From 0e937edd4d841d33240a9838f2c592a8e9626baf Mon Sep 17 00:00:00 2001
From: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Date: Tue, 5 Jul 2022 08:50:24 -0400
Subject: [PATCH] Add timeout to auth http requests (#13976)

Sets the `Timeout` of the http.Client used by the auth client to 30s to prevent requests from blocking indefinitely. There have been several failure scenarios that result in teleport being completely stuck due to never receiving a response from an http request. The 30s upper bound should prevent this, while also being long enough that it shouldn't impact any requests which may be slow.
---
 lib/auth/clt.go | 5 ++++-
 lib/defaults/defaults.go | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/auth/clt.go b/lib/auth/clt.go
index 69e747c72d4..d012ab836ea 100644
--- a/lib/auth/clt.go
+++ b/lib/auth/clt.go
@@ -193,7 +193,10 @@ func NewHTTPClient(cfg client.Config, tls *tls.Config, params ...roundtrip.Clien
 clientParams := append(
 []roundtrip.ClientParam{
- roundtrip.HTTPClient(&http.Client{Transport: otelhttp.NewTransport(breaker.NewRoundTripper(cb, transport))}),
+ roundtrip.HTTPClient(&http.Client{
+ Timeout: defaults.HTTPRequestTimeout,
+ Transport: otelhttp.NewTransport(breaker.NewRoundTripper(cb, transport)),
+ }),
 roundtrip.SanitizerEnabled(true),
 },
 params...,
diff --git a/lib/defaults/defaults.go b/lib/defaults/defaults.go
index d03097c1ad6..0dfc6a89a19 100644
--- a/lib/defaults/defaults.go
+++ b/lib/defaults/defaults.go
@@ -112,6 +112,9 @@ const (
 // HTTPIdleTimeout is a default timeout for idle HTTP connections
 HTTPIdleTimeout = 30 * time.Second
+ // HTTPRequestTimeout is a default timeout for HTTP requests
+ HTTPRequestTimeout = 30 * time.Second
+
 // WebHeadersTimeout is a timeout that is set for web requests
 // before browsers raise "Timeout waiting web headers" error in
 // the browser
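Review bot: `Timeout` on `http.Client` bounds the whole exchange, including the time spent reading the response body, so the 30s set in the new `&http.Client{...}` literal also cuts off any large or streaming response that goes through this client, not only a peer that never answers. If the auth client has such endpoints (none are visible in this hunk), a per-request context deadline or the transport's `ResponseHeaderTimeout` would bound the stuck-request case without capping body reads. Also, `params...` is appended after this entry, so a caller that passes its own `roundtrip.HTTPClient(...)` presumably replaces this client and loses the timeout along with the breaker and tracing transport; a comment such as `// Timeout covers connect, headers and body; callers overriding HTTPClient must set their own` would make that explicit. NewHTTPClient starts and ends outside the hunk.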
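Review bot: The comment on `HTTPRequestTimeout` does not say what the 30s covers or which client uses it, and the constant sits directly after `HTTPIdleTimeout` with the same value, which makes the two easy to confuse. Suggest `// HTTPRequestTimeout is the total time allowed for a single HTTP request made by the auth client, from connect through reading the response body.` The const block starts and ends outside the hunk.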