From 7eb1d1c0ff7189bcd76792ac38e7425e9b7c6f86 Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Fri, 17 Jun 2022 21:40:41 +0200
Subject: [PATCH] feat: respect local DNS restrictions

---
 client/validator.go | 26 ++++++++++++--------------
 client/validator_test.go | 20 +++++++++++++++++---
 consent/registry.go | 1 +
 consent/strategy_default.go | 6 +-----
 driver/registry.go | 2 +-
 driver/registry_base.go | 8 +++++---
 driver/registry_base_test.go | 19 +++++++++++++++++++
 fositex/config.go | 4 ++--
 go.mod | 7 ++++---
 go.sum | 22 ++++++++--------------
 oauth2/hook.go | 17 ++++++++++-------
 11 files changed, 80 insertions(+), 52 deletions(-)

diff --git a/client/validator.go b/client/validator.go
index 9420e5eb31..61f67ebf97 100644
--- a/client/validator.go
+++ b/client/validator.go
@@ -24,10 +24,12 @@ import (
 "context"
 "encoding/json"
 "fmt"
- "net/http"
 "net/url"
 "strings"

+ "github.com/ory/hydra/driver/config"
+ "github.com/ory/hydra/x"
+
 "github.com/ory/x/errorsx"
 "github.com/ory/x/stringslice"

@@ -47,21 +49,17 @@ var (
 }
 )

-type Validator struct {
- c *http.Client
- r Registry
+type validatorRegistry interface {
+ x.HTTPClientProvider
+ config.Provider
 }

-func NewValidator(registry Registry) *Validator {
- return &Validator{
- c: http.DefaultClient,
- r: registry,
- }
+type Validator struct {
+ r validatorRegistry
 }

-func NewValidatorWithClient(registry Registry, client *http.Client) *Validator {
+func NewValidator(registry validatorRegistry) *Validator {
 return &Validator{
- c: client,
 r: registry,
 }
 }
@@ -116,7 +114,7 @@ func (v *Validator) Validate(ctx context.Context, c *Client) error {
 c.SecretExpiresAt = 0

 if len(c.SectorIdentifierURI) > 0 {
- if err := v.ValidateSectorIdentifierURL(c.SectorIdentifierURI, c.GetRedirectURIs()); err != nil {
+ if err := v.ValidateSectorIdentifierURL(ctx, c.SectorIdentifierURI, c.GetRedirectURIs()); err != nil {
 return err
 }
 }
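Review bot: The new `validatorRegistry` interface and the narrowed `Validator` struct carry no doc comments, so a reader cannot tell why the validator needs `config.Provider` in addition to the HTTP client — nothing in the visible hunks of validator.go calls `Config()`. I would add `// validatorRegistry is the subset of driver.Registry the validator depends on: an HTTP client that honours the configured outbound restrictions (e.g. private IP ranges) and access to the configuration.` above the interface, and a note on `NewValidator` that `NewValidatorWithClient` was removed, so tests supply a fake registry instead of a bare client. If no code outside this hunk reads the config, dropping `config.Provider` would keep the interface minimal; that is presumably not the case, but it is not visible here.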
@@ -189,7 +187,7 @@ func (v *Validator) ValidateDynamicRegistration(ctx context.Context, c *Client)
 return v.Validate(ctx, c)
 }

-func (v *Validator) ValidateSectorIdentifierURL(location string, redirectURIs []string) error {
+func (v *Validator) ValidateSectorIdentifierURL(ctx context.Context, location string, redirectURIs []string) error {
 l, err := url.Parse(location)
 if err != nil {
 return errorsx.WithStack(ErrInvalidClientMetadata.WithHintf("Value of sector_identifier_uri could not be parsed because %s.", err))
@@ -199,7 +197,7 @@ func (v *Validator) ValidateSectorIdentifierURL(location string, redirectURIs []
 return errorsx.WithStack(ErrInvalidClientMetadata.WithDebug("Value sector_identifier_uri must be an HTTPS URL but it is not."))
 }

- response, err := v.c.Get(location)
+ response, err := v.r.HTTPClient(ctx).Get(location)
 if err != nil {
 return errorsx.WithStack(ErrInvalidClientMetadata.WithDebug(fmt.Sprintf("Unable to connect to URL set by sector_identifier_uri: %s", err)))
 }
diff --git a/client/validator_test.go b/client/validator_test.go
index 68afda1788..b709927ea4 100644
--- a/client/validator_test.go
+++ b/client/validator_test.go
@@ -27,6 +27,11 @@ import (
 "net/http/httptest"
 "testing"

+ "github.com/hashicorp/go-retryablehttp"
+
+ "github.com/ory/hydra/driver"
+ "github.com/ory/x/httpx"
+
 "github.com/gofrs/uuid"
 "github.com/stretchr/testify/assert"
@@ -154,7 +159,17 @@ func TestValidate(t *testing.T) {
 }
 }

+type fakeHTTP struct {
+ driver.Registry
+ c *http.Client
+}
+
+func (f *fakeHTTP) HTTPClient(ctx context.Context, opts ...httpx.ResilientOptions) *retryablehttp.Client {
+ return httpx.NewResilientClient(httpx.ResilientClientWithClient(f.c))
+}
+
 func TestValidateSectorIdentifierURL(t *testing.T) {
+ reg := internal.NewMockedRegistry(t, &contextx.Default{})
 var payload string
 var h http.HandlerFunc = func(w http.ResponseWriter, r *http.Request) {
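Review bot: `v.r.HTTPClient(ctx).Get(location)` uses ctx only to select the client; the outbound fetch of `sector_identifier_uri` is not bound to the request context, so a cancelled or timed-out admin request leaves the fetch running until whatever timeout the client carries (not visible here). The hook.go hunk in this same commit builds a context-bound request, and I would do the same here: `req, err := retryablehttp.NewRequestWithContext(ctx, http.MethodGet, location, nil)` followed by `response, err := v.r.HTTPClient(ctx).Do(req)`, which needs a `go-retryablehttp` import and the `net/http` import this commit removes from the file. The handling of `response` continues past the hunk.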
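Review bot: `fakeHTTP.HTTPClient` wraps `ts.Client()` via `httpx.ResilientClientWithClient` and ignores both `ctx` and `opts`, so `TestValidateSectorIdentifierURL` verifies the registry wiring but not the private-IP restriction this commit is about — the TLS test server is on a loopback address and would presumably be rejected by a real client when `ViperKeyClientHTTPNoPrivateIPRanges` is set. A case that sets that key on `reg`, builds `NewValidator(reg)` directly and calls `ValidateSectorIdentifierURL` against `ts.URL` expecting an error would cover the validator path the way `TestGetJWKSFetcherStrategyHostEnforcment` covers the JWKS path. A one-line comment on `fakeHTTP`, `// fakeHTTP bypasses the outbound restrictions so the test server on loopback is reachable.`, would also make the intent explicit.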
@@ -163,8 +178,7 @@ func TestValidateSectorIdentifierURL(t *testing.T) {
 ts := httptest.NewTLSServer(h)
 defer ts.Close()

- v := NewValidatorWithClient(nil, ts.Client())
-
+ v := NewValidator(&fakeHTTP{Registry: reg, c: ts.Client()})
 for k, tc := range []struct {
 p string
 r []string
@@ -198,7 +212,7 @@ func TestValidateSectorIdentifierURL(t *testing.T) {
 } {
 t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
 payload = tc.p
- err := v.ValidateSectorIdentifierURL(tc.u, tc.r)
+ err := v.ValidateSectorIdentifierURL(context.Background(), tc.u, tc.r)
 if tc.expectErr {
 require.Error(t, err)
 } else {
diff --git a/consent/registry.go b/consent/registry.go
index f3b34204aa..2f9ed0387d 100644
--- a/consent/registry.go
+++ b/consent/registry.go
@@ -12,6 +12,7 @@ type InternalRegistry interface {
 x.RegistryWriter
 x.RegistryCookieStore
 x.RegistryLogger
+ x.HTTPClientProvider
 Registry
 client.Registry
diff --git a/consent/strategy_default.go b/consent/strategy_default.go
index f1e9df5265..0b4c44c302 100644
--- a/consent/strategy_default.go
+++ b/consent/strategy_default.go
@@ -43,8 +43,6 @@ import (
 "github.com/ory/x/sqlxx"

- "github.com/ory/x/httpx"
-
 "github.com/ory/fosite"
 "github.com/ory/fosite/handler/openid"
 "github.com/ory/fosite/token/jwt"
@@ -672,14 +670,12 @@ func (s *DefaultStrategy) executeBackChannelLogout(ctx context.Context, r *http.
 tasks = append(tasks, task{url: c.BackChannelLogoutURI, clientID: c.GetID(), token: t})
 }

- hc := httpx.NewResilientClient()
-
 var execute = func(t task) {
 log := s.r.Logger().WithRequest(r).
 WithField("client_id", t.clientID).
 WithField("backchannel_logout_url", t.url)

- res, err := hc.PostForm(t.url, url.Values{"logout_token": {t.token}})
+ res, err := s.r.HTTPClient(ctx).PostForm(t.url, url.Values{"logout_token": {t.token}})
 if err != nil {
 log.WithError(err).Error("Unable to execute OpenID Connect Back-Channel Logout Request")
 return
diff --git a/driver/registry.go b/driver/registry.go
index ebc8ba628c..d2dcf30876 100644
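Review bot: `s.r.HTTPClient(ctx)` is now called inside `execute`, i.e. once per back-channel logout task, whereas the removed code built `hc` once before the closure; if `HTTPClient` constructs a fresh client and transport per call — not visible here — that work repeats per task and connection reuse across the logout calls is lost. I would keep the hoisting: `hc := s.r.HTTPClient(ctx)` just before `var execute = func(t task) {`, and `res, err := hc.PostForm(t.url, url.Values{"logout_token": {t.token}})` inside. `executeBackChannelLogout` continues past the hunk, including how `execute` is scheduled.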
--- a/driver/registry.go
+++ b/driver/registry.go
@@ -42,7 +42,7 @@ type Registry interface {
 WithContextualizer(ctxer contextx.Contextualizer) Registry
 WithLogger(l *logrusx.Logger) Registry
 x.HTTPClientProvider
- GetJWKSFetcherStrategy(ctx context.Context) fosite.JWKSFetcherStrategy
+ GetJWKSFetcherStrategy() fosite.JWKSFetcherStrategy
 config.Provider
 persistence.Provider
diff --git a/driver/registry_base.go b/driver/registry_base.go
index 0f819c0f11..79279938d3 100644
--- a/driver/registry_base.go
+++ b/driver/registry_base.go
@@ -99,9 +99,11 @@ type RegistryBase struct {
 publicCORS *cors.Cors
 }

-func (m *RegistryBase) GetJWKSFetcherStrategy(ctx context.Context) fosite.JWKSFetcherStrategy {
+func (m *RegistryBase) GetJWKSFetcherStrategy() fosite.JWKSFetcherStrategy {
 if m.jfs == nil {
- m.jfs = fosite.NewDefaultJWKSFetcherStrategy(fosite.JWKSFetcherWithHTTPClient(m.HTTPClient(ctx)))
+ m.jfs = fosite.NewDefaultJWKSFetcherStrategy(fosite.JWKSFetcherWithHTTPClientSource(func(ctx context.Context) *retryablehttp.Client {
+ return m.HTTPClient(ctx)
+ }))
 }
 return m.jfs
 }
@@ -492,7 +494,7 @@ func (m *RegistryBase) WithConsentStrategy(c consent.Strategy) {
 func (m *RegistryBase) AccessRequestHooks() []oauth2.AccessRequestHook {
 if m.arhs == nil {
 m.arhs = []oauth2.AccessRequestHook{
- oauth2.RefreshTokenHook(m.Config()),
+ oauth2.RefreshTokenHook(m),
 }
 }
 return m.arhs
diff --git a/driver/registry_base_test.go b/driver/registry_base_test.go
index 4122d36189..55889e3f94 100644
--- a/driver/registry_base_test.go
+++ b/driver/registry_base_test.go
@@ -6,6 +6,10 @@ import (
 "io/ioutil"
 "testing"

+ "github.com/stretchr/testify/require"
+
+ "github.com/ory/x/httpx"
+
 "github.com/sirupsen/logrus"
 "github.com/sirupsen/logrus/hooks/test"
 "github.com/stretchr/testify/assert"
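Review bot: `GetJWKSFetcherStrategy` dropped its `ctx` parameter and now hands fosite a client-source closure, but there is no doc comment saying that the context is applied per `Resolve` call rather than at construction, which is the whole reason the signature changed. I would add `// GetJWKSFetcherStrategy returns the lazily created JWKS fetcher. The HTTP client is obtained per Resolve call from that call's context, so the configured outbound restrictions (e.g. private IP ranges) apply to every key fetch.` above the method. The `if m.jfs == nil` lazy assignment is unsynchronised; that predates this commit, and whether callers serialise it is not visible here.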
@@ -18,6 +22,21 @@ import (
 "github.com/gorilla/sessions"
 )

+func TestGetJWKSFetcherStrategyHostEnforcment(t *testing.T) {
+ ctx := context.Background()
+ l := logrusx.New("", "")
+ c := config.MustNew(context.Background(), l, configx.WithConfigFiles("../internal/.hydra.yaml"))
+ c.MustSet(ctx, config.KeyDSN, "memory")
+ c.MustSet(ctx, config.HSMEnabled, "false")
+ c.MustSet(ctx, config.ViperKeyClientHTTPNoPrivateIPRanges, true)
+
+ registry, err := NewRegistryWithoutInit(c, l)
+ require.NoError(t, err)
+
+ _, err = registry.GetJWKSFetcherStrategy().Resolve(ctx, "http://localhost:8080", true)
+ require.ErrorAs(t, err, new(httpx.ErrPrivateIPAddressDisallowed))
+}
+
 func TestRegistryBase_newKeyStrategy_handlesNetworkError(t *testing.T) {
 // Test ensures any network specific error is logged with a
 // specific message when attempting to create a new key strategy: issue #2338
diff --git a/fositex/config.go b/fositex/config.go
index 6d88c60787..33b75ed82c 100644
--- a/fositex/config.go
+++ b/fositex/config.go
@@ -25,7 +25,7 @@ type configDependencies interface {
 config.Provider
 persistence.Provider
 x.HTTPClientProvider
- GetJWKSFetcherStrategy(ctx context.Context) fosite.JWKSFetcherStrategy
+ GetJWKSFetcherStrategy() fosite.JWKSFetcherStrategy
 }

 type factory func(config fosite.Configurator, storage interface{}, strategy interface{}) interface{}
@@ -84,7 +84,7 @@ func (c *Config) LoadDefaultHanlders(strategy interface{}) {
 }

 func (c *Config) GetJWKSFetcherStrategy(ctx context.Context) fosite.JWKSFetcherStrategy {
- return c.deps.GetJWKSFetcherStrategy(ctx)
+ return c.deps.GetJWKSFetcherStrategy()
 }

 func (c *Config) GetHTTPClient(ctx context.Context) *retryablehttp.Client {
diff --git a/go.mod b/go.mod
index 34653f1e71..32edf51b55 100644
--- a/go.mod
+++ b/go.mod
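Review bot: The test name `TestGetJWKSFetcherStrategyHostEnforcment` misspells "Enforcement"; `TestGetJWKSFetcherStrategyHostEnforcement` is what anyone using `go test -run` will type. The single `http://localhost:8080` case also depends on the host resolver mapping `localhost` to a loopback address, so adding literal cases such as `http://127.0.0.1:8080` and `http://[::1]:8080` would pin the IP-range check independently of DNS while the `localhost` case keeps covering the resolver path the commit title refers to. Whether `httpx.ErrPrivateIPAddressDisallowed` is the value type that `require.ErrorAs` expects a pointer to cannot be confirmed from this hunk.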
@@ -12,7 +12,7 @@ replace ( github.com/oleiade/reflections => github.com/oleiade/reflections v1.0.1 ) -replace github.com/ory/fosite => github.com/ory/fosite v0.42.3-0.20220513181618-5f156bd07d5d +replace github.com/ory/fosite => github.com/ory/fosite v0.42.3-0.20220617175535-a88d4431f12d replace github.com/gobuffalo/pop/v6 => github.com/gobuffalo/pop/v6 v6.0.4-0.20220524160009-195240e4a669 @@ -44,6 +44,7 @@ require ( github.com/gorilla/websocket v1.5.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.10.2 // indirect github.com/gtank/cryptopasta v0.0.0-20170601214702-1f550f6f2f69 + github.com/hashicorp/go-retryablehttp v0.7.1 github.com/hashicorp/go-cleanhttp v0.5.2 github.com/instana/testify v1.6.2-0.20200721153833-94b1851f4d65 github.com/jackc/pgx/v4 v4.16.1 @@ -63,13 +64,13 @@ require ( github.com/ory/go-acc v0.2.8 github.com/ory/graceful v0.1.1 github.com/ory/herodot v0.9.13 - github.com/ory/x v0.0.415 + github.com/ory/x v0.0.418 github.com/pborman/uuid v1.2.1 github.com/pelletier/go-toml v1.9.5 // indirect github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2 github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.11.0 - github.com/rs/cors v1.8.0 + github.com/rs/cors v1.8.2 github.com/sawadashota/encrypta v0.0.2 github.com/sirupsen/logrus v1.8.1 github.com/spf13/afero v1.8.2 // indirect diff --git a/go.sum b/go.sum index f42cc7c1da..34b89f44e1 100644 --- a/go.sum +++ b/go.sum 
@@ -516,7 +516,6 @@ github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2H github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= -github.com/gin-gonic/gin v1.5.0/go.mod h1:Nd6IXA8m5kNZdNEHMBd93KT+mdY3+bewLgRvmCsR2Do= github.com/gin-gonic/gin v1.7.0/go.mod h1:jD2toBW3GZUr5UMcdrwQA10I7RuaFOl/SGeDjXkfUtY= github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= @@ -654,10 +653,8 @@ github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhO github.com/go-pg/pg/v10 v10.0.0/go.mod h1:XHU1AkQW534GFuUdSiQ46+Xw6Ah+9+b8DlT4YwhiXL8= github.com/go-pg/zerochecker v0.2.0/go.mod h1:NJZ4wKL0NmTtz0GKCoJ8kym6Xn/EQzXRl2OnAe7MmDo= github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= -github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM= github.com/go-playground/locales v0.13.0 h1:HyWk6mgj5qFqCT5fjGBuRArbVDfE4hi8+e8ceBS/t7Q= github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8= -github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY= github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD876Lmtgy7VtROAbHHXk8no= github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA= github.com/go-playground/validator/v10 v10.4.1 h1:pH2c5ADXtd66mxoE0Zm9SUhxE20r7aM3F26W0hOn+GE= 
@@ -1037,8 +1034,9 @@ github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es github.com/hashicorp/go-retryablehttp v0.5.4/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-retryablehttp v0.6.8/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= -github.com/hashicorp/go-retryablehttp v0.7.0 h1:eu1EI/mbirUgP5C8hVsTNaGZreBDlYiwC1FZWkvQPQ4= github.com/hashicorp/go-retryablehttp v0.7.0/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= +github.com/hashicorp/go-retryablehttp v0.7.1 h1:sUiuQAnLlbvmExtFQs72iFW/HXeUn8Z1aJLQ4LJJbTQ= +github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= @@ -1279,7 +1277,6 @@ github.com/labstack/echo v3.3.10+incompatible/go.mod h1:0INS7j/VjnFxD4E2wkz67b8c github.com/labstack/echo/v4 v4.2.0/go.mod h1:AA49e0DZ8kk5jTOOCKNuPR6oTnBS0dYiM4FW1e6jwpg= github.com/labstack/gommon v0.3.0/go.mod h1:MULnywXg0yavhxWKc+lOruYdAhDwPK9wf0OL7NoOu+k= github.com/labstack/gommon v0.3.1/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM= -github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw= github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y= github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= github.com/lib/pq v0.0.0-20180327071824-d34b9ff171c2/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= 
@@ -1533,8 +1530,8 @@ github.com/ory/dockertest/v3 v3.5.4/go.mod h1:J8ZUbNB2FOhm1cFZW9xBpDsODqsSWcyYgt github.com/ory/dockertest/v3 v3.6.3/go.mod h1:EFLcVUOl8qCwp9NyDAcCDtq/QviLtYswW/VbWzUnTNE= github.com/ory/dockertest/v3 v3.9.0 h1:U7M9FfYEwF4uqEE6WUSFs7K+Hvb31CsCX5uZUZD3olI= github.com/ory/dockertest/v3 v3.9.0/go.mod h1:jgm0rnguArPXsVduy+oUjzFtD0Na+DDNbUl8W5v+ez8= -github.com/ory/fosite v0.42.3-0.20220513181618-5f156bd07d5d h1:+6pj38oTZ72Pt9TIOXbmZvVq3R44nhf1g0fJsZhDOx8= -github.com/ory/fosite v0.42.3-0.20220513181618-5f156bd07d5d/go.mod h1:UZqP9A6ust3zwOe6pp5yfX2V1+FhZlnsEqDGdPvM4Os= +github.com/ory/fosite v0.42.3-0.20220617175535-a88d4431f12d h1:56LlJXhIUt/Ch1QWxsERTL1ThYssNa0X4kPdBlhZPIk= +github.com/ory/fosite v0.42.3-0.20220617175535-a88d4431f12d/go.mod h1:2d/7KFPecmGtUgIEWlD2f0t0gXlZ9+X2z+BtytIJS4Q= github.com/ory/go-acc v0.0.0-20181118080137-ddc355013f90/go.mod h1:sxnvPCxChFuSmTJGj8FdMupeq1BezCiEpDjTUXQ4hf4= github.com/ory/go-acc v0.2.6/go.mod h1:4Kb/UnPcT8qRAk3IAxta+hvVapdxTLWtrr7bFLlEgpw= github.com/ory/go-acc v0.2.8 h1:rOHHAPQjf0u7eHFGWpiXK+gIu/e0GRSJNr9pDukdNC4= 
@@ -1563,8 +1560,8 @@ github.com/ory/x v0.0.93/go.mod h1:lfcTaGXpTZs7IEQAW00r9EtTCOxD//SiP5uWtNiz31g= github.com/ory/x v0.0.110/go.mod h1:DJfkE3GdakhshNhw4zlKoRaL/ozg/lcTahA9OCih2BE= github.com/ory/x v0.0.127/go.mod h1:FwUujfFuCj5d+xgLn4fGMYPnzriR5bdAIulFXMtnK0M= github.com/ory/x v0.0.214/go.mod h1:aRl57gzyD4GF0HQCekovXhv0xTZgAgiht3o8eVhsm9Q= -github.com/ory/x v0.0.415 h1:er86z/KGP8mHxsepoDh3XxpI7wXZstwApIzcWhzoPMw= -github.com/ory/x v0.0.415/go.mod h1:Rchv+ANloKAhmN3LZ5KUIAU2TIRlHPF7EYEB2i3xL0Q= +github.com/ory/x v0.0.418 h1:SE7Ekb10GyRaOSg8Egg4UXv7PZVDQovAdhB/kSDndiE= +github.com/ory/x v0.0.418/go.mod h1:+CZc3VvpVc34WyDRMcvm9hZ9MV36FVdbRFzRQou8Bo8= github.com/parnurzeal/gorequest v0.2.15/go.mod h1:3Kh2QUMJoqw3icWAecsyzkpY7UzRfDhbRdTjtNwNiUE= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= @@ -1676,8 +1673,8 @@ github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTE github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= github.com/rs/cors v1.6.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= -github.com/rs/cors v1.8.0 h1:P2KMzcFwrPoSjkF1WLRPsp3UMLyql8L4v9hQpVeK5so= -github.com/rs/cors v1.8.0/go.mod h1:EBwu+T5AvHOcXwvZIkQFjUN6s8Czyqw12GL/Y0tUyRM= +github.com/rs/cors v1.8.2 h1:KCooALfAYGs415Cwu5ABvv9n9509fSiG5SQJn/AQo4U= +github.com/rs/cors v1.8.2/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ= github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU= github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc= 
@@ -2167,7 +2164,6 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= -golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 h1:kQgndtyPBW/JIYERgdxfwMYh3AVStj88WQTlNDi2a+o= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -2540,7 +2536,6 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= -golang.org/x/tools v0.1.8-0.20211029000441-d6a9af8af023/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= golang.org/x/tools v0.1.10 h1:QjFRCZxdOhBJ/UNgnBZLbNV13DlbnK0quyivTnXJM20= golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -2762,7 +2757,6 @@ gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMy
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE=
 gopkg.in/go-playground/mold.v2 v2.2.0/go.mod h1:XMyyRsGtakkDPbxXbrA5VODo6bUXyvoDjLd5l3T0XoA=
-gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df/go.mod h1:LRQQ+SO6ZHR7tOkpBDuZnXENFzX8qRjMDMyPD6BRkCw=
 gopkg.in/gorp.v1 v1.7.2/go.mod h1:Wo3h+DBQZIxATwftsglhdD/62zRFPhGhTiu5jUJmCaw=
 gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s=
diff --git a/oauth2/hook.go b/oauth2/hook.go
index 8f14d0fc7d..e1e81de1bb 100644
--- a/oauth2/hook.go
+++ b/oauth2/hook.go
@@ -6,7 +6,9 @@ import (
 "encoding/json"
 "net/http"

- "github.com/hashicorp/go-cleanhttp"
+ "github.com/hashicorp/go-retryablehttp"
+
+ "github.com/ory/hydra/x"

 "github.com/ory/fosite"
 "github.com/ory/hydra/consent"
@@ -58,11 +60,12 @@ type RefreshTokenHookResponse struct {
 }

 // RefreshTokenHook is an AccessRequestHook called for `refresh_token` grant type.
-func RefreshTokenHook(config *config.DefaultProvider) AccessRequestHook {
- client := cleanhttp.DefaultPooledClient()
-
+func RefreshTokenHook(reg interface {
+ config.Provider
+ x.HTTPClientProvider
+}) AccessRequestHook {
 return func(ctx context.Context, requester fosite.AccessRequester) error {
- hookURL := config.TokenRefreshHookURL(ctx)
+ hookURL := reg.Config().TokenRefreshHookURL(ctx)
 if hookURL == nil {
 return nil
 }
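Review bot: `RefreshTokenHook` now takes an anonymous `interface { config.Provider; x.HTTPClientProvider }` parameter, while the same commit names the identical dependency set `validatorRegistry` in client/validator.go; a named `type refreshTokenHookDependencies interface { config.Provider; x.HTTPClientProvider }` keeps the two files consistent and gives the doc comment something to point at. I would also extend the existing `// RefreshTokenHook is an AccessRequestHook ...` comment with a sentence saying the hook URL is called through `reg.HTTPClient(ctx)`, so the configured outbound restrictions (private IP ranges) apply to it. The returned closure continues outside the hunk.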
@@ -100,7 +103,7 @@ func RefreshTokenHook(config *config.DefaultProvider) AccessRequestHook {
 )
 }

- req, err := http.NewRequestWithContext(ctx, http.MethodPost, hookURL.String(), bytes.NewReader(reqBodyBytes))
+ req, err := retryablehttp.NewRequestWithContext(ctx, http.MethodPost, hookURL.String(), bytes.NewReader(reqBodyBytes))
 if err != nil {
 return errorsx.WithStack(
 fosite.ErrServerError.
@@ -110,7 +113,7 @@ func RefreshTokenHook(config *config.DefaultProvider) AccessRequestHook {
 }

 req.Header.Set("Content-Type", "application/json; charset=UTF-8")
- resp, err := client.Do(req)
+ resp, err := reg.HTTPClient(ctx).Do(req)
 if err != nil {
 return errorsx.WithStack(
 fosite.ErrServerError.
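Review bot: Replacing the pooled `cleanhttp` client with `reg.HTTPClient(ctx)` — a `*retryablehttp.Client`, as the `Do(req)` on a `retryablehttp` request and the `HTTPClient` signature elsewhere in this commit show — changes the hook's semantics: unless `HTTPClient` disables retries (not visible here), go-retryablehttp's default policy re-sends the POST on connection errors and 5xx responses, so a refresh-hook backend that is not idempotent can observe the same refresh more than once. I would state this in the `RefreshTokenHook` doc comment, e.g. `// The hook request may be retried on transient failures; hook implementations must be idempotent.`, or pass an option that limits retries for this call. Handling of `resp.Body` is outside the hunk.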