func makeTestFixtures() (*UsersAPI, *testEmailer) {
ur := user.NewUserRepoFromUsers([]user.UserWithRemoteIdentities{
{
User: user.User{
ID: "ID-1",
Email: "*****@*****.**",
Admin: true,
CreatedAt: clock.Now(),
},
}, {
User: user.User{
ID: "ID-2",
Email: "*****@*****.**",
CreatedAt: clock.Now(),
},
}, {
User: user.User{
ID: "ID-3",
Email: "*****@*****.**",
CreatedAt: clock.Now(),
},
}, {
User: user.User{
ID: "ID-4",
Email: "*****@*****.**",
CreatedAt: clock.Now(),
Disabled: true,
},
},
})
pwr := user.NewPasswordInfoRepoFromPasswordInfos([]user.PasswordInfo{
{
UserID: "ID-1",
Password: []byte("password-1"),
},
{
UserID: "ID-2",
Password: []byte("password-2"),
},
})
mgr := user.NewManager(ur, pwr, repo.InMemTransactionFactory, user.ManagerOptions{})
mgr.Clock = clock
ci := oidc.ClientIdentity{
Credentials: oidc.ClientCredentials{
ID: "XXX",
Secret: "secrete",
},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
validRedirURL,
},
},
}
cir := client.NewClientIdentityRepo([]oidc.ClientIdentity{ci})
emailer := &testEmailer{}
api := NewUsersAPI(mgr, cir, emailer, "local")
return api, emailer
}
func makeUserObjects(users []user.UserWithRemoteIdentities, passwords []user.PasswordInfo) (user.UserRepo, user.PasswordInfoRepo, *user.Manager) {
ur := user.NewUserRepoFromUsers(users)
pwr := user.NewPasswordInfoRepoFromPasswordInfos(passwords)
um := user.NewManager(ur, pwr, repo.InMemTransactionFactory, user.ManagerOptions{})
um.Clock = clock
return ur, pwr, um
}
func (cfg *SingleServerConfig) Configure(srv *Server) error {
k, err := key.GeneratePrivateKey()
if err != nil {
return err
}
ks := key.NewPrivateKeySet([]*key.PrivateKey{k}, time.Now().Add(24*time.Hour))
kRepo := key.NewPrivateKeySetRepo()
if err = kRepo.Set(ks); err != nil {
return err
}
cf, err := os.Open(cfg.ClientsFile)
if err != nil {
return fmt.Errorf("unable to read clients from file %s: %v", cfg.ClientsFile, err)
}
defer cf.Close()
ciRepo, err := client.NewClientIdentityRepoFromReader(cf)
if err != nil {
return fmt.Errorf("unable to read client identities from file %s: %v", cfg.ClientsFile, err)
}
cfgRepo, err := connector.NewConnectorConfigRepoFromFile(cfg.ConnectorsFile)
if err != nil {
return fmt.Errorf("unable to create ConnectorConfigRepo: %v", err)
}
sRepo := session.NewSessionRepo()
skRepo := session.NewSessionKeyRepo()
sm := session.NewSessionManager(sRepo, skRepo)
userRepo, err := user.NewUserRepoFromFile(cfg.UsersFile)
if err != nil {
return fmt.Errorf("unable to read users from file: %v", err)
}
pwiRepo := user.NewPasswordInfoRepo()
refTokRepo := refresh.NewRefreshTokenRepo()
txnFactory := repo.InMemTransactionFactory
userManager := user.NewManager(userRepo, pwiRepo, txnFactory, user.ManagerOptions{})
srv.ClientIdentityRepo = ciRepo
srv.KeySetRepo = kRepo
srv.ConnectorConfigRepo = cfgRepo
srv.UserRepo = userRepo
srv.UserManager = userManager
srv.PasswordInfoRepo = pwiRepo
srv.SessionManager = sm
srv.RefreshTokenRepo = refTokRepo
return nil
}
func (cfg *MultiServerConfig) Configure(srv *Server) error {
if len(cfg.KeySecrets) == 0 {
return errors.New("missing key secret")
}
if cfg.DatabaseConfig.DSN == "" {
return errors.New("missing database connection string")
}
dbc, err := db.NewConnection(cfg.DatabaseConfig)
if err != nil {
return fmt.Errorf("unable to initialize database connection: %v", err)
}
kRepo, err := db.NewPrivateKeySetRepo(dbc, cfg.UseOldFormat, cfg.KeySecrets...)
if err != nil {
return fmt.Errorf("unable to create PrivateKeySetRepo: %v", err)
}
ciRepo := db.NewClientIdentityRepo(dbc)
sRepo := db.NewSessionRepo(dbc)
skRepo := db.NewSessionKeyRepo(dbc)
cfgRepo := db.NewConnectorConfigRepo(dbc)
userRepo := db.NewUserRepo(dbc)
pwiRepo := db.NewPasswordInfoRepo(dbc)
userManager := user.NewManager(userRepo, pwiRepo, db.TransactionFactory(dbc), user.ManagerOptions{})
refreshTokenRepo := db.NewRefreshTokenRepo(dbc)
sm := session.NewSessionManager(sRepo, skRepo)
srv.ClientIdentityRepo = ciRepo
srv.KeySetRepo = kRepo
srv.ConnectorConfigRepo = cfgRepo
srv.UserRepo = userRepo
srv.UserManager = userManager
srv.PasswordInfoRepo = pwiRepo
srv.SessionManager = sm
srv.RefreshTokenRepo = refreshTokenRepo
return nil
}
func makeTestFixtures() (*testFixtures, error) {
userRepo := user.NewUserRepoFromUsers(testUsers)
pwRepo := user.NewPasswordInfoRepoFromPasswordInfos(testPasswordInfos)
manager := user.NewManager(userRepo, pwRepo, repo.InMemTransactionFactory, user.ManagerOptions{})
connConfigs := []connector.ConnectorConfig{
&connector.OIDCConnectorConfig{
ID: "oidc",
IssuerURL: testIssuerURL.String(),
ClientID: "12345",
ClientSecret: "567789",
},
&connector.OIDCConnectorConfig{
ID: "oidc-trusted",
IssuerURL: testIssuerURL.String(),
ClientID: "12345-trusted",
ClientSecret: "567789-trusted",
TrustedEmailProvider: true,
},
&connector.LocalConnectorConfig{
ID: "local",
},
}
sessionManager := session.NewSessionManager(session.NewSessionRepo(), session.NewSessionKeyRepo())
sessionManager.GenerateCode = sequentialGenerateCodeFunc()
emailer, err := email.NewTemplatizedEmailerFromGlobs(
emailTemplatesLocation+"/*.txt",
emailTemplatesLocation+"/*.html",
&email.FakeEmailer{})
if err != nil {
return nil, err
}
clientIdentityRepo := client.NewClientIdentityRepo([]oidc.ClientIdentity{
oidc.ClientIdentity{
Credentials: oidc.ClientCredentials{
ID: "XXX",
Secret: testClientSecret,
},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
testRedirectURL,
},
},
},
})
km := key.NewPrivateKeyManager()
err = km.Set(key.NewPrivateKeySet([]*key.PrivateKey{testPrivKey}, time.Now().Add(time.Minute)))
if err != nil {
return nil, err
}
tpl, err := getTemplates("dex", "https://coreos.com/assets/images/brand/coreos-mark-30px.png", templatesLocation)
if err != nil {
return nil, err
}
srv := &Server{
IssuerURL: testIssuerURL,
SessionManager: sessionManager,
ClientIdentityRepo: clientIdentityRepo,
Templates: tpl,
UserRepo: userRepo,
PasswordInfoRepo: pwRepo,
UserManager: manager,
KeyManager: km,
}
err = setTemplates(srv, tpl)
if err != nil {
return nil, err
}
for _, config := range connConfigs {
if err := srv.AddConnector(config); err != nil {
return nil, err
}
}
srv.UserEmailer = useremail.NewUserEmailer(srv.UserRepo,
srv.PasswordInfoRepo,
srv.KeyManager.Signer,
srv.SessionManager.ValidityWindow,
srv.IssuerURL,
emailer,
"*****@*****.**",
srv.absURL(httpPathResetPassword),
srv.absURL(httpPathEmailVerify))
return &testFixtures{
srv: srv,
redirectURL: testRedirectURL,
userRepo: userRepo,
sessionManager: sessionManager,
emailer: emailer,
clientIdentityRepo: clientIdentityRepo,
}, nil
}
func main() {
fs := flag.NewFlagSet("dex-overlord", flag.ExitOnError)
keySecrets := pflag.NewBase64List(32)
fs.Var(keySecrets, "key-secrets", "A comma-separated list of base64 encoded 32 byte strings used as symmetric keys used to encrypt/decrypt signing key data in DB. The first key is considered the active key and used for encryption, while the others are used to decrypt.")
dbURL := fs.String("db-url", "", "DSN-formatted database connection string")
dbMigrate := fs.Bool("db-migrate", true, "perform database migrations when starting up overlord. This includes the initial DB objects creation.")
keyPeriod := fs.Duration("key-period", 24*time.Hour, "length of time for-which a given key will be valid")
gcInterval := fs.Duration("gc-interval", time.Hour, "length of time between garbage collection runs")
adminListen := fs.String("admin-listen", "http://127.0.0.1:5557", "scheme, host and port for listening for administrative operation requests ")
localConnectorID := fs.String("local-connector", "local", "ID of the local connector")
logDebug := fs.Bool("log-debug", false, "log debug-level information")
logTimestamps := fs.Bool("log-timestamps", false, "prefix log lines with timestamps")
if err := fs.Parse(os.Args[1:]); err != nil {
fmt.Fprintln(os.Stderr, err.Error())
os.Exit(1)
}
if err := pflag.SetFlagsFromEnv(fs, "DEX_OVERLORD"); err != nil {
fmt.Fprintln(os.Stderr, err.Error())
os.Exit(1)
}
if *logDebug {
log.EnableDebug()
}
if *logTimestamps {
log.EnableTimestamps()
}
adminURL, err := url.Parse(*adminListen)
if err != nil {
log.Fatalf("Unable to use --admin-listen flag: %v", err)
}
dbCfg := db.Config{
DSN: *dbURL,
MaxIdleConnections: 1,
MaxOpenConnections: 1,
}
dbc, err := db.NewConnection(dbCfg)
if err != nil {
log.Fatalf(err.Error())
}
if *dbMigrate {
var sleep time.Duration
for {
var err error
var migrations int
if migrations, err = db.MigrateToLatest(dbc); err == nil {
log.Infof("Performed %d db migrations", migrations)
break
}
sleep = ptime.ExpBackoff(sleep, time.Minute)
log.Errorf("Unable to migrate database, retrying in %v: %v", sleep, err)
time.Sleep(sleep)
}
}
userRepo := db.NewUserRepo(dbc)
pwiRepo := db.NewPasswordInfoRepo(dbc)
userManager := user.NewManager(userRepo,
pwiRepo, db.TransactionFactory(dbc), user.ManagerOptions{})
adminAPI := admin.NewAdminAPI(userManager, userRepo, pwiRepo, *localConnectorID)
kRepo, err := db.NewPrivateKeySetRepo(dbc, keySecrets.BytesSlice()...)
if err != nil {
log.Fatalf(err.Error())
}
var sleep time.Duration
for {
var done bool
_, err := kRepo.Get()
switch err {
case nil:
done = true
case key.ErrorNoKeys:
done = true
case db.ErrorCannotDecryptKeys:
log.Fatalf("Cannot decrypt keys using any of the given key secrets. The key secrets must be changed to include one that can decrypt the existing keys, or the existing keys must be deleted.")
}
if done {
break
}
sleep = ptime.ExpBackoff(sleep, time.Minute)
log.Errorf("Unable to get keys from repository, retrying in %v: %v", sleep, err)
time.Sleep(sleep)
}
krot := key.NewPrivateKeyRotator(kRepo, *keyPeriod)
s := server.NewAdminServer(adminAPI, krot)
h := s.HTTPHandler()
httpsrv := &http.Server{
Addr: adminURL.Host,
Handler: h,
}
gc := db.NewGarbageCollector(dbc, *gcInterval)
log.Infof("Binding to %s...", httpsrv.Addr)
go func() {
log.Fatal(httpsrv.ListenAndServe())
}()
gc.Run()
<-krot.Run()
}
