Skip to content

Commit

Permalink
feat: backchannel logout request client tls configuration
Browse files Browse the repository at this point in the history
  • Loading branch information
aarmam committed Mar 23, 2022
1 parent e3236dd commit 5ee9ded
Show file tree
Hide file tree
Showing 6 changed files with 196 additions and 9 deletions.
28 changes: 19 additions & 9 deletions consent/strategy_default.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ package consent

import (
"context"
"crypto/tls"
"net/http"
"net/url"
"strconv"
Expand Down Expand Up @@ -67,17 +68,20 @@ const (
)

type DefaultStrategy struct {
c *config.Provider
r InternalRegistry
c *config.Provider
r InternalRegistry
tlsClientConfig *tls.Config
}

func NewStrategy(
r InternalRegistry,
c *config.Provider,
) *DefaultStrategy {
func NewStrategy(r InternalRegistry, c *config.Provider) *DefaultStrategy {
tlsClientConfig, err := c.TLSClientConfig()
if err != nil {
r.Logger().WithError(err).Fatalf("Unable to setup backchannel logout request client TLS configuration.")
}
return &DefaultStrategy{
c: c,
r: r,
c: c,
r: r,
tlsClientConfig: tlsClientConfig,
}
}

Expand Down Expand Up @@ -697,7 +701,13 @@ func (s *DefaultStrategy) executeBackChannelLogout(ctx context.Context, r *http.
}

var wg sync.WaitGroup
hc := httpx.NewResilientClient()
hc := httpx.NewResilientClient(
httpx.ResilientClientWithClient(&http.Client{
Timeout: time.Minute,
Transport: &http.Transport{
TLSClientConfig: s.tlsClientConfig,
},
}))
wg.Add(len(tasks))

var execute = func(t task) {
Expand Down
41 changes: 41 additions & 0 deletions driver/config/tls.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@ package config

import (
"crypto/tls"
"strings"

"github.com/hashicorp/go-secure-stdlib/tlsutil"
"github.com/pkg/errors"

"github.com/ory/x/tlsx"
)
Expand All @@ -19,6 +23,10 @@ const (
KeyTLSKeyString = "serve." + KeySuffixTLSKeyString
KeyTLSCertPath = "serve." + KeySuffixTLSCertPath
KeyTLSKeyPath = "serve." + KeySuffixTLSKeyPath

KeyClientTLSCipherSuites = "client.tls.cipher_suites"
KeyClientTLSMinVer = "client.tls.min_version"
KeyClientTLSMaxVer = "client.tls.max_version"
)

type TLSConfig interface {
Expand Down Expand Up @@ -47,6 +55,39 @@ func (p *Provider) TLS(iface ServeInterface) TLSConfig {
}
}

func (p *Provider) TLSClientConfig() (*tls.Config, error) {
tlsClientConfig := new(tls.Config)

if p.p.Exists(KeyClientTLSCipherSuites) {
keyCipherSuites := p.p.Strings(KeyClientTLSCipherSuites)
cipherSuites, err := tlsutil.ParseCiphers(strings.Join(keyCipherSuites[:], ","))
if err != nil {
return nil, errors.WithMessage(err, "Unable to setup client TLS configuration")
}
tlsClientConfig.CipherSuites = cipherSuites
}

if p.p.Exists(KeyClientTLSMinVer) {
keyMinVer := p.p.String(KeyClientTLSMinVer)
if tlsMinVer, found := tlsutil.TLSLookup[keyMinVer]; !found {
return nil, errors.Errorf("Unable to setup client TLS configuration. Invalid minimum TLS version: %s", keyMinVer)
} else {
tlsClientConfig.MinVersion = tlsMinVer
}
}

if p.p.Exists(KeyClientTLSMaxVer) {
keyMaxVer := p.p.String(KeyClientTLSMaxVer)
if tlsMaxVer, found := tlsutil.TLSLookup[keyMaxVer]; !found {
return nil, errors.Errorf("Unable to setup client TLS configuration. Invalid maximum TLS version: %s", keyMaxVer)
} else {
tlsClientConfig.MaxVersion = tlsMaxVer
}
}

return tlsClientConfig, nil
}

type tlsConfig struct {
enabled bool
allowTerminationFrom []string
Expand Down
72 changes: 72 additions & 0 deletions driver/config/tls_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
package config

import (
"context"
"crypto/tls"
"testing"

"github.com/stretchr/testify/assert"

"github.com/ory/x/configx"
"github.com/ory/x/logrusx"
)

func TestTLSClientConfig_CipherSuite(t *testing.T) {
l := logrusx.New("", "")
c := MustNew(context.TODO(), l, configx.WithValue("client.tls.cipher_suites", []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}))

tlsClientConfig, err := c.TLSClientConfig()
assert.NoError(t, err)
cipherSuites := tlsClientConfig.CipherSuites

assert.Len(t, cipherSuites, 2)
assert.Equal(t, tls.TLS_AES_128_GCM_SHA256, cipherSuites[0])
assert.Equal(t, tls.TLS_AES_256_GCM_SHA384, cipherSuites[1])
}

func TestTLSClientConfig_InvalidCipherSuite(t *testing.T) {
l := logrusx.New("", "")
c := MustNew(context.TODO(), l, configx.WithValue("client.tls.cipher_suites", []string{"TLS_AES_128_GCM_SHA256", "TLS_INVALID_CIPHER_SUITE"}))

_, err := c.TLSClientConfig()

assert.EqualError(t, err, "Unable to setup client TLS configuration: unsupported cipher \"TLS_INVALID_CIPHER_SUITE\"")
}

func TestTLSClientConfig_MinVersion(t *testing.T) {
l := logrusx.New("", "")
c := MustNew(context.TODO(), l, configx.WithValue("client.tls.min_version", "tls13"))

tlsClientConfig, err := c.TLSClientConfig()

assert.NoError(t, err)
assert.Equal(t, uint16(tls.VersionTLS13), tlsClientConfig.MinVersion)
}

func TestTLSClientConfig_InvalidMinVersion(t *testing.T) {
l := logrusx.New("", "")
c := MustNew(context.TODO(), l, configx.WithValue("client.tls.min_version", "tlsx"))

_, err := c.TLSClientConfig()

assert.EqualError(t, err, "Unable to setup client TLS configuration. Invalid minimum TLS version: tlsx")
}

func TestTLSClientConfig_MaxVersion(t *testing.T) {
l := logrusx.New("", "")
c := MustNew(context.TODO(), l, configx.WithValue("client.tls.max_version", "tls10"))

tlsClientConfig, err := c.TLSClientConfig()

assert.NoError(t, err)
assert.Equal(t, uint16(tls.VersionTLS10), tlsClientConfig.MaxVersion)
}

func TestTLSClientConfig_InvalidMaxTlsVersion(t *testing.T) {
l := logrusx.New("", "")
c := MustNew(context.TODO(), l, configx.WithValue("client.tls.max_version", "tlsx"))

_, err := c.TLSClientConfig()

assert.EqualError(t, err, "Unable to setup client TLS configuration. Invalid maximum TLS version: tlsx")
}
1 change: 1 addition & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ require (
github.com/gorilla/sessions v1.2.0
github.com/gtank/cryptopasta v0.0.0-20170601214702-1f550f6f2f69
github.com/hashicorp/go-cleanhttp v0.5.2
github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1
github.com/jackc/pgx/v4 v4.13.0
github.com/jmoiron/sqlx v1.3.4
github.com/julienschmidt/httprouter v1.3.0
Expand Down
8 changes: 8 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -922,8 +922,15 @@ github.com/hashicorp/go-retryablehttp v0.7.0 h1:eu1EI/mbirUgP5C8hVsTNaGZreBDlYiw
github.com/hashicorp/go-retryablehttp v0.7.0/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 h1:78ki3QBevHwYrVxnyVeaEz+7WtifHhauYF23es/0KlI=
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
github.com/hashicorp/go-secure-stdlib/strutil v0.1.1 h1:nd0HIW15E6FG1MsnArYaHfuw9C2zgzM8LxkG5Ty/788=
github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1 h1:Yc026VyMyIpq1UWRnakHRG01U8fJm+nEfEmjoAb00n8=
github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs=
github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
Expand Down Expand Up @@ -1501,6 +1508,7 @@ github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfF
github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig=
Expand Down
55 changes: 55 additions & 0 deletions spec/config.json
Original file line number Diff line number Diff line change
Expand Up @@ -452,6 +452,61 @@
}
}
},
"client.tls": {
"type": "object",
"additionalProperties": false,
"description": "Configures http client TLS settings.",
"properties": {
"min_version": {
"type": "string",
"description": "Minimum supported TLS version.",
"examples": [
"tls10","tls11","tls12","tls13"
]
},
"max_version": {
"type": "string",
"description": "Maximum supported TLS version.",
"examples": [
"tls10","tls11","tls12","tls13"
]
},
"cipher_suites": {
"type": "array",
"description": "A list of supported cipher suites.",
"items": {
"type": "string"
},
"examples": [
"TLS_RSA_WITH_RC4_128_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
]
}
}
},
"dsn": {
"type": "string",
"description": "Sets the data source name. This configures the backend where Ory Hydra persists data. If dsn is \"memory\", data will be written to memory and is lost when you restart this instance. Ory Hydra supports popular SQL databases. For more detailed configuration information go to: https://www.ory.sh/docs/hydra/dependencies-environment#sql"
Expand Down

0 comments on commit 5ee9ded

Please sign in to comment.