Enable TLS option to serve API (#46)
Signed-off-by: Frederic BIDON <[email protected]>
fredbi authored and aeneasr committed Aug 31, 2018
1 parent b29cf8c commit 2f62063
Showing 5 changed files with 475 additions and 60 deletions.
115 changes: 115 additions & 0 deletions cmd/helper_messages.go
@@ -0,0 +1,115 @@
/*
* Copyright © 2017-2018 Aeneas Rekkas <[email protected]>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* @author Aeneas Rekkas <[email protected]>
* @copyright 2017-2018 Aeneas Rekkas <[email protected]>
* @license Apache-2.0
*/

package cmd

import (
"fmt"
"os"
)

var corsMessage = `CORS CONTROLS
==============
- CORS_ENABLED: Switch CORS support on (true) or off (false). Default is off (false).
Example: CORS_ENABLED=true
- CORS_ALLOWED_ORIGINS: A list of origins (comma separated values) a cross-domain request can be executed from.
If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*)
to replace 0 or more characters (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penality.
Only one wildcard can be used per origin. The default value is *.
--------------------------------------------------------------
Example: CORS_ALLOWED_ORIGINS=http://*.domain.com,http://*.domain2.com
--------------------------------------------------------------
- CORS_ALLOWED_METHODS: A list of methods (comma separated values) the client is allowed to use with cross-domain
requests. Default value is simple methods (GET and POST).
--------------------------------------------------------------
Example: CORS_ALLOWED_METHODS=POST,GET,PUT
--------------------------------------------------------------
- CORS_ALLOWED_CREDENTIALS: Indicates whether the request can include user credentials like cookies, HTTP authentication
or client side SSL certificates.
--------------------------------------------------------------
Default: CORS_ALLOWED_CREDENTIALS=false
Example: CORS_ALLOWED_CREDENTIALS=true
--------------------------------------------------------------
- CORS_DEBUG: Debugging flag adds additional output to debug server side CORS issues.
--------------------------------------------------------------
Default: CORS_DEBUG=false
Example: CORS_DEBUG=true
--------------------------------------------------------------
- CORS_MAX_AGE: Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0
which stands for no max age.
--------------------------------------------------------------
Default: CORS_MAX_AGE=0
Example: CORS_MAX_AGE=10
--------------------------------------------------------------
- CORS_ALLOWED_HEADERS: A list of non simple headers (comma separated values) the client is allowed to use with
cross-domain requests.
- CORS_EXPOSED_HEADERS: Indicates which headers (comma separated values) are safe to expose to the API of a
CORS API specification.`

var databaseUrl = `- DATABASE_URL: A URL to a persistent backend. ORY Oathkeeper supports various backends:
- Memory: If DATABASE_URL is "memory", data will be written to memory and is lost when you restart this instance.
--------------------------------------------------------------
Example: DATABASE_URL=memory
--------------------------------------------------------------
- Postgres: If DATABASE_URL is a DSN starting with postgres:// PostgreSQL will be used as storage backend.
--------------------------------------------------------------
Example: DATABASE_URL=postgres://user:password@host:123/database
--------------------------------------------------------------
If PostgreSQL is not serving TLS, append ?sslmode=disable to the url:
--------------------------------------------------------------
DATABASE_URL=postgres://user:password@host:123/database?sslmode=disable
--------------------------------------------------------------
- MySQL: If DATABASE_URL is a DSN starting with mysql:// MySQL will be used as storage backend.
--------------------------------------------------------------
Example: DATABASE_URL=mysql://user:password@tcp(host:123)/database?parseTime=true
--------------------------------------------------------------
Be aware that the ?parseTime=true parameter is mandatory, or timestamps will not work.`

var tlsMessage = `
NOTE: configure TLS params consistently both as PATH or as string. If no TLS pair is set, HTTPS will be disabled and instead HTTP will be served.
- HTTPS_TLS_CERT_PATH: The path to the TLS certificate (pem encoded).
Example: HTTPS_TLS_CERT_PATH=~/cert.pem
- HTTPS_TLS_KEY_PATH: The path to the TLS private key (pem encoded).
Example: HTTPS_TLS_KEY_PATH=~/key.pem
- HTTP_TLS_CERT: Base64 encoded (without padding) string of the TLS certificate (PEM encoded) to be used for HTTP over TLS (HTTPS).
Example: HTTPS_TLS_CERT="-----BEGIN CERTIFICATE-----\nMIIDZTCCAk2gAwIBAgIEV5xOtDANBgkqhkiG9w0BAQ0FADA0MTIwMAYDVQQDDClP..."
- HTTP_TLS_KEY: Base64 encoded (without padding) string of the private key (PEM encoded) to be used for HTTP over TLS (HTTPS).
Example: HTTPS_TLS_KEY="-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDg..."
`

func fatalf(msg string, args ...interface{}) {
fmt.Printf(msg+"\n", args...)
os.Exit(1)
}
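Review bot: The variable names in tlsMessage do not match what cmd/server/helper_server.go reads: the text documents `HTTPS_TLS_CERT_PATH`/`HTTPS_TLS_KEY_PATH` and its examples use `HTTPS_TLS_CERT`/`HTTPS_TLS_KEY`, while getTLSCertAndKey calls viper.GetString on `HTTP_TLS_CERT_PATH`, `HTTP_TLS_KEY_PATH`, `HTTP_TLS_CERT` and `HTTP_TLS_KEY`. An operator who follows this help text sets variables the server never reads and, because the all-unset case falls back to plain HTTP, ends up with an unencrypted listener and no error; the names should be made identical in both files. The HTTPS_TLS_KEY example also shows an `ENCRYPTED PRIVATE KEY` block, which tls.X509KeyPair cannot decrypt, so that sample would fail at load time and should show an unencrypted PKCS#8 or PKCS#1 key instead. fatalf writes its diagnostic to stdout via fmt.Printf; `fmt.Fprintf(os.Stderr, msg+"\n", args...)` keeps error output separate from the program's normal output.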
64 changes: 16 additions & 48 deletions cmd/serve.go
Expand Up @@ -38,33 +38,28 @@ the controls section.
CORE CONTROLS
=============
- DATABASE_URL: A URL to a persistent backend. ORY Keto supports various backends:
- Memory: If DATABASE_URL is "memory", data will be written to memory and is lost when you restart this instance.
Example: DATABASE_URL=memory
- Postgres: If DATABASE_URL is a DSN starting with postgres:// PostgreSQL will be used as storage backend.
Example: DATABASE_URL=postgres://user:password@host:123/database
If PostgreSQL is not serving TLS, append ?sslmode=disable to the url:
DATABASE_URL=postgres://user:password@host:123/database?sslmode=disable
- MySQL: If DATABASE_URL is a DSN starting with mysql:// MySQL will be used as storage backend.
Example: DATABASE_URL=mysql://user:password@tcp(host:123)/database?parseTime=true
Be aware that the ?parseTime=true parameter is mandatory, or timestamps will not work.
- PORT: The port ORY Keto should listen on.
Defaults to PORT=4466
- HOST: The host interface ORY Keto should listen on. Leave empty to listen on all interfaces.
Example: HOST=localhost
` + databaseUrl + `
- LOG_LEVEL: Set the log level, supports "panic", "fatal", "error", "warn", "info" and "debug". Defaults to "info".
Example: LOG_LEVEL=panic
- LOG_FORMAT: Leave empty for text based log format, or set to "json" for JSON formatting.
Example: LOG_FORMAT="json"
HTTP(S) CONTROLS
==============
` + tlsMessage + `
- HOST: The host to listen on.
--------------------------------------------------------------
Default: HOST="" (all interfaces)
--------------------------------------------------------------
- PORT: The port to listen on.
--------------------------------------------------------------
Default: PORT="4466"
--------------------------------------------------------------
AUTHENTICATORS
==============
Expand Down Expand Up @@ -93,34 +88,7 @@ AUTHENTICATORS
- AUTHENTICATOR_OAUTH2_CLIENT_CREDENTIALS_TOKEN_URL: The OAuth2 Token Endpoint URL of the server
Example: AUTHENTICATOR_OAUTH2_CLIENT_CREDENTIALS_TOKEN_URL=https://my-server/oauth2/token
CORS CONTROLS
==============
- CORS_ENABLED: Switch CORS support on (true) or off (false). Default is off (false).
Example: CORS_ENABLED=true
- CORS_ALLOWED_ORIGINS: A list of origins (comma separated values) a cross-domain request can be executed from.
If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*)
to replace 0 or more characters (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penality.
Only one wildcard can be used per origin. The default value is *.
Example: CORS_ALLOWED_ORIGINS=http://*.domain.com,http://*.domain2.com
- CORS_ALLOWED_METHODS: A list of methods (comma separated values) the client is allowed to use with cross-domain
requests. Default value is simple methods (GET and POST).
Example: CORS_ALLOWED_METHODS=POST,GET,PUT
- CORS_ALLOWED_CREDENTIALS: Indicates whether the request can include user credentials like cookies, HTTP authentication
or client side SSL certificates. The default is false.
- CORS_DEBUG: Debugging flag adds additional output to debug server side CORS issues.
- CORS_MAX_AGE: Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.
- CORS_ALLOWED_HEADERS: A list of non simple headers (comma separated values) the client is allowed to use with cross-domain requests.
- CORS_EXPOSED_HEADERS: Indicates which headers (comma separated values) are safe to expose to the API of a CORS API specification.
` + corsMessage + `
DEBUG CONTROLS
==============
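Review bot: The `databaseUrl` text spliced in at the DATABASE_URL position names the wrong product: the removed lines said "ORY Keto supports various backends", while the shared string defined in cmd/helper_messages.go reads "ORY Oathkeeper supports various backends", so the serve help now attributes Keto's backends to Oathkeeper. Change that line in helper_messages.go to `- DATABASE_URL: A URL to a persistent backend. ORY Keto supports various backends:` (or parameterise the product name if the helper is meant to be shared). The enclosing help string and the command definition start and end outside these hunks.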
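--- a/cmd/server/helper_server.go
+++ b/cmd/server/helper_server.go
@@ -0,0 +1,64 @@
+/*
+* Copyright © 2017-2018 Aeneas Rekkas <[email protected]>
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* @author Aeneas Rekkas <[email protected]>
+* @copyright 2017-2018 Aeneas Rekkas <[email protected]>
+* @license Apache-2.0
+*/
+
+package server
+
+import (
+"crypto/tls"
+"encoding/base64"
+"fmt"
+
+"github.com/spf13/viper"
+)
+
+func getTLSCertAndKey() (*tls.Certificate, error) {
+certString, keyString := viper.GetString("HTTP_TLS_CERT"), viper.GetString("HTTP_TLS_KEY")
+certPath, keyPath := viper.GetString("HTTP_TLS_CERT_PATH"), viper.GetString("HTTP_TLS_KEY_PATH")
+
+if certString == "" && keyString == "" && certPath == "" && keyPath == "" {
+// serve http
+return nil, nil
+} else if certString != "" && keyString != "" {
+tlsCertBytes, err := base64.StdEncoding.DecodeString(certString)
+if err != nil {
+return nil, fmt.Errorf("unable to base64 decode the TLS certificate: %v", err)
+}
+tlsKeyBytes, err := base64.StdEncoding.DecodeString(keyString)
+if err != nil {
+return nil, fmt.Errorf("unable to base64 decode the TLS private key: %v", err)
+}
+
+cert, err := tls.X509KeyPair(tlsCertBytes, tlsKeyBytes)
+if err != nil {
+return nil, fmt.Errorf("unable to load X509 key pair: %v", err)
+}
+return &cert, nil
+}
+if certPath != "" && keyPath != "" {
+cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+if err != nil {
+return nil, fmt.Errorf("unable to load X509 key pair from files: %v", err)
+}
+return &cert, nil
+}
+// serve http
+//logger.Warnln("TLS requires both cert and key to be specified. Fall back to serving HTTP")
+return nil, nil
+}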
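Review bot: A partial TLS configuration silently downgrades the server to plain HTTP: when only one of certificate/key is set, or the certificate is given as a string and the key as a path, none of the three branches matches and the function reaches the final `return nil, nil` with the warning left commented out, so the listener starts unencrypted and nothing tells the operator. Replace that tail with an error, e.g. `return nil, fmt.Errorf("incomplete TLS configuration: set both HTTP_TLS_CERT and HTTP_TLS_KEY, or both HTTP_TLS_CERT_PATH and HTTP_TLS_KEY_PATH")`, leaving the explicit all-empty check as the only path that yields nil, nil. The decoding uses base64.StdEncoding, which requires padding, while the help text in cmd/helper_messages.go describes the values as "Base64 encoded (without padding)"; either switch to base64.RawStdEncoding or correct the documentation so the two agree. A doc comment would also help callers interpret the nil result: `// getTLSCertAndKey builds the server certificate from the HTTP_TLS_* settings; a nil certificate with nil error means no TLS was configured and plain HTTP is served.`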