From 0b59ad9fd4f0bbfe421a05c9bcb234d5b9e84a72 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Mon, 24 Jul 2023 17:55:41 +0200
Subject: [PATCH] Add packaging configuration

- add gorelease config
- add commented example configuration
- add service file and postinst script
- rename cmd/idp.go to cmd/idp/main.go
---
 .gitignore | 5 ++--
 .goreleaser.yml | 57 ++++++++++++++++++++++++++++++++++++
 Makefile | 5 ++--
 changelog.md | 10 +++++++
 cmd/{idp.go => idp/main.go} | 0
 debian/postinst | 46 +++++++++++++++++++++++++++++
 docs/cacert-oidc-idp.service | 13 ++++++++
 docs/idp.toml | 19 ++++++++++++
 8 files changed, 150 insertions(+), 5 deletions(-)
 create mode 100644 .goreleaser.yml
 create mode 100644 changelog.md
 rename cmd/{idp.go => idp/main.go} (100%)
 create mode 100755 debian/postinst
 create mode 100644 docs/cacert-oidc-idp.service
 create mode 100644 docs/idp.toml
diff --git a/.gitignore b/.gitignore
index cfafa89..8af3e6d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,10 @@
 *.pem
 .idea/
 /cacert-idp
+/dist/
+/idp.toml
 /static
 /ui/css/
 /ui/images/
 /ui/js/
-certs/
-idp.toml
+certs/
\ No newline at end of file
diff --git a/.goreleaser.yml b/.goreleaser.yml
new file mode 100644
index 0000000..f8e5626
--- /dev/null
+++ b/.goreleaser.yml
@@ -0,0 +1,57 @@
+---
+project_name: cacert-oidc-idp
+before:
+ hooks:
+ # You may remove this if you don't use go modules.
+ - go mod tidy
+builds:
+ - id: linux-amd64
+ main: ./cmd/idp
+ binary: cacert-idp
+ env:
+ - CGO_ENABLED=0
+ goos:
+ - linux
+ goarch:
+ - amd64
+archives:
+ - id: cacert-oidc-idp
+ builds:
+ - linux-amd64
+checksum:
+ name_template: 'checksums.txt'
+snapshot:
+ name_template: "{{ .Tag }}-next"
+changelog:
+ sort: asc
+ filters:
+ exclude:
+ - '^docs:'
+ - '^test:'
+nfpms:
+ -
+ package_name: cacert-oidc-idp
+ file_name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Arch }}"
+ maintainer: Jan Dittberner
+ homepage: https://code.cacert.org/cacert/oidc_idp
+ description: |-
+ OpenID Connect IDP for the ORY Hydra authorization API server in Go
+ license: Apache 2.0
+ formats:
+ - deb
+ priority: optional
+ bindir: /usr/bin
+ contents:
+ - src: README.md
+ dst: /usr/share/doc/cacert-oidc-idp/README.md
+ - src: changelog.md
+ dst: /usr/share/doc/cacert-oidc-idp/changelog.md
+ - src: docs/idp.toml
+ dst: /usr/share/doc/cacert-oidc-idp/examples/idp.toml
+ - src: docs/cacert-oidc-idp.service
+ dst: /lib/systemd/system/cacert-oidc-idp.service
+ scripts:
+ postinstall: ./debian/postinst
+gitea_urls:
+ api: https://code.cacert.org/api/v1/
+ download: https://code.cacert.org
diff --git a/Makefile b/Makefile
index a35a670..0de8c6a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-GOFILES = $(wildcard */*.go)
+GOFILES = $(shell find -type f -name '*.go')
 TEMPLATES = $(wildcard ui/templates/*.gohtml)
 TRANSLATIONS = $(wildcard translations/active.*.toml)
 RESOURCES = ui/css ui/images ui/js
@@ -30,10 +30,9 @@ lint: $(GOFILES)
 golangci-lint run --verbose
 cacert-idp: go.sum $(GOFILES) $(TEMPLATES) translations $(RESOURCES)
- CGO_ENABLED=0 go build -o $@ ./cmd/idp.go
+ CGO_ENABLED=0 go build -o $@ ./cmd/idp
 clean:
 rm -rf cacert-idp ui/css ui/js ui/images
 .PHONY: all translations clean lint
-
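Review bot: The nfpms entry wires in `postinstall: ./debian/postinst` but declares no package dependencies, so the `addgroup`/`adduser` and `usermod` calls that script relies on are not guaranteed to exist on the target; nfpm takes a `dependencies:` list under the package, and `adduser` and `passwd` belong there. Nothing in `contents` creates /etc/cacert-oidc-idp either, although the shipped unit's ExecCondition tests for a file in it, so a fresh install sits in a failed-condition state until an admin creates the directory by hand — a `type: dir` entry for /etc/cacert-oidc-idp, or a sentence in the README, would close that gap. The `binary: cacert-idp` name here also has to agree with whatever path the unit's ExecStart uses, which is worth a glance when reviewing docs/cacert-oidc-idp.service.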
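Review bot: `GOFILES = $(shell find -type f -name '*.go')` in the first Makefile hunk omits the starting path, which only GNU find tolerates; BSD and macOS find reject it, so the dependency list becomes empty there and `cacert-idp` never rebuilds. `GOFILES = $(shell find . -type f -name '*.go')` keeps the intent and is portable. The second hunk's `./cmd/idp` build target matches the rename in this commit.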
diff --git a/changelog.md b/changelog.md
new file mode 100644
index 0000000..7160762
--- /dev/null
+++ b/changelog.md
@@ -0,0 +1,10 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## Unreleased
+### Changed
+- initial release
\ No newline at end of file
diff --git a/cmd/idp.go b/cmd/idp/main.go
similarity index 100%
rename from cmd/idp.go
rename to cmd/idp/main.go
diff --git a/debian/postinst b/debian/postinst
new file mode 100755
index 0000000..e49e174
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,46 @@
+#!/bin/dash
+
+set -e
+
+case "$1" in
+ configure)
+ [ -f "/etc/default/cacert-oidc-idp" ] && . /etc/default/cacert-oidc-idp
+
+ [ -z "$OIDC_IDP_HOME" ] && OIDC_IDP_HOME=/var/lib/oidc-idp
+ [ -z "$OIDC_IDP_USER" ] && OIDC_IDP_USER=cacert-oidc-idp
+ [ -z "$OIDC_IDP_NAME" ] && OIDC_IDP_NAME="CAcert OIDC IDP"
+ [ -z "$OIDC_IDP_GROUP" ] && OIDC_IDP_GROUP=cacert-oidc-idp
+
+ # create user to avoid running cacert-oidc-idp as root
+ # 1. create group if not existing
+ if ! getent group | grep -q "^$OIDC_IDP_GROUP" ; then
+ echo -n "Adding group $OIDC_IDP_GROUP.."
+ addgroup --quiet --system $OIDC_IDP_GROUP 2>/dev/null || true
+ echo "..done"
+ fi
+ # 2. create homedir if not existing
+ test -d "$OIDC_IDP_HOME" || mkdir "$OIDC_IDP_HOME"
+ # 3. create user if not existing
+ if ! getent passwd | grep -q "^$OIDC_IDP_USER"; then
+ echo -n "Adding system user $OIDC_IDP_USER.."
+ adduser --quiet \
+ --system \
+ --ingroup $OIDC_IDP_GROUP \
+ --no-create-home \
+ --disabled-password \
+ $OIDC_IDP_USER 2>/dev/null || true
+ echo "..done"
+ fi
+ # 4. adjust passwd entry
+ usermod -c "$OIDC_IDP_NAME" \
+ -d $OIDC_IDP_HOME \
+ -g $OIDC_IDP_GROUP \
+ $OIDC_IDP_USER || true
+ # 5. adjust file and directory permissions
+ if ! dpkg-statoverride --list $OIDC_IDP_HOME >/dev/null
+ then
+ chown -R $OIDC_IDP_USER:adm $OIDC_IDP_HOME
+ chmod u=rwx,g=rxs,o= $OIDC_IDP_HOME
+ fi
+ ;;
+esac
diff --git a/docs/cacert-oidc-idp.service b/docs/cacert-oidc-idp.service
new file mode 100644
index 0000000..ff0109b
--- /dev/null
+++ b/docs/cacert-oidc-idp.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=CAcert OpenID Connect Identity Provider for ORY Hydra
+
+[Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+ExecCondition=/bin/sh -c 'test -f /etc/cacert-oidc-idp/idp.toml'
+ExecStart=/usr/bin/cacert-oidc-idp --config /etc/cacert-oidc-idp/idp.toml'
+StateDirectory=cacert-oidc-idp
+User=cacert-oidc-idp
+Group=cacert-oidc-idp
+
+[Install]
+WantedBy=multi-user.target
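Review bot: The existence checks `if ! getent group | grep -q "^$OIDC_IDP_GROUP" ; then` and `if ! getent passwd | grep -q "^$OIDC_IDP_USER"; then` are prefix matches, so any account whose name merely starts with the configured value (say `cacert-oidc-idp2`) suppresses creation; the later usermod then fails silently behind `|| true` and the unquoted `chown -R $OIDC_IDP_USER:adm $OIDC_IDP_HOME` aborts the install under `set -e` against a user that does not exist. `getent group "$OIDC_IDP_GROUP" >/dev/null` and `getent passwd "$OIDC_IDP_USER" >/dev/null` do an exact lookup without the pipeline. Since the names and the home path can be overridden from /etc/default/cacert-oidc-idp, the expansions of `$OIDC_IDP_HOME`, `$OIDC_IDP_USER` and `$OIDC_IDP_GROUP` should be quoted throughout, and the `|| true` on adduser hides exactly the failure the chown step depends on. The default `OIDC_IDP_HOME=/var/lib/oidc-idp` also differs from the unit's `StateDirectory=cacert-oidc-idp` (/var/lib/cacert-oidc-idp), leaving two state directories with different ownership; aligning the default with the unit avoids the split.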
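Review bot: `ExecStart=/usr/bin/cacert-oidc-idp --config /etc/cacert-oidc-idp/idp.toml'` ends in a stray `'`; systemd treats that as an unterminated quote, rejects the assignment and the unit never starts. The binary is also named `cacert-idp` in .goreleaser.yml (`binary: cacert-idp` with `bindir: /usr/bin`), so the path has to be `/usr/bin/cacert-idp` unless the build config is renamed to match. Because this process terminates TLS with a private key named in its config, the standard sandboxing directives (NoNewPrivileges, ProtectSystem=strict, ProtectHome, PrivateTmp) are worth adding now that User/Group and StateDirectory are already in place; StateDirectory keeps /var/lib/cacert-oidc-idp writable under ProtectSystem=strict. AmbientCapabilities=CAP_NET_BIND_SERVICE is only needed when the configured port is below 1024, which the shipped example (port 3443) does not use.
```ini
[Service]
; … unchanged: AmbientCapabilities, ExecCondition …
ExecStart=/usr/bin/cacert-idp --config /etc/cacert-oidc-idp/idp.toml
; … unchanged: StateDirectory, User, Group …
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
```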
diff --git a/docs/idp.toml b/docs/idp.toml
new file mode 100644
index 0000000..0a485b4
--- /dev/null
+++ b/docs/idp.toml
@@ -0,0 +1,19 @@
+[security]
+# random key for CSRF protection, must be 32 bytes, generate with openssl rand -base64 32
+csrf.key = "32-byte-long-random-base64-encoded-key"
+# CA certificates that are accepted to sign client certificates
+client.ca-file = "client.cas.pem"
+
+[server]
+# server IP address
+name = "127.0.0.1"
+# server port
+port = 3443
+# server TLS X.509 certificate in PEM format
+certificate = "server.crt.pem"
+# private key for TLS
+key = "server.key.pem"
+
+[admin]
+# URL to ORY Hydra admin endpoint URL
+url = "https://hydra:4445"
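Review bot: The paths `client.ca-file = "client.cas.pem"`, `certificate = "server.crt.pem"` and `key = "server.key.pem"` are relative, yet the shipped unit sets no WorkingDirectory, so under systemd they resolve against / unless the program resolves them relative to the config file (not visible here); since this file is installed as the example that gets copied to /etc/cacert-oidc-idp, absolute paths such as `/etc/cacert-oidc-idp/server.key.pem` avoid that trap. The `csrf.key` placeholder reads like a usable value, and the comment leaves open whether "32 bytes" means the decoded key or the string, while `openssl rand -base64 32` produces a 44-character string; an empty placeholder with a comment such as `# base64 of 32 random bytes (44 characters), e.g. from: openssl rand -base64 32` makes the format unambiguous and an unedited copy fail loudly instead of running with a published key. The `[admin]` comment `# URL to ORY Hydra admin endpoint URL` repeats "URL".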