1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
package server
import (
"crypto/tls"
"fmt"
"log"
"net"
"github.com/pkg/errors"
"github.com/soheilhy/cmux"
"go4.org/wkfs"
"golang.org/x/crypto/acme/autocert"
wkfscache "github.com/nsheridan/autocert-wkfs-cache"
"github.com/nsheridan/cashier/server/auth"
"github.com/nsheridan/cashier/server/auth/github"
"github.com/nsheridan/cashier/server/auth/gitlab"
"github.com/nsheridan/cashier/server/auth/google"
"github.com/nsheridan/cashier/server/config"
"github.com/nsheridan/cashier/server/metrics"
"github.com/nsheridan/cashier/server/signer"
"github.com/nsheridan/cashier/server/store"
"github.com/sid77/drop"
)
var (
authprovider auth.Provider
certstore store.CertStorer
keysigner *signer.KeySigner
)
func loadCerts(certFile, keyFile string) (tls.Certificate, error) {
key, err := wkfs.ReadFile(keyFile)
if err != nil {
return tls.Certificate{}, errors.Wrap(err, "error reading TLS private key")
}
cert, err := wkfs.ReadFile(certFile)
if err != nil {
return tls.Certificate{}, errors.Wrap(err, "error reading TLS certificate")
}
return tls.X509KeyPair(cert, key)
}
// Run the HTTP and RPC servers.
func Run(conf *config.Config) {
var err error
keysigner, err = signer.New(conf.SSH)
if err != nil {
log.Fatal(err)
}
laddr := fmt.Sprintf("%s:%d", conf.Server.Addr, conf.Server.Port)
l, err := net.Listen("tcp", laddr)
if err != nil {
log.Fatal(errors.Wrapf(err, "unable to listen on %s:%d", conf.Server.Addr, conf.Server.Port))
}
tlsConfig := &tls.Config{}
if conf.Server.UseTLS {
if conf.Server.LetsEncryptServername != "" {
m := autocert.Manager{
Prompt: autocert.AcceptTOS,
Cache: wkfscache.Cache(conf.Server.LetsEncryptCache),
HostPolicy: autocert.HostWhitelist(conf.Server.LetsEncryptServername),
}
tlsConfig.GetCertificate = m.GetCertificate
} else {
if conf.Server.TLSCert == "" || conf.Server.TLSKey == "" {
log.Fatal("TLS cert or key not specified in config")
}
tlsConfig.Certificates = make([]tls.Certificate, 1)
tlsConfig.Certificates[0], err = loadCerts(conf.Server.TLSCert, conf.Server.TLSKey)
if err != nil {
log.Fatal(errors.Wrap(err, "unable to create TLS listener"))
}
}
l = tls.NewListener(l, tlsConfig)
}
if conf.Server.User != "" {
log.Print("Dropping privileges...")
if err := drop.DropPrivileges(conf.Server.User); err != nil {
log.Fatal(errors.Wrap(err, "unable to drop privileges"))
}
}
// Unprivileged section
metrics.Register()
switch conf.Auth.Provider {
case "google":
authprovider, err = google.New(conf.Auth)
case "github":
authprovider, err = github.New(conf.Auth)
case "gitlab":
authprovider, err = gitlab.New(conf.Auth)
default:
log.Fatalf("Unknown provider %s\n", conf.Auth.Provider)
}
if err != nil {
log.Fatal(errors.Wrapf(err, "unable to use provider '%s'", conf.Auth.Provider))
}
certstore, err = store.New(conf.Server.Database)
if err != nil {
log.Fatal(err)
}
log.Printf("Starting server on %s", laddr)
cm := cmux.New(l)
httpl := cm.Match(cmux.HTTP1Fast())
grpcl := cm.Match(cmux.HTTP2HeaderField("content-type", "application/grpc"))
go runHTTPServer(conf.Server, httpl)
go runGRPCServer(grpcl)
log.Fatal(cm.Serve())
}
|