2023-07-24 16:00:42 +00:00
8 changed files with 150 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,9 +1,10 @@
 *.pem
 .idea/
 /cacert-idp
+/dist/
+/idp.toml
 /static
 /ui/css/
 /ui/images/
 /ui/js/
 certs/
-idp.toml
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -0,0 +1,57 @@
+---
+project_name: cacert-oidc-idp
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+builds:
+  - id: linux-amd64
+    main: ./cmd/idp
+    binary: cacert-idp
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+archives:
+  - id: cacert-oidc-idp
+    builds:
+      - linux-amd64
+checksum:
+  name_template: 'checksums.txt'
+snapshot:
+  name_template: "{{ .Tag }}-next"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+nfpms:
+  -
+    package_name: cacert-oidc-idp
+    file_name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Arch }}"
+    maintainer: Jan Dittberner <jandd@cacert.org>
+    homepage: https://code.cacert.org/cacert/oidc_idp
+    description: |-
+      OpenID Connect IDP for the ORY Hydra authorization API server in Go
+    license: Apache 2.0
+    formats:
+      - deb
+    priority: optional
+    bindir: /usr/bin
+    contents:
+      - src: README.md
+        dst: /usr/share/doc/cacert-oidc-idp/README.md
+      - src: changelog.md
+        dst: /usr/share/doc/cacert-oidc-idp/changelog.md
+      - src: docs/idp.toml
+        dst: /usr/share/doc/cacert-oidc-idp/examples/idp.toml
+      - src: docs/cacert-oidc-idp.service
+        dst: /lib/systemd/system/cacert-oidc-idp.service
+    scripts:
+      postinstall: ./debian/postinst
+gitea_urls:
+  api: https://code.cacert.org/api/v1/
+  download: https://code.cacert.org
--- a/5
+++ b/5
@ -1,4 +1,4 @@
-GOFILES = $(wildcard */*.go)
+GOFILES = $(shell find -type f -name '*.go')
 TEMPLATES = $(wildcard ui/templates/*.gohtml)
 TRANSLATIONS = $(wildcard translations/active.*.toml)
 RESOURCES = ui/css ui/images ui/js
@ -30,10 +30,9 @@ lint: $(GOFILES)
 	golangci-lint run --verbose

 cacert-idp: go.sum $(GOFILES) $(TEMPLATES) translations $(RESOURCES)
-	CGO_ENABLED=0 go build -o $@ ./cmd/idp.go
+	CGO_ENABLED=0 go build -o $@ ./cmd/idp

 clean:
 	rm -rf cacert-idp ui/css ui/js ui/images

 .PHONY: all translations clean lint
-
--- a/changelog.md
+++ b/changelog.md
@ -0,0 +1,10 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## Unreleased
+### Changed
+- initial release
--- a/cmd/idp/main.go
+++ b/cmd/idp/main.go
--- a/debian/postinst
+++ b/debian/postinst
@ -0,0 +1,46 @@
+#!/bin/dash
+
+set -e
+
+case "$1" in
+  configure)
+    [ -f "/etc/default/cacert-oidc-idp" ] && . /etc/default/cacert-oidc-idp
+
+    [ -z "$OIDC_IDP_HOME" ] && OIDC_IDP_HOME=/var/lib/oidc-idp
+    [ -z "$OIDC_IDP_USER" ] && OIDC_IDP_USER=cacert-oidc-idp
+    [ -z "$OIDC_IDP_NAME" ] && OIDC_IDP_NAME="CAcert OIDC IDP"
+    [ -z "$OIDC_IDP_GROUP" ] && OIDC_IDP_GROUP=cacert-oidc-idp
+
+    # create user to avoid running cacert-oidc-idp as root
+    # 1. create group if not existing
+    if ! getent group | grep -q "^$OIDC_IDP_GROUP" ; then
+      echo -n "Adding group $OIDC_IDP_GROUP.."
+      addgroup --quiet --system $OIDC_IDP_GROUP 2>/dev/null || true
+      echo "..done"
+    fi
+    # 2. create homedir if not existing
+    test -d "$OIDC_IDP_HOME" || mkdir "$OIDC_IDP_HOME"
+    # 3. create user if not existing
+    if ! getent passwd | grep -q "^$OIDC_IDP_USER"; then
+      echo -n "Adding system user $OIDC_IDP_USER.."
+      adduser --quiet \
+              --system \
+              --ingroup $OIDC_IDP_GROUP \
+              --no-create-home \
+              --disabled-password \
+              $OIDC_IDP_USER 2>/dev/null || true
+      echo "..done"
+    fi
+    # 4. adjust passwd entry
+    usermod -c "$OIDC_IDP_NAME" \
+            -d $OIDC_IDP_HOME \
+            -g $OIDC_IDP_GROUP \
+               $OIDC_IDP_USER || true
+    # 5. adjust file and directory permissions
+    if ! dpkg-statoverride --list $OIDC_IDP_HOME >/dev/null
+    then
+      chown -R $OIDC_IDP_USER:adm $OIDC_IDP_HOME
+      chmod u=rwx,g=rxs,o= $OIDC_IDP_HOME
+    fi
+    ;;
+esac
--- a/docs/cacert-oidc-idp.service
+++ b/docs/cacert-oidc-idp.service
@ -0,0 +1,13 @@
+[Unit]
+Description=CAcert OpenID Connect Identity Provider for ORY Hydra
+
+[Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+ExecCondition=/bin/sh -c 'test -f /etc/cacert-oidc-idp/idp.toml'
+ExecStart=/usr/bin/cacert-oidc-idp --config /etc/cacert-oidc-idp/idp.toml'
+StateDirectory=cacert-oidc-idp
+User=cacert-oidc-idp
+Group=cacert-oidc-idp
+
+[Install]
+WantedBy=multi-user.target
--- a/docs/idp.toml
+++ b/docs/idp.toml
@ -0,0 +1,19 @@
+[security]
+# random key for CSRF protection, must be 32 bytes, generate with openssl rand -base64 32
+csrf.key = "32-byte-long-random-base64-encoded-key"
+# CA certificates that are accepted to sign client certificates
+client.ca-file = "client.cas.pem"
+
+[server]
+# server IP address
+name = "127.0.0.1"
+# server port
+port = 3443
+# server TLS X.509 certificate in PEM format
+certificate = "server.crt.pem"
+# private key for TLS
+key = "server.key.pem"
+
+[admin]
+# URL to ORY Hydra admin endpoint URL
+url = "https://hydra:4445"