Add "fake ssl termination" capability to the hydra client

Replicating de "--fake-ssl-termination" option of the official hydra client
2020-05-21 13:12:17 +02:00 · 2020-05-21 13:12:17 +02:00 · 44338f06e3
parent 389eb3885b
commit 44338f06e3
4 changed files with 37 additions and 9 deletions
--- a/cmd/server/container.go
+++ b/cmd/server/container.go
@ -3,7 +3,6 @@ package main
 import (
 	"log"
 	"net/http"
-	"time"

 	"gitlab.com/wpetit/goweb/cqrs"
 	"gitlab.com/wpetit/goweb/template/html"
@ -104,7 +103,14 @@ func getServiceContainer(conf *config.Config) (*service.Container, error) {
 	// Create and expose config service provider
 	ctn.Provide(config.ServiceName, config.ServiceProvider(conf))

-	ctn.Provide(hydra.ServiceName, hydra.ServiceProvider(conf.Hydra.BaseURL, 30*time.Second))
+	ctn.Provide(
+		hydra.ServiceName,
+		hydra.ServiceProvider(
+			conf.Hydra.BaseURL,
+			conf.Hydra.FakeSSLTermination,
+			conf.Hydra.HTTPClientTimeout,
+		),
+	)

 	ctn.Provide(mail.ServiceName, mail.ServiceProvider(
 		mail.WithServer(conf.SMTP.Host, conf.SMTP.Port),
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -60,6 +60,11 @@ type SMTPConfig struct {

 type HydraConfig struct {
 	BaseURL string `yaml:"baseURL" env:"HYDRA_BASE_URL"`
+	// Fake upstream SSL termination adding the "X-Forwarded-Proto: https" to the OIDC client
+	// HTTP request headers.
+	// Required by ory/hydra in some networks topologies
+	FakeSSLTermination bool          `yaml:"fakeSSLTermination" env:"HYDRA_FAKE_SSL_TERMINATION"`
+	HTTPClientTimeout  time.Duration `yaml:"httpClientTimeout" env:"HYDRA_HTTP_CLIENT_TIMEOUT"`
 }

 func NewDumpDefault() *Config {
@ -90,7 +95,9 @@ func NewDefault() *Config {
 			SenderName:    "noreply",
 		},
 		Hydra: HydraConfig{
-			BaseURL: "http://localhost:4445/",
+			BaseURL:            "http://localhost:4445/",
+			FakeSSLTermination: false,
+			HTTPClientTimeout:  time.Second * 30, //nolint: gomnb
 		},
 	}
 }
--- a/internal/hydra/client.go
+++ b/internal/hydra/client.go
@ -188,11 +188,26 @@ func fromURL(url url.URL, path string, query url.Values) string {
 	return url.String()
 }

-func NewClient(baseURL *url.URL, httpTimeout time.Duration) *Client {
+type fakeSSLTerminationTransport struct {
+	T http.RoundTripper
+}
+
+func (t *fakeSSLTerminationTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	req.Header.Add("X-Forwarded-Proto", "https")
+	return t.T.RoundTrip(req)
+}
+
+func NewClient(baseURL *url.URL, fakeSSLTermination bool, httpTimeout time.Duration) *Client {
+	httpClient := &http.Client{
+		Timeout: httpTimeout,
+	}
+
+	if fakeSSLTermination {
+		httpClient.Transport = &fakeSSLTerminationTransport{http.DefaultTransport}
+	}
+
 	return &Client{
 		baseURL: baseURL,
-		http: &http.Client{
-			Timeout: 30 * time.Second,
-		},
+		http:    httpClient,
 	}
 }
--- a/internal/hydra/provider.go
+++ b/internal/hydra/provider.go
@ -8,7 +8,7 @@ import (
 	"gitlab.com/wpetit/goweb/service"
 )

-func ServiceProvider(rawBaseURL string, httpTimeout time.Duration) service.Provider {
+func ServiceProvider(rawBaseURL string, fakeSSLTermination bool, httpTimeout time.Duration) service.Provider {
 	var (
 		baseURL *url.URL
 		err     error
@ -19,7 +19,7 @@ func ServiceProvider(rawBaseURL string, httpTimeout time.Duration) service.Provi
 		err = errors.Wrap(err, "could not parse base url")
 	}

-	client := NewClient(baseURL, httpTimeout)
+	client := NewClient(baseURL, fakeSSLTermination, httpTimeout)

 	return func(ctn *service.Container) (interface{}, error) {
 		if err != nil {