Merge pull request #5 from linuxfoundation/ems/megalinter

Add MegaLinter; module updates

.github/workflows/license-header-check.yaml

@@ -11,6 +11,9 @@ name: License Header Check
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   license-header-check:
     name: License Header Check

.github/workflows/mega-linter.yml

@@ -0,0 +1,33 @@
+---
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+name: MegaLinter
+
+"on":
+  pull_request: null
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  megalinter:
+    name: MegaLinter
+    runs-on: ubuntu-latest
+
+    steps:
+      # Git Checkout
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # MegaLinter
+      - name: MegaLinter
+        id: ml
+        # Use the Go flavor.
+        uses: oxsecurity/megalinter/flavors/go@v7

.github/workflows/publish.yaml

@@ -9,10 +9,16 @@ name: Publish
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     name: Publish
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4

.gitignore

@@ -2,5 +2,8 @@
 # SPDX-License-Identifier: MIT
 
 .env
-bin/
-sbom/
+go.work
+/bin/
+/sbom/
+
+/megalinter-reports/

.mega-linter.yml

@@ -0,0 +1,17 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+---
+DISABLE_LINTERS:
+  # Revive covers this, plus golangci-lint has trouble with newer go toolchains
+  # in go.mod.
+  - GO_GOLANGCI_LINT
+  # cspell is laughably bad at code/comments/etc.
+  - SPELL_CSPELL
+  # Link checking more likely to cause false positives than be useful for us.
+  - SPELL_LYCHEE
+  # yamllint is sufficient for us.
+  - YAML_PRETTIER
+DISABLE_ERRORS_LINTERS:
+  # These are informative but don't need to break the build.
+  - COPYPASTE_JSCPD
+GITHUB_COMMENT_REPORTER: false

.trivyignore

@@ -0,0 +1,6 @@
+# No free access to Chainguard versioned labels.
+AVD-DS-0001
+
+# Allow no health check: Docker-built container is for local development only
+# (ko-build is used for build artifact).
+AVD-DS-0026

0_config.go

@@ -1,6 +1,7 @@
 // Copyright The Linux Foundation and its contributors.
 // SPDX-License-Identifier: MIT
 
+// The auth0-cas-service-go service.
 package main
 
 import (

Dockerfile

@@ -1,6 +1,9 @@
 # Copyright The Linux Foundation and its contributors.
 # SPDX-License-Identifier: MIT
 
+# checkov:skip=CKV_DOCKER_7:No free access to Chainguard versioned labels.
+# hadolint global ignore=DL3007
+
 FROM --platform=$BUILDPLATFORM cgr.dev/chainguard/go:latest AS builder
 
 # Set necessary environment variables needed for our image. Allow building to
@@ -24,6 +27,9 @@ RUN go build -o /go/bin/auth0-cas-server-go -trimpath -ldflags="-w -s" github.co
 # Run our go binary standalone
 FROM cgr.dev/chainguard/static:latest
 
+# Implicit with base image: setting explicitly for linters.
+USER nonroot
+
 EXPOSE 8080
 
 COPY --from=builder /go/bin/auth0-cas-server-go /auth0-cas-server-go

Makefile

@@ -12,6 +12,15 @@ bin/auth0-cas-server-go: *.go go.mod go.sum
 	@mkdir -p bin
 	go build -o bin/auth0-cas-server-go github.com/linuxfoundation/auth0-cas-server-go
 
+all: bin/auth0-cas-server-go docker-build
+
+lint:
+	docker pull --platform linux/amd64 oxsecurity/megalinter-go:v7
+	docker run --rm --platform linux/amd64 -v '$(CURDIR):/tmp/lint:rw' oxsecurity/megalinter-go:v7
+
+test:
+	@echo "No tests to run ... would you like to 'make lint'?"
+
 # Build and label a local Docker container of auth0-cas-server-go.
 docker-build:
 	docker build -t $(IMAGE_NAME):$(GIT_HASH) -t $(IMAGE_NAME):latest .

README.md

@@ -2,56 +2,89 @@
 
 ## Overview
 
-This service was inspired by Auth0, through their example at https://github.com/auth0-samples/auth0-cas-server. It is a simple authentication redirector which wraps an OpenID Connect authentication flow to expose it as server implementing the Central Authentication Service (CAS) SSO protocol. The service leverages configuration stored within Auth0 client metadata, which it reads using a privileged connection to the Auth0 API, in order to emulate multiple different clients dynamically per login session.
+This service was inspired by Auth0, through their example at
+[auth0-samples/auth0-cas-server](https://github.com/auth0-samples/auth0-cas-server).
+It is a simple authentication redirector which wraps an OpenID Connect
+authentication flow to expose it as server implementing the Central
+Authentication Service (CAS) SSO protocol. The service leverages configuration
+stored within Auth0 client metadata, which it reads using a privileged
+connection to the Auth0 API, in order to emulate multiple different clients
+dynamically per login session.
 
 Notable differeces with this implementation:
 
-- Rewritten in Go, including OpenTelemetry instrumentation and multi-arch build outputs including SPDX SBOMs.
-- Supports several additional CAS protocol endpoints implementing multiple CAS versions.
+- Rewritten in Go, including OpenTelemetry instrumentation and multi-arch build
+  outputs including SPDX SBOMs.
+- Supports several additional CAS protocol endpoints implementing multiple CAS
+  versions.
 - Implements CAS single-logout.
-- Implements CAS "gateway mode" to test for authentication without prompting the user.
+- Implements CAS "gateway mode" to test for authentication without prompting
+  the user.
 - Supports both XML and JSON CAS response formats.
-- Allows for path wildcards and multiple, comma-separated CAS service definitions in `client_metadata.cas_service` configuration.
+- Allows for path wildcards and multiple, comma-separated CAS service
+  definitions in `client_metadata.cas_service` configuration.
 
 ## Linux Foundation specific changes
 
-The following hardcoded behavior is specific to the Linux Foundation's Auth0 environment:
+The following hardcoded behavior is specific to the Linux Foundation's Auth0
+environment:
 
-- LF-namespaced OIDC claims used for username and group attributes coming from IdP.
-- Custom CAS attributes: `uid`, `field_lf_*` and `profile_name_*` added to match our reference implementation.
+- LF-namespaced OIDC claims used for username and group attributes coming from
+  IdP.
+- Custom CAS attributes: `uid`, `field_lf_*` and `profile_name_*` added to
+  match our reference implementation.
 
-Porting these into a dynamic configuration system would be useful for generalizing this tool. For instance, a toml file could map upstream OIDC claims to both required CAS fields as well as optional additional CAS attributes, and provide per-attribute customization of the mb4-filtering feature.
+Porting these into a dynamic configuration system would be useful for
+generalizing this tool. For instance, a toml file could map upstream OIDC
+claims to both required CAS fields as well as optional additional CAS
+attributes, and provide per-attribute customization of the mb4-filtering
+feature.
 
 ## Deploying and running the server
 
 You can pull the latest image from the GitHub Container Registry:
 
-```
+```bash
 docker pull ghcr.io/linuxfoundation/auth0-cas-server-go:latest
 ```
 
-Pinning your deployments to a release label (rather than ":latest") is recommended for production use.
+Pinning your deployments to a release label (rather than ":latest") is
+recommended for production use.
 
-Please see `env-example` for a list of required and optional environment variables that can be used to configure the server. For local development, you can copy this file to `.env` and modify it to suit your needs.
+Please see `env-example` for a list of required and optional environment
+variables that can be used to configure the server. For local development, you
+can copy this file to `.env` and modify it to suit your needs.
 
 ## Auth0 client configuration
 
 To create a CAS-enabled Auth0 application, specify the follow settings:
 
 - Application Type: Regular Web Application
 - Allowed Callback URLs: `https://<auth0-cas-server-go>/cas/oidc_callback`
-- Allowed Logout URLs (optional): the CAS logout return URL of your application, if passed by the CAS client ("service" for v3 logout, or "url" for v2 logout).
-- Advanced -> Application Metadata: add Key "cas\_service" with Value of one-or-more (comma-separated) URLs which match the "service" parameter of the CAS application's login request. A `*` will match any subdomain or a single path component, while `**` matches anything (including `/`).
+- Allowed Logout URLs (optional): the CAS logout return URL of your
+  application, if passed by the CAS client ("service" for v3 logout, or "url"
+  for v2 logout).
+- Advanced -> Application Metadata: add Key "cas\_service" with Value of
+  one-or-more (comma-separated) URLs which match the "service" parameter of the
+  CAS application's login request. A `*` will match any subdomain or a single
+  path component, while `**` matches anything (including `/`).
 - Advanced -> OAuth -> OIDC Conformant: Enabled
 
-Multiple apps CAS can be created for different sites: each will have the same callback URL, but they will have different `cas_service` URLs (and logout URLs, if needed).
+Multiple apps CAS can be created for different sites: each will have the same
+callback URL, but they will have different `cas_service` URLs (and logout URLs,
+if needed).
 
-Auth0 client configurations read by this service are cached for performance. New apps should work automatically, but changes to `cas_service` URL patterns for existing apps may require a restart of the service to take effect.
+Auth0 client configurations read by this service are cached for performance.
+New apps should work automatically, but changes to `cas_service` URL patterns
+for existing apps may require a restart of the service to take effect.
 
 ## License
 
 Copyright The Linux Foundation and its contributors.
 
-This project's source code is licensed under the MIT License. A copy of the license is available in LICENSE.
+This project's source code is licensed under the MIT License. A copy of the
+license is available in LICENSE.
 
-This project's documentation is licensed under the Creative Commons Attribution 4.0 International License (CC-BY-4.0). A copy of the license is available in LICENSE-docs.
+This project's documentation is licensed under the Creative Commons Attribution
+4.0 International License (CC-BY-4.0). A copy of the license is available in
+LICENSE-docs.

auth0_clients.go

@@ -1,6 +1,7 @@
 // Copyright The Linux Foundation and its contributors.
 // SPDX-License-Identifier: MIT
 
+// The auth0-cas-service-go service.
 package main
 
 import (

cas.go

@@ -1,6 +1,7 @@
 // Copyright The Linux Foundation and its contributors.
 // SPDX-License-Identifier: MIT
 
+// The auth0-cas-service-go service.
 package main
 
 import (
@@ -233,6 +234,22 @@ func casServiceValidate(w http.ResponseWriter, r *http.Request) {
 
 	appLogger(r.Context()).WithField("auth0_client", casClient).Debug("found client")
 
+	// Construct an OAuth2 config that lets us complete the authorization code
+	// handshake to to get an access token.
+	//
+	// TODO: Currently, this service uses the access_token retrieved at this
+	// point to make a request to the OIDC userinfo endpoint to get the user's
+	// profile. HOWEVER, we might consider instead capturing the id_token
+	// returned from the token URL. If we do this, we also would then validate
+	// the id_token DIFFERENTLY based on whether the client was configured with
+	// HS256 or RS256 token signing (similar to how we read the
+	// token_endpoint_auth_method from the Auth0 client configuration). Since
+	// RSA/JWKS type validation is more complex, we might only do id_token
+	// parsing for HS256-configured clients, and fall back to the simpler
+	// userinfo endpoint for RS256-configured clients. This gives us the
+	// capability to skip the userinfo endpoint for performance gains (provided
+	// the client is configured for it), without significantly increasing the
+	// complexity of the codebase.
 	config := oauth2CfgFromAuth0Client(*casClient, r.Host)
 	appLogger(r.Context()).WithFields(logrus.Fields{
 		"client_id": config.ClientID,

go.mod

@@ -3,7 +3,7 @@
 
 module github.com/linuxfoundation/auth0-cas-server-go
 
-go 1.22
+go 1.22.4
 
 require (
 	github.com/bmatcuk/doublestar/v4 v4.6.1
@@ -12,35 +12,33 @@ require (
 	github.com/joho/godotenv v1.5.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/sirupsen/logrus v1.9.3
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0
-	go.opentelemetry.io/otel v1.24.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.24.0
-	go.opentelemetry.io/otel/sdk v1.24.0
-	go.opentelemetry.io/otel/trace v1.24.0
-	golang.org/x/oauth2 v0.17.0
-	golang.org/x/text v0.14.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0
+	go.opentelemetry.io/otel v1.27.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0
+	go.opentelemetry.io/otel/sdk v1.27.0
+	go.opentelemetry.io/otel/trace v1.27.0
+	golang.org/x/oauth2 v0.21.0
+	golang.org/x/text v0.16.0
 )
 
 require (
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
-	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fluent/fluent-logger-golang v1.9.0 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
 	github.com/philhofer/fwd v1.1.2 // indirect
 	github.com/tinylib/msgp v1.1.9 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0 // indirect
-	go.opentelemetry.io/otel/metric v1.24.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.1.0 // indirect
-	golang.org/x/net v0.21.0 // indirect
-	golang.org/x/sys v0.17.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240228224816-df926f6c8641 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240228224816-df926f6c8641 // indirect
-	google.golang.org/grpc v1.62.0 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect
+	go.opentelemetry.io/otel/metric v1.27.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.2.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 // indirect
+	google.golang.org/grpc v1.64.0 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
 )