
Commit cac5a03

committed
Add HTTP-client timeout
1 parent 4630dcb commit cac5a03


6 files changed

+49
-25
lines changed


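--- a/README.rst
+++ b/README.rst
@@ -187,6 +187,7 @@ The following options can be configured on the server:
 strictmode true When set, insecure settings are forbidden.
 url Public facing URL of the server (required). Must be HTTPS when strictmode is set.
 verbosity info Log level (trace, debug, info, warn, error)
+httpclient.timeout 30s Request time-out for HTTP clients, such as '10s'. Refer to Golang's 'time.Duration' syntax for a more elaborate description of the syntax.
 tls.certfile PEM file containing the certificate for the server (also used as client certificate).
 tls.certheader Name of the HTTP header that will contain the client certificate when TLS is offloaded.
 tls.certkeyfile PEM file containing the private key of the server certificate.
@@ -208,7 +209,7 @@ The following options can be configured on the server:
 crypto.vault.timeout 5s Timeout of client calls to Vault, in Golang time.Duration string format (e.g. 1s).
 crypto.vault.token The Vault token. If set it overwrites the VAULT_TOKEN env var.
 **Discovery**
-discovery.client.update_interval 1m0s How often to check for Discovery Services updates, specified as Golang duration (e.g. 1m, 1h30m).
+discovery.client.update_interval 10m0s How often to check for Discovery Services updates, specified as Golang duration (e.g. 1m, 1h30m).
 discovery.definitions.directory Directory to load Discovery Service Definitions from. If not set, the discovery service will be disabled. If the directory contains JSON files that can't be parsed as service definition, the node will fail to start.
 discovery.server.definition_ids [] IDs of the Discovery Service Definitions for which to act as server. If an ID does not map to a loaded service definition, the node will fail to start.
 **Events**
@@ -228,7 +229,7 @@ The following options can be configured on the server:
 http.default.auth.type Whether to enable authentication for the default interface, specify 'token_v2' for bearer token mode or 'token' for legacy bearer token mode.
 http.default.cors.origin [] When set, enables CORS from the specified origins on the default HTTP interface.
 **JSONLD**
-jsonld.contexts.localmapping [https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3id.org/vc/status-list/2021/v1=assets/contexts/w3c-statuslist2021.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson,https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist.
+jsonld.contexts.localmapping [https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3id.org/vc/status-list/2021/v1=assets/contexts/w3c-statuslist2021.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist.
 jsonld.contexts.remoteallowlist [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json,https://w3id.org/vc/status-list/2021/v1] In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here.
 **Network**
 network.bootstrapnodes [] List of bootstrap nodes ('<host>:<port>') which the node initially connect to.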

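--- a/core/server_config.go
+++ b/core/server_config.go
@@ -33,6 +33,7 @@ import (
 "net/url"
 "reflect"
 "strings"
+"time"
 )
 
 const defaultConfigFile = "nuts.yaml"
@@ -58,13 +59,20 @@ type ServerConfig struct {
 Strictmode bool `koanf:"strictmode"`
 InternalRateLimiter bool `koanf:"internalratelimiter"`
 Datadir string `koanf:"datadir"`
+HTTPClient HTTPClientConfig `koanf:"httpclient"`
 TLS TLSConfig `koanf:"tls"`
 LegacyTLS *NetworkTLSConfig `koanf:"network"`
 // URL contains the base URL for public-facing HTTP services.
 URL string `koanf:"url"`
 configMap *koanf.Koanf
 }
 
+// HTTPClientConfig contains settings for HTTP clients.
+type HTTPClientConfig struct {
+// Timeout specifies the timeout for HTTP requests.
+Timeout time.Duration `koanf:"timeout"`
+}
+
 // TLSConfig specifies how TLS should be configured for connections.
 // For v5, network.enabletls, network.truststorefile, network.certfile and network.certkeyfile must be moved to this struct.
 type TLSConfig struct {
@@ -177,10 +185,20 @@ const (
 func NewServerConfig() *ServerConfig {
 legacyTLS := &NetworkTLSConfig{}
 return &ServerConfig{
-configMap: koanf.New(defaultDelimiter),
-LegacyTLS: legacyTLS,
+configMap: koanf.New(defaultDelimiter),
+LegacyTLS: legacyTLS,
+LoggerFormat: "text",
+Verbosity: "info",
+Strictmode: true,
+InternalRateLimiter: true,
+Datadir: "./data",
 TLS: TLSConfig{
-legacyTLS: legacyTLS,
+legacyTLS: legacyTLS,
+TrustStoreFile: "truststore.pem",
+Offload: NoOffloading,
+},
+HTTPClient: HTTPClientConfig{
+Timeout: 30 * time.Second,
 },
 }
 }
@@ -258,20 +276,23 @@ func resolveConfigFilePath(flags *pflag.FlagSet) string {
 // FlagSet returns the default server flags
 func FlagSet() *pflag.FlagSet {
 flagSet := pflag.NewFlagSet("server", pflag.ContinueOnError)
+defaultCfg := NewServerConfig()
+
 flagSet.String(configFileFlag, defaultConfigFile, "Nuts config file")
 flagSet.String("cpuprofile", "", "When set, a CPU profile is written to the given path. Ignored when strictmode is set.")
-flagSet.String("verbosity", "info", "Log level (trace, debug, info, warn, error)")
-flagSet.String("loggerformat", "text", "Log format (text, json)")
-flagSet.Bool("strictmode", true, "When set, insecure settings are forbidden.")
-flagSet.Bool("internalratelimiter", true, "When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode.")
-flagSet.String("datadir", "./data", "Directory where the node stores its files.")
-flagSet.String("url", "", "Public facing URL of the server (required). Must be HTTPS when strictmode is set.")
-flagSet.String("tls.certfile", "", "PEM file containing the certificate for the server (also used as client certificate).")
-flagSet.String("tls.certkeyfile", "", "PEM file containing the private key of the server certificate.")
-flagSet.String("tls.truststorefile", "truststore.pem", "PEM file containing the trusted CA certificates for authenticating remote servers.")
-flagSet.String("tls.offload", string(NoOffloading), fmt.Sprintf("Whether to enable TLS offloading for incoming connections. "+
+flagSet.String("verbosity", defaultCfg.Verbosity, "Log level (trace, debug, info, warn, error)")
+flagSet.String("loggerformat", defaultCfg.LoggerFormat, "Log format (text, json)")
+flagSet.Bool("strictmode", defaultCfg.Strictmode, "When set, insecure settings are forbidden.")
+flagSet.Bool("internalratelimiter", defaultCfg.InternalRateLimiter, "When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode.")
+flagSet.String("datadir", defaultCfg.Datadir, "Directory where the node stores its files.")
+flagSet.String("url", defaultCfg.URL, "Public facing URL of the server (required). Must be HTTPS when strictmode is set.")
+flagSet.Duration("httpclient.timeout", defaultCfg.HTTPClient.Timeout, "Request time-out for HTTP clients, such as '10s'. Refer to Golang's 'time.Duration' syntax for a more elaborate description of the syntax.")
+flagSet.String("tls.certfile", defaultCfg.TLS.CertFile, "PEM file containing the certificate for the server (also used as client certificate).")
+flagSet.String("tls.certkeyfile", defaultCfg.TLS.CertKeyFile, "PEM file containing the private key of the server certificate.")
+flagSet.String("tls.truststorefile", defaultCfg.TLS.TrustStoreFile, "PEM file containing the trusted CA certificates for authenticating remote servers.")
+flagSet.String("tls.offload", string(defaultCfg.TLS.Offload), fmt.Sprintf("Whether to enable TLS offloading for incoming connections. "+
 "Enable by setting it to '%s'. If enabled 'tls.certheader' must be configured as well.", OffloadIncomingTLS))
-flagSet.String("tls.certheader", "", "Name of the HTTP header that will contain the client certificate when TLS is offloaded.")
+flagSet.String("tls.certheader", defaultCfg.TLS.ClientCertHeaderName, "Name of the HTTP header that will contain the client certificate when TLS is offloaded.")
 
 // Maxvaliditydays has been deprecated in v5.x
 flagSet.Int("tls.crl.maxvaliditydays", 0, "The number of days a CRL can be outdated, after that it will hard-fail.")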
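Review bot: Nothing in the new `HTTPClientConfig` or `FlagSet` rejects a non-positive `httpclient.timeout`, yet `net/http`'s `Client.Timeout` treats zero as "no timeout", so a `0s` (or negative, which a duration flag does not refuse) setting would silently remove the bound this commit introduces; the same unchecked value reaches `client.New` in `Configure` in discovery/module.go. If `client.New` passes it through to the underlying client — its body is not visible here — a fail-fast check where the config is loaded, `if cfg.HTTPClient.Timeout <= 0 { return fmt.Errorf("httpclient.timeout must be a positive duration") }`, would be cheaper than debugging a hung outbound call later. The field comment should also carry the default and the zero-value caveat, e.g. `// Timeout bounds each outbound request made by the node's HTTP clients (default 30s); a zero value is passed on unchanged, which for net/http means unbounded.`. The `ServerConfig` struct and `resolveConfigFilePath` begin outside these hunks.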

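--- a/discovery/client.go
+++ b/discovery/client.go
@@ -32,10 +32,10 @@ type clientUpdater struct {
 services map[string]ServiceDefinition
 store *sqlStore
 client client.HTTPClient
-verifier registrationVerifier
+verifier presentationVerifier
 }
 
-func newClientUpdater(services map[string]ServiceDefinition, store *sqlStore, verifier registrationVerifier, client client.HTTPClient) *clientUpdater {
+func newClientUpdater(services map[string]ServiceDefinition, store *sqlStore, verifier presentationVerifier, client client.HTTPClient) *clientUpdater {
 return &clientUpdater{
 services: services,
 store: store,
@@ -78,7 +78,7 @@ func (u *clientUpdater) updateService(ctx context.Context, service ServiceDefini
 return fmt.Errorf("failed to get presentations from discovery service (id=%s): %w", service.ID, err)
 }
 for _, presentation := range presentations {
-if err := u.verifier.verifyRegistration(service, presentation); err != nil {
+if err := u.verifier(service, presentation); err != nil {
 log.Logger().WithError(err).Warnf("Presentation verification failed, not adding it (service=%s, id=%s)", service.ID, presentation.ID)
 continue
 }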
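Review bot: The `verifier` field now holds a bare function value of type `presentationVerifier` (defined outside this hunk) with no comment stating what a non-nil result means, while `updateService` — which continues past the hunk — turns that result into "log at warn and skip the presentation" rather than aborting the update; the contract is worth pinning on the field: `// verifier is applied to every presentation fetched from a service; a non-nil error drops that presentation (logged at warn) and does not abort the update.`. Since `newClientUpdater` stores the value unchecked, a nil function would panic on the first presentation processed, which the previous interface-typed field would have done too but is now easier to hit from a test that passes `nil`; a short nil guard or a note on the constructor would help. This verifier refactor is also unrelated to the HTTP-client timeout the commit title announces and would read more clearly as its own commit.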

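--- a/discovery/module.go
+++ b/discovery/module.go
@@ -112,7 +112,7 @@ func (m *Module) Configure(serverConfig core.ServerConfig) error {
 }
 m.serverDefinitions = serverDefinitions
 }
-m.httpClient = client.New(serverConfig.Strictmode, 10*time.Second, nil)
+m.httpClient = client.New(serverConfig.Strictmode, serverConfig.HTTPClient.Timeout, nil)
 return nil
 }
 
@@ -122,7 +122,7 @@ func (m *Module) Start() error {
 if err != nil {
 return err
 }
-m.clientUpdater = newClientUpdater(m.serverDefinitions, m.store, m, m.httpClient)
+m.clientUpdater = newClientUpdater(m.serverDefinitions, m.store, m.verifyRegistration, m.httpClient)
 m.routines.Add(1)
 go func() {
 defer m.routines.Done()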
