forked from kellegous/underpants
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathunderpants.go
248 lines (204 loc) · 5.52 KB
/
underpants.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
package main
import (
"bytes"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"flag"
"fmt"
"io"
"io/ioutil"
"net"
"net/http"
"os"
"strings"
"github.com/playdots/underpants/auth"
"github.com/playdots/underpants/auth/google"
"github.com/playdots/underpants/auth/okta"
"github.com/playdots/underpants/config"
"github.com/playdots/underpants/hub"
"github.com/playdots/underpants/mux"
"github.com/playdots/underpants/proxy"
"go.uber.org/zap"
"golang.org/x/crypto/ssh/terminal"
)
// getAuthProvider returns the auth.Provider that was configured in the config info.
func getAuthProvider(cfg *config.Info) (auth.Provider, error) {
var prv auth.Provider
switch cfg.Oauth.Provider {
case google.Name, "":
prv = google.Provider
case okta.Name:
prv = okta.Provider
default:
return nil, fmt.Errorf("invalid oauth provider: %s", cfg.Oauth.Provider)
}
if err := prv.Validate(cfg); err != nil {
return nil, err
}
return prv, nil
}
func getAuthProviderName(cfg *config.Info) string {
switch cfg.Oauth.Provider {
case google.Name, "":
return google.Name
case okta.Name:
return okta.Name
}
return "unknown"
}
// Generate a new random key for HMAC signing. Server keys are completely emphemeral
// in that the key is generated at server startup and not persisted between restarts.
// This means all cookies are invalidated just by restarting the server. This is
// generally desirable since it is "easy" for clients to re-authenticate with OAuth.
func newKey() ([]byte, error) {
var b bytes.Buffer
if _, err := io.CopyN(&b, rand.Reader, 64); err != nil {
return nil, err
}
return b.Bytes(), nil
}
// buildMux creates a mux for serving all http routes.
func buildMux(ctx *config.Context, p auth.Provider) (*mux.Serve, error) {
mb := mux.Create()
// setup routes for proxy backends
proxy.Setup(ctx, p, mb)
// setup all routes for the hub
hub.Setup(ctx, p, mb)
return mb.Build(), nil
}
// LoadCertificate loads the TLS certificate from the speciified files. The key file can be an encryped
// PEM so long as it carries the appropriate headers (Proc-Type and Dek-Info) and the
// password will be requested interactively.
func LoadCertificate(crtFile, keyFile string) (tls.Certificate, error) {
crtBytes, err := ioutil.ReadFile(crtFile)
if err != nil {
return tls.Certificate{}, err
}
keyBytes, err := ioutil.ReadFile(keyFile)
if err != nil {
return tls.Certificate{}, err
}
keyDer, _ := pem.Decode(keyBytes)
if keyDer == nil {
return tls.Certificate{}, fmt.Errorf("%s cannot be decoded", keyFile)
}
// http://www.ietf.org/rfc/rfc1421.txt
if !strings.HasPrefix(keyDer.Headers["Proc-Type"], "4,ENCRYPTED") {
return tls.X509KeyPair(crtBytes, keyBytes)
}
fmt.Printf("%s\nPassword: ", keyFile)
pwd, err := terminal.ReadPassword(int(os.Stdin.Fd()))
fmt.Println()
if err != nil {
return tls.Certificate{}, err
}
keyDec, err := x509.DecryptPEMBlock(keyDer, pwd)
if err != nil {
return tls.Certificate{}, err
}
return tls.X509KeyPair(crtBytes, pem.EncodeToMemory(&pem.Block{
Type: "RSA PRIVATE KEY",
Headers: map[string]string{},
Bytes: keyDec,
}))
}
// ListenAndServe binds the listening port and start serving traffic.
func ListenAndServe(ctx *config.Context, m http.Handler) error {
if ctx.HasCerts() {
var certs []tls.Certificate
for _, item := range ctx.Certs {
crt, err := LoadCertificate(item.Crt, item.Key)
if err != nil {
return err
}
certs = append(certs, crt)
}
addr := ctx.ListenAddr()
s := &http.Server{
Addr: addr,
Handler: m,
TLSConfig: &tls.Config{
NextProtos: []string{"http/1.1"},
Certificates: certs,
MinVersion: tls.VersionTLS10,
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
},
PreferServerCipherSuites: true,
},
}
s.TLSConfig.BuildNameToCertificate()
conn, err := net.Listen("tcp", addr)
if err != nil {
return err
}
return s.Serve(tls.NewListener(conn, s.TLSConfig))
}
return http.ListenAndServe(ctx.ListenAddr(), m)
}
func contextFrom(cfg *config.Info, port int) (*config.Context, error) {
// Construct the HMAC signing key
key, err := newKey()
if err != nil {
return nil, err
}
if port == 0 {
if cfg.HasCerts() {
port = 443
} else {
port = 80
}
}
return config.BuildContext(cfg, port, key), nil
}
func setupLogger() error {
lg, err := zap.NewProduction()
if err != nil {
return err
}
zap.ReplaceGlobals(lg)
return nil
}
func main() {
flagPort := flag.Int("port", 0, "")
confFileName := os.Getenv("UNDERPANTS_CONF_JSON_FILENAME")
flagConf := flag.String("conf", confFileName, "")
flag.Parse()
if err := setupLogger(); err != nil {
panic(err)
}
var cfg config.Info
if err := cfg.ReadFile(*flagConf); err != nil {
zap.L().Fatal("unable to load config",
zap.String("filename", *flagConf),
zap.Error(err))
}
p, err := getAuthProvider(&cfg)
if err != nil {
zap.L().Fatal("invalid provider config",
zap.String("filename", *flagConf),
zap.Error(err))
}
ctx, err := contextFrom(&cfg, *flagPort)
if err != nil {
zap.L().Fatal("unable to build context",
zap.Error(err))
}
zap.L().Info("starting",
zap.Int("port", ctx.Port),
zap.String("conf", *flagConf),
zap.String("provider", getAuthProviderName(ctx.Info)))
m, err := buildMux(ctx, p)
if err != nil {
zap.L().Fatal("unable to build mux",
zap.Error(err))
}
if err := ListenAndServe(ctx, m); err != nil {
zap.L().Fatal("unable to listen and serve",
zap.Error(err))
}
}