Merge pull request 'Définition des claims amr et acr via la configuration' (#5) from acr_amr into develop

Reviewed-on: #5
Reviewed-by: Laurent Gourvenec <lgourvenec@cadoles.com>

.gitignore

@@ -1,2 +1,5 @@
 /bin
 /dist
+/tools
+/.trivy
+.mktools/

Dockerfile

@@ -3,7 +3,7 @@
 # This source code is licensed under the MIT license found in the
 # LICENSE file in the root directory of this source tree.
 
-FROM golang:1.13-alpine AS build
+FROM golang:1.21-alpine AS build
 
 ARG VERSION
 ARG GOPROXY

Jenkinsfile

@@ -1,50 +1,29 @@
 @Library('cadoles') _
 
-pipeline {
+// Utilisation du pipeline "standard"
-  agent {
+// Voir https://forge.cadoles.com/Cadoles/Jenkins/src/branch/master/doc/tutorials/standard-make-pipeline.md
-    dockerfile {
+standardMakePipeline([
-      label 'docker'
+    'dockerfileExtension': '''
-      filename 'Dockerfile'
+    RUN apt-get update \
-      dir 'misc/ci'
+        && apt-get install -y zip jq
-    }
-  }
 
-  stages {
+    RUN wget https://go.dev/dl/go1.21.5.linux-amd64.tar.gz \
-    stage('Build and publish packages') {
+        && rm -rf /usr/local/go \
-      when {
+        && tar -C /usr/local -xzf go1.21.5.linux-amd64.tar.gz
-        anyOf {
+
-          branch 'master'
+    ENV PATH="${PATH}:/usr/local/go/bin"
-          branch 'develop'
+    ''',
+    'hooks': [
+        'pre-release': {
+            // Login into docker registry
+            sh '''
+            make .mktools
+            echo "$MKT_GITEA_RELEASE_PASSWORD" | docker login --username "$MKT_GITEA_RELEASE_USERNAME" --password-stdin reg.cadoles.com
+            '''
         }
-      }
+    ],
-      steps {
+    // Use credentials to push images to registry and pubish gitea release
-        script {
+    'credentials': [
-          List<String> packagers = ['deb', 'rpm']
+        usernamePassword(credentialsId: 'kipp-credentials', usernameVariable: 'MKT_GITEA_RELEASE_USERNAME', passwordVariable: 'MKT_GITEA_RELEASE_PASSWORD')
-          packagers.each { pkgr ->
+    ]
-            sh "make NFPM_PACKAGER='${pkgr}' build package"
+])
-          }
-
-          List<String> attachments = sh(returnStdout: true, script: "find dist -type f -name '*.deb' -or -name '*.rpm' -or -name '*.ipk'").split(' ')
-          String releaseVersion = sh(returnStdout: true, script: "git describe --always | rev | cut -d '/' -f 1 | rev").trim()
-
-          String releaseBody = """
-          _Publication automatisée réalisée par Jenkins._ [Voir le job](${env.RUN_DISPLAY_URL})
-          """
-
-          gitea.release('forge-jenkins', 'Cadoles', 'hydra-werther', [
-            'attachments': attachments,
-            'body': releaseBody,
-            'releaseName': "${releaseVersion}",
-            'releaseVersion': "${releaseVersion}"
-          ])
-        }
-      }
-    }
-  }
-
-  post {
-    always {
-      cleanWs()
-    }
-  }
-}

Makefile

@@ -1,23 +1,86 @@
-PACKAGE_VERSION ?= $(shell git describe --always | rev | cut -d '/' -f 1 | rev)
+SHELL := /bin/bash
-NFPM_PACKAGER ?= deb
 
-build: clean generate
+IMAGE_NAME := reg.cadoles.com/cadoles/hydra-werther
+
+NFPM_VERSION ?= 2.20.0
+NFPM_PACKAGERS ?= deb rpm
+
+MKT_GITEA_RELEASE_ORG ?= Cadoles
+MKT_GITEA_RELEASE_PROJECT ?= hydra-werther
+MKT_GITEA_RELEASE_VERSION ?= $(MKT_PROJECT_VERSION)
+
+define MKT_GITEA_RELEASE_BODY
+## Docker usage
+
+```
+docker pull $(IMAGE_NAME):$(MKT_PROJECT_VERSION)
+```
+endef
+export MKT_GITEA_RELEASE_BODY
+
+build: build-bin build-image
+
+build-bin: clean generate
 	CGO_ENABLED=0 misc/script/build
 
+test: scan
+
 generate:
 	go generate ./...
 
 clean:
-	rm -rf bin
+	rm -rf bin dist
-
-package: dist
-	PACKAGE_VERSION=$(PACKAGE_VERSION) \
-	nfpm package \
-		--config misc/packaging/nfpm.yml \
-		--target ./dist \
-		--packager $(NFPM_PACKAGER)
 
 dist:
 	mkdir -p dist
 
-.PHONY: build
+package: clean build-bin $(foreach p,$(NFPM_PACKAGERS), package-$(p))
+
+package-%: dist tools/nfpm/bin/nfpm
+	PACKAGE_VERSION=$(MKT_PROJECT_VERSION) \
+		tools/nfpm/bin/nfpm package \
+			--config misc/packaging/nfpm.yml \
+			--target ./dist \
+			--packager $*
+
+tools/nfpm/bin/nfpm:
+	mkdir -p tools/nfpm/bin
+	curl -L --output tools/nfpm/nfpm_$(NFPM_VERSION)_Linux_x86_64.tar.gz https://github.com/goreleaser/nfpm/releases/download/v$(NFPM_VERSION)/nfpm_$(NFPM_VERSION)_Linux_x86_64.tar.gz \
+        && tar -xzf tools/nfpm/nfpm_$(NFPM_VERSION)_Linux_x86_64.tar.gz -C tools/nfpm/bin \
+        && chmod +x tools/nfpm/bin/nfpm \
+		&& rm -f tools/nfpm/nfpm_$(NFPM_VERSION)_Linux_x86_64.tar.gz
+
+build-image:
+	docker build \
+		-t "${IMAGE_NAME}:latest" \
+		.	
+
+scan: build-image tools/trivy/bin/trivy
+	mkdir -p .trivy
+	tools/trivy/bin/trivy --cache-dir .trivy/.cache image --ignorefile .trivyignore.yaml $(TRIVY_ARGS) $(IMAGE_NAME):latest
+	
+tools/trivy/bin/trivy:
+	mkdir -p tools/trivy/bin
+	curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.47.0
+
+release: release-image release-gitea
+
+release-gitea: .mktools package
+	@[ ! -z "$(MKT_PROJECT_VERSION)" ] || ( echo "Just downloaded mktools. Please re-run command."; exit 1 )
+	$(MAKE) MKT_GITEA_RELEASE_ATTACHMENTS="$$(find dist/* -type f -printf '%p ')" mkt-gitea-release
+
+release-image: .mktools
+	@[ ! -z "$(MKT_PROJECT_VERSION)" ] || ( echo "Just downloaded mktools. Please re-run command."; exit 1 )
+	docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_VERSION)"
+	docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_SHORT_VERSION)"
+	docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_VERSION_CHANNEL)-latest"
+	
+	docker push "${IMAGE_NAME}:$(MKT_PROJECT_VERSION)"
+	docker push "${IMAGE_NAME}:$(MKT_PROJECT_SHORT_VERSION)"
+	docker push "${IMAGE_NAME}:$(MKT_PROJECT_VERSION_CHANNEL)-latest"
+
+.mktools:
+	rm -rf .mktools
+	curl -q https://forge.cadoles.com/Cadoles/mktools/raw/branch/master/install.sh | TASKS="version gitea" $(SHELL)
+
+-include .mktools/*.mk

conf/hydra-werther.conf

@@ -125,7 +125,19 @@ WERTHER_LDAP_ROLE_BASEDN=ou=groups,dc=myorg,dc=com
   # [required]
 
 # WERTHER_INSECURE_SKIP_VERIFY=
-#   [description] Disable TLS verification on Hydra connection
+  #   [description] Disable TLS verification on Hydra connection
-#   [type]        True or False
+  #   [type]        True or False
-#   [default]     false
+  #   [default]     false
-#   [required]
+  #   [required]
+
+# WERTHER_IDENTP_AMR=
+  # [description] Authentication Method Reference Values
+  # [type]        Comma-separated list of String
+  # [default]     
+  # [required]   false
+
+# WERTHER_IDENTP_ACR=
+  # [description] Authentication Context Class Reference
+  # [type]        String
+  # [default]     
+  # [required]   false

go.mod

@@ -1,11 +1,8 @@
 module github.com/i-core/werther
 
 require (
-	github.com/OneOfOne/xxhash v1.2.2 // indirect
 	github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883
-	github.com/cespare/xxhash v1.0.0 // indirect
 	github.com/coocood/freecache v1.0.1
-	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elazarl/go-bindata-assetfs v1.0.0
 	github.com/go-ldap/ldap/v3 v3.2.3
 	github.com/i-core/rlog v1.0.0
@@ -14,10 +11,24 @@ require (
 	github.com/kelseyhightower/envconfig v1.3.0
 	github.com/kevinburke/go-bindata v3.13.0+incompatible
 	github.com/pkg/errors v0.8.1
-	github.com/sergi/go-diff v1.0.0 // indirect
-	github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72 // indirect
 	go.uber.org/zap v1.10.0
 	golang.org/x/text v0.3.2
 )
 
-go 1.13
+require (
+	github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect
+	github.com/OneOfOne/xxhash v1.2.2 // indirect
+	github.com/cespare/xxhash v1.0.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.1 // indirect
+	github.com/gofrs/uuid v3.2.0+incompatible // indirect
+	github.com/julienschmidt/httprouter v1.2.0 // indirect
+	github.com/justinas/alice v0.0.0-20171023064455-03f45bd4b7da // indirect
+	github.com/sergi/go-diff v1.0.0 // indirect
+	github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72 // indirect
+	go.uber.org/atomic v1.4.0 // indirect
+	go.uber.org/multierr v1.1.0 // indirect
+	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 // indirect
+)
+
+go 1.21

internal/hydra/login.go

@@ -16,11 +16,13 @@ type LoginReqDoer struct {
 	hydraURL           string
 	fakeTLSTermination bool
 	rememberFor        int
+	acr                string
+	amr                []string
 }
 
 // NewLoginReqDoer creates a LoginRequest.
-func NewLoginReqDoer(hydraURL string, fakeTLSTermination bool, rememberFor int) *LoginReqDoer {
+func NewLoginReqDoer(hydraURL string, fakeTLSTermination bool, rememberFor int, acr string, amr []string) *LoginReqDoer {
-	return &LoginReqDoer{hydraURL: hydraURL, fakeTLSTermination: fakeTLSTermination, rememberFor: rememberFor}
+	return &LoginReqDoer{hydraURL: hydraURL, fakeTLSTermination: fakeTLSTermination, rememberFor: rememberFor, acr: acr, amr: amr}
 }
 
 // InitiateRequest fetches information on the OAuth2 request.
@@ -32,13 +34,17 @@ func (lrd *LoginReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
 // AcceptLoginRequest accepts the requested authentication process, and returns redirect URI.
 func (lrd *LoginReqDoer) AcceptLoginRequest(challenge string, remember bool, subject string) (string, error) {
 	data := struct {
-		Remember    bool   `json:"remember"`
+		Remember    bool     `json:"remember"`
-		RememberFor int    `json:"remember_for"`
+		RememberFor int      `json:"remember_for"`
-		Subject     string `json:"subject"`
+		Subject     string   `json:"subject"`
+		ACR         string   `json:"acr,omitempty"`
+		AMR         []string `json:"amr,omitempty"`
 	}{
 		Remember:    remember,
 		RememberFor: lrd.rememberFor,
 		Subject:     subject,
+		ACR:         lrd.acr,
+		AMR:         lrd.amr,
 	}
 	redirectURI, err := acceptRequest(login, lrd.hydraURL, lrd.fakeTLSTermination, challenge, data)
 	return redirectURI, errors.Wrap(err, "failed to accept login request")

internal/hydra/login_test.go

@@ -60,7 +60,7 @@ func TestInitiateLoginRequest(t *testing.T) {
 			h := &testInitiateLoginHandler{reqInfo: tc.reqInfo, status: tc.status}
 			srv := httptest.NewServer(h)
 			defer srv.Close()
-			ldr := hydra.NewLoginReqDoer(srv.URL, false, 0)
+			ldr := hydra.NewLoginReqDoer(srv.URL, false, 0, "", nil)
 
 			reqInfo, err := ldr.InitiateRequest(tc.challenge)
 
@@ -160,7 +160,7 @@ func TestAcceptLoginRequest(t *testing.T) {
 			h := &testAcceptLoginHandler{challenge: tc.challenge, status: tc.status, redirect: tc.redirect}
 			srv := httptest.NewServer(h)
 			defer srv.Close()
-			ldr := hydra.NewLoginReqDoer(srv.URL, false, tc.rememberFor)
+			ldr := hydra.NewLoginReqDoer(srv.URL, false, tc.rememberFor, "", nil)
 
 			redirect, err := ldr.AcceptLoginRequest(tc.challenge, tc.remember, tc.subject)
 

internal/identp/identp.go

@@ -32,6 +32,8 @@ type Config struct {
 	SessionTTL         time.Duration     `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
 	ClaimScopes        map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
 	FakeTLSTermination bool              `envconfig:"fake_tls_termination" default:"false" desc:"Fake tls termination by adding \"X-Forwarded-Proto: https\" to http headers "`
+	ACR                string            `envconfig:"acr" desc:"Authorization Context Class Reference"`
+	AMR                []string          `envconfig:"amr" desc:"Authentication Method References"`
 }
 
 // UserManager is an interface that is used for authentication and providing user's claims.
@@ -85,8 +87,8 @@ func NewHandler(cnf Config, um UserManager, tr TemplateRenderer) *Handler {
 // AddRoutes registers all required routes for Login & Consent Provider.
 func (h *Handler) AddRoutes(apply func(m, p string, h http.Handler, mws ...func(http.Handler) http.Handler)) {
 	sessionTTL := int(h.SessionTTL.Seconds())
-	apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, 0), h.tr))
+	apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, 0, h.ACR, h.AMR), h.tr))
-	apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.tr))
+	apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL, h.ACR, h.AMR), h.um, h.tr))
 	apply(http.MethodGet, "/consent", newConsentHandler(hydra.NewConsentReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.ClaimScopes))
 	apply(http.MethodGet, "/logout", newLogoutHandler(hydra.NewLogoutReqDoer(h.HydraURL, h.FakeTLSTermination)))
 }

misc/ci/Dockerfile

@@ -1,9 +0,0 @@
-FROM alpine:3.16
-
-RUN apk add --no-cache make git curl jq bash openssl go zip
-
-RUN curl -k https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash
-
-RUN wget https://github.com/goreleaser/nfpm/releases/download/v2.20.0/nfpm_2.20.0_Linux_x86_64.tar.gz \
-    && tar -xzf nfpm_2.20.0_Linux_x86_64.tar.gz -C /usr/local/bin \
-    && chmod +x /usr/local/bin/nfpm

misc/packaging/nfpm.yml

@@ -10,6 +10,7 @@ description: |
 vendor: "Cadoles"
 homepage: "https://forge.cadoles.com/Cadoles/postgres-backup"
 license: "AGPL-3.0"
+version_schema: none
 contents:
   - src: bin/werther_linux_amd64
     dst: /usr/bin/hydra-werther