initial commit

typester · typester · commit 40cd977c9a5d · 2014-07-14T16:06:04.000+09:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+config.yml
+gate
diff --git a/conf.go b/conf.go
@@ -0,0 +1,77 @@
+package main
+
+import (
+	"errors"
+	"gopkg.in/yaml.v1"
+	"io/ioutil"
+)
+
+type Conf struct {
+	Addr    string      `yaml:"address"`
+	SSL     SSLConf     `yaml:"ssl"`
+	Auth    AuthConf    `yaml:"auth"`
+	Domain  string      `yaml:"domain"`
+	Proxies []ProxyConf `yaml:"proxy"`
+	Htdocs  string      `yaml:"htdocs"`
+}
+
+type SSLConf struct {
+	Cert string `yaml:"cert"`
+	Key  string `yaml:"key"`
+}
+
+type AuthConf struct {
+	Session AuthSessionConf `yaml:"session"`
+	Google  AuthGoogleConf  `yaml:"google"`
+}
+
+type AuthSessionConf struct {
+	Key string `yaml:"key"`
+}
+
+type AuthGoogleConf struct {
+	ClientId     string `yaml:"client_id"`
+	ClientSecret string `yaml:"client_secret"`
+	RedirectURL  string `yaml:"redirect_url"`
+}
+
+type ProxyConf struct {
+	Path  string `yaml:"path"`
+	Dest  string `yaml:"dest"`
+	Strip bool   `yaml:"strip_path"`
+}
+
+func ParseConf(path string) (*Conf, error) {
+	data, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	c := &Conf{}
+	if err := yaml.Unmarshal(data, c); err != nil {
+		return nil, err
+	}
+
+	if c.Addr == "" {
+		return nil, errors.New("address config is required")
+	}
+
+	if c.Auth.Session.Key == "" {
+		return nil, errors.New("auth.session.key config is required")
+	}
+	if c.Auth.Google.ClientId == "" {
+		return nil, errors.New("auth.google.client_id config is required")
+	}
+	if c.Auth.Google.ClientSecret == "" {
+		return nil, errors.New("auth.google.client_secret config is required")
+	}
+	if c.Auth.Google.RedirectURL == "" {
+		return nil, errors.New("auth.google.redirect_url config is required")
+	}
+
+	if c.Htdocs == "" {
+		c.Htdocs = "."
+	}
+
+	return c, nil
+}
diff --git a/config_sample.yml b/config_sample.yml
@@ -0,0 +1,35 @@
+# address to bind
+address: :9999
+
+# # ssl keys (optional)
+# ssl:
+#   cert: ./ssl/ssl.cer
+#   key: ./ssl/ssl.key
+
+auth:
+  session:
+    # authentication key for cookie store
+    key: secret123
+
+  google:
+    # your google app keys
+    client_id: your client id
+    client_secret: your client secret
+    # your google app redirect_url: path is always "/oauth2callback"
+    redirect_url: https://yourapp.example.com/oauth2callback
+
+# # restrict domain. (optional)
+# domain: yourdomain.com
+
+# document root for static files
+htdocs: ./
+
+# proxy definitions
+proxy:
+  - path: /elasticsearch
+    dest: http://127.0.0.1:9200
+    strip_path: yes
+
+  - path: /influxdb
+    dest: http://127.0.0.1:8086
+    strip_path: yes
diff --git a/config_test.go b/config_test.go
@@ -0,0 +1,41 @@
+package main
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+	"fmt"
+)
+
+func TestParse(t *testing.T) {
+	f, err := ioutil.TempFile("", "")
+	if err != nil {
+		t.Error(err)
+	}
+	defer os.Remove(f.Name())
+
+	data := `---
+address: ":9999"
+
+htdocs: ./
+
+proxy:
+  - path: /foo
+    dest: http://example.com/bar
+    strip_path: yes
+`
+	if err := ioutil.WriteFile(f.Name(), []byte(data), 0644); err != nil {
+		t.Error(err)
+	}
+
+	conf, err := ParseConf(f.Name())
+	if err != nil {
+		t.Error(err)
+	}
+
+	if conf.Addr != ":9999" {
+		t.Errorf("unexpected address: %s", conf.Addr)
+	}
+
+	fmt.Printf("conf: %+v\n", conf)
+}
diff --git a/httpd.go b/httpd.go
@@ -0,0 +1,154 @@
+package main
+
+import (
+	"log"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"strings"
+
+	"encoding/base64"
+	"encoding/json"
+
+	"github.com/go-martini/martini"
+	"github.com/martini-contrib/oauth2"
+	"github.com/martini-contrib/sessions"
+	"path/filepath"
+)
+
+type Server struct {
+	Conf *Conf
+}
+
+type User struct {
+	Email string
+}
+
+func NewServer(conf *Conf) *Server {
+	return &Server{conf}
+}
+
+func (s *Server) Run() error {
+	m := martini.Classic()
+
+	m.Use(sessions.Sessions("session", sessions.NewCookieStore([]byte(s.Conf.Auth.Session.Key))))
+	m.Use(oauth2.Google(&oauth2.Options{
+		ClientId:     s.Conf.Auth.Google.ClientId,
+		ClientSecret: s.Conf.Auth.Google.ClientSecret,
+		RedirectURL:  s.Conf.Auth.Google.RedirectURL,
+		Scopes:       []string{"email"},
+	}))
+
+	m.Use(oauth2.LoginRequired)
+	m.Use(restrictDomain(s.Conf.Domain))
+
+	for i := range s.Conf.Proxies {
+		p := s.Conf.Proxies[i]
+
+		if strings.HasSuffix(p.Path, "/") == false {
+			p.Path += "/"
+		}
+		strip_path := p.Path
+
+		if strings.HasSuffix(p.Path, "**") == false {
+			p.Path += "**"
+		}
+
+		u, err := url.Parse(p.Dest)
+		if err != nil {
+			return err
+		}
+
+		proxy := httputil.NewSingleHostReverseProxy(u)
+		if p.Strip {
+			m.Any(p.Path, http.StripPrefix(strip_path, proxy))
+		} else {
+			m.Any(p.Path, proxy)
+		}
+
+		log.Printf("register proxy path:%s dest:%s", strip_path, u.String())
+	}
+
+	path, err := filepath.Abs(s.Conf.Htdocs)
+	if err != nil {
+		return err
+	}
+
+	log.Printf("starting static file server for: %s", path)
+	fileServer := http.FileServer(http.Dir(path))
+	m.Get("/**", fileServer.ServeHTTP)
+
+	log.Printf("starting server at %s", s.Conf.Addr)
+
+	if s.Conf.SSL.Cert != "" && s.Conf.SSL.Key != "" {
+		return http.ListenAndServeTLS(s.Conf.Addr, s.Conf.SSL.Cert, s.Conf.SSL.Key, m)
+	} else {
+		return http.ListenAndServe(s.Conf.Addr, m)
+	}
+}
+
+func forbidden(w http.ResponseWriter) {
+	w.WriteHeader(403)
+	w.Write([]byte("Access denied"))
+}
+
+// base64Decode decodes the Base64url encoded string
+//
+// steel from code.google.com/p/goauth2/oauth/jwt
+func base64Decode(s string) ([]byte, error) {
+	// add back missing padding
+	switch len(s) % 4 {
+	case 2:
+		s += "=="
+	case 3:
+		s += "="
+	}
+	return base64.URLEncoding.DecodeString(s)
+}
+
+func restrictDomain(domain string) martini.Handler {
+	return func(c martini.Context, tokens oauth2.Tokens, w http.ResponseWriter) {
+		extra := tokens.ExtraData()
+		if _, ok := extra["id_token"]; ok == false {
+			log.Printf("id_token not found")
+			forbidden(w)
+			return
+		}
+
+		keys := strings.Split(extra["id_token"], ".")
+		if len(keys) < 2 {
+			log.Printf("invalid id_token")
+			forbidden(w)
+			return
+		}
+
+		data, err := base64Decode(keys[1])
+		if err != nil {
+			log.Printf("failed to decode base64: %s", err.Error())
+			forbidden(w)
+			return
+		}
+
+		var info map[string]interface{}
+		if err := json.Unmarshal(data, &info); err != nil {
+			log.Printf("failed to decode json: %s", err.Error())
+			forbidden(w)
+			return
+		}
+
+		if email, ok := info["email"].(string); ok {
+			if domain == "" || strings.HasSuffix(email, "@"+domain) {
+				user := &User{email}
+				c.Map(user)
+			} else {
+				log.Printf("email doesn't allow: %s", email)
+				forbidden(w)
+				return
+			}
+		} else {
+			log.Printf("email not found")
+			forbidden(w)
+			return
+		}
+	}
+}
diff --git a/main.go b/main.go
@@ -0,0 +1,22 @@
+package main
+
+import (
+	"flag"
+	"log"
+)
+
+var (
+	confFile = flag.String("conf", "config.yml", "config file path")
+)
+
+func main() {
+	flag.Parse()
+
+	conf, err := ParseConf(*confFile)
+	if err != nil {
+		panic(err)
+	}
+
+	server := NewServer(conf)
+	log.Fatal(server.Run())
+}
