Add trust_env in aiohttp ClientSession for improved proxy handling (permitio#277)

* Add trust_env in aiohttp ClientSession for improved proxy handling

* Add NO_PROXY default environment variable to Dockerfile for local development

* Enable trust_env in ClientSession for improved proxy handling

* Updated opal-common and opal-client to version 0.8.2rc2 (for PDP v0.9.3-rc.1 release)

* Update opal to version 0.8.2

Author: danyi1212

Dockerfile

@@ -167,6 +167,7 @@ ENV PDP_HORIZON_HOST=0.0.0.0
 ENV PDP_HORIZON_PORT=7001
 ENV PDP_PORT=7000
 ENV PDP_PYTHON_PATH=python3
+ENV NO_PROXY=localhost,127.0.0.1,::1
 
 # 7000 pdp port
 # 7001 horizon port

horizon/enforcer/api.py

@@ -206,7 +206,7 @@ async def post_to_opa(request: Request, path: str, data: dict | None):
     _set_use_debugger(data)
     try:
         logger.debug(f"calling OPA at '{url}' with input: {data}")
-        async with aiohttp.ClientSession() as session:  # noqa: SIM117
+        async with aiohttp.ClientSession(trust_env=True) as session:  # noqa: SIM117
             async with session.post(
                 url,
                 data=json.dumps(data) if data is not None else None,

horizon/facts/client.py

@@ -27,6 +27,7 @@ def client(self) -> AsyncClient:
             self._client = AsyncClient(
                 base_url=sidecar_config.CONTROL_PLANE,
                 headers={"Authorization": f"Bearer {env_api_key}"},
+                trust_env=True,
             )
         return self._client
 

horizon/opal_relay_api.py

@@ -95,7 +95,7 @@ def _apply_context(self, context: dict[str, str]):
     def api_session(self) -> ClientSession:
         if self._api_session is None:
             env_api_key = get_env_api_key()
-            self._api_session = ClientSession(headers={"Authorization": f"Bearer {env_api_key}"})
+            self._api_session = ClientSession(headers={"Authorization": f"Bearer {env_api_key}"}, trust_env=True)
         return self._api_session
 
     async def relay_session(self) -> ClientSession:
@@ -133,7 +133,9 @@ async def relay_session(self) -> ClientSession:
                         f"Server responded to token request with an invalid result: {text}",
                     ) from e
             self._relay_token = obj.token
-            self._relay_session = ClientSession(headers={"Authorization": f"Bearer {self._relay_token}"})
+            self._relay_session = ClientSession(
+                headers={"Authorization": f"Bearer {self._relay_token}"}, trust_env=True
+            )
         return self._relay_session
 
     async def send_ping(self):

horizon/proxy/api.py

@@ -200,7 +200,9 @@ async def proxy_request_to_cloud_service(
 
     logger.info(f"Proxying request: {request.method} {path}")
 
-    async with aiohttp.ClientSession() as session:
+    async with aiohttp.ClientSession(
+        trust_env=True,
+    ) as session:
         if request.method == HTTP_GET:
             async with session.get(path, headers=headers, params=params) as backend_response:
                 return await proxy_response(backend_response)

horizon/state.py

@@ -198,7 +198,9 @@ async def _report(self, state: PersistentState | None = None):
         if state is not None:
             self._state = state.copy()
         config_url = f"{sidecar_config.CONTROL_PLANE}{sidecar_config.REMOTE_STATE_ENDPOINT}"
-        async with aiohttp.ClientSession() as session:
+        async with aiohttp.ClientSession(
+            trust_env=True,
+        ) as session:
             logger.info("Reporting status update to server...")
             response = await session.post(
                 url=config_url,

requirements.txt

@@ -14,5 +14,5 @@ httpx>=0.27.0,<1
 # TODO: change to use re2 in the future, currently not supported in alpine due to c++ library issues
 # google-re2 # use re2 instead of re for regex matching because it's simiplier and safer for user inputted regexes
 protobuf>=3.20.2 # not directly required, pinned by Snyk to avoid a vulnerability
-opal-common==0.8.1
-opal-client==0.8.1
+opal-common==0.8.2
+opal-client==0.8.2