hydra_oidc_poc/cmd/app/main.go

package main

import (
	"context"
	"crypto/tls"
	"encoding/base64"
	"fmt"
	"net/http"
	"os"
	"os/signal"
	"strings"
	"sync/atomic"
	"time"

	"github.com/knadh/koanf"
	"github.com/knadh/koanf/parsers/toml"
	"github.com/knadh/koanf/providers/confmap"
	"github.com/knadh/koanf/providers/env"
	"github.com/knadh/koanf/providers/file"
	"github.com/knadh/koanf/providers/posflag"
	log "github.com/sirupsen/logrus"
	flag "github.com/spf13/pflag"

	"git.cacert.org/oidc_login/app/handlers"
	"git.cacert.org/oidc_login/app/services"
	commonHandlers "git.cacert.org/oidc_login/common/handlers"
	commonServices "git.cacert.org/oidc_login/common/services"
)

func main() {
	f := flag.NewFlagSet("config", flag.ContinueOnError)
	f.Usage = func() {
		fmt.Println(f.FlagUsages())
		os.Exit(0)
	}
	f.StringSlice("conf", []string{"resource_app.toml"}, "path to one or more .toml files")
	logger := log.New()
	var err error

	if err = f.Parse(os.Args[1:]); err != nil {
		logger.Fatal(err)
	}

	config := koanf.New(".")

	_ = config.Load(confmap.Provider(map[string]interface{}{
		"server.port":        4000,
		"server.name":        "app.cacert.localhost",
		"server.key":         "certs/app.cacert.localhost.key",
		"server.certificate": "certs/app.cacert.localhost.crt.pem",
		"oidc.server":        "https://auth.cacert.localhost:4444/",
		"session.path":       "sessions/app",
		"i18n.languages":     []string{"en", "de"},
	}, "."), nil)
	cFiles, _ := f.GetStringSlice("conf")
	for _, c := range cFiles {
		if err := config.Load(file.Provider(c), toml.Parser()); err != nil {
			logger.Fatalf("error loading config file: %s", err)
		}
	}
	if err := config.Load(posflag.Provider(f, ".", config), nil); err != nil {
		logger.Fatalf("error loading configuration: %s", err)
	}
	if err := config.Load(file.Provider("resource_app.toml"), toml.Parser()); err != nil && !os.IsNotExist(err) {
		log.Fatalf("error loading config: %v", err)
	}
	const prefix = "RESOURCE_APP_"
	if err := config.Load(env.Provider(prefix, ".", func(s string) string {
		return strings.Replace(strings.ToLower(
			strings.TrimPrefix(s, prefix)), "_", ".", -1)
	}), nil); err != nil {
		log.Fatalf("error loading config: %v", err)
	}

	oidcServer := config.MustString("oidc.server")
	oidcClientId := config.MustString("oidc.client-id")
	oidcClientSecret := config.MustString("oidc.client-secret")

	ctx := context.Background()
	ctx = commonServices.InitI18n(ctx, logger, config.Strings("i18n.languages"))
	services.AddMessages(ctx)

	sessionPath := config.MustString("session.path")
	sessionAuthKey, err := base64.StdEncoding.DecodeString(config.String("session.auth-key"))
	if err != nil {
		log.Fatalf("could not decode session auth key: %s", err)
	}
	sessionEncKey, err := base64.StdEncoding.DecodeString(config.String("session.enc-key"))
	if err != nil {
		log.Fatalf("could not decode session encryption key: %s", err)
	}

	generated := false
	if len(sessionAuthKey) != 64 {
		sessionAuthKey = commonServices.GenerateKey(64)
		generated = true
	}
	if len(sessionEncKey) != 32 {
		sessionEncKey = commonServices.GenerateKey(32)
		generated = true
	}

	if generated {
		_ = config.Load(confmap.Provider(map[string]interface{}{
			"session.auth-key": sessionAuthKey,
			"session.enc-key":  sessionEncKey,
		}, "."), nil)
		tomlData, err := config.Marshal(toml.Parser())
		if err != nil {
			log.Fatalf("could not encode session config")
		}
		log.Infof("put the following in your resource_app.toml:\n%s", string(tomlData))
	}

	if ctx, err = commonServices.DiscoverOIDC(ctx, logger, &commonServices.OidcParams{
		OidcServer:       oidcServer,
		OidcClientId:     oidcClientId,
		OidcClientSecret: oidcClientSecret,
		APIClient:        &http.Client{},
	}); err != nil {
		log.Fatalf("OpenID Connect discovery failed: %s", err)
	}

	services.InitSessionStore(logger, sessionPath, sessionAuthKey, sessionEncKey)

	authMiddleware := handlers.Authenticate(ctx, oidcClientId)

	serverAddr := fmt.Sprintf("%s:%d", config.String("server.name"), config.Int("server.port"))

	indexHandler, err := handlers.NewIndexHandler(ctx, serverAddr)
	if err != nil {
		logger.Fatalf("could not initialize index handler: %v", err)
	}
	callbackHandler := handlers.NewCallbackHandler(ctx)
	afterLogoutHandler := handlers.NewAfterLogoutHandler(logger)

	router := http.NewServeMux()
	router.Handle("/", authMiddleware(indexHandler))
	router.Handle("/callback", callbackHandler)
	router.Handle("/after-logout", afterLogoutHandler)

	nextRequestId := func() string {
		return fmt.Sprintf("%d", time.Now().UnixNano())
	}

	tracing := commonHandlers.Tracing(nextRequestId)
	logging := commonHandlers.Logging(logger)
	hsts := commonHandlers.EnableHSTS()

	tlsConfig := &tls.Config{
		ServerName: config.String("server.name"),
		MinVersion: tls.VersionTLS12,
	}
	server := &http.Server{
		Addr:         serverAddr,
		Handler:      tracing(logging(hsts(router))),
		ReadTimeout:  5 * time.Second,
		WriteTimeout: 10 * time.Second,
		IdleTimeout:  15 * time.Second,
		TLSConfig:    tlsConfig,
	}

	done := make(chan bool)
	quit := make(chan os.Signal, 1)
	signal.Notify(quit, os.Interrupt)

	go func() {
		<-quit
		logger.Infoln("Server is shutting down...")
		atomic.StoreInt32(&commonHandlers.Healthy, 0)

		ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
		defer cancel()

		server.SetKeepAlivesEnabled(false)
		if err := server.Shutdown(ctx); err != nil {
			logger.Fatalf("Could not gracefully shutdown the server: %v\n", err)
		}
		close(done)
	}()

	logger.Infof("Server is ready to handle requests at https://%s/", server.Addr)
	atomic.StoreInt32(&commonHandlers.Healthy, 1)
	if err := server.ListenAndServeTLS(
		config.String("server.certificate"), config.String("server.key"),
	); err != nil && err != http.ErrServerClosed {
		logger.Fatalf("Could not listen on %s: %v\n", server.Addr, err)
	}

	<-done
	logger.Infoln("Server stopped")
}
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`package main`

			`import (`
			`"context"`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`"crypto/tls"`
Implement login flow 2020-12-30 19:31:10 +01:00			`"encoding/base64"`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`"fmt"`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`"net/http"`
Implement login flow 2020-12-30 19:31:10 +01:00			`"os"`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`"os/signal"`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`"strings"`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`"sync/atomic"`
			`"time"`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00
Implement login flow 2020-12-30 19:31:10 +01:00			`"github.com/knadh/koanf"`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`"github.com/knadh/koanf/parsers/toml"`
Implement login flow 2020-12-30 19:31:10 +01:00			`"github.com/knadh/koanf/providers/confmap"`
			`"github.com/knadh/koanf/providers/env"`
			`"github.com/knadh/koanf/providers/file"`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`"github.com/knadh/koanf/providers/posflag"`
Implement login flow 2020-12-30 19:31:10 +01:00			`log "github.com/sirupsen/logrus"`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`flag "github.com/spf13/pflag"`
Implement login flow 2020-12-30 19:31:10 +01:00
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`"git.cacert.org/oidc_login/app/handlers"`
			`"git.cacert.org/oidc_login/app/services"`
			`commonHandlers "git.cacert.org/oidc_login/common/handlers"`
			`commonServices "git.cacert.org/oidc_login/common/services"`
Implement login flow 2020-12-30 19:31:10 +01:00			`)`

Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`func main() {`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`f := flag.NewFlagSet("config", flag.ContinueOnError)`
			`f.Usage = func() {`
			`fmt.Println(f.FlagUsages())`
			`os.Exit(0)`
			`}`
			`f.StringSlice("conf", []string{"resource_app.toml"}, "path to one or more .toml files")`
			`logger := log.New()`
			`var err error`

			`if err = f.Parse(os.Args[1:]); err != nil {`
			`logger.Fatal(err)`
			`}`

			`config := koanf.New(".")`

			`_ = config.Load(confmap.Provider(map[string]interface{}{`
			`"server.port": 4000,`
			`"server.name": "app.cacert.localhost",`
			`"server.key": "certs/app.cacert.localhost.key",`
			`"server.certificate": "certs/app.cacert.localhost.crt.pem",`
			`"oidc.server": "https://auth.cacert.localhost:4444/",`
			`"session.path": "sessions/app",`
Refactor i18n, add templating for resource app 2021-01-01 09:20:49 +01:00			`"i18n.languages": []string{"en", "de"},`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`}, "."), nil)`
			`cFiles, _ := f.GetStringSlice("conf")`
			`for _, c := range cFiles {`
			`if err := config.Load(file.Provider(c), toml.Parser()); err != nil {`
			`logger.Fatalf("error loading config file: %s", err)`
			`}`
			`}`
			`if err := config.Load(posflag.Provider(f, ".", config), nil); err != nil {`
			`logger.Fatalf("error loading configuration: %s", err)`
			`}`
			`if err := config.Load(file.Provider("resource_app.toml"), toml.Parser()); err != nil && !os.IsNotExist(err) {`
Implement login flow 2020-12-30 19:31:10 +01:00			`log.Fatalf("error loading config: %v", err)`
			`}`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`const prefix = "RESOURCE_APP_"`
			`if err := config.Load(env.Provider(prefix, ".", func(s string) string {`
Implement login flow 2020-12-30 19:31:10 +01:00			`return strings.Replace(strings.ToLower(`
			`strings.TrimPrefix(s, prefix)), "_", ".", -1)`
			`}), nil); err != nil {`
			`log.Fatalf("error loading config: %v", err)`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`}`

Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`oidcServer := config.MustString("oidc.server")`
			`oidcClientId := config.MustString("oidc.client-id")`
			`oidcClientSecret := config.MustString("oidc.client-secret")`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00
Refactor i18n, add templating for resource app 2021-01-01 09:20:49 +01:00			`ctx := context.Background()`
			`ctx = commonServices.InitI18n(ctx, logger, config.Strings("i18n.languages"))`
			`services.AddMessages(ctx)`

Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`sessionPath := config.MustString("session.path")`
			`sessionAuthKey, err := base64.StdEncoding.DecodeString(config.String("session.auth-key"))`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`if err != nil {`
Implement login flow 2020-12-30 19:31:10 +01:00			`log.Fatalf("could not decode session auth key: %s", err)`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`}`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`sessionEncKey, err := base64.StdEncoding.DecodeString(config.String("session.enc-key"))`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`if err != nil {`
Implement login flow 2020-12-30 19:31:10 +01:00			`log.Fatalf("could not decode session encryption key: %s", err)`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`}`
Implement login flow 2020-12-30 19:31:10 +01:00
			`generated := false`
			`if len(sessionAuthKey) != 64 {`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`sessionAuthKey = commonServices.GenerateKey(64)`
Implement login flow 2020-12-30 19:31:10 +01:00			`generated = true`
			`}`
			`if len(sessionEncKey) != 32 {`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`sessionEncKey = commonServices.GenerateKey(32)`
Implement login flow 2020-12-30 19:31:10 +01:00			`generated = true`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`}`

Implement login flow 2020-12-30 19:31:10 +01:00			`if generated {`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`_ = config.Load(confmap.Provider(map[string]interface{}{`
Implement login flow 2020-12-30 19:31:10 +01:00			`"session.auth-key": sessionAuthKey,`
			`"session.enc-key": sessionEncKey,`
			`}, "."), nil)`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`tomlData, err := config.Marshal(toml.Parser())`
Implement login flow 2020-12-30 19:31:10 +01:00			`if err != nil {`
			`log.Fatalf("could not encode session config")`
			`}`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`log.Infof("put the following in your resource_app.toml:\n%s", string(tomlData))`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`}`

Refactor i18n, add templating for resource app 2021-01-01 09:20:49 +01:00			`if ctx, err = commonServices.DiscoverOIDC(ctx, logger, &commonServices.OidcParams{`
			`OidcServer: oidcServer,`
			`OidcClientId: oidcClientId,`
			`OidcClientSecret: oidcClientSecret,`
			`APIClient: &http.Client{},`
			`}); err != nil {`
Implement login flow 2020-12-30 19:31:10 +01:00			`log.Fatalf("OpenID Connect discovery failed: %s", err)`
			`}`

Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`services.InitSessionStore(logger, sessionPath, sessionAuthKey, sessionEncKey)`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00
Refactor i18n, add templating for resource app 2021-01-01 09:20:49 +01:00			`authMiddleware := handlers.Authenticate(ctx, oidcClientId)`
Implement login flow 2020-12-30 19:31:10 +01:00
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`serverAddr := fmt.Sprintf("%s:%d", config.String("server.name"), config.Int("server.port"))`
Refactor i18n, add templating for resource app 2021-01-01 09:20:49 +01:00
			`indexHandler, err := handlers.NewIndexHandler(ctx, serverAddr)`
			`if err != nil {`
			`logger.Fatalf("could not initialize index handler: %v", err)`
			`}`
			`callbackHandler := handlers.NewCallbackHandler(ctx)`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`afterLogoutHandler := handlers.NewAfterLogoutHandler(logger)`
Implement login flow 2020-12-30 19:31:10 +01:00
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`router := http.NewServeMux()`
			`router.Handle("/", authMiddleware(indexHandler))`
			`router.Handle("/callback", callbackHandler)`
			`router.Handle("/after-logout", afterLogoutHandler)`
Implement login flow 2020-12-30 19:31:10 +01:00
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`nextRequestId := func() string {`
			`return fmt.Sprintf("%d", time.Now().UnixNano())`
Implement login flow 2020-12-30 19:31:10 +01:00			`}`

Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`tracing := commonHandlers.Tracing(nextRequestId)`
			`logging := commonHandlers.Logging(logger)`
			`hsts := commonHandlers.EnableHSTS()`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`tlsConfig := &tls.Config{`
			`ServerName: config.String("server.name"),`
			`MinVersion: tls.VersionTLS12,`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`}`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`server := &http.Server{`
			`Addr: serverAddr,`
			`Handler: tracing(logging(hsts(router))),`
			`ReadTimeout: 5 * time.Second,`
			`WriteTimeout: 10 * time.Second,`
			`IdleTimeout: 15 * time.Second,`
			`TLSConfig: tlsConfig,`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`}`

Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`done := make(chan bool)`
			`quit := make(chan os.Signal, 1)`
			`signal.Notify(quit, os.Interrupt)`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`go func() {`
			`<-quit`
			`logger.Infoln("Server is shutting down...")`
			`atomic.StoreInt32(&commonHandlers.Healthy, 0)`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`ctx, cancel := context.WithTimeout(ctx, 30*time.Second)`
			`defer cancel()`
Implement login flow 2020-12-30 19:31:10 +01:00
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`server.SetKeepAlivesEnabled(false)`
			`if err := server.Shutdown(ctx); err != nil {`
			`logger.Fatalf("Could not gracefully shutdown the server: %v\n", err)`
Implement login flow 2020-12-30 19:31:10 +01:00			`}`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`close(done)`
			`}()`
Implement login flow 2020-12-30 19:31:10 +01:00
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`logger.Infof("Server is ready to handle requests at https://%s/", server.Addr)`
			`atomic.StoreInt32(&commonHandlers.Healthy, 1)`
			`if err := server.ListenAndServeTLS(`
			`config.String("server.certificate"), config.String("server.key"),`
			`); err != nil && err != http.ErrServerClosed {`
			`logger.Fatalf("Could not listen on %s: %v\n", server.Addr, err)`
Implement login flow 2020-12-30 19:31:10 +01:00			`}`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`<-done`
			`logger.Infoln("Server stopped")`
Initial version without actual verification of login 2020-12-29 21:50:59 +01:00			`}`