Merge pull request #30 from oidc-mytoken/dev

0.3.0

.gitignore

@@ -5,7 +5,13 @@
 tags
 client.config
 config/config.yaml
+config/docker-config.yaml
 IP2LOCATION-LITE-DB1.IPV6.BIN
 /cmd/test
 generateDDL.sh
 dist/
+/mytoken-migratedb
+/docker/docker-compose.yaml
+/docker/db.env
+/docker/haproxy/haproxy.cfg
+/docker/.env

.goreleaser.yml

@@ -4,7 +4,7 @@ before:
     - go mod tidy
 builds:
   - id: server
-    main: ./cmd/mytoken-server/main.go
+    main: ./cmd/mytoken-server
     binary: mytoken-server
     env:
       - CGO_ENABLED=0
@@ -13,14 +13,21 @@ builds:
   #      - windows
   #      - darwin
   - id: setup
-    main: ./cmd/mytoken-server/mytoken-setup/setup.go
+    main: ./cmd/mytoken-server/mytoken-setup
     binary: mytoken-setup
     env:
       - CGO_ENABLED=0
     goos:
       - linux
+  - id: migratedb
+    main: ./cmd/mytoken-server/mytoken-migratedb
+    binary: mytoken-migratedb
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
   - id: garbage
-    main: ./cmd/mytoken-server/mytoken-dbGarbageCollector/main.go
+    main: ./cmd/mytoken-server/mytoken-dbGarbageCollector
     binary: mytoken-dbgc
     env:
       - CGO_ENABLED=0
@@ -48,6 +55,7 @@ nfpms:
       - rpm
     release: 1
     section: misc
+    bindir: /usr/bin
     empty_folders:
       - /var/log/mytoken
     contents:
@@ -69,6 +77,21 @@ nfpms:
       - rpm
     release: 1
     section: misc
+    bindir: /usr/bin
+  - id: migratedb-pkg
+    package_name: mytoken-server-migratedb
+    builds:
+      - migratedb
+    homepage: https://mytoken-doc.data.kit.edu/server/intro
+    maintainer: Gabriel Zachmann <[email protected]>
+    description: A tool for migrating the database between versions
+    license: MIT
+    formats:
+      - deb
+      - rpm
+    release: 1
+    section: misc
+    bindir: /usr/bin
   - id: garbage-pkg
     package_name: mytoken-server-dbgc
     builds:
@@ -82,6 +105,76 @@ nfpms:
       - rpm
     release: 1
     section: misc
+    bindir: /usr/bin
+dockers:
+  - goos: linux
+    goarch: amd64
+    ids:
+      - server
+    image_templates:
+      - "oidcmytoken/mytoken-server:latest"
+      - "oidcmytoken/mytoken-server:{{ .Tag }}"
+      - "oidcmytoken/mytoken-server:v{{ .Major }}"
+      - "oidcmytoken/mytoken-server:v{{ .Major }}.{{ .Minor }}"
+    skip_push: true
+    dockerfile: cmd/mytoken-server/Dockerfile
+    build_flag_templates:
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title=mytoken-server"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+  - goos: linux
+    goarch: amd64
+    ids:
+      - setup
+    image_templates:
+      - "oidcmytoken/mytoken-setup:latest"
+      - "oidcmytoken/mytoken-setup:{{ .Tag }}"
+      - "oidcmytoken/mytoken-setup:v{{ .Major }}"
+      - "oidcmytoken/mytoken-setup:v{{ .Major }}.{{ .Minor }}"
+    skip_push: true
+    dockerfile: cmd/mytoken-server/mytoken-setup/Dockerfile
+    build_flag_templates:
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title=mytoken-setup"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+  - goos: linux
+    goarch: amd64
+    ids:
+      - migratedb
+    image_templates:
+      - "oidcmytoken/mytoken-migratedb:latest"
+      - "oidcmytoken/mytoken-migratedb:{{ .Tag }}"
+      - "oidcmytoken/mytoken-migratedb:v{{ .Major }}"
+      - "oidcmytoken/mytoken-migratedb:v{{ .Major }}.{{ .Minor }}"
+    skip_push: true
+    dockerfile: cmd/mytoken-server/mytoken-migratedb/Dockerfile
+    build_flag_templates:
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title=mytoken-migratedb"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+  - goos: linux
+    goarch: amd64
+    ids:
+      - garbage
+    image_templates:
+      - "oidcmytoken/mytoken-dbgc:latest"
+      - "oidcmytoken/mytoken-dbgc:{{ .Tag }}"
+      - "oidcmytoken/mytoken-dbgc:v{{ .Major }}"
+      - "oidcmytoken/mytoken-dbgc:v{{ .Major }}.{{ .Minor }}"
+    skip_push: true
+    dockerfile: cmd/mytoken-server/mytoken-dbGarbageCollector/Dockerfile
+    build_flag_templates:
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title=mytoken-dbgc"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
 checksum:
   name_template: 'checksums.txt'
 snapshot:

CHANGELOG.md

@@ -0,0 +1,53 @@
+<!-- Template: -->
+<!-- ### Features -->
+<!--  -->
+<!-- ### API -->
+<!--  -->
+<!-- ### Enhancements -->
+<!--  -->
+<!-- ### Bugfixes -->
+<!--  -->
+<!-- ### OpenID Provider -->
+<!--  -->
+<!-- ### Dependencies -->
+<!--  -->
+
+## mytoken 0.3.0
+### Features
+- Changes to the mytoken
+  - Added a version to the mytoken token
+  - Added token type 'mytoken'
+  - Now using a hash value as the subject
+- Added Dockerfiles; mytoken can easily run with swarm
+- Added OIDC-compatibility for requesting ATs
+  - ATs can be requested using the mytoken as the refresh token in a OIDC refresh flow
+- Deployment Configuration
+  - Added option to set maximum lifetime of mytokens
+  - Added option to disable restriction keys 
+  - Made request limits configurable
+- Changed setup db to new db migration tool
+- Added support for token rotation, incl. optional auto revocation
+- Added option to set maximum token length when requesting a mytoken
+
+### Webinterface
+- Added option to create mytoken in the web interface
+- Reworked consent screen
+- Added possibility to set scopes and audiences when requesting an AT
+- Improvements
+
+### Enhancements
+- Using better cryptographic functions
+- Set cookie as secure if issuer uses https, indepent of a potential proxy
+- Improved packaging
+- Improved code base
+- Improved error tracebility
+
+### Bugfixes
+- Fixed bugs in the webinterface
+- Fixed other bugs
+
+### OIDC
+- Add PKCE support
+
+### Dependencies
+- Bumped several dependencies

README.md

@@ -14,8 +14,9 @@
 
 `mytoken` is a central web service with the goal to easily obtain OpenID Connect access tokens across devices.
 
-A user can create a special string called `super token`. This super token then can be used to obtain OpenID Connect access tokens from any device.
-The power of a super token can be restricted by the user, so he can create exactly the token he needs for a certain use case.
+A user can create a special string called `mytoken`. This mytoken then can be used to obtain OpenID Connect access
+tokens from any device. The power of a mytoken can be restricted by the user, so they can create exactly the token they
+need for a certain use case.
 
 The mytoken command line client can be found at [https://github.com/oidc-mytoken/client](https://github.com/oidc-mytoken/client).
 

cmd/mytoken-server/Dockerfile

@@ -0,0 +1,5 @@
+FROM oidcmytoken/debian-wait-for:latest
+WORKDIR /mytoken
+COPY mytoken-server /usr/bin/mytoken-server
+ENTRYPOINT ["/opt/mytoken/scripts/run.sh"]
+CMD ["mytoken-server"]

cmd/mytoken-server/main.go

@@ -5,6 +5,7 @@ import (
 	"os/signal"
 	"syscall"
 
+	"github.com/oidc-mytoken/server/internal/db/dbrepo/versionrepo"
 	log "github.com/sirupsen/logrus"
 
 	"github.com/oidc-mytoken/server/internal/config"
@@ -25,7 +26,7 @@ func main() {
 	server.Init()
 	configurationEndpoint.Init()
 	authcode.Init()
-	db.Connect()
+	versionrepo.ConnectToVersion()
 	jws.LoadKey()
 	httpClient.Init(config.Get().IssuerURL)
 	geoip.Init()

cmd/mytoken-server/mytoken-dbGarbageCollector/Dockerfile

@@ -0,0 +1,4 @@
+FROM debian:stable
+WORKDIR /mytoken
+COPY mytoken-dbgc /usr/bin/mytoken-dbgc
+CMD ["mytoken-dbgc"]

cmd/mytoken-server/mytoken-dbGarbageCollector/main.go

@@ -27,7 +27,9 @@ func execSimpleQuery(sql string) {
 }
 
 func deleteExpiredTransferCodes() {
-	execSimpleQuery(`DELETE FROM ProxyTokens WHERE id = ANY(SELECT id FROM TransferCodesAttributes WHERE expires_at < CURRENT_TIMESTAMP())`)
+	execSimpleQuery(
+		`DELETE FROM ProxyTokens WHERE id = ANY(SELECT id FROM TransferCodesAttributes
+               WHERE expires_at < CURRENT_TIMESTAMP())`)
 }
 
 func deleteExpiredAuthInfo() {

cmd/mytoken-server/mytoken-migratedb/Dockerfile

@@ -0,0 +1,5 @@
+FROM oidcmytoken/debian-wait-for:latest
+WORKDIR /mytoken
+COPY mytoken-migratedb /usr/bin/mytoken-migratedb
+ENTRYPOINT ["/opt/mytoken/scripts/run.sh"]
+CMD ["mytoken-migratedb"]

cmd/mytoken-server/mytoken-migratedb/main.go

@@ -0,0 +1,132 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/oidc-mytoken/server/internal/config"
+	"github.com/oidc-mytoken/server/internal/db"
+	"github.com/oidc-mytoken/server/shared/utils/fileutil"
+	"github.com/zachmann/cli/v2"
+	"golang.org/x/term"
+
+	"github.com/oidc-mytoken/server/internal/model/version"
+	log "github.com/sirupsen/logrus"
+)
+
+var configFile string
+var force bool
+
+var dbConfig struct {
+	config.DBConf
+	Hosts cli.StringSlice
+}
+
+var app = &cli.App{
+	Name:     "mytoken-migratedb",
+	Usage:    "Command line client for easy database migration between mytoken versions",
+	Version:  version.VERSION(),
+	Compiled: time.Time{},
+	Authors: []*cli.Author{{
+		Name:  "Gabriel Zachmann",
+		Email: "[email protected]",
+	}},
+	Copyright:              "Karlsruhe Institute of Technology 2020-2021",
+	UseShortOptionHandling: true,
+	Flags: []cli.Flag{
+		&cli.StringFlag{
+			Name:        "nodes",
+			Aliases:     []string{"n", "s", "server"},
+			Usage:       "The passed file lists the mytoken nodes / servers (one server per line)",
+			EnvVars:     []string{"MYTOKEN_NODES_FILE"},
+			TakesFile:   true,
+			Placeholder: "FILE",
+			Destination: &configFile,
+		},
+		&cli.BoolFlag{
+			Name:             "force",
+			Aliases:          []string{"f"},
+			Usage:            "Force a complete database migration. Mytoken servers are not checked if they are compatible with the changes.",
+			Destination:      &force,
+			HideDefaultValue: true,
+		},
+
+		&cli.StringFlag{
+			Name:        "db",
+			Usage:       "The name of the database",
+			EnvVars:     []string{"DB_DATABASE"},
+			Value:       "mytoken",
+			Destination: &dbConfig.DB,
+			Placeholder: "DB",
+		},
+		&cli.StringFlag{
+			Name:        "user",
+			Aliases:     []string{"u"},
+			Usage:       "The user for connecting to the database (Needs correct privileges)",
+			EnvVars:     []string{"DB_USER"},
+			Value:       "root",
+			Destination: &dbConfig.User,
+			Placeholder: "USER",
+		},
+		&cli.StringFlag{
+			Name:        "password",
+			Aliases:     []string{"p"},
+			Usage:       "The password for connecting to the database",
+			EnvVars:     []string{"DB_PASSWORD"},
+			Destination: &dbConfig.Password,
+			Placeholder: "PASSWORD",
+		},
+		&cli.StringFlag{
+			Name:        "password-file",
+			Aliases:     []string{"pass-file"},
+			Usage:       "Read the password for connecting to the database from this file",
+			EnvVars:     []string{"DB_PASSWORD_FILE"},
+			Destination: &dbConfig.PasswordFile,
+			Placeholder: "FILE",
+		},
+		&cli.StringSliceFlag{
+			Name:        "host",
+			Aliases:     []string{"hosts"},
+			Usage:       "The hostnames of the database nodes",
+			EnvVars:     []string{"DB_HOST", "DB_HOSTS", "DB_NODES"},
+			Value:       cli.NewStringSlice("localhost"),
+			Destination: &dbConfig.Hosts,
+			Placeholder: "HOST",
+		},
+	},
+	Action: func(context *cli.Context) error {
+		mytokenNodes := []string{}
+		if context.Args().Len() > 0 {
+			mytokenNodes = context.Args().Slice()
+		} else if configFile != "" {
+			mytokenNodes = readConfigFile(configFile)
+		} else if os.Getenv("MYTOKEN_NODES") != "" {
+			mytokenNodes = strings.Split(os.Getenv("MYTOKEN_NODES"), ",")
+		} else if !force {
+			return fmt.Errorf("No mytoken servers specified. Please provide mytoken servers or use '-f' to force database migration.")
+		}
+		dbConfig.ReconnectInterval = 60
+		dbConfig.DBConf.Hosts = dbConfig.Hosts.Value()
+		db.ConnectConfig(dbConfig.DBConf)
+		return migrateDB(nil, mytokenNodes)
+	},
+}
+
+func readConfigFile(file string) []string {
+	data := string(fileutil.MustReadFile(file))
+	return strings.Split(data, "\n")
+}
+
+func main() {
+
+	termWidth, _, err := term.GetSize(int(os.Stdout.Fd()))
+	if err == nil {
+		cli.HelpWrapAt = termWidth
+	}
+
+	if err = app.Run(os.Args); err != nil {
+		log.Fatal(err)
+	}
+}