Skip to content

fix: Service utilize httputil.SafeHttpClient #1926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 5, 2025
Merged

fix: Service utilize httputil.SafeHttpClient #1926

merged 1 commit into from
Mar 5, 2025

Conversation

jentfoo
Copy link
Contributor

@jentfoo jentfoo commented Feb 18, 2025

Proposed Changes

This PR follows #1910 by updating service to utilize the new httputil helper for constructing a client which wont follow redirects, and has sensible timeouts. To quote that description:

This change switches us from maintaining a tls config which we then on-demand initialize an http.Client with to instead maintain and reuse an http.Client instance. This enables us to utilize the connection pooling which occurs within the http.Transport to reduce ssl handshakes and thus reduce latency.

In addition this change provides us a central place to configure out http.Client (httputil). Allowing us to easily set configuration options to reduce the security risks of using an unconfigured http.Client. Notably timeouts to reduce DoS risks, and control around following redirects to prevent blind SSRF's.

The prior auth API was marked as deprecated. There is no remaining use within this repo, so it may be able to be removed.

Merging this should fully resolve #1891.

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

@jentfoo jentfoo self-assigned this Feb 18, 2025
@jentfoo jentfoo requested review from a team as code owners February 18, 2025 22:52
@jentfoo jentfoo marked this pull request as draft February 18, 2025 22:57
@jentfoo
fix: Service utilize httputil.SafeHttpClient
25dede0 
This PR follows #1910 by updating `service` to utilize the new `httputil` helper for constructing a client which wont follow redirects, and has sensible timeouts.

The prior auth API was marked as deprecated. There is no remaining use within this repo, so it may be able to be removed.

Merging this should fully resolve #1891.
@jentfoo jentfoo force-pushed the jent/http.Client_handling branch from f6d0965 to 25dede0 Compare March 5, 2025 17:57
@jentfoo jentfoo marked this pull request as ready for review March 5, 2025 18:27
@jentfoo jentfoo added this pull request to the merge queue Mar 5, 2025
Merged via the queue into main with commit af32700 Mar 5, 2025
22 checks passed
@jentfoo jentfoo deleted the jent/http.Client_handling branch March 5, 2025 19:19
This was referenced Mar 5, 2025
Merged
Merged
github-merge-queue bot pushed a commit that referenced this pull request Mar 10, 2025
@opentdf-automation
chore(main): release sdk 0.3.29 (#1964)
ad901e2 
🤖 I have created a release *beep* *boop*
---


##
[0.3.29](sdk/v0.3.28...sdk/v0.3.29)
(2025-03-08)


### Bug Fixes

* **core:** Autobump sdk
([#1968](#1968))
([7084061](7084061))
* **core:** Autobump sdk
([#1972](#1972))
([7258f5d](7258f5d))
* **core:** Updates ec-wrapped to newer salt
([#1961](#1961))
([0e17968](0e17968))
* Service utilize `httputil.SafeHttpClient`
([#1926](#1926))
([af32700](af32700))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
github-merge-queue bot pushed a commit that referenced this pull request Mar 11, 2025
@opentdf-automation
chore(main): release service 0.4.40 (#1963)
141193e 
🤖 I have created a release *beep* *boop*
---


##
[0.4.40](service/v0.4.39...service/v0.4.40)
(2025-03-10)


### Bug Fixes

* **core:** Autobump service
([#1970](#1970))
([c0bbb11](c0bbb11))
* **core:** Autobump service
([#1976](#1976))
([c79fe0d](c79fe0d))
* **core:** Fixes merge fail in bulk logic
([#1966](#1966))
([c93bf62](c93bf62))
* **policy:** remove new public keys rpc's
([#1962](#1962))
([5049bab](5049bab))
* Service utilize `httputil.SafeHttpClient`
([#1926](#1926))
([af32700](af32700))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
@opentdf-automation opentdf-automation bot mentioned this pull request Jul 29, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request Aug 26, 2025
@opentdf-automation
chore(main): release sdk 0.7.0 (#2589)
5874ce6 
🤖 I have created a release *beep* *boop*
---


##
[0.7.0](sdk/v0.6.1...sdk/v0.7.0)
(2025-08-25)


### ⚠ BREAKING CHANGES

* **core:** Require go 1.23+
([#1979](#1979))

### Features

* add system metadata assertions to TDFConfig
([#2446](#2446))
([4eb9fff](4eb9fff))
* **authz:** authz v2 versioning implementation
([#2173](#2173))
([557fc21](557fc21))
* **core:** adds bulk rewrap to sdk and service
([#1835](#1835))
([11698ae](11698ae))
* **core:** Adds EC withSalt options
([#2126](#2126))
([67b6fb8](67b6fb8))
* **core:** Adds ErrInvalidPerSchema
([#1860](#1860))
([456639e](456639e))
* **core:** DSPX-608 - Deprecate public_client_id
([#2185](#2185))
([0f58efa](0f58efa))
* **core:** EXPERIMENTAL: EC-wrapped key support
([#1902](#1902))
([652266f](652266f))
* **core:** Expose version info
([#1841](#1841))
([92a9f5e](92a9f5e))
* **core:** Require go 1.23+
([#1979](#1979))
([164c922](164c922))
* **core:** v2 ERS with proto updates
([#2210](#2210))
([a161ef8](a161ef8))
* **policy:** actions service RPCs should actually hit storage layer
CRUD ([#2063](#2063))
([da4faf5](da4faf5))
* **policy:** Add list key mappings rpc.
([#2533](#2533))
([fbc2724](fbc2724))
* **policy:** adds new public keys table
([#1836](#1836))
([cad5048](cad5048))
* **policy:** Allow the deletion of a key.
([#2575](#2575))
([82b96f0](82b96f0))
* **policy:** Default Platform Keys
([#2254](#2254))
([d7447fe](d7447fe))
* **policy:** DSPX-902 NDR service crud implementation (2/2)
([#2066](#2066))
([030ad33](030ad33))
* **policy:** key management crud
([#2110](#2110))
([4c3d53d](4c3d53d))
* **sdk:** Add a KAS allowlist
([#2085](#2085))
([d7cfdf3](d7cfdf3))
* **sdk:** add nanotdf plaintext policy
([#2182](#2182))
([e5c56db](e5c56db))
* **sdk:** adds seeker interface to TDF Reader
([#2385](#2385))
([63ccd9a](63ccd9a))
* **sdk:** Allow key splits with same algo
([#2454](#2454))
([7422b15](7422b15))
* **sdk:** Allow schema validation during TDF decrypt
([#1870](#1870))
([b7e6fb2](b7e6fb2))
* **sdk:** autoconfig kaos with kids
([#2438](#2438))
([c272016](c272016))
* **sdk:** bump protocol/go v0.6.0
([#2536](#2536))
([23e4c2b](23e4c2b))
* **sdk:** CreateTDF option to run with specific target schema version
([#2045](#2045))
([0976b15](0976b15))
* **sdk:** Enable base key support.
([#2425](#2425))
([9ff3806](9ff3806))
* **sdk:** Expose connectrpc wrapper codegen for re-use
([#2322](#2322))
([8b29392](8b29392))
* **sdk:** MIC-1436: User can decrypt TDF files created with
FileWatcher2.0.8 and older.
([#1833](#1833))
([f77d110](f77d110))
* **sdk:** remove hex encoding for segment hash
([#1805](#1805))
([d7179c2](d7179c2))
* **sdk:** sdk.New should validate platform connectivity and provide
precise error ([#1937](#1937))
([aa3696d](aa3696d))
* **sdk:** Use ConnectRPC in the go client
([#2200](#2200))
([fc34ee6](fc34ee6))


### Bug Fixes

* Allow parsing IPs as hostnames
([#1999](#1999))
([d54b550](d54b550))
* **ci:** Fix intermittent failures from auth tests
([#2345](#2345))
([395988a](395988a))
* **ci:** Update expired ca and certs in oauth unit tests
([#2113](#2113))
([5440fcc](5440fcc))
* **core:** Autobump sdk
([#1863](#1863))
([855cb2b](855cb2b))
* **core:** Autobump sdk
([#1873](#1873))
([085ac7a](085ac7a))
* **core:** Autobump sdk
([#1894](#1894))
([201244e](201244e))
* **core:** Autobump sdk
([#1917](#1917))
([edeeb74](edeeb74))
* **core:** Autobump sdk
([#1941](#1941))
([0a5a948](0a5a948))
* **core:** Autobump sdk
([#1948](#1948))
([4dfb457](4dfb457))
* **core:** Autobump sdk
([#1968](#1968))
([7084061](7084061))
* **core:** Autobump sdk
([#1972](#1972))
([7258f5d](7258f5d))
* **core:** Autobump sdk
([#2102](#2102))
([0315635](0315635))
* **core:** Fixes protoJSON parse bug on ec rewrap
([#1943](#1943))
([9bebfd0](9bebfd0))
* **core:** Improves errors when under heavy load
([#2132](#2132))
([4490a14](4490a14))
* **core:** Update fixtures and flattening in sdk and service
([#1827](#1827))
([d6d6a7a](d6d6a7a))
* **core:** Updates ec-wrapped to newer salt
([#1961](#1961))
([0e17968](0e17968))
* **deps:** bump github.com/docker/docker from 28.2.2+incompatible to
28.3.3+incompatible in /sdk
([#2597](#2597))
([a68d00d](a68d00d))
* **deps:** bump github.com/opentdf/platform/lib/ocrypto from 0.2.0 to
0.3.0 in /sdk ([#2502](#2502))
([3ec8b35](3ec8b35))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.3.6 to
0.4.0 in /sdk ([#2397](#2397))
([99e3aa4](99e3aa4))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.4.0 to
0.5.0 in /sdk ([#2471](#2471))
([e8f97e0](e8f97e0))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.5.0 to
0.5.1 in /sdk ([#2505](#2505))
([4edab72](4edab72))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.6.0 to
0.6.2 in /sdk ([#2586](#2586))
([4ed9856](4ed9856))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.6.2 to
0.7.0 in /sdk ([#2627](#2627))
([e775e14](e775e14))
* **deps:** bump golang.org/x/oauth2 from 0.26.0 to 0.30.0 in /sdk
([#2252](#2252))
([9b775a2](9b775a2))
* **deps:** bump google.golang.org/grpc from 1.71.0 to 1.72.1 in /sdk
([#2244](#2244))
([49484e0](49484e0))
* **deps:** bump the external group across 1 directory with 5 updates
([#2400](#2400))
([0b7ea79](0b7ea79))
* **deps:** bump toolchain in /lib/fixtures and /examples to resolve CVE
GO-2025-3563 ([#2061](#2061))
([9c16843](9c16843))
* Improve http.Client usage for security and performance
([#1910](#1910))
([e6a53a3](e6a53a3))
* **sdk:** adds connection options to getPlatformConfiguration
([#2286](#2286))
([a3af31e](a3af31e))
* **sdk:** Allow reuse of session key
([#2016](#2016))
([d48c11e](d48c11e))
* **sdk:** bump lib/ocrypto to 0.1.8
([#1938](#1938))
([53fa8ab](53fa8ab))
* **sdk:** bump protocol/go module dependencies
([#2078](#2078))
([e027f43](e027f43))
* **sdk:** Display proper error on kas rewrap failure
([#2081](#2081))
([508cbcd](508cbcd))
* **sdk:** everything is `mixedSplits` now
([#1861](#1861))
([ba78f14](ba78f14))
* **sdk:** Fix compatibility between bulk and non-bulk rewrap
([#1914](#1914))
([74abbb6](74abbb6))
* **sdk:** Fixed token expiration time
([#1854](#1854))
([c3cda1b](c3cda1b))
* **sdk:** perfsprint lint issues
([#2208](#2208))
([d36a078](d36a078))
* **sdk:** Prefer KID and Algorithm selection from key maps
([#2475](#2475))
([98fd392](98fd392))
* **sdk:** Removes unnecessary down-cast of `int`
([#1869](#1869))
([66f0c14](66f0c14))
* **sdk:** Version config fix
([#1847](#1847))
([be5d817](be5d817))
* Service utilize `httputil.SafeHttpClient`
([#1926](#1926))
([af32700](af32700))
* set consistent system metadata id and schema
([#2451](#2451))
([5db3cf2](5db3cf2))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dmihalcik-virtru dmihalcik-virtru dmihalcik-virtru approved these changes

@jakedoublev jakedoublev jakedoublev approved these changes

Assignees

@jentfoo jentfoo

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Improve http.Client usage
3 participants
@jentfoo @dmihalcik-virtru @jakedoublev