From 969e796c411d70a0b3e5a49ca6bbf33f8fd0f534 Mon Sep 17 00:00:00 2001
From: Nathan Smith <12156185+nsmith5@users.noreply.github.com>
Date: Sat, 7 May 2022 04:27:41 -0700
Subject: [PATCH] Add timeout to OIDC discovery (#560)

Limit HTTP requests to OIDC discovery endpoints to 10 seconds before cancelling and returning an error

Signed-off-by: Nathan Smith
---
 pkg/config/config.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/pkg/config/config.go b/pkg/config/config.go
index c73c50b15..4aa15f77e 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -25,12 +25,15 @@ import (
 	"os"
 	"regexp"
 	"strings"
+	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	lru "github.com/hashicorp/golang-lru"
 	"github.com/sigstore/fulcio/pkg/log"
 )
 
+const defaultOIDCDiscoveryTimeout = 10 * time.Second
+
 type FulcioConfig struct {
 	OIDCIssuers map[string]OIDCIssuer `json:"OIDCIssuers,omitempty"`
 
@@ -132,7 +135,9 @@ func (fc *FulcioConfig) GetVerifier(issuerURL string) (*oidc.IDTokenVerifier, bo
 		return nil, false
 	}
 
-	provider, err := oidc.NewProvider(context.Background(), issuerURL)
+	ctx, cancel := context.WithTimeout(context.Background(), defaultOIDCDiscoveryTimeout)
+	defer cancel()
+	provider, err := oidc.NewProvider(ctx, issuerURL)
 	if err != nil {
 		log.Logger.Warnf("Failed to create provider for issuer URL %q: %v", issuerURL, err)
 		return nil, false
@@ -145,7 +150,9 @@ func (fc *FulcioConfig) GetVerifier(issuerURL string) (*oidc.IDTokenVerifier, bo
 func (fc *FulcioConfig) prepare() error {
 	fc.verifiers = make(map[string]*oidc.IDTokenVerifier, len(fc.OIDCIssuers))
 	for _, iss := range fc.OIDCIssuers {
-		provider, err := oidc.NewProvider(context.Background(), iss.IssuerURL)
+		ctx, cancel := context.WithTimeout(context.Background(), defaultOIDCDiscoveryTimeout)
+		defer cancel()
+		provider, err := oidc.NewProvider(ctx, iss.IssuerURL)
 		if err != nil {
 			return fmt.Errorf("provider %s: %w", iss.IssuerURL, err)
 		}
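Review bot: In the GetVerifier hunk the timeout context is cancelled by `defer cancel()` as soon as the function returns, yet the *oidc.Provider built from it outlives the call (the resulting verifier is cached on fc), and as far as I can tell go-oidc's RemoteKeySet retains the context passed to NewProvider for its later JWKS fetches, so the first key (re)fetch after the return would fail with context canceled and token verification for that issuer would start failing — worth confirming against the go-oidc version pinned in go.mod before merging. The prepare() hunk has the same problem, and there `defer cancel()` sits inside the for loop, so every iteration's timer is also held until prepare returns rather than ending with the iteration. One way to bound only the discovery request while keeping the retained context live is to put the timeout on the HTTP client instead: `ctx := oidc.ClientContext(context.Background(), &http.Client{Timeout: defaultOIDCDiscoveryTimeout})` followed by `provider, err := oidc.NewProvider(ctx, issuerURL)` (with `net/http` imported), dropping the WithTimeout/cancel pair at both sites. Both enclosing functions start or continue outside their hunks.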