web: include UI fonts to the static

YAML needed additional indenting for it to work with docker compose, also the "-c" flag is required.

.travis.yml

@@ -17,7 +17,7 @@ cache:
     - "$GOPATH/pkg/mod"
     - "$GOPATH/bin"
 
-install: "(cd $HOME && go get -v github.com/golangci/golangci-lint/cmd/golangci-lint@v1.16.0)"
+install: curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.16.0
 
 script:
   - go test -v -coverprofile=coverage.txt ./...

Dockerfile

@@ -3,7 +3,7 @@
 # This source code is licensed under the MIT license found in the
 # LICENSE file in the root directory of this source tree.
 
-FROM golang:1.12-alpine AS build
+FROM golang:1.13-alpine AS build
 
 ARG VERSION
 ARG GOPROXY

README.md

@@ -98,6 +98,15 @@ of the user role's claim `https://github.com/i-core/werther/claims/roles`.
 ```
 
 To customize the roles claim's name you should set a value of the environment variable `WERTHER_LDAP_ROLE_CLAIM`.
+Also you should map the custom name of the roles' claim to a roles's scope using the environment variable
+`WERTHER_IDENTP_CLAIM_SCOPES` (the name must be [URL encoded][uri-spec-encoding]):
+
+```bash
+env WERTHER_LDAP_ROLE_CLAIM=https://my-company.com/claims/roles                                                                                     \
+    WERTHER_IDENTP_CLAIM_SCOPES=name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fmy-company.com%2Fclaims%2Froles:roles \
+    werther
+```
+
 For more details about claims naming see [OpenID Connect Core 1.0][oidc-spec-additional-claims].
 
 **NB** There are cases when we need to create several roles with the same name in LDAP.
@@ -233,6 +242,11 @@ For a full example of a login page's template see [source code](internal/web/tem
                     condition: none
             depends_on:
                 - hydra
+            healthcheck:
+                test: ["CMD", "curl", "-f", "http://hydra:4445"]
+                interval: 10s
+                timeout: 10s
+                retries: 10
         hydra:
             image: oryd/hydra:v1.0.0-rc.12
             environment:
@@ -290,7 +304,7 @@ For a full example of a login page's template see [source code](internal/web/tem
 
 3. Run the command:
     ```bash
-    docker stack deploy docker-compose.yml auth
+    docker stack deploy -c docker-compose.yml auth
     ```
 
 4. Open the browser with http://localhost:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile%20email&state=12345678.
@@ -348,3 +362,5 @@ The code in this project is licensed under [MIT license][license].
 [oidc-spec-session]: https://openid.net/specs/openid-connect-session-1_0.html
 [oidc-spec-front-channel-logout]: https://openid.net/specs/openid-connect-frontchannel-1_0.html
 [oidc-spec-back-channel-logout]: https://openid.net/specs/openid-connect-backchannel-1_0.html
+
+[uri-spec-encoding]: https://tools.ietf.org/html/rfc3986#section-2

cmd/werther/main.go

@@ -11,6 +11,7 @@ import (
 	"flag"
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"
 
 	"github.com/i-core/rlog"
@@ -58,6 +59,10 @@ func main() {
 		fmt.Fprintf(os.Stderr, "Invalid configuration: %s\n", err)
 		os.Exit(1)
 	}
+	if _, ok := cnf.Identp.ClaimScopes[url.QueryEscape(cnf.LDAP.RoleClaim)]; !ok {
+		fmt.Fprintf(os.Stderr, "Roles claim %q has no mapping to an OpenID Connect scope\n", cnf.LDAP.RoleClaim)
+		os.Exit(1)
+	}
 
 	logFunc := zap.NewProduction
 	if cnf.DevMode {

go.mod

@@ -19,3 +19,5 @@ require (
 	gopkg.in/asn1-ber.v1 v1.0.0-20170511165959-379148ca0225 // indirect
 	gopkg.in/ldap.v2 v2.5.1
 )
+
+go 1.13

internal/identp/identp.go

@@ -29,7 +29,7 @@ const loginTmplName = "login.tmpl"
 type Config struct {
 	HydraURL    string            `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
 	SessionTTL  time.Duration     `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
-	ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,http%3A%2F%2Ffithub.com%2Fi-core.ru%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
+	ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
 }
 
 // UserManager is an interface that is used for authentication and providing user's claims.

internal/ldapclient/ldapclient.go

@@ -9,6 +9,7 @@ package ldapclient
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net"
@@ -57,6 +58,7 @@ type Config struct {
 	RoleClaim  string            `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
 	CacheSize  int               `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
 	CacheTTL   time.Duration     `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"`
+	IsTLS      bool              `envconfig:"is_tls" default:"false" desc:"should LDAP connection be established via TLS"`
 }
 
 // Client is a LDAP client (compatible with Active Directory).
@@ -70,7 +72,7 @@ type Client struct {
 func New(cnf Config) *Client {
 	return &Client{
 		Config:    cnf,
-		connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN},
+		connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN, IsTLS: cnf.IsTLS},
 		cache:     freecache.NewCache(cnf.CacheSize * 1024),
 	}
 }
@@ -296,6 +298,7 @@ func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string
 type ldapConnector struct {
 	BaseDN     string
 	RoleBaseDN string
+	IsTLS      bool
 }
 
 func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) {
@@ -304,7 +307,17 @@ func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error)
 	if err != nil {
 		return nil, err
 	}
-	ldapcn := ldap.NewConn(tcpcn, false)
+
+	if c.IsTLS {
+		tlscn, err := tls.DialWithDialer(&d, "tcp", addr, nil)
+		if err != nil {
+			return nil, err
+		}
+		tcpcn = tlscn
+	}
+
+	ldapcn := ldap.NewConn(tcpcn, c.IsTLS)
+
 	ldapcn.Start()
 	return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, RoleBaseDN: c.RoleBaseDN}, nil
 }
@@ -331,7 +344,10 @@ func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string]interf
 }
 
 func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error) {
-	query := fmt.Sprintf("(&(objectClass=group)(member=%s))", user)
+	query := fmt.Sprintf("(|"+
+		"(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))"+
+		"(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s))"+
+		")", user)
 	return c.searchEntries(c.RoleBaseDN, query, attrs)
 }
 

internal/web/templates/static/style.css

@@ -1,4 +1,40 @@
-@import url(https://fonts.googleapis.com/css?family=Roboto:300);
+/* cyrillic-ext */
+@font-face {
+    font-family: 'Roboto';
+    font-style: normal;
+    font-weight: 400;
+    src: local('Roboto Light'), local('Roboto-Light'), url('./fonts/Roboto-Light.ttf') format('ttf'),
+        url('./fonts/Roboto-Light.woff') format('woff'), url('./fonts/Roboto-Light.woff2') format('woff2');
+    unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
+}
+/* cyrillic */
+@font-face {
+    font-family: 'Roboto';
+    font-style: normal;
+    font-weight: 400;
+    src: local('Roboto Light'), local('Roboto-Light'), url('./fonts/Roboto-Light.ttf') format('ttf'),
+        url('./fonts/Roboto-Light.woff') format('woff'), url('./fonts/Roboto-Light.woff2') format('woff2');
+    unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
+}
+/* latin-ext */
+@font-face {
+    font-family: 'Roboto';
+    font-style: normal;
+    font-weight: 400;
+    src: local('Roboto Light'), local('Roboto-Light'), url('./fonts/Roboto-Light.ttf') format('ttf'),
+        url('./fonts/Roboto-Light.woff') format('woff'), url('./fonts/Roboto-Light.woff2') format('woff2');
+    unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
+}
+/* latin */
+@font-face {
+    font-family: 'Roboto';
+    font-style: normal;
+    font-weight: 400;
+    src: local('Roboto Light'), local('Roboto-Light'), url('./fonts/Roboto-Light.ttf') format('ttf'),
+        url('./fonts/Roboto-Light.woff') format('woff'), url('./fonts/Roboto-Light.woff2') format('woff2');
+    unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC,
+        U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
+}
 
 html {
   box-sizing: border-box;