vault-otp-ui/main.go

package main

//go:generate go-bindata -pkg $GOPACKAGE -o assets.go index.html application.js static/...

import (
	"bytes"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"os"
	"strings"
	"time"

	"github.com/gorilla/mux"
	"github.com/gorilla/securecookie"
	"github.com/gorilla/sessions"
	log "github.com/sirupsen/logrus"
	"github.com/tdewolff/minify"
	"github.com/tdewolff/minify/html"
	"github.com/tdewolff/minify/js"
	validator "gopkg.in/validator.v2"

	"github.com/Luzifer/rconfig/v2"
)

const (
	requiredScope = "read:org,user"
	sessionName   = "vault-otp-ui"
)

var (
	cfg struct {
		Github struct {
			ClientID     string `flag:"client-id" default:"" env:"CLIENT_ID" description:"Github oAuth2 application Client ID" validate:"nonzero"`
			ClientSecret string `flag:"client-secret" default:"" env:"CLIENT_SECRET" description:"Github oAuth2 application Client Secret" validate:"nonzero"`
		}
		Listen        string `flag:"listen" default:":3000" description:"IP/Port to listen on"`
		LogLevel      string `flag:"log-level" default:"info" description:"Set log level (debug, info, warning, error)"`
		SessionSecret string `flag:"session-secret" default:"" env:"SESSION_SECRET" description:"Secret to encrypt the session with"`
		Vault         struct {
			Address     string `flag:"vault-addr" env:"VAULT_ADDR" default:"https://127.0.0.1:8200" description:"Vault API address"`
			Prefix      string `flag:"vault-prefix" env:"VAULT_PREFIX" default:"/totp" description:"Prefix to search for OTP secrets / tokens in"`
			SecretField string `flag:"vault-secret-field" env:"VAULT_SECRET_FIELD" default:"secret" description:"Field to search the secret in"`
		}
		VersionAndExit bool `flag:"version" default:"false" description:"Print version information and exit"`
	}

	version     = "dev"
	mini        = minify.New()
	cookieStore *sessions.CookieStore
)

func loadConfig() error {
	if err := rconfig.Parse(&cfg); err != nil {
		return err
	}

	if err := validator.Validate(cfg); err != nil {
		return err
	}

	if l, err := log.ParseLevel(cfg.LogLevel); err == nil {
		log.SetLevel(l)
	} else {
		log.Fatalf("Invalid log level: %s", err)
	}

	if cfg.VersionAndExit {
		fmt.Printf("vault-otp-ui %s\n", version)
		os.Exit(0)
	}

	if cfg.SessionSecret == "" {
		cookieStore = sessions.NewCookieStore(securecookie.GenerateRandomKey(64), securecookie.GenerateRandomKey(32))
	} else {
		cookieStore = sessions.NewCookieStore([]byte(cfg.SessionSecret), []byte(fmt.Sprintf("%x", sha1.Sum([]byte(cfg.SessionSecret)))[0:32]))
	}

	mini.AddFunc("text/html", html.Minify)
	mini.AddFunc("application/javascript", js.Minify)

	return nil
}

func main() {
	var err error
	if err = loadConfig(); err != nil {
		log.Fatalf("Unable to parse CLI parameters: %s", err)
	}

	r := mux.NewRouter()
	r.HandleFunc("/oauth2", handleOAuthCallback)
	r.HandleFunc("/application.js", handleApplicationJS)
	r.HandleFunc("/vars.js", handleApplicationVars)
	r.HandleFunc("/codes.json", handleCodesJSON)
	r.PathPrefix("/static").HandlerFunc(handleStatics)
	r.HandleFunc("/", handleIndexPage)
	log.Fatalf("HTTP server exitted: %s", http.ListenAndServe(cfg.Listen, r))
}

func getFileContentFallback(filename string) (io.Reader, error) {
	if f, err := os.Open(filename); err == nil {
		defer f.Close()
		buf := new(bytes.Buffer)
		io.Copy(buf, f)
		return buf, nil
	}

	if b, err := Asset(filename); err == nil {
		return bytes.NewReader(b), nil
	}

	return nil, errors.New("No suitable index page found")
}

func handleIndexPage(res http.ResponseWriter, r *http.Request) {
	content, err := getFileContentFallback("index.html")

	if err != nil {
		http.Error(res, "No suitable index page found", http.StatusInternalServerError)
	}

	mini.Minify("text/html", res, content)
}

func handleApplicationJS(res http.ResponseWriter, r *http.Request) {
	content, err := getFileContentFallback("application.js")

	if err != nil {
		http.Error(res, "No suitable file found", http.StatusInternalServerError)
	}

	mini.Minify("application/javascript", res, content)
}

func handleApplicationVars(w http.ResponseWriter, r *http.Request) {
	sess, _ := cookieStore.Get(r, sessionName)
	_, hasAccessToken := sess.Values["access_token"]

	var buf = new(bytes.Buffer)

	fmt.Fprintf(buf, "const signedIn = %v\n", hasAccessToken)
	fmt.Fprintf(buf, "const authUrl = %q\n", getAuthenticationURL())

	mini.Minify("application/javascript", w, buf)
}

func handleOAuthCallback(res http.ResponseWriter, r *http.Request) {
	sess, _ := cookieStore.Get(r, sessionName)

	accessToken, err := getAccessToken(r.URL.Query().Get("code"))
	if err != nil {
		log.Errorf("An error occurred while fetching the access token: %s", err)
		http.Error(res, "Something went wrong when fetching your access token. Sorry.", http.StatusInternalServerError)
		return
	}

	if accessToken == "" {
		log.Errorf("Code %q was not resolved to an access token", r.URL.Query().Get("code"))
		http.Error(res, "Something went wrong when fetching your access token. Sorry.", http.StatusInternalServerError)
		return
	}

	sess.Values["access_token"] = accessToken
	if err := sess.Save(r, res); err != nil {
		log.Errorf("Was not able to set the cookie: %s", err)
		http.Error(res, "Something went wrong when fetching your access token. Sorry.", http.StatusInternalServerError)
		return
	}

	http.Redirect(res, r, "/", http.StatusFound)
}

func handleCodesJSON(res http.ResponseWriter, r *http.Request) {
	sess, _ := cookieStore.Get(r, sessionName)
	iAccessToken, hasAccessToken := sess.Values["access_token"]
	iToken := sess.Values["vault_token"]

	if !hasAccessToken {
		http.Error(res, `{"error":"Not logged in"}`, http.StatusUnauthorized)
		return
	}
	accessToken := iAccessToken.(string)

	var tok string
	if iToken != nil {
		tok = iToken.(string)
		log.WithFields(log.Fields{"token": hashSecret(tok)}).Debugf("Restored token from Session")
	}

	tok, err := useOrRenewToken(tok, accessToken)
	if err != nil {
		log.Errorf("Unable to authorize against vault: %s", err)
		http.Error(res, `{"error":"Unexpected error while fetching tokens"}`, http.StatusInternalServerError)
		return
	}
	log.WithFields(log.Fields{"token": hashSecret(tok)}).Debugf("Checked / renewed token")

	nextTokens := r.URL.Query().Get("it") == "next"

	tokens, err := getSecretsFromVault(tok, nextTokens)
	if err != nil {
		log.Errorf("Unable to fetch codes: %s", err)
		http.Error(res, `{"error":"Unexpected error while fetching tokens"}`, http.StatusInternalServerError)
		return
	}

	sess.Values["vault_token"] = tok
	if err := sess.Save(r, res); err != nil {
		log.Errorf("Was not able to set the cookie: %s", err)
		http.Error(res, "Something went wrong while fetching token. Sorry.", http.StatusInternalServerError)
		return
	}

	var (
		minPeriod   = tokenList(tokens).MinPeriod()
		pointOfTime = time.Now()
	)

	if nextTokens {
		pointOfTime = pointOfTime.Add(time.Duration(minPeriod) * time.Second)
	}

	result := struct {
		Tokens   []*token  `json:"tokens"`
		NextWrap time.Time `json:"next_wrap"`
	}{
		Tokens:   tokens,
		NextWrap: pointOfTime.Add(time.Duration(minPeriod-(pointOfTime.Second()%minPeriod)) * time.Second),
	}

	res.Header().Set("Content-Type", "application/json")
	res.Header().Set("Cache-Control", "no-cache")
	json.NewEncoder(res).Encode(result)
}

func handleStatics(res http.ResponseWriter, r *http.Request) {
	req := strings.TrimLeft(r.URL.Path, "/")
	ext := req[strings.LastIndex(req, "."):]
	t := mime.TypeByExtension(ext)

	b, err := Asset(req)
	if err != nil {
		log.WithFields(log.Fields{
			"file": req,
		}).Errorf("Static file not found")
		http.Error(res, "I don't have that.", http.StatusNotFound)
		return
	}

	res.Header().Set("Content-Type", t)
	res.Write(b)
}

func hashSecret(in string) string {
	return fmt.Sprintf("sha256:%x", sha256.Sum256([]byte(in)))
}