Add TLS support to http server

.defaults.yml

@@ -15,6 +15,11 @@ vouch:
   # whiteList:
   # teamWhitelist:
 
+  tls:
+    # cert:
+    # key:
+    profile: intermediate
+
   jwt:
     #   secret:
     issuer: Vouch

.gitignore

@@ -9,6 +9,7 @@ config/secret
 !config/testing/*
 pkg/model/storage-test.db
 .vscode/*
+certs/*
 coverage.out
 coverage.html.env_google
 .env*

README.md

@@ -180,6 +180,7 @@ The variable `VOUCH_CONFIG` can be used to set an alternate location for the con
 - [Kubernetes architecture post ingress](https://github.com/vouch/vouch-proxy/pull/263#issuecomment-628297832)
 - [set `HTTP_PROXY` to relay Vouch Proxy IdP requests through an outbound proxy server](https://github.com/vouch/vouch-proxy/issues/291)
 - [Reverse Proxy for Google Cloud Run Services](https://github.com/karthikv2k/oauth_reverse_proxy)
+- [Enable native TLS in Vouch Proxy](https://github.com/vouch/vouch-proxy/pull/332#issue-522612010)
 
 Please do help us to expand this list.
 

config/config.yml_example

@@ -55,6 +55,12 @@ vouch:
   # - myOrg
   # - myOrg/myTeam
 
+  tls:
+    # cert: /path/to/signed_cert_plus_intermediates # VOUCH_TLS_CERT
+    # key: /path/to/private_key                     # VOUCH_TLS_KEY
+    # profile - defines the TLS configuration profile (modern, intermediate, old, default)
+    profile: intermediate                           # VOUCH_TLS_PROFILE
+
   jwt:
     # secret - VOUCH_JWT_SECRET
     # a random string used to cryptographically sign the jwt

do.sh

@@ -318,6 +318,17 @@ gosec() {
   # segfault's without exec since it would just call this function infinitely :)
   exec gosec ./...
 }
+
+selfcert() {
+  # https://stackoverflow.com/questions/63588254/how-to-set-up-an-https-server-with-a-self-signed-certificate-in-golang
+  set -e
+  mkdir -p $SDIR/certs
+  # openssl genrsa -out $SDIR/certs/server.key 2048
+  openssl ecparam -genkey -name secp384r1 -out $SDIR/certs/server.key
+  openssl req -new -x509 -sha256 -key $SDIR/certs/server.key -out $SDIR/certs/server.crt -days 3650
+  echo -e "created self signed certs in '$SDIR/certs'\n"  
+}
+
 usage() {
    cat <<EOF
    usage:
@@ -327,6 +338,7 @@ usage() {
      $0 goget                  - get all dependencies
      $0 gofmt                  - gofmt the entire code base
      $0 gosec                  - gosec security audit of the entire code base
+     $0 selfcert               - calls openssl to create a self signed key and cert
      $0 dbuild                 - build docker container
      $0 drun [args]            - run docker container
      $0 dbuildalpine           - build docker container for alpine
@@ -360,6 +372,7 @@ case "$ARG" in
    |'install' \
    |'test' \
    |'goget' \
+   |'selfcert' \
    |'gogo' \
    |'watch' \
    |'gobuildstatic' \

main.go

@@ -60,6 +60,10 @@ var (
 	logger    *zap.SugaredLogger
 	fastlog   *zap.Logger
 	help      = flag.Bool("help", false, "show usage")
+	scheme    = map[bool]string{
+		false: "http",
+		true:  "https",
+	}
 	// doProfile = flag.Bool("profile", false, "run profiler at /debug/pprof")
 )
 
@@ -112,6 +116,7 @@ func main() {
 	configure()
 	var listen = cfg.Cfg.Listen + ":" + strconv.Itoa(cfg.Cfg.Port)
 	checkTCPPortAvailable(listen)
+	tls := (cfg.Cfg.TLS.Cert != "" && cfg.Cfg.TLS.Key != "")
 
 	logger.Infow("starting "+cfg.Branding.FullName,
 		// "semver":    semver,
@@ -120,7 +125,8 @@ func main() {
 		"buildhost", host,
 		"branch", branch,
 		"semver", semver,
-		"listen", listen,
+		"listen", scheme[tls]+"://"+listen,
+		"tls", tls,
 		"oauth.provider", cfg.GenOAuth.Provider)
 
 	muxR := mux.NewRouter()
@@ -166,7 +172,12 @@ func main() {
 		ErrorLog:     log.New(&fwdToZapWriter{fastlog}, "", 0),
 	}
 
-	logger.Fatal(srv.ListenAndServe())
+	if tls {
+		srv.TLSConfig = cfg.TLSConfig(cfg.Cfg.TLS.Profile)
+		logger.Fatal(srv.ListenAndServeTLS(cfg.Cfg.TLS.Cert, cfg.Cfg.TLS.Key))
+	} else {
+		logger.Fatal(srv.ListenAndServe())
+	}
 
 }
 

pkg/cfg/cfg.go

@@ -43,7 +43,13 @@ type Config struct {
 	TeamWhiteList []string `mapstructure:"teamWhitelist"`
 	AllowAllUsers bool     `mapstructure:"allowAllUsers"`
 	PublicAccess  bool     `mapstructure:"publicAccess"`
-	JWT           struct {
+
+	TLS struct {
+		Cert    string `mapstructure:"cert"`
+		Key     string `mapstructure:"key"`
+		Profile string `mapstructure:"profile"`
+	}
+	JWT struct {
 		MaxAge   int    `mapstructure:"maxAge"` // in minutes
 		Issuer   string `mapstructure:"issuer"`
 		Secret   string `mapstructure:"secret"`
@@ -397,6 +403,15 @@ func basicTest() error {
 	if Cfg.Cookie.MaxAge > Cfg.JWT.MaxAge {
 		return fmt.Errorf("configuration error: Cookie maxAge (%d) cannot be larger than the JWT maxAge (%d)", Cfg.Cookie.MaxAge, Cfg.JWT.MaxAge)
 	}
+
+	// check tls config
+	if Cfg.TLS.Key != "" && Cfg.TLS.Cert == "" {
+		return fmt.Errorf("configuration error: TLS certificate file not provided but TLS key is set (%s)", Cfg.TLS.Key)
+	}
+	if Cfg.TLS.Cert != "" && Cfg.TLS.Key == "" {
+		return fmt.Errorf("configuration error: TLS key file not provided but TLS certificate is set (%s)", Cfg.TLS.Cert)
+	}
+
 	return nil
 }
 

pkg/cfg/cfg_test.go

@@ -54,6 +54,31 @@ func TestConfigEnvPrecedence(t *testing.T) {
 
 }
 
+func TestConfigWithTLS(t *testing.T) {
+	tests := []struct {
+		name        string
+		tlsKeyFile  string
+		tlsCertFile string
+		wantErr     bool
+	}{
+		{"TLSConfigOK", "/path/to/key", "/path/to/cert", false},
+		{"TLSConfigKONoCert", "/path/to/key", "", true},
+		{"TLSConfigKONoKey", "", "/path/to/cert", true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Cleanup(cleanupEnv)
+			InitForTestPurposes()
+			Cfg.TLS.Cert = tt.tlsCertFile
+			Cfg.TLS.Key = tt.tlsKeyFile
+			err := ValidateConfiguration()
+
+			if (err != nil) != tt.wantErr {
+				t.Errorf("error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
 func TestSetGitHubDefaults(t *testing.T) {
 	InitForTestPurposesWithProvider("github")
 	assert.Equal(t, []string{"read:user"}, GenOAuth.Scopes)

pkg/cfg/tls.go

@@ -0,0 +1,69 @@
+/*
+
+Copyright 2020 The Vouch Proxy Authors.
+Use of this source code is governed by The MIT License (MIT) that
+can be found in the LICENSE file. Software distributed under The
+MIT License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
+OR CONDITIONS OF ANY KIND, either express or implied.
+
+*/
+
+package cfg
+
+import (
+	"crypto/tls"
+)
+
+// TLSConfig config returns a *tls.Config with the specified profile (modern, intermediate, old, default) configuration.
+func TLSConfig(profile string) *tls.Config {
+	c := &tls.Config{}
+
+	// Source: https://ssl-config.mozilla.org/#server=go&version=1.14&config=modern&hsts=false&guideline=5.6
+	switch profile {
+	case "modern":
+		c = &tls.Config{
+			MinVersion: tls.VersionTLS13,
+		}
+	case "intermediate":
+		c = &tls.Config{
+			MinVersion:               tls.VersionTLS12,
+			CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+			PreferServerCipherSuites: true,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+				tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			},
+		}
+	case "old":
+		c = &tls.Config{
+			MinVersion:               tls.VersionTLS10,
+			PreferServerCipherSuites: true,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+				tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+				tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+				tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+				tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+				tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+			},
+		}
+	}
+
+	return c
+}

pkg/cfg/tls_test.go

@@ -0,0 +1,37 @@
+/*
+
+Copyright 2020 The Vouch Proxy Authors.
+Use of this source code is governed by The MIT License (MIT) that
+can be found in the LICENSE file. Software distributed under The
+MIT License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
+OR CONDITIONS OF ANY KIND, either express or implied.
+
+*/
+
+package cfg
+
+import (
+	"crypto/tls"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestTLSConfig(t *testing.T) {
+	tests := []struct {
+		name              string
+		profile           string
+		wantTLSMinVersion uint16
+	}{
+		{"TLSDefaultProfile", "", 0},
+		{"TLSModernProfile", "modern", tls.VersionTLS13},
+		{"TLSIntermediateProfile", "intermediate", tls.VersionTLS12},
+		{"TLSOldProfile", "old", tls.VersionTLS10},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tlsConfig := TLSConfig(tt.profile)
+			assert.Equal(t, tt.wantTLSMinVersion, tlsConfig.MinVersion)
+		})
+	}
+}