Add httpProxyURL support in OAuth2 (#500)

Allows operators to specify an external HTTP Proxy to do OAuth. Often the On-Prem deployments don't have a direct external (internet) access to do OAuth2 and is usually enabled through an external Proxy. This commit allows operators of Flyte to provide an HTTP Proxy URL to do the OAuth. Signed-off-by: Ankit Goyal <[email protected]> Signed-off-by: Ankit Goyal <[email protected]>
flyteorg · Dec 8, 2022 · 5df4f41 · 5df4f41
1 parent 8f27daa
commit 5df4f41
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 0 deletions.
diff --git a/auth/auth_context.go b/auth/auth_context.go
@@ -133,6 +133,11 @@ func NewAuthenticationContext(ctx context.Context, sm core.SecretManager, oauth2
 		Timeout: IdpConnectionTimeout,
 	}
 
+	if len(options.UserAuth.HTTPProxyURL.String()) > 0 {
+		logger.Infof(ctx, "HTTPProxy URL for OAuth2 is: %s", options.UserAuth.HTTPProxyURL.String())
+		httpClient.Transport = &http.Transport{Proxy: http.ProxyURL(&options.UserAuth.HTTPProxyURL.URL)}
+	}
+
 	// Construct an oidc Provider, which needs its own http Client.
 	oidcCtx := oidc.ClientContext(ctx, httpClient)
 	baseURL := options.UserAuth.OpenID.BaseURL.String()

diff --git a/auth/config/config.go b/auth/config/config.go
@@ -215,6 +215,9 @@ type UserAuthConfig struct {
 	OpenID OpenIDOptions `json:"openId" pflag:",OpenID Configuration for User Auth"`
 	// Possibly add basicAuth & SAML/p support.
 
+	// HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy
+	HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."`
+
 	// Secret names, defaults are set in DefaultConfig variable above but are possible to override through configs.
 	CookieHashKeySecretName  string         `json:"cookieHashKeySecretName" pflag:",OPTIONAL: Secret name to use for cookie hash key."`
 	CookieBlockKeySecretName string         `json:"cookieBlockKeySecretName" pflag:",OPTIONAL: Secret name to use for cookie block key."`

diff --git a/auth/config/config_flags.go b/auth/config/config_flags.go
diff --git a/auth/config/config_flags_test.go b/auth/config/config_flags_test.go
diff --git a/auth/handlers.go b/auth/handlers.go
@@ -57,6 +57,7 @@ func RegisterHandlers(ctx context.Context, handler interfaces.HandlerRegisterer,
 func RefreshTokensIfExists(ctx context.Context, authCtx interfaces.AuthenticationContext, authHandler http.HandlerFunc) http.HandlerFunc {
 
 	return func(writer http.ResponseWriter, request *http.Request) {
+		ctx = context.WithValue(ctx, oauth2.HTTPClient, authCtx.GetHTTPClient())
 		// Since we only do one thing if there are no errors anywhere along the chain, we can save code by just
 		// using one variable and checking for errors at the end.
 		idToken, accessToken, refreshToken, err := authCtx.CookieManager().RetrieveTokenValues(ctx, request)
@@ -140,6 +141,8 @@ func GetCallbackHandler(ctx context.Context, authCtx interfaces.AuthenticationCo
 		logger.Debugf(ctx, "Running callback handler... for RequestURI %v", request.RequestURI)
 		authorizationCode := request.FormValue(AuthorizationResponseCodeType)
 
+		ctx = context.WithValue(ctx, oauth2.HTTPClient, authCtx.GetHTTPClient())
+
 		err := VerifyCsrfCookie(ctx, request)
 		if err != nil {
 			logger.Errorf(ctx, "Invalid CSRF token cookie %s", err)

diff --git a/auth/handlers_test.go b/auth/handlers_test.go
@@ -43,10 +43,14 @@ func setupMockedAuthContextAtEndpoint(endpoint string) *mocks.AuthenticationCont
 		},
 		Scopes: []string{"openid", "other"},
 	}
+	dummyHTTPClient := &http.Client{
+		Timeout: IdpConnectionTimeout,
+	}
 	mockAuthCtx.OnCookieManagerMatch().Return(mockCookieHandler)
 	mockCookieHandler.OnSetTokenCookiesMatch(mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil)
 	mockCookieHandler.OnSetUserInfoCookieMatch(mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil)
 	mockAuthCtx.OnOAuth2ClientConfigMatch(mock.Anything).Return(&dummyOAuth2Config)
+	mockAuthCtx.OnGetHTTPClient().Return(dummyHTTPClient)
 	return mockAuthCtx
 }