sig-auth/server/server.go

package server

import (
	"context"
	"crypto"
	"encoding/json"
	"fmt"
	"net/http"

	"crispbyte.dev/sig-auth/keydirectory"
	"github.com/common-fate/httpsig"
	"github.com/common-fate/httpsig/inmemory"
	"golang.org/x/crypto/ssh"
)

func Start(isCaddyAuth bool, keyDir keydirectory.RegistrationDirectory) error {
	mux := http.NewServeMux()

	verifier := httpsig.Middleware(httpsig.MiddlewareOpts{
		NonceStorage: inmemory.NewNonceStorage(),
		KeyDirectory: keyDir,
		Tag:          "auth",
		Scheme:       "http",
		Authority:    "localhost:8080",

		OnValidationError: func(ctx context.Context, err error) {
			fmt.Printf("validation error: %s\n", err)
		},

		OnDeriveSigningString: func(ctx context.Context, stringToSign string) {
			fmt.Printf("string to sign:\n%s\n", stringToSign)
		},
	})

	verifyHandler := verifier(getDefaultHandler(isCaddyAuth))

	var handler http.Handler

	if isCaddyAuth {
		handler = rewriteHeaders(verifyHandler)
	} else {
		handler = verifyHandler
	}

	mux.Handle("/auth", handler)
	mux.Handle("/register", getRegistrationHandler(keyDir))

	err := http.ListenAndServe("localhost:8080", mux)

	return err
}

func getDefaultHandler(isCaddyAuth bool) http.Handler {
	handler := func(w http.ResponseWriter, r *http.Request) {
		attr := httpsig.AttributesFromContext(r.Context()).(string)

		if isCaddyAuth {
			w.Header().Add("Remote-User", attr)
		}

		msg := fmt.Sprintf("hello, %s!", attr)
		w.Write([]byte(msg))
	}

	return http.HandlerFunc(handler)
}

func getRegistrationHandler(keyDir keydirectory.RegistrationDirectory) http.Handler {
	handler := func(w http.ResponseWriter, r *http.Request) {
		if r.Method != "POST" {
			http.Error(w, "Bad request", 400)
			return
		}

		var request RegisterRequest

		err := json.NewDecoder(r.Body).Decode(&request)

		if err != nil {
			http.Error(w, fmt.Sprintf("Bad request - %s", err), 400)
			return
		}

		key, alg, err := parsePublicKey(request.Key)

		if err != nil {
			http.Error(w, fmt.Sprintf("Bad request - %s", err), 400)
			return
		}

		fmt.Printf("Registering %s key for %s\n", alg, request.UserId)

		keyId, err := keyDir.RegisterKey(key, alg, request.UserId)

		if err != nil {
			http.Error(w, fmt.Sprintf("Server error - %s", err), 500)
			return
		}

		w.Write([]byte(keyId))
	}

	return http.HandlerFunc(handler)
}

func parsePublicKey(input string) (crypto.PublicKey, string, error) {
	pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(input))

	var alg string

	switch pk.Type() {
	case "ssh-ed25519":
		alg = "ed25519"
	}

	return pk.(ssh.CryptoPublicKey).CryptoPublicKey(), alg, err
}
Implement test server 2025-02-14 19:41:22 -05:00			`package server`

			`import (`
			`"context"`
Add basic key registration 2025-02-17 20:50:48 -05:00			`"crypto"`
			`"encoding/json"`
Implement test server 2025-02-14 19:41:22 -05:00			`"fmt"`
			`"net/http"`

Add basic key registration 2025-02-17 20:50:48 -05:00			`"crispbyte.dev/sig-auth/keydirectory"`
Implement test server 2025-02-14 19:41:22 -05:00			`"github.com/common-fate/httpsig"`
			`"github.com/common-fate/httpsig/inmemory"`
Add basic key registration 2025-02-17 20:50:48 -05:00			`"golang.org/x/crypto/ssh"`
Implement test server 2025-02-14 19:41:22 -05:00			`)`

Add basic key registration 2025-02-17 20:50:48 -05:00			`func Start(isCaddyAuth bool, keyDir keydirectory.RegistrationDirectory) error {`
Implement test server 2025-02-14 19:41:22 -05:00			`mux := http.NewServeMux()`

			`verifier := httpsig.Middleware(httpsig.MiddlewareOpts{`
			`NonceStorage: inmemory.NewNonceStorage(),`
Separate out key directory 2025-02-17 19:55:53 -05:00			`KeyDirectory: keyDir,`
Change tag 2025-02-16 13:51:12 -05:00			`Tag: "auth",`
Implement test server 2025-02-14 19:41:22 -05:00			`Scheme: "http",`
			`Authority: "localhost:8080",`

			`OnValidationError: func(ctx context.Context, err error) {`
			`fmt.Printf("validation error: %s\n", err)`
			`},`

			`OnDeriveSigningString: func(ctx context.Context, stringToSign string) {`
			`fmt.Printf("string to sign:\n%s\n", stringToSign)`
			`},`
			`})`

Add basic key registration 2025-02-17 20:50:48 -05:00			`verifyHandler := verifier(getDefaultHandler(isCaddyAuth))`
Try simulating caddy forward_auth 2025-02-16 13:51:53 -05:00
			`var handler http.Handler`

			`if isCaddyAuth {`
			`handler = rewriteHeaders(verifyHandler)`
			`} else {`
			`handler = verifyHandler`
			`}`

Reorg client code 2025-02-20 21:49:05 -05:00			`mux.Handle("/auth", handler)`
Add basic key registration 2025-02-17 20:50:48 -05:00			`mux.Handle("/register", getRegistrationHandler(keyDir))`
Implement test server 2025-02-14 19:41:22 -05:00
			`err := http.ListenAndServe("localhost:8080", mux)`

			`return err`
			`}`
Add basic key registration 2025-02-17 20:50:48 -05:00
			`func getDefaultHandler(isCaddyAuth bool) http.Handler {`
			`handler := func(w http.ResponseWriter, r *http.Request) {`
			`attr := httpsig.AttributesFromContext(r.Context()).(string)`

			`if isCaddyAuth {`
			`w.Header().Add("Remote-User", attr)`
			`}`
Generate a random key ID on registration 2025-02-17 21:03:31 -05:00
			`msg := fmt.Sprintf("hello, %s!", attr)`
			`w.Write([]byte(msg))`
Add basic key registration 2025-02-17 20:50:48 -05:00			`}`

			`return http.HandlerFunc(handler)`
			`}`

			`func getRegistrationHandler(keyDir keydirectory.RegistrationDirectory) http.Handler {`
			`handler := func(w http.ResponseWriter, r *http.Request) {`
			`if r.Method != "POST" {`
			`http.Error(w, "Bad request", 400)`
			`return`
			`}`

			`var request RegisterRequest`

			`err := json.NewDecoder(r.Body).Decode(&request)`

			`if err != nil {`
			`http.Error(w, fmt.Sprintf("Bad request - %s", err), 400)`
			`return`
			`}`

			`key, alg, err := parsePublicKey(request.Key)`

			`if err != nil {`
			`http.Error(w, fmt.Sprintf("Bad request - %s", err), 400)`
			`return`
			`}`

			`fmt.Printf("Registering %s key for %s\n", alg, request.UserId)`

Generate a random key ID on registration 2025-02-17 21:03:31 -05:00			`keyId, err := keyDir.RegisterKey(key, alg, request.UserId)`

			`if err != nil {`
			`http.Error(w, fmt.Sprintf("Server error - %s", err), 500)`
			`return`
			`}`

			`w.Write([]byte(keyId))`
Add basic key registration 2025-02-17 20:50:48 -05:00			`}`

			`return http.HandlerFunc(handler)`
			`}`

			`func parsePublicKey(input string) (crypto.PublicKey, string, error) {`
			`pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(input))`

			`var alg string`

			`switch pk.Type() {`
			`case "ssh-ed25519":`
			`alg = "ed25519"`
			`}`

			`return pk.(ssh.CryptoPublicKey).CryptoPublicKey(), alg, err`
			`}`