTTPClientTimeout:        30 * time.Second,
-		AuthnOptions:      make([]authn.OptionFunc, 0),
+		AuthnOptions:             make([]authn.OptionFunc, 0),
+		OIDCProviderCacheTimeout: time.Hour,
 	}
 
 	for _, fn := range funcs {

internal/proxy/server.go

@@ -233,9 +233,7 @@ func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {
 func (s *Server) handleError(w http.ResponseWriter, r *http.Request, status int, err error) {
 	err = errors.WithStack(err)
 
-	if errors.Is(err, context.Canceled) {
+	if !errors.Is(err, context.Canceled) {
-		logger.Warn(r.Context(), err.Error(), logger.E(err))
-	} else {
 		logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
 	}
 

internal/setup/authn_oidc_layer.go

@@ -37,5 +37,6 @@ func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
 			authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
 			authn.WithDebug(bool(conf.Layers.Authn.Debug)),
 		),
+		oidc.WithOIDCProviderCacheTimeout(time.Duration(*conf.Layers.Authn.OIDC.ProviderCacheTimeout)),
 	), nil
 }