authentik/proxy/pkg/server/api.go

package server

import (
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"math/rand"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"

	"github.com/BeryJu/passbook/proxy/pkg"
	"github.com/BeryJu/passbook/proxy/pkg/client"
	"github.com/BeryJu/passbook/proxy/pkg/client/outposts"
	"github.com/getsentry/sentry-go"
	"github.com/go-openapi/runtime"
	"github.com/recws-org/recws"

	httptransport "github.com/go-openapi/runtime/client"
	"github.com/go-openapi/strfmt"
	"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options"
	log "github.com/sirupsen/logrus"
)

const ConfigLogLevel = "log_level"
const ConfigErrorReportingEnabled = "error_reporting_enabled"
const ConfigErrorReportingEnvironment = "error_reporting_environment"

// APIController main controller which connects to the passbook api via http and ws
type APIController struct {
	client *client.Passbook
	auth   runtime.ClientAuthInfoWriter
	token  string

	server *Server

	commonOpts *options.Options

	lastBundleHash string
	logger         *log.Entry

	reloadOffset time.Duration

	wsConn *recws.RecConn
}

func getCommonOptions() *options.Options {
	commonOpts := options.NewOptions()
	commonOpts.Cookie.Name = "passbook_proxy"
	commonOpts.EmailDomains = []string{"*"}
	commonOpts.ProviderType = "oidc"
	commonOpts.ProxyPrefix = "/pbprox"
	commonOpts.Logging.SilencePing = true
	commonOpts.SetAuthorization = false
	commonOpts.Scope = "openid email profile pb_proxy"
	return commonOpts
}

func doGlobalSetup(config map[string]interface{}) {
	switch config[ConfigLogLevel].(string) {
	case "debug":
		log.SetLevel(log.DebugLevel)
	case "info":
		log.SetLevel(log.InfoLevel)
	case "warning":
		log.SetLevel(log.WarnLevel)
	case "error":
		log.SetLevel(log.ErrorLevel)
	default:
		log.SetLevel(log.DebugLevel)
	}
	log.WithField("version", pkg.VERSION).Info("Starting passbook proxy")

	var dsn string
	if config[ConfigErrorReportingEnabled].(bool) {
		dsn = "https://33cdbcb23f8b436dbe0ee06847410b67@sentry.beryju.org/3"
		log.Debug("Error reporting enabled")
	}

	err := sentry.Init(sentry.ClientOptions{
		Dsn:         dsn,
		Environment: config[ConfigErrorReportingEnvironment].(string),
	})
	if err != nil {
		log.Fatalf("sentry.Init: %s", err)
	}

	defer sentry.Flush(2 * time.Second)
}

func getTLSTransport() http.RoundTripper {
	value, set := os.LookupEnv("PASSBOOK_INSECURE")
	if !set {
		value = "false"
	}
	tlsTransport, err := httptransport.TLSTransport(httptransport.TLSClientOptions{
		InsecureSkipVerify: strings.ToLower(value) == "true",
	})
	if err != nil {
		panic(err)
	}
	return tlsTransport
}

// NewAPIController initialise new API Controller instance from URL and API token
func NewAPIController(pbURL url.URL, token string) *APIController {
	transport := httptransport.New(pbURL.Host, client.DefaultBasePath, []string{pbURL.Scheme})
	transport.Transport = SetUserAgent(getTLSTransport(), fmt.Sprintf("passbook-proxy@%s", pkg.VERSION))

	// create the transport
	auth := httptransport.BasicAuth("", token)

	// create the API client, with the transport
	apiClient := client.New(transport, strfmt.Default)

	// Because we don't know the outpost UUID, we simply do a list and pick the first
	// The service account this token belongs to should only have access to a single outpost
	outposts, err := apiClient.Outposts.OutpostsOutpostsList(outposts.NewOutpostsOutpostsListParams(), auth)

	if err != nil {
		panic(err)
	}
	outpost := outposts.Payload.Results[0]
	doGlobalSetup(outpost.Config.(map[string]interface{}))

	ac := &APIController{
		client: apiClient,
		auth:   auth,
		token:  token,

		logger:     log.WithField("component", "api-controller"),
		commonOpts: getCommonOptions(),
		server:     NewServer(),

		reloadOffset: time.Duration(rand.Intn(10)) * time.Second,

		lastBundleHash: "",
	}
	ac.logger.Debugf("HA Reload offset: %s", ac.reloadOffset)
	ac.initWS(pbURL, outpost.Pk)
	return ac
}

func (a *APIController) bundleProviders() ([]*providerBundle, error) {
	providers, err := a.client.Outposts.OutpostsProxyList(outposts.NewOutpostsProxyListParams(), a.auth)
	if err != nil {
		a.logger.WithError(err).Error("Failed to fetch providers")
		return nil, err
	}
	// Check provider hash to see if anything is changed
	hasher := sha512.New()
	bin, _ := providers.Payload.MarshalBinary()
	hash := hex.EncodeToString(hasher.Sum(bin))
	if hash == a.lastBundleHash {
		return nil, nil
	}
	a.lastBundleHash = hash

	bundles := make([]*providerBundle, len(providers.Payload.Results))

	for idx, provider := range providers.Payload.Results {
		externalHost, err := url.Parse(*provider.ExternalHost)
		if err != nil {
			log.WithError(err).Warning("Failed to parse URL, skipping provider")
		}
		bundles[idx] = &providerBundle{
			a:    a,
			Host: externalHost.Host,
		}
		bundles[idx].Build(provider)
	}
	return bundles, nil
}

func (a *APIController) updateHTTPServer(bundles []*providerBundle) {
	newMap := make(map[string]*providerBundle)
	for _, bundle := range bundles {
		newMap[bundle.Host] = bundle
	}
	a.logger.Debug("Swapped maps")
	a.server.Handlers = newMap
}

// UpdateIfRequired Updates the HTTP Server config if required, automatically swaps the handlers
func (a *APIController) UpdateIfRequired() error {
	bundles, err := a.bundleProviders()
	if err != nil {
		return err
	}
	if bundles == nil {
		a.logger.Debug("Providers have not changed, not updating")
		return nil
	}
	a.updateHTTPServer(bundles)
	return nil
}

// Start Starts all handlers, non-blocking
func (a *APIController) Start() error {
	err := a.UpdateIfRequired()
	if err != nil {
		return err
	}
	go func() {
		a.logger.Debug("Starting HTTP Server...")
		a.server.ServeHTTP()
	}()
	go func() {
		a.logger.Debug("Starting HTTPs Server...")
		a.server.ServeHTTPS()
	}()
	go func() {
		a.logger.Debug("Starting WS Handler...")
		a.startWSHandler()
	}()
	go func() {
		a.logger.Debug("Starting WS Health notifier...")
		a.startWSHealth()
	}()
	return nil
}
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`package server`

			`import (`
			`"crypto/sha512"`
			`"encoding/hex"`
proxy: send proxy version in user-agent header 2020-11-29 18:01:15 +00:00			`"fmt"`
proxy: add random reload offset for HA 2020-10-17 14:48:53 +00:00			`"math/rand"`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`"net/http"`
			`"net/url"`
			`"os"`
proxy: improve reconnect logic, send version, properly version proxy 2020-09-18 23:29:49 +00:00			`"strings"`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`"time"`

proxy: show version on startup 2020-10-19 14:21:13 +00:00			`"github.com/BeryJu/passbook/proxy/pkg"`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`"github.com/BeryJu/passbook/proxy/pkg/client"`
			`"github.com/BeryJu/passbook/proxy/pkg/client/outposts"`
			`"github.com/getsentry/sentry-go"`
			`"github.com/go-openapi/runtime"`
			`"github.com/recws-org/recws"`

			`httptransport "github.com/go-openapi/runtime/client"`
			`"github.com/go-openapi/strfmt"`
			`"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options"`
			`log "github.com/sirupsen/logrus"`
			`)`

			`const ConfigLogLevel = "log_level"`
			`const ConfigErrorReportingEnabled = "error_reporting_enabled"`
			`const ConfigErrorReportingEnvironment = "error_reporting_environment"`

			`// APIController main controller which connects to the passbook api via http and ws`
			`type APIController struct {`
			`client *client.Passbook`
			`auth runtime.ClientAuthInfoWriter`
			`token string`

			`server *Server`

			`commonOpts *options.Options`

			`lastBundleHash string`
			`logger *log.Entry`

proxy: add random reload offset for HA 2020-10-17 14:48:53 +00:00			`reloadOffset time.Duration`

proxy: improve reconnect logic, send version, properly version proxy 2020-09-18 23:29:49 +00:00			`wsConn *recws.RecConn`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`}`

			`func getCommonOptions() *options.Options {`
			`commonOpts := options.NewOptions()`
			`commonOpts.Cookie.Name = "passbook_proxy"`
			`commonOpts.EmailDomains = []string{"*"}`
			`commonOpts.ProviderType = "oidc"`
			`commonOpts.ProxyPrefix = "/pbprox"`
			`commonOpts.Logging.SilencePing = true`
proxy: implement internal_host_ssl_validation option 2020-09-23 10:21:19 +00:00			`commonOpts.SetAuthorization = false`
proxy: ask for pb_proxy scope, set authorization header if enabled 2020-09-30 09:49:06 +00:00			`commonOpts.Scope = "openid email profile pb_proxy"`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`return commonOpts`
			`}`

			`func doGlobalSetup(config map[string]interface{}) {`
			`switch config[ConfigLogLevel].(string) {`
			`case "debug":`
			`log.SetLevel(log.DebugLevel)`
			`case "info":`
			`log.SetLevel(log.InfoLevel)`
			`case "warning":`
			`log.SetLevel(log.WarnLevel)`
			`case "error":`
			`log.SetLevel(log.ErrorLevel)`
			`default:`
			`log.SetLevel(log.DebugLevel)`
			`}`
proxy: show version on startup 2020-10-19 14:21:13 +00:00			`log.WithField("version", pkg.VERSION).Info("Starting passbook proxy")`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00
			`var dsn string`
			`if config[ConfigErrorReportingEnabled].(bool) {`
			`dsn = "https://33cdbcb23f8b436dbe0ee06847410b67@sentry.beryju.org/3"`
			`log.Debug("Error reporting enabled")`
			`}`

			`err := sentry.Init(sentry.ClientOptions{`
			`Dsn: dsn,`
			`Environment: config[ConfigErrorReportingEnvironment].(string),`
			`})`
			`if err != nil {`
			`log.Fatalf("sentry.Init: %s", err)`
			`}`

			`defer sentry.Flush(2 * time.Second)`
			`}`

			`func getTLSTransport() http.RoundTripper {`
proxy: improve reconnect logic, send version, properly version proxy 2020-09-18 23:29:49 +00:00			`value, set := os.LookupEnv("PASSBOOK_INSECURE")`
			`if !set {`
			`value = "false"`
			`}`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`tlsTransport, err := httptransport.TLSTransport(httptransport.TLSClientOptions{`
proxy: improve reconnect logic, send version, properly version proxy 2020-09-18 23:29:49 +00:00			`InsecureSkipVerify: strings.ToLower(value) == "true",`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`})`
			`if err != nil {`
			`panic(err)`
			`}`
			`return tlsTransport`
			`}`

			`// NewAPIController initialise new API Controller instance from URL and API token`
			`func NewAPIController(pbURL url.URL, token string) *APIController {`
			`transport := httptransport.New(pbURL.Host, client.DefaultBasePath, []string{pbURL.Scheme})`
proxy: send proxy version in user-agent header 2020-11-29 18:01:15 +00:00			`transport.Transport = SetUserAgent(getTLSTransport(), fmt.Sprintf("passbook-proxy@%s", pkg.VERSION))`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00
			`// create the transport`
			`auth := httptransport.BasicAuth("", token)`

			`// create the API client, with the transport`
			`apiClient := client.New(transport, strfmt.Default)`

			`// Because we don't know the outpost UUID, we simply do a list and pick the first`
			`// The service account this token belongs to should only have access to a single outpost`
			`outposts, err := apiClient.Outposts.OutpostsOutpostsList(outposts.NewOutpostsOutpostsListParams(), auth)`

			`if err != nil {`
			`panic(err)`
			`}`
			`outpost := outposts.Payload.Results[0]`
			`doGlobalSetup(outpost.Config.(map[string]interface{}))`

			`ac := &APIController{`
			`client: apiClient,`
			`auth: auth,`
			`token: token,`

			`logger: log.WithField("component", "api-controller"),`
			`commonOpts: getCommonOptions(),`
			`server: NewServer(),`

proxy: add random reload offset for HA 2020-10-17 14:48:53 +00:00			`reloadOffset: time.Duration(rand.Intn(10)) * time.Second,`

Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`lastBundleHash: "",`
			`}`
proxy: add random reload offset for HA 2020-10-17 14:48:53 +00:00			`ac.logger.Debugf("HA Reload offset: %s", ac.reloadOffset)`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`ac.initWS(pbURL, outpost.Pk)`
			`return ac`
			`}`

			`func (a APIController) bundleProviders() ([]providerBundle, error) {`
			`providers, err := a.client.Outposts.OutpostsProxyList(outposts.NewOutpostsProxyListParams(), a.auth)`
			`if err != nil {`
			`a.logger.WithError(err).Error("Failed to fetch providers")`
			`return nil, err`
			`}`
			`// Check provider hash to see if anything is changed`
			`hasher := sha512.New()`
			`bin, _ := providers.Payload.MarshalBinary()`
			`hash := hex.EncodeToString(hasher.Sum(bin))`
			`if hash == a.lastBundleHash {`
			`return nil, nil`
			`}`
			`a.lastBundleHash = hash`

			`bundles := make([]*providerBundle, len(providers.Payload.Results))`

			`for idx, provider := range providers.Payload.Results {`
			`externalHost, err := url.Parse(*provider.ExternalHost)`
			`if err != nil {`
			`log.WithError(err).Warning("Failed to parse URL, skipping provider")`
			`}`
			`bundles[idx] = &providerBundle{`
			`a: a,`
proxy: use host not hostname to match header 2020-10-29 16:25:39 +00:00			`Host: externalHost.Host,`
Proxy v2 (#189) 2020-09-02 22:04:12 +00:00			`}`
			`bundles[idx].Build(provider)`
			`}`
			`return bundles, nil`
			`}`

			`func (a APIController) updateHTTPServer(bundles []providerBundle) {`
			`newMap := make(map[string]*providerBundle)`
			`for _, bundle := range bundles {`
			`newMap[bundle.Host] = bundle`
			`}`
			`a.logger.Debug("Swapped maps")`
			`a.server.Handlers = newMap`
			`}`

			`// UpdateIfRequired Updates the HTTP Server config if required, automatically swaps the handlers`
			`func (a *APIController) UpdateIfRequired() error {`
			`bundles, err := a.bundleProviders()`
			`if err != nil {`
			`return err`
			`}`
			`if bundles == nil {`
			`a.logger.Debug("Providers have not changed, not updating")`
			`return nil`
			`}`
			`a.updateHTTPServer(bundles)`
			`return nil`
			`}`

			`// Start Starts all handlers, non-blocking`
			`func (a *APIController) Start() error {`
			`err := a.UpdateIfRequired()`
			`if err != nil {`
			`return err`
			`}`
			`go func() {`
			`a.logger.Debug("Starting HTTP Server...")`
			`a.server.ServeHTTP()`
			`}()`
			`go func() {`
			`a.logger.Debug("Starting HTTPs Server...")`
			`a.server.ServeHTTPS()`
			`}()`
			`go func() {`
			`a.logger.Debug("Starting WS Handler...")`
			`a.startWSHandler()`
			`}()`
			`go func() {`
			`a.logger.Debug("Starting WS Health notifier...")`
			`a.startWSHealth()`
			`}()`
			`return nil`
			`}`