auth

Paddy 2015-05-17 Parent:bdb83e88e1da Child:9e3ceddf29ad

173:b0d1b3e39fc8 Go to Latest

auth/authd/server.go

Make client use our auth(n/z) scheme. Our auth(n/z) scheme can be loosely defined as "encrypted tokens that nginx transforms into headers" and "scopes for bypassing ACL". Our Go client, which is what we'll be using to have services communicate with each other, follows this paradigm now by auto-injecting the headers we'll need to identify ourselves. This will work behind our firewall, but will be useless for the rest of the world, which will need to go through the nginx bastion that can strip the headers and replace them with the headers appropriate to the token attached to the request. This did involve setting a static client ID as the client for our email_verification listener. Ideally, this would cause Client registration (using that ID) when the listener starts up, ignoring ErrClientAlreadyExists. I don't want to have to write the code that will allow us to bypass the Client ACL properly right now, though, so we're just going to have to remember to manually create that Client. Or not. I don't think it will do any harm (outside the OAuth flow) to be using a Client ID that doesn't actually point to a Client. I just think it'd be good for record-keeping purposes.

Download raw file
View source Diff to previous Annotate
History
paddy@100 1 package main
paddy@100 2
paddy@100 3 import (
paddy@100 4 "html/template"
paddy@100 5 "log"
paddy@100 6 "net/http"
paddy@157 7 "os"
paddy@100 8
paddy@107 9 "code.secondbit.org/auth.hg"
paddy@100 10 "github.com/gorilla/mux"
paddy@100 11 )
paddy@100 12
paddy@100 13 func main() {
paddy@151 14 log.SetFlags(log.LstdFlags | log.Llongfile)
paddy@170 15 log.Printf("Running version '%s'\n", auth.Version)
paddy@157 16 var config auth.Config
paddy@157 17 if os.Getenv("AUTH_PG_DB") != "" {
paddy@157 18 p, err := auth.NewPostgres(os.Getenv("AUTH_PG_DB"))
paddy@157 19 if err != nil {
paddy@157 20 panic(err)
paddy@157 21 }
paddy@157 22 config.ClientStore = &p
paddy@157 23 config.AuthCodeStore = &p
paddy@157 24 config.ProfileStore = &p
paddy@157 25 config.TokenStore = &p
paddy@157 26 config.SessionStore = &p
paddy@157 27 config.ScopeStore = &p
paddy@157 28 } else {
paddy@157 29 store := auth.NewMemstore()
paddy@157 30 config.ClientStore = store
paddy@157 31 config.AuthCodeStore = store
paddy@157 32 config.ProfileStore = store
paddy@157 33 config.TokenStore = store
paddy@157 34 config.SessionStore = store
paddy@157 35 config.ScopeStore = store
paddy@149 36 }
paddy@157 37 config.Template = template.Must(template.New("base").ParseGlob("./templates/*.gotmpl"))
paddy@157 38 config.LoginURI = "/login"
paddy@168 39 config.JWTPrivateKey = []byte(`secret`)
paddy@170 40 if os.Getenv("AUTH_NSQD_ADDR") != "" {
paddy@170 41 n, err := auth.NewNSQNotifier(os.Getenv("AUTH_NSQD_ADDR"))
paddy@170 42 if err != nil {
paddy@170 43 log.Fatal(err)
paddy@170 44 }
paddy@170 45 config.LoginVerificationNotifier = n
paddy@170 46 } else {
paddy@170 47 config.LoginVerificationNotifier = auth.NewStdoutNotifier()
paddy@170 48 }
paddy@157 49 err := config.Init()
paddy@106 50 if err != nil {
paddy@106 51 log.Fatal(err)
paddy@106 52 }
paddy@100 53 context, err := auth.NewContext(config)
paddy@100 54 if err != nil {
paddy@100 55 panic(err)
paddy@100 56 }
paddy@149 57 err = context.CreateScopes([]auth.Scope{
paddy@173 58 auth.ScopeLoginAdmin,
paddy@149 59 })
paddy@157 60 if err != nil && err != auth.ErrScopeAlreadyExists {
paddy@157 61 log.Fatal(err)
paddy@152 62 }
paddy@100 63
paddy@100 64 router := mux.NewRouter()
paddy@100 65 auth.RegisterOAuth2(router, context)
paddy@100 66 auth.RegisterSessionHandlers(router, context)
paddy@106 67 auth.RegisterProfileHandlers(router, context)
paddy@108 68 auth.RegisterClientHandlers(router, context)
paddy@100 69 http.Handle("/", router)
paddy@100 70 log.Fatal(http.ListenAndServe(":8080", nil))
paddy@100 71 }