oidc-idp/internal/handlers/security.go

/*
Copyright CAcert Inc.
SPDX-License-Identifier: Apache-2.0

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package handlers

import (
	"crypto/x509"
	"fmt"
	"log/slog"
	"net/http"
	"time"
)

func EnableHSTS() func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			const Days180 = 180

			w.Header().Set("Strict-Transport-Security", fmt.Sprintf("max-age=%d", int((time.Hour*24*Days180).Seconds())))
			next.ServeHTTP(w, r)
		})
	}
}

func getDataFromClientCert(logger *slog.Logger, r *http.Request) (string, []string) {
	if r.TLS != nil && r.TLS.PeerCertificates != nil && len(r.TLS.PeerCertificates) > 0 {
		firstCert := r.TLS.PeerCertificates[0]

		if !isClientCertificate(firstCert) {
			return "", nil
		}

		for _, email := range firstCert.EmailAddresses {
			logger.Info("authenticated with a client certificate for email address", "email", email)
		}

		return firstCert.Subject.CommonName, firstCert.EmailAddresses
	}

	return "", nil
}

func isClientCertificate(cert *x509.Certificate) bool {
	for _, ext := range cert.ExtKeyUsage {
		if ext == x509.ExtKeyUsageClientAuth {
			return true
		}
	}

	return false
}
Initial IDP version - copied/stripped down from https://git.dittberner.info/jan/hydra_oidc_poc 2021-09-11 11:35:15 +00:00			`/*`
Update golangci-lint, fix warnings - remove copyright years - mark unused parameter with _ - add missing empty lines before expressions 2024-05-11 20:42:21 +00:00			`Copyright CAcert Inc.`
Fix linter warnings, modernize code 2023-05-13 11:27:19 +00:00			`SPDX-License-Identifier: Apache-2.0`
Initial IDP version - copied/stripped down from https://git.dittberner.info/jan/hydra_oidc_poc 2021-09-11 11:35:15 +00:00
Fix linter warnings, modernize code 2023-05-13 11:27:19 +00:00			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`
Initial IDP version - copied/stripped down from https://git.dittberner.info/jan/hydra_oidc_poc 2021-09-11 11:35:15 +00:00
Small IDP refactoring - move internal code to internal directory - add translations for texts on missing email in client certificate page - add error handling for missing login_challenge request parameter - add Markdown support via goldmark - use https:// URLs in Apache license headers 2023-07-18 18:37:04 +00:00			`https://www.apache.org/licenses/LICENSE-2.0`
Initial IDP version - copied/stripped down from https://git.dittberner.info/jan/hydra_oidc_poc 2021-09-11 11:35:15 +00:00
Fix linter warnings, modernize code 2023-05-13 11:27:19 +00:00			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
Initial IDP version - copied/stripped down from https://git.dittberner.info/jan/hydra_oidc_poc 2021-09-11 11:35:15 +00:00			`*/`

			`package handlers`

			`import (`
Implement consent management The primary change in this commit is the introduction of consent management. A few minor improvements have been made: - move common header to ui/templates/base.gohtml - add an I18NService to unify localization - add a handlers.getLocalizer function - fix translation extraction and merging in Makefile - add a new AuthMiddleware to centralize client certificate authentication - move client certificate handling to internal/handlers/security.go - improver error handling, allow localization of HTTP error messages 2023-08-07 13:15:45 +00:00			`"crypto/x509"`
Initial IDP version - copied/stripped down from https://git.dittberner.info/jan/hydra_oidc_poc 2021-09-11 11:35:15 +00:00			`"fmt"`
Switch logging to slog This commit replaces logrus with slog from the Go standard library. 2024-05-11 23:07:34 +00:00			`"log/slog"`
Initial IDP version - copied/stripped down from https://git.dittberner.info/jan/hydra_oidc_poc 2021-09-11 11:35:15 +00:00			`"net/http"`
			`"time"`
			`)`

			`func EnableHSTS() func(http.Handler) http.Handler {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Fix linter warnings, modernize code 2023-05-13 11:27:19 +00:00			`const Days180 = 180`
Update golangci-lint, fix warnings - remove copyright years - mark unused parameter with _ - add missing empty lines before expressions 2024-05-11 20:42:21 +00:00
Fix linter warnings, modernize code 2023-05-13 11:27:19 +00:00			`w.Header().Set("Strict-Transport-Security", fmt.Sprintf("max-age=%d", int((time.Hour24Days180).Seconds())))`
Initial IDP version - copied/stripped down from https://git.dittberner.info/jan/hydra_oidc_poc 2021-09-11 11:35:15 +00:00			`next.ServeHTTP(w, r)`
			`})`
			`}`
			`}`
Implement consent management The primary change in this commit is the introduction of consent management. A few minor improvements have been made: - move common header to ui/templates/base.gohtml - add an I18NService to unify localization - add a handlers.getLocalizer function - fix translation extraction and merging in Makefile - add a new AuthMiddleware to centralize client certificate authentication - move client certificate handling to internal/handlers/security.go - improver error handling, allow localization of HTTP error messages 2023-08-07 13:15:45 +00:00
Switch logging to slog This commit replaces logrus with slog from the Go standard library. 2024-05-11 23:07:34 +00:00			`func getDataFromClientCert(logger slog.Logger, r http.Request) (string, []string) {`
Implement consent management The primary change in this commit is the introduction of consent management. A few minor improvements have been made: - move common header to ui/templates/base.gohtml - add an I18NService to unify localization - add a handlers.getLocalizer function - fix translation extraction and merging in Makefile - add a new AuthMiddleware to centralize client certificate authentication - move client certificate handling to internal/handlers/security.go - improver error handling, allow localization of HTTP error messages 2023-08-07 13:15:45 +00:00			`if r.TLS != nil && r.TLS.PeerCertificates != nil && len(r.TLS.PeerCertificates) > 0 {`
			`firstCert := r.TLS.PeerCertificates[0]`

			`if !isClientCertificate(firstCert) {`
			`return "", nil`
			`}`

			`for _, email := range firstCert.EmailAddresses {`
Switch logging to slog This commit replaces logrus with slog from the Go standard library. 2024-05-11 23:07:34 +00:00			`logger.Info("authenticated with a client certificate for email address", "email", email)`
Implement consent management The primary change in this commit is the introduction of consent management. A few minor improvements have been made: - move common header to ui/templates/base.gohtml - add an I18NService to unify localization - add a handlers.getLocalizer function - fix translation extraction and merging in Makefile - add a new AuthMiddleware to centralize client certificate authentication - move client certificate handling to internal/handlers/security.go - improver error handling, allow localization of HTTP error messages 2023-08-07 13:15:45 +00:00			`}`

			`return firstCert.Subject.CommonName, firstCert.EmailAddresses`
			`}`

			`return "", nil`
			`}`

			`func isClientCertificate(cert *x509.Certificate) bool {`
			`for _, ext := range cert.ExtKeyUsage {`
			`if ext == x509.ExtKeyUsageClientAuth {`
			`return true`
			`}`
			`}`

			`return false`
			`}`