enable fake TLS termination

AshersLab 2021-05-13 15:40:27 +10:00 committed by Nikolay Stupak
parent 9f8461f71a
commit 67c63ca8cd
5 changed files with 36 additions and 23 deletions


@ -13,18 +13,19 @@ import (
// ConsentReqDoer fetches information on the OAuth2 request and then accept or reject the requested authentication process.
type ConsentReqDoer struct {
hydraURL string
rememberFor int
hydraURL string
fakeTlsTermination bool
rememberFor int
}
// NewConsentReqDoer creates a ConsentRequest.
func NewConsentReqDoer(hydraURL string, rememberFor int) *ConsentReqDoer {
return &ConsentReqDoer{hydraURL: hydraURL, rememberFor: rememberFor}
func NewConsentReqDoer(hydraURL string, fakeTlsTermination bool, rememberFor int) *ConsentReqDoer {
return &ConsentReqDoer{hydraURL: hydraURL, fakeTlsTermination: fakeTlsTermination, rememberFor: rememberFor}
}
// InitiateRequest fetches information on the OAuth2 request.
func (crd *ConsentReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
ri, err := initiateRequest(consent, crd.hydraURL, challenge)
ri, err := initiateRequest(consent, crd.hydraURL, crd.fakeTlsTermination, challenge)
return ri, errors.Wrap(err, "failed to initiate consent request")
}
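Review bot: The new `fakeTlsTermination` field is only read by `InitiateRequest` in this hunk; the accept and reject methods that the type comment mentions lie outside the hunk, and no hunk on this page changes them. If those methods also call Hydra through `hydraURL`, they would presumably still go out without `X-Forwarded-Proto` and fail against a Hydra that expects terminated TLS, so it is worth confirming and threading the flag through them too. Separately, Go keeps initialisms in one case, so the field and parameter would read `fakeTLSTermination`, matching `Config.FakeTLSTermination`; the same applies to the login and logout doers and to the `initiateRequest` parameter.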


@ -44,7 +44,7 @@ type ReqInfo struct {
Subject string `json:"subject"`
}
func initiateRequest(typ reqType, hydraURL, challenge string) (*ReqInfo, error) {
func initiateRequest(typ reqType, hydraURL string, fakeTlsTermination bool, challenge string) (*ReqInfo, error) {
if challenge == "" {
return nil, ErrChallengeMissed
}
@ -58,7 +58,16 @@ func initiateRequest(typ reqType, hydraURL, challenge string) (*ReqInfo, error)
}
u = u.ResolveReference(ref)
resp, err := http.Get(u.String())
req, err := http.NewRequest("GET", u.String(), nil)
if err != nil {
return nil, err
}
if fakeTlsTermination {
req.Header.Add("X-Forwarded-Proto", "https")
}
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
return nil, err
}
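Review bot: `client := &http.Client{}` in the second hunk builds a fresh client with no timeout on every call, so a stalled Hydra admin endpoint holds the login or consent handler open indefinitely. A shared package-level client with a bound avoids both problems, e.g. `var hydraClient = &http.Client{Timeout: 10 * time.Second}` (the value is a suggestion and needs the `time` import), followed by `resp, err := hydraClient.Do(req)`. `req.Header.Set("X-Forwarded-Proto", "https")` states the intent more directly than `Add`, and `http.MethodGet` would match the constant already used in `AddRoutes`. The function body continues past the end of the hunk, so the response handling was not reviewed.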


@ -13,18 +13,19 @@ import (
// LoginReqDoer fetches information on the OAuth2 request and then accept or reject the requested authentication process.
type LoginReqDoer struct {
hydraURL string
rememberFor int
hydraURL string
fakeTlsTermination bool
rememberFor int
}
// NewLoginReqDoer creates a LoginRequest.
func NewLoginReqDoer(hydraURL string, rememberFor int) *LoginReqDoer {
return &LoginReqDoer{hydraURL: hydraURL, rememberFor: rememberFor}
func NewLoginReqDoer(hydraURL string, fakeTlsTermination bool, rememberFor int) *LoginReqDoer {
return &LoginReqDoer{hydraURL: hydraURL, fakeTlsTermination: fakeTlsTermination, rememberFor: rememberFor}
}
// InitiateRequest fetches information on the OAuth2 request.
func (lrd *LoginReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
ri, err := initiateRequest(login, lrd.hydraURL, challenge)
ri, err := initiateRequest(login, lrd.hydraURL, lrd.fakeTlsTermination, challenge)
return ri, errors.Wrap(err, "failed to initiate login request")
}


@ -13,17 +13,18 @@ import (
// LogoutReqDoer fetches information on the OAuth2 request and then accepts or rejects the requested logout process.
type LogoutReqDoer struct {
hydraURL string
hydraURL string
fakeTlsTermination bool
}
// NewLogoutReqDoer creates a LogoutRequest.
func NewLogoutReqDoer(hydraURL string) *LogoutReqDoer {
return &LogoutReqDoer{hydraURL: hydraURL}
func NewLogoutReqDoer(hydraURL string, fakeTlsTermination bool) *LogoutReqDoer {
return &LogoutReqDoer{hydraURL: hydraURL, fakeTlsTermination: fakeTlsTermination}
}
// InitiateRequest fetches information on the OAuth2 request.
func (lrd *LogoutReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
ri, err := initiateRequest(logout, lrd.hydraURL, challenge)
ri, err := initiateRequest(logout, lrd.hydraURL, lrd.fakeTlsTermination, challenge)
return ri, errors.Wrap(err, "failed to initiate logout request")
}


@ -27,9 +27,10 @@ const loginTmplName = "login.tmpl"
// Config is a Hydra configuration.
type Config struct {
HydraURL string `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
SessionTTL time.Duration `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
HydraURL string `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
SessionTTL time.Duration `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
FakeTLSTermination bool `envconfig:"fake_tls_termination" default:"false" desc:"Fake tls termination by adding \"X-Forwarded-Proto: https\" to http headers "`
}
// UserManager is an interface that is used for authentication and providing user's claims.
@ -83,10 +84,10 @@ func NewHandler(cnf Config, um UserManager, tr TemplateRenderer) *Handler {
// AddRoutes registers all required routes for Login & Consent Provider.
func (h *Handler) AddRoutes(apply func(m, p string, h http.Handler, mws ...func(http.Handler) http.Handler)) {
sessionTTL := int(h.SessionTTL.Seconds())
apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, 0), h.tr))
apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, sessionTTL), h.um, h.tr))
apply(http.MethodGet, "/consent", newConsentHandler(hydra.NewConsentReqDoer(h.HydraURL, sessionTTL), h.um, h.ClaimScopes))
apply(http.MethodGet, "/logout", newLogoutHandler(hydra.NewLogoutReqDoer(h.HydraURL)))
apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, 0), h.tr))
apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.tr))
apply(http.MethodGet, "/consent", newConsentHandler(hydra.NewConsentReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.ClaimScopes))
apply(http.MethodGet, "/logout", newLogoutHandler(hydra.NewLogoutReqDoer(h.HydraURL, h.FakeTLSTermination)))
}
// oa2LoginReqAcceptor is an interface that is used for accepting an OAuth2 login request.
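Review bot: The `desc` on `FakeTLSTermination` says what the option does but not when it is safe to enable. With it on, werther tells Hydra the call arrived over HTTPS while the connection to `HydraURL` may be plain HTTP, so login and consent challenges can cross that hop unencrypted. I would say so in the tag, e.g. `desc:"send \"X-Forwarded-Proto: https\" on requests to Hydra; use only when Hydra is reached over a trusted network or a TLS-terminating proxy"`, which also drops the trailing space and the lowercase `tls`. A doc comment on the field could add that Hydra presumably has to be configured to accept terminated TLS from werther's address for the header to be honoured.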