Diffstat (limited to 'server/server.go')
-rw-r--r--server/server.go101
1 files changed, 14 insertions, 87 deletions
diff --git a/server/server.go b/server/server.go
index 2a6af15..d9cdf3a 100644
--- a/server/server.go
+++ b/server/server.go
@@ -2,7 +2,6 @@ package server
import (
"bytes"
- "crypto/tls"
"encoding/base64"
"encoding/json"
"fmt"
@@ -12,8 +11,6 @@ import (
"os"
"time"
- "github.com/gorilla/csrf"
-
"github.com/gobuffalo/packr"
"github.com/gorilla/handlers"
"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -22,36 +19,16 @@ import (
"github.com/gorilla/sessions"
"github.com/pkg/errors"
- "go4.org/wkfs"
- "golang.org/x/crypto/acme/autocert"
"golang.org/x/oauth2"
- wkfscache "github.com/nsheridan/autocert-wkfs-cache"
"github.com/nsheridan/cashier/lib"
- "github.com/nsheridan/cashier/server/auth"
"github.com/nsheridan/cashier/server/auth/github"
- "github.com/nsheridan/cashier/server/auth/gitlab"
- "github.com/nsheridan/cashier/server/auth/google"
- "github.com/nsheridan/cashier/server/auth/microsoft"
"github.com/nsheridan/cashier/server/config"
"github.com/nsheridan/cashier/server/metrics"
"github.com/nsheridan/cashier/server/signer"
- "github.com/nsheridan/cashier/server/store"
"github.com/sid77/drop"
)
-func loadCerts(certFile, keyFile string) (tls.Certificate, error) {
- key, err := wkfs.ReadFile(keyFile)
- if err != nil {
- return tls.Certificate{}, errors.Wrap(err, "error reading TLS private key")
- }
- cert, err := wkfs.ReadFile(certFile)
- if err != nil {
- return tls.Certificate{}, errors.Wrap(err, "error reading TLS certificate")
- }
- return tls.X509KeyPair(cert, key)
-}
-
// Run the server.
func Run(conf *config.Config) {
var err error
@@ -62,30 +39,6 @@ func Run(conf *config.Config) {
log.Fatal(errors.Wrapf(err, "unable to listen on %s:%d", conf.Server.Addr, conf.Server.Port))
}
- tlsConfig := &tls.Config{}
- if conf.Server.UseTLS {
- if conf.Server.LetsEncryptServername != "" {
- m := autocert.Manager{
- Prompt: autocert.AcceptTOS,
- HostPolicy: autocert.HostWhitelist(conf.Server.LetsEncryptServername),
- }
- if conf.Server.LetsEncryptCache != "" {
- m.Cache = wkfscache.Cache(conf.Server.LetsEncryptCache)
- }
- tlsConfig = m.TLSConfig()
- } else {
- if conf.Server.TLSCert == "" || conf.Server.TLSKey == "" {
- log.Fatal("TLS cert or key not specified in config")
- }
- tlsConfig.Certificates = make([]tls.Certificate, 1)
- tlsConfig.Certificates[0], err = loadCerts(conf.Server.TLSCert, conf.Server.TLSKey)
- if err != nil {
- log.Fatal(errors.Wrap(err, "unable to create TLS listener"))
- }
- }
- l = tls.NewListener(l, tlsConfig)
- }
-
if conf.Server.User != "" {
log.Print("Dropping privileges...")
if err := drop.DropPrivileges(conf.Server.User); err != nil {
@@ -96,21 +49,9 @@ func Run(conf *config.Config) {
// Unprivileged section
metrics.Register()
- var authprovider auth.Provider
- switch conf.Auth.Provider {
- case "github":
- authprovider, err = github.New(conf.Auth)
- case "gitlab":
- authprovider, err = gitlab.New(conf.Auth)
- case "google":
- authprovider, err = google.New(conf.Auth)
- case "microsoft":
- authprovider, err = microsoft.New(conf.Auth)
- default:
- log.Fatalf("Unknown provider %s\n", conf.Auth.Provider)
- }
+ authprovider, err := github.New(conf.Github)
if err != nil {
- log.Fatal(errors.Wrapf(err, "unable to use provider '%s'", conf.Auth.Provider))
+ log.Fatal(errors.Wrap(err, "unable to setup github auth provider"))
}
keysigner, err := signer.New(conf.SSH)
@@ -118,24 +59,17 @@ func Run(conf *config.Config) {
log.Fatal(err)
}
- certstore, err := store.New(conf.Server.Database)
- if err != nil {
- log.Fatal(err)
- }
-
ctx := &app{
- cookiestore: sessions.NewCookieStore([]byte(conf.Server.CookieSecret)),
- requireReason: conf.Server.RequireReason,
- keysigner: keysigner,
- certstore: certstore,
- authprovider: authprovider,
- config: conf.Server,
- router: mux.NewRouter(),
+ cookiestore: sessions.NewCookieStore([]byte(conf.Server.CookieSecret)),
+ keysigner: keysigner,
+ authprovider: authprovider,
+ config: conf.Server,
+ router: mux.NewRouter(),
}
ctx.cookiestore.Options = &sessions.Options{
MaxAge: 900,
Path: "/",
- Secure: conf.Server.UseTLS,
+ Secure: conf.Server.SecureCookie,
HttpOnly: true,
}
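Review bot: The session cookie's Secure attribute at `Secure: conf.Server.SecureCookie,` is now an independent config field rather than being derived from whether the listener itself speaks TLS, and since this commit also removes the in-process TLS listener from Run, that field is the only thing keeping the session cookie off plaintext connections when TLS is terminated upstream. If the field's zero value is false (its default is not visible here), a deployment that omits it silently sends the session cookie without Secure; consider a startup warning right after the Options assignment, e.g. `if !conf.Server.SecureCookie { log.Print("SecureCookie is false; session cookie will be sent over non-TLS connections") }`. A comment on the config field stating that it must be true whenever the proxy in front serves HTTPS would also help operators. Run continues outside the hunk.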
@@ -190,30 +124,23 @@ func encodeString(s string) string {
// app contains local context - cookiestore, authsession etc.
type app struct {
- cookiestore *sessions.CookieStore
- authprovider auth.Provider
- certstore store.CertStorer
- keysigner *signer.KeySigner
- router *mux.Router
- config *config.Server
- requireReason bool
+ cookiestore *sessions.CookieStore
+ authprovider *github.Config
+ keysigner *signer.KeySigner
+ router *mux.Router
+ config *config.Server
}
func (a *app) routes() {
// login required
- csrfHandler := csrf.Protect([]byte(a.config.CSRFSecret), csrf.Secure(a.config.UseTLS))
a.router.Methods("GET").Path("/").Handler(a.authed(http.HandlerFunc(a.index)))
- a.router.Methods("POST").Path("/admin/revoke").Handler(a.authed(csrfHandler(http.HandlerFunc(a.revoke))))
- a.router.Methods("GET").Path("/admin/certs").Handler(a.authed(csrfHandler(http.HandlerFunc(a.getAllCerts))))
- a.router.Methods("GET").Path("/admin/certs.json").Handler(a.authed(http.HandlerFunc(a.getCertsJSON)))
// no login required
a.router.Methods("GET").Path("/auth/login").HandlerFunc(a.auth)
a.router.Methods("GET").Path("/auth/callback").HandlerFunc(a.auth)
- a.router.Methods("GET").Path("/revoked").HandlerFunc(a.revoked)
a.router.Methods("POST").Path("/sign").HandlerFunc(a.sign)
- a.router.Methods("GET").Path("/healthcheck").HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+ a.router.Methods("GET").Path("/health").HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(http.StatusOK)
fmt.Fprintf(w, "ok")
})
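Review bot: With `csrfHandler` removed, nothing in routes() applies CSRF protection any more, and `/sign` at `a.router.Methods("POST").Path("/sign")` remains a POST outside both `a.authed` and any CSRF check; that route was already unprotected before this change, but the router now has no CSRF layer at all, so a future authed POST route would be unprotected by default unless someone remembers to add one. A one-line comment at the top of routes() would make that explicit, e.g. `// No CSRF middleware is applied here; any authed POST route added later needs one.`. Separately, the `/health` handler's `fmt.Fprintf(w, "ok")` has no format verbs, so `fmt.Fprint(w, "ok")` is the idiomatic form. routes() ends outside the hunk.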