enable fake TLS termination

This commit is contained in:
AshersLab 2021-05-13 15:40:27 +10:00 committed by Nikolay Stupak
parent 9f8461f71a
commit 67c63ca8cd
5 changed files with 36 additions and 23 deletions

View File

@ -14,17 +14,18 @@ import (
// ConsentReqDoer fetches information on the OAuth2 request and then accept or reject the requested authentication process. // ConsentReqDoer fetches information on the OAuth2 request and then accept or reject the requested authentication process.
type ConsentReqDoer struct { type ConsentReqDoer struct {
hydraURL string hydraURL string
fakeTlsTermination bool
rememberFor int rememberFor int
} }
// NewConsentReqDoer creates a ConsentRequest. // NewConsentReqDoer creates a ConsentRequest.
func NewConsentReqDoer(hydraURL string, rememberFor int) *ConsentReqDoer { func NewConsentReqDoer(hydraURL string, fakeTlsTermination bool, rememberFor int) *ConsentReqDoer {
return &ConsentReqDoer{hydraURL: hydraURL, rememberFor: rememberFor} return &ConsentReqDoer{hydraURL: hydraURL, fakeTlsTermination: fakeTlsTermination, rememberFor: rememberFor}
} }
// InitiateRequest fetches information on the OAuth2 request. // InitiateRequest fetches information on the OAuth2 request.
func (crd *ConsentReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) { func (crd *ConsentReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
ri, err := initiateRequest(consent, crd.hydraURL, challenge) ri, err := initiateRequest(consent, crd.hydraURL, crd.fakeTlsTermination, challenge)
return ri, errors.Wrap(err, "failed to initiate consent request") return ri, errors.Wrap(err, "failed to initiate consent request")
} }

View File

@ -44,7 +44,7 @@ type ReqInfo struct {
Subject string `json:"subject"` Subject string `json:"subject"`
} }
func initiateRequest(typ reqType, hydraURL, challenge string) (*ReqInfo, error) { func initiateRequest(typ reqType, hydraURL string, fakeTlsTermination bool, challenge string) (*ReqInfo, error) {
if challenge == "" { if challenge == "" {
return nil, ErrChallengeMissed return nil, ErrChallengeMissed
} }
@ -58,7 +58,16 @@ func initiateRequest(typ reqType, hydraURL, challenge string) (*ReqInfo, error)
} }
u = u.ResolveReference(ref) u = u.ResolveReference(ref)
resp, err := http.Get(u.String()) req, err := http.NewRequest("GET", u.String(), nil)
if err != nil {
return nil, err
}
if fakeTlsTermination {
req.Header.Add("X-Forwarded-Proto", "https")
}
client := &http.Client{}
resp, err := client.Do(req)
if err != nil { if err != nil {
return nil, err return nil, err
} }

View File

@ -14,17 +14,18 @@ import (
// LoginReqDoer fetches information on the OAuth2 request and then accept or reject the requested authentication process. // LoginReqDoer fetches information on the OAuth2 request and then accept or reject the requested authentication process.
type LoginReqDoer struct { type LoginReqDoer struct {
hydraURL string hydraURL string
fakeTlsTermination bool
rememberFor int rememberFor int
} }
// NewLoginReqDoer creates a LoginRequest. // NewLoginReqDoer creates a LoginRequest.
func NewLoginReqDoer(hydraURL string, rememberFor int) *LoginReqDoer { func NewLoginReqDoer(hydraURL string, fakeTlsTermination bool, rememberFor int) *LoginReqDoer {
return &LoginReqDoer{hydraURL: hydraURL, rememberFor: rememberFor} return &LoginReqDoer{hydraURL: hydraURL, fakeTlsTermination: fakeTlsTermination, rememberFor: rememberFor}
} }
// InitiateRequest fetches information on the OAuth2 request. // InitiateRequest fetches information on the OAuth2 request.
func (lrd *LoginReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) { func (lrd *LoginReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
ri, err := initiateRequest(login, lrd.hydraURL, challenge) ri, err := initiateRequest(login, lrd.hydraURL, lrd.fakeTlsTermination, challenge)
return ri, errors.Wrap(err, "failed to initiate login request") return ri, errors.Wrap(err, "failed to initiate login request")
} }

View File

@ -14,16 +14,17 @@ import (
// LogoutReqDoer fetches information on the OAuth2 request and then accepts or rejects the requested logout process. // LogoutReqDoer fetches information on the OAuth2 request and then accepts or rejects the requested logout process.
type LogoutReqDoer struct { type LogoutReqDoer struct {
hydraURL string hydraURL string
fakeTlsTermination bool
} }
// NewLogoutReqDoer creates a LogoutRequest. // NewLogoutReqDoer creates a LogoutRequest.
func NewLogoutReqDoer(hydraURL string) *LogoutReqDoer { func NewLogoutReqDoer(hydraURL string, fakeTlsTermination bool) *LogoutReqDoer {
return &LogoutReqDoer{hydraURL: hydraURL} return &LogoutReqDoer{hydraURL: hydraURL, fakeTlsTermination: fakeTlsTermination}
} }
// InitiateRequest fetches information on the OAuth2 request. // InitiateRequest fetches information on the OAuth2 request.
func (lrd *LogoutReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) { func (lrd *LogoutReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
ri, err := initiateRequest(logout, lrd.hydraURL, challenge) ri, err := initiateRequest(logout, lrd.hydraURL, lrd.fakeTlsTermination, challenge)
return ri, errors.Wrap(err, "failed to initiate logout request") return ri, errors.Wrap(err, "failed to initiate logout request")
} }

View File

@ -30,6 +30,7 @@ type Config struct {
HydraURL string `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"` HydraURL string `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
SessionTTL time.Duration `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"` SessionTTL time.Duration `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"` ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
FakeTLSTermination bool `envconfig:"fake_tls_termination" default:"false" desc:"Fake tls termination by adding \"X-Forwarded-Proto: https\" to http headers "`
} }
// UserManager is an interface that is used for authentication and providing user's claims. // UserManager is an interface that is used for authentication and providing user's claims.
@ -83,10 +84,10 @@ func NewHandler(cnf Config, um UserManager, tr TemplateRenderer) *Handler {
// AddRoutes registers all required routes for Login & Consent Provider. // AddRoutes registers all required routes for Login & Consent Provider.
func (h *Handler) AddRoutes(apply func(m, p string, h http.Handler, mws ...func(http.Handler) http.Handler)) { func (h *Handler) AddRoutes(apply func(m, p string, h http.Handler, mws ...func(http.Handler) http.Handler)) {
sessionTTL := int(h.SessionTTL.Seconds()) sessionTTL := int(h.SessionTTL.Seconds())
apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, 0), h.tr)) apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, 0), h.tr))
apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, sessionTTL), h.um, h.tr)) apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.tr))
apply(http.MethodGet, "/consent", newConsentHandler(hydra.NewConsentReqDoer(h.HydraURL, sessionTTL), h.um, h.ClaimScopes)) apply(http.MethodGet, "/consent", newConsentHandler(hydra.NewConsentReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.ClaimScopes))
apply(http.MethodGet, "/logout", newLogoutHandler(hydra.NewLogoutReqDoer(h.HydraURL))) apply(http.MethodGet, "/logout", newLogoutHandler(hydra.NewLogoutReqDoer(h.HydraURL, h.FakeTLSTermination)))
} }
// oa2LoginReqAcceptor is an interface that is used for accepting an OAuth2 login request. // oa2LoginReqAcceptor is an interface that is used for accepting an OAuth2 login request.