in proxy/lib/proxy/proxy.go [114:160]
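// New builds a Service that reverse-proxies requests to opts.ProxyTo and
// registers its handlers on r.
//
// Bootstrap proceeds in this order: the FHIR issuer client secret and the
// clients-of-proxy secret are fetched (each overrides the matching opts field
// only when the fetched value is non-empty; the override is written into the
// caller's opts, which the Service keeps by reference), then an access token
// for the service account is fetched and stored, and finally the reverse
// proxy is configured and two routes are registered:
// "/.well-known/smart-configuration" with no auth requirement, and "/" which
// requires a user-role token whose self client ID matches opts.Audience.
//
// Returns an error if opts or r is nil, if opts.ProxyTo does not parse as a
// URL, or if any secret or token fetch fails. Fetch errors are wrapped with
// %w so callers can inspect the cause with errors.Is/errors.As; secret values
// are never included in error text.
func New(ctx context.Context, r *mux.Router, opts *Options, logger *logging.Client, iamClient IAMClient, secretManagerClient SecretManagerClient, cacheClient func() cache.Client) (*Service, error) {
	// Both are dereferenced below; report a clear error rather than panicking.
	if opts == nil {
		return nil, fmt.Errorf("proxy.New: opts must not be nil")
	}
	if r == nil {
		return nil, fmt.Errorf("proxy.New: router must not be nil")
	}
	u, err := url.Parse(opts.ProxyTo)
	if err != nil {
		return nil, fmt.Errorf("url.Parse(%q): %w", opts.ProxyTo, err)
	}
	s := &Service{
		opts:                        opts,
		fhirProxy:                   httputil.NewSingleHostReverseProxy(u),
		iamClient:                   iamClient,
		secretManagerClient:         secretManagerClient,
		gcpAccessLastRequestStarted: time.Now(),
	}

	// Values from the secret store take precedence over the statically
	// configured ones, but an empty fetch result leaves the configured value alone.
	issSec, err := s.fetchFhirIssuerClientSecret(ctx)
	if err != nil {
		return nil, fmt.Errorf("fetching FHIR issuer client secret: %w", err)
	}
	if len(issSec) > 0 {
		s.opts.FhirIssuerClientSecret = issSec
	}
	clients, err := s.fetchClientsOfProxySecret(ctx)
	if err != nil {
		return nil, fmt.Errorf("fetching clients-of-proxy secret: %w", err)
	}
	if len(clients) > 0 {
		s.opts.ClientsOfProxy = clients
	}

	tok, expire, err := s.fetchAccessTokenForSA(ctx)
	if err != nil {
		return nil, fmt.Errorf("request access token for service account failed: %w", err)
	}
	// Lock is not needed at service bootstrap: s is still local to this
	// function and has not been handed to any handler or goroutine yet.
	s.lockedUpdateToken(tok, expire)

	proxyDirector(s.fhirProxy)
	responseHeaderFilter(s.fhirProxy)
	s.fhirProxy.Transport = Transport

	checker := auth.NewChecker(logger, opts.FhirIssuer, nil, nil, nil, opts.UseUserinfoToVerifyAccessToken, cacheClient)
	// The SMART discovery document is served without authentication; every
	// other path requires a user-role token bound to this proxy's audience.
	r.PathPrefix("/.well-known/smart-configuration").HandlerFunc(auth.MustWithAuth(s.wellKnownSmartConfigure, checker, auth.RequireNone))
	r.PathPrefix("/").HandlerFunc(auth.MustWithAuth(s.proxy, checker, auth.Require{Role: auth.User, SelfClientID: opts.Audience}))
	return s, nil
}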