feat: preserve_host feature for oauth2_introspect, better tracing, introspection prefixes (#1131)

This patch additionally allows selecting between the two authenticators based on a prefix to the token.

Author: alnr

.docker/Dockerfile-build

@@ -1,5 +1,5 @@
 # Workaround for https://github.com/GoogleContainerTools/distroless/issues/1342
-FROM golang:1.20-bullseye AS builder
+FROM golang:1.21-bullseye AS builder
 
 WORKDIR /go/src/github.com/ory/oathkeeper
 

.github/workflows/ci.yml

@@ -37,7 +37,7 @@ jobs:
           key: ${{ needs.sdk-generate.outputs.sdk-cache-key }}
       - uses: actions/setup-go@v2
         with:
-          go-version: "1.20"
+          go-version: "1.21"
       - run: go list -json > go.list
       - name: Run nancy
         uses: sonatype-nexus-community/[email protected]
@@ -70,7 +70,7 @@ jobs:
       - uses: ory/ci/checkout@master
       - uses: actions/setup-go@v2
         with:
-          go-version: "1.20"
+          go-version: "1.21"
       - run: |
           ./test/${{ matrix.name }}/run.sh
 
@@ -84,6 +84,9 @@ jobs:
         with:
           token: ${{ secrets.ORY_BOT_PAT }}
           output-dir: docs/oathkeeper/cli
+      - uses: actions/setup-go@v2
+        with:
+          go-version: "1.21"
 
   changelog:
     name: Generate changelog

.github/workflows/format.yml

@@ -11,7 +11,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.20"
+          go-version: "1.21"
       - run: make format
       - name: Indicate formatting issues
         run: git diff HEAD --exit-code --color

.github/workflows/licenses.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
         with:
-          go-version: "1.20"
+          go-version: "1.21"
       - uses: actions/setup-node@v2
         with:
           node-version: "18"

Makefile

@@ -84,6 +84,12 @@ install:
 docker:
 	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build -t oryd/oathkeeper:${IMAGE_TAG} --progress=plain -f .docker/Dockerfile-build . 
 
+.PHONY: docker-k3d
+docker-k3d:
+	CGO_ENABLED=0 GOOS=linux go build
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build -t k3d-localhost:5111/oryd/oathkeeper:dev --push -f .docker/Dockerfile-distroless-static . 
+	rm oathkeeper
+
 docs/cli: .bin/clidoc
 	clidoc .
 

api/credential_doc.go

@@ -3,6 +3,8 @@
 
 package api
 
+//lint:file-ignore U1000 Used to generate Swagger/OpenAPI definitions.
+
 // swagger:model jsonWebKeySet
 type swaggerJSONWebKeySet struct {
 	// The value of the "keys" parameter is an array of JWK values.  By

api/health.go

@@ -3,6 +3,8 @@
 
 package api
 
+//lint:file-ignore U1000 Used to generate Swagger/OpenAPI definitions.
+
 // Alive returns an ok status if the instance is ready to handle HTTP requests.
 //
 // swagger:route GET /health/alive api isInstanceAlive

api/rule_doc.go

@@ -3,6 +3,8 @@
 
 package api
 
+//lint:file-ignore U1000 Used to generate Swagger/OpenAPI definitions.
+
 import "github.com/ory/oathkeeper/rule"
 
 // A rule

cmd/root_test.go

@@ -20,30 +20,12 @@ import (
 
 var apiPort, proxyPort int
 
-func freePort() (int, int) {
-	var err error
-	r := make([]int, 2)
-
-	if r[0], err = freeport.GetFreePort(); err != nil {
-		panic(err.Error())
-	}
-
-	tries := 0
-	for {
-		r[1], err = freeport.GetFreePort()
-		if r[0] != r[1] {
-			break
-		}
-		tries++
-		if tries > 10 {
-			panic("Unable to find free port")
-		}
-	}
-	return r[0], r[1]
-}
-
 func init() {
-	apiPort, proxyPort = freePort()
+	p, err := freeport.GetFreePorts(2)
+	if err != nil {
+		panic(err)
+	}
+	apiPort, proxyPort = p[0], p[1]
 
 	os.Setenv("SERVE_API_PORT", fmt.Sprintf("%d", apiPort))
 	os.Setenv("SERVE_PROXY_PORT", fmt.Sprintf("%d", proxyPort))

credentials/fetcher_default.go

@@ -14,6 +14,8 @@ import (
 	"sync"
 	"time"
 
+	"go.opentelemetry.io/otel/trace"
+
 	"github.com/ory/oathkeeper/internal/cloudstorage"
 
 	"github.com/pkg/errors"
@@ -49,6 +51,11 @@ type FetcherDefault struct {
 	mux         *blob.URLMux
 }
 
+type dependencies interface {
+	Logger() *logrusx.Logger
+	Tracer() trace.Tracer
+}
+
 type FetcherOption func(f *FetcherDefault)
 
 func WithURLMux(mux *blob.URLMux) FetcherOption {
@@ -60,15 +67,18 @@ func WithURLMux(mux *blob.URLMux) FetcherOption {
 //   - cancelAfter: If reached, the fetcher will stop waiting for responses and return an error.
 //   - waitForResponse: While the fetcher might stop waiting for responses, we will give the server more time to respond
 //     and add the keys to the registry unless waitForResponse is reached in which case we'll terminate the request.
-func NewFetcherDefault(l *logrusx.Logger, cancelAfter time.Duration, ttl time.Duration, opts ...FetcherOption) *FetcherDefault {
+func NewFetcherDefault(d dependencies, cancelAfter time.Duration, ttl time.Duration, opts ...FetcherOption) *FetcherDefault {
 	f := &FetcherDefault{
 		cancelAfter: cancelAfter,
-		l:           l,
+		l:           d.Logger(),
 		ttl:         ttl,
 		keys:        make(map[string]jose.JSONWebKeySet),
 		fetchedAt:   make(map[string]time.Time),
-		client:      httpx.NewResilientClient(httpx.ResilientClientWithConnectionTimeout(15 * time.Second)).StandardClient(),
-		mux:         cloudstorage.NewURLMux(),
+		client: httpx.NewResilientClient(
+			httpx.ResilientClientWithConnectionTimeout(15*time.Second),
+			httpx.ResilientClientWithTracer(d.Tracer()),
+		).StandardClient(),
+		mux: cloudstorage.NewURLMux(),
 	}
 	for _, o := range opts {
 		o(f)
@@ -94,8 +104,6 @@ func (s *FetcherDefault) ResolveSets(ctx context.Context, locations []url.URL) (
 }
 
 func (s *FetcherDefault) fetchParallel(ctx context.Context, locations []url.URL) error {
-	ctx, cancel := context.WithTimeout(ctx, s.cancelAfter)
-	defer cancel()
 	errs := make(chan error)
 	done := make(chan struct{})
 
@@ -112,12 +120,14 @@ func (s *FetcherDefault) fetchParallel(ctx context.Context, locations []url.URL)
 		}
 	}()
 
-	go s.resolveAll(done, errs, locations)
+	go s.resolveAll(ctx, done, errs, locations)
 
 	select {
 	case <-ctx.Done():
-		s.l.WithError(ctx.Err()).Errorf("Ignoring JSON Web Keys from at least one URI because the request timed out waiting for a response.")
 		return ctx.Err()
+	case <-time.After(s.cancelAfter):
+		s.l.Errorf("Ignoring JSON Web Keys from at least one URI because the request timed out waiting for a response.")
+		return context.DeadlineExceeded
 	case <-done:
 		// We're done!
 		return nil
@@ -183,25 +193,25 @@ func (s *FetcherDefault) set(locations []url.URL, staleKeyAcceptable bool) []jos
 }
 
 func (s *FetcherDefault) isKeyExpired(expiredKeyAcceptable bool, fetchedAt time.Time) bool {
-	return expiredKeyAcceptable == false &&
-		fetchedAt.Add(s.ttl).Before(time.Now().UTC())
+	return !expiredKeyAcceptable && time.Since(fetchedAt) > s.ttl
 }
 
-func (s *FetcherDefault) resolveAll(done chan struct{}, errs chan error, locations []url.URL) {
+func (s *FetcherDefault) resolveAll(ctx context.Context, done chan struct{}, errs chan error, locations []url.URL) {
+	ctx = context.WithoutCancel(ctx)
 	var wg sync.WaitGroup
 
 	for _, l := range locations {
 		l := l
 		wg.Add(1)
-		go s.resolve(&wg, errs, l)
+		go s.resolve(ctx, &wg, errs, l)
 	}
 
 	wg.Wait()
 	close(done)
 	close(errs)
 }
 
-func (s *FetcherDefault) resolve(wg *sync.WaitGroup, errs chan error, location url.URL) {
+func (s *FetcherDefault) resolve(ctx context.Context, wg *sync.WaitGroup, errs chan error, location url.URL) {
 	defer wg.Done()
 	var (
 		reader io.ReadCloser
@@ -210,7 +220,6 @@ func (s *FetcherDefault) resolve(wg *sync.WaitGroup, errs chan error, location u
 
 	switch location.Scheme {
 	case "azblob", "gs", "s3":
-		ctx := context.Background()
 		bucket, err := s.mux.OpenBucket(ctx, location.Scheme+"://"+location.Host)
 		if err != nil {
 			errs <- errors.WithStack(herodot.
@@ -255,7 +264,19 @@ func (s *FetcherDefault) resolve(wg *sync.WaitGroup, errs chan error, location u
 		defer reader.Close()
 
 	case "http", "https":
-		res, err := s.client.Get(location.String())
+		req, err := http.NewRequestWithContext(ctx, "GET", location.String(), nil)
+		if err != nil {
+			errs <- errors.WithStack(herodot.
+				ErrInternalServerError.
+				WithReasonf(
+					`Unable to fetch JSON Web Keys from location "%s" because "%s".`,
+					location.String(),
+					err,
+				),
+			)
+			return
+		}
+		res, err := s.client.Do(req)
 		if err != nil {
 			errs <- errors.WithStack(herodot.
 				ErrInternalServerError.

credentials/fetcher_default_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/otel/trace"
 
 	"github.com/ory/x/logrusx"
 
@@ -33,6 +34,16 @@ var sets = [...]json.RawMessage{
 	json.RawMessage(`invalid json ¯\_(ツ)_/¯`),
 }
 
+type reg struct{}
+
+func (*reg) Logger() *logrusx.Logger {
+	return logrusx.New("", "", logrusx.ForceLevel(logrus.DebugLevel))
+}
+
+func (*reg) Tracer() trace.Tracer {
+	return trace.NewNoopTracerProvider().Tracer("")
+}
+
 func TestFetcherDefault(t *testing.T) {
 	t.Parallel()
 
@@ -42,7 +53,7 @@ func TestFetcherDefault(t *testing.T) {
 
 	l := logrusx.New("", "", logrusx.ForceLevel(logrus.DebugLevel))
 	w := herodot.NewJSONWriter(l)
-	s := NewFetcherDefault(l, maxWait, JWKsTTL)
+	s := NewFetcherDefault(&reg{}, maxWait, JWKsTTL)
 
 	timeOutServer := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		time.Sleep(timeoutServerDelay)
@@ -177,7 +188,7 @@ func TestFetcherDefault(t *testing.T) {
 	t.Run("name=should fetch from s3 object storage", func(t *testing.T) {
 		t.Parallel()
 		ctx := context.Background()
-		s := NewFetcherDefault(l, maxWait, JWKsTTL, WithURLMux(cloudstorage.NewTestURLMux(t)))
+		s := NewFetcherDefault(&reg{}, maxWait, JWKsTTL, WithURLMux(cloudstorage.NewTestURLMux(t)))
 
 		key, err := s.ResolveKey(ctx, []url.URL{
 			*urlx.ParseOrPanic("s3://oathkeeper-test-bucket/path/prefix/jwks.json"),
@@ -189,7 +200,7 @@ func TestFetcherDefault(t *testing.T) {
 	t.Run("name=should fetch from gs object storage", func(t *testing.T) {
 		t.Parallel()
 		ctx := context.Background()
-		s := NewFetcherDefault(l, maxWait, JWKsTTL, WithURLMux(cloudstorage.NewTestURLMux(t)))
+		s := NewFetcherDefault(&reg{}, maxWait, JWKsTTL, WithURLMux(cloudstorage.NewTestURLMux(t)))
 
 		key, err := s.ResolveKey(ctx, []url.URL{
 			*urlx.ParseOrPanic("gs://oathkeeper-test-bucket/path/prefix/jwks.json"),
@@ -201,7 +212,7 @@ func TestFetcherDefault(t *testing.T) {
 	t.Run("name=should fetch from azure object storage", func(t *testing.T) {
 		t.Parallel()
 		ctx := context.Background()
-		s := NewFetcherDefault(l, maxWait, JWKsTTL, WithURLMux(cloudstorage.NewTestURLMux(t)))
+		s := NewFetcherDefault(&reg{}, maxWait, JWKsTTL, WithURLMux(cloudstorage.NewTestURLMux(t)))
 
 		jwkKey, err := s.ResolveKey(ctx, []url.URL{
 			*urlx.ParseOrPanic("azblob://path/prefix/jwks.json"),

credentials/signer_default_test.go

@@ -15,15 +15,14 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/ory/oathkeeper/x"
-	"github.com/ory/x/logrusx"
 )
 
 type defaultSignerMockRegistry struct {
 	f Fetcher
 }
 
 func newDefaultSignerMockRegistry() *defaultSignerMockRegistry {
-	return &defaultSignerMockRegistry{f: NewFetcherDefault(logrusx.New("", ""), time.Millisecond*100, time.Millisecond*500)}
+	return &defaultSignerMockRegistry{f: NewFetcherDefault(&reg{}, time.Millisecond*100, time.Millisecond*500)}
 }
 
 func (m *defaultSignerMockRegistry) CredentialsFetcher() Fetcher {
@@ -42,7 +41,7 @@ func TestSignerDefault(t *testing.T) {
 			token, err := signer.Sign(context.Background(), x.ParseURLOrPanic(src), jwt.MapClaims{"sub": "foo"})
 			require.NoError(t, err)
 
-			fetcher := NewFetcherDefault(logrusx.New("", ""), time.Second, time.Second)
+			fetcher := NewFetcherDefault(&reg{}, time.Second, time.Second)
 
 			_, err = verify(t, token, fetcher, src)
 			require.NoError(t, err)

doc_swagger.go

@@ -3,6 +3,8 @@
 
 package main
 
+//lint:file-ignore U1000 Used to generate Swagger/OpenAPI definitions.
+
 // The standard error format
 // swagger:model genericError
 type genericError struct {

driver/configuration/provider_koanf_public_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/rs/cors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/otel/trace"
 
 	"github.com/ory/x/configx"
 	"github.com/ory/x/logrusx"
@@ -47,7 +48,7 @@ func TestPipelineConfig(t *testing.T) {
 		p := setup(t)
 
 		require.NoError(t, p.PipelineConfig("authenticators", "oauth2_introspection", nil, &res))
-		assert.JSONEq(t, `{"cache":{"enabled":false, "max_cost":1000},"introspection_url":"https://override/path","pre_authorization":{"client_id":"some_id","client_secret":"some_secret","enabled":true,"audience":"some_audience","scope":["foo","bar"],"token_url":"https://my-website.com/oauth2/token"},"retry":{"max_delay":"100ms", "give_up_after":"1s"},"scope_strategy":"exact"}`, string(res), "%s", res)
+		assert.JSONEq(t, `{"cache":{"enabled":false, "max_cost":1000},"introspection_url":"https://override/path","preserve_host":false,"pre_authorization":{"client_id":"some_id","client_secret":"some_secret","enabled":true,"audience":"some_audience","scope":["foo","bar"],"token_url":"https://my-website.com/oauth2/token"},"retry":{"max_delay":"100ms", "give_up_after":"1s"},"scope_strategy":"exact"}`, string(res), "%s", res)
 	})
 
 	t.Run("case=should setup", func(t *testing.T) {
@@ -247,7 +248,7 @@ func TestKoanfProvider(t *testing.T) {
 		})
 
 		t.Run("authenticator=cookie_session", func(t *testing.T) {
-			a := authn.NewAuthenticatorCookieSession(p, nil)
+			a := authn.NewAuthenticatorCookieSession(p, trace.NewNoopTracerProvider())
 			assert.True(t, p.AuthenticatorIsEnabled(a.GetID()))
 			require.NoError(t, a.Validate(nil))
 
@@ -285,7 +286,7 @@ func TestKoanfProvider(t *testing.T) {
 		})
 
 		t.Run("authenticator=oauth2_introspection", func(t *testing.T) {
-			a := authn.NewAuthenticatorOAuth2Introspection(p, logger)
+			a := authn.NewAuthenticatorOAuth2Introspection(p, logger, trace.NewNoopTracerProvider())
 			assert.True(t, p.AuthenticatorIsEnabled(a.GetID()))
 			require.NoError(t, a.Validate(nil))
 
@@ -433,7 +434,7 @@ func TestAuthenticatorOAuth2TokenIntrospectionPreAuthorization(t *testing.T) {
 		{enabled: true, id: "a", secret: "b", turl: "https://some-url", err: false},
 	} {
 		t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
-			a := authn.NewAuthenticatorOAuth2Introspection(p, logrusx.New("", ""))
+			a := authn.NewAuthenticatorOAuth2Introspection(p, logrusx.New("", ""), trace.NewNoopTracerProvider())
 
 			config, _, err := a.Config(json.RawMessage(fmt.Sprintf(`{
 	"pre_authorization": {