From 67c63ca8cd1af7f84f91d24df7c7cf167e347f2d Mon Sep 17 00:00:00 2001
From: AshersLab
Date: Thu, 13 May 2021 15:40:27 +1000
Subject: [PATCH] enable fake TLS termination

---
 internal/hydra/consent.go | 11 ++++++-----
 internal/hydra/hydra.go | 13 +++++++++++--
 internal/hydra/login.go | 11 ++++++-----
 internal/hydra/logout.go | 9 +++++----
 internal/identp/identp.go | 15 ++++++++-------
 5 files changed, 36 insertions(+), 23 deletions(-)

diff --git a/internal/hydra/consent.go b/internal/hydra/consent.go
index dcac815..1b21f9b 100644
--- a/internal/hydra/consent.go
+++ b/internal/hydra/consent.go
@@ -13,18 +13,19 @@ import (
 
 // ConsentReqDoer fetches information on the OAuth2 request and then accept or reject the requested authentication process.
 type ConsentReqDoer struct {
- hydraURL string
- rememberFor int
+ hydraURL string
+ fakeTlsTermination bool
+ rememberFor int
 }
 
 // NewConsentReqDoer creates a ConsentRequest.
-func NewConsentReqDoer(hydraURL string, rememberFor int) *ConsentReqDoer {
- return &ConsentReqDoer{hydraURL: hydraURL, rememberFor: rememberFor}
+func NewConsentReqDoer(hydraURL string, fakeTlsTermination bool, rememberFor int) *ConsentReqDoer {
+ return &ConsentReqDoer{hydraURL: hydraURL, fakeTlsTermination: fakeTlsTermination, rememberFor: rememberFor}
 }
 
 // InitiateRequest fetches information on the OAuth2 request.
 func (crd *ConsentReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
- ri, err := initiateRequest(consent, crd.hydraURL, challenge)
+ ri, err := initiateRequest(consent, crd.hydraURL, crd.fakeTlsTermination, challenge)
 return ri, errors.Wrap(err, "failed to initiate consent request")
 }
 
diff --git a/internal/hydra/hydra.go b/internal/hydra/hydra.go
index 8e14479..2878ec1 100644
--- a/internal/hydra/hydra.go
+++ b/internal/hydra/hydra.go
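Review bot: The new field and parameter `fakeTlsTermination` (struct line and both `NewConsentReqDoer` lines in this hunk) should be spelled `fakeTLSTermination`; Go keeps an initialism in one case, and the exported Config field this value is copied from is already `FakeTLSTermination`, so the package is inconsistent with itself. The same spelling is used in the `initiateRequest` signature in hydra.go and in the login.go and logout.go hunks, which are otherwise identical to this one. Putting a positional bool between `hydraURL` and `rememberFor` also makes call sites such as `NewConsentReqDoer(url, true, 0)` hard to read; if the constructors are touched again, appending it as the last parameter or grouping the Hydra connection settings in a small struct would be clearer.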
@@ -44,7 +44,7 @@ type ReqInfo struct {
 Subject string `json:"subject"`
 }
 
-func initiateRequest(typ reqType, hydraURL, challenge string) (*ReqInfo, error) {
+func initiateRequest(typ reqType, hydraURL string, fakeTlsTermination bool, challenge string) (*ReqInfo, error) {
 if challenge == "" {
 return nil, ErrChallengeMissed
 }
@@ -58,7 +58,16 @@ func initiateRequest(typ reqType, hydraURL, challenge string) (*ReqInfo, error)
 }
 u = u.ResolveReference(ref)
 
- resp, err := http.Get(u.String())
+ req, err := http.NewRequest("GET", u.String(), nil)
+ if err != nil {
+ return nil, err
+ }
+ if fakeTlsTermination {
+ req.Header.Add("X-Forwarded-Proto", "https")
+ }
+
+ client := &http.Client{}
+ resp, err := client.Do(req)
 if err != nil {
 return nil, err
 }
diff --git a/internal/hydra/login.go b/internal/hydra/login.go
index 091fcd8..2469881 100644
--- a/internal/hydra/login.go
+++ b/internal/hydra/login.go
@@ -13,18 +13,19 @@ import (
 
 // LoginReqDoer fetches information on the OAuth2 request and then accept or reject the requested authentication process.
 type LoginReqDoer struct {
- hydraURL string
- rememberFor int
+ hydraURL string
+ fakeTlsTermination bool
+ rememberFor int
 }
 
 // NewLoginReqDoer creates a LoginRequest.
-func NewLoginReqDoer(hydraURL string, rememberFor int) *LoginReqDoer {
- return &LoginReqDoer{hydraURL: hydraURL, rememberFor: rememberFor}
+func NewLoginReqDoer(hydraURL string, fakeTlsTermination bool, rememberFor int) *LoginReqDoer {
+ return &LoginReqDoer{hydraURL: hydraURL, fakeTlsTermination: fakeTlsTermination, rememberFor: rememberFor}
 }
 
 // InitiateRequest fetches information on the OAuth2 request.
 func (lrd *LoginReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
- ri, err := initiateRequest(login, lrd.hydraURL, challenge)
+ ri, err := initiateRequest(login, lrd.hydraURL, lrd.fakeTlsTermination, challenge)
 return ri, errors.Wrap(err, "failed to initiate login request")
 }
 
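Review bot: `client := &http.Client{}` in the second hydra.go hunk builds a zero-value client on every call, so each request to the Hydra admin API runs with no timeout and no connection reuse; a stalled admin endpoint will pin the handling goroutine for as long as the peer holds the socket open. The replaced `http.Get` had the same no-timeout behaviour through `http.DefaultClient`, but the explicit client is the natural place to fix it: hoist it to package scope as `var hydraClient = &http.Client{Timeout: 10 * time.Second}` (constructed example value; needs a `time` import) and call `resp, err := hydraClient.Do(req)`. The `if fakeTlsTermination` block also deserves a why-comment, since it asserts a TLS termination that did not happen; something like `// Tells Hydra the request was TLS-terminated upstream; meaningful only when Hydra is configured to trust this header and the werther-to-Hydra hop is otherwise protected.` The body of `initiateRequest` continues past the end of this hunk.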
diff --git a/internal/hydra/logout.go b/internal/hydra/logout.go
index 1f97c20..d9cf772 100644
--- a/internal/hydra/logout.go
+++ b/internal/hydra/logout.go
@@ -13,17 +13,18 @@ import (
 
 // LogoutReqDoer fetches information on the OAuth2 request and then accepts or rejects the requested logout process.
 type LogoutReqDoer struct {
- hydraURL string
+ hydraURL string
+ fakeTlsTermination bool
 }
 
 // NewLogoutReqDoer creates a LogoutRequest.
-func NewLogoutReqDoer(hydraURL string) *LogoutReqDoer {
- return &LogoutReqDoer{hydraURL: hydraURL}
+func NewLogoutReqDoer(hydraURL string, fakeTlsTermination bool) *LogoutReqDoer {
+ return &LogoutReqDoer{hydraURL: hydraURL, fakeTlsTermination: fakeTlsTermination}
 }
 
 // InitiateRequest fetches information on the OAuth2 request.
 func (lrd *LogoutReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
- ri, err := initiateRequest(logout, lrd.hydraURL, challenge)
+ ri, err := initiateRequest(logout, lrd.hydraURL, lrd.fakeTlsTermination, challenge)
 return ri, errors.Wrap(err, "failed to initiate logout request")
 }
 
diff --git a/internal/identp/identp.go b/internal/identp/identp.go
index a8b66da..7717583 100644
--- a/internal/identp/identp.go
+++ b/internal/identp/identp.go
@@ -27,9 +27,10 @@ const loginTmplName = "login.tmpl"
 
 // Config is a Hydra configuration.
 type Config struct {
- HydraURL string `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
- SessionTTL time.Duration `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
- ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
+ HydraURL string `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
+ SessionTTL time.Duration `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
+ ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
+ FakeTLSTermination bool `envconfig:"fake_tls_termination" default:"false" desc:"Fake tls termination by adding \"X-Forwarded-Proto: https\" to http headers "`
 }
 
 // UserManager is an interface that is used for authentication and providing user's claims.
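Review bot: The `desc` tag on the new `FakeTLSTermination` field carries a trailing space inside the string (`... to http headers "`) and lowercase `tls`, and both appear verbatim in the generated envconfig usage text. It also does not say which requests get the header or when the option is appropriate; suggested wording: `desc:"send \"X-Forwarded-Proto: https\" on requests to the Hydra admin API so Hydra treats them as TLS-terminated when it is reached over plain HTTP"`. Stating that Hydra is then trusting this process's word about TLS lets an operator judge whether the flag belongs in their deployment.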
@@ -83,10 +84,10 @@ func NewHandler(cnf Config, um UserManager, tr TemplateRenderer) *Handler {
 // AddRoutes registers all required routes for Login & Consent Provider.
 func (h *Handler) AddRoutes(apply func(m, p string, h http.Handler, mws ...func(http.Handler) http.Handler)) {
 sessionTTL := int(h.SessionTTL.Seconds())
- apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, 0), h.tr))
- apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, sessionTTL), h.um, h.tr))
- apply(http.MethodGet, "/consent", newConsentHandler(hydra.NewConsentReqDoer(h.HydraURL, sessionTTL), h.um, h.ClaimScopes))
- apply(http.MethodGet, "/logout", newLogoutHandler(hydra.NewLogoutReqDoer(h.HydraURL)))
+ apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, 0), h.tr))
+ apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.tr))
+ apply(http.MethodGet, "/consent", newConsentHandler(hydra.NewConsentReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.ClaimScopes))
+ apply(http.MethodGet, "/logout", newLogoutHandler(hydra.NewLogoutReqDoer(h.HydraURL, h.FakeTLSTermination)))
 }
 
 // oa2LoginReqAcceptor is an interface that is used for accepting an OAuth2 login request.