Merge pull request 'Possibilité d'ignorer les vérifications TLS sur les connexions au service Hydra depuis la configuration' (#3) from feat/ssl-ignore into develop

Reviewed-on: #3

.gitignore

@@ -1 +1,2 @@
 /bin
+/dist

Jenkinsfile

@@ -0,0 +1,50 @@
+@Library('cadoles') _
+
+pipeline {
+  agent {
+    dockerfile {
+      label 'docker'
+      filename 'Dockerfile'
+      dir 'misc/ci'
+    }
+  }
+
+  stages {
+    stage('Build and publish packages') {
+      when {
+        anyOf {
+          branch 'master'
+          branch 'develop'
+        }
+      }
+      steps {
+        script {
+          List<String> packagers = ['deb', 'rpm']
+          packagers.each { pkgr ->
+            sh "make NFPM_PACKAGER='${pkgr}' build package"
+          }
+
+          List<String> attachments = sh(returnStdout: true, script: "find dist -type f -name '*.deb' -or -name '*.rpm' -or -name '*.ipk'").split(' ')
+          String releaseVersion = sh(returnStdout: true, script: "git describe --always | rev | cut -d '/' -f 1 | rev").trim()
+
+          String releaseBody = """
+          _Publication automatisée réalisée par Jenkins._ [Voir le job](${env.RUN_DISPLAY_URL})
+          """
+
+          gitea.release('forge-jenkins', 'Cadoles', 'hydra-werther', [
+            'attachments': attachments,
+            'body': releaseBody,
+            'releaseName': "${releaseVersion}",
+            'releaseVersion': "${releaseVersion}"
+          ])
+        }
+      }
+    }
+  }
+
+  post {
+    always {
+      cleanWs()
+    }
+  }
+}

Makefile

@@ -1,4 +1,23 @@
-build:
-	misc/script/build
+PACKAGE_VERSION ?= $(shell git describe --always | rev | cut -d '/' -f 1 | rev)
+NFPM_PACKAGER ?= deb
+
+build: clean generate
+	CGO_ENABLED=0 misc/script/build
+
+generate:
+	go generate ./...
+
+clean:
+	rm -rf bin
+
+package: dist
+	PACKAGE_VERSION=$(PACKAGE_VERSION) \
+	nfpm package \
+		--config misc/packaging/nfpm.yml \
+		--target ./dist \
+		--packager $(NFPM_PACKAGER)
+
+dist:
+	mkdir -p dist
 
 .PHONY: build

cmd/werther/main.go

@@ -14,6 +14,8 @@ import (
 	"net/url"
 	"os"
 
+	"crypto/tls"
+
 	"github.com/i-core/rlog"
 	"github.com/i-core/routegroup"
 	"github.com/i-core/werther/internal/identp"
@@ -30,8 +32,9 @@ var version = ""
 
 // Config is a server's configuration.
 type Config struct {
-	DevMode bool   `envconfig:"dev_mode" default:"false" desc:"a development mode"`
+	DevMode            bool   `envconfig:"dev_mode" default:"false" desc:"Enable development mode"`
 	Listen             string `default:":8080" desc:"a host and port to listen on (<host>:<port>)"`
+	InsecureSkipVerify bool   `envconfig:"insecure_skip_verify" default:"false" desc:"Disable TLS verification on Hydra connection"`
 	Identp             identp.Config
 	LDAP               ldapclient.Config
 	Web                web.Config
@@ -80,6 +83,11 @@ func main() {
 		os.Exit(1)
 	}
 
+	if cnf.InsecureSkipVerify {
+		log.Warn("All ssl verifications are disabled !")
+		http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	}
+
 	ldap := ldapclient.New(cnf.LDAP)
 
 	router := routegroup.NewRouter(nosurf.NewPure, rlog.NewMiddleware(log))

conf/hydra-werther.conf

@@ -117,3 +117,15 @@ WERTHER_LDAP_ROLE_BASEDN=ou=groups,dc=myorg,dc=com
   # [type]        String
   # [default]     /
   # [required]
+
+#WERTHER_LDAP_CONNECTION_TIMEOUT=
+  # [description] LDAP server connection timeout
+  # [type]        Duration
+  # [default]     60s
+  # [required]
+
+# WERTHER_INSECURE_SKIP_VERIFY=
+#   [description] Disable TLS verification on Hydra connection
+#   [type]        True or False
+#   [default]     false
+#   [required]

internal/hydra/hydra.go

@@ -26,6 +26,8 @@ var (
 	ErrChallengeNotFound = errors.New("challenge not found")
 	// ErrChallengeExpired is an error that happens when a challenge is already used.
 	ErrChallengeExpired = errors.New("challenge expired")
+	//ErrServiceUnavailable is an error that happens when the hydra admin service is unavailable
+	ErrServiceUnavailable = errors.New("hydra service unavailable")
 )
 
 type reqType string
@@ -52,6 +54,7 @@ func initiateRequest(typ reqType, hydraURL string, fakeTLSTermination bool, chal
 	if err != nil {
 		return nil, err
 	}
+
 	u, err := parseURL(hydraURL)
 	if err != nil {
 		return nil, err
@@ -145,6 +148,8 @@ func checkResponse(resp *http.Response) error {
 		return ErrChallengeNotFound
 	case 409:
 		return ErrChallengeExpired
+	case 503:
+		return ErrServiceUnavailable
 	default:
 		var rs struct {
 			Message string `json:"error"`

internal/identp/identp.go

@@ -11,6 +11,7 @@ package identp
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
@@ -127,7 +128,8 @@ func newLoginStartHandler(rproc oa2LoginReqProcessor, tmplRenderer TemplateRende
 				return
 			}
 			log.Infow("Failed to initiate an OAuth2 login request", zap.Error(err), "challenge", challenge)
-			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+			errMsg := fmt.Sprintf("%s - %s - %s", http.StatusText(http.StatusInternalServerError), err, errors.Cause(err))
+			http.Error(w, errMsg, http.StatusInternalServerError)
 			return
 		}
 		log.Infow("A login request is initiated", "challenge", challenge, "username", ri.Subject)
@@ -171,7 +173,7 @@ func newLoginEndHandler(ra oa2LoginReqAcceptor, auther authenticator, tmplRender
 		data := LoginTmplData{
 			CSRFToken: nosurf.Token(r),
 			Challenge: challenge,
-			LoginURL:  r.URL.String(),
+			LoginURL:  strings.TrimPrefix(r.URL.String(), "/"),
 		}
 
 		username, password := r.Form.Get("username"), r.Form.Get("password")

internal/ldapclient/ldapclient.go

@@ -61,6 +61,7 @@ type Config struct {
 	CacheSize         int               `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
 	CacheTTL          time.Duration     `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"`
 	IsTLS             bool              `envconfig:"is_tls" default:"false" desc:"should LDAP connection be established via TLS"`
+	ConnectionTimeout time.Duration     `envconfig:"connection_timeout" default:"60s" desc:"LDAP server connection timeout"`
 }
 
 // Client is a LDAP client (compatible with Active Directory).
@@ -80,6 +81,7 @@ func New(cnf Config) *Client {
 			RoleBaseDN:        cnf.RoleBaseDN,
 			IsTLS:             cnf.IsTLS,
 			RoleSearchQuery:   cnf.RoleSearchQuery,
+			ConnectionTimeout: cnf.ConnectionTimeout,
 		},
 		cache: freecache.NewCache(cnf.CacheSize * 1024),
 	}
@@ -193,7 +195,7 @@ func (cli *Client) FindOIDCClaims(ctx context.Context, username string) (map[str
 		return nil, err
 	}
 
-	roles := make(map[string]interface{})
+	roles := make([]map[string]interface{}, 0)
 	for _, entry := range entries {
 		roleDN, ok := entry["dn"].(string)
 		if !ok || roleDN == "" {
@@ -211,21 +213,8 @@ func (cli *Client) FindOIDCClaims(ctx context.Context, username string) (map[str
 		if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) {
 			panic("You should never see that")
 		}
-		// The DN without the role's base DN must contain a CN and OU
-		// where the CN is for uniqueness only, and the OU is an application id.
-		path := strings.Split(roleDN[:n-k-1], ",")
-		if len(path) != 2 {
-			log.Infow("A role's DN without the role's base DN must contain two nodes only",
-				"roleBaseDN", cli.RoleBaseDN, "roleDN", roleDN)
-			continue
-		}
-		appID := path[1][len("OU="):]
 
-		var appRoles []interface{}
-		if v := roles[appID]; v != nil {
-			appRoles = v.([]interface{})
-		}
-		roles[appID] = append(appRoles, entry[cli.RoleAttr])
+		roles = append(roles, entry)
 	}
 	claims[cli.RoleClaim] = roles
 
@@ -309,10 +298,11 @@ type ldapConnector struct {
 	IsTLS             bool
 	UserSearchQuery   string
 	RoleSearchQuery   string
+	ConnectionTimeout time.Duration
 }
 
 func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) {
-	d := net.Dialer{Timeout: ldap.DefaultTimeout}
+	d := net.Dialer{Timeout: c.ConnectionTimeout}
 	tcpcn, err := d.DialContext(ctx, "tcp", addr)
 	if err != nil {
 		return nil, err

misc/ci/Dockerfile

@@ -0,0 +1,9 @@
+FROM alpine:3.16
+
+RUN apk add --no-cache make git curl jq bash openssl go zip
+
+RUN curl -k https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash
+
+RUN wget https://github.com/goreleaser/nfpm/releases/download/v2.20.0/nfpm_2.20.0_Linux_x86_64.tar.gz \
+    && tar -xzf nfpm_2.20.0_Linux_x86_64.tar.gz -C /usr/local/bin \
+    && chmod +x /usr/local/bin/nfpm

misc/packaging/nfpm.yml

@@ -0,0 +1,21 @@
+name: "hydra-werther"
+arch: "amd64"
+platform: "linux"
+version: "${PACKAGE_VERSION}"
+section: "default"
+priority: "extra"
+maintainer: "Cadoles <contact@cadoles.com>"
+description: |
+  PostgreSQL automated backup scripts
+vendor: "Cadoles"
+homepage: "https://forge.cadoles.com/Cadoles/postgres-backup"
+license: "AGPL-3.0"
+contents:
+  - src: bin/werther_linux_amd64
+    dst: /usr/bin/hydra-werther
+  - src: conf/hydra-werther.conf
+    dst: /etc/hydra-werther/hydra-werther.conf
+  - src: misc/packaging/systemd/hydra-werther.service
+    dst: /usr/lib/systemd/system/hydra-werther.service
+
+    

misc/packaging/systemd/hydra-werther.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Run Hydra Werther login/consent/logout app
+After=network-online.target
+
+[Service]
+Type=simple
+EnvironmentFile=/etc/hydra-werther/hydra-werther.conf
+ExecStart=/usr/bin/hydra-werther
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

misc/script/build

@@ -18,4 +18,4 @@ do
     fi
 done
 
-(cd bin && sha256sum *.{tar.gz,zip} > werther_checksums.txt)
+(cd bin && sha256sum *.{tar.gz,zip} > werther_checksums.txt || exit 0)