Add flag for Oauth request timeout

cmd/skipper/main.go

@@ -57,6 +57,9 @@ const (
 	defaultTLSHandshakeTimeoutBackend = 60 * time.Second
 	defaultMaxIdleConnsBackend        = 0
 
+	// OAuth2:
+	defaultOAuthTokeninfoTimeout = 2 * time.Second // Not sure if this makes sense
+
 	// generic:
 	addressUsage                         = "network address that skipper should listen on"
 	ignoreTrailingSlashUsage             = "flag indicating to ignore trailing slashes in paths when routing"
@@ -128,10 +131,11 @@ const (
 	kubernetesNamespaceUsage        = "watch only this namespace for ingresses"
 
 	// OAuth2:
-	oauthURLUsage            = "OAuth2 URL for Innkeeper authentication"
-	oauthCredentialsDirUsage = "directory where oauth credentials are stored: client.json and user.json"
-	oauthScopeUsage          = "the whitespace separated list of oauth scopes"
-	oauth2TokeninfoURLUsage  = "sets the default tokeninfo URL to query information about an incoming OAuth2 token in oauth2Tokeninfo filters"
+	oauthURLUsage               = "OAuth2 URL for Innkeeper authentication"
+	oauthCredentialsDirUsage    = "directory where oauth credentials are stored: client.json and user.json"
+	oauthScopeUsage             = "the whitespace separated list of oauth scopes"
+	oauth2TokeninfoURLUsage     = "sets the default tokeninfo URL to query information about an incoming OAuth2 token in oauth2Tokeninfo filters"
+	oauth2TokeninfoTimeoutUsage = "sets the default tokeninfo request timeout duration to 1500ms"
 
 	// connections, timeouts:
 	idleConnsPerHostUsage           = "maximum idle connections per backend host"
@@ -235,10 +239,11 @@ var (
 	kubernetesNamespace        string
 
 	// OAuth2:
-	oauthURL            string
-	oauthScope          string
-	oauthCredentialsDir string
-	oauth2TokeninfoURL  string
+	oauthURL               string
+	oauthScope             string
+	oauthCredentialsDir    string
+	oauth2TokeninfoURL     string
+	oauth2TokeninfoTimeout time.Duration
 
 	// connections, timeouts:
 	idleConnsPerHost           int
@@ -344,6 +349,7 @@ func init() {
 	flag.StringVar(&oauthScope, "oauth-scope", "", oauthScopeUsage)
 	flag.StringVar(&oauthCredentialsDir, "oauth-credentials-dir", "", oauthCredentialsDirUsage)
 	flag.StringVar(&oauth2TokeninfoURL, "oauth2-tokeninfo-url", "", oauth2TokeninfoURLUsage)
+	flag.DurationVar(&oauth2TokeninfoTimeout, "oauth2-tokeninfo-timeout", defaultOAuthTokeninfoTimeout, oauth2TokeninfoTimeoutUsage)
 
 	// connections, timeouts:
 	flag.IntVar(&idleConnsPerHost, "idle-conns-num", proxy.DefaultIdleConnsPerHost, idleConnsPerHostUsage)
@@ -499,10 +505,11 @@ func main() {
 		KubernetesNamespace:        kubernetesNamespace,
 
 		// OAuth2:
-		OAuthUrl:            oauthURL,
-		OAuthScope:          oauthScope,
-		OAuthCredentialsDir: oauthCredentialsDir,
-		OAuthTokeninfoURL:   oauth2TokeninfoURL,
+		OAuthUrl:              oauthURL,
+		OAuthScope:            oauthScope,
+		OAuthCredentialsDir:   oauthCredentialsDir,
+		OAuthTokeninfoURL:     oauth2TokeninfoURL,
+		OAuthTokeninfoTimeout: oauth2TokeninfoTimeout,
 
 		// connections, timeouts:
 		IdleConnectionsPerHost:     idleConnsPerHost,

filters/auth/doc.go

@@ -116,7 +116,7 @@ the key value pairs match. Here "uid" has to have the value "jdoe" and
 "foo" has to have the value "bar". Additionally the second will
 check if there is a "realm" "/employees":
 
-    a: Path("/") -> oauthTokeninfoAllKV("uid", jdoe", "foo", "bar") -> "https://internal.example.org/";
+    a: Path("/") -> oauthTokeninfoAllKV("uid", "jdoe", "foo", "bar") -> "https://internal.example.org/";
     b: Path("/") -> oauthTokeninfoAllKV("realm", "/employees", "uid", "jdoe", "foo", "bar") -> "https://internal.example.org/";
 
 Example json output of this information response:

filters/auth/oauth.go

@@ -4,9 +4,11 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
+	"time"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/zalando/skipper/filters"
@@ -49,13 +51,16 @@ const (
 
 type (
 	authClient struct {
-		url *url.URL
+		url    *url.URL
+		client *http.Client
+		quit   chan struct{}
 	}
 
 	tokeninfoSpec struct {
-		typ          roleCheckType
-		tokeninfoURL string
-		authClient   *authClient
+		typ              roleCheckType
+		tokeninfoURL     string
+		tokenInfoTimeout time.Duration
+		authClient       *authClient
 	}
 
 	filter struct {
@@ -145,9 +150,32 @@ func intersect(left []string, right []string) bool {
 	return false
 }
 
+func createHTTPClient(timeout time.Duration, quit chan struct{}) (*http.Client, error) {
+	transport := &http.Transport{
+		DialContext: (&net.Dialer{
+			Timeout: timeout,
+		}).DialContext,
+	}
+
+	go func() {
+		for {
+			select {
+			case <-time.After(10 * time.Second):
+				transport.CloseIdleConnections()
+			case <-quit:
+				return
+			}
+		}
+	}()
+
+	return &http.Client{
+		Transport: transport,
+	}, nil
+}
+
 // jsonGet requests url with access token in the URL query specified
 // by accessTokenQueryKey, if auth was given and writes into doc.
-func jsonGet(url *url.URL, auth string, doc interface{}) error {
+func jsonGet(url *url.URL, auth string, doc interface{}, client *http.Client) error {
 	if auth != "" {
 		q := url.Query()
 		q.Set(accessTokenQueryKey, auth)
@@ -159,7 +187,7 @@ func jsonGet(url *url.URL, auth string, doc interface{}) error {
 		return err
 	}
 
-	rsp, err := http.DefaultClient.Do(req)
+	rsp, err := client.Do(req)
 	if err != nil {
 		return err
 	}
@@ -173,50 +201,56 @@ func jsonGet(url *url.URL, auth string, doc interface{}) error {
 	return d.Decode(doc)
 }
 
-func newAuthClient(baseURL string) (*authClient, error) {
+func newAuthClient(baseURL string, timeout time.Duration) (*authClient, error) {
 	u, err := url.Parse(baseURL)
 	if err != nil {
 		return nil, err
 	}
-	return &authClient{url: u}, nil
+
+	quit := make(chan struct{})
+	client, err := createHTTPClient(timeout, quit)
+	if err != nil {
+		log.Error("Unable to create http client")
+	}
+	return &authClient{url: u, client: client, quit: quit}, nil
 }
 
 func (ac *authClient) getTokeninfo(token string) (map[string]interface{}, error) {
 	var a map[string]interface{}
-	err := jsonGet(ac.url, token, &a)
+	err := jsonGet(ac.url, token, &a, ac.client)
 	return a, err
 }
 
 // NewOAuthTokeninfoAllScope creates a new auth filter specification
 // to validate authorization for requests. Current implementation uses
 // Bearer tokens to authorize requests and checks that the token
 // contains all scopes.
-func NewOAuthTokeninfoAllScope(OAuthTokeninfoURL string) filters.Spec {
-	return &tokeninfoSpec{typ: checkOAuthTokeninfoAllScopes, tokeninfoURL: OAuthTokeninfoURL}
+func NewOAuthTokeninfoAllScope(OAuthTokeninfoURL string, OAuthTokeninfoTimeout time.Duration) filters.Spec {
+	return &tokeninfoSpec{typ: checkOAuthTokeninfoAllScopes, tokeninfoURL: OAuthTokeninfoURL, tokenInfoTimeout: OAuthTokeninfoTimeout}
 }
 
 // NewOAuthTokeninfoAnyScope creates a new auth filter specification
 // to validate authorization for requests. Current implementation uses
 // Bearer tokens to authorize requests and checks that the token
 // contains at least one scope.
-func NewOAuthTokeninfoAnyScope(OAuthTokeninfoURL string) filters.Spec {
-	return &tokeninfoSpec{typ: checkOAuthTokeninfoAnyScopes, tokeninfoURL: OAuthTokeninfoURL}
+func NewOAuthTokeninfoAnyScope(OAuthTokeninfoURL string, OAuthTokeninfoTimeout time.Duration) filters.Spec {
+	return &tokeninfoSpec{typ: checkOAuthTokeninfoAnyScopes, tokeninfoURL: OAuthTokeninfoURL, tokenInfoTimeout: OAuthTokeninfoTimeout}
 }
 
 // NewOAuthTokeninfoAllKV creates a new auth filter specification
 // to validate authorization for requests. Current implementation uses
 // Bearer tokens to authorize requests and checks that the token
 // contains all key value pairs provided.
-func NewOAuthTokeninfoAllKV(OAuthTokeninfoURL string) filters.Spec {
-	return &tokeninfoSpec{typ: checkOAuthTokeninfoAllKV, tokeninfoURL: OAuthTokeninfoURL}
+func NewOAuthTokeninfoAllKV(OAuthTokeninfoURL string, OAuthTokeninfoTimeout time.Duration) filters.Spec {
+	return &tokeninfoSpec{typ: checkOAuthTokeninfoAllKV, tokeninfoURL: OAuthTokeninfoURL, tokenInfoTimeout: OAuthTokeninfoTimeout}
 }
 
 // NewOAuthTokeninfoAnyKV creates a new auth filter specification
 // to validate authorization for requests. Current implementation uses
 // Bearer tokens to authorize requests and checks that the token
 // contains at least one key value pair provided.
-func NewOAuthTokeninfoAnyKV(OAuthTokeninfoURL string) filters.Spec {
-	return &tokeninfoSpec{typ: checkOAuthTokeninfoAnyKV, tokeninfoURL: OAuthTokeninfoURL}
+func NewOAuthTokeninfoAnyKV(OAuthTokeninfoURL string, OAuthTokeninfoTimeout time.Duration) filters.Spec {
+	return &tokeninfoSpec{typ: checkOAuthTokeninfoAnyKV, tokeninfoURL: OAuthTokeninfoURL, tokenInfoTimeout: OAuthTokeninfoTimeout}
 }
 
 func (s *tokeninfoSpec) Name() string {
@@ -251,7 +285,7 @@ func (s *tokeninfoSpec) CreateFilter(args []interface{}) (filters.Filter, error)
 		return nil, filters.ErrInvalidFilterParameters
 	}
 
-	ac, err := newAuthClient(s.tokeninfoURL)
+	ac, err := newAuthClient(s.tokeninfoURL, s.tokenInfoTimeout)
 	if err != nil {
 		return nil, filters.ErrInvalidFilterParameters
 	}
@@ -280,6 +314,13 @@ func (s *tokeninfoSpec) CreateFilter(args []interface{}) (filters.Filter, error)
 	return f, nil
 }
 
+// Close cleans-up the quit channel used for this spec
+func (s *tokeninfoSpec) Close() {
+	if s.authClient.quit != nil {
+		close(s.authClient.quit)
+	}
+}
+
 func (kv kv) String() string {
 	var res []string
 	for k, v := range kv {