Merge pull request #212 from buzzfeed/jhines-multiple-providers

sso: support multiple identity providers

cmd/sso-auth/main.go

@@ -16,25 +16,26 @@ func init() {
 func main() {
 	logger := log.NewLogEntry()
 
-	opts, err := auth.NewOptions()
+	config, err := auth.LoadConfig()
 	if err != nil {
-		logger.Error(err, "error loading in env vars")
+		logger.Error(err, "error loading in config from env vars")
 		os.Exit(1)
 	}
 
-	err = opts.Validate()
+	err = config.Validate()
 	if err != nil {
-		logger.Error(err, "error validating opts")
+		logger.Error(err, "error validating config")
 		os.Exit(1)
 	}
 
-	statsdClient, err := auth.NewStatsdClient(opts.StatsdHost, opts.StatsdPort)
+	sc := config.MetricsConfig.StatsdConfig
+	statsdClient, err := auth.NewStatsdClient(sc.Host, sc.Port)
 	if err != nil {
 		logger.Error(err, "error creating statsd client")
 		os.Exit(1)
 	}
 
-	authMux, err := auth.NewAuthenticatorMux(opts, statsdClient)
+	authMux, err := auth.NewAuthenticatorMux(config, statsdClient)
 	if err != nil {
 		logger.Error(err, "error creating new AuthenticatorMux")
 		os.Exit(1)
@@ -43,13 +44,13 @@ func main() {
 
 	// we leave the message field blank, which will inherit the stdlib timeout page which is sufficient
 	// and better than other naive messages we would currently place here
-	timeoutHandler := http.TimeoutHandler(authMux, opts.RequestTimeout, "")
+	timeoutHandler := http.TimeoutHandler(authMux, config.ServerConfig.TimeoutConfig.Request, "")
 
 	s := &http.Server{
-		Addr:         fmt.Sprintf(":%d", opts.Port),
-		ReadTimeout:  opts.TCPReadTimeout,
-		WriteTimeout: opts.TCPWriteTimeout,
-		Handler:      auth.NewLoggingHandler(os.Stdout, timeoutHandler, opts.RequestLogging, statsdClient),
+		Addr:         fmt.Sprintf(":%d", config.ServerConfig.Port),
+		ReadTimeout:  config.ServerConfig.TimeoutConfig.Read,
+		WriteTimeout: config.ServerConfig.TimeoutConfig.Write,
+		Handler:      auth.NewLoggingHandler(os.Stdout, timeoutHandler, config.LoggingConfig.Enable, statsdClient),
 	}
 
 	logger.Fatal(s.ListenAndServe())

go.mod

@@ -2,21 +2,20 @@ module github.com/buzzfeed/sso
 
 require (
 	github.com/18F/hmacauth v0.0.0-20151013130326-9232a6386b73
-	github.com/BurntSushi/toml v0.3.1 // indirect
 	github.com/benbjohnson/clock v0.0.0-20161215174838-7dc76406b6d3
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
 	github.com/datadog/datadog-go v0.0.0-20180822151419-281ae9f2d895
 	github.com/imdario/mergo v0.3.7
 	github.com/kelseyhightower/envconfig v1.3.0
-	github.com/kr/pretty v0.1.0 // indirect
 	github.com/mccutchen/go-httpbin v1.1.1
+	github.com/micro/go-micro v1.5.0
 	github.com/miscreant/miscreant-go v0.0.0-20181010193435-325cbd69228b
+	github.com/mitchellh/mapstructure v1.1.2
 	github.com/rakyll/statik v0.1.6
-	github.com/sirupsen/logrus v1.3.0
-	github.com/spf13/viper v1.3.2
-	golang.org/x/net v0.0.0-20190311183353-d8887717615a // indirect
-	golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1
-	golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4
-	google.golang.org/api v0.1.0
+	github.com/sirupsen/logrus v1.4.2
+	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
+	golang.org/x/sync v0.0.0-20190423024810-112230192c58
+	golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522
+	google.golang.org/api v0.5.0
 	gopkg.in/yaml.v2 v2.2.2
 )

internal/auth/authenticator.go

@@ -63,63 +63,29 @@ type getProfileResponse struct {
 	Groups []string `json:"groups"`
 }
 
-// SetCookieStore sets the cookie store to use a miscreant cipher
-func SetCookieStore(opts *Options, providerSlug string) func(*Authenticator) error {
-	return func(a *Authenticator) error {
-		decodedAuthCodeSecret, err := base64.StdEncoding.DecodeString(opts.AuthCodeSecret)
-		if err != nil {
-			return err
-		}
-		authCodeCipher, err := aead.NewMiscreantCipher([]byte(decodedAuthCodeSecret))
-		if err != nil {
-			return err
-		}
-
-		cookieName := fmt.Sprintf("%s_%s", opts.CookieName, providerSlug)
-		cookieStore, err := sessions.NewCookieStore(cookieName,
-			sessions.CreateMiscreantCookieCipher(opts.decodedCookieSecret),
-			func(c *sessions.CookieStore) error {
-				c.CookieDomain = opts.CookieDomain
-				c.CookieHTTPOnly = opts.CookieHTTPOnly
-				c.CookieExpire = opts.CookieExpire
-				c.CookieSecure = opts.CookieSecure
-				return nil
-			})
-
-		if err != nil {
-			return err
-		}
-
-		a.csrfStore = cookieStore
-		a.sessionStore = cookieStore
-		a.AuthCodeCipher = authCodeCipher
-		return nil
-	}
-}
-
 // NewAuthenticator creates a Authenticator struct and applies the optional functions slice to the struct.
-func NewAuthenticator(opts *Options, optionFuncs ...func(*Authenticator) error) (*Authenticator, error) {
+func NewAuthenticator(config Configuration, optionFuncs ...func(*Authenticator) error) (*Authenticator, error) {
 	logger := log.NewLogEntry()
 
 	templates := templates.NewHTMLTemplate()
 
 	proxyRootDomains := []string{}
-	for _, domain := range opts.ProxyRootDomains {
+	for _, domain := range config.AuthorizeConfig.ProxyConfig.Domains {
 		if !strings.HasPrefix(domain, ".") {
 			domain = fmt.Sprintf(".%s", domain)
 		}
 		proxyRootDomains = append(proxyRootDomains, domain)
 	}
 
 	p := &Authenticator{
-		ProxyClientID:     opts.ProxyClientID,
-		ProxyClientSecret: opts.ProxyClientSecret,
-		EmailDomains:      opts.EmailDomains,
-		ProxyRootDomains:  proxyRootDomains,
-		Host:              opts.Host,
-		Scheme:            opts.Scheme,
-
-		templates: templates,
+		ProxyClientID:     config.ClientConfigs["proxy"].ID,
+		ProxyClientSecret: config.ClientConfigs["proxy"].Secret,
+		EmailDomains:      config.AuthorizeConfig.EmailConfig.Domains,
+		Host:              config.ServerConfig.Host,
+		Scheme:            config.ServerConfig.Scheme,
+
+		ProxyRootDomains: proxyRootDomains,
+		templates:        templates,
 	}
 
 	p.ServeMux = p.newMux()