oauth2-proxy/pkg/http/server.go

package http

import (
	"context"
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
	"time"

	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options/util"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
	"golang.org/x/sync/errgroup"
)

// Server represents an HTTP or HTTPS server.
type Server interface {
	// Start blocks and runs the server.
	Start(ctx context.Context) error
}

// Opts contains the information required to set up the server.
type Opts struct {
	// Handler is the http.Handler to be used to serve http pages by the server.
	Handler http.Handler

	// BindAddress is the address the HTTP server should listen on.
	BindAddress string

	// SecureBindAddress is the address the HTTPS server should listen on.
	SecureBindAddress string

	// TLS is the TLS configuration for the server.
	TLS *options.TLS
}

// NewServer creates a new Server from the options given.
func NewServer(opts Opts) (Server, error) {
	s := &server{
		handler: opts.Handler,
	}
	if err := s.setupListener(opts); err != nil {
		return nil, fmt.Errorf("error setting up listener: %v", err)
	}
	if err := s.setupTLSListener(opts); err != nil {
		return nil, fmt.Errorf("error setting up TLS listener: %v", err)
	}

	return s, nil
}

// server is an implementation of the Server interface.
type server struct {
	handler http.Handler

	listener    net.Listener
	tlsListener net.Listener
}

// setupListener sets the server listener if the HTTP server is enabled.
// The HTTP server can be disabled by setting the BindAddress to "-" or by
// leaving it empty.
func (s *server) setupListener(opts Opts) error {
	if opts.BindAddress == "" || opts.BindAddress == "-" {
		// No HTTP listener required
		return nil
	}

	networkType := getNetworkScheme(opts.BindAddress)
	listenAddr := getListenAddress(opts.BindAddress)

	listener, err := net.Listen(networkType, listenAddr)
	if err != nil {
		return fmt.Errorf("listen (%s, %s) failed: %v", networkType, listenAddr, err)
	}
	s.listener = listener

	return nil
}

func parseCipherSuites(names []string) ([]uint16, error) {
	cipherNameMap := make(map[string]uint16)

	for _, cipherSuite := range tls.CipherSuites() {
		cipherNameMap[cipherSuite.Name] = cipherSuite.ID
	}
	for _, cipherSuite := range tls.InsecureCipherSuites() {
		cipherNameMap[cipherSuite.Name] = cipherSuite.ID
	}

	result := make([]uint16, len(names))
	for i, name := range names {
		id, present := cipherNameMap[name]
		if !present {
			return nil, fmt.Errorf("unknown TLS cipher suite name specified %q", name)
		}
		result[i] = id
	}
	return result, nil
}

// setupTLSListener sets the server TLS listener if the HTTPS server is enabled.
// The HTTPS server can be disabled by setting the SecureBindAddress to "-" or by
// leaving it empty.
func (s *server) setupTLSListener(opts Opts) error {
	if opts.SecureBindAddress == "" || opts.SecureBindAddress == "-" {
		// No HTTPS listener required
		return nil
	}

	config := &tls.Config{
		MinVersion: tls.VersionTLS12, // default, override below
		MaxVersion: tls.VersionTLS13,
		NextProtos: []string{"http/1.1"},
	}
	if opts.TLS == nil {
		return errors.New("no TLS config provided")
	}
	cert, err := getCertificate(opts.TLS)
	if err != nil {
		return fmt.Errorf("could not load certificate: %v", err)
	}
	config.Certificates = []tls.Certificate{cert}

	if len(opts.TLS.CipherSuites) > 0 {
		cipherSuites, err := parseCipherSuites(opts.TLS.CipherSuites)
		if err != nil {
			return fmt.Errorf("could not parse cipher suites: %v", err)
		}
		config.CipherSuites = cipherSuites
	}

	if len(opts.TLS.MinVersion) > 0 {
		switch opts.TLS.MinVersion {
		case "TLS1.2":
			config.MinVersion = tls.VersionTLS12
		case "TLS1.3":
			config.MinVersion = tls.VersionTLS13
		default:
			return errors.New("unknown TLS MinVersion config provided")
		}
	}

	listenAddr := getListenAddress(opts.SecureBindAddress)

	listener, err := net.Listen("tcp", listenAddr)
	if err != nil {
		return fmt.Errorf("listen (%s) failed: %v", listenAddr, err)
	}

	s.tlsListener = tls.NewListener(tcpKeepAliveListener{listener.(*net.TCPListener)}, config)
	return nil
}

// Start starts the HTTP and HTTPS server if applicable.
// It will block until the context is cancelled.
// If any errors occur, only the first error will be returned.
func (s *server) Start(ctx context.Context) error {
	g, groupCtx := errgroup.WithContext(ctx)

	if s.listener != nil {
		g.Go(func() error {
			if err := s.startServer(groupCtx, s.listener); err != nil {
				return fmt.Errorf("error starting insecure server: %v", err)
			}
			return nil
		})
	}

	if s.tlsListener != nil {
		g.Go(func() error {
			if err := s.startServer(groupCtx, s.tlsListener); err != nil {
				return fmt.Errorf("error starting secure server: %v", err)
			}
			return nil
		})
	}

	return g.Wait()
}

// startServer creates and starts a new server with the given listener.
// When the given context is cancelled the server will be shutdown.
// If any errors occur, only the first error will be returned.
func (s *server) startServer(ctx context.Context, listener net.Listener) error {
	srv := &http.Server{Handler: s.handler, ReadHeaderTimeout: time.Minute}
	g, groupCtx := errgroup.WithContext(ctx)

	g.Go(func() error {
		<-groupCtx.Done()

		if err := srv.Shutdown(context.Background()); err != nil {
			return fmt.Errorf("error shutting down server: %v", err)
		}
		return nil
	})

	g.Go(func() error {
		if err := srv.Serve(listener); err != nil && !errors.Is(err, http.ErrServerClosed) {
			return fmt.Errorf("could not start server: %v", err)
		}
		return nil
	})

	return g.Wait()
}

// getNetworkScheme gets the scheme for the HTTP server.
func getNetworkScheme(addr string) string {
	var scheme string
	i := strings.Index(addr, "://")
	if i > -1 {
		scheme = addr[0:i]
	}

	switch scheme {
	case "", "http":
		return "tcp"
	default:
		return scheme
	}
}

// getListenAddress gets the address for the HTTP server.
func getListenAddress(addr string) string {
	slice := strings.SplitN(addr, "//", 2)
	return slice[len(slice)-1]
}

// getCertificate loads the certificate data from the TLS config.
func getCertificate(opts *options.TLS) (tls.Certificate, error) {
	keyData, err := getSecretValue(opts.Key)
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("could not load key data: %v", err)
	}

	certData, err := getSecretValue(opts.Cert)
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("could not load cert data: %v", err)
	}

	cert, err := tls.X509KeyPair(certData, keyData)
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("could not parse certificate data: %v", err)
	}

	return cert, nil
}

// getSecretValue wraps util.GetSecretValue so that we can return an error if no
// source is provided.
func getSecretValue(src *options.SecretSource) ([]byte, error) {
	if src == nil {
		return nil, errors.New("no configuration provided")
	}
	return util.GetSecretValue(src)
}

// tcpKeepAliveListener sets TCP keep-alive timeouts on accepted
// connections. It's used by so that dead TCP connections (e.g. closing laptop
// mid-download) eventually go away.
type tcpKeepAliveListener struct {
	*net.TCPListener
}

// Accept implements the TCPListener interface.
// It sets the keep alive period to 3 minutes for each connection.
func (ln tcpKeepAliveListener) Accept() (net.Conn, error) {
	tc, err := ln.AcceptTCP()
	if err != nil {
		return nil, err
	}
	err = tc.SetKeepAlive(true)
	if err != nil {
		logger.Errorf("Error setting Keep-Alive: %v", err)
	}
	err = tc.SetKeepAlivePeriod(3 * time.Minute)
	if err != nil {
		logger.Printf("Error setting Keep-Alive period: %v", err)
	}
	return tc, nil
}