buzzfeed
diff --git a/‎internal/proxy/options.go
Lines changed: 23 additions & 22 deletions b/‎internal/proxy/options.go
Lines changed: 23 additions & 22 deletions
diff --git a/‎internal/proxy/options_test.go
Lines changed: 16 additions & 18 deletions b/‎internal/proxy/options_test.go
Lines changed: 16 additions & 18 deletions
diff --git a/‎internal/proxy/providers/provider_data.go
Lines changed: 12 additions & 13 deletions b/‎internal/proxy/providers/provider_data.go
Lines changed: 12 additions & 13 deletions
diff --git a/‎internal/proxy/providers/sso.go
Lines changed: 18 additions & 11 deletions b/‎internal/proxy/providers/sso.go
Lines changed: 18 additions & 11 deletions
@@ -48,11 +48,11 @@ import (
 type Options struct {
 	Port int `envconfig:"PORT" default:"4180"`
 
-	ProviderURLString      string `envconfig:"PROVIDER_URL"`
-	ProxyProviderURLString string `envconfig:"PROXY_PROVIDER_URL"`
-	UpstreamConfigsFile    string `envconfig:"UPSTREAM_CONFIGS"`
-	Cluster                string `envconfig:"CLUSTER"`
-	Scheme                 string `envconfig:"SCHEME" default:"https"`
+	ProviderURLString         string `envconfig:"PROVIDER_URL"`
+	ProviderURLInternalString string `envconfig:"PROVIDER_URL_INTERNAL"`
+	UpstreamConfigsFile       string `envconfig:"UPSTREAM_CONFIGS"`
+	Cluster                   string `envconfig:"CLUSTER"`
+	Scheme                    string `envconfig:"SCHEME" default:"https"`
 
 	SkipAuthPreflight bool `envconfig:"SKIP_AUTH_PREFLIGHT"`
 
@@ -133,9 +133,6 @@ func (o *Options) Validate() error {
 	if o.ProviderURLString == "" {
 		msgs = append(msgs, "missing setting: provider-url")
 	}
-	if o.ProxyProviderURLString == "" {
-		o.ProxyProviderURLString = o.ProviderURLString
-	}
 	if o.UpstreamConfigsFile == "" {
 		msgs = append(msgs, "missing setting: upstream-configs")
 	}
@@ -226,23 +223,27 @@ func parseProviderInfo(o *Options) error {
 		return errors.New("provider-url must include scheme and host")
 	}
 
-	proxyProviderURL, err := url.Parse(o.ProxyProviderURLString)
-	if err != nil {
-		return err
-	}
-	if proxyProviderURL.Scheme == "" || proxyProviderURL.Host == "" {
-		return errors.New("proxy provider url must include scheme and host")
+	var providerURLInternal *url.URL
+
+	if o.ProviderURLInternalString != "" {
+		providerURLInternal, err = url.Parse(o.ProviderURLInternalString)
+		if err != nil {
+			return err
+		}
+		if providerURLInternal.Scheme == "" || providerURLInternal.Host == "" {
+			return errors.New("proxy provider url must include scheme and host")
+		}
 	}
 
 	providerData := &providers.ProviderData{
-		ClientID:           o.ClientID,
-		ClientSecret:       o.ClientSecret,
-		ProviderURL:        providerURL,
-		ProxyProviderURL:   proxyProviderURL,
-		Scope:              o.Scope,
-		SessionLifetimeTTL: o.SessionLifetimeTTL,
-		SessionValidTTL:    o.SessionValidTTL,
-		GracePeriodTTL:     o.GracePeriodTTL,
+		ClientID:            o.ClientID,
+		ClientSecret:        o.ClientSecret,
+		ProviderURL:         providerURL,
+		ProviderURLInternal: providerURLInternal,
+		Scope:               o.Scope,
+		SessionLifetimeTTL:  o.SessionLifetimeTTL,
+		SessionValidTTL:     o.SessionValidTTL,
+		GracePeriodTTL:      o.GracePeriodTTL,
 	}
 
 	p := providers.New(o.Provider, providerData, o.StatsdClient)
 
@@ -71,8 +71,6 @@ func TestDefaultProviderApiSettings(t *testing.T) {
 		p.SignOutURL.String())
 	testutil.Equal(t, "https://www.example.com/redeem",
 		p.RedeemURL.String())
-	testutil.Equal(t, "https://www.example.com/redeem",
-		p.ProxyRedeemURL.String())
 	testutil.Equal(t, "https://www.example.com/validate",
 		p.ValidateURL.String())
 	testutil.Equal(t, "https://www.example.com/profile",
@@ -82,12 +80,12 @@ func TestDefaultProviderApiSettings(t *testing.T) {
 
 func TestProviderURLValidation(t *testing.T) {
 	testCases := []struct {
-		name                           string
-		providerURLString              string
-		proxyProviderURLString         string
-		expectedError                  string
-		expectedProxyProviderURLString string
-		expectedSignInURL              string
+		name                              string
+		providerURLString                 string
+		providerURLInternalString         string
+		expectedError                     string
+		expectedProviderURLInternalString string
+		expectedSignInURL                 string
 	}{
 		{
 			name:              "http scheme preserved",
@@ -100,15 +98,15 @@ func TestProviderURLValidation(t *testing.T) {
 			expectedSignInURL: "https://provider.example.com/sign_in",
 		},
 		{
-			name:                           "proxy provider url string based on providerURL",
-			providerURLString:              "https://provider.example.com",
-			expectedProxyProviderURLString: "https://provider.example.com",
+			name:                              "proxy provider url string based on providerURL",
+			providerURLString:                 "https://provider.example.com",
+			expectedProviderURLInternalString: "",
 		},
 		{
-			name:                           "proxy provider url string based on proxyProviderURL",
-			providerURLString:              "https://provider.example.com",
-			proxyProviderURLString:         "https://provider-internal.example.com",
-			expectedProxyProviderURLString: "https://provider-internal.example.com",
+			name:                              "proxy provider url string based on proxyProviderURL",
+			providerURLString:                 "https://provider.example.com",
+			providerURLInternalString:         "https://provider-internal.example.com",
+			expectedProviderURLInternalString: "https://provider-internal.example.com",
 		},
 		{
 			name:              "scheme required",
@@ -136,7 +134,7 @@ func TestProviderURLValidation(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			o := testOptions()
 			o.ProviderURLString = tc.providerURLString
-			o.ProxyProviderURLString = tc.proxyProviderURLString
+			o.ProviderURLInternalString = tc.providerURLInternalString
 			err := o.Validate()
 			if tc.expectedError != "" {
 				if err == nil {
@@ -148,8 +146,8 @@ func TestProviderURLValidation(t *testing.T) {
 			if tc.expectedSignInURL != "" {
 				testutil.Equal(t, o.provider.Data().SignInURL.String(), tc.expectedSignInURL)
 			}
-			if tc.expectedProxyProviderURLString != "" {
-				testutil.Equal(t, o.provider.Data().ProxyProviderURL.String(), tc.expectedProxyProviderURLString)
+			if tc.expectedProviderURLInternalString != "" {
+				testutil.Equal(t, o.provider.Data().ProviderURLInternal.String(), tc.expectedProviderURLInternalString)
 			}
 		})
 	}
 
@@ -8,19 +8,18 @@ import (
 // ProviderData holds the fields associated with providers
 // necessary to implement the Provider interface.
 type ProviderData struct {
-	ProviderName     string
-	ProviderURL      *url.URL
-	ProxyProviderURL *url.URL
-	ClientID         string
-	ClientSecret     string
-	SignInURL        *url.URL
-	SignOutURL       *url.URL
-	RedeemURL        *url.URL
-	ProxyRedeemURL   *url.URL
-	RefreshURL       *url.URL
-	ProfileURL       *url.URL
-	ValidateURL      *url.URL
-	Scope            string
+	ProviderName        string
+	ProviderURL         *url.URL
+	ProviderURLInternal *url.URL
+	ClientID            string
+	ClientSecret        string
+	SignInURL           *url.URL
+	SignOutURL          *url.URL
+	RedeemURL           *url.URL
+	RefreshURL          *url.URL
+	ProfileURL          *url.URL
+	ValidateURL         *url.URL
+	Scope               string
 
 	SessionValidTTL    time.Duration
 	SessionLifetimeTTL time.Duration
 
@@ -57,26 +57,34 @@ func init() {
 func NewSSOProvider(p *ProviderData, sc *statsd.Client) *SSOProvider {
 	p.ProviderName = "SSO"
 	base := p.ProviderURL
+	internalBase := base
+
+	if p.ProviderURLInternal != nil {
+		internalBase = p.ProviderURLInternal
+	}
+
 	p.SignInURL = base.ResolveReference(&url.URL{Path: "/sign_in"})
 	p.SignOutURL = base.ResolveReference(&url.URL{Path: "/sign_out"})
-	p.RedeemURL = base.ResolveReference(&url.URL{Path: "/redeem"})
-	p.RefreshURL = base.ResolveReference(&url.URL{Path: "/refresh"})
-	p.ValidateURL = base.ResolveReference(&url.URL{Path: "/validate"})
-	p.ProfileURL = base.ResolveReference(&url.URL{Path: "/profile"})
-	p.ProxyRedeemURL = p.ProxyProviderURL.ResolveReference(&url.URL{Path: "/redeem"})
+
+	p.RedeemURL = internalBase.ResolveReference(&url.URL{Path: "/redeem"})
+	p.RefreshURL = internalBase.ResolveReference(&url.URL{Path: "/refresh"})
+	p.ValidateURL = internalBase.ResolveReference(&url.URL{Path: "/validate"})
+	p.ProfileURL = internalBase.ResolveReference(&url.URL{Path: "/profile"})
+
 	return &SSOProvider{
 		ProviderData: p,
 		StatsdClient: sc,
 	}
 }
 
-func newRequest(method, url string, body io.Reader) (*http.Request, error) {
+func (p *SSOProvider) newRequest(method, url string, body io.Reader) (*http.Request, error) {
 	req, err := http.NewRequest(method, url, body)
 	if err != nil {
 		return nil, err
 	}
 	req.Header.Set("User-Agent", userAgentString)
 	req.Header.Set("Accept", "application/json")
+	req.Host = p.ProviderData.ProviderURL.Host
 	return req, nil
 }
 
@@ -109,11 +117,10 @@ func (p *SSOProvider) Redeem(redirectURL, code string) (*SessionState, error) {
 	params.Add("code", code)
 	params.Add("grant_type", "authorization_code")
 
-	req, err := newRequest("POST", p.ProxyRedeemURL.String(), bytes.NewBufferString(params.Encode()))
+	req, err := p.newRequest("POST", p.RedeemURL.String(), bytes.NewBufferString(params.Encode()))
 	if err != nil {
 		return nil, err
 	}
-	req.Host = p.RedeemURL.Host
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	resp, err := httpClient.Do(req)
 	if err != nil {
@@ -194,7 +201,7 @@ func (p *SSOProvider) UserGroups(email string, groups []string) ([]string, error
 	params.Add("client_id", p.ClientID)
 	params.Add("groups", strings.Join(groups, ","))
 
-	req, err := newRequest("GET", fmt.Sprintf("%s?%s", p.ProfileURL.String(), params.Encode()), nil)
+	req, err := p.newRequest("GET", fmt.Sprintf("%s?%s", p.ProfileURL.String(), params.Encode()), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -284,7 +291,7 @@ func (p *SSOProvider) redeemRefreshToken(refreshToken string) (token string, exp
 	params.Add("client_secret", p.ClientSecret)
 	params.Add("refresh_token", refreshToken)
 	var req *http.Request
-	req, err = newRequest("POST", p.RefreshURL.String(), bytes.NewBufferString(params.Encode()))
+	req, err = p.newRequest("POST", p.RefreshURL.String(), bytes.NewBufferString(params.Encode()))
 	if err != nil {
 		return
 	}
@@ -329,7 +336,7 @@ func (p *SSOProvider) ValidateSessionState(s *SessionState, allowedGroups []stri
 	// we validate the user's access token is valid
 	params := url.Values{}
 	params.Add("client_id", p.ClientID)
-	req, err := newRequest("GET", fmt.Sprintf("%s?%s", p.ValidateURL.String(), params.Encode()), nil)
+	req, err := p.newRequest("GET", fmt.Sprintf("%s?%s", p.ValidateURL.String(), params.Encode()), nil)
 	if err != nil {
 		logger.WithUser(s.Email).Error(err, "error validating session state")
 		return false