adlin/token-validator/main.go

package main

import (
	"context"
	"encoding/base64"
	"flag"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"os"
	"os/signal"
	"path"
	"strings"
	"syscall"

	"git.nemunai.re/srs/adlin/libadlin"
)

var (
	baseURL string = "/"
)

type ResponseWriterPrefix struct {
	real   http.ResponseWriter
	prefix string
}

func (r ResponseWriterPrefix) Header() http.Header {
	return r.real.Header()
}

func (r ResponseWriterPrefix) WriteHeader(s int) {
	if v, exists := r.real.Header()["Location"]; exists && len(v) > 0 && !strings.HasPrefix(v[0], "https://") && !strings.HasPrefix(v[0], "http://") {
		r.real.Header().Set("Location", r.prefix+v[0])
	}
	r.real.WriteHeader(s)
}

func (r ResponseWriterPrefix) Write(z []byte) (int, error) {
	return r.real.Write(z)
}

func StripPrefix(prefix string, h http.Handler) http.Handler {
	if prefix == "" {
		return h
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if prefix != "/" && r.URL.Path == "/" {
			http.Redirect(w, r, prefix+"/", http.StatusFound)
		} else if p := strings.TrimPrefix(r.URL.Path, prefix); len(p) < len(r.URL.Path) {
			r2 := new(http.Request)
			*r2 = *r
			r2.URL = new(url.URL)
			*r2.URL = *r.URL
			r2.URL.Path = p
			h.ServeHTTP(ResponseWriterPrefix{w, prefix}, r2)
		} else {
			h.ServeHTTP(w, r)
		}
	})
}

func main() {
	var err error

	if v, exists := os.LookupEnv("ADLIN_NS_HOST"); exists {
		ControlSocket = v
	}
	if v, exists := os.LookupEnv("ADLIN_TSIG_NAME"); exists {
		tsigName = v
	}
	if v, exists := os.LookupEnv("ADLIN_TSIG_SECRET"); exists {
		tsigSecret = v
	}
	if v, exists := os.LookupEnv("ADLIN_SHARED_SECRET"); exists {
		adlin.SharedSecret = v
	}
	if v, exists := os.LookupEnv("ADLIN_COLLECTOR_SECRET"); !exists {
		log.Println("Warning: Please define ADLIN_COLLECTOR_SECRET environment variable")
	} else if t, err := base64.StdEncoding.DecodeString(v); err != nil {
		log.Fatal("Error reading ADLIN_COLLECTOR_SECRET variable:", err)
	} else {
		adlin.SetCollectorSecret(t)
	}

	var bind = flag.String("bind", ":8081", "Bind port/socket")
	var dsn = flag.String("dsn", adlin.DSNGenerator(), "DSN to connect to the MySQL server")
	flag.StringVar(&baseURL, "baseurl", baseURL, "URL prepended to each URL")
	flag.StringVar(&adlin.SharedSecret, "sharedsecret", adlin.SharedSecret, "secret used to communicate with remote validator")
	flag.StringVar(&AuthorizedKeysLocation, "authorizedkeyslocation", AuthorizedKeysLocation, "File for allowing user to SSH to the machine")
	flag.StringVar(&SshPiperLocation, "sshPiperLocation", SshPiperLocation, "Directory containing directories for sshpiperd")
	flag.StringVar(&ControlSocket, "ns-host", ControlSocket, "Host:port of the nameserver to use")
	flag.StringVar(&tsigName, "tsig-name", tsigName, "TSIG name to use to contact NS")
	flag.StringVar(&tsigSecret, "tsig-secret", tsigSecret, "TSIG secret to use to contact NS")
	var dummyauth = flag.Bool("dummyauth", false, "don't perform password check")
	flag.Parse()

	// Sanitize options
	log.Println("Checking paths...")
	if err = sanitizeStaticOptions(); err != nil {
		log.Fatal(err)
	}
	if baseURL != "/" {
		baseURL = path.Clean(baseURL)
	} else {
		baseURL = ""
	}

	if *dummyauth {
		AuthFunc = dummyAuth
	}

	initializeOIDC()

	// Initialize contents
	log.Println("Opening database...")
	if err := adlin.DBInit(*dsn); err != nil {
		log.Fatal("Cannot open the database: ", err)
	}
	defer adlin.DBClose()

	log.Println("Creating database...")
	if err := adlin.DBCreate(); err != nil {
		log.Fatal("Cannot create database: ", err)
	}

	// Prepare graceful shutdown
	interrupt := make(chan os.Signal, 1)
	signal.Notify(interrupt, os.Interrupt, syscall.SIGTERM)

	srv := &http.Server{
		Addr:    *bind,
		Handler: StripPrefix(baseURL, Router()),
	}

	// Serve content
	go func() {
		log.Fatal(srv.ListenAndServe())
	}()
	log.Println(fmt.Sprintf("Ready, listening on %s", *bind))

	// Wait shutdown signal
	<-interrupt

	log.Print("The service is shutting down...")
	srv.Shutdown(context.Background())
	log.Println("done")
}