improve-for-first-release #1

Merged
jandd merged 4 commits from improve-for-first-release into main 2023-07-24 16:00:42 +00:00
8 changed files with 150 additions and 5 deletions
Showing only changes of commit 0b59ad9fd4 - Show all commits

3
.gitignore vendored

@ -1,9 +1,10 @@
*.pem *.pem
.idea/ .idea/
/cacert-idp /cacert-idp
/dist/
/idp.toml
/static /static
/ui/css/ /ui/css/
/ui/images/ /ui/images/
/ui/js/ /ui/js/
certs/ certs/
idp.toml

57
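--- /dev/null
+++ b/.goreleaser.yml
@@ -0,0 +1,57 @@
+---
+project_name: cacert-oidc-idp
+before:
+hooks:
+# You may remove this if you don't use go modules.
+- go mod tidy
+builds:
+- id: linux-amd64
+main: ./cmd/idp
+binary: cacert-idp
+env:
+- CGO_ENABLED=0
+goos:
+- linux
+goarch:
+- amd64
+archives:
+- id: cacert-oidc-idp
+builds:
+- linux-amd64
+checksum:
+name_template: 'checksums.txt'
+snapshot:
+name_template: "{{ .Tag }}-next"
+changelog:
+sort: asc
+filters:
+exclude:
+- '^docs:'
+- '^test:'
+nfpms:
+-
+package_name: cacert-oidc-idp
+file_name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Arch }}"
+maintainer: Jan Dittberner <jandd@cacert.org>
+homepage: https://code.cacert.org/cacert/oidc_idp
+description: |-
+OpenID Connect IDP for the ORY Hydra authorization API server in Go
+license: Apache 2.0
+formats:
+- deb
+priority: optional
+bindir: /usr/bin
+contents:
+- src: README.md
+dst: /usr/share/doc/cacert-oidc-idp/README.md
+- src: changelog.md
+dst: /usr/share/doc/cacert-oidc-idp/changelog.md
+- src: docs/idp.toml
+dst: /usr/share/doc/cacert-oidc-idp/examples/idp.toml
+- src: docs/cacert-oidc-idp.service
+dst: /lib/systemd/system/cacert-oidc-idp.service
+scripts:
+postinstall: ./debian/postinst
+gitea_urls:
+api: https://code.cacert.org/api/v1/
+download: https://code.cacert.org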
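Review bot: The `before.hooks` entry `- go mod tidy` can rewrite go.mod and go.sum at release time, so the released binary may be built against a module graph that differs from the one committed at the tag and the build is not reproducible from the repository. A hook that only checks the committed graph, `- go mod verify` (or `- go mod download`), keeps the release tied to the reviewed dependencies; `go mod tidy` belongs in a CI step that fails when it changes anything. Separately, the nfpm `contents` entry installs `changelog.md` as `/usr/share/doc/cacert-oidc-idp/changelog.md`, whereas Debian policy expects the changelog gzipped as `changelog.gz`, so lintian will likely flag the package.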


@ -1,4 +1,4 @@
GOFILES = $(wildcard */*.go) GOFILES = $(shell find -type f -name '*.go')
TEMPLATES = $(wildcard ui/templates/*.gohtml) TEMPLATES = $(wildcard ui/templates/*.gohtml)
TRANSLATIONS = $(wildcard translations/active.*.toml) TRANSLATIONS = $(wildcard translations/active.*.toml)
RESOURCES = ui/css ui/images ui/js RESOURCES = ui/css ui/images ui/js
@ -30,10 +30,9 @@ lint: $(GOFILES)
golangci-lint run --verbose golangci-lint run --verbose
cacert-idp: go.sum $(GOFILES) $(TEMPLATES) translations $(RESOURCES) cacert-idp: go.sum $(GOFILES) $(TEMPLATES) translations $(RESOURCES)
CGO_ENABLED=0 go build -o $@ ./cmd/idp.go CGO_ENABLED=0 go build -o $@ ./cmd/idp
clean: clean:
rm -rf cacert-idp ui/css ui/js ui/images rm -rf cacert-idp ui/css ui/js ui/images
.PHONY: all translations clean lint .PHONY: all translations clean lint
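Review bot: `GOFILES = $(shell find -type f -name '*.go')` in the first hunk uses the recursive `=` flavour, so `find` is re-run every time `$(GOFILES)` is expanded (at least once for `lint` and once for `cacert-idp`), and `find` with no starting directory is a GNU extension that fails on BSD/macOS find. `GOFILES := $(shell find . -type f -name '*.go')` runs it once at parse time and is portable. Note that the new `find` will also pick up `*.go` files under any vendor or build directories if such exist, which the previous `$(wildcard */*.go)` did not; a `-not -path './vendor/*'` filter may be wanted. The second hunk's `cacert-idp` target looks consistent with the `main: ./cmd/idp` setting in `.goreleaser.yml`.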

10
changelog.md Normal file

@ -0,0 +1,10 @@
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## Unreleased
### Changed
- initial release

46
debian/postinst vendored Executable file

@ -0,0 +1,46 @@
#!/bin/dash
set -e
case "$1" in
configure)
[ -f "/etc/default/cacert-oidc-idp" ] && . /etc/default/cacert-oidc-idp
[ -z "$OIDC_IDP_HOME" ] && OIDC_IDP_HOME=/var/lib/oidc-idp
[ -z "$OIDC_IDP_USER" ] && OIDC_IDP_USER=cacert-oidc-idp
[ -z "$OIDC_IDP_NAME" ] && OIDC_IDP_NAME="CAcert OIDC IDP"
[ -z "$OIDC_IDP_GROUP" ] && OIDC_IDP_GROUP=cacert-oidc-idp
# create user to avoid running cacert-oidc-idp as root
# 1. create group if not existing
if ! getent group | grep -q "^$OIDC_IDP_GROUP" ; then
echo -n "Adding group $OIDC_IDP_GROUP.."
addgroup --quiet --system $OIDC_IDP_GROUP 2>/dev/null || true
echo "..done"
fi
# 2. create homedir if not existing
test -d "$OIDC_IDP_HOME" || mkdir "$OIDC_IDP_HOME"
# 3. create user if not existing
if ! getent passwd | grep -q "^$OIDC_IDP_USER"; then
echo -n "Adding system user $OIDC_IDP_USER.."
adduser --quiet \
--system \
--ingroup $OIDC_IDP_GROUP \
--no-create-home \
--disabled-password \
$OIDC_IDP_USER 2>/dev/null || true
echo "..done"
fi
# 4. adjust passwd entry
usermod -c "$OIDC_IDP_NAME" \
-d $OIDC_IDP_HOME \
-g $OIDC_IDP_GROUP \
$OIDC_IDP_USER || true
# 5. adjust file and directory permissions
if ! dpkg-statoverride --list $OIDC_IDP_HOME >/dev/null
then
chown -R $OIDC_IDP_USER:adm $OIDC_IDP_HOME
chmod u=rwx,g=rxs,o= $OIDC_IDP_HOME
fi
;;
esac
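Review bot: The existence checks `getent group | grep -q "^$OIDC_IDP_GROUP"` and `getent passwd | grep -q "^$OIDC_IDP_USER"` are prefix matches, so any account whose name merely starts with the configured value makes the script skip creating the real one; `getent group "$OIDC_IDP_GROUP" >/dev/null` and `getent passwd "$OIDC_IDP_USER" >/dev/null` test the exact key instead. Quoting the expansions passed to addgroup, adduser, usermod and chown would also keep a value from /etc/default/cacert-oidc-idp containing whitespace from being word-split. The script never reloads or enables the unit the package installs under /lib/systemd/system, so after installation systemd will not see `cacert-oidc-idp.service` until a manual `systemctl daemon-reload`; a `[ -d /run/systemd/system ] && systemctl daemon-reload` step (or `deb-systemd-helper`) in the `configure` branch would close that gap. The default `OIDC_IDP_HOME=/var/lib/oidc-idp` also differs from the unit's `StateDirectory=cacert-oidc-idp` (/var/lib/cacert-oidc-idp) — presumably one of them is a typo; confirm which directory the service is meant to use.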


@ -0,0 +1,13 @@
[Unit]
Description=CAcert OpenID Connect Identity Provider for ORY Hydra
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecCondition=/bin/sh -c 'test -f /etc/cacert-oidc-idp/idp.toml'
ExecStart=/usr/bin/cacert-oidc-idp --config /etc/cacert-oidc-idp/idp.toml'
StateDirectory=cacert-oidc-idp
User=cacert-oidc-idp
Group=cacert-oidc-idp
[Install]
WantedBy=multi-user.target
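Review bot: `ExecStart=/usr/bin/cacert-oidc-idp --config /etc/cacert-oidc-idp/idp.toml'` carries a stray trailing `'`, which systemd's command-line parser will reject as an unbalanced quote, so the unit fails to start; the line should read `ExecStart=/usr/bin/cacert-oidc-idp --config /etc/cacert-oidc-idp/idp.toml`. The binary name also looks inconsistent with `.goreleaser.yml`, which builds `binary: cacert-idp` and installs into `bindir: /usr/bin`, giving `/usr/bin/cacert-idp` unless nfpm renames it — confirm which name ends up on disk. Since the service already runs as an unprivileged user with only `CAP_NET_BIND_SERVICE`, adding `NoNewPrivileges=yes`, `ProtectSystem=strict`, `ProtectHome=yes` and `PrivateTmp=yes` under `[Service]` and `After=network-online.target` under `[Unit]` would be cheap hardening; note that `ExecCondition=` requires systemd 243 or newer.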

19
docs/idp.toml Normal file

@ -0,0 +1,19 @@
[security]
# random key for CSRF protection, must be 32 bytes, generate with openssl rand -base64 32
csrf.key = "32-byte-long-random-base64-encoded-key"
# CA certificates that are accepted to sign client certificates
client.ca-file = "client.cas.pem"
[server]
# server IP address
name = "127.0.0.1"
# server port
port = 3443
# server TLS X.509 certificate in PEM format
certificate = "server.crt.pem"
# private key for TLS
key = "server.key.pem"
[admin]
# URL to ORY Hydra admin endpoint URL
url = "https://hydra:4445"
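Review bot: The example gives `client.ca-file`, `certificate` and `key` as bare relative filenames; where these resolve depends on the process working directory, which the shipped unit does not set (a system service defaults to `/`), so a user copying this file to /etc/cacert-oidc-idp/idp.toml will likely get a file-not-found at startup unless the loader resolves paths relative to the config file — a comment stating which behaviour applies would prevent that. The `csrf.key` comment says "must be 32 bytes" while `openssl rand -base64 32` produces a 44-character base64 string; clarify whether the decoded or the encoded length is meant, e.g. `# CSRF signing key: 32 random bytes, base64-encoded (openssl rand -base64 32)` if the loader decodes it.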