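buildPreAuthChain constructs a chain that should process every request before the OAuth2 Proxy authentication logic kicks in, for example forcing HTTPS or answering health checks. Because these handlers run ahead of authentication, they are reachable by unauthenticated clients.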
(opts *options.Options, sessionStore sessionsapi.SessionStore, trustedProxies *ip.NetSet)
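// buildPreAuthChain constructs a chain that should process every request before
// the OAuth2 Proxy authentication logic kicks in.
// For example forcing HTTPS or health checks.
//
// Middleware is appended in this order: request scope, optional HTTPS
// redirect, health/readiness checks and request logger (their relative order
// depends on opts.Logging.SilencePing), then request metrics.
//
// Everything in this chain runs ahead of authentication, so each handler
// appended here is reachable by unauthenticated clients.
//
// It returns an error only when opts.ForceHTTPS is set and
// opts.Server.SecureBindAddress cannot be split into host and port.
func buildPreAuthChain(opts *options.Options, sessionStore sessionsapi.SessionStore, trustedProxies *ip.NetSet) (alice.Chain, error) {
	// The scope middleware is first in the chain and is handed the
	// reverse-proxy flag, the request ID header name and the trusted proxy set.
	chain := alice.New(middleware.NewScope(opts.ReverseProxy, opts.Logging.RequestIDHeader, trustedProxies))

	if opts.ForceHTTPS {
		// Only the port of the secure bind address is passed to the redirect.
		_, httpsPort, err := net.SplitHostPort(opts.Server.SecureBindAddress)
		if err != nil {
			// %w keeps the message text unchanged while letting callers unwrap
			// the underlying parse error with errors.Is / errors.As.
			return alice.Chain{}, fmt.Errorf("invalid HTTPS address %q: %w", opts.Server.SecureBindAddress, err)
		}
		chain = chain.Append(middleware.NewRedirectToHTTPS(httpsPort))
	}

	// NOTE(review): if opts.PingPath or opts.PingUserAgent is empty, these
	// slices hold an empty string; confirm NewHealthCheck ignores empty entries
	// so that an empty value cannot match ordinary requests.
	healthCheckPaths := []string{opts.PingPath}
	healthCheckUserAgents := []string{opts.PingUserAgent}
	if opts.GCPHealthChecks {
		logger.Printf("WARNING: GCP HealthChecks are now deprecated: Reconfigure apps to use the ping path for liveness and readiness checks, set the ping user agent to \"GoogleHC/1.0\" to preserve existing behaviour")
		healthCheckPaths = append(healthCheckPaths, "/liveness_check", "/readiness_check")
		healthCheckUserAgents = append(healthCheckUserAgents, "GoogleHC/1.0")
	}

	// To silence logging of health checks, register the health check handler before
	// the logging handler.
	//
	// NOTE(review): User-Agent is a client-supplied header. With SilencePing
	// enabled, any request the health check handler answers is presumably never
	// seen by the request logger, so it leaves no access-log entry; confirm how
	// NewHealthCheck matches requests before relying on these logs for
	// detection.
	// NOTE(review): the readiness check is handed sessionStore and runs
	// pre-auth; presumably it probes the store per request, so confirm
	// opts.ReadyPath is not exposed to untrusted clients at high request rates.
	if opts.Logging.SilencePing {
		chain = chain.Append(
			middleware.NewHealthCheck(healthCheckPaths, healthCheckUserAgents),
			middleware.NewReadynessCheck(opts.ReadyPath, sessionStore),
			middleware.NewRequestLogger(),
		)
	} else {
		chain = chain.Append(
			middleware.NewRequestLogger(),
			middleware.NewHealthCheck(healthCheckPaths, healthCheckUserAgents),
			middleware.NewReadynessCheck(opts.ReadyPath, sessionStore),
		)
	}

	// Metrics middleware is appended last in the pre-auth chain.
	chain = chain.Append(middleware.NewRequestMetricsWithDefaultRegistry())

	return chain, nil
}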
| 400 | |
| 401 | func buildTrustedProxyNetSet(opts *options.Options) (*ip.NetSet, error) { |
| 402 | trustedProxyIPs := opts.TrustedProxyIPs |