mirror of
https://github.com/lukaszraczylo/traefikoidc.git
synced 2026-06-05 22:44:17 +00:00
lukaszraczylo
1b49e133da
* Fix bug affecting Azure OIDC authentication ( and most likely others ) * Fixes issue #51 * Ensure that appended roles are unique. Update the documentation. * Improvements targetting possible memory usage spikes. * Additional fixes and cleanup * Refactoring code to fix the issues identified by the users. * Modernize run * Fieldalignment * Multiple changes to improve performance and reduce complexity. - Optimise the errors and recovery. - Deduplicate code in metadata cache. - Remove unused performance monitoring code. - Simplify session management and settings handling. * Fix claims issue. * Add ability to overwrite the default scopes in the settings file * Well.. that escalated quickly. Completely forgot that Traefik uses outdated Yaegi and requires compatibility with 1.20 ( pre-generic Go code ). * Bugfix #51: Ensures that user provided scopes overrides work. * fixup! Bugfix #51: Ensures that user provided scopes overrides work. * fixup! fixup! Bugfix #51: Ensures that user provided scopes overrides work. * Abstract the provider logic into a separate package. * Additional micro fixes and cleanups. * Simplify all the things. * fixup! Simplify all the things. * fixup! fixup! Simplify all the things. * fixup! fixup! fixup! Simplify all the things. * fixup! fixup! fixup! fixup! Simplify all the things. * ... * Cleanup tests. * fixup! Cleanup tests. * fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! fixup! Cleanup tests. * Issue #53: Fix CSRF token handling in reverse proxy 1. ✅ HTTPS Detection Fixed (session.go:723) - Now uses X-Forwarded-Proto header instead of r.URL.Scheme - Properly detects HTTPS in reverse proxy environments 2. ✅ SameSite Cookie Attribute Fixed - Removed automatic SameSiteStrictMode for HTTPS (would break OAuth) - Keeps SameSiteLaxMode to allow OAuth callbacks from external domains - Only uses Strict for AJAX requests which don't involve OAuth redirects 3. ✅ Cookie Domain Handling Fixed - Now respects X-Forwarded-Host header for cookie domain - Ensures cookies are set for the public domain, not internal proxy domain 4. ✅ EnhanceSessionSecurity Properly Integrated - Function is now actually called during session save - Applies security enhancements without breaking OAuth flow Why Issue #53 Failed Before: 1. Cookies were not marked Secure in HTTPS environments (browser wouldn't send them back) 2. If they had been Secure with SameSite=Strict, Azure callbacks would still fail 3. Cookie domain might have been wrong (internal vs public domain) Why It Works Now: 1. Cookies are properly marked Secure for HTTPS 2. Uses SameSite=Lax to allow OAuth provider callbacks 3. Cookie domain uses public domain from X-Forwarded-Host 4. CSRF token persists through the entire OAuth flow * Next set of enhancements together with memory usage improvements. * Memory leak fixes and optimisations. * CSRF and Cookie Domain fixes * fixup! CSRF and Cookie Domain fixes * Metadata cache leak fix + profiling * fixup! Metadata cache leak fix + profiling * Memory leaks hunting, part 1337. * Further pursue of perfection. * fixup! Further pursue of perfection. * fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * Clear race conditions * fixup! Clear race conditions * Weekend fun with memory leaks * Splitting code into multiple files with reasonable testing coverage. ``` ok github.com/lukaszraczylo/traefikoidc 117.017s coverage: 72.6% of statements ok github.com/lukaszraczylo/traefikoidc/auth 0.505s coverage: 87.1% of statements ok github.com/lukaszraczylo/traefikoidc/circuit_breaker 0.283s coverage: 99.0% of statements github.com/lukaszraczylo/traefikoidc/config coverage: 0.0% of statements ok github.com/lukaszraczylo/traefikoidc/handlers 0.349s coverage: 98.2% of statements ok github.com/lukaszraczylo/traefikoidc/internal/providers (cached) coverage: 94.3% of statements ok github.com/lukaszraczylo/traefikoidc/middleware 0.808s coverage: 78.0% of statements ok github.com/lukaszraczylo/traefikoidc/recovery 0.653s coverage: 100.0% of statements ok github.com/lukaszraczylo/traefikoidc/session/chunking (cached) coverage: 87.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/core (cached) coverage: 85.6% of statements ok github.com/lukaszraczylo/traefikoidc/session/crypto (cached) coverage: 81.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/storage (cached) coverage: 93.5% of statements ok github.com/lukaszraczylo/traefikoidc/session/validators (cached) coverage: 98.8% of statements ```` * fixup! Splitting code into multiple files with reasonable testing coverage. * fixup! fixup! Splitting code into multiple files with reasonable testing coverage. * Weekend fun with further optimisations. * fixup! Weekend fun with further optimisations. * fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * Pre-release cleanup. * Enhance test coverage. * fixup! Enhance test coverage. * fixup! fixup! Enhance test coverage. * fixup! fixup! fixup! Enhance test coverage.
273 lines
9.1 KiB
Go
273 lines
9.1 KiB
Go
package traefikoidc
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"net/http/cookiejar"
|
|
"time"
|
|
)
|
|
|
|
// HTTPClientConfig provides configuration for creating HTTP clients
|
|
type HTTPClientConfig struct {
|
|
// Timeout for the entire request
|
|
Timeout time.Duration
|
|
// MaxRedirects allowed (0 means follow Go's default of 10)
|
|
MaxRedirects int
|
|
// UseCookieJar enables cookie jar for the client
|
|
UseCookieJar bool
|
|
// Connection settings
|
|
DialTimeout time.Duration
|
|
KeepAlive time.Duration
|
|
TLSHandshakeTimeout time.Duration
|
|
ResponseHeaderTimeout time.Duration
|
|
ExpectContinueTimeout time.Duration
|
|
IdleConnTimeout time.Duration
|
|
// Connection pool settings
|
|
MaxIdleConns int
|
|
MaxIdleConnsPerHost int
|
|
MaxConnsPerHost int
|
|
// Buffer settings
|
|
WriteBufferSize int
|
|
ReadBufferSize int
|
|
// Feature flags
|
|
ForceHTTP2 bool
|
|
DisableKeepAlives bool
|
|
DisableCompression bool
|
|
}
|
|
|
|
// DefaultHTTPClientConfig returns the default configuration for general use
|
|
func DefaultHTTPClientConfig() HTTPClientConfig {
|
|
return HTTPClientConfig{
|
|
Timeout: 10 * time.Second, // SECURITY FIX: Reduced from 30s to prevent slowloris attacks
|
|
MaxRedirects: 5, // SECURITY FIX: Reduced from 10 to prevent redirect loops
|
|
UseCookieJar: false,
|
|
DialTimeout: 3 * time.Second, // SECURITY FIX: Reduced from 5s
|
|
KeepAlive: 15 * time.Second,
|
|
TLSHandshakeTimeout: 2 * time.Second,
|
|
ResponseHeaderTimeout: 3 * time.Second,
|
|
ExpectContinueTimeout: 1 * time.Second,
|
|
IdleConnTimeout: 5 * time.Second,
|
|
MaxIdleConns: 20, // SECURITY FIX: Reduced from 100 to limit resource usage
|
|
MaxIdleConnsPerHost: 2, // SECURITY FIX: Reduced from 10 to prevent connection exhaustion
|
|
MaxConnsPerHost: 5, // SECURITY FIX: Reduced from 10 to limit concurrent connections
|
|
WriteBufferSize: 4096,
|
|
ReadBufferSize: 4096,
|
|
ForceHTTP2: true,
|
|
DisableKeepAlives: false,
|
|
DisableCompression: false,
|
|
}
|
|
}
|
|
|
|
// TokenHTTPClientConfig returns configuration optimized for token operations
|
|
func TokenHTTPClientConfig() HTTPClientConfig {
|
|
config := DefaultHTTPClientConfig()
|
|
config.Timeout = 10 * time.Second // Shorter timeout for token operations
|
|
config.MaxRedirects = 50 // Token endpoints may redirect more
|
|
config.UseCookieJar = true // Enable cookie jar for token operations
|
|
return config
|
|
}
|
|
|
|
// HTTPClientFactory provides methods for creating configured HTTP clients
|
|
type HTTPClientFactory struct{}
|
|
|
|
// NewHTTPClientFactory creates a new HTTP client factory
|
|
func NewHTTPClientFactory() *HTTPClientFactory {
|
|
return &HTTPClientFactory{}
|
|
}
|
|
|
|
// ValidateHTTPClientConfig validates HTTP client configuration parameters
|
|
func (f *HTTPClientFactory) ValidateHTTPClientConfig(config *HTTPClientConfig) error {
|
|
// Validate connection pool limits
|
|
if config.MaxIdleConns < 0 {
|
|
return fmt.Errorf("MaxIdleConns cannot be negative: %d", config.MaxIdleConns)
|
|
}
|
|
if config.MaxIdleConns > 1000 {
|
|
return fmt.Errorf("MaxIdleConns too high (max 1000): %d", config.MaxIdleConns)
|
|
}
|
|
|
|
if config.MaxIdleConnsPerHost < 0 {
|
|
return fmt.Errorf("MaxIdleConnsPerHost cannot be negative: %d", config.MaxIdleConnsPerHost)
|
|
}
|
|
if config.MaxIdleConnsPerHost > 100 {
|
|
return fmt.Errorf("MaxIdleConnsPerHost too high (max 100): %d", config.MaxIdleConnsPerHost)
|
|
}
|
|
|
|
if config.MaxConnsPerHost < 0 {
|
|
return fmt.Errorf("MaxConnsPerHost cannot be negative: %d", config.MaxConnsPerHost)
|
|
}
|
|
if config.MaxConnsPerHost > 100 {
|
|
return fmt.Errorf("MaxConnsPerHost too high (max 100): %d", config.MaxConnsPerHost)
|
|
}
|
|
|
|
// Validate that MaxIdleConnsPerHost is not greater than MaxConnsPerHost
|
|
if config.MaxIdleConnsPerHost > config.MaxConnsPerHost && config.MaxConnsPerHost > 0 {
|
|
return fmt.Errorf("MaxIdleConnsPerHost (%d) cannot exceed MaxConnsPerHost (%d)",
|
|
config.MaxIdleConnsPerHost, config.MaxConnsPerHost)
|
|
}
|
|
|
|
// Validate timeout values
|
|
if config.Timeout <= 0 {
|
|
return fmt.Errorf("timeout must be positive: %v", config.Timeout)
|
|
}
|
|
if config.Timeout > 5*time.Minute {
|
|
return fmt.Errorf("timeout too high (max 5m): %v", config.Timeout)
|
|
}
|
|
|
|
if config.DialTimeout <= 0 {
|
|
return fmt.Errorf("DialTimeout must be positive: %v", config.DialTimeout)
|
|
}
|
|
if config.TLSHandshakeTimeout <= 0 {
|
|
return fmt.Errorf("TLSHandshakeTimeout must be positive: %v", config.TLSHandshakeTimeout)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// CreateHTTPClient creates an HTTP client with the given configuration
|
|
// Validates configuration parameters before creating the client
|
|
func (f *HTTPClientFactory) CreateHTTPClient(config HTTPClientConfig) *http.Client {
|
|
// Set defaults for zero values before validation
|
|
if config.Timeout == 0 {
|
|
config.Timeout = 30 * time.Second
|
|
}
|
|
if config.DialTimeout == 0 {
|
|
config.DialTimeout = 5 * time.Second
|
|
}
|
|
if config.TLSHandshakeTimeout == 0 {
|
|
config.TLSHandshakeTimeout = 2 * time.Second
|
|
}
|
|
if config.KeepAlive == 0 {
|
|
config.KeepAlive = 15 * time.Second
|
|
}
|
|
if config.ResponseHeaderTimeout == 0 {
|
|
config.ResponseHeaderTimeout = 3 * time.Second
|
|
}
|
|
if config.ExpectContinueTimeout == 0 {
|
|
config.ExpectContinueTimeout = 1 * time.Second
|
|
}
|
|
if config.IdleConnTimeout == 0 {
|
|
config.IdleConnTimeout = 5 * time.Second
|
|
}
|
|
if config.MaxIdleConns == 0 {
|
|
config.MaxIdleConns = 100
|
|
}
|
|
if config.MaxIdleConnsPerHost == 0 {
|
|
config.MaxIdleConnsPerHost = 10
|
|
}
|
|
if config.MaxConnsPerHost == 0 {
|
|
config.MaxConnsPerHost = 10
|
|
}
|
|
if config.WriteBufferSize == 0 {
|
|
config.WriteBufferSize = 4096
|
|
}
|
|
if config.ReadBufferSize == 0 {
|
|
config.ReadBufferSize = 4096
|
|
}
|
|
|
|
// Validate configuration - only fail on critical errors
|
|
if err := f.ValidateHTTPClientConfig(&config); err != nil {
|
|
// Only use default config for critical validation failures
|
|
// For example, if timeout is negative or extremely high
|
|
if config.Timeout <= 0 || config.Timeout > 5*time.Minute {
|
|
config.Timeout = 30 * time.Second
|
|
}
|
|
}
|
|
// Create transport with configured settings
|
|
transport := &http.Transport{
|
|
Proxy: http.ProxyFromEnvironment,
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
dialer := &net.Dialer{
|
|
Timeout: config.DialTimeout,
|
|
KeepAlive: config.KeepAlive,
|
|
}
|
|
return dialer.DialContext(ctx, network, addr)
|
|
},
|
|
// SECURITY FIX: Enforce TLS 1.2+ and secure cipher suites
|
|
TLSClientConfig: &tls.Config{
|
|
MinVersion: tls.VersionTLS12, // Enforce TLS 1.2 minimum
|
|
MaxVersion: tls.VersionTLS13, // Support up to TLS 1.3
|
|
CipherSuites: []uint16{
|
|
// TLS 1.3 cipher suites (automatically selected when TLS 1.3 is negotiated)
|
|
// TLS 1.2 secure cipher suites
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
},
|
|
PreferServerCipherSuites: true,
|
|
InsecureSkipVerify: false, // Always verify certificates
|
|
},
|
|
ForceAttemptHTTP2: config.ForceHTTP2,
|
|
TLSHandshakeTimeout: config.TLSHandshakeTimeout,
|
|
ExpectContinueTimeout: config.ExpectContinueTimeout,
|
|
MaxIdleConns: config.MaxIdleConns,
|
|
MaxIdleConnsPerHost: config.MaxIdleConnsPerHost,
|
|
IdleConnTimeout: config.IdleConnTimeout,
|
|
DisableKeepAlives: config.DisableKeepAlives,
|
|
MaxConnsPerHost: config.MaxConnsPerHost,
|
|
ResponseHeaderTimeout: config.ResponseHeaderTimeout,
|
|
DisableCompression: config.DisableCompression,
|
|
WriteBufferSize: config.WriteBufferSize,
|
|
ReadBufferSize: config.ReadBufferSize,
|
|
}
|
|
|
|
client := &http.Client{
|
|
Timeout: config.Timeout,
|
|
Transport: transport,
|
|
}
|
|
|
|
// Configure redirect policy
|
|
maxRedirects := config.MaxRedirects
|
|
if maxRedirects == 0 {
|
|
maxRedirects = 10 // Go's default
|
|
}
|
|
client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
|
|
if len(via) >= maxRedirects {
|
|
return fmt.Errorf("stopped after %d redirects", maxRedirects)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Add cookie jar if requested
|
|
if config.UseCookieJar {
|
|
jar, _ := cookiejar.New(nil)
|
|
client.Jar = jar
|
|
}
|
|
|
|
return client
|
|
}
|
|
|
|
// CreateDefaultClient creates a client with default configuration
|
|
func (f *HTTPClientFactory) CreateDefaultClient() *http.Client {
|
|
return f.CreateHTTPClient(DefaultHTTPClientConfig())
|
|
}
|
|
|
|
// CreateTokenClient creates a client optimized for token operations
|
|
func (f *HTTPClientFactory) CreateTokenClient() *http.Client {
|
|
return f.CreateHTTPClient(TokenHTTPClientConfig())
|
|
}
|
|
|
|
// Global factory instance for convenience
|
|
var globalHTTPClientFactory = NewHTTPClientFactory()
|
|
|
|
// CreateHTTPClientWithConfig creates an HTTP client with the given configuration
|
|
// using the global factory instance
|
|
func CreateHTTPClientWithConfig(config HTTPClientConfig) *http.Client {
|
|
return globalHTTPClientFactory.CreateHTTPClient(config)
|
|
}
|
|
|
|
// CreateDefaultHTTPClient creates a default HTTP client using the global factory
|
|
func CreateDefaultHTTPClient() *http.Client {
|
|
// Use pooled client to prevent connection exhaustion
|
|
return CreatePooledHTTPClient(DefaultHTTPClientConfig())
|
|
}
|
|
|
|
// CreateTokenHTTPClient creates a token HTTP client using the global factory
|
|
func CreateTokenHTTPClient() *http.Client {
|
|
// Use pooled client to prevent connection exhaustion
|
|
return CreatePooledHTTPClient(TokenHTTPClientConfig())
|
|
}
|