From 271d62dc272a63c31f0d3632a37da90bd80957f9 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Wed, 26 Jul 2023 10:33:54 +0200 Subject: [PATCH] feat: configurable ignore of tls verification for hydra connections --- cmd/werther/main.go | 18 +++++++++++++----- conf/hydra-werther.conf | 8 +++++++- internal/hydra/hydra.go | 5 +++++ internal/identp/identp.go | 4 +++- 4 files changed, 28 insertions(+), 7 deletions(-) diff --git a/cmd/werther/main.go b/cmd/werther/main.go index f3685a2..429c205 100644 --- a/cmd/werther/main.go +++ b/cmd/werther/main.go @@ -14,6 +14,8 @@ import ( "net/url" "os" + "crypto/tls" + "github.com/i-core/rlog" "github.com/i-core/routegroup" "github.com/i-core/werther/internal/identp" @@ -30,11 +32,12 @@ var version = "" // Config is a server's configuration. type Config struct { - DevMode bool `envconfig:"dev_mode" default:"false" desc:"a development mode"` - Listen string `default:":8080" desc:"a host and port to listen on (:)"` - Identp identp.Config - LDAP ldapclient.Config - Web web.Config + DevMode bool `envconfig:"dev_mode" default:"false" desc:"Enable development mode"` + Listen string `default:":8080" desc:"a host and port to listen on (:)"` + InsecureSkipVerify bool `envconfig:"insecure_skip_verify" default:"false" desc:"Disable TLS verification on Hydra connection"` + Identp identp.Config + LDAP ldapclient.Config + Web web.Config } func main() { @@ -80,6 +83,11 @@ func main() { os.Exit(1) } + if cnf.InsecureSkipVerify { + log.Warn("All ssl verifications are disabled !") + http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} + } + ldap := ldapclient.New(cnf.LDAP) router := routegroup.NewRouter(nosurf.NewPure, rlog.NewMiddleware(log)) diff --git a/conf/hydra-werther.conf b/conf/hydra-werther.conf index f818785..061c99e 100644 --- a/conf/hydra-werther.conf +++ b/conf/hydra-werther.conf @@ -122,4 +122,10 @@ WERTHER_LDAP_ROLE_BASEDN=ou=groups,dc=myorg,dc=com # [description] LDAP server connection timeout # [type] Duration # [default] 60s - # [required] \ No newline at end of file + # [required] + +# WERTHER_INSECURE_SKIP_VERIFY= +# [description] Disable TLS verification on Hydra connection +# [type] True or False +# [default] false +# [required] \ No newline at end of file diff --git a/internal/hydra/hydra.go b/internal/hydra/hydra.go index 8a6a826..b9b47b2 100644 --- a/internal/hydra/hydra.go +++ b/internal/hydra/hydra.go @@ -26,6 +26,8 @@ var ( ErrChallengeNotFound = errors.New("challenge not found") // ErrChallengeExpired is an error that happens when a challenge is already used. ErrChallengeExpired = errors.New("challenge expired") + //ErrServiceUnavailable is an error that happens when the hydra admin service is unavailable + ErrServiceUnavailable = errors.New("hydra service unavailable") ) type reqType string @@ -52,6 +54,7 @@ func initiateRequest(typ reqType, hydraURL string, fakeTLSTermination bool, chal if err != nil { return nil, err } + u, err := parseURL(hydraURL) if err != nil { return nil, err @@ -145,6 +148,8 @@ func checkResponse(resp *http.Response) error { return ErrChallengeNotFound case 409: return ErrChallengeExpired + case 503: + return ErrServiceUnavailable default: var rs struct { Message string `json:"error"` diff --git a/internal/identp/identp.go b/internal/identp/identp.go index c1b4ba1..cbab516 100644 --- a/internal/identp/identp.go +++ b/internal/identp/identp.go @@ -11,6 +11,7 @@ package identp import ( "context" + "fmt" "net/http" "net/url" "strings" @@ -127,7 +128,8 @@ func newLoginStartHandler(rproc oa2LoginReqProcessor, tmplRenderer TemplateRende return } log.Infow("Failed to initiate an OAuth2 login request", zap.Error(err), "challenge", challenge) - http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) + errMsg := fmt.Sprintf("%s - %s - %s", http.StatusText(http.StatusInternalServerError), err, errors.Cause(err)) + http.Error(w, errMsg, http.StatusInternalServerError) return } log.Infow("A login request is initiated", "challenge", challenge, "username", ri.Subject)