commit 7497c6617c4840b56ef4453370dabb8acd3fa8f9 Author: William Petit Date: Wed Nov 15 20:38:25 2023 +0100 feat: initial commit diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..7718fe8 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,5 @@ +/release +/data +/bin +/.vscode +/.env \ No newline at end of file diff --git a/.env.dist b/.env.dist new file mode 100644 index 0000000..e69de29 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c112e61 --- /dev/null +++ b/.gitignore @@ -0,0 +1,6 @@ +/release +/data +/bin +/.vscode +/.env +/tools \ No newline at end of file diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..b69f739 --- /dev/null +++ b/Makefile @@ -0,0 +1,64 @@ +SHELL := /bin/bash +DOCKER_IMAGE_NAME ?= reg.cadoles.com/wpetit/hydra-webauthn + +build: + CGO_ENABLED=0 go build -v -o bin/server ./cmd/server + +test: + go test -v -race ./... + +tidy: + go mod tidy + +watch: tools/modd/bin/modd .env + ( set -o allexport && source .env && set +o allexport && tools/modd/bin/modd ) + +.env: + cp .env.dist .env + +lint: + golangci-lint run --enable-all + +up: + docker-compose up --build + +down: + docker-compose down -v --remove-orphans + rm -rf data/storage.sqlite* + +docker-build: + docker build \ + --build-arg="HTTP_PROXY=$(HTTP_PROXY)" \ + --build-arg="HTTPS_PROXY=${HTTP_PROXY}" \ + --build-arg="https_proxy=${https_proxy}" \ + --build-arg="http_proxy=${http_proxy}" \ + -t hydra-webauthn:latest \ + -f ./misc/docker/Dockerfile \ + . + +docker-run: + docker run \ + -it --rm \ + -p 3000:3000 \ + hydra-webauthn:latest + +docker-release: docker-build + docker image tag hydra-webauthn:latest $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) + docker image tag hydra-webauthn:latest $(DOCKER_IMAGE_NAME):latest + docker login + docker push $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) + docker push $(DOCKER_IMAGE_NAME):latest + +clean: + rm -rf release + rm -rf data + rm -rf bin + +release: + @$(SHELL) ./misc/script/release.sh + +.PHONY: lint watch build tidy release + +tools/modd/bin/modd: + mkdir -p tools/modd/bin + GOBIN=$(PWD)/tools/modd/bin go install github.com/cortesi/modd/cmd/modd@latest \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..424ce45 --- /dev/null +++ b/README.md @@ -0,0 +1,20 @@ +# hydra-webauthn + +["Login & Consent App"](https://www.ory.sh/hydra/docs/login-consent-flow/) pour le serveur d'authentification OpenID Connect [Hydra](https://www.ory.sh/hydra/). + +Ce middleware permet une authentification de type "[webauthn](https://webauthn.io/)". + +## Démarrer avec les sources + +```shell +# Requires Go 1.21 and docker-compose +make watch +``` + +### URLs + +|URL|Description| +|---|-----------| +|http://localhost:4444/|Points d'entrée OIDC Hydra| +|http://localhost:4445/|API d'administration Hydra| +|http://localhost:3000/|Middleware Hydra hydra-webauthn (Voir ["Hydra- Login & Consent App"](https://www.ory.sh/hydra/docs/login-consent-flow/)) \ No newline at end of file diff --git a/cmd/server/container.go b/cmd/server/container.go new file mode 100644 index 0000000..522d3d5 --- /dev/null +++ b/cmd/server/container.go @@ -0,0 +1,178 @@ +package main + +import ( + "encoding/base64" + "encoding/json" + "log" + "net/http" + + "gitlab.com/wpetit/goweb/template/html" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/config" + "forge.cadoles.com/wpetit/hydra-webauthn/internal/hydra" + "forge.cadoles.com/wpetit/hydra-webauthn/internal/storage" + "forge.cadoles.com/wpetit/hydra-webauthn/internal/storage/sqlite" + "forge.cadoles.com/wpetit/hydra-webauthn/internal/webauthn" + + gotemplate "html/template" + + "github.com/gorilla/sessions" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/service" + "gitlab.com/wpetit/goweb/service/build" + "gitlab.com/wpetit/goweb/service/session" + "gitlab.com/wpetit/goweb/service/template" + "gitlab.com/wpetit/goweb/session/gorilla" +) + +func getServiceContainer(conf *config.Config) (*service.Container, error) { + // Initialize and configure service container + ctn := service.NewContainer() + + ctn.Provide(build.ServiceName, build.ServiceProvider(ProjectVersion, GitRef, BuildDate)) + + // Generate random cookie authentication key if none is set + if conf.HTTP.CookieAuthenticationKey == "" { + log.Println("could not find cookie authentication key. generating one...") + + cookieAuthenticationKey, err := gorilla.GenerateRandomBytes(64) + if err != nil { + return nil, errors.Wrap(err, "could not generate cookie authentication key") + } + + conf.HTTP.CookieAuthenticationKey = string(cookieAuthenticationKey) + } + + // Generate random cookie encryption key if none is set + if conf.HTTP.CookieEncryptionKey == "" { + log.Println("could not find cookie encryption key. generating one...") + + cookieEncryptionKey, err := gorilla.GenerateRandomBytes(32) + if err != nil { + return nil, errors.Wrap(err, "could not generate cookie encryption key") + } + + conf.HTTP.CookieEncryptionKey = string(cookieEncryptionKey) + } + + // Generate random token signing key if none is set + if conf.HTTP.TokenSigningKey == "" { + log.Println("could not find token signing key. generating one...") + + tokenSigningKey, err := gorilla.GenerateRandomBytes(64) + if err != nil { + return nil, errors.Wrap(err, "could not generate token signing key") + } + + conf.HTTP.TokenSigningKey = string(tokenSigningKey) + } + + // Generate random token encryption key if none is set + if conf.HTTP.TokenEncryptionKey == "" { + log.Println("could not find token encryption key. generating one...") + + tokenEncryptionKey, err := gorilla.GenerateRandomBytes(32) + if err != nil { + return nil, errors.Wrap(err, "could not generate token encryption key") + } + + conf.HTTP.TokenEncryptionKey = string(tokenEncryptionKey) + } + + // Create and initialize HTTP session service provider + cookieStore := sessions.NewCookieStore( + []byte(conf.HTTP.CookieAuthenticationKey), + []byte(conf.HTTP.CookieEncryptionKey), + ) + + // Define default cookie options + cookieStore.Options = &sessions.Options{ + Path: "/", + HttpOnly: true, + MaxAge: conf.HTTP.CookieMaxAge, + SameSite: http.SameSiteStrictMode, + } + + ctn.Provide( + session.ServiceName, + gorilla.ServiceProvider("hydra-webauthn", cookieStore), + ) + + // Create and expose template service provider + // Create and expose template service provider + ctn.Provide(template.ServiceName, html.ServiceProvider( + html.NewDirectoryLoader(conf.HTTP.TemplateDir), + html.WithHelper("marshal", func(v interface{}) (gotemplate.JS, error) { + data, err := json.Marshal(v) + if err != nil { + return "", errors.WithStack(err) + } + + return gotemplate.JS(data), nil + }), + html.WithHelper("base64", func(v interface{}) (gotemplate.JS, error) { + var b64 string + + switch typ := v.(type) { + case string: + b64 = base64.RawURLEncoding.EncodeToString([]byte(typ)) + case []byte: + b64 = base64.RawURLEncoding.EncodeToString(typ) + case gotemplate.JS: + b64 = base64.RawURLEncoding.EncodeToString([]byte(typ)) + default: + return "", errors.Errorf("unexpected type '%T'", v) + } + + return gotemplate.JS(b64), nil + }), + )) + + // Create and expose config service provider + ctn.Provide(config.ServiceName, config.ServiceProvider(conf)) + + ctn.Provide( + hydra.ServiceName, + hydra.ServiceProvider( + conf.Hydra.BaseURL, + conf.Hydra.FakeSSLTermination, + conf.Hydra.HTTPClientTimeout, + ), + ) + + // Create and expose webauthn service provider + webauthnConfig := &webauthn.Config{ + RPID: conf.WebAuthn.RelyingParty.ID, + RPDisplayName: conf.WebAuthn.RelyingParty.DisplayName, + RPOrigins: conf.WebAuthn.RelyingParty.Origins, + // AttestationPreference: protocol.PreferDirectAttestation, + // AuthenticatorSelection: protocol.AuthenticatorSelection{ + // AuthenticatorAttachment: protocol.CrossPlatform, + // }, + Debug: true, + // EncodeUserIDAsString: true, + // Timeouts: webauthn.TimeoutsConfig{ + // Login: webauthn.TimeoutConfig{ + // Enforce: true, + // Timeout: , + // }, + // }, + } + + ctn.Provide( + webauthn.ServiceName, + webauthn.ServiceProvider(webauthnConfig), + ) + + userRepository, err := sqlite.NewUserRepository(conf.Storage.DSN) + if err != nil { + return nil, errors.Wrap(err, "could not create sqlite user repository") + } + + ctn.Provide( + storage.ServiceName, + storage.ServiceProvider(userRepository), + ) + + return ctn, nil +} diff --git a/cmd/server/main.go b/cmd/server/main.go new file mode 100644 index 0000000..98c4d9f --- /dev/null +++ b/cmd/server/main.go @@ -0,0 +1,146 @@ +package main + +import ( + "flag" + "fmt" + "log" + "net/http" + "os" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/route" + "github.com/getsentry/sentry-go" + "github.com/go-chi/chi" + "github.com/go-chi/chi/middleware" + "gitlab.com/wpetit/goweb/middleware/container" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/config" + sentryhttp "github.com/getsentry/sentry-go/http" + "github.com/pkg/errors" +) + +// nolint: gochecknoglobals +var ( + configFile = "" + workdir = "" + dumpConfig = false + version = false +) + +// nolint: gochecknoglobals +var ( + GitRef = "unknown" + ProjectVersion = "unknown" + BuildDate = "unknown" +) + +// nolint: gochecknoinits +func init() { + flag.StringVar(&configFile, "config", configFile, "configuration file") + flag.StringVar(&workdir, "workdir", workdir, "working directory") + flag.BoolVar(&dumpConfig, "dump-config", dumpConfig, "dump configuration and exit") + flag.BoolVar(&version, "version", version, "show version and exit") +} + +func main() { + flag.Parse() + + if version { + fmt.Printf("%s (%s) - %s\n", ProjectVersion, GitRef, BuildDate) + + os.Exit(0) + } + + // Switch to new working directory if defined + if workdir != "" { + if err := os.Chdir(workdir); err != nil { + log.Fatalf("%+v", errors.Wrapf(err, "could not change working directory to '%s'", workdir)) + } + } + + // Load configuration file if defined, use default configuration otherwise + var conf *config.Config + + var err error + + if configFile != "" { + conf, err = config.NewFromFile(configFile) + if err != nil { + log.Fatalf("%+v", errors.Wrapf(err, "could not load config file '%s'", configFile)) + } + } else { + if dumpConfig { + conf = config.NewDumpDefault() + } else { + conf = config.NewDefault() + } + } + + // Dump configuration if asked + if dumpConfig { + if err := config.Dump(conf, os.Stdout); err != nil { + log.Fatalf("%+v", errors.Wrap(err, "could not dump config")) + } + + os.Exit(0) + } + + if err := config.WithEnvironment(conf); err != nil { + log.Fatalf("%+v", errors.Wrap(err, "could not override config with environment")) + } + + useSentry := conf.Sentry.DSN != "" + + if useSentry { + var sentryEnv string + if conf.Sentry.Environment == "" { + sentryEnv, _ = os.Hostname() + } else { + sentryEnv = conf.Sentry.Environment + } + + err := sentry.Init(sentry.ClientOptions{ + Dsn: conf.Sentry.DSN, + Debug: conf.Debug, + SampleRate: conf.Sentry.ServerSampleRate, + Release: ProjectVersion + "-" + GitRef, + Environment: sentryEnv, + }) + if err != nil { + log.Fatalf("%+v", errors.Wrap(err, "could not initialize sentry")) + } + + defer sentry.Flush(conf.Sentry.ServerFlushTimeout) + } + + // Create service container + ctn, err := getServiceContainer(conf) + if err != nil { + log.Fatalf("%+v", errors.Wrap(err, "could not create service container")) + } + + r := chi.NewRouter() + + // Define base middlewares + r.Use(middleware.Logger) + + if useSentry { + sentryMiddleware := sentryhttp.New(sentryhttp.Options{ + Repanic: true, + }) + + r.Use(sentryMiddleware.Handle) + } + + // Expose service container on router + r.Use(container.ServiceContainer(ctn)) + + // Define routes + if err := route.Mount(r, conf); err != nil { + log.Fatalf("%+v", errors.Wrap(err, "could not mount http routes")) + } + + log.Printf("listening on '%s'", conf.HTTP.Address) + if err := http.ListenAndServe(conf.HTTP.Address, r); err != nil { + log.Fatalf("%+v", errors.Wrapf(err, "could not listen on '%s'", conf.HTTP.Address)) + } +} diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..339c322 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,79 @@ +version: '2.4' +services: + postgres: + image: postgres:16.1 + environment: + - POSTGRES_PASSWORD=hydra + - POSTGRES_USER=hydra + - POSTGRES_DB=hydra + restart: unless-stopped + healthcheck: + test: ["CMD", "pg_isready", "-U", "hydra", "-d", "hydra"] + interval: 3s + timeout: 5s + retries: 5 + network_mode: host + + hydra: + image: &hydra_image oryd/hydra:v1.11 + environment: &hydra_environment + - LOG_LEVEL=debug + - LOG_LEAK_SENSITIVE_VALUES=true + - SECRETS_SYSTEM=NotSoSecret123456 + - DSN=postgres://hydra:hydra@127.0.0.1:5432/hydra + - URLS_CONSENT=http://localhost:3000/consent + - URLS_LOGIN=http://localhost:3000/login + - URLS_LOGOUT=http://localhost:3000/logout + entrypoint: "" + command: ["hydra", "serve", "all", "--dangerous-force-http", "--dangerous-allow-insecure-redirect-urls=http://localhost:8080/oauth2/callback,http://127.0.0.1:8080/oauth2/callback"] + healthcheck: + test: ["CMD", "/bin/sh", "-c", "wget -q --spider http://127.0.0.1:4444/.well-known/openid-configuration"] + interval: 3s + timeout: 5s + retries: 5 + depends_on: + init-hydra-database: + condition: service_completed_successfully + restart: unless-stopped + network_mode: host + + + oidc-test: + image: reg.cadoles.com/cadoles/oidc-test:2023.11.6-stable.1557.e16b905 + environment: + - LOG_LEVEL=0 + - HTTP_ADDRESS=0.0.0.0:8080 + - OIDC_CLIENT_ID=oidc-test + - OIDC_CLIENT_SECRET=oidc-test-123456 + - OIDC_ISSUER_URL=http://127.0.0.1:4444/ + - OIDC_REDIRECT_URL=http://localhost:8080/oauth2/callback + - OIDC_POST_LOGOUT_REDIRECT_URL=http://localhost:8080 + - OIDC_SKIP_ISSUER_VERIFICATION=true + depends_on: + init-hydra-client: + condition: service_completed_successfully + network_mode: host + restart: unless-stopped + + init-hydra-database: + image: *hydra_image + environment: *hydra_environment + command: ["migrate", "sql", "-e", "--yes"] + network_mode: host + depends_on: + postgres: + condition: service_healthy + + init-hydra-client: + image: *hydra_image + entrypoint: "" + command: ["/bin/sh", "-c", "hydra clients import --endpoint http://127.0.0.1:4445 --fake-tls-termination /oidc/client.json || true"] + environment: *hydra_environment + depends_on: + init-hydra-database: + condition: service_completed_successfully + hydra: + condition: service_healthy + network_mode: host + volumes: + - ./misc/compose/hydra/client.json:/oidc/client.json \ No newline at end of file diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..c547bfc --- /dev/null +++ b/go.mod @@ -0,0 +1,67 @@ +module forge.cadoles.com/wpetit/hydra-webauthn + +go 1.21 + +require ( + github.com/caarlos0/env/v6 v6.2.2 + github.com/davecgh/go-spew v1.1.1 + github.com/getsentry/sentry-go v0.7.0 + github.com/go-chi/chi v4.1.0+incompatible + github.com/go-webauthn/webauthn v0.8.6 + github.com/google/uuid v1.3.0 + github.com/gorilla/csrf v1.6.2 + github.com/gorilla/sessions v1.2.0 + github.com/pkg/errors v0.9.1 + gitlab.com/wpetit/goweb v0.0.0-20231119195238-e40a8515cfad + gopkg.in/yaml.v2 v2.4.0 +) + +require ( + github.com/caarlos0/env/v10 v10.0.0 // indirect + github.com/dustin/go-humanize v1.0.1 // indirect + github.com/go-chi/chi/v5 v5.0.10 // indirect + github.com/go-playground/locales v0.14.0 // indirect + github.com/go-playground/universal-translator v0.18.0 // indirect + github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect + github.com/leodido/go-urn v1.2.1 // indirect + github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect + golang.org/x/mod v0.8.0 // indirect + golang.org/x/tools v0.6.0 // indirect + gopkg.in/go-playground/validator.v9 v9.29.1 // indirect + lukechampine.com/uint128 v1.2.0 // indirect + modernc.org/cc/v3 v3.40.0 // indirect + modernc.org/ccgo/v3 v3.16.13 // indirect + modernc.org/libc v1.29.0 // indirect + modernc.org/mathutil v1.6.0 // indirect + modernc.org/memory v1.7.2 // indirect + modernc.org/opt v0.1.3 // indirect + modernc.org/strutil v1.1.3 // indirect + modernc.org/token v1.0.1 // indirect +) + +require ( + cdr.dev/slog v1.6.1 // indirect + github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect + github.com/charmbracelet/lipgloss v0.9.1 // indirect + github.com/fxamacker/cbor/v2 v2.4.0 // indirect + github.com/go-webauthn/x v0.1.4 // indirect + github.com/golang-jwt/jwt/v5 v5.0.0 // indirect + github.com/google/go-tpm v0.9.0 // indirect + github.com/gorilla/securecookie v1.1.1 // indirect + github.com/lucasb-eyer/go-colorful v1.2.0 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect + github.com/mattn/go-runewidth v0.0.15 // indirect + github.com/mitchellh/mapstructure v1.5.0 // indirect + github.com/muesli/reflow v0.3.0 // indirect + github.com/muesli/termenv v0.15.2 // indirect + github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect + github.com/rivo/uniseg v0.4.4 // indirect + github.com/x448/float16 v0.8.4 // indirect + go.opentelemetry.io/otel v1.21.0 // indirect + go.opentelemetry.io/otel/trace v1.21.0 // indirect + golang.org/x/crypto v0.15.0 // indirect + golang.org/x/sys v0.14.0 // indirect + golang.org/x/term v0.14.0 // indirect + golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect + modernc.org/sqlite v1.27.0 +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..8bd4ef3 --- /dev/null +++ b/go.sum @@ -0,0 +1,335 @@ +cdr.dev/slog v1.6.1 h1:IQjWZD0x6//sfv5n+qEhbu3wBkmtBQY5DILXNvMaIv4= +cdr.dev/slog v1.6.1/go.mod h1:eHEYQLaZvxnIAXC+XdTSNLb/kgA/X2RVSF72v5wsxEI= +cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY= +cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= +cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= +cloud.google.com/go/logging v1.7.0 h1:CJYxlNNNNAMkHp9em/YEXcfJg+rPDg7YfwoRpMU+t5I= +cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M= +cloud.google.com/go/longrunning v0.5.1 h1:Fr7TXftcqTudoyRJa113hyaqlGdiBQkp0Gq7tErFDWI= +cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc= +github.com/AndreasBriese/bbloom v0.0.0-20190306092124-e2d15f34fcf9/go.mod h1:bOvUY6CB00SOBii9/FifXqc0awNKxLFCL/+pkDPuyl8= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/CloudyKit/fastprinter v0.0.0-20170127035650-74b38d55f37a/go.mod h1:EFZQ978U7x8IRnstaskI3IysnWY5Ao3QgZUKOXlsAdw= +github.com/CloudyKit/jet v2.1.3-0.20180809161101-62edd43e4f88+incompatible/go.mod h1:HPYO+50pSWkPoj9Q/eq0aRGByCL6ScRlUmiEX5Zgm+w= +github.com/Joker/hpp v1.0.0/go.mod h1:8x5n+M1Hp5hC0g8okX3sR3vFQwynaX/UgSOM9MeBKzY= +github.com/Joker/jade v1.0.1-0.20190614124447-d475f43051e7/go.mod h1:6E6s8o2AE4KhCrqr6GRJjdC/gNfTdxkIXvuGZZda2VM= +github.com/Shopify/goreferrer v0.0.0-20181106222321-ec9c9a553398/go.mod h1:a1uqRtAwp2Xwc6WNPJEufxJ7fx3npB4UV/JOLmbu5I0= +github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k= +github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8= +github.com/aymerick/raymond v2.0.3-0.20180322193309-b565731e1464+incompatible/go.mod h1:osfaiScAUVup+UC9Nfq76eWqDhXlp+4UYaA8uhTBO6g= +github.com/caarlos0/env/v10 v10.0.0 h1:yIHUBZGsyqCnpTkbjk8asUlx6RFhhEs+h7TOBdgdzXA= +github.com/caarlos0/env/v10 v10.0.0/go.mod h1:ZfulV76NvVPw3tm591U4SwL3Xx9ldzBP9aGxzeN7G18= +github.com/caarlos0/env/v6 v6.2.2 h1:R0NIFXaB/LhwuGrjnsldzpnVNjFU/U+hTVHt+cq0yDY= +github.com/caarlos0/env/v6 v6.2.2/go.mod h1:3LpmfcAYCG6gCiSgDLaFR5Km1FRpPwFvBbRcjHar6Sw= +github.com/charmbracelet/lipgloss v0.9.1 h1:PNyd3jvaJbg4jRHKWXnCj1akQm4rh8dbEzN1p/u1KWg= +github.com/charmbracelet/lipgloss v0.9.1/go.mod h1:1mPmG4cxScwUQALAAnacHaigiiHB9Pmr+v1VEawJl6I= +github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgraph-io/badger v1.6.0/go.mod h1:zwt7syl517jmP8s94KqSxTlM6IMsdhYy6psNgSztDR4= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= +github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= +github.com/eknkc/amber v0.0.0-20171010120322-cdade1c07385/go.mod h1:0vRUJqYpeSZifjYj7uP3BG/gKcuzL9xWVV/Y+cK33KM= +github.com/etcd-io/bbolt v1.3.3/go.mod h1:ZF2nL25h33cCyBtcyWeZ2/I3HQOfTP+0PIEvHjkjCrw= +github.com/fasthttp-contrib/websocket v0.0.0-20160511215533-1f3b11f56072/go.mod h1:duJ4Jxv5lDcvg4QuQr0oowTf7dz4/CR8NtyCooz9HL8= +github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= +github.com/flosch/pongo2 v0.0.0-20190707114632-bbf5a6c351f4/go.mod h1:T9YF2M40nIgbVgp3rreNmTged+9HrbNTIQf1PsaIiTA= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88= +github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= +github.com/gavv/httpexpect v2.0.0+incompatible/go.mod h1:x+9tiU1YnrOvnB725RkpoLv1M62hOWzwo5OXotisrKc= +github.com/getsentry/sentry-go v0.7.0 h1:MR2yfR4vFfv/2+iBuSnkdQwVg7N9cJzihZ6KJu7srwQ= +github.com/getsentry/sentry-go v0.7.0/go.mod h1:pLFpD2Y5RHIKF9Bw3KH6/68DeN2K/XBJd8awjdPnUwg= +github.com/gin-contrib/sse v0.0.0-20190301062529-5545eab6dad3/go.mod h1:VJ0WA2NBN22VlZ2dKZQPAPnyWw5XTlK1KymzLKsr59s= +github.com/gin-gonic/gin v1.4.0/go.mod h1:OW2EZn3DO8Ln9oIKOvM++LBO+5UPHJJDH72/q/3rZdM= +github.com/go-check/check v0.0.0-20180628173108-788fd7840127/go.mod h1:9ES+weclKsC9YodN5RgxqK/VD9HM9JsCSh7rNhMZE98= +github.com/go-chi/chi v4.1.0+incompatible h1:ETj3cggsVIY2Xao5ExCu6YhEh5MD6JTfcBzS37R260w= +github.com/go-chi/chi v4.1.0+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= +github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk= +github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w= +github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8= +github.com/go-playground/locales v0.14.0 h1:u50s323jtVGugKlcYeyzC0etD1HifMjqmJqb8WugfUU= +github.com/go-playground/locales v0.14.0/go.mod h1:sawfccIbzZTqEDETgFXqTho0QybSa7l++s0DH+LDiLs= +github.com/go-playground/universal-translator v0.18.0 h1:82dyy6p4OuJq4/CByFNOn/jYrnRPArHwAcmLoJZxyho= +github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA= +github.com/go-webauthn/webauthn v0.8.6 h1:bKMtL1qzd2WTFkf1mFTVbreYrwn7dsYmEPjTq6QN90E= +github.com/go-webauthn/webauthn v0.8.6/go.mod h1:emwVLMCI5yx9evTTvr0r+aOZCdWJqMfbRhF0MufyUog= +github.com/go-webauthn/x v0.1.4 h1:sGmIFhcY70l6k7JIDfnjVBiAAFEssga5lXIUXe0GtAs= +github.com/go-webauthn/x v0.1.4/go.mod h1:75Ug0oK6KYpANh5hDOanfDI+dvPWHk788naJVG/37H8= +github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo= +github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= +github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM= +github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= +github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/gomodule/redigo v1.7.1-0.20190724094224-574c33c3df38/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= +github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk= +github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU= +github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ= +github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gorilla/csrf v1.6.2 h1:QqQ/OWwuFp4jMKgBFAzJVW3FMULdyUW7JoM4pEWuqKg= +github.com/gorilla/csrf v1.6.2/go.mod h1:7tSf8kmjNYr7IWDCYhd3U8Ck34iQ/Yw5CJu7bAkHEGI= +github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/gorilla/sessions v1.2.0 h1:S7P+1Hm5V/AT9cjEcUD5uDaQSX0OE577aCXgoaKpYbQ= +github.com/gorilla/sessions v1.2.0/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/imkira/go-interpol v1.1.0/go.mod h1:z0h2/2T3XF8kyEPpRgJ3kmNv+C43p+I/CoI+jC3w2iA= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/iris-contrib/blackfriday v2.0.0+incompatible/go.mod h1:UzZ2bDEoaSGPbkg6SAB4att1aAwTmVIx/5gCVqeyUdI= +github.com/iris-contrib/go.uuid v2.0.0+incompatible/go.mod h1:iz2lgM/1UnEf1kP0L/+fafWORmlnuysV2EMP8MW+qe0= +github.com/iris-contrib/i18n v0.0.0-20171121225848-987a633949d0/go.mod h1:pMCz62A0xJL6I+umB2YTlFRwWXaDFA0jy+5HzGiJjqI= +github.com/iris-contrib/schema v0.0.1/go.mod h1:urYA3uvUNG1TIIjOSCzHr9/LmbQo8LrOcOqfqxa4hXw= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/juju/errors v0.0.0-20181118221551-089d3ea4e4d5/go.mod h1:W54LbzXuIE0boCoNJfwqpmkKJ1O4TCTZMetAt6jGk7Q= +github.com/juju/loggo v0.0.0-20180524022052-584905176618/go.mod h1:vgyd7OREkbtVEN/8IXZe5Ooef3LQePvuBm9UWj6ZL8U= +github.com/juju/testing v0.0.0-20180920084828-472a3e8b2073/go.mod h1:63prj8cnj0tU0S9OHjGJn+b1h0ZghCndfnbQolrYTwA= +github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k= +github.com/kataras/golog v0.0.9/go.mod h1:12HJgwBIZFNGL0EJnMRhmvGA0PQGx8VFwrZtM4CqbAk= +github.com/kataras/iris/v12 v12.0.1/go.mod h1:udK4vLQKkdDqMGJJVd/msuMtN6hpYJhg/lSzuxjhO+U= +github.com/kataras/neffos v0.0.10/go.mod h1:ZYmJC07hQPW67eKuzlfY7SO3bC0mw83A3j6im82hfqw= +github.com/kataras/pio v0.0.0-20190103105442-ea782b38602d/go.mod h1:NV88laa9UiiDuX9AhMbDPkGYSPugBOV6yTZB1l2K9Z0= +github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= +github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= +github.com/klauspost/compress v1.8.2/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= +github.com/klauspost/compress v1.9.0/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= +github.com/klauspost/cpuid v1.2.1/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/labstack/echo/v4 v4.1.11/go.mod h1:i541M3Fj6f76NZtHSj7TXnyM8n2gaodfvfxNnFqi74g= +github.com/labstack/gommon v0.3.0/go.mod h1:MULnywXg0yavhxWKc+lOruYdAhDwPK9wf0OL7NoOu+k= +github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w= +github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY= +github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY= +github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= +github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U= +github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= +github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y= +github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= +github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw= +github.com/mediocregopher/mediocre-go-lib v0.0.0-20181029021733-cb65787f37ed/go.mod h1:dSsfyI2zABAdhcbvkXqgxOxrCsbYeHCPgrZkku60dSg= +github.com/mediocregopher/radix/v3 v3.3.0/go.mod h1:EmfVyvspXz1uZEyPBMyGK+kjWiKQGvsUt6O3Pj+LDCQ= +github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= +github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/moul/http2curl v1.0.0/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ= +github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s= +github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8= +github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo= +github.com/muesli/termenv v0.15.2/go.mod h1:Epx+iuz8sNs7mNKhxzH4fWXGNpZwUaJKRS1noLXviQ8= +github.com/nats-io/nats.go v1.8.1/go.mod h1:BrFz9vVn0fU3AcH9Vn4Kd7W0NpJ651tD5omQ3M8LwxM= +github.com/nats-io/nkeys v0.0.2/go.mod h1:dab7URMsZm6Z/jp9Z5UGa87Uutgc2mVpXLC4B7TDb/4= +github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw= +github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4= +github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE= +github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= +github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= +github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= +github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis= +github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY= +github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= +github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= +github.com/valyala/fasthttp v1.6.0/go.mod h1:FstJa9V+Pj9vQ7OJie2qMHdwemEDaDiSdBnvPM1Su9w= +github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8= +github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0/go.mod h1:/LWChgwKmvncFJFHJ7Gvn9wZArjbV5/FppcK2fKk/tI= +github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg= +github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM= +github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc= +gitlab.com/wpetit/goweb v0.0.0-20231119195238-e40a8515cfad h1:KDrx55pxLSx/Uv3Zt0eox8ed2WKA1uYhHQX85eOk03E= +gitlab.com/wpetit/goweb v0.0.0-20231119195238-e40a8515cfad/go.mod h1:M84eg+LmLpFLZT0YTZ/IpbXjviXFW5t+xBtEgHWc/Oo= +go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc= +go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo= +go.opentelemetry.io/otel/metric v1.21.0 h1:tlYWfeo+Bocx5kLEloTjbcDwBuELRrIFxwdQ36PlJu4= +go.opentelemetry.io/otel/metric v1.21.0/go.mod h1:o1p3CA8nNHW8j5yuQLdc1eeqEaPfzug24uvsyIEJRWM= +go.opentelemetry.io/otel/sdk v1.16.0 h1:Z1Ok1YsijYL0CSJpHt4cS3wDDh7p572grzNrBMiMWgE= +go.opentelemetry.io/otel/sdk v1.16.0/go.mod h1:tMsIuKXuuIWPBAOrH+eHtvhTL+SntFtXF9QD68aP6p4= +go.opentelemetry.io/otel/trace v1.21.0 h1:WD9i5gzvoUPuXIXH24ZNBudiarZDKuekPqi/E8fpfLc= +go.opentelemetry.io/otel/trace v1.21.0/go.mod h1:LGbsEB0f9LGjN+OZaQQ26sohbOmiMR+BaslueVtS/qQ= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA= +golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= +golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190327091125-710a502c58a2/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= +golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= +golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8= +golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181221001348-537d06c36207/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190327201419-c70d86f8b7cf/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU= +golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= +google.golang.org/genproto v0.0.0-20230726155614-23370e0ffb3e h1:xIXmWJ303kJCuogpj0bHq+dcjcZHU+XFyc1I0Yl9cRg= +google.golang.org/genproto v0.0.0-20230726155614-23370e0ffb3e/go.mod h1:0ggbjUrZYpy1q+ANUS30SEoGZ53cdfwtbuG7Ptgy108= +google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 h1:XVeBY8d/FaK4848myy41HBqnDwvxeV3zMZhwN1TvAMU= +google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:mPBs5jNgx2GuQGvFwUvVKqtn6HsUw9nP64BedgvqEsQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130 h1:2FZP5XuJY9zQyGM5N0rtovnoXjiMUEIUMvw0m9wlpLc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:8mL13HKkDa+IuJ8yruA3ci0q+0vsUz4m//+ottjwS5o= +google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw= +google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/go-playground/assert.v1 v1.2.1 h1:xoYuJVE7KT85PYWrN730RguIQO0ePzVRfFMXadIrXTM= +gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE= +gopkg.in/go-playground/validator.v8 v8.18.2/go.mod h1:RX2a/7Ha8BgOhfk7j780h4/u/RRjR0eouCJSH80/M2Y= +gopkg.in/go-playground/validator.v9 v9.29.1 h1:SvGtYmN60a5CVKTOzMSyfzWDeZRxRuGvRQyEAKbw1xc= +gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ= +gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +lukechampine.com/uint128 v1.2.0 h1:mBi/5l91vocEN8otkC5bDLhi2KdCticRiwbdB0O+rjI= +lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk= +modernc.org/cc/v3 v3.40.0 h1:P3g79IUS/93SYhtoeaHW+kRCIrYaxJ27MFPv+7kaTOw= +modernc.org/cc/v3 v3.40.0/go.mod h1:/bTg4dnWkSXowUO6ssQKnOV0yMVxDYNIsIrzqTFDGH0= +modernc.org/ccgo/v3 v3.16.13 h1:Mkgdzl46i5F/CNR/Kj80Ri59hC8TKAhZrYSaqvkwzUw= +modernc.org/ccgo/v3 v3.16.13/go.mod h1:2Quk+5YgpImhPjv2Qsob1DnZ/4som1lJTodubIcoUkY= +modernc.org/ccorpus v1.11.6 h1:J16RXiiqiCgua6+ZvQot4yUuUy8zxgqbqEEUuGPlISk= +modernc.org/ccorpus v1.11.6/go.mod h1:2gEUTrWqdpH2pXsmTM1ZkjeSrUWDpjMu2T6m29L/ErQ= +modernc.org/httpfs v1.0.6 h1:AAgIpFZRXuYnkjftxTAZwMIiwEqAfk8aVB2/oA6nAeM= +modernc.org/httpfs v1.0.6/go.mod h1:7dosgurJGp0sPaRanU53W4xZYKh14wfzX420oZADeHM= +modernc.org/libc v1.29.0 h1:tTFRFq69YKCF2QyGNuRUQxKBm1uZZLubf6Cjh/pVHXs= +modernc.org/libc v1.29.0/go.mod h1:DaG/4Q3LRRdqpiLyP0C2m1B8ZMGkQ+cCgOIjEtQlYhQ= +modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4= +modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo= +modernc.org/memory v1.7.2 h1:Klh90S215mmH8c9gO98QxQFsY+W451E8AnzjoE2ee1E= +modernc.org/memory v1.7.2/go.mod h1:NO4NVCQy0N7ln+T9ngWqOQfi7ley4vpwvARR+Hjw95E= +modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4= +modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0= +modernc.org/sqlite v1.27.0 h1:MpKAHoyYB7xqcwnUwkuD+npwEa0fojF0B5QRbN+auJ8= +modernc.org/sqlite v1.27.0/go.mod h1:Qxpazz0zH8Z1xCFyi5GSL3FzbtZ3fvbjmywNogldEW0= +modernc.org/strutil v1.1.3 h1:fNMm+oJklMGYfU9Ylcywl0CO5O6nTfaowNsh2wpPjzY= +modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw= +modernc.org/tcl v1.15.2 h1:C4ybAYCGJw968e+Me18oW55kD/FexcHbqH2xak1ROSY= +modernc.org/tcl v1.15.2/go.mod h1:3+k/ZaEbKrC8ePv8zJWPtBSW0V7Gg9g8rkmhI1Kfs3c= +modernc.org/token v1.0.1 h1:A3qvTqOwexpfZZeyI0FeGPDlSWX5pjZu9hF4lU+EKWg= +modernc.org/token v1.0.1/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= +modernc.org/z v1.7.3 h1:zDJf6iHjrnB+WRD88stbXokugjyc0/pB91ri1gO6LZY= +modernc.org/z v1.7.3/go.mod h1:Ipv4tsdxZRbQyLq9Q1M6gdbkxYzdlrciF2Hi/lS7nWE= diff --git a/internal/config/api.go b/internal/config/api.go new file mode 100644 index 0000000..133a256 --- /dev/null +++ b/internal/config/api.go @@ -0,0 +1,48 @@ +package config + +import ( + "encoding/json" + + "github.com/davecgh/go-spew/spew" + "github.com/pkg/errors" +) + +type APIConfig struct { + Authentication AuthenticationConfig `yaml:"auth" envPrefix:"AUTH_"` +} + +type Accounts []AccountConfig + +type AuthenticationConfig struct { + Accounts Accounts `yaml:"accounts" env:"ACCOUNTS"` +} + +func parseAccounts(value string) (any, error) { + var accounts Accounts + + spew.Dump(value) + + if err := json.Unmarshal([]byte(value), &accounts); err != nil { + return nil, errors.WithStack(err) + } + + return accounts, nil +} + +type AccountConfig struct { + Username string `yaml:"username" json:"username"` + Password string `yaml:"password" json:"password"` +} + +func NewDefaultAPIConfig() APIConfig { + return APIConfig{ + Authentication: AuthenticationConfig{ + Accounts: []AccountConfig{ + { + Username: "admin", + Password: "webauthn", + }, + }, + }, + } +} diff --git a/internal/config/config.go b/internal/config/config.go new file mode 100644 index 0000000..9497c4c --- /dev/null +++ b/internal/config/config.go @@ -0,0 +1,128 @@ +package config + +import ( + "io" + "os" + "reflect" + "time" + + "github.com/pkg/errors" + + "github.com/caarlos0/env/v10" + "gopkg.in/yaml.v2" +) + +type Config struct { + Debug bool `yaml:"debug" env:"DEBUG"` + HTTP HTTPConfig `yaml:"http" envPrefix:"HTTP_"` + Hydra HydraConfig `yaml:"hydra" envPrefix:"HYDRA_"` + Session SessionConfig `yaml:"session" envPrefix:"SESSION_"` + Sentry SentryConfig `yaml:"sentry" envPrefix:"SENTRY_"` + WebAuthn WebAuthnConfig `yaml:"webauthn" envPrefix:"WEBAUTHN_"` + API APIConfig `yaml:"api" envPrefix:"API_"` + Storage StorageConfig `yaml:"storage" envPrefix:"STORAGE_"` +} + +// NewFromFile retrieves the configuration from the given file +func NewFromFile(filepath string) (*Config, error) { + config := NewDefault() + + data, err := os.ReadFile(filepath) + if err != nil { + return nil, errors.Wrapf(err, "could not read file '%s'", filepath) + } + + if err := yaml.Unmarshal(data, config); err != nil { + return nil, errors.Wrapf(err, "could not unmarshal configuration") + } + + return config, nil +} + +type HydraConfig struct { + BaseURL string `yaml:"baseURL" env:"BASE_URL"` + // Fake upstream SSL termination adding the "X-Forwarded-Proto: https" to the OIDC client + // HTTP request headers. + // Required by ory/hydra in some networks topologies + FakeSSLTermination bool `yaml:"fakeSSLTermination" env:"FAKE_SSL_TERMINATION"` + HTTPClientTimeout time.Duration `yaml:"httpClientTimeout" env:"HTTP_CLIENT_TIMEOUT"` +} + +type SessionConfig struct { + DefaultDuration int `yaml:"defaultDuration" env:"DEFAULT_DURATION"` + RememberMeDuration int `yaml:"rememberMeDuration" env:"REMEMBER_ME_DURATION"` +} + +type SentryConfig struct { + DSN string `yaml:"dsn" env:"DSN"` + // Server events sampling rate, see https://docs.sentry.io/platforms/go/configuration/options/ + ServerSampleRate float64 `yaml:"serverSampleRate" env:"SERVER_SAMPLE_RATE"` + ServerFlushTimeout time.Duration `yaml:"serverFlushTimeout" env:"SERVER_FLUSH_TIMEOUT"` + Environment string `yaml:"environment" env:"ENVIRONMENT"` +} + +func NewDumpDefault() *Config { + config := NewDefault() + return config +} + +func NewDefault() *Config { + return &Config{ + Debug: false, + HTTP: HTTPConfig{ + Address: ":3000", + CookieAuthenticationKey: "", + CookieEncryptionKey: "", + TokenEncryptionKey: "", + TokenSigningKey: "", + CookieMaxAge: int((time.Hour * 1).Seconds()), // 1 hour + TemplateDir: "template", + PublicDir: "public", + BaseURL: "/", + }, + Hydra: HydraConfig{ + BaseURL: "http://localhost:4445/", + FakeSSLTermination: false, + HTTPClientTimeout: time.Second * 30, //nolint: gomnb + }, + Session: SessionConfig{ + DefaultDuration: int((time.Hour * 1).Seconds()), // 1 hour + RememberMeDuration: int((time.Hour * 24 * 30).Seconds()), // 30 days + }, + Sentry: SentryConfig{ + DSN: "", + ServerSampleRate: 1, + ServerFlushTimeout: 2 * time.Second, + Environment: "", + }, + WebAuthn: NewDefaultWebAuthnConfig(), + API: NewDefaultAPIConfig(), + Storage: NewDefaultStorageConfig(), + } +} + +func Dump(config *Config, w io.Writer) error { + data, err := yaml.Marshal(config) + if err != nil { + return errors.Wrap(err, "could not dump config") + } + + if _, err := w.Write(data); err != nil { + return err + } + + return nil +} + +func WithEnvironment(conf *Config) error { + if err := env.ParseWithOptions(conf, env.Options{ + Prefix: "HYDRA_WEBAUTHN_", + FuncMap: map[reflect.Type]env.ParserFunc{ + reflect.TypeOf(Accounts{}): parseAccounts, + }, + }); err != nil { + return err + } + + return nil +} diff --git a/internal/config/http.go b/internal/config/http.go new file mode 100644 index 0000000..ab45f70 --- /dev/null +++ b/internal/config/http.go @@ -0,0 +1,13 @@ +package config + +type HTTPConfig struct { + Address string `yaml:"address" env:"ADDRESS"` + CookieAuthenticationKey string `yaml:"cookieAuthenticationKey" env:"COOKIE_AUTHENTICATION_KEY"` + CookieEncryptionKey string `yaml:"cookieEncryptionKey" env:"COOKIE_ENCRYPTION_KEY"` + TokenSigningKey string `yaml:"tokenSigningKey" env:"TOKEN_SIGNING_KEY"` + TokenEncryptionKey string `yaml:"tokenEncryptionKey" env:"TOKEN_ENCRYPTION_KEY"` + BaseURL string `yaml:"basePublicUrl" env:"BASE_URL"` + CookieMaxAge int `yaml:"cookieMaxAge" env:"COOKIE_MAX_AGE"` + TemplateDir string `yaml:"templateDir" env:"TEMPLATE_DIR"` + PublicDir string `yaml:"publicDir" env:"PUBLIC_DIR"` +} diff --git a/internal/config/provider.go b/internal/config/provider.go new file mode 100644 index 0000000..0e768ed --- /dev/null +++ b/internal/config/provider.go @@ -0,0 +1,9 @@ +package config + +import "gitlab.com/wpetit/goweb/service" + +func ServiceProvider(config *Config) service.Provider { + return func(ctn *service.Container) (interface{}, error) { + return config, nil + } +} diff --git a/internal/config/service.go b/internal/config/service.go new file mode 100644 index 0000000..e57c05d --- /dev/null +++ b/internal/config/service.go @@ -0,0 +1,33 @@ +package config + +import ( + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/service" +) + +const ServiceName service.Name = "config" + +// From retrieves the config service in the given container +func From(container *service.Container) (*Config, error) { + service, err := container.Service(ServiceName) + if err != nil { + return nil, errors.Wrapf(err, "error while retrieving '%s' service", ServiceName) + } + + srv, ok := service.(*Config) + if !ok { + return nil, errors.Errorf("retrieved service is not a valid '%s' service", ServiceName) + } + + return srv, nil +} + +// Must retrieves the config service in the given container or panic otherwise +func Must(container *service.Container) *Config { + srv, err := From(container) + if err != nil { + panic(err) + } + + return srv +} diff --git a/internal/config/storage.go b/internal/config/storage.go new file mode 100644 index 0000000..4bc6024 --- /dev/null +++ b/internal/config/storage.go @@ -0,0 +1,13 @@ +package config + +type StorageConfig struct { + Driver string `yaml:"driver" env:"DRIVER"` + DSN string `yaml:"dsn" env:"DSN"` +} + +func NewDefaultStorageConfig() StorageConfig { + return StorageConfig{ + Driver: "sqlite", + DSN: "./data/storage.sqlite?mode=rw&_pragma=foreign_keys(1)&_pragma=busy_timeout=150000&_pragma=journal_mode=WAL", + } +} diff --git a/internal/config/webauthn.go b/internal/config/webauthn.go new file mode 100644 index 0000000..277359c --- /dev/null +++ b/internal/config/webauthn.go @@ -0,0 +1,21 @@ +package config + +type WebAuthnConfig struct { + RelyingParty WebAuthnRelyingPartyConfig `yaml:"relyingParty" envPrefix:"RELYINGPARTY_"` +} + +type WebAuthnRelyingPartyConfig struct { + ID string `yaml:"id" env:"ID"` + DisplayName string `yaml:"displayName" env:"DISPLAYNAME"` + Origins []string `yaml:"origins" env:"ORIGINS" envSeparator:","` +} + +func NewDefaultWebAuthnConfig() WebAuthnConfig { + return WebAuthnConfig{ + RelyingParty: WebAuthnRelyingPartyConfig{ + ID: "localhost", + DisplayName: "WebAuthn", + Origins: []string{"http://localhost:3000"}, + }, + } +} diff --git a/internal/hydra/client.go b/internal/hydra/client.go new file mode 100644 index 0000000..ebcf8e7 --- /dev/null +++ b/internal/hydra/client.go @@ -0,0 +1,263 @@ +package hydra + +import ( + "bytes" + "encoding/json" + "net/http" + "net/url" + "time" + + "github.com/pkg/errors" +) + +type Client struct { + baseURL *url.URL + http *http.Client +} + +func (c *Client) LoginRequest(challenge string) (*LoginResponse, error) { + u := fromURL(*c.baseURL, "/oauth2/auth/requests/login", url.Values{ + "login_challenge": []string{challenge}, + }) + + res, err := c.http.Get(u) + if err != nil { + return nil, errors.Wrap(err, "could not retrieve login response") + } + + if res.StatusCode < http.StatusOK || res.StatusCode >= http.StatusBadRequest { + return nil, errors.Wrapf(ErrUnexpectedHydraResponse, "hydra responded with status code '%d'", res.StatusCode) + } + + defer res.Body.Close() + + decoder := json.NewDecoder(res.Body) + loginRes := &LoginResponse{} + + if err := decoder.Decode(loginRes); err != nil { + return nil, errors.Wrap(err, "could not decode json response") + } + + return loginRes, nil +} + +func (c *Client) AcceptLoginRequest(challenge string, req *AcceptLoginRequest) (*AcceptResponse, error) { + u := fromURL(*c.baseURL, "/oauth2/auth/requests/login/accept", url.Values{ + "login_challenge": []string{challenge}, + }) + + res := &AcceptResponse{} + + if err := c.putJSON(u, req, res); err != nil { + return nil, err + } + + return res, nil +} + +func (c *Client) RejectLoginRequest(challenge string, req *RejectRequest) (*RejectResponse, error) { + u := fromURL(*c.baseURL, "/oauth2/auth/requests/login/reject", url.Values{ + "login_challenge": []string{challenge}, + }) + + res := &RejectResponse{} + + if err := c.putJSON(u, req, res); err != nil { + return nil, err + } + + return res, nil +} + +func (c *Client) LogoutRequest(challenge string) (*LogoutResponse, error) { + u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout", url.Values{ + "logout_challenge": []string{challenge}, + }) + + res, err := c.http.Get(u) + if err != nil { + return nil, errors.Wrap(err, "could not retrieve logout response") + } + + if res.StatusCode < http.StatusOK || res.StatusCode >= http.StatusBadRequest { + return nil, errors.Wrapf(ErrUnexpectedHydraResponse, "hydra responded with status code '%d'", res.StatusCode) + } + + defer res.Body.Close() + + decoder := json.NewDecoder(res.Body) + logoutRes := &LogoutResponse{} + + if err := decoder.Decode(logoutRes); err != nil { + return nil, errors.Wrap(err, "could not decode json response") + } + + return logoutRes, nil +} + +func (c *Client) AcceptLogoutRequest(challenge string) (*AcceptResponse, error) { + u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout/accept", url.Values{ + "logout_challenge": []string{challenge}, + }) + + res := &AcceptResponse{} + + if err := c.putJSON(u, nil, res); err != nil { + return nil, err + } + + return res, nil +} + +func (c *Client) RejectLogoutRequest(challenge string, req *RejectRequest) (*RejectResponse, error) { + u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout/reject", url.Values{ + "logout_challenge": []string{challenge}, + }) + + res := &RejectResponse{} + + if err := c.putJSON(u, req, res); err != nil { + return nil, err + } + + return res, nil +} + +func (c *Client) ConsentRequest(challenge string) (*ConsentResponse, error) { + u := fromURL(*c.baseURL, "/oauth2/auth/requests/consent", url.Values{ + "consent_challenge": []string{challenge}, + }) + + res, err := c.http.Get(u) + if err != nil { + return nil, errors.Wrap(err, "could not retrieve login response") + } + + if res.StatusCode < http.StatusOK || res.StatusCode >= http.StatusBadRequest { + return nil, errors.Wrapf(ErrUnexpectedHydraResponse, "hydra responded with status code '%d'", res.StatusCode) + } + + defer res.Body.Close() + + decoder := json.NewDecoder(res.Body) + consentRes := &ConsentResponse{} + + if err := decoder.Decode(consentRes); err != nil { + return nil, errors.Wrap(err, "could not decode json response") + } + + return consentRes, nil +} + +func (c *Client) AcceptConsentRequest(challenge string, req *AcceptConsentRequest) (*AcceptResponse, error) { + u := fromURL(*c.baseURL, "/oauth2/auth/requests/consent/accept", url.Values{ + "consent_challenge": []string{challenge}, + }) + + res := &AcceptResponse{} + + if err := c.putJSON(u, req, res); err != nil { + return nil, err + } + + return res, nil +} + +func (c *Client) RejectConsentRequest(challenge string, req *RejectRequest) (*RejectResponse, error) { + u := fromURL(*c.baseURL, "/oauth2/auth/requests/consent/reject", url.Values{ + "consent_challenge": []string{challenge}, + }) + + res := &RejectResponse{} + + if err := c.putJSON(u, req, res); err != nil { + return nil, err + } + + return res, nil +} + +func (c *Client) LoginChallenge(r *http.Request) (string, error) { + return c.challenge(r, "login_challenge") +} + +func (c *Client) ConsentChallenge(r *http.Request) (string, error) { + return c.challenge(r, "consent_challenge") +} + +func (c *Client) LogoutChallenge(r *http.Request) (string, error) { + return c.challenge(r, "logout_challenge") +} + +func (c *Client) challenge(r *http.Request, name string) (string, error) { + challenge := r.URL.Query().Get(name) + if challenge == "" { + return "", ErrChallengeNotFound + } + + return challenge, nil +} + +func (c *Client) putJSON(u string, payload interface{}, result interface{}) error { + var buf bytes.Buffer + + encoder := json.NewEncoder(&buf) + if err := encoder.Encode(payload); err != nil { + return errors.Wrap(err, "could not encode request body") + } + + req, err := http.NewRequest("PUT", u, &buf) + if err != nil { + return errors.Wrap(err, "could not create request") + } + + res, err := c.http.Do(req) + if err != nil { + return errors.Wrap(err, "could not retrieve login response") + } + + if res.StatusCode < http.StatusOK || res.StatusCode >= http.StatusBadRequest { + return errors.Wrapf(ErrUnexpectedHydraResponse, "hydra responded with status code '%d'", res.StatusCode) + } + + defer res.Body.Close() + + decoder := json.NewDecoder(res.Body) + + if err := decoder.Decode(result); err != nil { + return errors.Wrap(err, "could not decode json response") + } + + return nil +} + +func fromURL(url url.URL, path string, query url.Values) string { + url.Path = path + url.RawQuery = query.Encode() + + return url.String() +} + +type fakeSSLTerminationTransport struct { + T http.RoundTripper +} + +func (t *fakeSSLTerminationTransport) RoundTrip(req *http.Request) (*http.Response, error) { + req.Header.Add("X-Forwarded-Proto", "https") + return t.T.RoundTrip(req) +} + +func NewClient(baseURL *url.URL, fakeSSLTermination bool, httpTimeout time.Duration) *Client { + httpClient := &http.Client{ + Timeout: httpTimeout, + } + + if fakeSSLTermination { + httpClient.Transport = &fakeSSLTerminationTransport{http.DefaultTransport} + } + + return &Client{ + baseURL: baseURL, + http: httpClient, + } +} diff --git a/internal/hydra/error.go b/internal/hydra/error.go new file mode 100644 index 0000000..8e08555 --- /dev/null +++ b/internal/hydra/error.go @@ -0,0 +1,8 @@ +package hydra + +import "errors" + +var ( + ErrUnexpectedHydraResponse = errors.New("unexpected hydra response") + ErrChallengeNotFound = errors.New("challenge not found") +) diff --git a/internal/hydra/provider.go b/internal/hydra/provider.go new file mode 100644 index 0000000..63df1ee --- /dev/null +++ b/internal/hydra/provider.go @@ -0,0 +1,30 @@ +package hydra + +import ( + "net/url" + "time" + + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/service" +) + +func ServiceProvider(rawBaseURL string, fakeSSLTermination bool, httpTimeout time.Duration) service.Provider { + var ( + baseURL *url.URL + err error + ) + + baseURL, err = url.Parse(rawBaseURL) + if err != nil { + err = errors.Wrap(err, "could not parse base url") + } + + client := NewClient(baseURL, fakeSSLTermination, httpTimeout) + + return func(ctn *service.Container) (interface{}, error) { + if err != nil { + return nil, err + } + return client, nil + } +} diff --git a/internal/hydra/request.go b/internal/hydra/request.go new file mode 100644 index 0000000..3e59d04 --- /dev/null +++ b/internal/hydra/request.go @@ -0,0 +1,29 @@ +package hydra + +type AcceptLoginRequest struct { + Subject string `json:"subject"` + Remember bool `json:"remember"` + RememberFor int `json:"remember_for"` + ACR string `json:"acr"` + Context map[string]interface{} `json:"context"` +} + +type AcceptLogoutRequest struct{} + +type AcceptConsentRequest struct { + GrantScope []string `json:"grant_scope"` + GrantAccessTokenAudience []string `json:"grant_access_token_audience"` + Remember bool `json:"remember"` + RememberFor int `json:"remember_for"` + Session AcceptConsentSession `json:"session"` +} + +type AcceptConsentSession struct { + AccessToken map[string]interface{} `json:"access_token"` + IDToken map[string]interface{} `json:"id_token"` +} + +type RejectRequest struct { + Error string `json:"error"` + ErrorDescription string `json:"error_description"` +} diff --git a/internal/hydra/response.go b/internal/hydra/response.go new file mode 100644 index 0000000..5f10ded --- /dev/null +++ b/internal/hydra/response.go @@ -0,0 +1,88 @@ +package hydra + +import "time" + +// https://www.ory.sh/hydra/docs/reference/api#get-a-login-request + +type ClientResponseFragment struct { + AllowCORSOrigins []string `json:"allowed_cors_origins"` + Audience []string `json:"audience"` + BackChannelLogoutSessionRequired bool `json:"backchannel_logout_session_required"` + BackChannelLogoutURI string `json:"backchannel_logout_uri"` + ClientID string `json:"client_id"` + ClientName string `json:"client_name"` + ClientSecret string `json:"client_secret"` + ClientSecretExpiresAt int `json:"client_secret_expires_at"` + ClientURI string `json:"client_uri"` + Contacts []string `json:"contacts"` + CreatedAt time.Time `json:"created_at"` + FrontChannelLogoutSessionRequired bool `json:"frontchannel_logout_session_required"` + FrontChannelLogoutURL string `json:"frontchannel_logout_uri"` + GrantTypes []string `json:"grant_types"` + JWKS map[string]interface{} `json:"jwks"` + JwksURI string `json:"jwks_uri"` + LogoURI string `json:"logo_uri"` + Metadata map[string]interface{} `json:"metadata"` + Owner string `json:"owner"` + PolicyURI string `json:"policy_uri"` + PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris"` + RedirectURIs []string `json:"redirect_uris"` + RequestObjectSigningAlg string `json:"request_object_signing_alg"` + RequestURIs []string `json:"request_uris"` + ResponseTypes []string `json:"response_types"` + Scope string `json:"scope"` + SectorIdentifierURI string `json:"sector_identifier_uri"` + SubjectType string `json:"subject_type"` + TokenEndpointAuthMethod string `json:"token_endpoint_auth_method"` + TosURI string `json:"tos_uri"` + UpdatedAt time.Time `json:"updated_at"` + UserInfoSignedResponseAlg string `json:"userinfo_signed_response_alg"` +} + +type OidcContextResponseFragment struct { + ACRValues []string `json:"acr_values"` + Display string `json:"display"` + IDTokenHintClaims map[string]interface{} `json:"id_token_hint_claims"` + LoginHint string `json:"login_hint"` + UILocales []string `json:"ui_locales"` +} + +type LoginResponse struct { + Challenge string `json:"challenge"` + Skip bool `json:"skip"` + Subject string `json:"subject"` + Client ClientResponseFragment `json:"client"` + RequestURL string `json:"request_url"` + RequestedScope []string `json:"requested_scope"` + OidcContext OidcContextResponseFragment `json:"oidc_context"` + RequestedAccessTokenAudience []string `json:"requested_access_token_audience"` + SessionID string `json:"session_id"` +} + +type AcceptResponse struct { + RedirectTo string `json:"redirect_to"` +} + +type RejectResponse struct { + RedirectTo string `json:"redirect_to"` +} + +type LogoutResponse struct { + Subject string `json:"subject"` + SessionID string `json:"sid"` + RPInitiated bool `json:"rp_initiated"` + RequestURL string `json:"request_url"` +} + +type ConsentResponse struct { + Challenge string `json:"challenge"` + Skip bool `json:"skip"` + Subject string `json:"subject"` + Client ClientResponseFragment `json:"client"` + RequestURL string `json:"request_url"` + RequestedScope []string `json:"requested_scope"` + OidcContext OidcContextResponseFragment `json:"oidc_context"` + RequestedAccessTokenAudience []string `json:"requested_access_token_audience"` + SessionID string `json:"session_id"` + Context map[string]interface{} `json:"context"` +} diff --git a/internal/hydra/service.go b/internal/hydra/service.go new file mode 100644 index 0000000..bdba65b --- /dev/null +++ b/internal/hydra/service.go @@ -0,0 +1,33 @@ +package hydra + +import ( + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/service" +) + +const ServiceName service.Name = "hydra" + +// From retrieves the hydra service in the given container +func From(container *service.Container) (*Client, error) { + service, err := container.Service(ServiceName) + if err != nil { + return nil, errors.Wrapf(err, "error while retrieving '%s' service", ServiceName) + } + + srv, ok := service.(*Client) + if !ok { + return nil, errors.Errorf("retrieved service is not a valid '%s' service", ServiceName) + } + + return srv, nil +} + +// Must retrieves the hydra service in the given container or panic otherwise +func Must(container *service.Container) *Client { + srv, err := From(container) + if err != nil { + panic(err) + } + + return srv +} diff --git a/internal/route/api/create_user.go b/internal/route/api/create_user.go new file mode 100644 index 0000000..44ac675 --- /dev/null +++ b/internal/route/api/create_user.go @@ -0,0 +1,52 @@ +package api + +import ( + "net/http" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/storage" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/api" + "gitlab.com/wpetit/goweb/logger" + "gitlab.com/wpetit/goweb/middleware/container" +) + +type CreateUserRequest struct { + Username string `json:"username" validate:"required"` + Attributes map[string]any `json:"attributes"` +} + +type CreateUserResponse struct { + User *storage.User `json:"user"` +} + +func CreateUser(w http.ResponseWriter, r *http.Request) { + createUserReq := &CreateUserRequest{} + if ok := api.Bind(w, r, createUserReq); !ok { + return + } + + ctx := r.Context() + ctn := container.Must(ctx) + storageSrv := storage.Must(ctn) + + user, err := storageSrv.User().CreateUser(ctx, createUserReq.Username, createUserReq.Attributes) + if err != nil { + if errors.Is(err, storage.ErrAlreadyExist) { + logger.Warn(ctx, "user already exists", logger.E(errors.WithStack(err)), logger.F("username", createUserReq.Username)) + api.ErrorResponse(w, http.StatusConflict, ErrCodeAlreadyExist, nil) + + return + } + + logger.Error(ctx, "could not create user", logger.E(errors.WithStack(err))) + api.ErrorResponse(w, http.StatusInternalServerError, api.ErrCodeUnknownError, nil) + + return + } + + response := CreateUserResponse{ + User: user, + } + + api.DataResponse(w, http.StatusCreated, response) +} diff --git a/internal/route/api/error.go b/internal/route/api/error.go new file mode 100644 index 0000000..9a01f8d --- /dev/null +++ b/internal/route/api/error.go @@ -0,0 +1,8 @@ +package api + +import "gitlab.com/wpetit/goweb/api" + +var ( + ErrCodeAlreadyExist api.ErrorCode = "already-exist" + ErrNotModified api.ErrorCode = "not-modified" +) diff --git a/internal/route/api/generate_registration_link.go b/internal/route/api/generate_registration_link.go new file mode 100644 index 0000000..39c27a2 --- /dev/null +++ b/internal/route/api/generate_registration_link.go @@ -0,0 +1,45 @@ +package api + +import ( + "net/http" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/storage" + "github.com/go-chi/chi" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/api" + "gitlab.com/wpetit/goweb/logger" + "gitlab.com/wpetit/goweb/middleware/container" +) + +type GenerateRegistrationLinkResponse struct { + RegistrationLink *storage.RegistrationLink `json:"registrationLink"` +} + +func GenerateRegistrationLink(w http.ResponseWriter, r *http.Request) { + userID := chi.URLParam(r, "userID") + + ctx := r.Context() + ctn := container.Must(ctx) + storageSrv := storage.Must(ctn) + + registrationLink, err := storageSrv.User().GenerateRegistrationLink(ctx, userID) + if err != nil { + if errors.Is(err, storage.ErrNotFound) { + logger.Warn(ctx, "user not found", logger.E(errors.WithStack(err)), logger.F("userID", userID)) + api.ErrorResponse(w, http.StatusNotFound, api.ErrCodeNotFound, nil) + + return + } + + logger.Error(ctx, "could not generate registration link", logger.E(errors.WithStack(err))) + api.ErrorResponse(w, http.StatusInternalServerError, api.ErrCodeUnknownError, nil) + + return + } + + response := GenerateRegistrationLinkResponse{ + RegistrationLink: registrationLink, + } + + api.DataResponse(w, http.StatusCreated, response) +} diff --git a/internal/route/api/get_registration_link.go b/internal/route/api/get_registration_link.go new file mode 100644 index 0000000..1958ee7 --- /dev/null +++ b/internal/route/api/get_registration_link.go @@ -0,0 +1,45 @@ +package api + +import ( + "net/http" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/storage" + "github.com/go-chi/chi" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/api" + "gitlab.com/wpetit/goweb/logger" + "gitlab.com/wpetit/goweb/middleware/container" +) + +type GetRegistrationLinkResponse struct { + RegistrationLink *storage.RegistrationLink `json:"registrationLink"` +} + +func GetRegistrationLink(w http.ResponseWriter, r *http.Request) { + userID := chi.URLParam(r, "userID") + + ctx := r.Context() + ctn := container.Must(ctx) + storageSrv := storage.Must(ctn) + + registrationLink, err := storageSrv.User().GetRegistrationLink(ctx, userID) + if err != nil { + if errors.Is(err, storage.ErrNotFound) { + logger.Warn(ctx, "registration link or associated user not found", logger.E(errors.WithStack(err)), logger.F("userID", userID)) + api.ErrorResponse(w, http.StatusNotFound, api.ErrCodeNotFound, nil) + + return + } + + logger.Error(ctx, "could not get registration link", logger.E(errors.WithStack(err))) + api.ErrorResponse(w, http.StatusInternalServerError, api.ErrCodeUnknownError, nil) + + return + } + + response := GetRegistrationLinkResponse{ + RegistrationLink: registrationLink, + } + + api.DataResponse(w, http.StatusOK, response) +} diff --git a/internal/route/api/get_user.go b/internal/route/api/get_user.go new file mode 100644 index 0000000..bb191ad --- /dev/null +++ b/internal/route/api/get_user.go @@ -0,0 +1,45 @@ +package api + +import ( + "net/http" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/storage" + "github.com/go-chi/chi" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/api" + "gitlab.com/wpetit/goweb/logger" + "gitlab.com/wpetit/goweb/middleware/container" +) + +type GetUserResponse struct { + User *storage.User `json:"user"` +} + +func GetUser(w http.ResponseWriter, r *http.Request) { + userID := chi.URLParam(r, "userID") + + ctx := r.Context() + ctn := container.Must(ctx) + storageSrv := storage.Must(ctn) + + user, err := storageSrv.User().FindUserByID(ctx, userID) + if err != nil { + if errors.Is(err, storage.ErrNotFound) { + logger.Warn(ctx, "could not find user", logger.E(errors.WithStack(err)), logger.F("userID", userID)) + api.ErrorResponse(w, http.StatusNotFound, api.ErrCodeNotFound, nil) + + return + } + + logger.Error(ctx, "could not get user", logger.E(errors.WithStack(err))) + api.ErrorResponse(w, http.StatusInternalServerError, api.ErrCodeUnknownError, nil) + + return + } + + response := GetUserResponse{ + User: user, + } + + api.DataResponse(w, http.StatusOK, response) +} diff --git a/internal/route/api/list_users.go b/internal/route/api/list_users.go new file mode 100644 index 0000000..50c38fb --- /dev/null +++ b/internal/route/api/list_users.go @@ -0,0 +1,42 @@ +package api + +import ( + "net/http" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/storage" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/api" + "gitlab.com/wpetit/goweb/logger" + "gitlab.com/wpetit/goweb/middleware/container" +) + +type ListUsersResponse struct { + Users []storage.UserHeader `json:"users"` +} + +func ListUsers(w http.ResponseWriter, r *http.Request) { + ctx := r.Context() + ctn := container.Must(ctx) + storageSrv := storage.Must(ctn) + + users, err := storageSrv.User().ListUsers(ctx) + if err != nil { + if errors.Is(err, storage.ErrNotFound) { + logger.Warn(ctx, "could not list users", logger.E(errors.WithStack(err))) + api.ErrorResponse(w, http.StatusNotFound, api.ErrCodeNotFound, nil) + + return + } + + logger.Error(ctx, "could not get user", logger.E(errors.WithStack(err))) + api.ErrorResponse(w, http.StatusInternalServerError, api.ErrCodeUnknownError, nil) + + return + } + + response := ListUsersResponse{ + Users: users, + } + + api.DataResponse(w, http.StatusOK, response) +} diff --git a/internal/route/api/mount.go b/internal/route/api/mount.go new file mode 100644 index 0000000..d8de11d --- /dev/null +++ b/internal/route/api/mount.go @@ -0,0 +1,33 @@ +package api + +import ( + "forge.cadoles.com/wpetit/hydra-webauthn/internal/config" + "github.com/go-chi/chi" + "github.com/go-chi/chi/middleware" +) + +func Mount(r *chi.Mux, config *config.Config) error { + basicAuth := middleware.BasicAuth("Hydra WebAuthn", toCredentials(config.API.Authentication.Accounts)) + + r.Route("/api/v1", func(r chi.Router) { + r.Use(basicAuth) + r.Post("/users", CreateUser) + r.Get("/users/{userID}", GetUser) + r.Get("/users", ListUsers) + r.Post("/users/{userID}/registration-link", GenerateRegistrationLink) + r.Get("/users/{userID}/registration-link", GetRegistrationLink) + r.Put("/users/{userID}", UpdateUser) + }) + + return nil +} + +func toCredentials(accounts []config.AccountConfig) map[string]string { + credentials := make(map[string]string, len(accounts)) + + for _, acc := range accounts { + credentials[acc.Username] = acc.Password + } + + return credentials +} diff --git a/internal/route/api/update_user.go b/internal/route/api/update_user.go new file mode 100644 index 0000000..a64bbac --- /dev/null +++ b/internal/route/api/update_user.go @@ -0,0 +1,85 @@ +package api + +import ( + "net/http" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/storage" + "github.com/go-chi/chi" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/api" + "gitlab.com/wpetit/goweb/logger" + "gitlab.com/wpetit/goweb/middleware/container" +) + +type UpdateUserRequest struct { + Username *string `json:"username"` + Attributes *map[string]any `json:"attributes"` +} + +type UpdateUserResponse struct { + User *storage.User `json:"user"` +} + +func UpdateUser(w http.ResponseWriter, r *http.Request) { + userID := chi.URLParam(r, "userID") + + updateUserReq := &UpdateUserRequest{} + if ok := api.Bind(w, r, updateUserReq); !ok { + return + } + + ctx := r.Context() + ctn := container.Must(ctx) + storageSrv := storage.Must(ctn) + + var ( + user *storage.User + err error + ) + + if updateUserReq.Username != nil { + user, err = storageSrv.User().UpdateUserUsername(ctx, userID, *updateUserReq.Username) + if err != nil { + if errors.Is(err, storage.ErrNotFound) { + logger.Warn(ctx, "could not find user", logger.E(errors.WithStack(err)), logger.F("userID", userID)) + api.ErrorResponse(w, http.StatusNotFound, api.ErrCodeNotFound, nil) + + return + } + + logger.Error(ctx, "could not update username", logger.E(errors.WithStack(err))) + api.ErrorResponse(w, http.StatusInternalServerError, api.ErrCodeUnknownError, nil) + + return + } + } + + if updateUserReq.Attributes != nil { + user, err = storageSrv.User().UpdateUserAttributes(ctx, userID, *updateUserReq.Attributes) + if err != nil { + if errors.Is(err, storage.ErrNotFound) { + logger.Warn(ctx, "could not find user", logger.E(errors.WithStack(err)), logger.F("userID", userID)) + api.ErrorResponse(w, http.StatusNotFound, api.ErrCodeNotFound, nil) + + return + } + + logger.Error(ctx, "could not update attributes", logger.E(errors.WithStack(err)), logger.F("userID", userID)) + api.ErrorResponse(w, http.StatusInternalServerError, api.ErrCodeUnknownError, nil) + + return + } + } + + if user == nil { + api.ErrorResponse(w, http.StatusBadRequest, ErrNotModified, nil) + + return + } + + response := UpdateUserResponse{ + User: user, + } + + api.DataResponse(w, http.StatusOK, response) +} diff --git a/internal/route/common/helper.go b/internal/route/common/helper.go new file mode 100644 index 0000000..7d3c16f --- /dev/null +++ b/internal/route/common/helper.go @@ -0,0 +1,58 @@ +package common + +import ( + "net/http" + "strings" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/config" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/middleware/container" + "gitlab.com/wpetit/goweb/service" + "gitlab.com/wpetit/goweb/service/template" + "gitlab.com/wpetit/goweb/template/html" +) + +func ExtendTemplateData(w http.ResponseWriter, r *http.Request, data template.Data) template.Data { + ctn := container.Must(r.Context()) + data, err := template.Extend(data, + html.WithFlashes(w, r, ctn), + template.WithBuildInfo(w, r, ctn), + withBaseURL(w, r, ctn), + ) + if err != nil { + panic(errors.Wrap(err, "could not extend template data")) + } + + return data +} + +func withBaseURL(w http.ResponseWriter, r *http.Request, ctn *service.Container) template.DataExtFunc { + return func(data template.Data) (template.Data, error) { + conf, err := config.From(ctn) + if err != nil { + return nil, errors.WithStack(err) + } + + data["BaseURL"] = strings.TrimSuffix(conf.HTTP.BaseURL, "/") + + return data, nil + } +} + +func RenderErrorPage(w http.ResponseWriter, r *http.Request, statusCode int, title, description string) error { + ctn := container.Must(r.Context()) + tmpl := template.Must(ctn) + + data := ExtendTemplateData(w, r, template.Data{ + "ErrorTitle": title, + "ErrorDescription": description, + }) + + w.WriteHeader(statusCode) + + if err := tmpl.RenderPage(w, "error.html.tmpl", data); err != nil { + return errors.Wrap(err, "could not render error page") + } + + return nil +} diff --git a/internal/route/home.go b/internal/route/home.go new file mode 100644 index 0000000..110b8fe --- /dev/null +++ b/internal/route/home.go @@ -0,0 +1,21 @@ +package route + +import ( + "net/http" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/route/common" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/middleware/container" + "gitlab.com/wpetit/goweb/service/template" +) + +func serveHomePage(w http.ResponseWriter, r *http.Request) { + ctn := container.Must(r.Context()) + tmpl := template.Must(ctn) + + data := common.ExtendTemplateData(w, r, template.Data{}) + + if err := tmpl.RenderPage(w, "home.html.tmpl", data); err != nil { + panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path)) + } +} diff --git a/internal/route/hydra/consent.go b/internal/route/hydra/consent.go new file mode 100644 index 0000000..d6d1199 --- /dev/null +++ b/internal/route/hydra/consent.go @@ -0,0 +1,50 @@ +package hydra + +import ( + "net/http" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/hydra" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/middleware/container" +) + +func serveConsentPage(w http.ResponseWriter, r *http.Request) { + ctn := container.Must(r.Context()) + hydr := hydra.Must(ctn) + + challenge, err := hydr.ConsentChallenge(r) + if err != nil { + if err == hydra.ErrChallengeNotFound { + http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) + + return + } + + panic(errors.Wrap(err, "could not retrieve consent challenge")) + } + + consentRes, err := hydr.ConsentRequest(challenge) + if err != nil { + panic(errors.Wrap(err, "could not retrieve hydra consent response")) + } + + userAttributes, ok := consentRes.Context["userAttributes"].(map[string]any) + if !ok { + userAttributes = make(map[string]any) + } + + acceptConsentReq := &hydra.AcceptConsentRequest{ + GrantScope: consentRes.RequestedScope, + GrantAccessTokenAudience: consentRes.RequestedAccessTokenAudience, + Session: hydra.AcceptConsentSession{ + IDToken: userAttributes, + }, + } + + acceptRes, err := hydr.AcceptConsentRequest(challenge, acceptConsentReq) + if err != nil { + panic(errors.Wrap(err, "could not accept hydra consent request")) + } + + http.Redirect(w, r, acceptRes.RedirectTo, http.StatusTemporaryRedirect) +} diff --git a/internal/route/hydra/login.go b/internal/route/hydra/login.go new file mode 100644 index 0000000..0af129c --- /dev/null +++ b/internal/route/hydra/login.go @@ -0,0 +1,272 @@ +package hydra + +import ( + "encoding/base64" + "encoding/gob" + "encoding/json" + "net/http" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/config" + "forge.cadoles.com/wpetit/hydra-webauthn/internal/hydra" + "forge.cadoles.com/wpetit/hydra-webauthn/internal/route/common" + "forge.cadoles.com/wpetit/hydra-webauthn/internal/storage" + "forge.cadoles.com/wpetit/hydra-webauthn/internal/webauthn" + "github.com/getsentry/sentry-go" + "github.com/go-webauthn/webauthn/protocol" + "github.com/gorilla/csrf" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/logger" + "gitlab.com/wpetit/goweb/middleware/container" + "gitlab.com/wpetit/goweb/service/session" + "gitlab.com/wpetit/goweb/service/template" +) + +func init() { + gob.Register(&webauthn.SessionData{}) +} + +func serveLoginPage(w http.ResponseWriter, r *http.Request) { + ctn := container.Must(r.Context()) + hydr := hydra.Must(ctn) + + challenge, err := hydr.LoginChallenge(r) + if err != nil { + if errors.Is(err, hydra.ErrChallengeNotFound) { + err := common.RenderErrorPage( + w, r, + http.StatusBadRequest, + "Requête invalide", + "Certaines informations requises afin de réaliser votre requête sont absentes.", + ) + if err != nil { + panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path)) + } + + return + } + + panic(errors.Wrap(err, "could not retrieve login challenge")) + } + + res, err := hydr.LoginRequest(challenge) + if err != nil { + panic(errors.Wrap(err, "could not retrieve hydra login response")) + } + + if res.Skip { + accept := &hydra.AcceptLoginRequest{ + Subject: res.Subject, + Context: map[string]interface{}{ + "username": res.Subject, + }, + } + + res, err := hydr.AcceptLoginRequest(challenge, accept) + if err != nil { + panic(errors.Wrap(err, "could not retrieve hydra accept response")) + } + + http.Redirect(w, r, res.RedirectTo, http.StatusSeeOther) + + return + } + + tmpl := template.Must(ctn) + + data := common.ExtendTemplateData(w, r, template.Data{ + csrf.TemplateTag: csrf.TemplateField(r), + "LoginChallenge": challenge, + "ClientName": res.Client.ClientName, + "ClientURI": res.Client.ClientURI, + "Username": "", + "RememberMe": "", + "CredentialAssertion": nil, + }) + + if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil { + panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path)) + } +} + +func handleLoginForm(w http.ResponseWriter, r *http.Request) { + ctx := r.Context() + ctn := container.Must(ctx) + tmpl := template.Must(ctn) + hydr := hydra.Must(ctn) + strg := storage.Must(ctn) + conf := config.Must(ctn) + wbth := webauthn.Must(ctn) + sesn := session.Must(ctn) + + if err := r.ParseForm(); err != nil { + http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) + + return + } + + challenge := r.Form.Get("challenge") + + if challenge == "" { + err := common.RenderErrorPage( + w, r, + http.StatusBadRequest, + "Requête invalide", + "Certaines informations requises sont manquantes pour pouvoir réaliser votre requête.", + ) + if err != nil { + panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path)) + } + + return + } + + res, err := hydr.LoginRequest(challenge) + if err != nil { + panic(errors.Wrap(err, "could not retrieve hydra login response")) + } + + username := r.Form.Get("username") + rememberMe := r.Form.Get("rememberme") == "on" + + renderPage := func(assertionRequest *protocol.CredentialAssertion) { + data := common.ExtendTemplateData(w, r, template.Data{ + csrf.TemplateTag: csrf.TemplateField(r), + "LoginChallenge": challenge, + "Username": username, + "RememberMe": rememberMe, + "AssertionRequest": assertionRequest, + "ClientName": res.Client.ClientName, + "ClientURI": res.Client.ClientURI, + }) + + if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil { + panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path)) + } + } + + sess, err := sesn.Get(w, r) + if err != nil { + panic(errors.Wrap(err, "could not retrieve session")) + } + + renderFlashError := func(message string) { + sess.AddFlash(session.FlashError, message) + + if err := sess.Save(w, r); err != nil { + panic(errors.Wrap(err, "could not save session")) + } + + renderPage(nil) + } + + user, err := strg.User().FindUserByUsername(ctx, username) + if err != nil { + if errors.Is(err, storage.ErrNotFound) { + renderFlashError("Impossible de trouver un compte associé à ce nom d'utilisateur.") + + return + } + + panic(errors.Wrap(err, "could not find user")) + } + + if !r.Form.Has("assertion") { + if len(user.WebAuthnCredentials()) == 0 { + renderFlashError("Aucune clé n'est encore associée à ce compte. Contactez votre administrateur.") + + return + } + + assertionRequest, webAuthnSessionData, err := wbth.BeginLogin(user) + if err != nil { + panic(errors.Wrap(err, "could not begin webauthn login")) + } + + sess.Set("webauthn", webAuthnSessionData) + + if err := sess.Save(w, r); err != nil { + panic(errors.Wrap(err, "could not save session")) + } + + renderPage(assertionRequest) + + return + } + + webAuthnSessionData, ok := sess.Get("webauthn").(*webauthn.SessionData) + if !ok { + panic(errors.New("could not retrieve webauthn session data")) + } + + base64Assertion := r.Form.Get("assertion") + if base64Assertion == "" { + renderFlashError("Authentification échouée.") + + return + } + + rawAssertion, err := base64.RawURLEncoding.DecodeString(base64Assertion) + if err != nil { + logger.Error(ctx, "could not parse base64 encoded assertion", logger.E(errors.WithStack(err))) + http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) + + return + } + + var car protocol.CredentialAssertionResponse + if err := json.Unmarshal(rawAssertion, &car); err != nil { + logger.Error(ctx, "could not parse credential assertion response", logger.E(errors.WithStack(err))) + http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) + + return + } + + parsedResponse, err := car.Parse() + if err != nil { + logger.Error(ctx, "could not parse credential assertion response", logger.E(errors.WithStack(err))) + http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) + + return + } + + if _, err := wbth.ValidateLogin(user, *webAuthnSessionData, parsedResponse); err != nil { + logger.Error(ctx, "could not authenticate user", logger.E(errors.WithStack(err))) + renderFlashError("Authentification échouée.") + + return + } + + rememberFor := conf.Session.DefaultDuration + if rememberMe { + rememberFor = conf.Session.RememberMeDuration + } + + accept := &hydra.AcceptLoginRequest{ + Subject: user.Username, + Remember: rememberMe, + RememberFor: rememberFor, + Context: map[string]any{ + "userAttributes": user.Attributes, + }, + } + + loginRes, err := hydr.AcceptLoginRequest(challenge, accept) + if err != nil { + sentry.CaptureException(err) + logger.Error(ctx, "could not retrieve hydra accept response", logger.E(err)) + + err := common.RenderErrorPage( + w, r, + http.StatusBadRequest, + "Lien invalide", + "Le lien de connexion utilisé est invalide ou a expiré.", + ) + if err != nil { + panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path)) + } + + return + } + + http.Redirect(w, r, loginRes.RedirectTo, http.StatusSeeOther) +} diff --git a/internal/route/hydra/logout.go b/internal/route/hydra/logout.go new file mode 100644 index 0000000..0175854 --- /dev/null +++ b/internal/route/hydra/logout.go @@ -0,0 +1,47 @@ +package hydra + +import ( + "net/http" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/hydra" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/middleware/container" + "gitlab.com/wpetit/goweb/service/session" +) + +func serveLogoutPage(w http.ResponseWriter, r *http.Request) { + ctn := container.Must(r.Context()) + hydr := hydra.Must(ctn) + + challenge, err := hydr.LogoutChallenge(r) + if err != nil { + if errors.Is(err, hydra.ErrChallengeNotFound) { + http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) + + return + } + + panic(errors.Wrap(err, "could not retrieve logout challenge")) + } + + _, err = hydr.LogoutRequest(challenge) + if err != nil { + panic(errors.Wrap(err, "could not retrieve hydra logout response")) + } + + acceptRes, err := hydr.AcceptLogoutRequest(challenge) + if err != nil { + panic(errors.Wrap(err, "could not retrieve hydra accept logout response")) + } + + sess, err := session.Must(ctn).Get(w, r) + if err != nil { + panic(errors.Wrap(err, "could not retrieve session")) + } + + if err := sess.Delete(w, r); err != nil { + panic(errors.Wrap(err, "could not delete session")) + } + + http.Redirect(w, r, acceptRes.RedirectTo, http.StatusSeeOther) +} diff --git a/internal/route/hydra/mount.go b/internal/route/hydra/mount.go new file mode 100644 index 0000000..8ea659d --- /dev/null +++ b/internal/route/hydra/mount.go @@ -0,0 +1,34 @@ +package hydra + +import ( + "forge.cadoles.com/wpetit/hydra-webauthn/internal/config" + + "github.com/go-chi/chi" + "github.com/gorilla/csrf" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/session/gorilla" +) + +func Mount(r *chi.Mux, config *config.Config) error { + csrfSecret, err := gorilla.GenerateRandomBytes(32) + if err != nil { + return errors.Wrap(err, "could not generate CSRF secret") + } + + csrfMiddleware := csrf.Protect( + csrfSecret, + csrf.Secure(false), + ) + + r.Group(func(r chi.Router) { + r.Use(csrfMiddleware) + r.Get("/login", serveLoginPage) + r.Post("/login", handleLoginForm) + r.Get("/logout", serveLogoutPage) + r.Get("/consent", serveConsentPage) + r.Get("/register/{token}", serveRegisterPage) + r.Post("/register/{token}", handleRegisterForm) + }) + + return nil +} diff --git a/internal/route/hydra/register.go b/internal/route/hydra/register.go new file mode 100644 index 0000000..abed0b3 --- /dev/null +++ b/internal/route/hydra/register.go @@ -0,0 +1,171 @@ +package hydra + +import ( + "encoding/base64" + "encoding/json" + "net/http" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/route/common" + "forge.cadoles.com/wpetit/hydra-webauthn/internal/storage" + "forge.cadoles.com/wpetit/hydra-webauthn/internal/webauthn" + "github.com/go-chi/chi" + "github.com/go-webauthn/webauthn/protocol" + "github.com/gorilla/csrf" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/logger" + "gitlab.com/wpetit/goweb/middleware/container" + "gitlab.com/wpetit/goweb/service/session" + "gitlab.com/wpetit/goweb/service/template" +) + +func serveRegisterPage(w http.ResponseWriter, r *http.Request) { + ctx := r.Context() + ctn := container.Must(ctx) + tmpl := template.Must(ctn) + webAuthn := webauthn.Must(ctn) + session := session.Must(ctn) + storageSrv := storage.Must(ctn) + + token := chi.URLParam(r, "token") + registrationLink, err := storageSrv.User().GetRegistrationLinkByToken(ctx, token) + if err != nil { + if errors.Is(err, storage.ErrNotFound) { + logger.Warn(ctx, "registration link not found", logger.E(errors.WithStack(err))) + http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound) + + return + } + + panic(errors.Wrap(err, "could not retrieve registration link")) + } + + user, err := storageSrv.User().FindUserByID(ctx, registrationLink.UserID) + if err != nil { + if errors.Is(err, storage.ErrNotFound) { + logger.Warn(ctx, "user not found", logger.E(errors.WithStack(err))) + http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound) + + return + } + + panic(errors.Wrap(err, "could not retrieve user")) + } + + webAuthnOptions, webAuthnSessionData, err := webAuthn.BeginRegistration(user) + if err != nil { + panic(errors.Wrap(err, "could not begin discoverable login")) + } + + sess, err := session.Get(w, r) + if err != nil { + panic(errors.Wrap(err, "could not retrieve session")) + } + + sess.Set("webauthn", webAuthnSessionData) + + if err := sess.Save(w, r); err != nil { + panic(errors.Wrap(err, "could not save session")) + } + + data := common.ExtendTemplateData(w, r, template.Data{ + csrf.TemplateTag: csrf.TemplateField(r), + "WebAuthnOptions": webAuthnOptions, + "Token": registrationLink.Token, + }) + + if err := tmpl.RenderPage(w, "register.html.tmpl", data); err != nil { + panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path)) + } +} + +func handleRegisterForm(w http.ResponseWriter, r *http.Request) { + ctx := r.Context() + serviceContainer := container.Must(ctx) + webAuthnService := webauthn.Must(serviceContainer) + sessionService := session.Must(serviceContainer) + storageSrv := storage.Must(serviceContainer) + + token := chi.URLParam(r, "token") + registrationLink, err := storageSrv.User().GetRegistrationLinkByToken(ctx, token) + if err != nil { + if errors.Is(err, storage.ErrNotFound) { + logger.Warn(ctx, "registration link not found", logger.E(errors.WithStack(err))) + http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound) + + return + } + + panic(errors.Wrap(err, "could not retrieve registration link")) + } + + user, err := storageSrv.User().FindUserByID(ctx, registrationLink.UserID) + if err != nil { + if errors.Is(err, storage.ErrNotFound) { + logger.Warn(ctx, "user not found", logger.E(errors.WithStack(err))) + http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound) + + return + } + + panic(errors.Wrap(err, "could not retrieve user")) + } + + if err := r.ParseForm(); err != nil { + http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) + + return + } + + base64Credentials := r.Form.Get("credentials") + + rawCredentials, err := base64.RawURLEncoding.DecodeString(base64Credentials) + if err != nil { + logger.Error(ctx, "could not parse base64 encoded credentials", logger.E(errors.WithStack(err))) + http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) + + return + } + + var ccr protocol.CredentialCreationResponse + if err := json.Unmarshal(rawCredentials, &ccr); err != nil { + logger.Error(ctx, "could not parse credential creation response", logger.E(errors.WithStack(err))) + http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) + + return + } + + parsedResponse, err := ccr.Parse() + if err != nil { + logger.Error(ctx, "could not parse credential creation response", logger.E(errors.WithStack(err))) + http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) + + return + } + + sess, err := sessionService.Get(w, r) + if err != nil { + logger.Error(ctx, "could not retrieve session", logger.E(errors.WithStack(err))) + http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) + + return + } + + webAuthnSessionData := sess.Get("webauthn").(*webauthn.SessionData) + + credential, err := webAuthnService.CreateCredential(user, *webAuthnSessionData, parsedResponse) + if err != nil { + logger.Error(ctx, "could not create user credential", logger.E(errors.WithStack(err))) + http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) + + return + } + + if _, err := storageSrv.User().AddUserCredential(ctx, user.ID, credential); err != nil { + logger.Error(ctx, "could not add credential", logger.E(errors.WithStack(err))) + http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) + + return + } + + http.Redirect(w, r, "/registered", http.StatusSeeOther) +} diff --git a/internal/route/mount.go b/internal/route/mount.go new file mode 100644 index 0000000..da253e2 --- /dev/null +++ b/internal/route/mount.go @@ -0,0 +1,22 @@ +package route + +import ( + "forge.cadoles.com/wpetit/hydra-webauthn/internal/config" + "forge.cadoles.com/wpetit/hydra-webauthn/internal/route/api" + "forge.cadoles.com/wpetit/hydra-webauthn/internal/route/hydra" + + "github.com/go-chi/chi" + "gitlab.com/wpetit/goweb/static" +) + +func Mount(r *chi.Mux, config *config.Config) error { + + r.Get("/", serveHomePage) + hydra.Mount(r, config) + api.Mount(r, config) + + notFoundHandler := r.NotFoundHandler() + r.Get("/*", static.Dir(config.HTTP.PublicDir, "", notFoundHandler)) + + return nil +} diff --git a/internal/storage/credential.go b/internal/storage/credential.go new file mode 100644 index 0000000..bdfcd9a --- /dev/null +++ b/internal/storage/credential.go @@ -0,0 +1,8 @@ +package storage + +import "github.com/go-webauthn/webauthn/webauthn" + +type Credential struct { + ID string `json:"id"` + Credential *webauthn.Credential `json:"credential"` +} diff --git a/internal/storage/error.go b/internal/storage/error.go new file mode 100644 index 0000000..7510544 --- /dev/null +++ b/internal/storage/error.go @@ -0,0 +1,8 @@ +package storage + +import "errors" + +var ( + ErrAlreadyExist = errors.New("already exist") + ErrNotFound = errors.New("not found") +) diff --git a/internal/storage/id.go b/internal/storage/id.go new file mode 100644 index 0000000..4d1849b --- /dev/null +++ b/internal/storage/id.go @@ -0,0 +1,7 @@ +package storage + +import "github.com/google/uuid" + +func NewID() string { + return uuid.New().String() +} diff --git a/internal/storage/provider.go b/internal/storage/provider.go new file mode 100644 index 0000000..7f31f72 --- /dev/null +++ b/internal/storage/provider.go @@ -0,0 +1,15 @@ +package storage + +import ( + "gitlab.com/wpetit/goweb/service" +) + +func ServiceProvider(userRepo UserRepository) service.Provider { + srv := &Service{ + userRepository: userRepo, + } + + return func(ctn *service.Container) (interface{}, error) { + return srv, nil + } +} diff --git a/internal/storage/registration_link.go b/internal/storage/registration_link.go new file mode 100644 index 0000000..e1c7c50 --- /dev/null +++ b/internal/storage/registration_link.go @@ -0,0 +1,17 @@ +package storage + +import "time" + +type RegistrationLink struct { + Token string `json:"token"` + UserID string `json:"userId"` + CreatedAt time.Time `json:"createdAt"` +} + +func NewRegistrationLink(userID string) *RegistrationLink { + return &RegistrationLink{ + UserID: userID, + Token: NewID(), + CreatedAt: time.Now(), + } +} diff --git a/internal/storage/service.go b/internal/storage/service.go new file mode 100644 index 0000000..82f3d53 --- /dev/null +++ b/internal/storage/service.go @@ -0,0 +1,41 @@ +package storage + +import ( + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/service" +) + +const ServiceName service.Name = "storage" + +// From retrieves the storage service in the given container +func From(container *service.Container) (*Service, error) { + service, err := container.Service(ServiceName) + if err != nil { + return nil, errors.Wrapf(err, "error while retrieving '%s' service", ServiceName) + } + + srv, ok := service.(*Service) + if !ok { + return nil, errors.Errorf("retrieved service is not a valid '%s' service", ServiceName) + } + + return srv, nil +} + +// Must retrieves the storage service in the given container or panic otherwise +func Must(container *service.Container) *Service { + srv, err := From(container) + if err != nil { + panic(err) + } + + return srv +} + +type Service struct { + userRepository UserRepository +} + +func (s *Service) User() UserRepository { + return s.userRepository +} diff --git a/internal/storage/sqlite/user_repository.go b/internal/storage/sqlite/user_repository.go new file mode 100644 index 0000000..d518baa --- /dev/null +++ b/internal/storage/sqlite/user_repository.go @@ -0,0 +1,682 @@ +package sqlite + +import ( + "context" + "database/sql" + "encoding/json" + "fmt" + "strings" + "time" + + "forge.cadoles.com/wpetit/hydra-webauthn/internal/storage" + "github.com/go-webauthn/webauthn/webauthn" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/logger" + + _ "embed" + + _ "modernc.org/sqlite" +) + +type UserRepository struct { + db *sql.DB + sqliteBusyRetryMaxAttempts int +} + +// Create implements storage.UserRepository. +func (r *UserRepository) CreateUser(ctx context.Context, username string, attributes map[string]any) (*storage.User, error) { + user := storage.NewUser(username, attributes) + + err := r.withTxRetry(ctx, func(tx *sql.Tx) error { + query := `SELECT COUNT(id) FROM users WHERE username = $1` + args := []any{ + user.Username, + } + + row := tx.QueryRowContext(ctx, query, args...) + + var count int64 + if err := row.Scan(&count); err != nil { + return errors.WithStack(err) + } + + if err := row.Err(); err != nil { + return errors.WithStack(err) + } + + if count > 0 { + return errors.WithStack(storage.ErrAlreadyExist) + } + + query = ` + INSERT INTO users (id, username, attributes, created_at, updated_at) + VALUES ($1, $2, $3, $4, $4) + ` + + rawAttributes, err := json.Marshal(user.Attributes) + if err != nil { + return errors.WithStack(err) + } + + args = []any{ + user.ID, + user.Username, + rawAttributes, + user.CreatedAt, + user.UpdatedAt, + } + + if _, err := tx.ExecContext(ctx, query, args...); err != nil { + return errors.WithStack(err) + } + + return nil + }) + if err != nil { + return nil, errors.WithStack(err) + } + + return user, nil +} + +// DeleteUserByID implements storage.UserRepository. +func (*UserRepository) DeleteUserByID(ctx context.Context, username string) error { + panic("unimplemented") +} + +// FindUserByUsername implements storage.UserRepository. +func (r *UserRepository) FindUserByUsername(ctx context.Context, username string) (*storage.User, error) { + user, err := r.findUserBy(ctx, "username", username) + if err != nil { + return nil, errors.WithStack(err) + } + + return user, nil +} + +// FindUserByID implements storage.UserRepository. +func (r *UserRepository) FindUserByID(ctx context.Context, userID string) (*storage.User, error) { + user, err := r.findUserBy(ctx, "id", userID) + if err != nil { + return nil, errors.WithStack(err) + } + + return user, nil +} + +func (r *UserRepository) findUserBy(ctx context.Context, column string, value any) (*storage.User, error) { + user := &storage.User{} + err := r.withTxRetry(ctx, func(tx *sql.Tx) error { + query := fmt.Sprintf(`SELECT id, username, attributes, created_at, updated_at FROM users WHERE %s = $1`, column) + args := []any{ + value, + } + + var rawAttributes []byte + + row := tx.QueryRowContext(ctx, query, args...) + if err := row.Scan(&user.ID, &user.Username, &rawAttributes, &user.CreatedAt, &user.UpdatedAt); err != nil { + if errors.Is(err, sql.ErrNoRows) { + return errors.WithStack(storage.ErrNotFound) + } + + return errors.WithStack(err) + } + + if err := row.Err(); err != nil { + return errors.WithStack(err) + } + + if err := json.Unmarshal(rawAttributes, &user.Attributes); err != nil { + return errors.WithStack(err) + } + + if user.Attributes == nil { + user.Attributes = make(map[string]any) + } + + query = `SELECT credential FROM user_credentials WHERE user_id = $1` + args = []any{ + user.ID, + } + + rows, err := tx.QueryContext(ctx, query, args...) + if err != nil { + return errors.WithStack(err) + } + + defer func() { + if err := rows.Close(); err != nil { + logger.Error(ctx, "could not close rows", logger.E(errors.WithStack(err))) + } + }() + + user.Credentials = make([]webauthn.Credential, 0) + + for rows.Next() { + var ( + rawCredential []byte + credential webauthn.Credential + ) + + if err := rows.Scan(&rawCredential); err != nil { + return errors.WithStack(err) + } + + if err := json.Unmarshal(rawCredential, &credential); err != nil { + return errors.WithStack(err) + } + + user.Credentials = append(user.Credentials, credential) + } + + if err := rows.Err(); err != nil { + return errors.WithStack(err) + } + + return nil + }) + if err != nil { + return nil, errors.WithStack(err) + } + + return user, nil +} + +// List implements storage.UserRepository. +func (r *UserRepository) ListUsers(ctx context.Context) ([]storage.UserHeader, error) { + users := make([]storage.UserHeader, 0) + + err := r.withTxRetry(ctx, func(tx *sql.Tx) error { + query := `SELECT id, username, created_at, updated_at FROM users` + + rows, err := tx.QueryContext(ctx, query) + if err != nil { + return errors.WithStack(err) + } + + defer func() { + if err := rows.Close(); err != nil { + logger.Error(ctx, "could not close rows", logger.E(errors.WithStack(err))) + } + }() + + for rows.Next() { + user := storage.UserHeader{} + if err := rows.Scan(&user.ID, &user.Username, &user.CreatedAt, &user.UpdatedAt); err != nil { + return errors.WithStack(err) + } + + users = append(users, user) + } + + if err := rows.Err(); err != nil { + return errors.WithStack(err) + } + + return nil + }) + if err != nil { + return nil, errors.WithStack(err) + } + + return users, nil +} + +// UpdateUsername implements storage.UserRepository. +func (r *UserRepository) UpdateUserUsername(ctx context.Context, userID string, username string) (*storage.User, error) { + var user *storage.User + + err := r.withTxRetry(ctx, func(tx *sql.Tx) error { + query := `SELECT COUNT(id) FROM users WHERE id = $1` + args := []any{ + userID, + } + + row := tx.QueryRowContext(ctx, query, args...) + + var count int64 + if err := row.Scan(&count); err != nil { + return errors.WithStack(err) + } + + if err := row.Err(); err != nil { + return errors.WithStack(err) + } + + if count == 0 { + return errors.WithStack(storage.ErrNotFound) + } + + query = ` + UPDATE users SET username = $1, updated_at = $2 WHERE id = $3 + RETURNING id, username, attributes, created_at, updated_at + ` + + args = []any{ + username, + time.Now(), + userID, + } + + var rawAttributes []byte + + user = &storage.User{} + + row = tx.QueryRowContext(ctx, query, args...) + if err := row.Scan(&user.ID, &user.Username, &rawAttributes, &user.CreatedAt, &user.UpdatedAt); err != nil { + return errors.WithStack(err) + } + + if err := row.Err(); err != nil { + return errors.WithStack(err) + } + + if err := json.Unmarshal(rawAttributes, &user.Attributes); err != nil { + return errors.WithStack(err) + } + + if user.Attributes == nil { + user.Attributes = make(map[string]any) + } + + return nil + }) + if err != nil { + return nil, errors.WithStack(err) + } + + return user, nil +} + +// Update implements storage.UserRepository. +func (r *UserRepository) UpdateUserAttributes(ctx context.Context, userID string, attributes map[string]any) (*storage.User, error) { + var user *storage.User + + err := r.withTxRetry(ctx, func(tx *sql.Tx) error { + query := `SELECT COUNT(id) FROM users WHERE id = $1` + args := []any{ + userID, + } + + row := tx.QueryRowContext(ctx, query, args...) + + var count int64 + if err := row.Scan(&count); err != nil { + return errors.WithStack(err) + } + + if err := row.Err(); err != nil { + return errors.WithStack(err) + } + + if count == 0 { + return errors.WithStack(storage.ErrNotFound) + } + + query = ` + UPDATE users SET attributes = $1, updated_at = $2 WHERE id = $3 + RETURNING id, username, attributes, created_at, updated_at + ` + + rawAttributes, err := json.Marshal(attributes) + if err != nil { + return errors.WithStack(err) + } + + args = []any{ + rawAttributes, + time.Now(), + userID, + } + + user = &storage.User{} + + row = tx.QueryRowContext(ctx, query, args...) + if err := row.Scan(&user.ID, &user.Username, &rawAttributes, &user.CreatedAt, &user.UpdatedAt); err != nil { + return errors.WithStack(err) + } + + if err := row.Err(); err != nil { + return errors.WithStack(err) + } + + if err := json.Unmarshal(rawAttributes, &user.Attributes); err != nil { + return errors.WithStack(err) + } + + if user.Attributes == nil { + user.Attributes = make(map[string]any) + } + + return nil + }) + if err != nil { + return nil, errors.WithStack(err) + } + + return user, nil +} + +// AddCredential implements storage.UserRepository. +func (r *UserRepository) AddUserCredential(ctx context.Context, userID string, credential *webauthn.Credential) (string, error) { + credentialID := storage.NewID() + + err := r.withTxRetry(ctx, func(tx *sql.Tx) error { + exists, err := r.userExists(ctx, tx, userID) + if err != nil { + return errors.WithStack(err) + } + + if !exists { + return errors.WithStack(storage.ErrNotFound) + } + + query := ` + INSERT INTO user_credentials (id, user_id, credential, created_at) + VALUES ($1, $2, $3, $4) + ` + + rawCredential, err := json.Marshal(credential) + if err != nil { + return errors.WithStack(err) + } + + args := []any{ + credentialID, + userID, + rawCredential, + time.Now(), + } + + if _, err := tx.ExecContext(ctx, query, args...); err != nil { + return errors.WithStack(err) + } + + return nil + }) + if err != nil { + return "", errors.WithStack(err) + } + + return credentialID, nil +} + +// RemoveCredential implements storage.UserRepository. +func (r *UserRepository) RemoveUserCredential(ctx context.Context, userID string, credentialID string) error { + err := r.withTxRetry(ctx, func(tx *sql.Tx) error { + exists, err := r.userExists(ctx, tx, userID) + if err != nil { + return errors.WithStack(err) + } + + if !exists { + return errors.WithStack(storage.ErrNotFound) + } + + query := ` + DELETE FROM user_credentials WHERE id = $1 AND user_id = $2 + ` + + args := []any{ + credentialID, + userID, + } + + if _, err := tx.ExecContext(ctx, query, args...); err != nil { + return errors.WithStack(err) + } + + return nil + }) + if err != nil { + return errors.WithStack(err) + } + + return nil +} + +// GenerateRegistrationLink implements storage.UserRepository. +func (r *UserRepository) GenerateRegistrationLink(ctx context.Context, userID string) (*storage.RegistrationLink, error) { + registrationLink := storage.NewRegistrationLink(userID) + + err := r.withTxRetry(ctx, func(tx *sql.Tx) error { + exists, err := r.userExists(ctx, tx, userID) + if err != nil { + return errors.WithStack(err) + } + + if !exists { + return errors.WithStack(storage.ErrNotFound) + } + + query := `DELETE FROM registration_links WHERE user_id = $1` + args := []any{ + registrationLink.UserID, + } + + if _, err := tx.ExecContext(ctx, query, args...); err != nil { + return errors.WithStack(err) + } + + query = ` + INSERT INTO registration_links (token, user_id, created_at) + VALUES ($1, $2, $3) + ` + + args = []any{ + registrationLink.Token, + registrationLink.UserID, + registrationLink.CreatedAt, + } + + if _, err := tx.ExecContext(ctx, query, args...); err != nil { + return errors.WithStack(err) + } + + return nil + }) + if err != nil { + return nil, errors.WithStack(err) + } + + return registrationLink, nil +} + +// ClearRegistrationLink implements storage.UserRepository. +func (*UserRepository) ClearRegistrationLink(ctx context.Context, userID string) error { + panic("unimplemented") +} + +// GetRegistrationLink implements storage.UserRepository. +func (r *UserRepository) GetRegistrationLink(ctx context.Context, userID string) (*storage.RegistrationLink, error) { + registrationLink := &storage.RegistrationLink{} + err := r.withTxRetry(ctx, func(tx *sql.Tx) error { + query := `SELECT token, user_id, created_at FROM registration_links WHERE user_id = $1` + args := []any{ + userID, + } + + row := tx.QueryRowContext(ctx, query, args...) + if err := row.Scan(®istrationLink.Token, ®istrationLink.UserID, ®istrationLink.CreatedAt); err != nil { + if errors.Is(err, sql.ErrNoRows) { + return errors.WithStack(storage.ErrNotFound) + } + + return errors.WithStack(err) + } + + if err := row.Err(); err != nil { + return errors.WithStack(err) + } + + return nil + }) + if err != nil { + return nil, errors.WithStack(err) + } + + return registrationLink, nil +} + +// GetRegistrationLinkByToken implements storage.UserRepository. +func (r *UserRepository) GetRegistrationLinkByToken(ctx context.Context, token string) (*storage.RegistrationLink, error) { + registrationLink := &storage.RegistrationLink{} + err := r.withTxRetry(ctx, func(tx *sql.Tx) error { + query := `SELECT token, user_id, created_at FROM registration_links WHERE token = $1` + args := []any{ + token, + } + + row := tx.QueryRowContext(ctx, query, args...) + if err := row.Scan(®istrationLink.Token, ®istrationLink.UserID, ®istrationLink.CreatedAt); err != nil { + if errors.Is(err, sql.ErrNoRows) { + return errors.WithStack(storage.ErrNotFound) + } + + return errors.WithStack(err) + } + + if err := row.Err(); err != nil { + return errors.WithStack(err) + } + + return nil + }) + if err != nil { + return nil, errors.WithStack(err) + } + + return registrationLink, nil +} + +func (r *UserRepository) userExists(ctx context.Context, tx *sql.Tx, userID string) (bool, error) { + query := `SELECT COUNT(id) FROM users WHERE id = $1` + args := []any{ + userID, + } + + row := tx.QueryRowContext(ctx, query, args...) + + var count int64 + if err := row.Scan(&count); err != nil { + return false, errors.WithStack(err) + } + + if err := row.Err(); err != nil { + return false, errors.WithStack(err) + } + + return count >= 1, nil +} + +func (r *UserRepository) withTxRetry(ctx context.Context, fn func(*sql.Tx) error) error { + attempts := 0 + max := r.sqliteBusyRetryMaxAttempts + + ctx = logger.With(ctx, logger.F("max", max)) + + var err error + for { + ctx = logger.With(ctx) + + if attempts >= max { + logger.Debug(ctx, "transaction retrying failed", logger.F("attempts", attempts)) + + return errors.Wrapf(err, "transaction failed after %d attempts", max) + } + + err = r.withTx(ctx, fn) + if err != nil { + if !strings.Contains(err.Error(), "(5) (SQLITE_BUSY)") { + return errors.WithStack(err) + } + + err = errors.WithStack(err) + + logger.Warn(ctx, "database is busy", logger.E(err)) + + wait := time.Duration(8<<(attempts+1)) * time.Millisecond + + logger.Debug( + ctx, "database is busy, waiting before retrying transaction", + logger.F("wait", wait.String()), + logger.F("attempts", attempts), + ) + + timer := time.NewTimer(wait) + select { + case <-timer.C: + attempts++ + continue + + case <-ctx.Done(): + if err := ctx.Err(); err != nil { + return errors.WithStack(err) + } + + return nil + } + } + + return nil + } +} + +func (r *UserRepository) withTx(ctx context.Context, fn func(*sql.Tx) error) error { + tx, err := r.db.BeginTx(ctx, nil) + if err != nil { + return errors.WithStack(err) + } + + defer func() { + if err := tx.Rollback(); err != nil { + if errors.Is(err, sql.ErrTxDone) { + return + } + + err = errors.WithStack(err) + logger.Error(ctx, "could not rollback transaction", logger.CapturedE(err)) + } + }() + + if err := fn(tx); err != nil { + return errors.WithStack(err) + } + + if err := tx.Commit(); err != nil { + return errors.WithStack(err) + } + + return nil +} + +func NewUserRepository(dsn string) (*UserRepository, error) { + db, err := sql.Open("sqlite", dsn) + if err != nil { + return nil, errors.WithStack(err) + } + + if err := applyUserRepositoryMigration(db); err != nil { + return nil, errors.Wrap(err, "could not migrate schema") + } + + return &UserRepository{db, 5}, nil +} + +var _ storage.UserRepository = &UserRepository{} + +//go:embed user_repository.sql +var userRepositoryMigrationScript string + +func applyUserRepositoryMigration(db *sql.DB) error { + if err := db.Ping(); err != nil { + return errors.WithStack(err) + } + + if _, err := db.Exec(userRepositoryMigrationScript); err != nil { + return errors.WithStack(err) + } + + return nil +} diff --git a/internal/storage/sqlite/user_repository.sql b/internal/storage/sqlite/user_repository.sql new file mode 100644 index 0000000..25660f2 --- /dev/null +++ b/internal/storage/sqlite/user_repository.sql @@ -0,0 +1,22 @@ +CREATE TABLE IF NOT EXISTS users ( + id TEXT NOT NULL PRIMARY KEY, + username TEXT NOT NULL UNIQUE, + attributes JSON NOT NULL, + created_at DATETIME NOT NULL, + updated_at DATETIME NOT NULL +); + +CREATE TABLE IF NOT EXISTS registration_links ( + token TEXT NOT NULL PRIMARY KEY, + user_id TEXT NOT NULL, + created_at DATETIME NOT NULL, + FOREIGN KEY(user_id) REFERENCES users(id) +); + +CREATE TABLE IF NOT EXISTS user_credentials ( + id TEXT NOT NULL PRIMARY KEY, + user_id TEXT NOT NULL, + credential JSON NOT NULL, + created_at DATETIME NOT NULL, + FOREIGN KEY(user_id) REFERENCES users(id) +); \ No newline at end of file diff --git a/internal/storage/user.go b/internal/storage/user.go new file mode 100644 index 0000000..931ec4a --- /dev/null +++ b/internal/storage/user.go @@ -0,0 +1,65 @@ +package storage + +import ( + "time" + + "github.com/go-webauthn/webauthn/webauthn" +) + +type UserHeader struct { + ID string `json:"id"` + Username string `json:"username"` + + CreatedAt time.Time `json:"createdAt"` + UpdatedAt time.Time `json:"updatedAt"` +} + +type User struct { + UserHeader + + Attributes map[string]any `json:"attributes"` + Credentials []webauthn.Credential `json:"credentials"` +} + +// WebAuthnCredentials implements webauthn.User. +func (u *User) WebAuthnCredentials() []webauthn.Credential { + return u.Credentials +} + +// WebAuthnDisplayName implements webauthn.User. +func (u *User) WebAuthnDisplayName() string { + return u.Username +} + +// WebAuthnID implements webauthn.User. +func (u *User) WebAuthnID() []byte { + return []byte(u.ID) +} + +// WebAuthnIcon implements webauthn.User. +func (u *User) WebAuthnIcon() string { + return "" +} + +// WebAuthnName implements webauthn.User. +func (u *User) WebAuthnName() string { + return u.Username +} + +func NewUser(username string, attributes map[string]any) *User { + now := time.Now() + return &User{ + UserHeader: UserHeader{ + ID: NewID(), + Username: username, + + CreatedAt: now, + UpdatedAt: now, + }, + + Attributes: attributes, + Credentials: make([]webauthn.Credential, 0), + } +} + +var _ webauthn.User = &User{} diff --git a/internal/storage/user_repository.go b/internal/storage/user_repository.go new file mode 100644 index 0000000..8d96b15 --- /dev/null +++ b/internal/storage/user_repository.go @@ -0,0 +1,27 @@ +package storage + +import ( + "context" + + "github.com/go-webauthn/webauthn/webauthn" +) + +type UserRepository interface { + CreateUser(ctx context.Context, username string, attributes map[string]any) (*User, error) + + UpdateUserUsername(ctx context.Context, userID string, username string) (*User, error) + UpdateUserAttributes(ctx context.Context, userID string, attributes map[string]any) (*User, error) + + AddUserCredential(ctx context.Context, userID string, credential *webauthn.Credential) (string, error) + RemoveUserCredential(ctx context.Context, userID string, credentialID string) error + + GenerateRegistrationLink(ctx context.Context, userID string) (*RegistrationLink, error) + GetRegistrationLink(ctx context.Context, userID string) (*RegistrationLink, error) + GetRegistrationLinkByToken(ctx context.Context, token string) (*RegistrationLink, error) + ClearRegistrationLink(ctx context.Context, userID string) error + + DeleteUserByID(ctx context.Context, userID string) error + FindUserByID(ctx context.Context, userID string) (*User, error) + FindUserByUsername(ctx context.Context, username string) (*User, error) + ListUsers(ctx context.Context) ([]UserHeader, error) +} diff --git a/internal/webauthn/provider.go b/internal/webauthn/provider.go new file mode 100644 index 0000000..5b96765 --- /dev/null +++ b/internal/webauthn/provider.go @@ -0,0 +1,29 @@ +package webauthn + +import ( + "github.com/go-webauthn/webauthn/webauthn" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/service" +) + +type Config = webauthn.Config +type TimeoutsConfig = webauthn.TimeoutsConfig +type TimeoutConfig = webauthn.TimeoutConfig +type LoginOption = webauthn.LoginOption +type SessionData = webauthn.SessionData + +var WithAllowedCredentials = webauthn.WithAllowedCredentials +var WithAssertionExtensions = webauthn.WithAssertionExtensions +var WithUserVerification = webauthn.WithUserVerification +var WithAppIdExtension = webauthn.WithAppIdExtension + +func ServiceProvider(config *Config) service.Provider { + webauthn, err := webauthn.New(config) + + return func(ctn *service.Container) (interface{}, error) { + if err != nil { + return nil, errors.WithStack(err) + } + return webauthn, nil + } +} diff --git a/internal/webauthn/service.go b/internal/webauthn/service.go new file mode 100644 index 0000000..cf12282 --- /dev/null +++ b/internal/webauthn/service.go @@ -0,0 +1,34 @@ +package webauthn + +import ( + "github.com/go-webauthn/webauthn/webauthn" + "github.com/pkg/errors" + "gitlab.com/wpetit/goweb/service" +) + +const ServiceName service.Name = "webauthn" + +// From retrieves the webauthn service in the given container +func From(container *service.Container) (*webauthn.WebAuthn, error) { + service, err := container.Service(ServiceName) + if err != nil { + return nil, errors.Wrapf(err, "error while retrieving '%s' service", ServiceName) + } + + srv, ok := service.(*webauthn.WebAuthn) + if !ok { + return nil, errors.Errorf("retrieved service is not a valid '%s' service", ServiceName) + } + + return srv, nil +} + +// Must retrieves the config service in the given container or panic otherwise +func Must(container *service.Container) *webauthn.WebAuthn { + srv, err := From(container) + if err != nil { + panic(err) + } + + return srv +} diff --git a/misc/compose/hydra/client.json b/misc/compose/hydra/client.json new file mode 100644 index 0000000..0955ebf --- /dev/null +++ b/misc/compose/hydra/client.json @@ -0,0 +1,35 @@ +{ + "client_id": "oidc-test", + "client_name": "OIDC Test", + "client_secret": "oidc-test-123456", + "client_uri": "http://localhost:8080", + "grant_types": [ + "authorization_code", + "refresh_token", + "client_credentials", + "implicit" + ], + "jwks": {}, + "logo_uri": "", + "metadata": {}, + "owner": "", + "policy_uri": "", + "post_logout_redirect_uris": [ + "http://localhost:8080" + ], + "redirect_uris": [ + "http://localhost:8080/oauth2/callback" + ], + "request_object_signing_alg": "RS256", + "response_types": [ + "token", + "code", + "id_token" + ], + "scope": "openid profile email", + "skip_consent": false, + "subject_type": "public", + "token_endpoint_auth_method": "client_secret_basic", + "tos_uri": "", + "userinfo_signed_response_alg": "none" +} \ No newline at end of file diff --git a/misc/docker/Dockerfile b/misc/docker/Dockerfile new file mode 100644 index 0000000..84f7255 --- /dev/null +++ b/misc/docker/Dockerfile @@ -0,0 +1,33 @@ +FROM golang:1.21 AS build + +ARG HTTP_PROXY= +ARG HTTPS_PROXY= +ARG http_proxy= +ARG https_proxy= + +RUN apt-get update && apt-get install -y build-essential git bash + +RUN mkdir -p /src + +WORKDIR /src + +COPY go.mod . +COPY go.sum . + +RUN go mod download + +COPY . . + +RUN make ARCH_TARGETS=amd64 release + +FROM busybox + +COPY --from=build /src/release/server-linux-amd64 /app + +WORKDIR /app + +RUN mkdir ./data + +EXPOSE 3000 + +CMD ["bin/server", "-workdir", "/app", "-config", "server.yml"] \ No newline at end of file diff --git a/misc/script/release.sh b/misc/script/release.sh new file mode 100644 index 0000000..f2e66d7 --- /dev/null +++ b/misc/script/release.sh @@ -0,0 +1,119 @@ +#!/bin/bash + +set -eo pipefail + +OS_TARGETS=(linux) +ARCH_TARGETS=${ARCH_TARGETS:-amd64 arm 386} + +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )" +PROJECT_DIR="$DIR/../.." + +function build { + + local name=$1 + local srcdir=$2 + local os=$3 + local arch=$4 + + local dirname="$name-$os-$arch" + local destdir="$PROJECT_DIR/release/$dirname" + + rm -rf "$destdir" + mkdir -p "$destdir" + + echo "building $dirname..." + + CGO_ENABLED=0 GOOS="$os" GOARCH="$arch" go build \ + -ldflags="-s -w -X 'main.GitRef=$(current_commit_ref)' -X 'main.ProjectVersion=$(current_version)' -X 'main.BuildDate=$(current_date)'" \ + -gcflags=-trimpath="${PWD}" \ + -asmflags=-trimpath="${PWD}" \ + -o "$destdir/bin/$name" \ + "$srcdir" + + if [ ! -z "$(which upx)" ]; then + upx --best "$destdir/bin/$name" + fi + +} + +function current_date { + date '+%Y-%m-%d %H:%M' +} + +function current_commit_ref { + git log -n 1 --pretty="format:%h" +} + +function current_version { + git describe --always +} + +function copy { + + local name=$1 + local os=$2 + local arch=$3 + local src=$4 + local dest=$5 + + local dirname="$name-$os-$arch" + local destdir="$PROJECT_DIR/release/$dirname" + + echo "copying '$src' to '$destdir/$dest'..." + + mkdir -p "$(dirname $destdir/$dest)" + + cp -rfL $src "$destdir/$dest" + +} + +function dump_default_conf { + # Generate and copy configuration file + local command=$1 + local os=$2 + local arch=$3 + local tmp_conf=$(mktemp) + + go run "$PROJECT_DIR/cmd/$command" -dump-config > "$tmp_conf" + copy "$command" $os $arch "$tmp_conf" "$command.yml" + rm -f "$tmp_conf" +} + +function compress { + + local name=$1 + local os=$2 + local arch=$3 + + local dirname="$name-$os-$arch" + local destdir="$PROJECT_DIR/release/$dirname" + + echo "compressing $dirname..." + tar -czf "$destdir.tar.gz" -C "$destdir/../" "$dirname" +} + +function release_server { + local os=$1 + local arch=$2 + + build 'server' "$PROJECT_DIR/cmd/server" $os $arch + + dump_default_conf 'server' $os $arch + + copy 'server' $os $arch "$PROJECT_DIR/README.md" "README.md" + copy 'server' $os $arch "$PROJECT_DIR/public" "public" + copy 'server' $os $arch "$PROJECT_DIR/template" "template" + + compress 'server' $os $arch +} + +function main { + + for os in ${OS_TARGETS[@]}; do + for arch in ${ARCH_TARGETS[@]}; do + release_server $os $arch + done + done +} + +main \ No newline at end of file diff --git a/modd.conf b/modd.conf new file mode 100644 index 0000000..7e5a6a5 --- /dev/null +++ b/modd.conf @@ -0,0 +1,17 @@ +**/*.go +!**/*_test.go +data/config.yml +template/**/* +modd.conf { + prep: make build + prep: [ -e data/config.yml ] || ( mkdir -p data && bin/server -dump-config > data/config.yml ) + daemon: bin/server -config ./data/config.yml +} + +**/*.go { + prep: make test +} + +docker-compose.yml { + daemon: make up +} \ No newline at end of file diff --git a/public/css/style.css b/public/css/style.css new file mode 100644 index 0000000..352a1cc --- /dev/null +++ b/public/css/style.css @@ -0,0 +1,3 @@ +body { + background-color: hsla(217, 15%, 95%, 1); +} \ No newline at end of file diff --git a/public/js/hydra-webauthn.js b/public/js/hydra-webauthn.js new file mode 100644 index 0000000..fee5909 --- /dev/null +++ b/public/js/hydra-webauthn.js @@ -0,0 +1,91 @@ +(function(HydraWebAuthn) { + +HydraWebAuthn.base64ToArrayBuffer = function(base64) { + var binaryString = HydraWebAuthn.fromBase64URL(base64); + var bytes = new Uint8Array(binaryString.length); + for (var i = 0; i < binaryString.length; i++) { + bytes[i] = binaryString.charCodeAt(i); + } + return bytes.buffer; +} + +HydraWebAuthn.arrayBufferToBase64 = function( buffer ) { + var binary = ''; + var bytes = new Uint8Array( buffer ); + var len = bytes.byteLength; + for (var i = 0; i < len; i++) { + binary += String.fromCharCode( bytes[ i ] ); + } + return window.btoa( binary ); +} + +HydraWebAuthn.toJSONCredentials = function(credentials) { + return { + id: credentials.id, + rawId: HydraWebAuthn.toBase64URL(credentials.rawId), + authenticatorAttachment: credentials.authenticatorAttachment, + type: "public-key", + clientExtensionResults: (() => { + const results = credentials.getClientExtensionResults(); + return Object.keys(results).reduce((json, key) => { + json[key] = HydraWebAuthn.urlsafe(HydraWebAuthn.arrayBufferToBase64(results[key])) + return json; + }, {}) + })(), + response: { + attestationObject: HydraWebAuthn.urlsafe(HydraWebAuthn.arrayBufferToBase64(credentials.response.attestationObject)), + clientDataJSON: HydraWebAuthn.urlsafe(HydraWebAuthn.arrayBufferToBase64(credentials.response.clientDataJSON)) + } + } +} + +HydraWebAuthn.toJSONAssertion = function(assertion) { + return { + id: assertion.id, + rawId: HydraWebAuthn.urlsafe(HydraWebAuthn.arrayBufferToBase64(assertion.rawId)), + type: "public-key", + response: { + authenticatorData: HydraWebAuthn.urlsafe(HydraWebAuthn.arrayBufferToBase64(assertion.response.authenticatorData)), + clientDataJSON: HydraWebAuthn.urlsafe(HydraWebAuthn.arrayBufferToBase64(assertion.response.clientDataJSON)), + signature: HydraWebAuthn.urlsafe(HydraWebAuthn.arrayBufferToBase64(assertion.response.signature)), + userHandle: assertion.response.userHandle + } + } +} + +HydraWebAuthn.base64 = function(str) { + return HydraWebAuthn.bytesToBase64(new TextEncoder().encode(str)); +} + +HydraWebAuthn.toBase64URL = function(str) { + return HydraWebAuthn.urlsafe(HydraWebAuthn.base64(str)); +} + +HydraWebAuthn.fromBase64URL = function(str) { + str = str + .replace(/-/g, '+') + .replace(/_/g, '/'); + + var pad = str.length % 4; + if(pad) { + if(pad === 1) { + throw new Error('InvalidLengthError: Input base64url string is the wrong length to determine padding'); + } + str += new Array(5-pad).join('='); + } + + return atob(str); +} + +HydraWebAuthn.urlsafe = function(base64) { + return base64.replace(/\+/g, '-') + .replace(/\//g, '_') + .replace(/=+$/, '') +} + +HydraWebAuthn.bytesToBase64 = function(bytes) { + const binString = String.fromCodePoint(...bytes); + return btoa(binString); +} + +}(window.HydraWebAuthn = {})) \ No newline at end of file diff --git a/public/js/login.js b/public/js/login.js new file mode 100644 index 0000000..c1be529 --- /dev/null +++ b/public/js/login.js @@ -0,0 +1,20 @@ +const rawAssertionRequest = HydraWebAuthn.fromBase64URL(document.currentScript.dataset.assertionRequest); +const assertionRequest = JSON.parse(rawAssertionRequest); +assertionRequest.publicKey.challenge = HydraWebAuthn.base64ToArrayBuffer(assertionRequest.publicKey.challenge) +assertionRequest.publicKey.allowCredentials.forEach(credential => credential.id = HydraWebAuthn.base64ToArrayBuffer(credential.id)) + +console.log("Assertion request", assertionRequest) + +navigator.credentials.get(assertionRequest) + .then(assertion => { + console.log("Assertion", assertion) + if (assertion) { + const jsonAssertion = JSON.stringify(HydraWebAuthn.toJSONAssertion(assertion), null, 2); + console.log(jsonAssertion); + document.getElementById("assertion").value = HydraWebAuthn.toBase64URL(jsonAssertion); + } + }).catch(err => { + console.error(err); + }).finally(() => { + document.getElementById("login").submit(); + }) \ No newline at end of file diff --git a/public/js/register.js b/public/js/register.js new file mode 100644 index 0000000..bbb7ce4 --- /dev/null +++ b/public/js/register.js @@ -0,0 +1,17 @@ +const rawWebAuthnOptions = HydraWebAuthn.fromBase64URL(document.currentScript.dataset.webAuthnOptions); +const webAuthnOptions = JSON.parse(rawWebAuthnOptions); + +webAuthnOptions.publicKey.challenge = HydraWebAuthn.base64ToArrayBuffer(webAuthnOptions.publicKey.challenge); +webAuthnOptions.publicKey.user.id = HydraWebAuthn.base64ToArrayBuffer(webAuthnOptions.publicKey.user.id); + +console.log(webAuthnOptions) + +function generateCredentials() { + navigator.credentials.create(webAuthnOptions).then(credentials => { + if (!credentials) return; + const jsonCredentials = JSON.stringify(HydraWebAuthn.toJSONCredentials(credentials), null, 2); + console.log(jsonCredentials); + document.getElementById("credentials").value = HydraWebAuthn.toBase64URL(jsonCredentials); + document.getElementById("register").submit(); + }).catch(err => console.error(err)); +} \ No newline at end of file diff --git a/template/blocks/base.html.tmpl b/template/blocks/base.html.tmpl new file mode 100644 index 0000000..ac1cf8b --- /dev/null +++ b/template/blocks/base.html.tmpl @@ -0,0 +1,19 @@ +{{define "base"}} + + + + + + {{block "title" . -}}{{- end}} + {{- block "head_style" . -}} + + + {{end}} + {{- block "head_script" . -}}{{end}} + + + {{- block "body" . -}}{{- end -}} + {{- block "body_script" . -}}{{end}} + + +{{end}} \ No newline at end of file diff --git a/template/blocks/flash.html.tmpl b/template/blocks/flash.html.tmpl new file mode 100644 index 0000000..9e1a445 --- /dev/null +++ b/template/blocks/flash.html.tmpl @@ -0,0 +1,24 @@ +{{define "flash"}} +
+ {{- range .Flashes -}} + {{- if eq .Type "error" -}} + {{template "flash_message" map "Title" "Erreur" "MessageClass" "is-danger" "Message" .Message }} + {{- else if eq .Type "warn" -}} + {{template "flash_message" map "Title" "Attention" "MessageClass" "is-warning" "Message" .Message }} + {{- else if eq .Type "success" -}} + {{template "flash_message" map "Title" "Succès" "MessageClass" "is-success" "Message" .Message }} + {{- else -}} + {{template "flash_message" map "Title" "Information" "MessageClass" "is-info" "Message" .Message }} + {{- end -}} + {{- end -}} +
+{{end}} + +{{define "flash_message" -}} +
+
+ {{.Title}} +

{{.Message}}

+
+
+{{- end}} \ No newline at end of file diff --git a/template/blocks/footer.html.tmpl b/template/blocks/footer.html.tmpl new file mode 100644 index 0000000..3b4081c --- /dev/null +++ b/template/blocks/footer.html.tmpl @@ -0,0 +1,7 @@ +{{define "footer"}} +

+ Version: {{ .BuildInfo.ProjectVersion }} - + Réf.: {{ .BuildInfo.GitRef }} - + Date de construction: {{ .BuildInfo.BuildDate }} +

+{{end}} \ No newline at end of file diff --git a/template/layouts/consent.html.tmpl b/template/layouts/consent.html.tmpl new file mode 100644 index 0000000..731a1e4 --- /dev/null +++ b/template/layouts/consent.html.tmpl @@ -0,0 +1,35 @@ +{{define "title"}}Autorisation{{end}} +{{define "body"}} +
+
+
+
+
+ {{template "flash" .}} +

+ Demande d'autorisation +

+

+ Autorisez vous l'application à utiliser ces informations vous concernant ? +

+
+
+ {{range .RequestedScope}} +
+ +
+ {{end}} + {{ .csrfField }} + + +
+
+
+
+
+
+{{end}} +{{template "base" .}} \ No newline at end of file diff --git a/template/layouts/error.html.tmpl b/template/layouts/error.html.tmpl new file mode 100644 index 0000000..c2f1a7c --- /dev/null +++ b/template/layouts/error.html.tmpl @@ -0,0 +1,20 @@ +{{define "title"}}Erreur{{end}} +{{define "body"}} +
+
+
+
+
+
+
+

{{ .ErrorTitle }}

+

{{ .ErrorDescription }}

+
+
+
+
+
+
+
+{{end}} +{{template "base" .}} \ No newline at end of file diff --git a/template/layouts/home.html.tmpl b/template/layouts/home.html.tmpl new file mode 100644 index 0000000..b88ceed --- /dev/null +++ b/template/layouts/home.html.tmpl @@ -0,0 +1,22 @@ +{{define "title"}}Connexion{{end}} +{{define "body"}} +
+
+
+
+
+

+ Hydra WebAuthn +

+

+ Version: {{ .BuildInfo.ProjectVersion }} | + Réf.: {{ .BuildInfo.GitRef }} | + Date de construction: {{ .BuildInfo.BuildDate }} +

+
+
+
+
+
+{{end}} +{{template "base" .}} \ No newline at end of file diff --git a/template/layouts/login.html.tmpl b/template/layouts/login.html.tmpl new file mode 100644 index 0000000..60ad02b --- /dev/null +++ b/template/layouts/login.html.tmpl @@ -0,0 +1,53 @@ +{{define "title"}}Connexion{{end}} +{{define "body"}} +
+
+
+
+
+ {{template "flash" .}} +

+ Authentification sur
{{ .ClientName }} +

+
+ +
+
+
+ +
+ +
+
+
+ +
+ {{if .AssertionRequest}} + + {{end}} + {{ .csrfField }} + + +
+
+
+
+
+
+
+
+{{if .AssertionRequest}} + + +{{end}} +{{end}} +{{template "base" .}} \ No newline at end of file diff --git a/template/layouts/register.html.tmpl b/template/layouts/register.html.tmpl new file mode 100644 index 0000000..c5f4375 --- /dev/null +++ b/template/layouts/register.html.tmpl @@ -0,0 +1,28 @@ +{{define "title"}}S'enregistrer{{end}} +{{define "body"}} +
+
+
+
+
+ {{template "flash" .}} +

+ Finaliser votre compte +

+

Cliquer sur le bouton ci-dessous pour générer une paire de clés cryptographiques qui sera associée à votre compte.

+ +
+ {{ .csrfField }} + +
+
+
+
+
+
+ + +{{end}} +{{template "base" .}} \ No newline at end of file