32 commits
a11460e
idp: extract access token generation
daeMOn63 Oct 6, 2020
3b83165
add biscuit wrappers and helpers to generate, sign and verify hubauth…
daeMOn63 Oct 8, 2020
0f47b7a
idp/token: split builder in multiple files
daeMOn63 Oct 8, 2020
9bbf14b
add biscuit metadata and expiration date
daeMOn63 Oct 12, 2020
a571a38
update returned token type to depend on configured builder
daeMOn63 Oct 12, 2020
9ea5bf3
add access token builder creation switch from env
daeMOn63 Oct 12, 2020
70e61c8
add /public-key HTTP endpoint
daeMOn63 Oct 12, 2020
8846d2b
update biscuit verify audience key type to use *ecdsa.PublicKey inste…
daeMOn63 Oct 12, 2020
6cce9d2
simplify http public key encoding
daeMOn63 Oct 12, 2020
5c2751a
add helper to create UserKeyPair from an ecdsa.PrivateKey
daeMOn63 Oct 12, 2020
4e32e6a
cleanup
daeMOn63 Oct 13, 2020
23ffbf8
add biscuit setup instructions in readme
daeMOn63 Oct 13, 2020
4ee2432
renamed signedPbBuilder to bearerBuilder
daeMOn63 Oct 13, 2020
d84af72
extracted user signature nonce and timestamp
daeMOn63 Oct 13, 2020
31f2745
idp/token: add biscuit tests
daeMOn63 Oct 13, 2020
88c2864
moved biscuit pkg to biscuit-go repo
daeMOn63 Oct 15, 2020
249a3e9
go mod tidy
daeMOn63 Oct 20, 2020
3c32c13
add biscuit wrappers and helpers to generate, sign and verify hubauth…
daeMOn63 Oct 8, 2020
5f99e4d
add biscuit metadata and expiration date
daeMOn63 Oct 12, 2020
f60e260
cleanup
daeMOn63 Oct 13, 2020
49c96b2
moved biscuit pkg to biscuit-go repo
daeMOn63 Oct 15, 2020
068da6e
datastore: add keyVersion field to audience
daeMOn63 Oct 20, 2020
1dcc2c2
idp: replace AudienceKeyNamer by VersionnedAudienceKeyNamer
daeMOn63 Oct 20, 2020
5f5f625
WIP: cli: add commands for audience key management
daeMOn63 Oct 21, 2020
d562153
remove keyVersion stored in db
daeMOn63 Oct 21, 2020
0d4a8e7
cli: add tests for audience delete command
daeMOn63 Oct 21, 2020
d703be8
cli: fix linter warns on clients_tests
daeMOn63 Oct 21, 2020
fd20bd3
cli: add tests for audiences list-key-versions
daeMOn63 Oct 22, 2020
73c1440
cli: add tests for audiences create / delete / restore key versions
daeMOn63 Oct 22, 2020
42fcd9f
kms: add AudienceKeyNameFunc test
daeMOn63 Oct 22, 2020
05a5aa1
cloudbuild: add script to setup hubauth (#88)
daeMOn63 Oct 28, 2020
efa7ad6
fix typos
daeMOn63 Nov 10, 2020
16 changes: 16 additions & 0 deletions README.md
Expand Up @@ -134,6 +134,22 @@ Create a new job:
- URL: use the hubauth-int URL: `<URL>/cron`


## Enabling Biscuit

To use biscuit tokens instead of bearers, configure the following:

### In Security > Secret manager

Create new secret
- HUBAUTH_BISCUIT_ROOT_PRIVKEY: a base64 encoded p256 EC private key

### In variables

Add a new variable
- TOKEN_TYPE: `Biscuit`
- BISCUIT_ROOT_PRIVKEY: set to the resource ID from `HUBAUTH_BISCUIT_ROOT_PRIVKEY`


## Hubauth CLI

Configure gcloud auth application-default with the following command, and follow the browser instructions:
5 changes: 5 additions & 0 deletions cloudbuild.yaml
Expand Up @@ -17,6 +17,8 @@ steps:
'--image', 'gcr.io/$PROJECT_ID/$_APP:$BUILD_ID',
'--region', '$_DEPLOY_REGION_PRIMARY',
'--update-env-vars', 'BUILD_REPO=$REPO_NAME,BUILD_REV=$COMMIT_SHA',
'--command', '/app/hubauth-ext',
'--allow-unauthenticated'
]
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:slim'
waitFor: ['build']
Expand All @@ -27,6 +29,8 @@ steps:
'--image', 'gcr.io/$PROJECT_ID/$_APP:$BUILD_ID',
'--region', '$_DEPLOY_REGION_FALLBACK',
'--update-env-vars', 'BUILD_REPO=$REPO_NAME,BUILD_REV=$COMMIT_SHA',
'--command', '/app/hubauth-ext',
'--allow-unauthenticated'
]
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:slim'
waitFor: ['build']
Expand All @@ -37,6 +41,7 @@ steps:
'--image', 'gcr.io/$PROJECT_ID/$_APP:$BUILD_ID',
'--region', '$_DEPLOY_REGION_PRIMARY',
'--update-env-vars', 'BUILD_REPO=$REPO_NAME,BUILD_REV=$COMMIT_SHA',
'--command', '/app/hubauth-int',
]
substitutions:
_APP: hubauth
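Review bot: The hubauth-ext deploy steps in the first two hunks appear to gain `--allow-unauthenticated` alongside `--command`, which makes those Cloud Run services invokable by anyone; that matches their role as the public-facing endpoint, but the intent is worth recording next to the flag, e.g. `# public-facing IdP: unauthenticated invocation is intentional; hubauth-int must not get this flag`. The hubauth-int step in the third hunk gets only `--command`, which is consistent with that split. Whether `--allow-unauthenticated` is new or pre-existing context cannot be told from the rendered view, so the first claim is inferred from the per-hunk addition counts.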
51 changes: 47 additions & 4 deletions cmd/hubauth-ext/main.go
Expand Up @@ -2,6 +2,7 @@ package main

import (
"context"
"encoding/json"
"fmt"
"log"
"net/http"
Expand All @@ -15,6 +16,7 @@ import (
"github.com/flynn/hubauth/pkg/datastore"
"github.com/flynn/hubauth/pkg/httpapi"
"github.com/flynn/hubauth/pkg/idp"
"github.com/flynn/hubauth/pkg/idp/token"
"github.com/flynn/hubauth/pkg/kmssign"
"github.com/flynn/hubauth/pkg/rp/google"
"go.opencensus.io/plugin/ochttp"
Expand Down Expand Up @@ -65,27 +67,68 @@ func main() {
if err != nil {
log.Fatalf("failed to access secret version for %s: %s", name, err)
}
return result.Payload.String()

// Payload.String() would return a json encoded version of the secret: {"data": "..."}
// the actual secret is in Data.
return string(result.Payload.Data)
}

forcedAudienceKeyVersions := new(kmssign.ForcedAudiencesKeyVersion)
// AUDIENCE_KEYS is a env variable containing a serialized json object, holding tuples of audienceURL: keyVersion
// it allows to specify a different key to use for some audience.
// example:
// {
// "https://audience.url": "projects/PROJECT/locations/KMS_LOCATION/keyRings/KMS_KEYRING/cryptoKeys/AUDIENCE_NAME/cryptoKeyVersions/VERSION",
// "https://another.audience.url": "projects/PROJECT/locations/KMS_LOCATION/keyRings/KMS_KEYRING/cryptoKeys/AUDIENCE_NAME/cryptoKeyVersions/VERSION"
// }
if keys := os.Getenv("AUDIENCE_KEYS"); keys != "" {
if err := json.Unmarshal([]byte(keys), forcedAudienceKeyVersions); err != nil {
log.Fatalf("invalid audience keys: %v", err)
}
}

audienceKeyNamer := kmssign.AudienceKeyNameFunc(*forcedAudienceKeyVersions, os.Getenv("PROJECT_ID"), os.Getenv("KMS_LOCATION"), os.Getenv("KMS_KEYRING"))

var accessTokenBuilder token.AccessTokenBuilder
var rootPubKey []byte
tokenType, exists := os.LookupEnv("TOKEN_TYPE")
if !exists {
tokenType = "Bearer"
}
switch tokenType {
case "Bearer":
accessTokenBuilder = token.NewBearerBuilder(kmsClient, audienceKeyNamer)
case "Biscuit":
biscuitKey, err := token.DecodeB64PrivateKey(secret("BISCUIT_ROOT_PRIVKEY"))
if err != nil {
log.Fatalf("failed to initialize biscuit keypair: %v", err)
}

rootPubKey = biscuitKey.Public().Bytes()
accessTokenBuilder = token.NewBiscuitBuilder(kmsClient, audienceKeyNamer, biscuitKey)
default:
log.Fatalf("invalid TOKEN_TYPE, must be one of: Bearer, Biscuit")
}

log.Fatal(http.ListenAndServe(":"+httpPort, &ochttp.Handler{
Propagation: &propagation.HTTPFormat{},
Handler: httpapi.New(httpapi.Config{
IdP: idp.New(datastore.New(dsClient),
IdP: idp.New(
datastore.New(dsClient),
google.New(
os.Getenv("RP_GOOGLE_CLIENT_ID"),
os.Getenv("RP_GOOGLE_CLIENT_SECRET"),
os.Getenv("BASE_URL")+"/rp/google",
),
kmsClient,
[]byte(secret("CODE_KEY_SECRET")),
refreshKey,
idp.AudienceKeyNameFunc(os.Getenv("PROJECT_ID"), os.Getenv("KMS_LOCATION"), os.Getenv("KMS_KEYRING")),
accessTokenBuilder,
),
CookieKey: []byte(secret("COOKIE_KEY_SECRET")),
ProjectID: os.Getenv("PROJECT_ID"),
Repository: fmt.Sprintf("https://source.developers.google.com/p/%s/r/%s", os.Getenv("PROJECT_ID"), os.Getenv("BUILD_REPO")),
Revision: os.Getenv("BUILD_REV"),
PublicKey: rootPubKey,
}),
},
))
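Review bot: The `default` branch of the TOKEN_TYPE switch rejects the value without showing it, which makes a misconfigured deployment harder to diagnose from logs; `log.Fatalf("invalid TOKEN_TYPE %q, must be one of: Bearer, Biscuit", tokenType)` would include it. In Bearer mode `rootPubKey` stays nil and is passed as `httpapi.Config.PublicKey`, so the `/public-key` handler added elsewhere in this PR presumably has to treat a nil key as "not configured" rather than serve an empty body; a comment at the `var rootPubKey []byte` declaration such as `// nil unless TOKEN_TYPE=Biscuit; httpapi must treat nil as "no key published"` would pin that contract. The comment above `return string(result.Payload.Data)` says `Payload.String()` yields JSON; as far as I know the generated protobuf `String()` renders the message in protobuf text format, so `// Payload.String() renders the protobuf text form of the message, not the raw secret` would be more accurate. main's closing brace lies outside the hunk.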
3 changes: 2 additions & 1 deletion go.mod
Expand Up @@ -9,13 +9,14 @@ require (
github.com/alecthomas/kong v0.2.12
github.com/aws/aws-sdk-go v1.34.6 // indirect
github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
github.com/flynn/biscuit-go v0.0.0-20201015081742-15d7d351f345
github.com/golang/protobuf v1.4.3
github.com/googleapis/gax-go/v2 v2.0.5
github.com/jedib0t/go-pretty/v6 v6.0.5
github.com/stretchr/testify v1.6.1
go.opencensus.io v0.22.5
go.uber.org/zap v1.16.0
golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de
golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0
golang.org/x/exp/errors v0.0.0-20200513190911-00229845015e
golang.org/x/net v0.0.0-20201209123823-ac852fbbde11
golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5