-
Notifications
You must be signed in to change notification settings - Fork 350
feat #524 Support mapping additional request paths to different upstream URLs #526
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -16,10 +16,12 @@ limitations under the License. | |
package main | ||
|
||
import ( | ||
"errors" | ||
"fmt" | ||
"os" | ||
"os/signal" | ||
"reflect" | ||
"strings" | ||
"syscall" | ||
"time" | ||
|
||
|
@@ -217,9 +219,54 @@ func parseCLIOptions(cx *cli.Context, config *Config) (err error) { | |
if err != nil { | ||
return fmt.Errorf("invalid resource %s, %s", x, err) | ||
} | ||
|
||
config.Resources = append(config.Resources, resource) | ||
} | ||
} | ||
|
||
if cx.IsSet("upstream-url-paths") { | ||
for _, x := range cx.StringSlice("upstream-url-paths") { | ||
path, err := cliParseUpstreamURLPath(x) | ||
if err != nil { | ||
return fmt.Errorf("invalid upstream-url-paths %s, %s", x, err) | ||
} | ||
|
||
config.UpstreamPaths = append(config.UpstreamPaths, path) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. append only allowed to cuddle with appended value (from |
||
} | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func cliParseUpstreamURLPath(resource string) (r UpstreamURLPath, err error) { | ||
if resource == "" { | ||
return r, errors.New("no value given") | ||
} | ||
|
||
for _, x := range strings.Split(resource, "|") { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ranges should only be cuddled with assignments used in the iteration (from |
||
kp := strings.Split(x, "=") | ||
if len(kp) != 2 { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. mnd: Magic number: 2, in detected (from |
||
return r, errors.New("config pair, should be (uri|upstream-url)=value") | ||
} | ||
|
||
switch kp[0] { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. only one cuddle assignment allowed before switch statement (from |
||
//nolint:goconst | ||
case "uri": | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. string |
||
r.URL = kp[1] | ||
case "upstream-url": | ||
r.Upstream = kp[1] | ||
default: | ||
return r, fmt.Errorf("invalid identifier '%s', should be uri or upstream-url", kp[0]) | ||
} | ||
} | ||
|
||
if r.URL == "" { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. if statements should only be cuddled with assignments (from |
||
return r, errors.New("uri config missing") | ||
} | ||
|
||
if r.Upstream == "" { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. if statements should only be cuddled with assignments (from |
||
return r, errors.New("upstream-url config missing") | ||
} | ||
|
||
return r, err | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. return statements should not be cuddled if block has more than two lines (from |
||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -155,9 +155,10 @@ func createLogger(config *Config) (*zap.Logger, error) { | |
// createReverseProxy creates a reverse proxy | ||
func (r *oauthProxy) createReverseProxy() error { | ||
r.log.Info("enabled reverse proxy mode, upstream url", zap.String("url", r.config.Upstream)) | ||
if err := r.createUpstreamProxy(r.endpoint); err != nil { | ||
if err := r.createDefaultUpstreamProxy(); err != nil { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. if statements should only be cuddled with assignments (from |
||
return err | ||
} | ||
|
||
engine := chi.NewRouter() | ||
engine.MethodNotAllowed(emptyHandler) | ||
engine.NotFound(emptyHandler) | ||
|
@@ -287,20 +288,22 @@ func (r *oauthProxy) createReverseProxy() error { | |
} | ||
|
||
// createForwardingProxy creates a forwarding proxy | ||
//nolint:funlen | ||
func (r *oauthProxy) createForwardingProxy() error { | ||
r.log.Info("enabling forward signing mode, listening on", zap.String("interface", r.config.Listen)) | ||
|
||
if r.config.SkipUpstreamTLSVerify { | ||
r.log.Warn("tls verification switched off. In forward signing mode it's recommended you verify! (--skip-upstream-tls-verify=false)") | ||
} | ||
if err := r.createUpstreamProxy(nil); err != nil { | ||
|
||
proxy, err := r.createUpstreamProxy(nil) | ||
if err != nil { | ||
return err | ||
} | ||
//nolint:bodyclose | ||
forwardingHandler := r.forwardProxyHandler() | ||
|
||
// set the http handler | ||
proxy := r.upstream.(*goproxy.ProxyHttpServer) | ||
r.router = proxy | ||
|
||
// setup the tls configuration | ||
|
@@ -553,8 +556,44 @@ func (r *oauthProxy) createHTTPListener(config listenerConfig) (net.Listener, er | |
return listener, nil | ||
} | ||
|
||
func (r *oauthProxy) createDefaultUpstreamProxy() error { | ||
defaultUpstream, err := r.createUpstreamProxy(r.endpoint) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
if len(r.config.UpstreamPaths) > 0 { | ||
engine := chi.NewRouter() | ||
|
||
for _, x := range r.config.UpstreamPaths { | ||
path := x | ||
|
||
upstreamURL, err := url.Parse(path.Upstream) | ||
if err != nil { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. only one cuddle assignment allowed before if statement (from |
||
return err | ||
} | ||
|
||
proxy, err := r.createUpstreamProxy(upstreamURL) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
engine.Mount(path.URL, r.forwardToUpstream(upstreamURL, proxy)) | ||
} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. block should not end with a whitespace (or comment) (from |
||
|
||
engine.NotFound(r.forwardToUpstream(r.endpoint, defaultUpstream).ServeHTTP) | ||
|
||
r.upstream = engine | ||
} else { | ||
r.upstream = r.forwardToUpstream(r.endpoint, defaultUpstream) | ||
} | ||
|
||
return nil | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. return statements should not be cuddled if block has more than two lines (from |
||
} | ||
|
||
// createUpstreamProxy create a reverse http proxy from the upstream | ||
func (r *oauthProxy) createUpstreamProxy(upstream *url.URL) error { | ||
//nolint:funlen | ||
func (r *oauthProxy) createUpstreamProxy(upstream *url.URL) (*goproxy.ProxyHttpServer, error) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Function 'createUpstreamProxy' is too long (72 > 60) (from |
||
dialer := (&net.Dialer{ | ||
KeepAlive: r.config.UpstreamKeepaliveTimeout, | ||
Timeout: r.config.UpstreamTimeout, | ||
|
@@ -583,7 +622,7 @@ func (r *oauthProxy) createUpstreamProxy(upstream *url.URL) error { | |
cert, err := ioutil.ReadFile(r.config.TLSClientCertificate) | ||
if err != nil { | ||
r.log.Error("unable to read client certificate", zap.String("path", r.config.TLSClientCertificate), zap.Error(err)) | ||
return err | ||
return nil, err | ||
} | ||
pool := x509.NewCertPool() | ||
pool.AppendCertsFromPEM(cert) | ||
|
@@ -597,7 +636,7 @@ func (r *oauthProxy) createUpstreamProxy(upstream *url.URL) error { | |
r.log.Info("loading the upstream ca", zap.String("path", r.config.UpstreamCA)) | ||
ca, err := ioutil.ReadFile(r.config.UpstreamCA) | ||
if err != nil { | ||
return err | ||
return nil, err | ||
} | ||
pool := x509.NewCertPool() | ||
pool.AppendCertsFromPEM(ca) | ||
|
@@ -614,10 +653,9 @@ func (r *oauthProxy) createUpstreamProxy(upstream *url.URL) error { | |
proxy.KeepDestinationHeaders = true | ||
proxy.Logger = httplog.New(ioutil.Discard, "", 0) | ||
proxy.KeepDestinationHeaders = true | ||
r.upstream = proxy | ||
|
||
// update the tls configuration of the reverse proxy | ||
r.upstream.(*goproxy.ProxyHttpServer).Tr = &http.Transport{ | ||
proxy.Tr = &http.Transport{ | ||
Dial: dialer, | ||
DisableKeepAlives: !r.config.UpstreamKeepalives, | ||
ExpectContinueTimeout: r.config.UpstreamExpectContinueTimeout, | ||
|
@@ -628,7 +666,7 @@ func (r *oauthProxy) createUpstreamProxy(upstream *url.URL) error { | |
MaxIdleConnsPerHost: r.config.MaxIdleConnsPerHost, | ||
} | ||
|
||
return nil | ||
return proxy, nil | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. return statements should not be cuddled if block has more than two lines (from |
||
} | ||
|
||
// createTemplates loads the custom template | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,103 @@ | ||
/* | ||
Copyright 2015 All rights reserved. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package main | ||
|
||
import ( | ||
"fmt" | ||
"net/http" | ||
"net/http/httptest" | ||
"sync/atomic" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/require" | ||
) | ||
|
||
// fakeUpstreamService acts as a fake upstream service, returns the headers and request | ||
type counterService struct { | ||
Name string | ||
HitCounter int64 | ||
} | ||
|
||
func (f *counterService) ServeHTTP(w http.ResponseWriter, r *http.Request) { | ||
fmt.Printf("counter %s\n", f.Name) | ||
atomic.AddInt64(&f.HitCounter, 1) | ||
} | ||
|
||
//TestWebSocket is used to validate that the proxy reverse proxy WebSocket connections. | ||
func TestUpstreamPaths(t *testing.T) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. block should not start with a whitespace (from |
||
// Setup an upstream service. | ||
defaultSvc := &counterService{Name: "default"} | ||
|
||
defaultSvcServer := httptest.NewServer(defaultSvc) | ||
defer defaultSvcServer.Close() | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. only one cuddle assignment allowed before defer statement (from |
||
|
||
adminSvc := &counterService{Name: "admin"} | ||
|
||
adminSvcServer := httptest.NewServer(adminSvc) | ||
defer adminSvcServer.Close() | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. only one cuddle assignment allowed before defer statement (from |
||
|
||
dataSvc := &counterService{Name: "data"} | ||
|
||
dataSvcServer := httptest.NewServer(dataSvc) | ||
defer dataSvcServer.Close() | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. only one cuddle assignment allowed before defer statement (from |
||
|
||
counters := func() []int64 { | ||
return []int64{ | ||
atomic.AddInt64(&defaultSvc.HitCounter, 0), | ||
atomic.AddInt64(&adminSvc.HitCounter, 0), | ||
atomic.AddInt64(&dataSvc.HitCounter, 0), | ||
} | ||
} | ||
|
||
// Setup the proxy. | ||
config := newFakeKeycloakConfig() | ||
config.Upstream = defaultSvcServer.URL | ||
config.UpstreamPaths = []UpstreamURLPath{ | ||
{ | ||
URL: "/auth_all/white_listed/admin", | ||
Upstream: adminSvcServer.URL, | ||
}, | ||
{ | ||
URL: "/auth_all/white_listed/data", | ||
Upstream: dataSvcServer.URL, | ||
}, | ||
} | ||
|
||
auth := newFakeAuthServer() | ||
config.DiscoveryURL = auth.getLocation() | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. assignments should only be cuddled with other assignments (from |
||
config.RevocationEndpoint = auth.getRevocationURL() | ||
|
||
proxy, err := newProxy(config) | ||
require.NoError(t, err) | ||
|
||
proxyServer := httptest.NewServer(proxy.router) | ||
defer proxyServer.Close() | ||
|
||
resp, err := http.Get(proxyServer.URL + "/auth_all/white_listed/admin") | ||
require.NoError(t, err) | ||
resp.Body.Close() | ||
require.Equal(t, []int64{0, 1, 0}, counters()) | ||
|
||
resp, err = http.Get(proxyServer.URL + "/auth_all/white_listed/other") | ||
require.NoError(t, err) | ||
resp.Body.Close() | ||
require.Equal(t, []int64{1, 1, 0}, counters()) | ||
|
||
resp, err = http.Get(proxyServer.URL + "/auth_all/white_listed/data") | ||
require.NoError(t, err) | ||
resp.Body.Close() | ||
require.Equal(t, []int64{1, 1, 1}, counters()) | ||
} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. block should not end with a whitespace (or comment) (from |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if statements should only be cuddled with assignments (from
wsl
)