sig-auth/server/server.go

package server

import (
	"context"
	"crypto"
	"encoding/json"
	"fmt"
	"net/http"

	"crispbyte.dev/sig-auth/keydirectory"
	"github.com/common-fate/httpsig"
	"github.com/common-fate/httpsig/inmemory"
	"golang.org/x/crypto/ssh"
)

func Start(keyDir keydirectory.RegistrationDirectory) error {
	mux := http.NewServeMux()

	validationOptions := httpsig.DefaultValidationOpts()
	delete(validationOptions.RequiredCoveredComponents, "content-digest")

	verifier := httpsig.Middleware(httpsig.MiddlewareOpts{
		NonceStorage: inmemory.NewNonceStorage(),
		KeyDirectory: keyDir,
		Tag:          "auth",
		Scheme:       "http",
		Authority:    "localhost:8001",
		Validation:   &validationOptions,

		OnValidationError: func(ctx context.Context, err error) {
			fmt.Printf("validation error: %s\n", err)
		},

		OnDeriveSigningString: func(ctx context.Context, stringToSign string) {
			fmt.Printf("string to sign:\n%s\n", stringToSign)
		},
	})

	verifyHandler := verifier(getDefaultHandler())

	handler := rewriteHeaders(verifyHandler)

	mux.Handle("/auth", handler)
	mux.Handle("/register", getRegistrationHandler(keyDir))

	err := http.ListenAndServe("localhost:8080", mux)

	return err
}

func getDefaultHandler() http.Handler {
	handler := func(w http.ResponseWriter, r *http.Request) {
		attr := httpsig.AttributesFromContext(r.Context()).(string)

		w.Header().Add("Remote-User", attr)
		msg := fmt.Sprintf("hello, %s!", attr)
		w.Write([]byte(msg))
	}

	return http.HandlerFunc(handler)
}

func getRegistrationHandler(keyDir keydirectory.RegistrationDirectory) http.Handler {
	handler := func(w http.ResponseWriter, r *http.Request) {
		if r.Method != "POST" {
			http.Error(w, "Bad request", 400)
			return
		}

		var request RegisterRequest

		err := json.NewDecoder(r.Body).Decode(&request)

		if err != nil {
			fmt.Println(err)
			http.Error(w, fmt.Sprintf("Bad request - %s", err), 400)
			return
		}

		key, err := parsePublicKey(request.Key)

		if err != nil {
			fmt.Println(err)
			http.Error(w, fmt.Sprintf("Bad request - %s", err), 400)
			return
		}

		if !isValidKeyType(key) {
			fmt.Println("Attempted to register invalid key type")
			http.Error(w, "Invalid key type", 400)
			return
		}

		fmt.Printf("Registering key for %s\n", request.UserId)

		keyId, err := keyDir.RegisterKey(key, request.UserId)

		if err != nil {
			fmt.Println(err)
			http.Error(w, fmt.Sprintf("Server error - %s", err), 500)
			return
		}

		w.Write([]byte(keyId))
	}

	return http.HandlerFunc(handler)
}

func parsePublicKey(input string) (crypto.PublicKey, error) {
	pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(input))

	if err != nil {
		return nil, err
	}

	return pk.(ssh.CryptoPublicKey).CryptoPublicKey(), err
}
Implement test server 2025-02-14 19:41:22 -05:00			`package server`

			`import (`
			`"context"`
Add basic key registration 2025-02-17 20:50:48 -05:00			`"crypto"`
			`"encoding/json"`
Implement test server 2025-02-14 19:41:22 -05:00			`"fmt"`
			`"net/http"`

Add basic key registration 2025-02-17 20:50:48 -05:00			`"crispbyte.dev/sig-auth/keydirectory"`
Implement test server 2025-02-14 19:41:22 -05:00			`"github.com/common-fate/httpsig"`
			`"github.com/common-fate/httpsig/inmemory"`
Add basic key registration 2025-02-17 20:50:48 -05:00			`"golang.org/x/crypto/ssh"`
Implement test server 2025-02-14 19:41:22 -05:00			`)`

Remove caddy simulation 2025-02-20 23:12:04 -05:00			`func Start(keyDir keydirectory.RegistrationDirectory) error {`
Implement test server 2025-02-14 19:41:22 -05:00			`mux := http.NewServeMux()`

Remove digest from covered components 2025-02-21 20:09:23 -05:00			`validationOptions := httpsig.DefaultValidationOpts()`
			`delete(validationOptions.RequiredCoveredComponents, "content-digest")`

Implement test server 2025-02-14 19:41:22 -05:00			`verifier := httpsig.Middleware(httpsig.MiddlewareOpts{`
			`NonceStorage: inmemory.NewNonceStorage(),`
Separate out key directory 2025-02-17 19:55:53 -05:00			`KeyDirectory: keyDir,`
Change tag 2025-02-16 13:51:12 -05:00			`Tag: "auth",`
Implement test server 2025-02-14 19:41:22 -05:00			`Scheme: "http",`
Remove digest from covered components 2025-02-21 20:09:23 -05:00			`Authority: "localhost:8001",`
			`Validation: &validationOptions,`
Implement test server 2025-02-14 19:41:22 -05:00
			`OnValidationError: func(ctx context.Context, err error) {`
			`fmt.Printf("validation error: %s\n", err)`
			`},`

			`OnDeriveSigningString: func(ctx context.Context, stringToSign string) {`
			`fmt.Printf("string to sign:\n%s\n", stringToSign)`
			`},`
			`})`

Remove caddy simulation 2025-02-20 23:12:04 -05:00			`verifyHandler := verifier(getDefaultHandler())`
Try simulating caddy forward_auth 2025-02-16 13:51:53 -05:00
Remove digest from covered components 2025-02-21 20:09:23 -05:00			`handler := rewriteHeaders(verifyHandler)`
Try simulating caddy forward_auth 2025-02-16 13:51:53 -05:00
Reorg client code 2025-02-20 21:49:05 -05:00			`mux.Handle("/auth", handler)`
Add basic key registration 2025-02-17 20:50:48 -05:00			`mux.Handle("/register", getRegistrationHandler(keyDir))`
Implement test server 2025-02-14 19:41:22 -05:00
			`err := http.ListenAndServe("localhost:8080", mux)`

			`return err`
			`}`
Add basic key registration 2025-02-17 20:50:48 -05:00
Remove caddy simulation 2025-02-20 23:12:04 -05:00			`func getDefaultHandler() http.Handler {`
Add basic key registration 2025-02-17 20:50:48 -05:00			`handler := func(w http.ResponseWriter, r *http.Request) {`
			`attr := httpsig.AttributesFromContext(r.Context()).(string)`

Remove caddy simulation 2025-02-20 23:12:04 -05:00			`w.Header().Add("Remote-User", attr)`
Generate a random key ID on registration 2025-02-17 21:03:31 -05:00			`msg := fmt.Sprintf("hello, %s!", attr)`
			`w.Write([]byte(msg))`
Add basic key registration 2025-02-17 20:50:48 -05:00			`}`

			`return http.HandlerFunc(handler)`
			`}`

			`func getRegistrationHandler(keyDir keydirectory.RegistrationDirectory) http.Handler {`
			`handler := func(w http.ResponseWriter, r *http.Request) {`
			`if r.Method != "POST" {`
			`http.Error(w, "Bad request", 400)`
			`return`
			`}`

			`var request RegisterRequest`

			`err := json.NewDecoder(r.Body).Decode(&request)`

			`if err != nil {`
Add support for more key types 2025-02-20 22:53:18 -05:00			`fmt.Println(err)`
Add basic key registration 2025-02-17 20:50:48 -05:00			`http.Error(w, fmt.Sprintf("Bad request - %s", err), 400)`
			`return`
			`}`

Add support for more key types 2025-02-20 22:53:18 -05:00			`key, err := parsePublicKey(request.Key)`
Add basic key registration 2025-02-17 20:50:48 -05:00
			`if err != nil {`
Add support for more key types 2025-02-20 22:53:18 -05:00			`fmt.Println(err)`
Add basic key registration 2025-02-17 20:50:48 -05:00			`http.Error(w, fmt.Sprintf("Bad request - %s", err), 400)`
			`return`
			`}`

Add some registration validation 2025-02-20 23:00:04 -05:00			`if !isValidKeyType(key) {`
			`fmt.Println("Attempted to register invalid key type")`
			`http.Error(w, "Invalid key type", 400)`
			`return`
			`}`

Add support for more key types 2025-02-20 22:53:18 -05:00			`fmt.Printf("Registering key for %s\n", request.UserId)`
Add basic key registration 2025-02-17 20:50:48 -05:00
Add support for more key types 2025-02-20 22:53:18 -05:00			`keyId, err := keyDir.RegisterKey(key, request.UserId)`
Generate a random key ID on registration 2025-02-17 21:03:31 -05:00
			`if err != nil {`
Add support for more key types 2025-02-20 22:53:18 -05:00			`fmt.Println(err)`
Generate a random key ID on registration 2025-02-17 21:03:31 -05:00			`http.Error(w, fmt.Sprintf("Server error - %s", err), 500)`
			`return`
			`}`

			`w.Write([]byte(keyId))`
Add basic key registration 2025-02-17 20:50:48 -05:00			`}`

			`return http.HandlerFunc(handler)`
			`}`

Add support for more key types 2025-02-20 22:53:18 -05:00			`func parsePublicKey(input string) (crypto.PublicKey, error) {`
Add basic key registration 2025-02-17 20:50:48 -05:00			`pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(input))`

Add support for more key types 2025-02-20 22:53:18 -05:00			`if err != nil {`
			`return nil, err`
Add basic key registration 2025-02-17 20:50:48 -05:00			`}`

Add support for more key types 2025-02-20 22:53:18 -05:00			`return pk.(ssh.CryptoPublicKey).CryptoPublicKey(), err`
Add basic key registration 2025-02-17 20:50:48 -05:00			`}`