feat: configurable ignore of tls verification for hydra connections
Cadoles/hydra-werther/pipeline/pr-develop This commit looks good Details

This commit is contained in:
Philippe Caseiro 2023-07-26 10:33:54 +02:00 committed by William Petit
parent 592749eebf
commit 271d62dc27
4 changed files with 28 additions and 7 deletions

View File

@ -14,6 +14,8 @@ import (
"net/url"
"os"
"crypto/tls"
"github.com/i-core/rlog"
"github.com/i-core/routegroup"
"github.com/i-core/werther/internal/identp"
@ -30,11 +32,12 @@ var version = ""
// Config is a server's configuration.
type Config struct {
DevMode bool `envconfig:"dev_mode" default:"false" desc:"a development mode"`
Listen string `default:":8080" desc:"a host and port to listen on (<host>:<port>)"`
Identp identp.Config
LDAP ldapclient.Config
Web web.Config
DevMode bool `envconfig:"dev_mode" default:"false" desc:"Enable development mode"`
Listen string `default:":8080" desc:"a host and port to listen on (<host>:<port>)"`
InsecureSkipVerify bool `envconfig:"insecure_skip_verify" default:"false" desc:"Disable TLS verification on Hydra connection"`
Identp identp.Config
LDAP ldapclient.Config
Web web.Config
}
func main() {
@ -80,6 +83,11 @@ func main() {
os.Exit(1)
}
if cnf.InsecureSkipVerify {
log.Warn("All ssl verifications are disabled !")
http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
}
ldap := ldapclient.New(cnf.LDAP)
router := routegroup.NewRouter(nosurf.NewPure, rlog.NewMiddleware(log))

View File

@ -122,4 +122,10 @@ WERTHER_LDAP_ROLE_BASEDN=ou=groups,dc=myorg,dc=com
# [description] LDAP server connection timeout
# [type] Duration
# [default] 60s
# [required]
# [required]
# WERTHER_INSECURE_SKIP_VERIFY=
# [description] Disable TLS verification on Hydra connection
# [type] True or False
# [default] false
# [required]

View File

@ -26,6 +26,8 @@ var (
ErrChallengeNotFound = errors.New("challenge not found")
// ErrChallengeExpired is an error that happens when a challenge is already used.
ErrChallengeExpired = errors.New("challenge expired")
//ErrServiceUnavailable is an error that happens when the hydra admin service is unavailable
ErrServiceUnavailable = errors.New("hydra service unavailable")
)
type reqType string
@ -52,6 +54,7 @@ func initiateRequest(typ reqType, hydraURL string, fakeTLSTermination bool, chal
if err != nil {
return nil, err
}
u, err := parseURL(hydraURL)
if err != nil {
return nil, err
@ -145,6 +148,8 @@ func checkResponse(resp *http.Response) error {
return ErrChallengeNotFound
case 409:
return ErrChallengeExpired
case 503:
return ErrServiceUnavailable
default:
var rs struct {
Message string `json:"error"`

View File

@ -11,6 +11,7 @@ package identp
import (
"context"
"fmt"
"net/http"
"net/url"
"strings"
@ -127,7 +128,8 @@ func newLoginStartHandler(rproc oa2LoginReqProcessor, tmplRenderer TemplateRende
return
}
log.Infow("Failed to initiate an OAuth2 login request", zap.Error(err), "challenge", challenge)
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
errMsg := fmt.Sprintf("%s - %s - %s", http.StatusText(http.StatusInternalServerError), err, errors.Cause(err))
http.Error(w, errMsg, http.StatusInternalServerError)
return
}
log.Infow("A login request is initiated", "challenge", challenge, "username", ri.Subject)