git » remoteu2f » master » tree

[master] / remoteu2f-proxy / main.go 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
// remoteu2f-proxy is the http+grpc server for remoteu2f.
package main

import (
	"flag"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"

	// Enable profiling via HTTP.
	// We will only use this if --debug_addr is given.
	_ "net/http/pprof"

	"github.com/golang/glog"
)

// Command-line flags.
var (
	baseURL = flag.String("base_url", "",
		"base URL to send the clients (e.g. https://domain:8800); "+
			"must be https and not have a trailing '/'")

	httpAddr = flag.String("http_addr", ":8800",
		"address where to listen for HTTP requests")
	grpcAddr = flag.String("grpc_addr", ":8801",
		"address where to listen for GPRC requests")
	debugAddr = flag.String("debug_addr", "",
		"address where to listen for debug/trace/profile HTTP requests")

	tlsCert = flag.String("tls_cert", "cert.pem",
		"file containing the TLS certificate to use")
	tlsKey = flag.String("tls_key", "key.pem",
		"file containing the TLS key to use")
	grpcCert = flag.String("tls_cert_grpc", "",
		"if set, use this certificate for GRPC instead of --tls_cert")
	grpcKey = flag.String("tls_key_grpc", "",
		"if set, use this key for GRPC instead of --tls_key")

	tokenFile = flag.String("token_file", "tokens",
		"file containing the valid client access tokens")
)

func validateBaseURL(s string) error {
	u, err := url.Parse(*baseURL)
	if err != nil {
		return fmt.Errorf("malformed url: %v", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme MUST be 'https'")
	}
	if u.Path != "" {
		return fmt.Errorf("path MUST be empty (not even a trailing '/')")
	}

	return nil
}

func getValidTokens(path string) (map[string]bool, error) {
	contents, err := ioutil.ReadFile(path)
	if err != nil {
		return nil, err
	}

	tokens := map[string]bool{}
	for _, t := range strings.Split(string(contents), "\n") {
		// Remove empty lines, and make sure all tokens have a minimum lenght.
		t = strings.TrimSpace(t)
		if t == "" {
			continue
		}
		if len(t) < 10 {
			return nil, fmt.Errorf(
				"token %q too short (minimum lenght: 10)", t)
		}

		tokens[t] = true
	}

	return tokens, nil
}

func main() {
	flag.Parse()

	// We have strict requirements on baseURL because we use it as the appID.
	if err := validateBaseURL(*baseURL); err != nil {
		glog.Fatalf("invalid --base_url: %s", err)
	}

	validTokens, err := getValidTokens(*tokenFile)
	if err != nil {
		glog.Fatalf("error reading token file: %s", err)
	}

	s := NewServer()
	s.BaseURL = *baseURL
	s.HTTPAddr = *httpAddr
	s.GRPCAddr = *grpcAddr
	s.ValidTokens = validTokens

	s.HTTPCert = *tlsCert
	s.HTTPKey = *tlsKey
	s.GRPCCert = *tlsCert
	s.GRPCKey = *tlsKey
	if *grpcCert != "" {
		s.GRPCCert = *grpcCert
	}
	if *grpcKey != "" {
		s.GRPCKey = *grpcKey
	}

	if *debugAddr != "" {
		// Launch the default HTTP server at the given address.
		// This is the one pprof and grpc register automatically against.
		go func() {
			glog.Infof("Debug HTTP listening on %s", *debugAddr)
			err := http.ListenAndServe(*debugAddr, nil)
			glog.Fatalf("Debug HTTP exiting: %s", err)
		}()
	}

	s.ListenAndServe()
}