Introduced HTTPClientConfig to consolidate OAuth2 and other common configurations.

Mimics upstream configuration so that json config remains similar.

- Added proxy settings, including `ProxyURL`, `NoProxy`, and `ProxyConnectHeader`, and ensured validation.
- Updated OAuth2 configuration to support proxy usage.
- Added tests for HTTP client, proxy configuration, and OAuth2 validation.

Author: JacobsonMT

http/client.go

@@ -23,9 +23,9 @@ import (
 var ErrInvalidMethod = errors.New("webhook only supports HTTP methods PUT or POST")
 
 type clientConfiguration struct {
-	userAgent    string
-	dialer       net.Dialer // We use Dialer here instead of DialContext as our mqtt client doesn't support DialContext.
-	ouath2Config *OAuth2Config
+	userAgent        string
+	dialer           net.Dialer // We use Dialer here instead of DialContext as our mqtt client doesn't support DialContext.
+	httpClientConfig HTTPClientConfig
 }
 
 // defaultDialTimeout is the default timeout for the dialer, 30 seconds to match http.DefaultTransport.
@@ -55,8 +55,8 @@ func NewClient(opts ...ClientOption) (*Client, error) {
 		cfg: cfg,
 	}
 
-	if cfg.ouath2Config != nil {
-		if err := ValidateOAuth2Config(*cfg.ouath2Config); err != nil {
+	if cfg.httpClientConfig.OAuth2 != nil {
+		if err := ValidateOAuth2Config(cfg.httpClientConfig.OAuth2); err != nil {
 			return nil, fmt.Errorf("invalid OAuth2 configuration: %w", err)
 		}
 		// If the user has provided an OAuth2 config, we need to prepare the OAuth2 token source. This needs to
@@ -85,9 +85,11 @@ func WithDialer(dialer net.Dialer) ClientOption {
 	}
 }
 
-func WithOAuth2(config *OAuth2Config) ClientOption {
+func WithHTTPClientConfig(config *HTTPClientConfig) ClientOption {
 	return func(c *clientConfiguration) {
-		c.ouath2Config = config
+		if config != nil {
+			c.httpClientConfig = *config
+		}
 	}
 }
 

http/client_test.go

@@ -57,10 +57,12 @@ func TestClient(t *testing.T) {
 			ClientSecret: "test-client-secret",
 			TokenURL:     "https://localhost:8080/oauth2/token",
 		}
-		client, err := NewClient(WithOAuth2(oauth2Config))
+		client, err := NewClient(WithHTTPClientConfig(&HTTPClientConfig{
+			OAuth2: oauth2Config,
+		}))
 		require.NoError(t, err)
 
-		require.Equal(t, oauth2Config, client.cfg.ouath2Config)
+		require.Equal(t, oauth2Config, client.cfg.httpClientConfig.OAuth2)
 	})
 
 	t.Run("WithOAuth2 invalid TLS", func(t *testing.T) {
@@ -72,7 +74,9 @@ func TestClient(t *testing.T) {
 				CACertificate: "invalid-ca-cert",
 			},
 		}
-		_, err := NewClient(WithOAuth2(oauth2Config))
+		_, err := NewClient(WithHTTPClientConfig(&HTTPClientConfig{
+			OAuth2: oauth2Config,
+		}))
 		require.ErrorIs(t, err, ErrOAuth2TLSConfigInvalid)
 	})
 }
@@ -245,6 +249,7 @@ func TestSendWebhookOAuth2(t *testing.T) {
 		expOAuth2RequestValues url.Values
 		expClientError         error
 		expOAuthError          error
+		expProxyRequests       bool
 	}{
 		{
 			name: "valid simple OAuth2 config",
@@ -408,11 +413,33 @@ func TestSendWebhookOAuth2(t *testing.T) {
 			},
 			expOAuthError: customDialError,
 		},
+		{
+			name: "proxy in OAuth2 config",
+			oauth2Config: OAuth2Config{
+				ClientID:     "test-client-id",
+				ClientSecret: "test-client-secret",
+				ProxyConfig: &ProxyConfig{
+					ProxyURL: "xxxx", // This will be replaced with the test server URL.
+				},
+			},
+			oauth2Response: oauth2Response{
+				AccessToken: "12345",
+				TokenType:   "Bearer",
+			},
+
+			expOAuth2RequestValues: url.Values{
+				"grant_type": []string{"client_credentials"},
+			},
+			expOAuth2AuthHeaders: http.Header{
+				"Authorization": []string{GetBasicAuthHeader("test-client-id", "test-client-secret")},
+			},
+			expProxyRequests: true,
+		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.name, func(t *testing.T) {
 			oathRequestCnt := 0
-			oauth2Server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			oauthHandler := func(w http.ResponseWriter, r *http.Request) {
 				oathRequestCnt++
 
 				for k := range tc.expOAuth2AuthHeaders {
@@ -427,8 +454,22 @@ func TestSendWebhookOAuth2(t *testing.T) {
 				res, _ := json.Marshal(tc.oauth2Response)
 				w.Header().Add("Content-Type", "application/json")
 				_, _ = w.Write(res)
-			}))
+			}
+
+			oauth2Server := httptest.NewServer(http.HandlerFunc(oauthHandler))
 			defer oauth2Server.Close()
+			tokenUrl := oauth2Server.URL + "/oauth2/token"
+
+			proxyRequestCnt := 0
+			proxyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				proxyRequestCnt++
+				// Verify this is a proxy request.
+				assert.Equal(t, tokenUrl, r.RequestURI, "expected request to be sent to oauth server")
+
+				// Simulate forwarding the request to the OAuth2 handler.
+				oauthHandler(w, r)
+			}))
+			defer proxyServer.Close()
 
 			webhookRequestCnt := 0
 			webhookServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -440,8 +481,19 @@ func TestSendWebhookOAuth2(t *testing.T) {
 			defer webhookServer.Close()
 
 			oauthConfig := tc.oauth2Config
-			oauthConfig.TokenURL = oauth2Server.URL
-			client, err := NewClient(append(tc.otherClientOpts, WithOAuth2(&oauthConfig))...)
+			oauthConfig.TokenURL = tokenUrl
+
+			if oauthConfig.ProxyConfig != nil && oauthConfig.ProxyConfig.ProxyURL != "" {
+				oauthConfig.ProxyConfig.ProxyURL = proxyServer.URL
+			}
+			expectedProxyRequestCnt := 0
+			if tc.expProxyRequests {
+				expectedProxyRequestCnt = 1
+			}
+
+			client, err := NewClient(append(tc.otherClientOpts, WithHTTPClientConfig(&HTTPClientConfig{
+				OAuth2: &oauthConfig,
+			}))...)
 			if tc.expClientError != nil {
 				assert.ErrorIs(t, err, tc.expClientError, "expected client creation error to match")
 				return
@@ -454,11 +506,13 @@ func TestSendWebhookOAuth2(t *testing.T) {
 				HTTPMethod: http.MethodPost,
 			})
 			if tc.expOAuthError != nil {
-				assert.Equal(t, 0, oathRequestCnt, "expected %d OAuth2 request to be sent, got: %d", 1, oathRequestCnt)
-				assert.Equal(t, 0, webhookRequestCnt, "expected %d webhook request to be sent, got: %d", 1, webhookRequestCnt)
+				assert.Equal(t, 0, proxyRequestCnt, "expected %d Proxy request to be sent, got: %d", 0, oathRequestCnt)
+				assert.Equal(t, 0, oathRequestCnt, "expected %d OAuth2 request to be sent, got: %d", 0, oathRequestCnt)
+				assert.Equal(t, 0, webhookRequestCnt, "expected %d webhook request to be sent, got: %d", 0, webhookRequestCnt)
 				assert.ErrorIs(t, err, tc.expOAuthError, "expected error to match")
 				return
 			}
+			assert.Equal(t, expectedProxyRequestCnt, proxyRequestCnt, "expected %d proxy request to be sent, got: %d", expectedProxyRequestCnt, proxyRequestCnt)
 			assert.Equal(t, 1, oathRequestCnt, "expected %d OAuth2 request to be sent, got: %d", 1, oathRequestCnt)
 			assert.Equal(t, 1, webhookRequestCnt, "expected %d webhook request to be sent, got: %d", 1, webhookRequestCnt)
 			assert.NoError(t, err, "expected no error")
@@ -469,6 +523,7 @@ func TestSendWebhookOAuth2(t *testing.T) {
 				Body:       "test-body",
 				HTTPMethod: http.MethodPost,
 			})
+			assert.Equal(t, expectedProxyRequestCnt, proxyRequestCnt, "expected %d proxy request to be sent, got: %d", expectedProxyRequestCnt, proxyRequestCnt)
 			assert.Equal(t, 1, oathRequestCnt, "expected %d OAuth2 request to be sent, got: %d", 1, oathRequestCnt)
 			assert.Equal(t, 2, webhookRequestCnt, "expected %d webhook request to be sent, got: %d", 2, webhookRequestCnt)
 		})

http/config.go

@@ -0,0 +1,128 @@
+package http
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"golang.org/x/net/http/httpproxy"
+
+	"github.com/grafana/alerting/receivers"
+)
+
+var (
+	// ErrInvalidOAuth2Config is returned when the OAuth2 configuration is invalid.
+	ErrInvalidOAuth2Config = fmt.Errorf("invalid OAuth2 configuration")
+	// ErrInvalidProxyConfig is returned when the proxy configuration is invalid.
+	ErrInvalidProxyConfig = fmt.Errorf("invalid proxy configuration")
+)
+
+// HTTPClientConfig holds common configuration for notifier HTTP clients.
+type HTTPClientConfig struct {
+	// The OAuth2 client credentials used to fetch a token for the targets.
+	OAuth2 *OAuth2Config `yaml:"oauth2,omitempty" json:"oauth2,omitempty"`
+}
+
+// Decrypt decrypts sensitive fields in the HTTPClientConfig.
+func (c *HTTPClientConfig) Decrypt(decryptFn receivers.DecryptFunc) {
+	if c.OAuth2 != nil {
+		c.OAuth2.ClientSecret = decryptFn("http_config.oauth2.client_secret", c.OAuth2.ClientSecret)
+		if c.OAuth2.TLSConfig != nil {
+			c.OAuth2.TLSConfig.CACertificate = decryptFn("http_config.oauth2.tls_config.caCertificate", c.OAuth2.TLSConfig.CACertificate)
+			c.OAuth2.TLSConfig.ClientCertificate = decryptFn("http_config.oauth2.tls_config.clientCertificate", c.OAuth2.TLSConfig.ClientCertificate)
+			c.OAuth2.TLSConfig.ClientKey = decryptFn("http_config.oauth2.tls_config.clientKey", c.OAuth2.TLSConfig.ClientKey)
+		}
+	}
+}
+
+func ValidateHTTPClientConfig(cfg *HTTPClientConfig) error {
+	if cfg != nil {
+		if err := ValidateOAuth2Config(cfg.OAuth2); err != nil {
+			return fmt.Errorf("%w: %w", ErrInvalidOAuth2Config, err)
+		}
+	}
+	return nil
+}
+
+type ProxyConfig struct {
+	// ProxyURL is the HTTP proxy server to use to connect to the targets.
+	ProxyURL string `yaml:"proxy_url,omitempty" json:"proxy_url,omitempty"`
+	// NoProxy contains addresses that should not use a proxy.
+	NoProxy string `yaml:"no_proxy,omitempty" json:"no_proxy,omitempty"`
+	// ProxyFromEnvironment uses environment HTTP_PROXY, HTTPS_PROXY and NO_PROXY to determine proxies.
+	ProxyFromEnvironment bool `yaml:"proxy_from_environment,omitempty" json:"proxy_from_environment,omitempty"`
+	// ProxyConnectHeader optionally specifies headers to send to proxies during CONNECT requests.
+	ProxyConnectHeader map[string]string `yaml:"proxy_connect_header,omitempty" json:"proxy_connect_header,omitempty"`
+}
+
+// Proxy returns the Proxy URL for a request.
+func (cfg *ProxyConfig) Proxy() (fn func(*http.Request) (*url.URL, error), err error) {
+	if cfg == nil {
+		return nil, nil
+	}
+	if cfg.ProxyFromEnvironment {
+		proxyFn := httpproxy.FromEnvironment().ProxyFunc()
+		return func(req *http.Request) (*url.URL, error) {
+			return proxyFn(req.URL)
+		}, nil
+	}
+	if cfg.ProxyURL != "" {
+		proxyUrl, err := url.Parse(cfg.ProxyURL)
+		if err != nil {
+			return nil, fmt.Errorf("invalid proxy URL %q: %w", cfg.ProxyURL, err)
+		}
+		if cfg.NoProxy == "" {
+			return http.ProxyURL(proxyUrl), nil
+		}
+		proxy := &httpproxy.Config{
+			HTTPProxy:  proxyUrl.String(),
+			HTTPSProxy: proxyUrl.String(),
+			NoProxy:    cfg.NoProxy,
+		}
+		proxyFn := proxy.ProxyFunc()
+		return func(req *http.Request) (*url.URL, error) {
+			return proxyFn(req.URL)
+		}, nil
+	}
+	return nil, nil
+}
+
+func (cfg *ProxyConfig) GetProxyConnectHeader() http.Header {
+	if cfg == nil || len(cfg.ProxyConnectHeader) == 0 {
+		return nil
+	}
+	// Return a copy of the header to avoid modifying the original.
+	headerCopy := make(http.Header, len(cfg.ProxyConnectHeader))
+	for k, v := range cfg.ProxyConnectHeader {
+		headerCopy.Add(k, v)
+	}
+	return headerCopy
+}
+
+func ValidateProxyConfig(cfg *ProxyConfig) error {
+	if cfg == nil {
+		// If no proxy config is provided, we consider it valid.
+		return nil
+	}
+	if len(cfg.ProxyConnectHeader) > 0 && !cfg.ProxyFromEnvironment && cfg.ProxyURL == "" {
+		return errors.New("if proxy_connect_header is configured, proxy_url or proxy_from_environment must also be configured")
+	}
+	if cfg.ProxyFromEnvironment && cfg.ProxyURL != "" {
+		return errors.New("if proxy_from_environment is configured, proxy_url must not be configured")
+	}
+	if cfg.ProxyFromEnvironment && cfg.NoProxy != "" {
+		return errors.New("if proxy_from_environment is configured, no_proxy must not be configured")
+	}
+	if cfg.ProxyURL == "" && cfg.NoProxy != "" {
+		return errors.New("if no_proxy is configured, proxy_url must also be configured")
+	}
+
+	if cfg.ProxyURL != "" {
+		if _, err := url.Parse(cfg.ProxyURL); err != nil {
+			return fmt.Errorf("invalid proxy URL %q: %w", cfg.ProxyURL, err)
+		}
+	}
+
+	return nil
+}