Merge branch 'master' into pr/punkle/375

.defaults.yml

@@ -25,6 +25,7 @@ vouch:
     issuer: Vouch
     maxAge: 240
     compress: true
+    signing_method: HS256
 
   cookie:
     name: VouchCookie

.github/workflows/coverage.yml

@@ -17,8 +17,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: ['1.14', '1.15']
-        # go: ['1.15']
+        # go: ['1.14', '1.15']
+        go: ['1.16']
 
     steps:
       - uses: actions/setup-go@v2

.gitignore

@@ -14,3 +14,5 @@ coverage.out
 coverage.html.env_google
 .env*
 .cover
+config/testing/rsa.key
+config/testing/rsa.pub

.travis.yml

@@ -7,12 +7,13 @@ services:
   - docker
 
 go:
-  - "1.14"
+  - "1.16"
 
 env:
   - ISTRAVIS=true
 
 before_install:
+  - sudo apt-get install openssl
   - ./do.sh goget
   # - go get github.com/golang/lint/golint # Linter
   # - go get github.com/fzipp/gocyclo

Dockerfile

@@ -1,6 +1,6 @@
 # voucher/vouch-proxy
 # https://github.com/vouch/vouch-proxy
-FROM golang:1.15 AS builder
+FROM golang:1.16 AS builder
 
 LABEL maintainer="[email protected]"
 

Dockerfile.alpine

@@ -1,6 +1,6 @@
 # voucher/vouch-proxy
 # https://github.com/vouch/vouch-proxy
-FROM golang:1.15 AS builder
+FROM golang:1.16 AS builder
 
 LABEL maintainer="[email protected]"
 

config/config.yml_example

@@ -62,8 +62,15 @@ vouch:
     profile: intermediate                           # VOUCH_TLS_PROFILE
 
   jwt:
+    # signing_method: the algorithm used to sign the JWT.  # VOUCH_JWT_SIGNING_METHOD
+    # Can be one of HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512
+    # Default is HS256 (HMAC) - and requires jwt.secret to be set
+    # Both RS* (RSA) and ES* (ECDSA) methods require jwt.private_key_file and
+    # jwt.public_key_file to be set.
+    # signing_method: HS256
+
     # secret - VOUCH_JWT_SECRET
-    # a random string used to cryptographically sign the jwt
+    # a random string used to cryptographically sign the jwt when signing_method is set to HS256, HS384 or HS512
     # Vouch Proxy complains if the string is less than 44 characters (256 bits as 32 base64 bytes)
     # if the secret is not set here then Vouch Proxy will..
     # - look for the secret in `./config/secret`
@@ -72,6 +79,10 @@ vouch:
     # you'll want them all to have the same secret
     secret: your_random_string
 
+    # Path to the public/private key files when using an RSA or ECDSA signing method.
+    # public_key_file:  # VOUCH_JWT_PUBLIC_KEY_FILE
+    # private_key_file: # VOUCH_JWT_PRIVATE_KEY_FILE
+
     # issuer: Vouch # VOUCH_JWT_ISSUER
 
     # number of minutes until jwt expires - VOUCH_JWT_MAXAGE

config/config.yml_example_azure

@@ -22,4 +22,5 @@ oauth:
     - openid
     - email
     - profile
-  callback_url: https://vouch.yourdomain/auth
+  callback_url: https://vouch.yourdomain/auth
+  azure_token: id_token # access_token and id_token supported

config/testing/test_config_rsa.yml

@@ -0,0 +1,28 @@
+vouch:
+  logLevel: debug
+  listen: 0.0.0.0
+  port: 9090
+  domains:
+    - vouch.github.io
+
+  whiteList:
+    - [email protected]
+    - [email protected]
+    - [email protected]
+
+  cookie:
+    name: vouchTestingCookie
+
+  session:
+    name: VouchTestingSession
+
+  jwt:
+    signing_method: RS512
+    private_key_file: config/testing/rsa.key
+    public_key_file: config/testing/rsa.pub
+
+oauth:
+  provider: indieauth
+  client_id: http://vouch.github.io
+  auth_url: https://indielogin.com/auth
+  callback_url: http://vouch.github.io:9090/auth

do.sh

@@ -13,7 +13,7 @@ fi
 
 IMAGE=voucher/vouch-proxy:latest
 ALPINE=voucher/vouch-proxy:alpine
-GOIMAGE=golang:1.14
+GOIMAGE=golang:1.16
 NAME=vouch-proxy
 HTTPPORT=9090
 GODOC_PORT=5050
@@ -133,11 +133,14 @@ bug_report() {
 
     usage:
 
-      $0 bug_report redacted_string redacted_string 
+      $0 bug_report redacted_string redacted_string
 
 EOF
     exit 1;
   fi
+  echo -e "#\n# If sensitive information is still visible in the output, first try appending the string.." 
+  echo -e "#\n#    '$0 bug_report badstring1 badstring2'\n#\n"
+  echo -e "#\n# Please consider submitting a PR for the './do.sh _redact' routine if you feel that it should be improved.\n#"
   echo -e "\n-------------------------\n\n#\n# redacted Vouch Proxy ${CONFIG}\n# $(date -I)\n#\n"
   cat $CONFIG | _redact
 
@@ -186,6 +189,15 @@ test() {
     export VOUCH_CONFIG="$SDIR/config/testing/test_config.yml"
   fi
 
+  TEST_PRIVATE_KEY_FILE="$SDIR/config/testing/rsa.key"
+  TEST_PUBLIC_KEY_FILE="$SDIR/config/testing/rsa.pub"
+  if [[ ! -f "$TEST_PRIVATE_KEY_FILE" ]]; then
+    openssl genrsa -out "$TEST_PRIVATE_KEY_FILE" 4096
+  fi
+  if [[ ! -f "$TEST_PUBLIC_KEY_FILE" ]]; then
+    openssl rsa -in "$TEST_PRIVATE_KEY_FILE" -pubout > "$TEST_PUBLIC_KEY_FILE"
+  fi
+
   go get -t ./...
   # test all the things
   if [ -n "$*" ]; then
@@ -363,27 +375,27 @@ selfcert() {
 usage() {
    cat <<EOF
    usage:
-     $0 run                    - go run main.go
-     $0 build                  - go build
-     $0 install                - move binary to ${GOPATH}/bin/vouch
-     $0 goget                  - get all dependencies
-     $0 gofmt                  - gofmt the entire code base
-     $0 gosec                  - gosec security audit of the entire code base
-     $0 selfcert               - calls openssl to create a self signed key and cert
-     $0 dbuild                 - build docker container
-     $0 drun [args]            - run docker container
-     $0 dbuildalpine           - build docker container for alpine
-     $0 drunalpine [args]      - run docker container for alpine
-     $0 test [./pkg_test.go]   - run go tests (defaults to all tests)
-     $0 test_logging           - test the logging output
-     $0 coverage               - coverage test
-     $0 coveragereport         - coverage report published to .cover/coverage.html
-     $0 profile                - go pprof tools
-     $0 bug_report domain.com  - print config file removing secrets and each provided domain
-     $0 gogo [gocmd]           - run, build, any go cmd
-     $0 stats                  - simple metrics (lines of code in project, number of go files)
-     $0 watch [cmd]            - watch the $CWD for any change and re-reun the [cmd]
-     $0 license [file]         - apply the license to the file
+     $0 run                                - go run main.go
+     $0 build                              - go build
+     $0 install                            - move binary to ${GOPATH}/bin/vouch
+     $0 goget                              - get all dependencies
+     $0 gofmt                              - gofmt the entire code base
+     $0 gosec                              - gosec security audit of the entire code base
+     $0 selfcert                           - calls openssl to create a self signed key and cert
+     $0 dbuild                             - build docker container
+     $0 drun [args]                        - run docker container
+     $0 dbuildalpine                       - build docker container for alpine
+     $0 drunalpine [args]                  - run docker container for alpine
+     $0 test [./pkg_test.go]               - run go tests (defaults to all tests)
+     $0 test_logging                       - test the logging output
+     $0 coverage                           - coverage test
+     $0 coveragereport                     - coverage report published to .cover/coverage.html
+     $0 profile                            - go pprof tools
+     $0 bug_report domain.com [badstr2..]  - print config file and log removing secrets and each provided string
+     $0 gogo [gocmd]                       - run, build, any go cmd
+     $0 stats                              - simple metrics (lines of code in project, number of go files)
+     $0 watch [cmd]                        - watch the $CWD for any change and re-reun the [cmd]
+     $0 license [file]                     - apply the license to the file
 
   do is like make
 

go.mod

@@ -1,39 +1,39 @@
 module github.com/vouch/vouch-proxy
 
-go 1.15
+go 1.16
 
 require (
-	cloud.google.com/go v0.77.0 // indirect
+	cloud.google.com/go v0.80.0 // indirect
 	github.com/bmizerany/perks v0.0.0-20141205001514-d9a9656a3a4b // indirect
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/dgryski/go-gk v0.0.0-20200319235926-a69029f61654 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
-	github.com/google/go-cmp v0.5.4
+	github.com/google/go-cmp v0.5.5
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/sessions v1.2.1
 	github.com/influxdata/tdigest v0.0.1 // indirect
 	github.com/karupanerura/go-mock-http-response v0.0.0-20171201120521-7c242a447d45
 	github.com/kelseyhightower/envconfig v1.4.0
-	github.com/magiconair/properties v1.8.4 // indirect
+	github.com/magiconair/properties v1.8.5 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mitchellh/mapstructure v1.4.1
 	github.com/nirasan/go-oauth-pkce-code-verifier v0.0.0-20170819232839-0fbfe93532da
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/pelletier/go-toml v1.8.1 // indirect
-	github.com/spf13/afero v1.5.1 // indirect
+	github.com/spf13/afero v1.6.0 // indirect
 	github.com/spf13/cast v1.3.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.7.1
 	github.com/streadway/quantile v0.0.0-20150917103942-b0c588724d25 // indirect
-	github.com/stretchr/testify v1.5.1
+	github.com/stretchr/testify v1.6.1
 	github.com/theckman/go-securerandom v0.1.1
 	github.com/tsenart/vegeta v12.7.0+incompatible
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.16.0
-	golang.org/x/net v0.0.0-20210119194325-5f4716e94777
-	golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99
-	golang.org/x/sys v0.0.0-20210218155724-8ebf48af031b // indirect
+	golang.org/x/net v0.0.0-20210326220855-61e056675ecf
+	golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558
+	golang.org/x/sys v0.0.0-20210326220804-49726bf1d181 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )