admin: Generate Vouch-Proxy config

2024-03-23 18:51:53 +01:00 · 2024-03-23 18:51:53 +01:00 · 24e825d500
commit 24e825d500
parent 81d272c5b2
5 changed files with 96 additions and 16 deletions
--- a/admin/api/password.go
+++ b/admin/api/password.go
@ -17,8 +17,9 @@ import (
 )

 var (
-	OidcIssuer = "live.fic.srs.epita.fr"
-	OidcSecret = ""
+	OidcIssuer   = "live.fic.srs.epita.fr"
+	OidcClientId = "epita-challenge"
+	OidcSecret   = ""
 )

 func declarePasswordRoutes(router *gin.RouterGroup) {
@ -69,6 +70,26 @@ func declarePasswordRoutes(router *gin.RouterGroup) {
 			return
 		}

+		c.JSON(http.StatusOK, true)
+	})
+	router.GET("/vouch-proxy.yaml", func(c *gin.Context) {
+		cfg, err := genVouchProxyConfig()
+		if err != nil {
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": err.Error()})
+			return
+		}
+
+		c.String(http.StatusOK, string(cfg))
+	})
+	router.POST("/vouch-proxy.yaml", func(c *gin.Context) {
+		if dexcfg, err := genVouchProxyConfig(); err != nil {
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": err.Error()})
+			return
+		} else if err := ioutil.WriteFile(path.Join(pki.PKIDir, "shared", "vouch-config.yaml"), []byte(dexcfg), 0644); err != nil {
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": err.Error()})
+			return
+		}
+
 		c.JSON(http.StatusOK, true)
 	})
 }
@ -203,7 +224,7 @@ func genDexConfig() ([]byte, error) {
 			Issuer: "https://" + OidcIssuer,
 			Clients: []dexConfigClient{
 				dexConfigClient{
-					Id:           "epita-challenge",
+					Id:           OidcClientId,
 					Name:         challengeInfo.Title,
 					RedirectURIs: []string{"https://" + OidcIssuer + "/challenge_access/auth"},
 					Secret:       OidcSecret,
@ -249,3 +270,54 @@ func genDexPasswordTpl() ([]byte, error) {
 		}
 	}
 }
+
+const vouchcfgtpl = `# CONFIGURATION FILE HANDLED BY fic-admin
+# DO NOT MODIFY IT BY HAND
+
+vouch:
+  logLevel: debug
+  allowAllUsers: true
+  document_root: /challenge_access
+
+  cookie:
+    domain: {{ .Issuer }}
+
+  oauth:
+    provider: oidc
+    client_id: {{ .ClientId }}
+    client_secret: {{ .ClientSecret }}
+    callback_urls:
+      - https://{{ .Issuer }}/challenge_access/auth
+    auth_url: https://{{ .Issuer }}/auth
+    token_url: http://127.0.0.1:5556/token
+    user_info_url: http://127.0.0.1:5556/userinfo
+    scopes:
+      - openid
+      - email
+`
+
+type vouchProxyConfig struct {
+	Issuer       string
+	ClientId     string
+	ClientSecret string
+}
+
+func genVouchProxyConfig() ([]byte, error) {
+	if OidcSecret == "" {
+		return nil, fmt.Errorf("Unable to generate vouch proxy configuration: OIDC Secret not defined. Please define FICOIDC_SECRET in your environment.")
+	}
+
+	b := bytes.NewBufferString("")
+
+	if vouchTmpl, err := template.New("vouchcfg").Parse(vouchcfgtpl); err != nil {
+		return nil, fmt.Errorf("Cannot create template: %w", err)
+	} else if err = vouchTmpl.Execute(b, vouchProxyConfig{
+		Issuer:       "https://" + OidcIssuer,
+		ClientId:     OidcClientId,
+		ClientSecret: OidcSecret,
+	}); err != nil {
+		return nil, fmt.Errorf("An error occurs during template execution: %w", err)
+	} else {
+		return b.Bytes(), nil
+	}
+}