fix: Improve http.Client usage for security and performance

This change switches us from maintaining a tls config which we then on-demand initialize an `http.Client` with to instead maintain and reuse an `http.Client` instance.
This enables us to utilize the connection pooling which occurs within the `http.Transport` to reduce ssl handshakes and thus reduce latency.

In addition this change provides us a central place to configure out `http.Client` (`httputil`). Allowing us to easily set configuration options to reduce the security risks of using an unconfigured `http.Client`. Notably timeouts to reduce DoS risks, and control around following redirects to prevent blind SSRF's.

Author: jentfoo

go.work.sum

@@ -2043,6 +2043,7 @@ golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
 golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -2192,6 +2193,7 @@ golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/telemetry v0.0.0-20240208230135-b75ee8823808 h1:+Kc94D8UVEVxJnLXp/+FMfqQARZtWHfVrcRtcG8aT3g=
@@ -2225,6 +2227,7 @@ golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

sdk/auth/oauth/oauth.go

@@ -2,7 +2,6 @@ package oauth
 
 import (
 	"context"
-	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -24,8 +23,8 @@ const (
 )
 
 type CertExchangeInfo struct {
-	TLSConfig *tls.Config
-	Audience  []string
+	HTTPClient *http.Client
+	Audience   []string
 }
 
 type ClientCredentials struct {
@@ -313,13 +312,8 @@ func DoCertExchange(ctx context.Context, tokenEndpoint string, exchangeInfo Cert
 	if err != nil {
 		return nil, err
 	}
-	client := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: exchangeInfo.TLSConfig,
-		},
-	}
 
-	resp, err := client.Do(req)
+	resp, err := exchangeInfo.HTTPClient.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("error making request to IdP for certificate exchange: %w", err)
 	}

sdk/auth/oauth/oauth_test.go

@@ -23,6 +23,7 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jws"
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/opentdf/platform/lib/fixtures"
+	"github.com/opentdf/platform/sdk/httputil"
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
 	tc "github.com/testcontainers/testcontainers-go"
@@ -78,12 +79,15 @@ func (s *OAuthSuite) TestCertExchangeFromKeycloak() {
 	rootCAs, _ := x509.SystemCertPool()
 	rootCAs.AppendCertsFromPEM(ca)
 	s.Require().NoError(err)
-	tlsConfig := tls.Config{
+	tlsConfig := &tls.Config{
 		MinVersion:   tls.VersionTLS12,
 		Certificates: []tls.Certificate{cert},
 		RootCAs:      rootCAs,
 	}
-	exhcangeInfo := CertExchangeInfo{TLSConfig: &tlsConfig, Audience: []string{"opentdf-sdk"}}
+	exhcangeInfo := CertExchangeInfo{
+		HTTPClient: httputil.SafeHTTPClientWithTLSConfig(tlsConfig),
+		Audience:   []string{"opentdf-sdk"},
+	}
 
 	tok, err := DoCertExchange(
 		context.Background(),

sdk/auth/token_adding_interceptor.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/sha256"
-	"crypto/tls"
 	"encoding/base64"
 	"fmt"
 	"log/slog"
@@ -24,16 +23,16 @@ const (
 	JTILength = 14
 )
 
-func NewTokenAddingInterceptor(t AccessTokenSource, c *tls.Config) TokenAddingInterceptor {
+func NewTokenAddingInterceptor(t AccessTokenSource, c *http.Client) TokenAddingInterceptor {
 	return TokenAddingInterceptor{
 		tokenSource: t,
-		tlsConfig:   c,
+		httpClient:  c,
 	}
 }
 
 type TokenAddingInterceptor struct {
 	tokenSource AccessTokenSource
-	tlsConfig   *tls.Config
+	httpClient  *http.Client
 }
 
 func (i TokenAddingInterceptor) AddCredentials(
@@ -45,12 +44,7 @@ func (i TokenAddingInterceptor) AddCredentials(
 	opts ...grpc.CallOption,
 ) error {
 	newMetadata := make([]string, 0)
-	client := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: i.tlsConfig,
-		},
-	}
-	accessToken, err := i.tokenSource.AccessToken(ctx, client)
+	accessToken, err := i.tokenSource.AccessToken(ctx, i.httpClient)
 	if err == nil {
 		newMetadata = append(newMetadata, "Authorization", fmt.Sprintf("DPoP %s", accessToken))
 	} else {

sdk/auth/token_adding_interceptor_test.go

@@ -18,6 +18,7 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jws"
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/opentdf/platform/protocol/go/kas"
+	"github.com/opentdf/platform/sdk/httputil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
@@ -42,9 +43,9 @@ func TestAddingTokensToOutgoingRequest(t *testing.T) {
 		accessToken: "thisisafakeaccesstoken",
 	}
 	server := FakeAccessServiceServer{}
-	oo := NewTokenAddingInterceptor(&ts, &tls.Config{
+	oo := NewTokenAddingInterceptor(&ts, httputil.SafeHTTPClientWithTLSConfig(&tls.Config{
 		MinVersion: tls.VersionTLS12,
-	})
+	}))
 
 	client, stop := runServer(&server, oo)
 	defer stop()
@@ -97,9 +98,9 @@ func TestAddingTokensToOutgoingRequest(t *testing.T) {
 func Test_InvalidCredentials_DoesNotSendMessage(t *testing.T) {
 	ts := FakeTokenSource{key: nil, accessToken: ""}
 	server := FakeAccessServiceServer{}
-	oo := NewTokenAddingInterceptor(&ts, &tls.Config{
+	oo := NewTokenAddingInterceptor(&ts, httputil.SafeHTTPClientWithTLSConfig(&tls.Config{
 		MinVersion: tls.VersionTLS12,
-	})
+	}))
 
 	client, stop := runServer(&server, oo)
 	defer stop()

sdk/httputil/http.go

@@ -0,0 +1,64 @@
+package httputil
+
+import (
+	"crypto/tls"
+	"net/http"
+	"time"
+)
+
+const (
+	defaultTimeout = 120 * time.Second
+	// defaults to match DefaultTransport - defined to satisfy lint
+	maxIdleConns          = 100
+	idleConnTimeout       = 90 * time.Second
+	tLSHandshakeTimeout   = 10 * time.Second
+	expectContinueTimeout = 1 * time.Second
+)
+
+var preventRedirectCheck = func(_ *http.Request, _ []*http.Request) error {
+	return http.ErrUseLastResponse // Prevent following redirects
+}
+
+var safeHTTPClient = &http.Client{
+	Transport:     http.DefaultTransport,
+	Timeout:       defaultTimeout,
+	CheckRedirect: preventRedirectCheck,
+}
+
+// SafeHTTPClient returns a default http client which has sensible timeouts, won't follow redirects, and enables idle
+// connection pooling.
+func SafeHTTPClient() *http.Client {
+	return safeHTTPClient
+}
+
+// SafeHTTPClientWithTLSConfig returns a http client which has sensible timeouts, won't follow redirects, and if
+// specified a http.Transport with the tls.Config provided.
+func SafeHTTPClientWithTLSConfig(cfg *tls.Config) *http.Client {
+	if cfg == nil {
+		return safeHTTPClient
+	}
+	return SafeHTTPClientWithTransport(&http.Transport{
+		TLSClientConfig: cfg,
+		// config below matches DefaultTransport
+		Proxy:                 http.ProxyFromEnvironment,
+		ForceAttemptHTTP2:     true,
+		MaxIdleConns:          maxIdleConns,
+		IdleConnTimeout:       idleConnTimeout,
+		TLSHandshakeTimeout:   tLSHandshakeTimeout,
+		ExpectContinueTimeout: expectContinueTimeout,
+	})
+}
+
+// SafeHTTPClientWithTransport returns a http client which has sensible timeouts, won't follow redirects, and if
+// specified the provided http.Transport.
+func SafeHTTPClientWithTransport(transport *http.Transport) *http.Client {
+	if transport == nil {
+		return safeHTTPClient
+	}
+	return &http.Client{
+		Transport: transport,
+		// config below matches our values for safeHttpClient
+		Timeout:       defaultTimeout,
+		CheckRedirect: preventRedirectCheck,
+	}
+}

sdk/options.go

@@ -3,10 +3,12 @@ package sdk
 import (
 	"crypto/rsa"
 	"crypto/tls"
+	"net/http"
 
 	"github.com/opentdf/platform/lib/ocrypto"
 	"github.com/opentdf/platform/sdk/auth"
 	"github.com/opentdf/platform/sdk/auth/oauth"
+	"github.com/opentdf/platform/sdk/httputil"
 	"golang.org/x/oauth2"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
@@ -20,7 +22,7 @@ type config struct {
 	// Platform configuration structure is subject to change. Consume via accessor methods.
 	PlatformConfiguration   PlatformConfiguration
 	dialOption              grpc.DialOption
-	tlsConfig               *tls.Config
+	httpClient              *http.Client
 	clientCredentials       *oauth.ClientCredentials
 	tokenExchange           *oauth.TokenExchangeInfo
 	tokenEndpoint           string
@@ -66,7 +68,7 @@ func WithInsecureSkipVerifyConn() Option {
 		}
 		c.dialOption = grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig))
 		// used by http client
-		c.tlsConfig = tlsConfig
+		c.httpClient = httputil.SafeHTTPClientWithTLSConfig(tlsConfig)
 	}
 }
 
@@ -83,7 +85,7 @@ func WithInsecurePlaintextConn() Option {
 		c.dialOption = grpc.WithTransportCredentials(insecure.NewCredentials())
 		// used by http client
 		// FIXME anything to do here
-		c.tlsConfig = &tls.Config{}
+		c.httpClient = httputil.SafeHTTPClient()
 	}
 }
 
@@ -97,7 +99,7 @@ func WithClientCredentials(clientID, clientSecret string, scopes []string) Optio
 
 func WithTLSCredentials(tls *tls.Config, audience []string) Option {
 	return func(c *config) {
-		c.certExchange = &oauth.CertExchangeInfo{TLSConfig: tls, Audience: audience}
+		c.certExchange = &oauth.CertExchangeInfo{HTTPClient: httputil.SafeHTTPClientWithTLSConfig(tls), Audience: audience}
 	}
 }
 

sdk/sdk.go

@@ -154,7 +154,7 @@ func New(platformEndpoint string, opts ...Option) (*SDK, error) {
 		return nil, err
 	}
 	if accessTokenSource != nil {
-		interceptor := auth.NewTokenAddingInterceptor(accessTokenSource, cfg.tlsConfig)
+		interceptor := auth.NewTokenAddingInterceptor(accessTokenSource, cfg.httpClient)
 		uci = append(uci, interceptor.AddCredentials)
 	}
 
@@ -452,13 +452,7 @@ func getTokenEndpoint(c config) (string, error) {
 		return "", err
 	}
 
-	httpClient := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: c.tlsConfig,
-		},
-	}
-
-	resp, err := httpClient.Do(req)
+	resp, err := c.httpClient.Do(req)
 	if err != nil {
 		return "", err
 	}

service/internal/auth/authn_test.go

@@ -29,6 +29,7 @@ import (
 	"github.com/opentdf/platform/protocol/go/kas"
 	"github.com/opentdf/platform/protocol/go/kas/kasconnect"
 	sdkauth "github.com/opentdf/platform/sdk/auth"
+	"github.com/opentdf/platform/sdk/httputil"
 	"github.com/opentdf/platform/service/internal/server/memhttp"
 	"github.com/opentdf/platform/service/logger"
 	ctxAuth "github.com/opentdf/platform/service/pkg/auth"
@@ -461,9 +462,9 @@ func (s *AuthSuite) TestDPoPEndToEnd_GRPC() {
 	addingInterceptor := sdkauth.NewTokenAddingInterceptor(&FakeTokenSource{
 		key:         dpopKey,
 		accessToken: string(signedTok),
-	}, &tls.Config{
+	}, httputil.SafeHTTPClientWithTLSConfig(&tls.Config{
 		MinVersion: tls.VersionTLS12,
-	})
+	}))
 
 	conn, _ := grpc.NewClient("passthrough://bufconn", grpc.WithContextDialer(func(ctx context.Context, _ string) (net.Conn, error) {
 		return server.Listener.DialContext(ctx, "tcp", "http://localhost:8080")
@@ -522,16 +523,16 @@ func (s *AuthSuite) TestDPoPEndToEnd_HTTP() {
 	addingInterceptor := sdkauth.NewTokenAddingInterceptor(&FakeTokenSource{
 		key:         dpopKey,
 		accessToken: string(signedTok),
-	}, &tls.Config{
+	}, httputil.SafeHTTPClientWithTLSConfig(&tls.Config{
 		MinVersion: tls.VersionTLS12,
-	})
+	}))
 	s.Require().NoError(err)
 	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", signedTok))
 	dpopTok, err := addingInterceptor.GetDPoPToken(server.URL+"/attributes", "GET", string(signedTok))
 	s.Require().NoError(err)
 	req.Header.Set("DPoP", dpopTok)
 
-	client := http.Client{}
+	client := httputil.SafeHTTPClient() // use safe client to help validate the client
 	_, err = client.Do(req)
 	s.Require().NoError(err)
 	var dpopKeyFromRequest jwk.Key

service/pkg/server/start.go

@@ -16,6 +16,7 @@ import (
 	"github.com/opentdf/platform/sdk"
 	sdkauth "github.com/opentdf/platform/sdk/auth"
 	"github.com/opentdf/platform/sdk/auth/oauth"
+	"github.com/opentdf/platform/sdk/httputil"
 	"github.com/opentdf/platform/service/internal/auth"
 	"github.com/opentdf/platform/service/internal/config"
 	"github.com/opentdf/platform/service/internal/server"
@@ -231,7 +232,7 @@ func Start(f ...StartOptions) error {
 					return fmt.Errorf("error creating ERS tokensource: %w", err)
 				}
 
-				interceptor := sdkauth.NewTokenAddingInterceptor(ts, tlsConfig)
+				interceptor := sdkauth.NewTokenAddingInterceptor(ts, httputil.SafeHTTPClientWithTLSConfig(tlsConfig))
 
 				ersDialOptions = append(ersDialOptions, grpc.WithChainUnaryInterceptor(interceptor.AddCredentials))
 			}