From 568577c64c8ea7de7f904bd8720588ccc51ce206 Mon Sep 17 00:00:00 2001 From: Simon Gottschlag Date: Mon, 5 Oct 2020 21:43:15 +0200 Subject: [PATCH 01/30] Make azure token configurable --- config/config.yml_example_azure | 3 ++- pkg/cfg/oauth.go | 18 ++++++++++++++++++ pkg/providers/azure/azure.go | 21 ++++++++++++++++----- 3 files changed, 36 insertions(+), 6 deletions(-) diff --git a/config/config.yml_example_azure b/config/config.yml_example_azure index ebab962a..541ac4c6 100644 --- a/config/config.yml_example_azure +++ b/config/config.yml_example_azure @@ -22,4 +22,5 @@ oauth: - openid - email - profile - callback_url: https://vouch.yourdomain/auth \ No newline at end of file + callback_url: https://vouch.yourdomain/auth + azure_token: id_token # access_token and id_token supported \ No newline at end of file diff --git a/pkg/cfg/oauth.go b/pkg/cfg/oauth.go index 8bfdd6df..4ef4626b 100644 --- a/pkg/cfg/oauth.go +++ b/pkg/cfg/oauth.go @@ -75,6 +75,7 @@ type oauthConfig struct { UserTeamURL string `mapstructure:"user_team_url" envconfig:"user_team_url"` UserOrgURL string `mapstructure:"user_org_url" envconfig:"user_org_url"` PreferredDomain string `mapstructure:"preferredDomain"` + AzureToken string `mapstructure:"azure_token" envconfig:"azure_token"` } func configureOauth() error { @@ -137,6 +138,9 @@ func setProviderDefaults() { } else if GenOAuth.Provider == Providers.ADFS { setDefaultsADFS() configureOAuthClient() + } else if GenOAuth.Provider == Providers.Azure { + setDefaultsAzure() + configureOAuthClient() } else { // IndieAuth, OIDC, OpenStax, Nextcloud, Azure configureOAuthClient() 
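Review bot: The trailing `else` comment `// IndieAuth, OIDC, OpenStax, Nextcloud, Azure` in setProviderDefaults is now stale, since the new branch directly above it handles Azure explicitly and that path no longer reaches the `else`. Suggest `} else { // IndieAuth, OIDC, OpenStax, Nextcloud`. setProviderDefaults begins and ends outside the hunk.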
@@ -169,6 +173,20 @@ func setDefaultsADFS() { OAuthopts = oauth2.SetAuthURLParam("resource", GenOAuth.RedirectURL) // Needed or all claims won't be included } +func setDefaultsAzure() { + log.Info("configuring Azure OAuth") + if len(GenOAuth.AzureToken) == 0 { + log.Info("Using Default Azure Token: access_token") + GenOAuth.AzureToken = "access_token" + } else if GenOAuth.AzureToken == "access_token" { + log.Info("Using Azure Token: access_token") + } else if GenOAuth.AzureToken == "id_token" { + log.Info("Using Azure Token: id_token") + } else { + log.Error("Azure Token must be either access_token or id_token") + } +} + func setDefaultsGitHub() { // log.Info("configuring GitHub OAuth") if GenOAuth.AuthURL == "" { diff --git a/pkg/providers/azure/azure.go b/pkg/providers/azure/azure.go index ef3c6c3a..793a8803 100644 --- a/pkg/providers/azure/azure.go +++ b/pkg/providers/azure/azure.go 
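Review bot: An invalid `oauth.azure_token` value only reaches `log.Error` in setDefaultsAzure, so startup continues with the bad value and the failure is deferred to request time inside the Azure provider, where every login is rejected. The rest of this package reports configuration problems as errors (`configureOauth() error` is visible in the earlier hunk), so returning an error or treating this as fatal would surface the misconfiguration once, at startup. The two accepted literals are compared again by string in azure.go; a pair of shared constants would keep the two sites from drifting. The empty-default, `access_token` and `id_token` cases would also read more clearly as a single `switch GenOAuth.AzureToken`.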
@@ -45,27 +45,38 @@ func (Provider) GetUserInfo(r *http.Request, user *structs.User, customClaims *s // just going to extract user info and custom claims from there. azureUser := structs.AzureUser{} - tokenParts := strings.Split(ptokens.PAccessToken, ".") + var tokenParts []string + + if cfg.GenOAuth.AzureToken == "access_token" { + tokenParts = strings.Split(ptokens.PAccessToken, ".") + } else if cfg.GenOAuth.AzureToken == "id_token" { + tokenParts = strings.Split(ptokens.PIdToken, ".") + } else { + err = fmt.Errorf("Azure Token not access_token or id_token") + log.Error(err) + return err + } + if len(tokenParts) < 2 { err = fmt.Errorf("azure GetUserInfo: invalid token received; not enough parts") log.Error(err) return err } - accessTokenBytes, err := base64.RawURLEncoding.DecodeString(tokenParts[1]) + tokenBytes, err := base64.RawURLEncoding.DecodeString(tokenParts[1]) if err != nil { err = fmt.Errorf("azure GetUserInfo: decoding token failed: %+v", err) log.Error(err) return err } - if err = common.MapClaims(accessTokenBytes, customClaims); err != nil { + if err = common.MapClaims(tokenBytes, customClaims); err != nil { log.Error(err) return err } - log.Debugf("azure GetUserInfo: getting user info from accessToken: %+v", string(accessTokenBytes)) - if err = json.Unmarshal(accessTokenBytes, &azureUser); err != nil { + log.Debugf("azure GetUserInfo: getting user info from token: %+v", string(tokenBytes)) + if err = json.Unmarshal(tokenBytes, &azureUser); err != nil { err = fmt.Errorf("azure getUserInfoFromTokens: unpacking token into AzureUser failed: %+v", err) log.Error(err) return err From a049c8cbdc2ddb27b6677c3aa022fcc8c95fcc30 Mon Sep 17 00:00:00 2001 From: Simon Gottschlag Date: Mon, 5 Oct 2020 21:44:39 +0200 Subject: [PATCH 02/30] Use preferred username if UPN is unavailable --- pkg/structs/structs.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/pkg/structs/structs.go b/pkg/structs/structs.go index e42c0d60..fe07b070 100644 
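Review bot: The new `else` branch's error `"Azure Token not access_token or id_token"` lacks the `azure GetUserInfo:` prefix every sibling error in this function carries, which makes it harder to attribute in logs; suggest `err = fmt.Errorf("azure GetUserInfo: oauth.azure_token must be access_token or id_token")`. The renamed debug line `log.Debugf("azure GetUserInfo: getting user info from token: %+v", string(tokenBytes))` still writes the entire decoded claims payload, including the user's identity attributes, into the debug log; logging only the claim names or the payload length would avoid persisting personal data in log output. Note also that the payload is base64-decoded and trusted without signature verification for either token; that is defensible only because the token was just received from the token endpoint over TLS, and a short comment saying so at the `tokenParts` declaration would stop a future reader from reusing this path for tokens of other provenance. GetUserInfo continues outside the hunk.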
--- a/pkg/structs/structs.go +++ b/pkg/structs/structs.go @@ -47,8 +47,9 @@ func (u *User) PrepareUserData() { // AzureUser is a retrieved and authenticated user from Azure AD type AzureUser struct { User - Sub string `json:"sub"` - UPN string `json:"upn"` + Sub string `json:"sub"` + UPN string `json:"upn"` + PreferredUsername string `json:"preferred_username"` } // PrepareUserData implement PersonalData interface @@ -60,6 +61,10 @@ func (u *AzureUser) PrepareUserData() { u.Username = u.UPN } + if u.Username == "" { + u.Username = u.PreferredUsername + } + if u.Email == "" { u.Email = u.UPN } From f17b2a9dcc8e08cd91b8e7f423b191d4f6185e49 Mon Sep 17 00:00:00 2001 From: Yann Hamon Date: Thu, 12 Nov 2020 13:49:20 +0100 Subject: [PATCH 03/30] Add JWT algorithm support in config --- config/testing/test_config.yml | 2 +- config/testing/test_config_rsa.yml | 28 +++++++ pkg/cfg/cfg.go | 55 +++++++++++--- pkg/jwtmanager/jwtmanager.go | 114 +++++++++++++++++++++-------- pkg/jwtmanager/jwtmanager_test.go | 61 +++++++-------- 5 files changed, 188 insertions(+), 72 deletions(-) create mode 100644 config/testing/test_config_rsa.yml diff --git a/config/testing/test_config.yml b/config/testing/test_config.yml index 8143b4f6..3d72029b 100644 --- a/config/testing/test_config.yml +++ b/config/testing/test_config.yml @@ -17,7 +17,7 @@ vouch: name: VouchTestingSession jwt: - secret: testingsecret + secret: testingSecret oauth: provider: indieauth diff --git a/config/testing/test_config_rsa.yml b/config/testing/test_config_rsa.yml new file mode 100644 index 00000000..d865c8ed --- /dev/null +++ b/config/testing/test_config_rsa.yml 
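Review bot: The new fallback in PrepareUserData copies `preferred_username` into `Username` when `upn` is empty, but Azure AD documents that claim as mutable and not guaranteed unique, so anything keyed on Username (access lists, audit output) now rests on a weaker identifier for accounts without a UPN, presumably guest users. That trade-off deserves a comment on the new field, e.g. `// PreferredUsername is a mutable, display-oriented claim; only used when UPN is absent`, and the stable `Sub` value is worth considering for identity decisions. PrepareUserData ends outside the hunk.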
@@ -0,0 +1,28 @@ +vouch: + logLevel: debug + listen: 0.0.0.0 + port: 9090 + domains: + - vouch.github.io + + whiteList: + - bob@yourdomain.com + - alice@yourdomain.com + - joe@yourdomain.com + + cookie: + name: vouchTestingCookie + + session: + name: VouchTestingSession + + jwt: + signing_method: RS512 + private_key_file: config/testing/rsa.key + public_key_file: config/testing/rsa.pub + +oauth: + provider: indieauth + client_id: http://vouch.github.io + auth_url: https://indielogin.com/auth + callback_url: http://vouch.github.io:9090/auth diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index 3e8def28..7d9bed76 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go @@ -16,6 +16,7 @@ import ( "fmt" "net/http" "os" + "path" "path/filepath" "reflect" "strings" @@ -44,10 +45,13 @@ type Config struct { AllowAllUsers bool `mapstructure:"allowAllUsers"` PublicAccess bool `mapstructure:"publicAccess"` JWT struct { - MaxAge int `mapstructure:"maxAge"` // in minutes - Issuer string `mapstructure:"issuer"` - Secret string `mapstructure:"secret"` - Compress bool `mapstructure:"compress"` + SigningMethod string `mapstructure:"signing_method"` + MaxAge int `mapstructure:"maxAge"` // in minutes + Issuer string `mapstructure:"issuer"` + Secret string `mapstructure:"secret"` + PrivateKeyFile string `mapstructure:"private_key_file"` + PublicKeyFile string `mapstructure:"public_key_file"` + Compress bool `mapstructure:"compress"` } Cookie struct { Name string `mapstructure:"name"` @@ -293,7 +297,6 @@ func logConfigIfDebug() { } func fixConfigOptions() { - if Cfg.Cookie.MaxAge > Cfg.JWT.MaxAge { log.Warnf("setting `%s.cookie.maxage` to `%s.jwt.maxage` value of %d minutes (curently set to %d minutes)", Branding.LCName, Branding.LCName, Cfg.JWT.MaxAge, Cfg.Cookie.MaxAge) Cfg.Cookie.MaxAge = Cfg.JWT.MaxAge 
@@ -304,11 +307,25 @@ func fixConfigOptions() { Cfg.Headers.Redirect = "X-" + Branding.CcName + "-Requested-URI" } + if len(Cfg.JWT.SigningMethod) == 0 { + Cfg.JWT.SigningMethod = "HS256" + } else { + Cfg.JWT.SigningMethod = strings.ToUpper(Cfg.JWT.SigningMethod) + } + // jwt defaults - if len(Cfg.JWT.Secret) == 0 { + if strings.HasPrefix(Cfg.JWT.SigningMethod, "HS") && len(Cfg.JWT.Secret) == 0 { Cfg.JWT.Secret = getOrGenerateJWTSecret() } + if len(Cfg.JWT.PrivateKeyFile) > 0 && !path.IsAbs(Cfg.JWT.PrivateKeyFile) { + Cfg.JWT.PrivateKeyFile = path.Join(RootDir, Cfg.JWT.PrivateKeyFile) + } + + if len(Cfg.JWT.PublicKeyFile) > 0 && !path.IsAbs(Cfg.JWT.PublicKeyFile) { + Cfg.JWT.PublicKeyFile = path.Join(RootDir, Cfg.JWT.PublicKeyFile) + } + if len(Cfg.Session.Key) == 0 { log.Warn("generating random session.key") rstr, err := securerandom.Base64OfBytes(base64Bytes) @@ -353,7 +370,6 @@ func Get(key string) string { // basicTest just a quick sanity check to see if the config is sound func basicTest() error { - // check oauth config if err := oauthBasicTest(); err != nil { return err 
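Review bot: `path.IsAbs` and `path.Join` operate on slash-separated paths, but PrivateKeyFile and PublicKeyFile are filesystem paths, so on Windows an absolute drive-letter path would be treated as relative and prefixed with RootDir. The file already imports `path/filepath`; use `filepath.IsAbs(Cfg.JWT.PrivateKeyFile)` and `filepath.Join(RootDir, Cfg.JWT.PrivateKeyFile)` in both new blocks, which also makes the newly added `"path"` import unnecessary. fixConfigOptions starts and ends outside the hunk.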
@@ -374,13 +390,33 @@ func basicTest() error { // issue a warning if the secret is too small log.Debugf("vouch.jwt.secret is %d characters long", len(Cfg.JWT.Secret)) - if len(Cfg.JWT.Secret) < minBase64Length { + + allowedSigningMethods := map[string]struct{}{ + "HS256": {}, "HS384": {}, "HS512": {}, // HMAC + "RS256": {}, "RS384": {}, "RS512": {}, // RSA + "ES256": {}, "ES384": {}, "ES512": {}, // ECDSA + } + if _, ok := allowedSigningMethods[Cfg.JWT.SigningMethod]; !ok { + return fmt.Errorf("configuration error: %s.jwt.signing_method value not allowed", Branding.LCName) + } + + if strings.HasPrefix(Cfg.JWT.SigningMethod, "HS") && len(Cfg.JWT.Secret) < minBase64Length { log.Errorf("Your secret is too short! (%d characters long). Please consider deleting %s to automatically generate a secret of %d characters", len(Cfg.JWT.Secret), Branding.LCName+".jwt.secret", minBase64Length) } + if strings.HasPrefix(Cfg.JWT.SigningMethod, "RS") || strings.HasPrefix(Cfg.JWT.SigningMethod, "ES") { + if len(Cfg.JWT.PublicKeyFile) == 0 { + log.Errorf("%s.jwt.public_key_file needs to be set for signing method %s", Branding.LCName, Cfg.JWT.SigningMethod) + } + + if len(Cfg.JWT.PrivateKeyFile) == 0 { + log.Errorf("%s.jwt.private_key_file needs to be set for signing method %s", Branding.LCName, Cfg.JWT.SigningMethod) + } + } + log.Debugf("vouch.session.key is %d characters long", len(Cfg.Session.Key)) if len(Cfg.Session.Key) < minBase64Length { log.Errorf("Your session key is too short! (%d characters long). Please consider deleting %s to automatically generate a secret of %d characters", 
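Review bot: For the RS and ES methods basicTest only checks that the key file paths are non-empty, so an unreadable file or a malformed PEM is not detected until the first token is signed or parsed, and the startup check passes for a deployment that cannot issue a single token. Loading and parsing both keys during configuration (the parse helpers appear to live in the jwtmanager package, so that may be the right place) would fail fast with the actual cause. The `allowedSigningMethods` map literal is rebuilt on every call; a package-level `var allowedSigningMethods = map[string]struct{}{...}` is the usual form. basicTest continues outside the hunk.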
@@ -481,7 +517,7 @@ func InitForTestPurposes() { // InitForTestPurposesWithProvider just for testing func InitForTestPurposesWithProvider(provider string) { Cfg = &Config{} // clear it out since we're called multiple times from subsequent tests - Logging.setLogLevel(zapcore.WarnLevel) + Logging.setLogLevel(zapcore.InfoLevel) setRootDir() // _, b, _, _ := runtime.Caller(0) // basepath := filepath.Dir(b) @@ -500,7 +536,6 @@ func InitForTestPurposesWithProvider(provider string) { setProviderDefaults() } fixConfigOptions() - // setDevelopmentLogger() // Needed to override the provider, which is otherwise set via yml diff --git a/pkg/jwtmanager/jwtmanager.go b/pkg/jwtmanager/jwtmanager.go index bd761eb8..fc0f0ad5 100644 --- a/pkg/jwtmanager/jwtmanager.go +++ b/pkg/jwtmanager/jwtmanager.go @@ -18,6 +18,7 @@ import ( "fmt" "io/ioutil" "net/http" + "os" "strings" "time" 
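Review bot: Raising the test log level from `zapcore.WarnLevel` to `zapcore.InfoLevel` in InitForTestPurposesWithProvider looks like a debugging leftover rather than part of the feature, and it makes every test in the package noisier. If the extra output was needed while developing the RSA path, consider reverting to `Logging.setLogLevel(zapcore.WarnLevel)`.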
@@ -73,6 +74,72 @@ func populateSites() { } } +func decryptionKey() (interface{}, error) { + if strings.HasPrefix(cfg.Cfg.JWT.SigningMethod, "HS") { + return []byte(cfg.Cfg.JWT.Secret), nil + } + + f, err := os.Open(cfg.Cfg.JWT.PublicKeyFile) + if err != nil { + return nil, fmt.Errorf("error opening Key %s: %s\n", cfg.Cfg.JWT.PrivateKeyFile, err) + } + + keyBytes, err := ioutil.ReadAll(f) + if err != nil { + return nil, fmt.Errorf("error reading Key: %s\n", err) + } + + var key interface{} + switch { + case strings.HasPrefix(cfg.Cfg.JWT.SigningMethod, "RS"): + key, err = jwt.ParseRSAPublicKeyFromPEM(keyBytes) + case strings.HasPrefix(cfg.Cfg.JWT.SigningMethod, "ES"): + key, err = jwt.ParseECPublicKeyFromPEM(keyBytes) + default: + // signingMethod should already have been validated, this should not happen + return nil, fmt.Errorf("unexpected signing method %s", cfg.Cfg.JWT.SigningMethod) + } + + if err != nil { + return nil, fmt.Errorf("error parsing Key: %s\n", err) + } + + return key, nil +} + +func signingKey() (interface{}, error) { + if strings.HasPrefix(cfg.Cfg.JWT.SigningMethod, "HS") { + return []byte(cfg.Cfg.JWT.Secret), nil + } + + f, err := os.Open(cfg.Cfg.JWT.PrivateKeyFile) + if err != nil { + return nil, fmt.Errorf("error opening RSA Key %s: %s\n", cfg.Cfg.JWT.PrivateKeyFile, err) + } + + keyBytes, err := ioutil.ReadAll(f) + if err != nil { + return nil, fmt.Errorf("error reading Key: %s\n", err) + } + + var key interface{} + switch { + case strings.HasPrefix(cfg.Cfg.JWT.SigningMethod, "RS"): + key, err = jwt.ParseRSAPrivateKeyFromPEM(keyBytes) + case strings.HasPrefix(cfg.Cfg.JWT.SigningMethod, "ES"): + key, err = jwt.ParseECPrivateKeyFromPEM(keyBytes) + default: + // We should have validated this before + return nil, fmt.Errorf("unexpected signing method %s", cfg.Cfg.JWT.SigningMethod) + } + + if err != nil { + return nil, fmt.Errorf("error parsing Key: %s\n", err) + } + + return key, nil +} + // CreateUserTokenString converts user to signed jwt func 
CreateUserTokenString(u structs.User, customClaims structs.CustomClaims, ptokens structs.PTokens) string { // User`token` @@ -89,7 +156,7 @@ func CreateUserTokenString(u structs.User, customClaims structs.CustomClaims, pt // https://github.com/vouch/vouch-proxy/issues/287 if cfg.Cfg.Headers.AccessToken == "" { claims.PAccessToken = "" - } + } if cfg.Cfg.Headers.IDToken == "" { claims.PIdToken = "" @@ -98,14 +165,16 @@ func CreateUserTokenString(u structs.User, customClaims structs.CustomClaims, pt claims.StandardClaims.ExpiresAt = time.Now().Add(time.Minute * time.Duration(cfg.Cfg.JWT.MaxAge)).Unix() // https://godoc.org/github.com/dgrijalva/jwt-go#NewWithClaims - token := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), claims) - + token := jwt.NewWithClaims(jwt.GetSigningMethod(cfg.Cfg.JWT.SigningMethod), claims) // log.Debugf("token: %v", token) log.Debugf("token created, expires: %d diff from now: %d", claims.StandardClaims.ExpiresAt, claims.StandardClaims.ExpiresAt-time.Now().Unix()) - // token -> string. Only server knows this secret (foobar). - ss, err := token.SignedString([]byte(cfg.Cfg.JWT.Secret)) - // ss, err := token.SignedString([]byte("testing")) + key, err := signingKey() + if err != nil { + log.Errorf("%s", err) + } + + ss, err := token.SignedString(key) if ss == "" || err != nil { log.Errorf("signed token error: %s", err) } 
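Review bot: Both decryptionKey and signingKey open the key file with `os.Open` and never close it, leaking a descriptor on every token created or parsed; `keyBytes, err := ioutil.ReadFile(cfg.Cfg.JWT.PublicKeyFile)` (and the PrivateKeyFile equivalent in signingKey) replaces the open-plus-ReadAll pair and closes the file for you. Since these are called per request, the keys are re-read and re-parsed from disk on every token operation; loading them once at configuration time removes the per-request I/O and a runtime failure mode. The error strings end in `\n` and wrap the cause with `%s`; dropping the newline and using `%w` keeps the cause inspectable with errors.Is/As. decryptionKey is also a misnomer, since the public key verifies signatures rather than decrypting anything; `verificationKey` would describe it.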
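Review bot: When `signingKey()` fails, the error is only logged and execution continues into `token.SignedString(key)` with a nil key, which logs a second, less specific error and still returns an empty token string. Return as soon as the key cannot be obtained: `if err != nil { log.Errorf("%s", err); return "" }`. Whether callers handle an empty return is not visible here, so the early return at least keeps the logged cause accurate. CreateUserTokenString starts outside the hunk.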
@@ -118,25 +187,6 @@ func CreateUserTokenString(u structs.User, customClaims structs.CustomClaims, pt return ss } -// TokenIsValid gett better error reporting -func TokenIsValid(token *jwt.Token, err error) bool { - if token.Valid { - return true - } else if ve, ok := err.(*jwt.ValidationError); ok { - if ve.Errors&jwt.ValidationErrorMalformed != 0 { - log.Errorf("token malformed") - } else if ve.Errors&(jwt.ValidationErrorExpired|jwt.ValidationErrorNotValidYet) != 0 { - // Token is either expired or not active yet - log.Errorf("token expired %s", err) - } else { - log.Errorf("token unknown error") - } - } else { - log.Errorf("token unknown error") - } - return false -} - // SiteInToken searches does the token contain the site? func SiteInToken(site string, token *jwt.Token) bool { if claims, ok := token.Claims.(*VouchClaims); ok { @@ -157,13 +207,18 @@ func ParseTokenString(tokenString string) (*jwt.Token, error) { log.Debugf("decompressed tokenString length %d", len(tokenString)) } + key, err := decryptionKey() + if err != nil { + log.Errorf("%s", err) + } + return jwt.ParseWithClaims(tokenString, &VouchClaims{}, func(token *jwt.Token) (interface{}, error) { // return jwt.ParseWithClaims(tokenString, &VouchClaims{}, func(token *jwt.Token) (interface{}, error) { - if token.Method != jwt.GetSigningMethod("HS256") { + if token.Method != jwt.GetSigningMethod(cfg.Cfg.JWT.SigningMethod) { return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) } - return []byte(cfg.Cfg.JWT.Secret), nil + return key, nil }) } @@ -181,10 +236,6 @@ func (claims *VouchClaims) SiteInClaims(site string) bool { // PTokenClaims get all the claims func PTokenClaims(ptoken *jwt.Token) (*VouchClaims, error) { - // func PTokenClaims(ptoken *jwt.Token) (VouchClaims, error) { - // return ptoken.Claims, nil - - // return ptoken.Claims.(*VouchClaims), nil ptokenClaims, ok := ptoken.Claims.(*VouchClaims) if !ok { log.Debugf("failed claims: %v %v", ptokenClaims, ptoken.Claims) 
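Review bot: A `decryptionKey()` failure in ParseTokenString is logged and parsing then proceeds with a nil key, so the real cause is buried behind the generic verification error returned by `jwt.ParseWithClaims`; replace the bare log with `if err != nil { return nil, err }`. The retained check `token.Method != jwt.GetSigningMethod(cfg.Cfg.JWT.SigningMethod)` is the right defence against algorithm substitution because it compares against the configured method rather than anything in the token header, and it is worth a one-line comment saying so. ParseTokenString starts outside the hunk.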
@@ -195,7 +246,6 @@ func PTokenClaims(ptoken *jwt.Token) (*VouchClaims, error) { } func decodeAndDecompressTokenString(encgzipss string) string { - var gzipss []byte // gzipss, err := url.QueryUnescape(encgzipss) gzipss, err := base64.URLEncoding.DecodeString(encgzipss) diff --git a/pkg/jwtmanager/jwtmanager_test.go b/pkg/jwtmanager/jwtmanager_test.go index f696e0f2..62bebc3e 100644 --- a/pkg/jwtmanager/jwtmanager_test.go +++ b/pkg/jwtmanager/jwtmanager_test.go @@ -12,6 +12,8 @@ package jwtmanager import ( "encoding/json" + "os" + "path/filepath" "testing" "github.com/vouch/vouch-proxy/pkg/cfg" 
@@ -42,37 +44,38 @@ var ( customClaims = structs.CustomClaims{} ) -func init() { - // log.SetLevel(log.DebugLevel) +func TestClaimsHMAC(t *testing.T) { + rootDir := os.Getenv(cfg.Branding.UCName + "_ROOT") + for _, cfgFile := range []string{"test_config.yml", "test_config_rsa.yml"} { + if err := os.Setenv(cfg.Branding.UCName+"_CONFIG", filepath.Join(rootDir, "config/testing", cfgFile)); err != nil { + t.Errorf("failed setting environment variable %s_CONFIG", cfg.Branding.UCName) + } - cfg.InitForTestPurposes() - Configure() + cfg.InitForTestPurposes() + Configure() - lc = VouchClaims{ - u1.Username, - Sites, - customClaims.Claims, - t1.PAccessToken, - t1.PIdToken, - StandardClaims, - } - json.Unmarshal([]byte(claimjson), &customClaims.Claims) -} + lc = VouchClaims{ + u1.Username, + Sites, + customClaims.Claims, + t1.PAccessToken, + t1.PIdToken, + StandardClaims, + } + json.Unmarshal([]byte(claimjson), &customClaims.Claims) -func TestClaims(t *testing.T) { - populateSites() - log.Debugf("jwt config %s %d", string(cfg.Cfg.JWT.Secret), cfg.Cfg.JWT.MaxAge) - assert.NotEmpty(t, cfg.Cfg.JWT.Secret) - assert.NotEmpty(t, cfg.Cfg.JWT.MaxAge) + populateSites() + log.Debugf("jwt config %s %d", string(cfg.Cfg.JWT.Secret), cfg.Cfg.JWT.MaxAge) + assert.NotEmpty(t, cfg.Cfg.JWT.SigningMethod) + assert.NotEmpty(t, cfg.Cfg.JWT.MaxAge) - // now := time.Now() - // d := time.Duration(ExpiresAtMinutes) * time.Minute - // log.Infof("lc d %s", d.String()) - // lc.StandardClaims.ExpiresAt = now.Add(time.Duration(ExpiresAtMinutes) * time.Minute).Unix() - // log.Infof("lc expiresAt %d", now.Unix()-lc.StandardClaims.ExpiresAt) - uts := CreateUserTokenString(u1, customClaims, t1) - utsParsed, _ := ParseTokenString(uts) - log.Infof("utsParsed: %+v", utsParsed) - log.Infof("Sites: %+v", Sites) - assert.True(t, SiteInToken(cfg.Cfg.Domains[0], utsParsed)) + uts := CreateUserTokenString(u1, customClaims, t1) + utsParsed, err := ParseTokenString(uts) + if err != nil { + t.Errorf("failed parsing 
token string: %s\n", err) + } + log.Infof("utsParsed: %+v", utsParsed) + log.Infof("Sites: %+v", Sites) + assert.True(t, SiteInToken(cfg.Cfg.Domains[0], utsParsed)) + } } From 8f67bb3b2748c2fe6c5fc4c6ee16512043efc84b Mon Sep 17 00:00:00 2001 From: Yann Hamon Date: Fri, 13 Nov 2020 01:50:05 +0100 Subject: [PATCH 04/30] update default config.yml example --- config/config.yml_example | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/config/config.yml_example b/config/config.yml_example index 95d7e5fb..5617d5fe 100644 --- a/config/config.yml_example +++ b/config/config.yml_example @@ -56,8 +56,15 @@ vouch: # - myOrg/myTeam jwt: + # signing_method: the algorithm used to sign the JWT. + # Can be one of HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512 + # Default is HS256 (HMAC) - and requires jwt.secret to be set + # Both RS* (RSA) and ES* (ECDSA) methods require jwt.private_key_file and + # jwt.public_key_file to be set. + # signing_method: HS256 + # secret - VOUCH_JWT_SECRET - # a random string used to cryptographically sign the jwt + # a random string used to cryptographically sign the jwt when signing_method is set to HS256, HS384 or HS512 # Vouch Proxy complains if the string is less than 44 characters (256 bits as 32 base64 bytes) # if the secret is not set here then Vouch Proxy will.. # - look for the secret in `./config/secret` @@ -66,6 +73,10 @@ vouch: # you'll want them all to have the same secret secret: your_random_string + # Path to the public/private key files when using an RSA or ECDSA signing method. + # public_key_file: + # private_key_file: + # issuer: Vouch # VOUCH_JWT_ISSUER # number of minutes until jwt expires - VOUCH_JWT_MAXAGE From 3b151a3f3f55cd9f98e4a5f0820106d7ed9ffbe0 Mon Sep 17 00:00:00 2001 
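Review bot: TestClaimsHMAC now iterates over both test_config.yml and test_config_rsa.yml, so the name is misleading and a failure cannot be attributed to one configuration; wrapping the loop body in `t.Run(cfgFile, func(t *testing.T) { ... })` fixes both. The `os.Setenv` of the `_CONFIG` variable is never restored, so the last value leaks into any later test in the package; capture the previous value and restore it in a `defer`. A failed Setenv should abort with `t.Fatalf` rather than `t.Errorf`, since the following assertions are meaningless with the wrong config loaded. The return value of `json.Unmarshal([]byte(claimjson), &customClaims.Claims)` is still discarded.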
From: Yann Hamon Date: Sun, 29 Nov 2020 11:38:16 +0100 Subject: [PATCH 05/30] add keys for tests --- config/testing/rsa.key | 51 ++++++++++++++++++++++++++++++++++++ config/testing/rsa.pub | 14 ++++++++++ handlers/login.go | 2 +- pkg/jwtmanager/jwtmanager.go | 2 +- 4 files changed, 67 insertions(+), 2 deletions(-) create mode 100644 config/testing/rsa.key create mode 100644 config/testing/rsa.pub diff --git a/config/testing/rsa.key b/config/testing/rsa.key new file mode 100644 index 00000000..9a3507ef --- /dev/null +++ b/config/testing/rsa.key 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEAtLXbZPJCybcLwegsi66vNjmXZIm42kAbp/tBoH7UwJIGjv4b +0Yn8jvkQKEdONNKvDQjcjrlfMCgeeV5rXLvKiUhCMf3KbRKcGdxWESYtUF1hd3qw +ubQCed0Z4xJgKegDFgUCasZMQUekwktgwMqXbGy19i2N9AHNCjXyLLQXV4ja3tVg +Xev8AJF0FAaYPLB2T7PFZ3xqH6kLFEWqSN6goF+cHIj0sCw6yRDBJmqU4oSwxCqE +H3mQNYw3UK2fV/VGrNf586OHqitdfATWdQmc5cXYeSGCqsM4OygM8VIs27SACoR0 +rCQT8daK2cBHPvG4YoHkUWx4STXscIMxdp5pnLjZZxBg9KOFPapZrMAu+v8d2wgs +30W8YgODxlcKK4ZVOG1B1naFT93kStvWeeNfrswlSIo1MqyMxJ4MP5mRzvcA5xEF +Buehv1XsdhxOkwXw7vMBv2DfavHxANiOP/yj5nr3P8pakPw8LGSJFknmJ5CodXUC +p4QjeCYoPB1aOKRLj1s2m/6opiIEy4he77Ev+CYwLX7L3vljPwHwlpgSN5IT/Xxk +vAH/7MZB3gVfNY72lkjat5SSlVjycaHf/a96EPOKhEe+0LtAZEEbOtzlmM+7PLij +Jt/piX8/QZlSIh0hhhYCzKvOFfCNmpeDNwbIaDFz3A4JrGgKmawgtzRdT3sCAwEA +AQKCAgEAtCDqFg9d/4+UCq8RaBKx181EWRTmy7ZHWwQagI6sJ1/nZbVpqU5wD1u4 +fU3GaOTxVH7WyvWAKpJy/evd/Mu7sWfzg71Ef8CjFSwKJoH1fTv3oY8Mha8nIK4B +1dRFQsBgAxzvMduDuzZcxsc4JDRNB+i84Cy8aNM6vMjVIzZIZhqmgKQUsMo/oZlb +KXMBYM1MwVmilerwJarsvkJK4OP5HKLxC4iAzvLnjfBDd7WZvskhIgh3NqCH3Lht +kt/eC2EUF8oY/oCtBDTBtJNl6bexS2AQzX1XsDtz25Oqgwm0aTPcxZ8OZWB4+QEv +2qnM2rM7ZgWvvnHu3JsBmY1MSr7Q6ZiJ3V6FgxqGu7vVECN5DgmHIB7/QoQkCp4M +F465WIpGwz7znPwA5igVI6F9wWihW5KYHxzyT8hJaQ5FJNbn7gxNwcrmBpA+06lO +GHAMV9ZaFJCDrgnkIiuNrUJjgNuK4NvFJHbxwu3P28A8JbFH6v3MSEkfGNA/Urc4 +5Hs8s/PxUGeYZ43BfhoOiDPOKHsHS6SKai57n+DdiB3cnH4/bvJ8bwdBC4wQY/IP +4gshwILoePKjERus5XzyY0RII1f6ZTEcxSKBatcu03T3EcpXyU5OsULnrb5nDF/2 +vDhCWQDLMX4fbbp5OwPTAl+RkL+0aJfkzLttyPUxYK7Gp9TUIJECggEBANox55BW +caUiL+6rFa8xxbxzm6ri+PqXGweYgGlLNlix+5QiuDitxJME4AVMMIqeha+lyj5v +CYUl60zUmtHyF1utVqs8ppY/WEFohR+rH2w/3WSAJn3AaL8Y7JuQn9a7lfb0fFcV +d6Dy2EZRuIOdbNX2vJ+cBaXGNYdWHM0g1k+ZpgLRCipOMuH65wt7NK5XhEZUHhnB +LwQ6NAtAdYZzXFYTqgHo+LexHl7erqmfqVYmUZ3WTbpwDf3345bDCI1YUvVVY36E +e5VvS49xJYMK7I9E1KbstfJ+rYGDr0QX2CA4LuAwws9lqlzmTWT+z0XOakl6I5vi +ohOI6Evsx0K3zoUCggEBANQFUI0kYJYfsDZmde1EtmgFusJjc73GwK+qAsnanJla +S31rCJR0tg74/BkReVe9j/TpU2eFf2GJWEWt+r4XIJs5rRCkt5q3KrTbtz8hNuEv 
+zJlYPmlU7l7kXYEGrFLZcerDDPN6CundgBo0LTsI5BboF1mHowH0UZKKcM7yJrUj +wmOH5NZI/RGLHjvsE5JOW+xgRSA4bR3XAK7cexicqj3kfyKbmpvTvXEFQjQxTeUG +jVeF6FUlbpLOeau7T2gRX2UZke7EkzQfKhgln/AgXcX98a8Ahw18X5SqRfWVQ1pT +xjuT1vzGAtyzMsJAX6EKo0NRQaB0gX1GzTDdxKamBf8CggEAZzPviS+59RdkgIjf +aswp8OblnEBa73wFRuR06FiwzebxTbHWXMikD73gj+DnnMk6BkhujnVKlXXIA8ET +sXXGYpBsS/YV/T7c6aMcRExWQoc6mkya6CPX53tMfpA7af+0AOjG3xHCUZhLf4cr +tOUDE3ju4reTXEOSEf9DBCsh8uiDwxVIr5XpL0XTfnS6CDRQ1kr3KctcB63X6/KD +JCLwa65FXT3qVkgqS0kcaBKir6LUO8mfXi2eEJ/tP+Pj6ab7JhtLQg47vgS0QpaL +3Z2PIny18HZJ4PbV7kpw3c5BZYvtcBDgM+SsXeB4fuqe8y+cykBBE3xwmLjK1w6Z +eQ8jWQKCAQBhmPCziANOF9gtsoymY/Lzf2+w+8bTnSIlusT91jwv+3i0iwiwDemg +iszBXWHWGdSikKVsCe/RHkAcEzJRPqQr0CjyeGBsP9TQ3DNGRCvXDQHJtO1F32q7 +E7RXKJM6sA3YW2Ei0xMjBGtrpIkNm9IjGUNmWyGWTLkgE8pJ+P4IdCWPW4bjfUXB +RaDtRIbd2mRGMyqe4lqYWdhepe+kLLnRM9WyQJ6zDI0v8ZPAItIQkyuNFn8Uct6r +hZBMlTTAWv7msxaSKrr4S0A9TVSKXNvNwE/4lu2UL6Rv8tGxcrxGYDnoQu27/gpj +Pbon4SokH5l363eiPP8+g9EApZVYgSRRAoIBAQC/o/02+JSiZtCD+wB4cAZJYXpN +i1Q6mY8mv4+8xxwBaLFuibYTcO+vwjm99x+AqCK4BKLPARf24yaHbalnkyL0HoYg +/NFMlHyRHYKZSofkV2+AiCY+DWW93efV5MlsKw7siIG6opBKSEnpcVvSSWGGhEeL +s3sIejx+N5i4Dntm9d/AL6c5iikeRUQNrVgR9EOH2A4bH/qRKsxKUQOJaO/81qlc +f8Q8nrHxK12XOFgSA9WrKFgUi2l4Mes3a2d2ABOphlseUKBGs8UvOznuFcGAgy08 +5EUPNf8B7jab+9ph5tqSs9K3kvj4dJzShLT45zk9qmNWQeBPwKqoyijaPPmb +-----END RSA PRIVATE KEY----- diff --git a/config/testing/rsa.pub b/config/testing/rsa.pub new file mode 100644 index 00000000..904fa13a --- /dev/null +++ b/config/testing/rsa.pub 
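Review bot: This commits a PEM private key to the repository under config/testing; even as a test fixture it will be flagged by secret scanners (a later patch in this series adds a scanner exclusion for it rather than removing the cause), and a checked-in key is easy to copy into a real deployment. Generating the pair at test start with crypto/rsa and encoding/pem into a temporary directory removes the need for key material in the tree. If the file stays, a README line beside it stating that it is a test-only key that must never be used for a live deployment is the minimum.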
@@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtLXbZPJCybcLwegsi66v +NjmXZIm42kAbp/tBoH7UwJIGjv4b0Yn8jvkQKEdONNKvDQjcjrlfMCgeeV5rXLvK +iUhCMf3KbRKcGdxWESYtUF1hd3qwubQCed0Z4xJgKegDFgUCasZMQUekwktgwMqX +bGy19i2N9AHNCjXyLLQXV4ja3tVgXev8AJF0FAaYPLB2T7PFZ3xqH6kLFEWqSN6g +oF+cHIj0sCw6yRDBJmqU4oSwxCqEH3mQNYw3UK2fV/VGrNf586OHqitdfATWdQmc +5cXYeSGCqsM4OygM8VIs27SACoR0rCQT8daK2cBHPvG4YoHkUWx4STXscIMxdp5p +nLjZZxBg9KOFPapZrMAu+v8d2wgs30W8YgODxlcKK4ZVOG1B1naFT93kStvWeeNf +rswlSIo1MqyMxJ4MP5mRzvcA5xEFBuehv1XsdhxOkwXw7vMBv2DfavHxANiOP/yj +5nr3P8pakPw8LGSJFknmJ5CodXUCp4QjeCYoPB1aOKRLj1s2m/6opiIEy4he77Ev ++CYwLX7L3vljPwHwlpgSN5IT/XxkvAH/7MZB3gVfNY72lkjat5SSlVjycaHf/a96 +EPOKhEe+0LtAZEEbOtzlmM+7PLijJt/piX8/QZlSIh0hhhYCzKvOFfCNmpeDNwbI +aDFz3A4JrGgKmawgtzRdT3sCAwEAAQ== +-----END PUBLIC KEY----- diff --git a/handlers/login.go b/handlers/login.go index 0c932feb..387c0145 100644 --- a/handlers/login.go +++ b/handlers/login.go @@ -212,7 +212,7 @@ func getValidRequestedURL(r *http.Request) (string, error) { if cfg.GenOAuth.Provider != cfg.Providers.IndieAuth { d := domains.Matches(hostname) if d == "" { - inCookieDomain := (hostname == cfg.Cfg.Cookie.Domain || strings.HasSuffix(hostname, "." + cfg.Cfg.Cookie.Domain)) + inCookieDomain := (hostname == cfg.Cfg.Cookie.Domain || strings.HasSuffix(hostname, "."+cfg.Cfg.Cookie.Domain)) if cfg.Cfg.Cookie.Domain == "" || !inCookieDomain { return "", fmt.Errorf("%w: not within a %s managed domain", errInvalidURL, cfg.Branding.FullName) } diff --git a/pkg/jwtmanager/jwtmanager.go b/pkg/jwtmanager/jwtmanager.go index fc0f0ad5..25ad7cf1 100644 --- a/pkg/jwtmanager/jwtmanager.go +++ b/pkg/jwtmanager/jwtmanager.go 
@@ -81,7 +81,7 @@ func decryptionKey() (interface{}, error) { f, err := os.Open(cfg.Cfg.JWT.PublicKeyFile) if err != nil { - return nil, fmt.Errorf("error opening Key %s: %s\n", cfg.Cfg.JWT.PrivateKeyFile, err) + return nil, fmt.Errorf("error opening Key %s: %s\n", cfg.Cfg.JWT.PublicKeyFile, err) } keyBytes, err := ioutil.ReadAll(f) From 2eccc636a5fc9990fadd9ca23ea14d8dd7a78adc Mon Sep 17 00:00:00 2001 From: Yann Hamon Date: Sun, 29 Nov 2020 12:06:22 +0100 Subject: [PATCH 06/30] better cfg error handling, add gitguardian config --- .gitguardian.yml | 2 ++ pkg/cfg/cfg.go | 28 +++++++++++++++++++++------- 2 files changed, 23 insertions(+), 7 deletions(-) create mode 100644 .gitguardian.yml diff --git a/.gitguardian.yml b/.gitguardian.yml new file mode 100644 index 00000000..c25f47f4 --- /dev/null +++ b/.gitguardian.yml @@ -0,0 +1,2 @@ +paths-ignore: + - 'config/testing/rsa*' \ No newline at end of file diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index 7d9bed76..d75e7202 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go 
@@ -400,20 +400,34 @@ func basicTest() error { return fmt.Errorf("configuration error: %s.jwt.signing_method value not allowed", Branding.LCName) } - if strings.HasPrefix(Cfg.JWT.SigningMethod, "HS") && len(Cfg.JWT.Secret) < minBase64Length { - log.Errorf("Your secret is too short! (%d characters long). Please consider deleting %s to automatically generate a secret of %d characters", - len(Cfg.JWT.Secret), - Branding.LCName+".jwt.secret", - minBase64Length) + if strings.HasPrefix(Cfg.JWT.SigningMethod, "HS") { + if len(Cfg.JWT.PublicKeyFile) > 0 { + return fmt.Errorf("%s.jwt.public_key_file should not be set when using signing method %s", Branding.LCName, Cfg.JWT.SigningMethod) + } + + if len(Cfg.JWT.PrivateKeyFile) > 9 { + return fmt.Errorf("%s.jwt.private_key_file should not be set when using signing method %s", Branding.LCName, Cfg.JWT.SigningMethod) + } + + if len(Cfg.JWT.Secret) < minBase64Length { + log.Errorf("Your secret is too short! (%d characters long). Please consider deleting %s to automatically generate a secret of %d characters", + len(Cfg.JWT.Secret), + Branding.LCName+".jwt.secret", + minBase64Length) + } } if strings.HasPrefix(Cfg.JWT.SigningMethod, "RS") || strings.HasPrefix(Cfg.JWT.SigningMethod, "ES") { + if len(Cfg.JWT.Secret) > 0 { + return fmt.Errorf("%s.jwt.secret should not be set when using signing method %s", Branding.LCName, Cfg.JWT.SigningMethod) + } + if len(Cfg.JWT.PublicKeyFile) == 0 { - log.Errorf("%s.jwt.public_key_file needs to be set for signing method %s", Branding.LCName, Cfg.JWT.SigningMethod) + return fmt.Errorf("%s.jwt.public_key_file needs to be set for signing method %s", Branding.LCName, Cfg.JWT.SigningMethod) } if len(Cfg.JWT.PrivateKeyFile) == 0 { - log.Errorf("%s.jwt.private_key_file needs to be set for signing method %s", Branding.LCName, Cfg.JWT.SigningMethod) + return fmt.Errorf("%s.jwt.private_key_file needs to be set for signing method %s", Branding.LCName, Cfg.JWT.SigningMethod) } } 
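Review bot: `if len(Cfg.JWT.PrivateKeyFile) > 9` is almost certainly a typo for `> 0`, mirroring the PublicKeyFile check directly above it; as written, a private_key_file value of nine characters or fewer is silently accepted under an HS method instead of being rejected. Change it to `if len(Cfg.JWT.PrivateKeyFile) > 0 {`. basicTest continues outside the hunk.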
From da61f2401f257dc64e46c6af01cfbbc5eb386a3a Mon Sep 17 00:00:00 2001 From: Yann Hamon Date: Sun, 29 Nov 2020 12:51:37 +0100 Subject: [PATCH 07/30] Add parsing test --- pkg/cfg/cfg_test.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkg/cfg/cfg_test.go b/pkg/cfg/cfg_test.go index d6dfb660..e776ebb0 100644 --- a/pkg/cfg/cfg_test.go +++ b/pkg/cfg/cfg_test.go @@ -69,6 +69,12 @@ func TestSetGitHubDefaultsWithTeamWhitelist(t *testing.T) { assert.Contains(t, GenOAuth.Scopes, "read:org") } +func TestCheckConfigWithRSA(t *testing.T) { + setUp("config/testing/test_config_rsa.yml") + assert.Contains(t, Cfg.JWT.PrivateKeyFile, "config/testing/rsa.key") + assert.Contains(t, Cfg.JWT.PublicKeyFile, "config/testing/rsa.pub") +} + func Test_claimToHeader(t *testing.T) { tests := []struct { name string From d08a4f79441870dc560c3a0ebcab84de7e513ee5 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Sun, 6 Dec 2020 19:02:32 -0800 Subject: [PATCH 08/30] #314 exit on bad config --- pkg/cfg/oauth.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/cfg/oauth.go b/pkg/cfg/oauth.go index 3d75a9db..cbf7c5de 100644 --- a/pkg/cfg/oauth.go +++ b/pkg/cfg/oauth.go @@ -205,7 +205,7 @@ func setDefaultsAzure() { } else if GenOAuth.AzureToken == "id_token" { log.Info("Using Azure Token: id_token") } else { - log.Fatal("Azure Token must be either access_token or id_token") + log.Fatal("'oauth.azure_token' must be either 'access_token' or 'id_token'") } GenOAuth.CodeChallengeMethod = "S256" } From b205a1b9f7301149d212d67c9d6773deb05d53db Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Mon, 7 Dec 2020 04:03:57 -0800 Subject: [PATCH 09/30] #314 exit on bad config --- pkg/cfg/oauth.go | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/pkg/cfg/oauth.go b/pkg/cfg/oauth.go index 3d75a9db..40dc4306 100644 --- a/pkg/cfg/oauth.go +++ b/pkg/cfg/oauth.go 
@@ -62,22 +62,6 @@ type OAuthProviders struct { // `envconfig` tag is for env var support // https://github.com/kelseyhightower/envconfig type oauthConfig struct { -<<<<<<< HEAD - Provider string `mapstructure:"provider"` - ClientID string `mapstructure:"client_id" envconfig:"client_id"` - ClientSecret string `mapstructure:"client_secret" envconfig:"client_secret"` - AuthURL string `mapstructure:"auth_url" envconfig:"auth_url"` - TokenURL string `mapstructure:"token_url" envconfig:"token_url"` - LogoutURL string `mapstructure:"end_session_endpoint" envconfig:"end_session_endpoint"` - RedirectURL string `mapstructure:"callback_url" envconfig:"callback_url"` - RedirectURLs []string `mapstructure:"callback_urls" envconfig:"callback_urls"` - Scopes []string `mapstructure:"scopes"` - UserInfoURL string `mapstructure:"user_info_url" envconfig:"user_info_url"` - UserTeamURL string `mapstructure:"user_team_url" envconfig:"user_team_url"` - UserOrgURL string `mapstructure:"user_org_url" envconfig:"user_org_url"` - PreferredDomain string `mapstructure:"preferredDomain"` - AzureToken string `mapstructure:"azure_token" envconfig:"azure_token"` -======= Provider string `mapstructure:"provider"` ClientID string `mapstructure:"client_id" envconfig:"client_id"` ClientSecret string `mapstructure:"client_secret" envconfig:"client_secret"` @@ -91,8 +75,8 @@ type oauthConfig struct { UserTeamURL string `mapstructure:"user_team_url" envconfig:"user_team_url"` UserOrgURL string `mapstructure:"user_org_url" envconfig:"user_org_url"` PreferredDomain string `mapstructure:"preferredDomain"` + AzureToken string `mapstructure:"azure_token" envconfig:"azure_token"` CodeChallengeMethod string `mapstructure:"code_challenge_method" envconfig:"code_challenge_method"` ->>>>>>> master } func configureOauth() error { 
@@ -157,7 +141,7 @@ func setProviderDefaults() { } else if GenOAuth.Provider == Providers.ADFS { setDefaultsADFS() configureOAuthClient() - } else if GenOAuth.Provider == Providers.Azure { + } else if GenOAuth.Provider == Providers.Azure { setDefaultsAzure() } else if GenOAuth.Provider == Providers.IndieAuth { GenOAuth.CodeChallengeMethod = "S256" @@ -205,7 +189,7 @@ func setDefaultsAzure() { } else if GenOAuth.AzureToken == "id_token" { log.Info("Using Azure Token: id_token") } else { - log.Fatal("Azure Token must be either access_token or id_token") + log.Fatal("'oauth.azure_token' must be either 'access_token' or 'id_token'") } GenOAuth.CodeChallengeMethod = "S256" } From 0746ee9c177c9b82f10ee8b6e484043d5a341745 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Mon, 7 Dec 2020 18:13:17 -0800 Subject: [PATCH 10/30] improve do.sh docu-messaging --- do.sh | 43 +++++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/do.sh b/do.sh index 2137db2c..3401ede8 100755 --- a/do.sh +++ b/do.sh @@ -105,11 +105,14 @@ bug_report() { usage: - $0 bug_report redacted_string redacted_string + $0 bug_report redacted_string redacted_string EOF exit 1; fi + echo -e "#\n# If sensitive information is still visible in the output, first try appending the string.." + echo -e "#\n# '$0 bug_report badstring1 badstring2'\n#\n" + echo -e "#\n# Please consider submitting a PR for the './do.sh _redact' routine if you feel that it should be improved.\n#" echo -e "\n-------------------------\n\n#\n# redacted Vouch Proxy ${CONFIG}\n# $(date -I)\n#\n" cat $CONFIG | _redact @@ -321,25 +324,25 @@ gosec() { usage() { cat < Date: Mon, 7 Dec 2020 18:13:47 -0800 Subject: [PATCH 11/30] minor changes flagged by gosec --- pkg/cfg/cfg.go | 10 +++++++--- pkg/healthcheck/healthcheck.go | 3 ++- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index 3e8def28..7ec23fcd 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go 
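Review bot: The Azure branch of setProviderDefaults now calls only `setDefaultsAzure()` and no longer `configureOAuthClient()`, while the ADFS branch directly above and the IndieAuth branch below both still call it; unless the client is configured somewhere not visible here, an Azure deployment comes up with an unconfigured OAuth client. The conflict resolution in this patch appears to have dropped the call that the first patch of the series added, and a later patch in the series (#320) re-adds it, which confirms the regression. Keep the two lines together, `setDefaultsAzure()` followed by `configureOAuthClient()`, and add a test that asserts the Azure client is configured so the pair cannot be separated again.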
@@ -178,7 +178,9 @@ func Configure() { if err := configureOauth(); err == nil { setProviderDefaults() } - cleanClaimsHeaders() + if err := cleanClaimsHeaders(); err != nil { + log.Fatalf("%w: %w", configFileErr, err) + } if *CmdLine.port != -1 { Cfg.Port = *CmdLine.port } @@ -494,7 +496,9 @@ func InitForTestPurposesWithProvider(provider string) { // Configure() // setRootDir() setDefaults() - parseConfigFile() + if err := parseConfigFile(); err != nil { + log.Error(err) + } configureFromEnv() if err := configureOauth(); err == nil { setProviderDefaults() @@ -508,6 +512,6 @@ func InitForTestPurposesWithProvider(provider string) { GenOAuth.Provider = provider setProviderDefaults() } - cleanClaimsHeaders() + _ = cleanClaimsHeaders() } diff --git a/pkg/healthcheck/healthcheck.go b/pkg/healthcheck/healthcheck.go index 9917eef1..be974171 100644 --- a/pkg/healthcheck/healthcheck.go +++ b/pkg/healthcheck/healthcheck.go @@ -42,7 +42,8 @@ func CheckAndExitIfIsHealthCheck() { func healthcheck() { url := fmt.Sprintf("http://%s:%d/healthcheck", cfg.Cfg.Listen, cfg.Cfg.Port) - log.Debug("Invoking healthcheck on URL ", url) + log.Debugf("Invoking healthcheck on %s", url) + // #nosec - turn off gosec checking which flags `http.Get(url)` resp, err := http.Get(url) if err == nil { body, err := ioutil.ReadAll(resp.Body) From b314dd53c3ccc8782f304c1b5652f6a160f375eb Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Mon, 7 Dec 2020 18:26:51 -0800 Subject: [PATCH 12/30] explicitly name fields in 'lc' struct init --- handlers/handlers_test.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/handlers/handlers_test.go b/handlers/handlers_test.go index 6a968940..d1ff237f 100644 --- a/handlers/handlers_test.go +++ b/handlers/handlers_test.go 
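Review bot: `log.Fatalf("%w: %w", configFileErr, err)` will not render the errors: `%w` is only understood by `fmt.Errorf`, and a Sprintf-style logger prints it as `%!w(...)`, so the fatal message that is supposed to explain the bad claims-header config becomes unreadable at exactly the moment someone needs it. Use `log.Fatalf("%v: %v", configFileErr, err)`, or build the error first with `fmt.Errorf("%w: %v", configFileErr, err)`; two `%w` verbs in one Errorf are only accepted from Go 1.20, and this module targets 1.15. The `_ = cleanClaimsHeaders()` in the test-init path silently drops the same error; logging it, as the neighbouring parseConfigFile change does, keeps the two paths consistent.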
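Review bot: The bare `// #nosec` placed before `http.Get(url)` suppresses every gosec rule on that line, not just the variable-URL finding, so any future issue there is hidden as well; scope it and record the reason, `// #nosec G107 -- url is built from cfg.Cfg.Listen/Port, not from request input`. Separately, `http.Get` uses the default client, which has no timeout, so a wedged listener makes the health-check process hang instead of reporting unhealthy; `(&http.Client{Timeout: 5 * time.Second}).Get(url)` bounds it. The body read that follows should be paired with `resp.Body.Close()`; whether that happens is outside the hunk.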
@@ -141,12 +141,12 @@ func init() { // log.SetLevel(log.DebugLevel) lc = jwtmanager.VouchClaims{ - u1.Username, - jwtmanager.Sites, - customClaims.Claims, - t1.PAccessToken, - t1.PIdToken, - jwtmanager.StandardClaims, + Username: u1.Username, + Sites: jwtmanager.Sites, + CustomClaims: customClaims.Claims, + PAccessToken: t1.PAccessToken, + PIdToken: t1.PIdToken, + StandardClaims: jwtmanager.StandardClaims, } json.Unmarshal([]byte(claimjson), &customClaims.Claims) } From 99e3fd93bfed01a4881c70e5c928277d85d5936f Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Tue, 26 Jan 2021 12:21:08 -0800 Subject: [PATCH 13/30] #331 fix minor formatting warnings --- pkg/jwtmanager/jwtmanager.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pkg/jwtmanager/jwtmanager.go b/pkg/jwtmanager/jwtmanager.go index 25ad7cf1..f2f144d7 100644 --- a/pkg/jwtmanager/jwtmanager.go +++ b/pkg/jwtmanager/jwtmanager.go @@ -81,12 +81,12 @@ func decryptionKey() (interface{}, error) { f, err := os.Open(cfg.Cfg.JWT.PublicKeyFile) if err != nil { - return nil, fmt.Errorf("error opening Key %s: %s\n", cfg.Cfg.JWT.PublicKeyFile, err) + return nil, fmt.Errorf("error opening Key %s: %s", cfg.Cfg.JWT.PublicKeyFile, err) } keyBytes, err := ioutil.ReadAll(f) if err != nil { - return nil, fmt.Errorf("error reading Key: %s\n", err) + return nil, fmt.Errorf("error reading Key: %s", err) } var key interface{} @@ -101,7 +101,7 @@ func decryptionKey() (interface{}, error) { } if err != nil { - return nil, fmt.Errorf("error parsing Key: %s\n", err) + return nil, fmt.Errorf("error parsing Key: %s", err) } return key, nil 
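Review bot: In the init() shown, `lc` is built from `customClaims.Claims` before `json.Unmarshal([]byte(claimjson), &customClaims.Claims)` runs on the last line, so `lc.CustomClaims` only sees the decoded claims if `Claims` was already a non-nil map that Unmarshal fills in place; if it is nil at that point, Unmarshal allocates a fresh map and the fixture's CustomClaims stays empty (which case applies is not visible here). Moving the Unmarshal above the struct literal removes the dependency on that detail, and its error should not be dropped in a fixture, `if err := json.Unmarshal([]byte(claimjson), &customClaims.Claims); err != nil { panic(err) }`. The named-field literal itself is the right change, since a positional literal breaks silently when VouchClaims gains a field.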
@@ -114,12 +114,12 @@ func signingKey() (interface{}, error) { f, err := os.Open(cfg.Cfg.JWT.PrivateKeyFile) if err != nil { - return nil, fmt.Errorf("error opening RSA Key %s: %s\n", cfg.Cfg.JWT.PrivateKeyFile, err) + return nil, fmt.Errorf("error opening RSA Key %s: %s", cfg.Cfg.JWT.PrivateKeyFile, err) } keyBytes, err := ioutil.ReadAll(f) if err != nil { - return nil, fmt.Errorf("error reading Key: %s\n", err) + return nil, fmt.Errorf("error reading Key: %s", err) } var key interface{} @@ -134,7 +134,7 @@ func signingKey() (interface{}, error) { } if err != nil { - return nil, fmt.Errorf("error parsing Key: %s\n", err) + return nil, fmt.Errorf("error parsing Key: %s", err) } return key, nil From 6418e5210db63c5229f7b39de0510633b78d143f Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Wed, 27 Jan 2021 12:26:23 -0800 Subject: [PATCH 14/30] no change needed --- config/testing/test_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/testing/test_config.yml b/config/testing/test_config.yml index 3d72029b..8143b4f6 100644 --- a/config/testing/test_config.yml +++ b/config/testing/test_config.yml @@ -17,7 +17,7 @@ vouch: name: VouchTestingSession jwt: - secret: testingSecret + secret: testingsecret oauth: provider: indieauth From 53ed07afbb2f4bd235026837077f57531e9cd2eb Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Wed, 27 Jan 2021 12:26:43 -0800 Subject: [PATCH 15/30] #331 add env vars --- config/config.yml_example | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/config.yml_example b/config/config.yml_example index e9203154..126a2f23 100644 --- a/config/config.yml_example +++ b/config/config.yml_example 
@@ -62,7 +62,7 @@ vouch: profile: intermediate # VOUCH_TLS_PROFILE jwt: - # signing_method: the algorithm used to sign the JWT. + # signing_method: the algorithm used to sign the JWT. # VOUCH_JWT_SIGNING_METHOD # Can be one of HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512 # Default is HS256 (HMAC) - and requires jwt.secret to be set # Both RS* (RSA) and ES* (ECDSA) methods require jwt.private_key_file and @@ -80,8 +80,8 @@ vouch: secret: your_random_string # Path to the public/private key files when using an RSA or ECDSA signing method. - # public_key_file: - # private_key_file: + # public_key_file: # VOUCH_JWT_PUBLIC_KEY_FILE + # private_key_file: # VOUCH_JWT_PRIVATE_KEY_FILE # issuer: Vouch # VOUCH_JWT_ISSUER From d4264fef18f943b86f2b94d70164a9210a37c827 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Wed, 27 Jan 2021 12:42:48 -0800 Subject: [PATCH 16/30] #331 use .defaults.yml to set HS256 --- .defaults.yml | 1 + handlers/handlers_test.go | 12 ++++++------ pkg/cfg/cfg.go | 6 ------ 3 files changed, 7 insertions(+), 12 deletions(-) diff --git a/.defaults.yml b/.defaults.yml index 468c1c07..55f74827 100644 --- a/.defaults.yml +++ b/.defaults.yml @@ -25,6 +25,7 @@ vouch: issuer: Vouch maxAge: 240 compress: true + signing_method: HS256 cookie: name: VouchCookie diff --git a/handlers/handlers_test.go b/handlers/handlers_test.go index 6a968940..d1ff237f 100644 --- a/handlers/handlers_test.go +++ b/handlers/handlers_test.go @@ -141,12 +141,12 @@ func init() { // log.SetLevel(log.DebugLevel) lc = jwtmanager.VouchClaims{ - u1.Username, - jwtmanager.Sites, - customClaims.Claims, - t1.PAccessToken, - t1.PIdToken, - jwtmanager.StandardClaims, + Username: u1.Username, + Sites: jwtmanager.Sites, + CustomClaims: customClaims.Claims, + PAccessToken: t1.PAccessToken, + PIdToken: t1.PIdToken, + StandardClaims: jwtmanager.StandardClaims, } json.Unmarshal([]byte(claimjson), &customClaims.Claims) } 
diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index f044e5bf..0373f6be 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go @@ -312,12 +312,6 @@ func fixConfigOptions() { Cfg.Headers.Redirect = "X-" + Branding.CcName + "-Requested-URI" } - if len(Cfg.JWT.SigningMethod) == 0 { - Cfg.JWT.SigningMethod = "HS256" - } else { - Cfg.JWT.SigningMethod = strings.ToUpper(Cfg.JWT.SigningMethod) - } - // jwt defaults if strings.HasPrefix(Cfg.JWT.SigningMethod, "HS") && len(Cfg.JWT.Secret) == 0 { Cfg.JWT.Secret = getOrGenerateJWTSecret() From b928419fa0955586f035a05bed4628c61bdb2e59 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Wed, 3 Mar 2021 15:03:36 -0800 Subject: [PATCH 17/30] spelling error transposition --- handlers/auth.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handlers/auth.go b/handlers/auth.go index b277bdcb..0e4e491d 100644 --- a/handlers/auth.go +++ b/handlers/auth.go @@ -83,7 +83,7 @@ func AuthStateHandler(w http.ResponseWriter, r *http.Request) { } if err := getUserInfo(r, &user, &customClaims, &ptokens, authCodeOptions...); err != nil { - responses.Error400(w, r, fmt.Errorf("/auth Error while retreiving user info after successful login at the OAuth provider: %w", err)) + responses.Error400(w, r, fmt.Errorf("/auth Error while retrieving user info after successful login at the OAuth provider: %w", err)) return } log.Debugf("/auth/{state}/ Claims from userinfo: %+v", customClaims) From 6d8b79ac52ccc6f1eaee4151d3e227dcb984be43 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Tue, 9 Mar 2021 16:15:15 -0800 Subject: [PATCH 18/30] #320 un-rm configureOAuthClient() HT @iamareuben --- pkg/cfg/oauth.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/cfg/oauth.go b/pkg/cfg/oauth.go index 40dc4306..b3d2b08a 100644 --- a/pkg/cfg/oauth.go +++ b/pkg/cfg/oauth.go 
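Review bot: Dropping this block removes not only the HS256 default (now supplied by .defaults.yml) but also the `strings.ToUpper` normalisation, so a `signing_method` or `VOUCH_JWT_SIGNING_METHOD` written as `rs256` no longer matches the `HasPrefix(..., "HS")`/`"RS"`/`"ES"` checks the JWT code relies on; depending on what validation exists elsewhere (not visible here), that could mean no secret is generated and signing fails at request time rather than at startup. Keep the normalisation, `Cfg.JWT.SigningMethod = strings.ToUpper(Cfg.JWT.SigningMethod)`, or reject anything outside the documented list with a `log.Fatal` during configuration, since a mis-set signing method should stop the proxy before it serves traffic. fixConfigOptions continues outside the hunk.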
@@ -143,6 +143,7 @@ func setProviderDefaults() { configureOAuthClient() } else if GenOAuth.Provider == Providers.Azure { setDefaultsAzure() + configureOAuthClient() } else if GenOAuth.Provider == Providers.IndieAuth { GenOAuth.CodeChallengeMethod = "S256" configureOAuthClient() From 092413b2dcb59bb81890da02dd34aff1314b4111 Mon Sep 17 00:00:00 2001 From: Yann Hamon Date: Sat, 27 Mar 2021 12:01:42 +0100 Subject: [PATCH 19/30] Generate RSA keys during testing, move key parsing to cfg.go --- config/testing/rsa.key | 51 -------------------------- config/testing/rsa.pub | 14 ------- do.sh | 9 +++++ pkg/cfg/cfg.go | 71 +++++++++++++++++++++++++++++++++++- pkg/jwtmanager/jwtmanager.go | 70 +---------------------------------- 5 files changed, 80 insertions(+), 135 deletions(-) delete mode 100644 config/testing/rsa.key delete mode 100644 config/testing/rsa.pub diff --git a/config/testing/rsa.key b/config/testing/rsa.key deleted file mode 100644 index 9a3507ef..00000000 --- a/config/testing/rsa.key +++ /dev/null 
@@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKQIBAAKCAgEAtLXbZPJCybcLwegsi66vNjmXZIm42kAbp/tBoH7UwJIGjv4b -0Yn8jvkQKEdONNKvDQjcjrlfMCgeeV5rXLvKiUhCMf3KbRKcGdxWESYtUF1hd3qw -ubQCed0Z4xJgKegDFgUCasZMQUekwktgwMqXbGy19i2N9AHNCjXyLLQXV4ja3tVg -Xev8AJF0FAaYPLB2T7PFZ3xqH6kLFEWqSN6goF+cHIj0sCw6yRDBJmqU4oSwxCqE -H3mQNYw3UK2fV/VGrNf586OHqitdfATWdQmc5cXYeSGCqsM4OygM8VIs27SACoR0 -rCQT8daK2cBHPvG4YoHkUWx4STXscIMxdp5pnLjZZxBg9KOFPapZrMAu+v8d2wgs -30W8YgODxlcKK4ZVOG1B1naFT93kStvWeeNfrswlSIo1MqyMxJ4MP5mRzvcA5xEF -Buehv1XsdhxOkwXw7vMBv2DfavHxANiOP/yj5nr3P8pakPw8LGSJFknmJ5CodXUC -p4QjeCYoPB1aOKRLj1s2m/6opiIEy4he77Ev+CYwLX7L3vljPwHwlpgSN5IT/Xxk -vAH/7MZB3gVfNY72lkjat5SSlVjycaHf/a96EPOKhEe+0LtAZEEbOtzlmM+7PLij -Jt/piX8/QZlSIh0hhhYCzKvOFfCNmpeDNwbIaDFz3A4JrGgKmawgtzRdT3sCAwEA -AQKCAgEAtCDqFg9d/4+UCq8RaBKx181EWRTmy7ZHWwQagI6sJ1/nZbVpqU5wD1u4 -fU3GaOTxVH7WyvWAKpJy/evd/Mu7sWfzg71Ef8CjFSwKJoH1fTv3oY8Mha8nIK4B -1dRFQsBgAxzvMduDuzZcxsc4JDRNB+i84Cy8aNM6vMjVIzZIZhqmgKQUsMo/oZlb -KXMBYM1MwVmilerwJarsvkJK4OP5HKLxC4iAzvLnjfBDd7WZvskhIgh3NqCH3Lht -kt/eC2EUF8oY/oCtBDTBtJNl6bexS2AQzX1XsDtz25Oqgwm0aTPcxZ8OZWB4+QEv -2qnM2rM7ZgWvvnHu3JsBmY1MSr7Q6ZiJ3V6FgxqGu7vVECN5DgmHIB7/QoQkCp4M -F465WIpGwz7znPwA5igVI6F9wWihW5KYHxzyT8hJaQ5FJNbn7gxNwcrmBpA+06lO -GHAMV9ZaFJCDrgnkIiuNrUJjgNuK4NvFJHbxwu3P28A8JbFH6v3MSEkfGNA/Urc4 -5Hs8s/PxUGeYZ43BfhoOiDPOKHsHS6SKai57n+DdiB3cnH4/bvJ8bwdBC4wQY/IP -4gshwILoePKjERus5XzyY0RII1f6ZTEcxSKBatcu03T3EcpXyU5OsULnrb5nDF/2 -vDhCWQDLMX4fbbp5OwPTAl+RkL+0aJfkzLttyPUxYK7Gp9TUIJECggEBANox55BW -caUiL+6rFa8xxbxzm6ri+PqXGweYgGlLNlix+5QiuDitxJME4AVMMIqeha+lyj5v -CYUl60zUmtHyF1utVqs8ppY/WEFohR+rH2w/3WSAJn3AaL8Y7JuQn9a7lfb0fFcV -d6Dy2EZRuIOdbNX2vJ+cBaXGNYdWHM0g1k+ZpgLRCipOMuH65wt7NK5XhEZUHhnB -LwQ6NAtAdYZzXFYTqgHo+LexHl7erqmfqVYmUZ3WTbpwDf3345bDCI1YUvVVY36E -e5VvS49xJYMK7I9E1KbstfJ+rYGDr0QX2CA4LuAwws9lqlzmTWT+z0XOakl6I5vi -ohOI6Evsx0K3zoUCggEBANQFUI0kYJYfsDZmde1EtmgFusJjc73GwK+qAsnanJla -S31rCJR0tg74/BkReVe9j/TpU2eFf2GJWEWt+r4XIJs5rRCkt5q3KrTbtz8hNuEv 
-zJlYPmlU7l7kXYEGrFLZcerDDPN6CundgBo0LTsI5BboF1mHowH0UZKKcM7yJrUj -wmOH5NZI/RGLHjvsE5JOW+xgRSA4bR3XAK7cexicqj3kfyKbmpvTvXEFQjQxTeUG -jVeF6FUlbpLOeau7T2gRX2UZke7EkzQfKhgln/AgXcX98a8Ahw18X5SqRfWVQ1pT -xjuT1vzGAtyzMsJAX6EKo0NRQaB0gX1GzTDdxKamBf8CggEAZzPviS+59RdkgIjf -aswp8OblnEBa73wFRuR06FiwzebxTbHWXMikD73gj+DnnMk6BkhujnVKlXXIA8ET -sXXGYpBsS/YV/T7c6aMcRExWQoc6mkya6CPX53tMfpA7af+0AOjG3xHCUZhLf4cr -tOUDE3ju4reTXEOSEf9DBCsh8uiDwxVIr5XpL0XTfnS6CDRQ1kr3KctcB63X6/KD -JCLwa65FXT3qVkgqS0kcaBKir6LUO8mfXi2eEJ/tP+Pj6ab7JhtLQg47vgS0QpaL -3Z2PIny18HZJ4PbV7kpw3c5BZYvtcBDgM+SsXeB4fuqe8y+cykBBE3xwmLjK1w6Z -eQ8jWQKCAQBhmPCziANOF9gtsoymY/Lzf2+w+8bTnSIlusT91jwv+3i0iwiwDemg -iszBXWHWGdSikKVsCe/RHkAcEzJRPqQr0CjyeGBsP9TQ3DNGRCvXDQHJtO1F32q7 -E7RXKJM6sA3YW2Ei0xMjBGtrpIkNm9IjGUNmWyGWTLkgE8pJ+P4IdCWPW4bjfUXB -RaDtRIbd2mRGMyqe4lqYWdhepe+kLLnRM9WyQJ6zDI0v8ZPAItIQkyuNFn8Uct6r -hZBMlTTAWv7msxaSKrr4S0A9TVSKXNvNwE/4lu2UL6Rv8tGxcrxGYDnoQu27/gpj -Pbon4SokH5l363eiPP8+g9EApZVYgSRRAoIBAQC/o/02+JSiZtCD+wB4cAZJYXpN -i1Q6mY8mv4+8xxwBaLFuibYTcO+vwjm99x+AqCK4BKLPARf24yaHbalnkyL0HoYg -/NFMlHyRHYKZSofkV2+AiCY+DWW93efV5MlsKw7siIG6opBKSEnpcVvSSWGGhEeL -s3sIejx+N5i4Dntm9d/AL6c5iikeRUQNrVgR9EOH2A4bH/qRKsxKUQOJaO/81qlc -f8Q8nrHxK12XOFgSA9WrKFgUi2l4Mes3a2d2ABOphlseUKBGs8UvOznuFcGAgy08 -5EUPNf8B7jab+9ph5tqSs9K3kvj4dJzShLT45zk9qmNWQeBPwKqoyijaPPmb ------END RSA PRIVATE KEY----- diff --git a/config/testing/rsa.pub b/config/testing/rsa.pub deleted file mode 100644 index 904fa13a..00000000 --- a/config/testing/rsa.pub +++ /dev/null 
@@ -1,14 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtLXbZPJCybcLwegsi66v -NjmXZIm42kAbp/tBoH7UwJIGjv4b0Yn8jvkQKEdONNKvDQjcjrlfMCgeeV5rXLvK -iUhCMf3KbRKcGdxWESYtUF1hd3qwubQCed0Z4xJgKegDFgUCasZMQUekwktgwMqX -bGy19i2N9AHNCjXyLLQXV4ja3tVgXev8AJF0FAaYPLB2T7PFZ3xqH6kLFEWqSN6g -oF+cHIj0sCw6yRDBJmqU4oSwxCqEH3mQNYw3UK2fV/VGrNf586OHqitdfATWdQmc -5cXYeSGCqsM4OygM8VIs27SACoR0rCQT8daK2cBHPvG4YoHkUWx4STXscIMxdp5p -nLjZZxBg9KOFPapZrMAu+v8d2wgs30W8YgODxlcKK4ZVOG1B1naFT93kStvWeeNf -rswlSIo1MqyMxJ4MP5mRzvcA5xEFBuehv1XsdhxOkwXw7vMBv2DfavHxANiOP/yj -5nr3P8pakPw8LGSJFknmJ5CodXUCp4QjeCYoPB1aOKRLj1s2m/6opiIEy4he77Ev -+CYwLX7L3vljPwHwlpgSN5IT/XxkvAH/7MZB3gVfNY72lkjat5SSlVjycaHf/a96 -EPOKhEe+0LtAZEEbOtzlmM+7PLijJt/piX8/QZlSIh0hhhYCzKvOFfCNmpeDNwbI -aDFz3A4JrGgKmawgtzRdT3sCAwEAAQ== ------END PUBLIC KEY----- diff --git a/do.sh b/do.sh index 5de70df8..af65fb50 100755 --- a/do.sh +++ b/do.sh @@ -186,6 +186,15 @@ test() { export VOUCH_CONFIG="$SDIR/config/testing/test_config.yml" fi + TEST_PRIVATE_KEY_FILE="$SDIR/config/testing/rsa.key" + TEST_PUBLIC_KEY_FILE="$SDIR/config/testing/rsa.pub" + if [[ ! -f "$TEST_PRIVATE_KEY_FILE" ]]; then + openssl genrsa -out "$TEST_PRIVATE_KEY_FILE" 4096 + fi + if [[ ! -f "$TEST_PUBLIC_KEY_FILE" ]]; then + openssl rsa -in "$TEST_PRIVATE_KEY_FILE" -pubout > "$TEST_PUBLIC_KEY_FILE" + fi + go get -t ./... # test all the things if [ -n "$*" ]; then diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index 7f6b503f..a0cd1c61 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go @@ -14,6 +14,7 @@ import ( "errors" "flag" "fmt" + "io/ioutil" "net/http" "os" "path" @@ -21,6 +22,7 @@ import ( "reflect" "strings" + "github.com/dgrijalva/jwt-go" "github.com/kelseyhightower/envconfig" "github.com/mitchellh/mapstructure" "github.com/spf13/viper" @@ -123,7 +125,6 @@ var ( IsHealthCheck = false errConfigNotFound = errors.New("configuration file not found") - errConfigIsBad = errors.New("configuration file not found") ) type cmdLineFlags struct { 
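Review bot: The test target now writes `config/testing/rsa.key` into the working tree, but nothing in this patch adds `config/testing/rsa*` to .gitignore, and the series also deletes the .gitguardian ignore for that path, so the next `git add -A` would commit a freshly generated private key exactly as the one removed here was; add the ignore entry alongside this change. The key this patch deletes remains recoverable from history and must be treated as public; it appears to be a test-only fixture, but that is worth stating in the commit message. Minor: `openssl rsa -in "$TEST_PRIVATE_KEY_FILE" -pubout -out "$TEST_PUBLIC_KEY_FILE"` avoids a shell redirect that leaves a truncated .pub behind if openssl fails, after which the `! -f` guard would never regenerate it.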
@@ -152,7 +153,7 @@ type ctxKey int
 // the order of config follows the Viper conventions...
 //
 // The priority of the sources is the following:
-// 1. comand line flags
+// 1. command line flags
 // 2. env. variables
 // 3. config file
 // 4. defaults
@@ -568,3 +569,69 @@ func InitForTestPurposesWithProvider(provider string) { cleanClaimsHeaders() } + +func DecryptionKey() (interface{}, error) { + if strings.HasPrefix(Cfg.JWT.SigningMethod, "HS") { + return []byte(Cfg.JWT.Secret), nil + } + + f, err := os.Open(Cfg.JWT.PublicKeyFile) + if err != nil { + return nil, fmt.Errorf("error opening Key %s: %s", Cfg.JWT.PublicKeyFile, err) + } + + keyBytes, err := ioutil.ReadAll(f) + if err != nil { + return nil, fmt.Errorf("error reading Key: %s", err) + } + + var key interface{} + switch { + case strings.HasPrefix(Cfg.JWT.SigningMethod, "RS"): + key, err = jwt.ParseRSAPublicKeyFromPEM(keyBytes) + case strings.HasPrefix(Cfg.JWT.SigningMethod, "ES"): + key, err = jwt.ParseECPublicKeyFromPEM(keyBytes) + default: + // signingMethod should already have been validated, this should not happen + return nil, fmt.Errorf("unexpected signing method %s", Cfg.JWT.SigningMethod) + } + + if err != nil { + return nil, fmt.Errorf("error parsing Key: %s", err) + } + + return key, nil +} + +func SigningKey() (interface{}, error) { + if strings.HasPrefix(Cfg.JWT.SigningMethod, "HS") { + return []byte(Cfg.JWT.Secret), nil + } + + f, err := os.Open(Cfg.JWT.PrivateKeyFile) + if err != nil { + return nil, fmt.Errorf("error opening RSA Key %s: %s", Cfg.JWT.PrivateKeyFile, err) + } + + keyBytes, err := ioutil.ReadAll(f) + if err != nil { + return nil, fmt.Errorf("error reading Key: %s", err) + } + + var key interface{} + switch { + case strings.HasPrefix(Cfg.JWT.SigningMethod, "RS"): + key, err = jwt.ParseRSAPrivateKeyFromPEM(keyBytes) + case strings.HasPrefix(Cfg.JWT.SigningMethod, "ES"): + key, err = jwt.ParseECPrivateKeyFromPEM(keyBytes) + default: + // We should have validated this before + return nil, fmt.Errorf("unexpected signing method %s", Cfg.JWT.SigningMethod) + } + + if err != nil { + return nil, fmt.Errorf("error parsing Key: %s", err) + } + + return key, nil +} 
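Review bot: Both new exported functions `os.Open` the key file and never close it (there is no `defer f.Close()` after the open error check), and the call sites in NewVPJWT/ParseTokenString invoke them per token, so every signed or verified request leaks a file descriptor until the process hits its fd limit. The minimal fix is to replace the Open/ReadAll pair with `keyBytes, err := ioutil.ReadFile(Cfg.JWT.PublicKeyFile)` (and the private-key counterpart), which closes the file itself; better still, parse the keys once during configuration and have these functions return the cached value, which also turns a bad PEM from a per-request error into a startup failure. The errors should wrap with `%w` rather than `%s` so callers can inspect them, the private-key message says "RSA Key" even on the ES path, and as exported identifiers both need doc comments starting with their names, e.g. `// SigningKey returns the key used to sign Vouch JWTs: the shared secret for HS*, the configured private key for RS*/ES*.`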
diff --git a/pkg/jwtmanager/jwtmanager.go b/pkg/jwtmanager/jwtmanager.go index b6427eda..86fa0994 100644 --- a/pkg/jwtmanager/jwtmanager.go +++ b/pkg/jwtmanager/jwtmanager.go @@ -18,7 +18,6 @@ import ( "fmt" "io/ioutil" "net/http" - "os" "strings" "time" 
@@ -75,71 +74,6 @@ func audience() string { return strings.Join(aud, comma) } -func decryptionKey() (interface{}, error) { - if strings.HasPrefix(cfg.Cfg.JWT.SigningMethod, "HS") { - return []byte(cfg.Cfg.JWT.Secret), nil - } - - f, err := os.Open(cfg.Cfg.JWT.PublicKeyFile) - if err != nil { - return nil, fmt.Errorf("error opening Key %s: %s", cfg.Cfg.JWT.PublicKeyFile, err) - } - - keyBytes, err := ioutil.ReadAll(f) - if err != nil { - return nil, fmt.Errorf("error reading Key: %s", err) - } - - var key interface{} - switch { - case strings.HasPrefix(cfg.Cfg.JWT.SigningMethod, "RS"): - key, err = jwt.ParseRSAPublicKeyFromPEM(keyBytes) - case strings.HasPrefix(cfg.Cfg.JWT.SigningMethod, "ES"): - key, err = jwt.ParseECPublicKeyFromPEM(keyBytes) - default: - // signingMethod should already have been validated, this should not happen - return nil, fmt.Errorf("unexpected signing method %s", cfg.Cfg.JWT.SigningMethod) - } - - if err != nil { - return nil, fmt.Errorf("error parsing Key: %s", err) - } - - return key, nil -} - -func signingKey() (interface{}, error) { - if strings.HasPrefix(cfg.Cfg.JWT.SigningMethod, "HS") { - return []byte(cfg.Cfg.JWT.Secret), nil - } - - f, err := os.Open(cfg.Cfg.JWT.PrivateKeyFile) - if err != nil { - return nil, fmt.Errorf("error opening RSA Key %s: %s", cfg.Cfg.JWT.PrivateKeyFile, err) - } - - keyBytes, err := ioutil.ReadAll(f) - if err != nil { - return nil, fmt.Errorf("error reading Key: %s", err) - } - - var key interface{} - switch { - case strings.HasPrefix(cfg.Cfg.JWT.SigningMethod, "RS"): - key, err = jwt.ParseRSAPrivateKeyFromPEM(keyBytes) - case strings.HasPrefix(cfg.Cfg.JWT.SigningMethod, "ES"): - key, err = jwt.ParseECPrivateKeyFromPEM(keyBytes) - default: - // We should have validated this before - return nil, fmt.Errorf("unexpected signing method %s", cfg.Cfg.JWT.SigningMethod) - } - - if err != nil { - return nil, fmt.Errorf("error parsing Key: %s", err) - } - - return key, nil -} // NewVPJWT issue a signed Vouch Proxy 
JWT for a user func NewVPJWT(u structs.User, customClaims structs.CustomClaims, ptokens structs.PTokens) (string, error) { @@ -170,7 +104,7 @@ func NewVPJWT(u structs.User, customClaims structs.CustomClaims, ptokens structs // log.Debugf("token: %v", token) log.Debugf("token created, expires: %d diff from now: %d", claims.StandardClaims.ExpiresAt, claims.StandardClaims.ExpiresAt-time.Now().Unix()) - key, err := signingKey() + key, err := cfg.SigningKey() if err != nil { log.Errorf("%s", err) } @@ -208,7 +142,7 @@ func ParseTokenString(tokenString string) (*jwt.Token, error) { log.Debugf("decompressed tokenString length %d", len(tokenString)) } - key, err := decryptionKey() + key, err := cfg.DecryptionKey() if err != nil { log.Errorf("%s", err) } From 1b8584d95571812efbbc01d11b7039809d29cbd2 Mon Sep 17 00:00:00 2001 From: Yann Hamon Date: Sat, 27 Mar 2021 12:15:00 +0100 Subject: [PATCH 20/30] Remove gitguardian cfg file --- .gitguardian.yml | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 .gitguardian.yml diff --git a/.gitguardian.yml b/.gitguardian.yml deleted file mode 100644 index c25f47f4..00000000 --- a/.gitguardian.yml +++ /dev/null @@ -1,2 +0,0 @@ -paths-ignore: - - 'config/testing/rsa*' \ No newline at end of file From 431c3745fc3c25270f957b32ee839a707dd6178f Mon Sep 17 00:00:00 2001 From: Yann Hamon Date: Sat, 27 Mar 2021 12:22:52 +0100 Subject: [PATCH 21/30] Install openssl dep in Travis --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index a638b8fe..6a94156e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -13,6 +13,7 @@ env: - ISTRAVIS=true before_install: + - apt-get install openssl - ./do.sh goget # - go get github.com/golang/lint/golint # Linter # - go get github.com/fzipp/gocyclo From 5c616c8f3812a6f97dab55813155a0e9660328ca Mon Sep 17 00:00:00 2001 
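Review bot: When `cfg.SigningKey()` fails, NewVPJWT logs the error and continues with a nil `key`, so the failure surfaces a second time, less specifically, from the signing call that follows instead of at the point where the cause is known; the function already returns `(string, error)`, so `return "", err` here is the straightforward fix. ParseTokenString in the next hunk has the same shape after `cfg.DecryptionKey()` and can `return nil, err`. The rest of NewVPJWT and ParseTokenString lies outside these hunks.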
From: Yann Hamon Date: Sat, 27 Mar 2021 12:24:55 +0100 Subject: [PATCH 22/30] Install openssl dep in Travis --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 6a94156e..f6a66a6e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -13,7 +13,7 @@ env: - ISTRAVIS=true before_install: - - apt-get install openssl + - sudo apt-get install openssl - ./do.sh goget # - go get github.com/golang/lint/golint # Linter # - go get github.com/fzipp/gocyclo From 9742d28f23b161444b448e0e3e6cfd8dd00431af Mon Sep 17 00:00:00 2001 From: Yann Hamon Date: Sat, 27 Mar 2021 12:36:36 +0100 Subject: [PATCH 23/30] Update go to 1.16 to fix go get failure --- .travis.yml | 2 +- go.mod | 16 +++++----- go.sum | 89 ++++++++++++++++++++++++++++++----------------------- 3 files changed, 59 insertions(+), 48 deletions(-) diff --git a/.travis.yml b/.travis.yml index f6a66a6e..1ad3a302 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,7 +7,7 @@ services: - docker go: - - "1.14" + - "1.16" env: - ISTRAVIS=true diff --git a/go.mod b/go.mod index d77cb85f..fe1561ad 100644 --- a/go.mod +++ b/go.mod 
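Review bot: `sudo apt-get install openssl` without `-y` aborts rather than installs whenever apt needs confirmation, because the Travis step runs without a tty; it only succeeds today if openssl is already on the image, which makes the step a no-op in the good case and a build break in the bad one. Use `sudo apt-get install -y openssl` (or the `apt:` addon), preceded by `sudo apt-get update` so a stale package index does not fail the install.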
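Review bot: CI now builds with Go 1.16 while the `go 1.15` directive in go.mod (visible as context in the hunk that follows) is unchanged, so the module's declared language version and the toolchain that tests it have diverged; that is permitted, but 1.16-only APIs would compile in CI and still be unsupported by the declared version. If the intent is to require 1.16, bump the directive as well; if 1.15 support is intended, keep a `"1.15"` entry in the `go:` matrix so the older toolchain is still exercised.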
@@ -3,37 +3,37 @@ module github.com/vouch/vouch-proxy go 1.15 require ( - cloud.google.com/go v0.77.0 // indirect + cloud.google.com/go v0.80.0 // indirect github.com/bmizerany/perks v0.0.0-20141205001514-d9a9656a3a4b // indirect github.com/dgrijalva/jwt-go v3.2.0+incompatible github.com/dgryski/go-gk v0.0.0-20200319235926-a69029f61654 // indirect github.com/fsnotify/fsnotify v1.4.9 // indirect - github.com/google/go-cmp v0.5.4 + github.com/google/go-cmp v0.5.5 github.com/gorilla/mux v1.8.0 github.com/gorilla/sessions v1.2.1 github.com/influxdata/tdigest v0.0.1 // indirect github.com/karupanerura/go-mock-http-response v0.0.0-20171201120521-7c242a447d45 github.com/kelseyhightower/envconfig v1.4.0 - github.com/magiconair/properties v1.8.4 // indirect + github.com/magiconair/properties v1.8.5 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mitchellh/mapstructure v1.4.1 github.com/nirasan/go-oauth-pkce-code-verifier v0.0.0-20170819232839-0fbfe93532da github.com/patrickmn/go-cache v2.1.0+incompatible github.com/pelletier/go-toml v1.8.1 // indirect - github.com/spf13/afero v1.5.1 // indirect + github.com/spf13/afero v1.6.0 // indirect github.com/spf13/cast v1.3.1 // indirect github.com/spf13/jwalterweatherman v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/spf13/viper v1.7.1 github.com/streadway/quantile v0.0.0-20150917103942-b0c588724d25 // indirect - github.com/stretchr/testify v1.5.1 + github.com/stretchr/testify v1.6.1 github.com/theckman/go-securerandom v0.1.1 github.com/tsenart/vegeta v12.7.0+incompatible go.uber.org/multierr v1.6.0 // indirect go.uber.org/zap v1.16.0 - golang.org/x/net v0.0.0-20210119194325-5f4716e94777 - golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99 - golang.org/x/sys v0.0.0-20210218155724-8ebf48af031b // indirect + golang.org/x/net v0.0.0-20210326220855-61e056675ecf + golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558 + golang.org/x/sys v0.0.0-20210326220804-49726bf1d181 // indirect 
gopkg.in/ini.v1 v1.62.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect ) diff --git a/go.sum b/go.sum index f4ef29e4..5d6e22f5 100644 --- a/go.sum +++ b/go.sum @@ -12,12 +12,13 @@ cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bP cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= -cloud.google.com/go v0.65.0 h1:Dg9iHVQfrhq82rUNu9ZxUDrJLaxFUe/HlCVaLyRruq8= cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= -cloud.google.com/go v0.77.0 h1:qA5V5+uQf6Mgr+tmFI8UT3D/ELyhIYkPwNGao/3Y+sQ= -cloud.google.com/go v0.77.0/go.mod h1:R8fYSLIilC247Iu8WS2OGHw1E/Ufn7Pd7HiDjTqiURs= +cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= +cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= +cloud.google.com/go v0.80.0 h1:kAdyAMrj9CjqOSGiluseVjIgAyQ3uxADYtUYR6MwYeY= +cloud.google.com/go v0.80.0/go.mod h1:fqpb6QRi1CFGAMXDoE72G+b+Ybv7dMB/T1tbExDHktI= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= 
@@ -81,7 +82,6 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= @@ -107,6 +107,7 @@ github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -119,10 +120,11 @@ github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrU github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= -github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0= github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.1 h1:jAbXjIeW2ZSW2AwFxlGTDoc2CjI2XujLkV3ArsZFCvc= +github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 
@@ -131,11 +133,12 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.1 h1:JFrFEBb2xKufg6XkJsJr+WbKb4FQlURi5RUcBveYu9k= github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= 
@@ -149,6 +152,7 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= @@ -213,10 +217,9 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4= github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/magiconair/properties v1.8.4 h1:8KGKTcQQGm0Kv7vEbKFErAoAOFyyacLStRtQSeYtvkY= -github.com/magiconair/properties v1.8.4/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= +github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls= +github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= 
@@ -241,7 +244,6 @@ github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc= github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ= -github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.8.1 h1:1Nf83orprkJyknT6h7zbuEGUEjcyVlCxSUGTENmNCRM= github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc= 
@@ -273,19 +275,15 @@ github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIK github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= -github.com/spf13/afero v1.1.2 h1:m8/z1t7/fwjysjQRYbP0RD+bUIF/8tJwPdEZsI83ACI= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= -github.com/spf13/afero v1.5.1 h1:VHu76Lk0LSP1x254maIu2bplkWpfBWI+B+6fdoZprcg= -github.com/spf13/afero v1.5.1/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= -github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8= +github.com/spf13/afero v1.6.0 h1:xoax2sJ2DT8S8xA2paPFjDCScCNeWsg75VG0DLRreiY= +github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= -github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 
@@ -297,10 +295,10 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/theckman/go-securerandom v0.1.1 h1:5KctSyM0D5KKFK+bsypIyLq7yik0CEaI5i2fGcUGcsQ= 
@@ -320,17 +318,15 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= +go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/atomic v1.6.0 h1:Ezj3JGmsOnG1MoRWQkPBsKLe9DwWD9QeXzTRzzldNVk= go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= -go.uber.org/multierr v1.5.0 h1:KCa4XfM8CWFCpxXRGok+Q0SS/0XBhMDbHHGABQLvD2A= go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= -go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.16.0 h1:uFRZXykJGK9lLY4HtgSw44DnIcAM+kRBP7x5m+NpAOM= 
@@ -366,7 +362,6 @@ golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 h1:2M3HP5CCK1Si9FQhwnzYhXdG6DXeebvUHFpre8QvbyI= golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= @@ -377,7 +372,6 @@ golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1 h1:Kvvh58BN8Y9/lBi7hTekvtMpm07eUZ0ck5pRHpsMWrY= 
@@ -414,9 +408,13 @@ golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210119194325-5f4716e94777 h1:003p0dJM77cxMSyCPFphvZf/Y5/NXf5fzg6ufd1/Oew= golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= +golang.org/x/net v0.0.0-20210326220855-61e056675ecf h1:WUcCxqQqDT0aXO4VnQbfMvp4zh7m1Gb2clVuHUAGGRE= +golang.org/x/net v0.0.0-20210326220855-61e056675ecf/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -425,9 +423,11 @@ golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210113205817-d3ed898aa8a3/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99 h1:5vD4XjIc0X5+kHZjx4UecYdjA6mJo+XXNoaW0EjU5Os= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558 h1:D7nTwh4J0i+5mW4Zjzn5omvlr6YBcWywE6KOcatyNxY= +golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -438,6 +438,7 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -471,20 +472,23 @@ golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 h1:nxC68pudNYkKU6jWhgrqdreuFiOQWj1Fs7T3VrH4Pjw= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210218155724-8ebf48af031b h1:lAZ0/chPUDWwjqosYR0X4M490zQhMsiJ4K3DbA7o+3g= -golang.org/x/sys v0.0.0-20210218155724-8ebf48af031b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210314195730-07df6a141424/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210326220804-49726bf1d181 
h1:64ChN/hjER/taL4YJuA+gpLfIMT+/NFherRZixbxOhg= +golang.org/x/sys v0.0.0-20210326220804-49726bf1d181/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5 h1:i6eZZ+zk0SOf0xgBpEpPD18qWcJda6q1sxt3S0kzyUQ= @@ -537,7 +541,6 @@ golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200825202427-b303f430e36d h1:W07d4xkoAUSNOkOzdzXCdFGxT7o2rW4q8M34tB2i//k= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 
@@ -574,12 +577,13 @@ google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz513 google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= +google.golang.org/api v0.42.0/go.mod h1:+Oj4s6ch2SEGtPjGqfUfZonBH0GjQH89gTeKKAEGZKI= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 
@@ -617,7 +621,11 @@ google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210212180131-e7f2df4ecc2d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210312152112-fc591d9ea70f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210323160006-e668133fea6a/go.mod h1:f2Bd7+2PlaVKmvKQ52aspJZXIDaRQBVdOOBfJ5i8OEs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= 
@@ -634,6 +642,7 @@ google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -643,14 +652,15 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= -google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/ini.v1 v1.51.0 h1:AQvPpx3LzTDM0AjnIRlVFwFFGC+npRopjZxLJj6gdno= gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= 
@@ -658,10 +668,11 @@ gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From f4501434656200067ace1e443fcc0aadd9070d1c Mon Sep 17 00:00:00 2001 From: Yann Hamon Date: Sat, 27 Mar 2021 12:55:28 +0100 Subject: [PATCH 24/30] Update go to 1.16 to fix go get failure --- .github/workflows/coverage.yml | 2 +- Dockerfile | 2 +- Dockerfile.alpine | 2 +- do.sh | 2 +- go.mod | 2 +- go.sum | 1 - 6 files changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 29502615..3660ae08 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -17,7 +17,7 @@ jobs: strategy: fail-fast: false matrix: - go: ['1.14', '1.15'] + go: ['1.16'] # go: ['1.15'] steps: diff --git a/Dockerfile b/Dockerfile index 7175513e..e09dddc1 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,6 +1,6 @@ # voucher/vouch-proxy # https://github.com/vouch/vouch-proxy -FROM golang:1.15 AS builder +FROM golang:1.16 AS builder LABEL maintainer="vouch@bnf.net" diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 169e0315..0cffd220 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,6 +1,6 @@ # voucher/vouch-proxy # https://github.com/vouch/vouch-proxy -FROM golang:1.15 AS builder +FROM golang:1.16 AS builder LABEL maintainer="vouch@bnf.net" diff --git a/do.sh b/do.sh index af65fb50..e3fb13b2 100755 --- a/do.sh +++ b/do.sh @@ -13,7 +13,7 @@ fi IMAGE=voucher/vouch-proxy:latest ALPINE=voucher/vouch-proxy:alpine -GOIMAGE=golang:1.14 +GOIMAGE=golang:1.16 NAME=vouch-proxy HTTPPORT=9090 GODOC_PORT=5050 diff --git a/go.mod b/go.mod index fe1561ad..e5318178 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/vouch/vouch-proxy -go 1.15 +go 1.16 require ( cloud.google.com/go v0.80.0 // indirect diff --git a/go.sum b/go.sum index 5d6e22f5..0c6bfc2c 100644 --- a/go.sum +++ b/go.sum @@ -556,7 +556,6 @@ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1N golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gonum.org/v1/gonum v0.0.0-20181121035319-3f7ecaa7e8ca h1:PupagGYwj8+I4ubCxcmcBRk3VlUWtTg5huQpZR9flmE= gonum.org/v1/gonum v0.0.0-20181121035319-3f7ecaa7e8ca/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo= -gonum.org/v1/netlib v0.0.0-20181029234149-ec6d1f5cefe6 h1:4WsZyVtkthqrHTbDCJfiTs8IWNYE4uvsSDgaV6xpp+o= gonum.org/v1/netlib v0.0.0-20181029234149-ec6d1f5cefe6/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= From 18b544052a21606d64723259620bdf9bcbee8856 Mon Sep 17 00:00:00 2001 
From: Benjamin Foote
Date: Wed, 7 Apr 2021 13:54:51 -0700
Subject: [PATCH 25/30] errConfigIsBad improvement and TODO
---
 pkg/cfg/cfg.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go
index 61f031ce..691634b7 100644
--- a/pkg/cfg/cfg.go
+++ b/pkg/cfg/cfg.go
@@ -120,7 +120,8 @@ var (
 IsHealthCheck = false
 errConfigNotFound = errors.New("configuration file not found")
- errConfigIsBad = errors.New("configuration file not found")
+ // TODO: audit errors and use errConfigIsBad
+ // errConfigIsBad = errors.New("configuration file is malformed")
 )
 type cmdLineFlags struct {
From b9007f09082678180ce1d98a252cebd301531e97 Mon Sep 17 00:00:00 2001
From: Benjamin Foote
Date: Tue, 18 May 2021 15:38:22 -0700
Subject: [PATCH 26/30] don't log the oauth client creds, even in debug
---
 pkg/cfg/cfg.go | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go
index 691634b7..5ae5b5f5 100644
--- a/pkg/cfg/cfg.go
+++ b/pkg/cfg/cfg.go
@@ -202,6 +202,7 @@ func configureFromEnv() bool {
 log.Fatal(err.Error())
 }
 preEnvGenOAuth := *GenOAuth
+
 err = envconfig.Process("OAUTH", GenOAuth)
 if err != nil {
 log.Fatal(err.Error())
@@ -214,16 +215,7 @@ func configureFromEnv() bool {
 if preEnvConfig.LogLevel != Cfg.LogLevel {
 Logging.setLogLevelString(Cfg.LogLevel)
 }
- log.Debugf("preEnvConfig %+v", preEnvConfig)
- // Mask sensitive configuration items before logging
- maskedCfg := *Cfg
- if len(Cfg.Session.Key) != 0 {
- maskedCfg.Session.Key = "XXXXXXXX"
- }
- if len(Cfg.JWT.Secret) != 0 {
- maskedCfg.JWT.Secret = "XXXXXXXX"
- }
- log.Debugf("Cfg %+v", maskedCfg)
+ // log.Debugf("preEnvConfig %+v", preEnvConfig)
 log.Infof("%s configuration set from Environmental Variables", Branding.FullName)
 return true
 }
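Review bot: Commenting out `errConfigIsBad` leaves pkg/cfg with no sentinel for a malformed configuration file, and the corrected text the TODO asks for is already written on the commented line; keeping it live as `errConfigIsBad = errors.New("configuration file is malformed")` fixes the duplicated "not found" message now and lets the later audit switch call sites to it with `errors.Is`. The single-file 2/1 diffstat suggests nothing referenced the old variable, so until that audit happens a parse failure presumably surfaces as whatever the parser returns rather than as a typed config error. The `var (` block starts outside the hunk.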
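Review bot: `// log.Debugf("preEnvConfig %+v", preEnvConfig)` is commented out rather than removed; `preEnvConfig` is compared against `Cfg.LogLevel` on the line above, so it is presumably the unmasked copy of `*Cfg` taken before envconfig.Process (its declaration is outside the hunk), and re-enabling the line later would log Session.Key and JWT.Secret in clear. Delete the line instead, so the only debug path for the config is the masked one. The same applies to `// log.Debugf("viper settings %+v", viper.AllSettings())` in this commit's logConfigIfDebug hunk, where re-enabling the line would print every setting viper holds, secrets included.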
@@ -295,8 +287,22 @@ func parseConfigFile() error {
 // consolidate config related Log.Debugf() calls so that they can be placed *after* we set the logLevel
 func logConfigIfDebug() {
 log.Debugf("cfg.RootDir: %s", RootDir)
- log.Debugf("viper settings %+v", viper.AllSettings())
- log.Debugf("cfg.GenOauth %+v", GenOAuth)
+ // log.Debugf("viper settings %+v", viper.AllSettings())
+
+ // Mask sensitive configuration items before logging
+ maskedCfg := *Cfg
+ if len(Cfg.Session.Key) != 0 {
+ maskedCfg.Session.Key = "XXXXXXXX"
+ }
+ if len(Cfg.JWT.Secret) != 0 {
+ maskedCfg.JWT.Secret = "XXXXXXXX"
+ }
+ log.Debugf("Cfg %+v", maskedCfg)
+
+ maskedGenOAuth := *GenOAuth
+ maskedGenOAuth.ClientID = "12345678"
+ maskedGenOAuth.ClientSecret = "XXXXXXXX"
+ log.Debugf("cfg.GenOauth %+v", maskedGenOAuth)
 }
 func fixConfigOptions() {
From 61b6d62154b48ee19ec93b023740e0bc49aaaac0 Mon Sep 17 00:00:00 2001
From: Benjamin Foote
Date: Tue, 18 May 2021 15:47:41 -0700
Subject: [PATCH 27/30] bump to go version 1.15
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index a638b8fe..bea66e5c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,7 +7,7 @@ services:
 - docker
 go:
- - "1.14"
+ - "1.15"
 env:
 - ISTRAVIS=true
From 6577317c2d00cf2b5de71e3fed1bd533313d389c Mon Sep 17 00:00:00 2001
From: Benjamin Foote
Date: Tue, 18 May 2021 15:55:20 -0700
Subject: [PATCH 28/30] bump to go version 1.16
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index bea66e5c..6ea3816a 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,7 +7,7 @@ services:
 - docker
 go:
- - "1.15"
+ - "1.16"
 env:
 - ISTRAVIS=true
From 6970b9266154830755178157328274eeb9510b84 Mon Sep 17 00:00:00 2001
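Review bot: The masking is applied at this one call site, so any other `%+v` of `*Cfg` or `*GenOAuth` — the commented-out viper dump, or a future debug line elsewhere in the package — still prints Session.Key, JWT.Secret and ClientSecret; a redacting `String()` method on the two config types, or one `redacted()` helper that every log call goes through, would make the safe form the default rather than something each caller must remember. Within the hunk, `maskedGenOAuth.ClientSecret = "XXXXXXXX"` is assigned unconditionally while the Session.Key and JWT.Secret masks are guarded by `len(...) != 0`, so the debug output no longer shows whether a client secret was configured at all; guarding it the same way keeps that diagnostic. `maskedGenOAuth.ClientID = "12345678"` also reads like a real identifier in a log line, whereas a placeholder such as `"<redacted>"` cannot be mistaken for data. `maskedCfg := *Cfg` is a shallow copy, which is fine for the string fields assigned here but would alias pointer or slice fields if the mask is ever extended.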
From: Benjamin Foote Date: Tue, 18 May 2021 16:44:24 -0700 Subject: [PATCH 29/30] bump to go version 1.16 --- .github/workflows/coverage.yml | 4 ++-- Dockerfile | 2 +- Dockerfile.alpine | 2 +- go.mod | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 29502615..d06d264d 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -17,8 +17,8 @@ jobs: strategy: fail-fast: false matrix: - go: ['1.14', '1.15'] - # go: ['1.15'] + # go: ['1.14', '1.15'] + go: ['1.16'] steps: - uses: actions/setup-go@v2 diff --git a/Dockerfile b/Dockerfile index 7175513e..e09dddc1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # voucher/vouch-proxy # https://github.com/vouch/vouch-proxy -FROM golang:1.15 AS builder +FROM golang:1.16 AS builder LABEL maintainer="vouch@bnf.net" diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 169e0315..0cffd220 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,6 +1,6 @@ # voucher/vouch-proxy # https://github.com/vouch/vouch-proxy -FROM golang:1.15 AS builder +FROM golang:1.16 AS builder LABEL maintainer="vouch@bnf.net" diff --git a/go.mod b/go.mod index d77cb85f..1c7795f0 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/vouch/vouch-proxy -go 1.15 +go 1.16 require ( cloud.google.com/go v0.77.0 // indirect From 19aaed15a7dcf0977331f0f934472a08e05f3331 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Tue, 18 May 2021 18:27:59 -0700 Subject: [PATCH 30/30] ignore rsa keys created for testing --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 465ee477..48cf5cb6 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,5 @@ coverage.out coverage.html.env_google .env* .cover +config/testing/rsa.key +config/testing/rsa.pub