Add minimal CI

.circleci/config.yml

@@ -24,7 +24,7 @@ jobs:
       - run:
           name: run lint and tests for both services
           command: |
-            scripts/test
+            make test
       - run:
           name: build sso-auth
           command: |

.github/workflows/ci.yaml

@@ -0,0 +1,39 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - "*"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+      GOPATH: /home/runner/go
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '1.20'
+          check-latest: true
+
+      - name: Setup tools
+        run: |
+          make tools
+
+      - name: Lint
+        uses: golangci/golangci-lint-action@v3
+        continue-on-error: true
+
+      - name: Test
+        run: |
+          make test
+
+      - name: Build sso-auth
+        run: |
+          make dist/sso-auth
+
+      - name: Build sso-proxy
+        run: |
+          make dist/sso-proxy

Makefile

@@ -2,7 +2,6 @@ version := "v3.0.0"
 
 commit := $(shell git rev-parse --short HEAD)
 
-
 build: dist/sso-auth dist/sso-proxy
 
 dist/sso-auth:
@@ -16,8 +15,7 @@ dist/sso-proxy:
 	go build -mod=readonly -o dist/sso-proxy ./cmd/sso-proxy
 
 tools:
-	go get golang.org/x/lint/golint
-	go get github.com/rakyll/statik 
+	go install github.com/rakyll/statik
 
 test:
 	./scripts/test

internal/auth/circuit/breaker.go

@@ -127,7 +127,7 @@ func (c *Counts) clear() {
 //
 // OnStateChange is called whenever the state of the Breaker changes.
 //
-// OnBackoff is called whenever a backoff is set with the backoff duration and reset time
+// # OnBackoff is called whenever a backoff is set with the backoff duration and reset time
 //
 // TestClock is used to mock the clock during tests
 type Options struct {

internal/auth/providers/amazon_cognito.go

@@ -262,11 +262,11 @@ func (p *AmazonCognitoProvider) cbStateChange(from, to circuit.State) {
 // 1. POSTs the code and grant_type to https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
 // 2. If the request fails, the authenticator will return a 500 and display an error page (see oauth_proxy.go#OAuthCallback)
 // 3. If the request succeeds, the data from AmazonCognito contains:
-//     - the access token which we use to get data from AmazonCognito
-//     - the refresh token which we can use to get a new access_token
-//     - the expiration time of the access token
-//     - a Base64 encoded id token which contains the user's email
-//       address and whether or not that email address is verified
+//   - the access token which we use to get data from AmazonCognito
+//   - the refresh token which we can use to get a new access_token
+//   - the expiration time of the access token
+//   - a Base64 encoded id token which contains the user's email
+//     address and whether or not that email address is verified
 func (p *AmazonCognitoProvider) Redeem(redirectURL, code string) (*sessions.SessionState, error) {
 	if code == "" {
 		return nil, ErrBadRequest

internal/auth/providers/google.go

@@ -291,11 +291,11 @@ func (p *GoogleProvider) cbStateChange(from, to circuit.State) {
 // 1. POSTs the code and grant_type to https://www.googleapis.com/oauth2/v3/token
 // 2. If the request fails, the authenticator will return a 500 and display an error page (see oauth_proxy.go#OAuthCallback)
 // 3. If the request succeeds, the data from Google contains:
-//     - the access token which we use to get data from Google
-//     - the refresh token which we can use to get a new access_token
-//     - the expiration time of the access token
-//     - a Base64 encoded id token which contains the user's email
-//       address and whether or not that email address is verified
+//   - the access token which we use to get data from Google
+//   - the refresh token which we can use to get a new access_token
+//   - the expiration time of the access token
+//   - a Base64 encoded id token which contains the user's email
+//     address and whether or not that email address is verified
 func (p *GoogleProvider) Redeem(redirectURL, code string) (*sessions.SessionState, error) {
 	if code == "" {
 		return nil, ErrBadRequest

internal/auth/providers/okta.go

@@ -250,11 +250,11 @@ func (p *OktaProvider) cbStateChange(from, to circuit.State) {
 // 1. POSTs the code and grant_type to https://developer.okta.com/docs/api/resources/oidc/#token
 // 2. If the request fails, the authenticator will return a 500 and display an error page (see oauth_proxy.go#OAuthCallback)
 // 3. If the request succeeds, the data from Okta contains:
-//     - the access token which we use to get data from Okta
-//     - the refresh token which we can use to get a new access_token
-//     - the expiration time of the access token
-//     - a Base64 encoded id token which contains the user's email
-//       address and whether or not that email address is verified
+//   - the access token which we use to get data from Okta
+//   - the refresh token which we can use to get a new access_token
+//   - the expiration time of the access token
+//   - a Base64 encoded id token which contains the user's email
+//     address and whether or not that email address is verified
 func (p *OktaProvider) Redeem(redirectURL, code string) (*sessions.SessionState, error) {
 	if code == "" {
 		return nil, ErrBadRequest

internal/pkg/aead/aead_test.go

@@ -121,7 +121,7 @@ func TestCipherDataRace(t *testing.T) {
 			b := make([]byte, 32)
 			_, err := rand.Read(b)
 			if err != nil {
-				t.Fatalf("unexecpted error reading random bytes: %v", err)
+				t.Errorf("unexecpted error reading random bytes: %v", err)
 			}
 
 			sha := fmt.Sprintf("%x", sha1.New().Sum(b))
@@ -131,40 +131,40 @@ func TestCipherDataRace(t *testing.T) {
 
 			value1, err := c.Marshal(tc)
 			if err != nil {
-				t.Fatalf("unexpected err: %v", err)
+				t.Errorf("unexpected err: %v", err)
 			}
 
 			value2, err := c.Marshal(tc)
 			if err != nil {
-				t.Fatalf("unexpected err: %v", err)
+				t.Errorf("unexpected err: %v", err)
 			}
 
 			if value1 == value2 {
-				t.Fatalf("expected marshaled values to not be equal %v != %v", value1, value2)
+				t.Errorf("expected marshaled values to not be equal %v != %v", value1, value2)
 			}
 
 			got1 := &TC{}
 			err = c.Unmarshal(value1, got1)
 			if err != nil {
-				t.Fatalf("unexpected err unmarshalling struct: %v", err)
+				t.Errorf("unexpected err unmarshalling struct: %v", err)
 			}
 
 			if !reflect.DeepEqual(got1, tc) {
 				t.Logf("want: %#v", tc)
 				t.Logf(" got: %#v", got1)
-				t.Fatalf("expected structs to be equal")
+				t.Errorf("expected structs to be equal")
 			}
 
 			got2 := &TC{}
 			err = c.Unmarshal(value2, got2)
 			if err != nil {
-				t.Fatalf("unexpected err unmarshalling struct: %v", err)
+				t.Errorf("unexpected err unmarshalling struct: %v", err)
 			}
 
 			if !reflect.DeepEqual(got1, got2) {
 				t.Logf("got2: %#v", got2)
 				t.Logf("got1: %#v", got1)
-				t.Fatalf("expected structs to be equal")
+				t.Errorf("expected structs to be equal")
 			}
 
 		}(miscreantCipher, wg)

internal/pkg/validators/email_address_validator.go

@@ -22,11 +22,12 @@ type EmailAddressValidator struct {
 
 // NewEmailAddressValidator takes in a list of email addresses and returns a Validator object.
 // The validator can be used to validate that the session.Email:
-// - is non-empty
-// - matches one of the originally passed in email addresses
-//   (case insensitive)
-// - if the originally passed in list of emails consists only of "*", then all emails
-//   are considered valid based on their domain.
+//   - is non-empty
+//   - matches one of the originally passed in email addresses
+//     (case insensitive)
+//   - if the originally passed in list of emails consists only of "*", then all emails
+//     are considered valid based on their domain.
+//
 // If valid, nil is returned in place of an error.
 func NewEmailAddressValidator(allowedEmails []string) EmailAddressValidator {
 	var emailAddresses []string

internal/pkg/validators/email_domain_validator.go

@@ -22,11 +22,12 @@ type EmailDomainValidator struct {
 
 // NewEmailDomainValidator takes in a list of domains and returns a Validator object.
 // The validator can be used to validate that the session.Email:
-// - is non-empty
-// - the domain of the email address matches one of the originally passed in domains.
-//   (case insensitive)
-// - if the originally passed in list of domains consists only of "*", then all emails
-//   are considered valid based on their domain.
+//   - is non-empty
+//   - the domain of the email address matches one of the originally passed in domains.
+//     (case insensitive)
+//   - if the originally passed in list of domains consists only of "*", then all emails
+//     are considered valid based on their domain.
+//
 // If valid, nil is returned in place of an error.
 func NewEmailDomainValidator(allowedDomains []string) EmailDomainValidator {
 	emailDomains := make([]string, 0, len(allowedDomains))

internal/proxy/proxy_config.go

@@ -80,17 +80,17 @@ type RouteConfig struct {
 }
 
 // OptionsConfig maps to the yaml config fields:
-// * header_overrides - overrides any heads set either by sso proxy itself or upstream applications.
-//   This can be useful for modifying browser security headers.
-// * skip_auth_regex - skips authentication for paths matching these regular expressions.
-// * allowed_groups - optional list of authorized google groups that can access the service.
-// * tls_skip_verify - a bool to skip certification verification of upstreams
-// * preserve_host - preserve the host named based in up the client request rather than re-writing for the upstream host
-// * timeout - duration before timing out request.
-// * reset_deadline - a duration to trigger resets of tcp connections to upstreams. This is useful in dynamic dns environments.
-// * flush_interval - interval at which the proxy should flush data to the browser
-// * skip_request_signing - skip request signing if this behavior is problematic or undesired. For requests with large http bodies
-//   this maybe useful to unset as http bodies are read into memory in order to sign.
+//   - header_overrides - overrides any heads set either by sso proxy itself or upstream applications.
+//     This can be useful for modifying browser security headers.
+//   - skip_auth_regex - skips authentication for paths matching these regular expressions.
+//   - allowed_groups - optional list of authorized google groups that can access the service.
+//   - tls_skip_verify - a bool to skip certification verification of upstreams
+//   - preserve_host - preserve the host named based in up the client request rather than re-writing for the upstream host
+//   - timeout - duration before timing out request.
+//   - reset_deadline - a duration to trigger resets of tcp connections to upstreams. This is useful in dynamic dns environments.
+//   - flush_interval - interval at which the proxy should flush data to the browser
+//   - skip_request_signing - skip request signing if this behavior is problematic or undesired. For requests with large http bodies
+//     this maybe useful to unset as http bodies are read into memory in order to sign.
 type OptionsConfig struct {
 	HeaderOverrides       map[string]string `yaml:"header_overrides"`
 	InjectRequestHeaders  map[string]string `yaml:"inject_request_headers"`

internal/proxy/request_signer.go

@@ -91,20 +91,21 @@ func NewRequestSigner(signingKeyPemStr string) (*RequestSigner, error) {
 // representation are considered "equivalent" for purposes of verifying the integrity of a request.
 //
 // Representations are formatted as follows:
-//   <HEADER.1>
-//   ...
-//   <HEADER.N>
-//   <URL>
-//   <BODY>
-//  where:
-//    <HEADER.k> is the ','-joined concatenation of all header values of `signedHeaders[k]`; empty
-//      values such as '' and all other headers in the request are ignored,
-//    <URL> is the string "<PATH>(?<QUERY>)(#FRAGMENT)", where "?<QUERY>" and "#<FRAGMENT>" are
-//      omitted if the associated components are absent from the request URL,
-//    <BODY> is the body of the Request (may be `nil`; e.g. for GET requests).
 //
-//  Receiving endpoints authenticating the integrity of a request should reconstruct this document
-//  exactly, when verifying the contents of a received request.
+//	 <HEADER.1>
+//	 ...
+//	 <HEADER.N>
+//	 <URL>
+//	 <BODY>
+//	where:
+//	  <HEADER.k> is the ','-joined concatenation of all header values of `signedHeaders[k]`; empty
+//	    values such as '' and all other headers in the request are ignored,
+//	  <URL> is the string "<PATH>(?<QUERY>)(#FRAGMENT)", where "?<QUERY>" and "#<FRAGMENT>" are
+//	    omitted if the associated components are absent from the request URL,
+//	  <BODY> is the body of the Request (may be `nil`; e.g. for GET requests).
+//
+//	Receiving endpoints authenticating the integrity of a request should reconstruct this document
+//	exactly, when verifying the contents of a received request.
 func mapRequestToHashInput(req *http.Request) (string, error) {
 	entries := []string{}
 
@@ -143,22 +144,28 @@ func mapRequestToHashInput(req *http.Request) (string, error) {
 // a subset of the request headers, together with the request URL and body.
 //
 // Signature is computed as:
-//   repr := Representation(request)  <- Computed by mapRequestToHashInput()
-//   hash := SHA256(repr)
-//   sig  := SIGN(hash, SigningKey)
-//   final := WEB_SAFE_BASE64(sig)
+//
+//	repr := Representation(request)  <- Computed by mapRequestToHashInput()
+//	hash := SHA256(repr)
+//	sig  := SIGN(hash, SigningKey)
+//	final := WEB_SAFE_BASE64(sig)
+//
 // The header `Sso-Signature` is given the value of `final`.
 //
 // Receiving endpoints authenticating the integrity of a request should:
-//   1. Strip the WEB_SAFE_BASE64 encoding from the value of `signatureHeader`,
-//   2. Decrypt the resulting value using the public key published by sso_proxy, thus obtaining the
-//      hash of the request representation,
-//   3. Compute the request representation from the received request, using the same format as the
-//      mapRequestToHashInput() function above,
-//   4. Apply SHA256 hash to the recomputed representation, and verify that it matches the decrypted
-//      hash value received through the `Sso-Signature` of the request.
 //
-//  Any requests failing this check should be considered tampered with, and rejected.
+//  1. Strip the WEB_SAFE_BASE64 encoding from the value of `signatureHeader`,
+//
+//  2. Decrypt the resulting value using the public key published by sso_proxy, thus obtaining the
+//     hash of the request representation,
+//
+//  3. Compute the request representation from the received request, using the same format as the
+//     mapRequestToHashInput() function above,
+//
+//  4. Apply SHA256 hash to the recomputed representation, and verify that it matches the decrypted
+//     hash value received through the `Sso-Signature` of the request.
+//
+//     Any requests failing this check should be considered tampered with, and rejected.
 func (signer RequestSigner) Sign(req *http.Request) error {
 	// Generate the request representation that will serve as hash input.
 	repr, err := mapRequestToHashInput(req)

scripts/test

@@ -24,9 +24,6 @@ fi
 echo "running go mod verify ..."
 go mod verify
 
-echo "running golint ..."
-golint -set_exit_status cmd internal
-
 echo "running go vet ..."
 go vet ./...