enable fake TLS termination

internal/hydra/consent.go

@@ -14,17 +14,18 @@ import (
 // ConsentReqDoer fetches information on the OAuth2 request and then accept or reject the requested authentication process.
 type ConsentReqDoer struct {
 	hydraURL           string
+	fakeTlsTermination bool
 	rememberFor        int
 }
 
 // NewConsentReqDoer creates a ConsentRequest.
-func NewConsentReqDoer(hydraURL string, rememberFor int) *ConsentReqDoer {
-	return &ConsentReqDoer{hydraURL: hydraURL, rememberFor: rememberFor}
+func NewConsentReqDoer(hydraURL string, fakeTlsTermination bool, rememberFor int) *ConsentReqDoer {
+	return &ConsentReqDoer{hydraURL: hydraURL, fakeTlsTermination: fakeTlsTermination, rememberFor: rememberFor}
 }
 
 // InitiateRequest fetches information on the OAuth2 request.
 func (crd *ConsentReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
-	ri, err := initiateRequest(consent, crd.hydraURL, challenge)
+	ri, err := initiateRequest(consent, crd.hydraURL, crd.fakeTlsTermination, challenge)
 	return ri, errors.Wrap(err, "failed to initiate consent request")
 }
 

internal/hydra/hydra.go

@@ -44,7 +44,7 @@ type ReqInfo struct {
 	Subject         string   `json:"subject"`
 }
 
-func initiateRequest(typ reqType, hydraURL, challenge string) (*ReqInfo, error) {
+func initiateRequest(typ reqType, hydraURL string, fakeTlsTermination bool, challenge string) (*ReqInfo, error) {
 	if challenge == "" {
 		return nil, ErrChallengeMissed
 	}
@@ -58,7 +58,16 @@ func initiateRequest(typ reqType, hydraURL, challenge string) (*ReqInfo, error)
 	}
 	u = u.ResolveReference(ref)
 
-	resp, err := http.Get(u.String())
+	req, err := http.NewRequest("GET", u.String(), nil)
+	if err != nil {
+		return nil, err
+	}
+	if fakeTlsTermination {
+		req.Header.Add("X-Forwarded-Proto", "https")
+	}
+
+	client := &http.Client{}
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
 	}

internal/hydra/login.go

@@ -14,17 +14,18 @@ import (
 // LoginReqDoer fetches information on the OAuth2 request and then accept or reject the requested authentication process.
 type LoginReqDoer struct {
 	hydraURL           string
+	fakeTlsTermination bool
 	rememberFor        int
 }
 
 // NewLoginReqDoer creates a LoginRequest.
-func NewLoginReqDoer(hydraURL string, rememberFor int) *LoginReqDoer {
-	return &LoginReqDoer{hydraURL: hydraURL, rememberFor: rememberFor}
+func NewLoginReqDoer(hydraURL string, fakeTlsTermination bool, rememberFor int) *LoginReqDoer {
+	return &LoginReqDoer{hydraURL: hydraURL, fakeTlsTermination: fakeTlsTermination, rememberFor: rememberFor}
 }
 
 // InitiateRequest fetches information on the OAuth2 request.
 func (lrd *LoginReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
-	ri, err := initiateRequest(login, lrd.hydraURL, challenge)
+	ri, err := initiateRequest(login, lrd.hydraURL, lrd.fakeTlsTermination, challenge)
 	return ri, errors.Wrap(err, "failed to initiate login request")
 }
 

internal/hydra/logout.go

@@ -14,16 +14,17 @@ import (
 // LogoutReqDoer fetches information on the OAuth2 request and then accepts or rejects the requested logout process.
 type LogoutReqDoer struct {
 	hydraURL           string
+	fakeTlsTermination bool
 }
 
 // NewLogoutReqDoer creates a LogoutRequest.
-func NewLogoutReqDoer(hydraURL string) *LogoutReqDoer {
-	return &LogoutReqDoer{hydraURL: hydraURL}
+func NewLogoutReqDoer(hydraURL string, fakeTlsTermination bool) *LogoutReqDoer {
+	return &LogoutReqDoer{hydraURL: hydraURL, fakeTlsTermination: fakeTlsTermination}
 }
 
 // InitiateRequest fetches information on the OAuth2 request.
 func (lrd *LogoutReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
-	ri, err := initiateRequest(logout, lrd.hydraURL, challenge)
+	ri, err := initiateRequest(logout, lrd.hydraURL, lrd.fakeTlsTermination, challenge)
 	return ri, errors.Wrap(err, "failed to initiate logout request")
 }
 

internal/identp/identp.go

@@ -30,6 +30,7 @@ type Config struct {
 	HydraURL           string            `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
 	SessionTTL         time.Duration     `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
 	ClaimScopes        map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
+	FakeTLSTermination bool              `envconfig:"fake_tls_termination" default:"false" desc:"Fake tls termination by adding \"X-Forwarded-Proto: https\" to http headers "`
 }
 
 // UserManager is an interface that is used for authentication and providing user's claims.
@@ -83,10 +84,10 @@ func NewHandler(cnf Config, um UserManager, tr TemplateRenderer) *Handler {
 // AddRoutes registers all required routes for Login & Consent Provider.
 func (h *Handler) AddRoutes(apply func(m, p string, h http.Handler, mws ...func(http.Handler) http.Handler)) {
 	sessionTTL := int(h.SessionTTL.Seconds())
-	apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, 0), h.tr))
-	apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, sessionTTL), h.um, h.tr))
-	apply(http.MethodGet, "/consent", newConsentHandler(hydra.NewConsentReqDoer(h.HydraURL, sessionTTL), h.um, h.ClaimScopes))
-	apply(http.MethodGet, "/logout", newLogoutHandler(hydra.NewLogoutReqDoer(h.HydraURL)))
+	apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, 0), h.tr))
+	apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.tr))
+	apply(http.MethodGet, "/consent", newConsentHandler(hydra.NewConsentReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.ClaimScopes))
+	apply(http.MethodGet, "/logout", newLogoutHandler(hydra.NewLogoutReqDoer(h.HydraURL, h.FakeTLSTermination)))
 }
 
 // oa2LoginReqAcceptor is an interface that is used for accepting an OAuth2 login request.