add timeout to oidc & add validation to timeout (#344)

Signed-off-by: spacewander <[email protected]>

plugins/ext_auth/config.proto

@@ -39,7 +39,9 @@ message HttpService {
   // We don't use HttpUri like Envoy because we set the Host directly instead of using
   // the result from Cluster.
   string url = 1 [(validate.rules).string = {uri: true}];
-  google.protobuf.Duration timeout = 2;
+  google.protobuf.Duration timeout = 2 [(validate.rules).duration = {
+    gt: {},
+  }];
 
   // Settings used for controlling authorization request metadata.
   AuthorizationRequest authorization_request = 3;

plugins/ext_auth/config_test.go

@@ -48,6 +48,11 @@ func TestBadConfig(t *testing.T) {
 			input: `{"httpService":{"url":"127.0.0.1"}}`,
 			err:   "invalid HttpService.Url: value must be absolute",
 		},
+		{
+			name:  "invalid HttpService.Timeout",
+			input: `{"httpService":{"url":"http://127.0.0.1","timeout":"-1s"}}`,
+			err:   "invalid HttpService.Timeout: value must be greater than 0s",
+		},
 	}
 
 	for _, tt := range tests {

plugins/oidc/config.go

@@ -61,13 +61,14 @@ func (p *plugin) Config() api.PluginConfig {
 type config struct {
 	Config
 
+	opTimeout      time.Duration
 	oauth2Config   *oauth2.Config
 	verifier       *oidc.IDTokenVerifier
 	cookieEncoding *securecookie.SecureCookie
 }
 
-func ctxWithClient(ctx context.Context) context.Context {
-	httpClient := &http.Client{Timeout: 3 * time.Second}
+func (conf *config) ctxWithClient(ctx context.Context) context.Context {
+	httpClient := &http.Client{Timeout: conf.opTimeout}
 	return context.WithValue(ctx, oauth2.HTTPClient, httpClient)
 }
 
@@ -76,7 +77,14 @@ func (conf *config) Init(cb api.ConfigCallbackHandler) error {
 		conf.IdTokenHeader = "x-id-token"
 	}
 
-	ctx := ctxWithClient(context.Background())
+	du := 3 * time.Second
+	timeout := conf.GetTimeout()
+	if timeout != nil {
+		du = timeout.AsDuration()
+	}
+	conf.opTimeout = du
+
+	ctx := conf.ctxWithClient(context.Background())
 	var provider *oidc.Provider
 	var err error
 	err = retry.Do(

plugins/oidc/config.proto

@@ -16,6 +16,7 @@ syntax = "proto3";
 
 package plugins.oidc;
 
+import "google/protobuf/duration.proto";
 import "validate/validate.proto";
 
 option go_package = "mosn.io/htnn/plugins/oidc";
@@ -36,4 +37,9 @@ message Config {
 
   // Default to "x-id-token"
   string id_token_header = 7;
+
+  // The timeout to wait for the OIDC provider to respond. Default to 3s.
+  google.protobuf.Duration timeout = 8 [(validate.rules).duration = {
+    gt: {},
+  }];
 }

plugins/oidc/config_test.go

@@ -19,12 +19,14 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/types/known/durationpb"
 )
 
 func TestBadIssuer(t *testing.T) {
 	c := config{
 		Config: Config{
-			Issuer: "http://github.com",
+			Issuer:  "http://github.com",
+			Timeout: &durationpb.Duration{Seconds: 1}, // quick fail
 		},
 	}
 	err := c.Init(nil)
@@ -34,7 +36,8 @@ func TestBadIssuer(t *testing.T) {
 func TestDefaultValue(t *testing.T) {
 	c := config{
 		Config: Config{
-			Issuer: "http://github.com",
+			Issuer:  "http://github.com",
+			Timeout: &durationpb.Duration{Seconds: 1}, // quick fail
 		},
 	}
 	// we set default value before communicating with the issuer

plugins/oidc/filter.go

@@ -138,7 +138,7 @@ func (f *filter) handleCallback(headers api.RequestHeaderMap, query url.Values)
 	b, _ := base64.URLEncoding.DecodeString(encodedUrl)
 	originUrl := string(b)
 
-	ctx = ctxWithClient(ctx)
+	ctx = config.ctxWithClient(ctx)
 	oauth2Token, err := o2conf.Exchange(ctx, code, oauth2.VerifierOption(verifier))
 	if err != nil {
 		api.LogErrorf("failed to exchange code to the token: %v", err)