mirror of
https://github.com/lukaszraczylo/traefikoidc.git
synced 2026-06-05 22:44:17 +00:00
lukaszraczylo
1b49e133da
* Fix bug affecting Azure OIDC authentication ( and most likely others ) * Fixes issue #51 * Ensure that appended roles are unique. Update the documentation. * Improvements targetting possible memory usage spikes. * Additional fixes and cleanup * Refactoring code to fix the issues identified by the users. * Modernize run * Fieldalignment * Multiple changes to improve performance and reduce complexity. - Optimise the errors and recovery. - Deduplicate code in metadata cache. - Remove unused performance monitoring code. - Simplify session management and settings handling. * Fix claims issue. * Add ability to overwrite the default scopes in the settings file * Well.. that escalated quickly. Completely forgot that Traefik uses outdated Yaegi and requires compatibility with 1.20 ( pre-generic Go code ). * Bugfix #51: Ensures that user provided scopes overrides work. * fixup! Bugfix #51: Ensures that user provided scopes overrides work. * fixup! fixup! Bugfix #51: Ensures that user provided scopes overrides work. * Abstract the provider logic into a separate package. * Additional micro fixes and cleanups. * Simplify all the things. * fixup! Simplify all the things. * fixup! fixup! Simplify all the things. * fixup! fixup! fixup! Simplify all the things. * fixup! fixup! fixup! fixup! Simplify all the things. * ... * Cleanup tests. * fixup! Cleanup tests. * fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! fixup! Cleanup tests. * Issue #53: Fix CSRF token handling in reverse proxy 1. ✅ HTTPS Detection Fixed (session.go:723) - Now uses X-Forwarded-Proto header instead of r.URL.Scheme - Properly detects HTTPS in reverse proxy environments 2. ✅ SameSite Cookie Attribute Fixed - Removed automatic SameSiteStrictMode for HTTPS (would break OAuth) - Keeps SameSiteLaxMode to allow OAuth callbacks from external domains - Only uses Strict for AJAX requests which don't involve OAuth redirects 3. ✅ Cookie Domain Handling Fixed - Now respects X-Forwarded-Host header for cookie domain - Ensures cookies are set for the public domain, not internal proxy domain 4. ✅ EnhanceSessionSecurity Properly Integrated - Function is now actually called during session save - Applies security enhancements without breaking OAuth flow Why Issue #53 Failed Before: 1. Cookies were not marked Secure in HTTPS environments (browser wouldn't send them back) 2. If they had been Secure with SameSite=Strict, Azure callbacks would still fail 3. Cookie domain might have been wrong (internal vs public domain) Why It Works Now: 1. Cookies are properly marked Secure for HTTPS 2. Uses SameSite=Lax to allow OAuth provider callbacks 3. Cookie domain uses public domain from X-Forwarded-Host 4. CSRF token persists through the entire OAuth flow * Next set of enhancements together with memory usage improvements. * Memory leak fixes and optimisations. * CSRF and Cookie Domain fixes * fixup! CSRF and Cookie Domain fixes * Metadata cache leak fix + profiling * fixup! Metadata cache leak fix + profiling * Memory leaks hunting, part 1337. * Further pursue of perfection. * fixup! Further pursue of perfection. * fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * Clear race conditions * fixup! Clear race conditions * Weekend fun with memory leaks * Splitting code into multiple files with reasonable testing coverage. ``` ok github.com/lukaszraczylo/traefikoidc 117.017s coverage: 72.6% of statements ok github.com/lukaszraczylo/traefikoidc/auth 0.505s coverage: 87.1% of statements ok github.com/lukaszraczylo/traefikoidc/circuit_breaker 0.283s coverage: 99.0% of statements github.com/lukaszraczylo/traefikoidc/config coverage: 0.0% of statements ok github.com/lukaszraczylo/traefikoidc/handlers 0.349s coverage: 98.2% of statements ok github.com/lukaszraczylo/traefikoidc/internal/providers (cached) coverage: 94.3% of statements ok github.com/lukaszraczylo/traefikoidc/middleware 0.808s coverage: 78.0% of statements ok github.com/lukaszraczylo/traefikoidc/recovery 0.653s coverage: 100.0% of statements ok github.com/lukaszraczylo/traefikoidc/session/chunking (cached) coverage: 87.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/core (cached) coverage: 85.6% of statements ok github.com/lukaszraczylo/traefikoidc/session/crypto (cached) coverage: 81.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/storage (cached) coverage: 93.5% of statements ok github.com/lukaszraczylo/traefikoidc/session/validators (cached) coverage: 98.8% of statements ```` * fixup! Splitting code into multiple files with reasonable testing coverage. * fixup! fixup! Splitting code into multiple files with reasonable testing coverage. * Weekend fun with further optimisations. * fixup! Weekend fun with further optimisations. * fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * Pre-release cleanup. * Enhance test coverage. * fixup! Enhance test coverage. * fixup! fixup! Enhance test coverage. * fixup! fixup! fixup! Enhance test coverage.
220 lines
6.1 KiB
Go
220 lines
6.1 KiB
Go
package traefikoidc
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"net"
|
|
"net/http"
|
|
"sync"
|
|
"sync/atomic"
|
|
"time"
|
|
)
|
|
|
|
// SharedTransportPool manages a pool of shared HTTP transports to prevent connection exhaustion
|
|
type SharedTransportPool struct {
|
|
mu sync.RWMutex
|
|
transports map[string]*sharedTransport
|
|
maxConns int
|
|
ctx context.Context
|
|
cancel context.CancelFunc
|
|
clientCount int32 // SECURITY FIX: Track total HTTP clients
|
|
maxClients int32 // SECURITY FIX: Limit total clients to 5
|
|
}
|
|
|
|
type sharedTransport struct {
|
|
transport *http.Transport
|
|
refCount int
|
|
lastUsed time.Time
|
|
}
|
|
|
|
var (
|
|
globalTransportPool *SharedTransportPool
|
|
globalTransportPoolOnce sync.Once
|
|
)
|
|
|
|
// GetGlobalTransportPool returns the singleton transport pool instance
|
|
func GetGlobalTransportPool() *SharedTransportPool {
|
|
globalTransportPoolOnce.Do(func() {
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
globalTransportPool = &SharedTransportPool{
|
|
transports: make(map[string]*sharedTransport),
|
|
maxConns: 20, // SECURITY FIX: Reduced from 100 to prevent resource exhaustion
|
|
ctx: ctx,
|
|
cancel: cancel,
|
|
clientCount: 0,
|
|
maxClients: 5, // SECURITY FIX: Maximum 5 HTTP clients
|
|
}
|
|
// Start cleanup goroutine with context cancellation
|
|
go globalTransportPool.cleanupIdleTransports(ctx)
|
|
})
|
|
return globalTransportPool
|
|
}
|
|
|
|
// GetOrCreateTransport gets or creates a shared transport with the given config
|
|
func (p *SharedTransportPool) GetOrCreateTransport(config HTTPClientConfig) *http.Transport {
|
|
// SECURITY FIX: Check client limit before creating new transport
|
|
if atomic.LoadInt32(&p.clientCount) >= p.maxClients {
|
|
// Return existing transport if limit reached
|
|
p.mu.RLock()
|
|
defer p.mu.RUnlock()
|
|
for _, shared := range p.transports {
|
|
if shared != nil && shared.transport != nil {
|
|
shared.refCount++
|
|
shared.lastUsed = time.Now()
|
|
return shared.transport
|
|
}
|
|
}
|
|
// If no transport available, return nil (caller should handle)
|
|
return nil
|
|
}
|
|
|
|
p.mu.Lock()
|
|
defer p.mu.Unlock()
|
|
|
|
key := p.configKey(config)
|
|
|
|
if shared, exists := p.transports[key]; exists {
|
|
shared.refCount++
|
|
shared.lastUsed = time.Now()
|
|
return shared.transport
|
|
}
|
|
|
|
// Increment client count
|
|
atomic.AddInt32(&p.clientCount, 1)
|
|
|
|
// Create new transport with conservative limits
|
|
transport := &http.Transport{
|
|
Proxy: http.ProxyFromEnvironment,
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
dialer := &net.Dialer{
|
|
Timeout: config.DialTimeout,
|
|
KeepAlive: config.KeepAlive,
|
|
}
|
|
return dialer.DialContext(ctx, network, addr)
|
|
},
|
|
// SECURITY FIX: Enforce TLS 1.2+ and secure cipher suites
|
|
TLSClientConfig: &tls.Config{
|
|
MinVersion: tls.VersionTLS12,
|
|
MaxVersion: tls.VersionTLS13,
|
|
CipherSuites: []uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
},
|
|
PreferServerCipherSuites: true,
|
|
InsecureSkipVerify: false,
|
|
},
|
|
ForceAttemptHTTP2: config.ForceHTTP2,
|
|
TLSHandshakeTimeout: config.TLSHandshakeTimeout,
|
|
ExpectContinueTimeout: config.ExpectContinueTimeout,
|
|
MaxIdleConns: 10, // SECURITY FIX: Further reduced
|
|
MaxIdleConnsPerHost: 2, // SECURITY FIX: Limited connections
|
|
IdleConnTimeout: 30 * time.Second, // Reduced from 5 minutes
|
|
DisableKeepAlives: config.DisableKeepAlives,
|
|
MaxConnsPerHost: 5, // SECURITY FIX: Strict limit
|
|
ResponseHeaderTimeout: config.ResponseHeaderTimeout,
|
|
DisableCompression: config.DisableCompression,
|
|
WriteBufferSize: config.WriteBufferSize,
|
|
ReadBufferSize: config.ReadBufferSize,
|
|
}
|
|
|
|
p.transports[key] = &sharedTransport{
|
|
transport: transport,
|
|
refCount: 1,
|
|
lastUsed: time.Now(),
|
|
}
|
|
|
|
return transport
|
|
}
|
|
|
|
// ReleaseTransport decrements the reference count for a transport
|
|
func (p *SharedTransportPool) ReleaseTransport(transport *http.Transport) {
|
|
p.mu.Lock()
|
|
defer p.mu.Unlock()
|
|
|
|
for _, shared := range p.transports {
|
|
if shared.transport == transport {
|
|
shared.refCount--
|
|
if shared.refCount <= 0 {
|
|
// Mark for cleanup but don't immediately close
|
|
shared.lastUsed = time.Now()
|
|
}
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
// cleanupIdleTransports periodically cleans up unused transports
|
|
func (p *SharedTransportPool) cleanupIdleTransports(ctx context.Context) {
|
|
ticker := time.NewTicker(1 * time.Minute)
|
|
defer ticker.Stop()
|
|
|
|
for {
|
|
select {
|
|
case <-ctx.Done():
|
|
return
|
|
case <-ticker.C:
|
|
p.mu.Lock()
|
|
now := time.Now()
|
|
for transportKey, shared := range p.transports {
|
|
// Clean up transports not used for 2 minutes with no references
|
|
if shared.refCount <= 0 && now.Sub(shared.lastUsed) > 2*time.Minute {
|
|
shared.transport.CloseIdleConnections()
|
|
delete(p.transports, transportKey)
|
|
// SECURITY FIX: Decrement client count when removing transport
|
|
atomic.AddInt32(&p.clientCount, -1)
|
|
}
|
|
}
|
|
p.mu.Unlock()
|
|
}
|
|
}
|
|
}
|
|
|
|
// configKey generates a unique key for a config
|
|
func (p *SharedTransportPool) configKey(config HTTPClientConfig) string {
|
|
// Simple key based on main parameters
|
|
return string(rune(config.MaxConnsPerHost)) + string(rune(config.MaxIdleConnsPerHost))
|
|
}
|
|
|
|
// Cleanup closes all transports and stops the cleanup goroutine
|
|
func (p *SharedTransportPool) Cleanup() {
|
|
p.mu.Lock()
|
|
defer p.mu.Unlock()
|
|
|
|
// Stop the cleanup goroutine
|
|
if p.cancel != nil {
|
|
p.cancel()
|
|
}
|
|
|
|
for _, shared := range p.transports {
|
|
shared.transport.CloseIdleConnections()
|
|
}
|
|
p.transports = make(map[string]*sharedTransport)
|
|
}
|
|
|
|
// CreatePooledHTTPClient creates an HTTP client using the shared transport pool
|
|
func CreatePooledHTTPClient(config HTTPClientConfig) *http.Client {
|
|
pool := GetGlobalTransportPool()
|
|
transport := pool.GetOrCreateTransport(config)
|
|
|
|
client := &http.Client{
|
|
Timeout: config.Timeout,
|
|
Transport: transport,
|
|
}
|
|
|
|
// Configure redirect policy
|
|
maxRedirects := config.MaxRedirects
|
|
if maxRedirects == 0 {
|
|
maxRedirects = 10
|
|
}
|
|
client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
|
|
if len(via) >= maxRedirects {
|
|
return http.ErrUseLastResponse
|
|
}
|
|
return nil
|
|
}
|
|
|
|
return client
|
|
}
|