.gitignore

@@ -1,5 +1,2 @@
 /bin
-/dist
-/tools
-/.trivy
-.mktools/
+/dist

Dockerfile

@@ -3,7 +3,7 @@
 # This source code is licensed under the MIT license found in the
 # LICENSE file in the root directory of this source tree.
 
-FROM golang:1.21-alpine AS build
+FROM golang:1.13-alpine AS build
 
 ARG VERSION
 ARG GOPROXY

Jenkinsfile

@@ -1,29 +1,50 @@
 @Library('cadoles') _
 
-// Utilisation du pipeline "standard"
-// Voir https://forge.cadoles.com/Cadoles/Jenkins/src/branch/master/doc/tutorials/standard-make-pipeline.md
-standardMakePipeline([
-    'dockerfileExtension': '''
-    RUN apt-get update \
-        && apt-get install -y zip jq
+pipeline {
+  agent {
+    dockerfile {
+      label 'docker'
+      filename 'Dockerfile'
+      dir 'misc/ci'
+    }
+  }
 
-    RUN wget https://go.dev/dl/go1.21.5.linux-amd64.tar.gz \
-        && rm -rf /usr/local/go \
-        && tar -C /usr/local -xzf go1.21.5.linux-amd64.tar.gz
-
-    ENV PATH="${PATH}:/usr/local/go/bin"
-    ''',
-    'hooks': [
-        'pre-release': {
-            // Login into docker registry
-            sh '''
-            make .mktools
-            echo "$MKT_GITEA_RELEASE_PASSWORD" | docker login --username "$MKT_GITEA_RELEASE_USERNAME" --password-stdin reg.cadoles.com
-            '''
+  stages {
+    stage('Build and publish packages') {
+      when {
+        anyOf {
+          branch 'master'
+          branch 'develop'
         }
-    ],
-    // Use credentials to push images to registry and pubish gitea release
-    'credentials': [
-        usernamePassword(credentialsId: 'kipp-credentials', usernameVariable: 'MKT_GITEA_RELEASE_USERNAME', passwordVariable: 'MKT_GITEA_RELEASE_PASSWORD')
-    ]
-])
+      }
+      steps {
+        script {
+          List<String> packagers = ['deb', 'rpm']
+          packagers.each { pkgr ->
+            sh "make NFPM_PACKAGER='${pkgr}' build package"
+          }
+
+          List<String> attachments = sh(returnStdout: true, script: "find dist -type f -name '*.deb' -or -name '*.rpm' -or -name '*.ipk'").split(' ')
+          String releaseVersion = sh(returnStdout: true, script: "git describe --always | rev | cut -d '/' -f 1 | rev").trim()
+
+          String releaseBody = """
+          _Publication automatisée réalisée par Jenkins._ [Voir le job](${env.RUN_DISPLAY_URL})
+          """
+
+          gitea.release('forge-jenkins', 'Cadoles', 'hydra-werther', [
+            'attachments': attachments,
+            'body': releaseBody,
+            'releaseName': "${releaseVersion}",
+            'releaseVersion': "${releaseVersion}"
+          ])
+        }
+      }
+    }
+  }
+
+  post {
+    always {
+      cleanWs()
+    }
+  }
+}

Makefile

@@ -1,86 +1,23 @@
-SHELL := /bin/bash
+PACKAGE_VERSION ?= $(shell git describe --always | rev | cut -d '/' -f 1 | rev)
+NFPM_PACKAGER ?= deb
 
-IMAGE_NAME := reg.cadoles.com/cadoles/hydra-werther
-
-NFPM_VERSION ?= 2.20.0
-NFPM_PACKAGERS ?= deb rpm
-
-MKT_GITEA_RELEASE_ORG ?= Cadoles
-MKT_GITEA_RELEASE_PROJECT ?= hydra-werther
-MKT_GITEA_RELEASE_VERSION ?= $(MKT_PROJECT_VERSION)
-
-define MKT_GITEA_RELEASE_BODY
-## Docker usage
-
-```
-docker pull $(IMAGE_NAME):$(MKT_PROJECT_VERSION)
-```
-endef
-export MKT_GITEA_RELEASE_BODY
-
-build: build-bin build-image
-
-build-bin: clean generate
+build: clean generate
 	CGO_ENABLED=0 misc/script/build
 
-test: scan
-
 generate:
 	go generate ./...
 
 clean:
-	rm -rf bin dist
+	rm -rf bin
+
+package: dist
+	PACKAGE_VERSION=$(PACKAGE_VERSION) \
+	nfpm package \
+		--config misc/packaging/nfpm.yml \
+		--target ./dist \
+		--packager $(NFPM_PACKAGER)
 
 dist:
 	mkdir -p dist
 
-package: clean build-bin $(foreach p,$(NFPM_PACKAGERS), package-$(p))
-
-package-%: dist tools/nfpm/bin/nfpm
-	PACKAGE_VERSION=$(MKT_PROJECT_VERSION) \
-		tools/nfpm/bin/nfpm package \
-			--config misc/packaging/nfpm.yml \
-			--target ./dist \
-			--packager $*
-
-tools/nfpm/bin/nfpm:
-	mkdir -p tools/nfpm/bin
-	curl -L --output tools/nfpm/nfpm_$(NFPM_VERSION)_Linux_x86_64.tar.gz https://github.com/goreleaser/nfpm/releases/download/v$(NFPM_VERSION)/nfpm_$(NFPM_VERSION)_Linux_x86_64.tar.gz \
-        && tar -xzf tools/nfpm/nfpm_$(NFPM_VERSION)_Linux_x86_64.tar.gz -C tools/nfpm/bin \
-        && chmod +x tools/nfpm/bin/nfpm \
-		&& rm -f tools/nfpm/nfpm_$(NFPM_VERSION)_Linux_x86_64.tar.gz
-
-build-image:
-	docker build \
-		-t "${IMAGE_NAME}:latest" \
-		.	
-
-scan: build-image tools/trivy/bin/trivy
-	mkdir -p .trivy
-	tools/trivy/bin/trivy --cache-dir .trivy/.cache image --ignorefile .trivyignore.yaml $(TRIVY_ARGS) $(IMAGE_NAME):latest
-	
-tools/trivy/bin/trivy:
-	mkdir -p tools/trivy/bin
-	curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.47.0
-
-release: release-image release-gitea
-
-release-gitea: .mktools package
-	@[ ! -z "$(MKT_PROJECT_VERSION)" ] || ( echo "Just downloaded mktools. Please re-run command."; exit 1 )
-	$(MAKE) MKT_GITEA_RELEASE_ATTACHMENTS="$$(find dist/* -type f -printf '%p ')" mkt-gitea-release
-
-release-image: .mktools
-	@[ ! -z "$(MKT_PROJECT_VERSION)" ] || ( echo "Just downloaded mktools. Please re-run command."; exit 1 )
-	docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_VERSION)"
-	docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_SHORT_VERSION)"
-	docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_VERSION_CHANNEL)-latest"
-	
-	docker push "${IMAGE_NAME}:$(MKT_PROJECT_VERSION)"
-	docker push "${IMAGE_NAME}:$(MKT_PROJECT_SHORT_VERSION)"
-	docker push "${IMAGE_NAME}:$(MKT_PROJECT_VERSION_CHANNEL)-latest"
-
-.mktools:
-	rm -rf .mktools
-	curl -q https://forge.cadoles.com/Cadoles/mktools/raw/branch/master/install.sh | TASKS="version gitea" $(SHELL)
-
--include .mktools/*.mk
+.PHONY: build

conf/hydra-werther.conf

@@ -125,19 +125,7 @@ WERTHER_LDAP_ROLE_BASEDN=ou=groups,dc=myorg,dc=com
   # [required]
 
 # WERTHER_INSECURE_SKIP_VERIFY=
-  #   [description] Disable TLS verification on Hydra connection
-  #   [type]        True or False
-  #   [default]     false
-  #   [required]
-
-# WERTHER_IDENTP_AMR=
-  # [description] Authentication Method Reference Values
-  # [type]        Comma-separated list of String
-  # [default]     
-  # [required]   false
-
-# WERTHER_IDENTP_ACR=
-  # [description] Authentication Context Class Reference
-  # [type]        String
-  # [default]     
-  # [required]   false
+#   [description] Disable TLS verification on Hydra connection
+#   [type]        True or False
+#   [default]     false
+#   [required]

go.mod

@@ -1,8 +1,11 @@
 module github.com/i-core/werther
 
 require (
+	github.com/OneOfOne/xxhash v1.2.2 // indirect
 	github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883
+	github.com/cespare/xxhash v1.0.0 // indirect
 	github.com/coocood/freecache v1.0.1
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elazarl/go-bindata-assetfs v1.0.0
 	github.com/go-ldap/ldap/v3 v3.2.3
 	github.com/i-core/rlog v1.0.0
@@ -11,24 +14,10 @@ require (
 	github.com/kelseyhightower/envconfig v1.3.0
 	github.com/kevinburke/go-bindata v3.13.0+incompatible
 	github.com/pkg/errors v0.8.1
+	github.com/sergi/go-diff v1.0.0 // indirect
+	github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72 // indirect
 	go.uber.org/zap v1.10.0
 	golang.org/x/text v0.3.2
 )
 
-require (
-	github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect
-	github.com/OneOfOne/xxhash v1.2.2 // indirect
-	github.com/cespare/xxhash v1.0.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/go-asn1-ber/asn1-ber v1.5.1 // indirect
-	github.com/gofrs/uuid v3.2.0+incompatible // indirect
-	github.com/julienschmidt/httprouter v1.2.0 // indirect
-	github.com/justinas/alice v0.0.0-20171023064455-03f45bd4b7da // indirect
-	github.com/sergi/go-diff v1.0.0 // indirect
-	github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72 // indirect
-	go.uber.org/atomic v1.4.0 // indirect
-	go.uber.org/multierr v1.1.0 // indirect
-	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 // indirect
-)
-
-go 1.21
+go 1.13

internal/hydra/login.go

@@ -16,13 +16,11 @@ type LoginReqDoer struct {
 	hydraURL           string
 	fakeTLSTermination bool
 	rememberFor        int
-	acr                string
-	amr                []string
 }
 
 // NewLoginReqDoer creates a LoginRequest.
-func NewLoginReqDoer(hydraURL string, fakeTLSTermination bool, rememberFor int, acr string, amr []string) *LoginReqDoer {
-	return &LoginReqDoer{hydraURL: hydraURL, fakeTLSTermination: fakeTLSTermination, rememberFor: rememberFor, acr: acr, amr: amr}
+func NewLoginReqDoer(hydraURL string, fakeTLSTermination bool, rememberFor int) *LoginReqDoer {
+	return &LoginReqDoer{hydraURL: hydraURL, fakeTLSTermination: fakeTLSTermination, rememberFor: rememberFor}
 }
 
 // InitiateRequest fetches information on the OAuth2 request.
@@ -34,17 +32,13 @@ func (lrd *LoginReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
 // AcceptLoginRequest accepts the requested authentication process, and returns redirect URI.
 func (lrd *LoginReqDoer) AcceptLoginRequest(challenge string, remember bool, subject string) (string, error) {
 	data := struct {
-		Remember    bool     `json:"remember"`
-		RememberFor int      `json:"remember_for"`
-		Subject     string   `json:"subject"`
-		ACR         string   `json:"acr,omitempty"`
-		AMR         []string `json:"amr,omitempty"`
+		Remember    bool   `json:"remember"`
+		RememberFor int    `json:"remember_for"`
+		Subject     string `json:"subject"`
 	}{
 		Remember:    remember,
 		RememberFor: lrd.rememberFor,
 		Subject:     subject,
-		ACR:         lrd.acr,
-		AMR:         lrd.amr,
 	}
 	redirectURI, err := acceptRequest(login, lrd.hydraURL, lrd.fakeTLSTermination, challenge, data)
 	return redirectURI, errors.Wrap(err, "failed to accept login request")

internal/hydra/login_test.go

@@ -60,7 +60,7 @@ func TestInitiateLoginRequest(t *testing.T) {
 			h := &testInitiateLoginHandler{reqInfo: tc.reqInfo, status: tc.status}
 			srv := httptest.NewServer(h)
 			defer srv.Close()
-			ldr := hydra.NewLoginReqDoer(srv.URL, false, 0, "", nil)
+			ldr := hydra.NewLoginReqDoer(srv.URL, false, 0)
 
 			reqInfo, err := ldr.InitiateRequest(tc.challenge)
 
@@ -160,7 +160,7 @@ func TestAcceptLoginRequest(t *testing.T) {
 			h := &testAcceptLoginHandler{challenge: tc.challenge, status: tc.status, redirect: tc.redirect}
 			srv := httptest.NewServer(h)
 			defer srv.Close()
-			ldr := hydra.NewLoginReqDoer(srv.URL, false, tc.rememberFor, "", nil)
+			ldr := hydra.NewLoginReqDoer(srv.URL, false, tc.rememberFor)
 
 			redirect, err := ldr.AcceptLoginRequest(tc.challenge, tc.remember, tc.subject)
 

internal/identp/identp.go

@@ -32,8 +32,6 @@ type Config struct {
 	SessionTTL         time.Duration     `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
 	ClaimScopes        map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
 	FakeTLSTermination bool              `envconfig:"fake_tls_termination" default:"false" desc:"Fake tls termination by adding \"X-Forwarded-Proto: https\" to http headers "`
-	ACR                string            `envconfig:"acr" desc:"Authorization Context Class Reference"`
-	AMR                []string          `envconfig:"amr" desc:"Authentication Method References"`
 }
 
 // UserManager is an interface that is used for authentication and providing user's claims.
@@ -87,8 +85,8 @@ func NewHandler(cnf Config, um UserManager, tr TemplateRenderer) *Handler {
 // AddRoutes registers all required routes for Login & Consent Provider.
 func (h *Handler) AddRoutes(apply func(m, p string, h http.Handler, mws ...func(http.Handler) http.Handler)) {
 	sessionTTL := int(h.SessionTTL.Seconds())
-	apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, 0, h.ACR, h.AMR), h.tr))
-	apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL, h.ACR, h.AMR), h.um, h.tr))
+	apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, 0), h.tr))
+	apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.tr))
 	apply(http.MethodGet, "/consent", newConsentHandler(hydra.NewConsentReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.ClaimScopes))
 	apply(http.MethodGet, "/logout", newLogoutHandler(hydra.NewLogoutReqDoer(h.HydraURL, h.FakeTLSTermination)))
 }

misc/ci/Dockerfile

@@ -0,0 +1,9 @@
+FROM alpine:3.16
+
+RUN apk add --no-cache make git curl jq bash openssl go zip
+
+RUN curl -k https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash
+
+RUN wget https://github.com/goreleaser/nfpm/releases/download/v2.20.0/nfpm_2.20.0_Linux_x86_64.tar.gz \
+    && tar -xzf nfpm_2.20.0_Linux_x86_64.tar.gz -C /usr/local/bin \
+    && chmod +x /usr/local/bin/nfpm

misc/packaging/nfpm.yml

@@ -10,7 +10,6 @@ description: |
 vendor: "Cadoles"
 homepage: "https://forge.cadoles.com/Cadoles/postgres-backup"
 license: "AGPL-3.0"
-version_schema: none
 contents:
   - src: bin/werther_linux_amd64
     dst: /usr/bin/hydra-werther