Use golang ProxyFunc net library function for UpstreamProxy/NoProxy (#…

…444)
gogatekeeper · Apr 5, 2024 · 0f70b45 · 0f70b45
1 parent 442a95a
commit 0f70b45
Show file tree

Hide file tree

Showing 5 changed files with 244 additions and 174 deletions.
diff --git a/pkg/keycloak/config/config.go b/pkg/keycloak/config/config.go
@@ -77,6 +77,8 @@ type Config struct {
 	OpenIDProviderHeaders map[string]string `json:"openid-provider-headers" usage:"http headers sent to idp provider" yaml:"openid-provider-headers"`
 	// UpstreamProxy proxy for upstream communication
 	UpstreamProxy string `env:"UPSTREAM_PROXY" json:"upstream-proxy" usage:"proxy for communication with upstream" yaml:"upstream-proxy"`
+	// UpstreamNoProxy list of upstream destinations which should be not proxied
+	UpstreamNoProxy string `env:"UPSTREAM_NO_PROXY" json:"upstream-no-proxy" usage:"list of upstream destinations which should be not proxied" yaml:"upstream-no-proxy"`
 	// BaseURI is prepended to all the generated URIs
 	BaseURI string `env:"BASE_URI" json:"base-uri" usage:"common prefix for all URIs" yaml:"base-uri"`
 	// OAuthURI is the uri for the oauth endpoints for the proxy
@@ -457,6 +459,7 @@ func (r *Config) IsValid() error {
 		r.isAdminTLSFilesValid,
 		r.isLetsEncryptValid,
 		r.isTLSMinValid,
+		r.isUpstreamProxyValid,
 		r.isForwardingProxySettingsValid,
 		r.isReverseProxySettingsValid,
 	}
@@ -628,6 +631,15 @@ func (r *Config) isTLSMinValid() error {
 	return nil
 }
 
+func (r *Config) isUpstreamProxyValid() error {
+	if r.UpstreamProxy != "" {
+		if _, err := url.ParseRequestURI(r.UpstreamProxy); err != nil {
+			return fmt.Errorf("the upstream proxy is invalid, %s", err)
+		}
+	}
+	return nil
+}
+
 func (r *Config) isForwardingProxySettingsValid() error {
 	if r.EnableForwarding {
 		validationRegistry := []func() error{

diff --git a/pkg/keycloak/config/config_test.go b/pkg/keycloak/config/config_test.go
@@ -1383,6 +1383,53 @@ func TestIsUpstreamValid(t *testing.T) {
 	}
 }
 
+func TestIsUpstreamProxyValid(t *testing.T) {
+	testCases := []struct {
+		Name   string
+		Config *Config
+		Valid  bool
+	}{
+		{
+			Name: "ValidUpstream",
+			Config: &Config{
+				UpstreamProxy: "http://aklsdsdo",
+			},
+			Valid: true,
+		},
+		{
+			Name: "ValidUpstreamEmpty",
+			Config: &Config{
+				UpstreamProxy: "",
+			},
+			Valid: true,
+		},
+		{
+			Name: "InValidUpstreamInvalidURI",
+			Config: &Config{
+				UpstreamProxy: "asas",
+			},
+			Valid: false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		testCase := testCase
+		t.Run(
+			testCase.Name,
+			func(t *testing.T) {
+				err := testCase.Config.isUpstreamProxyValid()
+				if err != nil && testCase.Valid {
+					t.Fatalf("Expected test not to fail")
+				}
+
+				if err == nil && !testCase.Valid {
+					t.Fatalf("Expected test to fail")
+				}
+			},
+		)
+	}
+}
+
 func TestIsClientIDValid(t *testing.T) {
 	testCases := []struct {
 		Name   string

diff --git a/pkg/keycloak/proxy/server.go b/pkg/keycloak/proxy/server.go
@@ -32,6 +32,8 @@ import (
 	"strings"
 	"time"
 
+	"golang.org/x/net/http/httpproxy"
+
 	"go.uber.org/zap/zapcore"
 
 	"golang.org/x/crypto/acme/autocert"
@@ -1270,8 +1272,15 @@ func (r *OauthProxy) createUpstreamProxy(upstream *url.URL) error {
 
 	var upstreamProxyFunc func(*http.Request) (*url.URL, error)
 	if r.Config.UpstreamProxy != "" {
+		prConfig := httpproxy.Config{
+			HTTPProxy:  r.Config.UpstreamProxy,
+			HTTPSProxy: r.Config.UpstreamProxy,
+		}
+		if r.Config.UpstreamNoProxy != "" {
+			prConfig.NoProxy = r.Config.UpstreamNoProxy
+		}
 		upstreamProxyFunc = func(req *http.Request) (*url.URL, error) {
-			return url.Parse(r.Config.UpstreamProxy)
+			return prConfig.ProxyFunc()(req.URL)
 		}
 	}
 	upstreamProxy.Tr = &http.Transport{

diff --git a/pkg/testsuite/fake_upstream.go b/pkg/testsuite/fake_upstream.go
@@ -3,11 +3,9 @@ package testsuite
 import (
 	"encoding/json"
 	"io"
-	"net"
 	"net/http"
 	"strings"
 
-	"github.com/elazarl/goproxy"
 	"golang.org/x/net/websocket"
 )
 
@@ -72,20 +70,22 @@ func (f *FakeUpstreamService) ServeHTTP(wrt http.ResponseWriter, req *http.Reque
 	}
 }
 
-func createTestProxy() (*http.Server, net.Listener, error) {
-	proxy := goproxy.NewProxyHttpServer()
-	proxy.OnRequest().DoFunc(
-		func(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) {
-			r.Header.Set(TestProxyHeaderKey, TestProxyHeaderVal)
-			return r, nil
-		},
-	)
-	proxyHTTPServer := &http.Server{
-		Handler: proxy,
-	}
-	ln, err := net.Listen("tcp", randomLocalHost)
-	if err != nil {
-		return nil, nil, err
-	}
-	return proxyHTTPServer, ln, nil
-}
+// commented out see TestUpstreamProxy test comment
+// func createTestProxy() (*http.Server, net.Listener, error) {
+// 	proxy := goproxy.NewProxyHttpServer()
+// 	proxy.OnRequest().DoFunc(
+// 		func(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) {
+// 			r.Header.Set(TestProxyHeaderKey, TestProxyHeaderVal)
+// 			return r, nil
+// 		},
+// 	)
+// 	proxyHTTPServer := &http.Server{
+// 		Handler: proxy,
+// 	}
+// 	ln, err := net.Listen("tcp", randomLocalHost)
+// 	if err != nil {
+//nolint:dupword
+// 		return nil, nil, err
+// 	}
+// 	return proxyHTTPServer, ln, nil
+// }