sso: init commit

Author: Shraya Ramani

.circleci/config.yml

@@ -0,0 +1,35 @@
+version: 2
+jobs:
+  build:
+    docker:
+      - image: circleci/golang:1.9
+    working_directory: /go/src/github.com/buzzfeed/sso
+    steps:
+      - checkout
+      - run:
+          name: get lint
+          command: go get github.com/golang/lint/golint
+      - run:
+          name: install dependencies
+          command: |
+            cp Godeps /tmp/Godeps
+            cp gpm /tmp/gpm
+            cd /tmp && ./gpm
+      - run:
+          name: copy source
+          command: |
+            mkdir bin
+      - run:
+          name: run lint and tests for both services
+          command: |
+            scripts/test
+      - run:
+          name: build sso_auth
+          command: |
+            cd cmd/sso-auth
+            go build
+      - run:
+          name: build sso_proxy
+          command: |
+            cd cmd/sso-proxy
+            go build

CODE_OF_CONDUCT.md

@@ -0,0 +1,37 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of fostering an open and
+welcoming community, we pledge to respect all people who contribute through reporting issues,
+posting feature requests, updating documentation, submitting pull requests or patches, and other
+activities.
+
+We are committed to making participation in this project a harassment-free experience for everyone,
+regardless of level of experience, gender, gender identity and expression, sexual orientation,
+disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic addresses, without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits,
+code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By
+adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently
+applying these principles to every aspect of managing this project. Project maintainers who do not
+follow or enforce the Code of Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces when an individual is
+representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an
+issue or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant][1], version 1.2.0, available at
+[http://contributor-covenant.org/version/1/2/0/][2].
+
+[1]: http://contributor-covenant.org
+[2]: http://contributor-covenant.org/version/1/2/0/

CONTRIBUTING.md

@@ -0,0 +1,86 @@
+# Contributing
+
+Thank you for your interest in contributing to BuzzFeed's SSO!
+
+## Code of Conduct
+
+Help us keep SSO open and inclusive. Please read and follow our [Code of Conduct](CODE_OF_CONDUCT.md).
+
+## Getting Started
+
+### The Basics
+
+If you've never contributed to a project on Github before, take a look at [Rob Allen's beginner's guide to contributing to a Github project][begin-guide].
+
+* Make sure you have a [GitHub account](https://github.com/signup/free)
+* Submit a ticket for your issue, assuming one does not already exist. In that issue:
+  * Clearly describe the issue including steps to reproduce when it is a bug
+  * Identify specific versions of the binaries and client libraries
+* Fork the repository on GitHub
+
+### Making Changes
+
+* Create a branch from where you want to base your work
+  * We typically name branches according to the following format: `helpful_name_<issue_number>`
+* Make commits of logical units
+* Make sure your [commit messages](https://chris.beams.io/posts/git-commit/) are in a clear and readable format, example:
+
+```
+sso: added structured logging
+
+* use Logrus to add structured logging
+* update logging documentation
+* ...
+```
+
+### Quickstart
+
+If you want to get SSO up and running, please see our [quickstart guide](docs/quickstart.md).
+
+### Running Tests
+
+All bug fixes and new features are expected to include tests, so it's helpful to know how to run them locally while you're developing!
+
+Here are the steps to running the tests for SSO:
+
+1. [Install go][go]
+2. Be sure to set your workspace directory and set your GOPATH
+3. Add the sso repo to your gopath:
+
+   ```sh
+   ln -s path/to/sso $GOPATH/src/github.com/buzzfeed/sso
+   ```
+
+4. Install gpm and dependencies:
+
+   ```sh
+   brew install gpm
+   gpm install
+   ```
+
+5. Run the tests in the root directory
+
+   ```sh
+   ./scripts/test
+   ```
+
+### Submitting Changes
+
+* Push your changes to your branch in your fork of the repository
+* Submit a [pull request against BuzzFeed's repository](https://akrabat.com/the-beginners-guide-to-contributing-to-a-github-project/#step-3-create-the-pr)
+* Comment in the pull request when you're ready for the changes to be reviewed: `"ready for review"`
+
+### Code review
+
+Changes to `buzzfeed/sso` happen via GitHub pull requests, which is where at least one other engineer reviews and approves all code changes. Some tips for pull requests and code review:
+
+* Each pull request is a branch from `master` — there are no other long-lived branches
+* A single pull request is used for each set of changes — i.e., once a pull request has been opened, any follow-up commits to address code review and discussion should be pushed to that pull request instead of a new one
+* Before a pull request is merged, it must get a green check mark from our CI for passing tests
+* Before a pull request is merged, the author should take the opportunity to clean up and rewrite the commits on the branch (see [How to Write a Git Commit Message](https://chris.beams.io/posts/git-commit/).
+* A maintainer will merge your changes once they're approved and ready!
+* **Most importantly: Practice [mindful communication][mindful-comms]!**
+
+[begin-guide]: https://akrabat.com/the-beginners-guide-to-contributing-to-a-github-project/
+[mindful-comms]: https://kickstarter.engineering/a-guide-to-mindful-communication-in-code-reviews-48aab5282e5e
+[go]: https://golang.org/doc/install

Dockerfile

@@ -0,0 +1,13 @@
+FROM golang:1.9.2
+
+RUN apt-get update && apt-get install -y curl bash git jq gettext
+
+# install gpm dependencies
+COPY gpm /tmp/gpm
+COPY Godeps /tmp/Godeps
+RUN cd /tmp && ./gpm
+
+COPY / /go/src/github.com/buzzfeed/sso/
+
+RUN cd /go/src/github.com/buzzfeed/sso/cmd/sso-auth; go build -o /bin/sso-auth
+RUN cd /go/src/github.com/buzzfeed/sso/cmd/sso-proxy; go build -o /bin/sso-proxy

Godeps

@@ -0,0 +1,15 @@
+github.com/18F/hmacauth                  1.0.1
+gopkg.in/yaml.v2                         v2
+github.com/imdario/mergo                 v0.3.4
+github.com/BurntSushi/toml               d94612f9fc140360834f9742158c70b5c5b5535b
+github.com/bitly/go-simplejson           da1a8928f709389522c8023062a3739f3b4af419
+github.com/mreiferson/go-options         77551d20752b54535462404ad9d877ebdb26e53d
+github.com/datadog/datadog-go/statsd	 c74bd0589c83817c93e4eff39ccae69d6c46df9b
+golang.org/x/oauth2                      7fdf09982454086d5570c7db3e11f360194830ca
+golang.org/x/net/context                 242b6b35177ec3909636b6cf6a47e8c2c6324b5d
+google.golang.org/api/admin/directory/v1 650535c7d6201e8304c92f38c922a9a3a36c6877
+cloud.google.com/go/compute/metadata     v0.7.0
+github.com/benbjohnson/clock             7dc76406b6d3c05b5f71a86293cbcf3c4ea03b19
+github.com/kelseyhightower/envconfig     v1.3.0
+github.com/miscreant/miscreant/go        9a32f76c00c1294ef308947092687049a057381b
+github.com/sirupsen/logrus               e54a77765aca7bbdd8e56c1c54f60579968b2dc9

LICENSE

@@ -0,0 +1,17 @@
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,50 @@
+# SSO
+
+[![CircleCI](https://circleci.com/gh/buzzfeed/sso.svg?style=svg)](https://circleci.com/gh/buzzfeed/sso)
+[![MIT license](http://img.shields.io/badge/license-MIT-brightgreen.svg)](http://opensource.org/licenses/MIT)
+
+<img src="https://user-images.githubusercontent.com/10510566/44476420-a64e5980-a605-11e8-8ad9-2820109deb75.png" width="128px">
+
+----
+
+BuzzFeed's SSO is our single sign-on experience for our internal web services, lovingly known as the *S.S. Octopus* (octoboi) by our team. In addition to the source code, we publish an official [Docker image][docker_hub].
+
+SSO is used to provide single-sign-on authentication and authorization for internal web applications behind it by ensuring that only people in a specific email domain (and optionally users in specific Google Groups) can access them. It consists of two processes - `auth` and `proxy`.
+
+The main idea of SSO is a "double OAuth2" flow, where `auth` is the OAuth2 provider for `proxy`, and Google or another third-party provider, is the OAuth2 provider for `auth`.
+
+In a nutshell:
+
+1. If a user visits a `proxy`-protected service (`foo.sso.example.com`) and does not have a session cookie, they are redirected to `auth` (`sso-auth.example.com`).
+   - If the user **does not** have a session cookie for `auth`,
+     they are prompted to log in via the usual Google OAuth2 flow, and then
+     redirected back to `proxy` where they will now be logged in (to
+     `foo.sso.example.com`)
+   - If the user *does* have a session cookie for `auth` (e.g. they
+     have already logged into `bar.sso.example.com`), they are
+     transparently redirected back to `proxy` where they will be logged in,
+     without needing to go through the Google OAuth2 flow
+2. `proxy` transparently re-validates & refreshes the user's session with `auth`
+3. After 15 days, all sessions are expired and `proxy` will redirect the user to `auth` to go through the Google OAuth2 flow once, after which they will again have access to all SSO-protected services.
+
+## Code of Conduct
+
+Help us keep SSO open and inclusive. Please read and follow our [Code of Conduct](CODE_OF_CONDUCT.md).
+
+## Contributing
+
+Contributions to SSO are welcome! Please follow our [contribution guideline](CONTRIBUTING.md).
+
+### Issues
+
+Please file any issues you find in our [issue tracker](https://github.com/buzzfeed/sso/issues).
+
+### Security Vulns
+
+If you come across any security vulnerabilities with the SSO repo or software, please email [email protected]. In your email, please request access to our [bug bounty program](https://hackerone.com/buzzfeed) so we can compensate you for any valid issues reported.
+
+## Maintainers
+
+SSO is actively maintained by the BuzzFeed Infrastructure teams.
+
+[docker_hub]: https://hub.docker.com/r/buzzfeed/sso/

cmd/sso-auth/main.go

@@ -0,0 +1,59 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+
+	"github.com/buzzfeed/sso/internal/auth"
+	log "github.com/buzzfeed/sso/internal/pkg/logging"
+	"github.com/buzzfeed/sso/internal/pkg/options"
+	"github.com/kelseyhightower/envconfig"
+)
+
+func init() {
+	log.SetServiceName("sso-authenticator")
+}
+
+func main() {
+	logger := log.NewLogEntry()
+
+	opts := auth.NewOptions()
+
+	err := envconfig.Process("", opts)
+	if err != nil {
+		logger.Error(err, "error loading in env vars")
+		os.Exit(1)
+	}
+
+	err = opts.Validate()
+	if err != nil {
+		logger.Error(err, "error validating opts")
+		os.Exit(1)
+	}
+
+	emailValidator := func(p *auth.Authenticator) error {
+		p.Validator = options.NewEmailValidator(opts.EmailDomains)
+		return nil
+	}
+
+	authenticator, err := auth.NewAuthenticator(opts, emailValidator, auth.SetCookieStore(opts), auth.AssignStatsdClient(opts))
+	if err != nil {
+		logger.Error(err, "error creating new Authenticator")
+		os.Exit(1)
+	}
+	defer authenticator.Stop()
+
+	// we leave the message field blank, which will inherit the stdlib timeout page which is sufficient
+	// and better than other naive messages we would currently place here
+	timeoutHandler := http.TimeoutHandler(authenticator.ServeMux, opts.RequestTimeout, "")
+
+	s := &http.Server{
+		Addr:         fmt.Sprintf(":%d", opts.Port),
+		ReadTimeout:  opts.TCPReadTimeout,
+		WriteTimeout: opts.TCPWriteTimeout,
+		Handler:      auth.NewLoggingHandler(os.Stdout, timeoutHandler, opts.RequestLogging, authenticator.StatsdClient),
+	}
+
+	logger.Fatal(s.ListenAndServe())
+}

cmd/sso-proxy/main.go

@@ -0,0 +1,52 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+
+	log "github.com/buzzfeed/sso/internal/pkg/logging"
+	"github.com/buzzfeed/sso/internal/pkg/options"
+	"github.com/buzzfeed/sso/internal/proxy"
+	"github.com/kelseyhightower/envconfig"
+)
+
+func init() {
+	log.SetServiceName("sso-proxy")
+}
+
+func main() {
+	logger := log.NewLogEntry()
+
+	opts := proxy.NewOptions()
+	err := envconfig.Process("", opts)
+	if err != nil {
+		logger.Error(err, "error parsing env vars into options")
+		os.Exit(1)
+	}
+
+	err = opts.Validate()
+	if err != nil {
+		logger.Error(err, "error validing options")
+		os.Exit(1)
+	}
+
+	validator := func(p *proxy.OAuthProxy) error {
+		p.EmailValidator = options.NewEmailValidator(opts.EmailDomains)
+		return nil
+	}
+
+	oauthproxy, err := proxy.NewOAuthProxy(opts, validator)
+	if err != nil {
+		logger.Error(err, "error creating oauthproxy")
+		os.Exit(1)
+	}
+
+	s := &http.Server{
+		Addr:         fmt.Sprintf(":%d", opts.Port),
+		ReadTimeout:  opts.TCPReadTimeout,
+		WriteTimeout: opts.TCPWriteTimeout,
+		Handler:      proxy.NewLoggingHandler(os.Stdout, oauthproxy.Handler(), opts.RequestLogging, oauthproxy.StatsdClient),
+	}
+	logger.Fatal(s.ListenAndServe())
+}