dex/cmd/dex-worker/main.go
Bobby Rullo d0c199b62c cmd, server: base64 encode multiple secrets
Two things here:

    * key secrets are now base64 encoded strings, so we get the full key
      space

    * we can pass >1 of them in so we can rotate them
2015-08-26 10:43:24 -07:00

152 lines
4.4 KiB
Go

package main
import (
"expvar"
"flag"
"fmt"
"net/http"
"net/url"
"os"
"github.com/gorilla/handlers"
"github.com/coreos/dex/db"
pflag "github.com/coreos/dex/pkg/flag"
"github.com/coreos/dex/pkg/log"
"github.com/coreos/dex/server"
"github.com/coreos/pkg/flagutil"
)
var version = "DEV"
func init() {
versionVar := expvar.NewString("dex.version")
versionVar.Set(version)
}
func main() {
fs := flag.NewFlagSet("dex-worker", flag.ExitOnError)
listen := fs.String("listen", "http://0.0.0.0:5556", "")
issuer := fs.String("issuer", "http://127.0.0.1:5556", "")
templates := fs.String("html-assets", "./static/html", "directory of html template files")
emailTemplateDirs := flagutil.StringSliceFlag{"./static/email"}
fs.Var(&emailTemplateDirs, "email-templates", "comma separated list of directories of email template files")
emailFrom := fs.String("email-from", "no-reply@coreos.com", "emails sent from dex will come from this address")
emailConfig := fs.String("email-cfg", "./static/fixtures/emailer.json", "configures emailer.")
noDB := fs.Bool("no-db", false, "manage entities in-process w/o any encryption, used only for single-node testing")
// ignored if --no-db is set
dbURL := fs.String("db-url", "", "DSN-formatted database connection string")
keySecrets := pflag.NewBase64List(32)
fs.Var(keySecrets, "key-secrets", "A comma-separated list of base64 encoded 32 byte strings used as symmetric keys used to encrypt/decrypt signing key data in DB. The first key is considered the active key and used for encryption, while the others are used to decrypt.")
dbMaxIdleConns := fs.Int("db-max-idle-conns", 0, "maximum number of connections in the idle connection pool")
dbMaxOpenConns := fs.Int("db-max-open-conns", 0, "maximum number of open connections to the database")
// used only if --no-db is set
connectors := fs.String("connectors", "./static/fixtures/connectors.json", "JSON file containg set of IDPC configs")
clients := fs.String("clients", "./static/fixtures/clients.json", "json file containing set of clients")
users := fs.String("users", "./static/fixtures/users.json", "json file containing set of users")
logDebug := fs.Bool("log-debug", false, "log debug-level information")
logTimestamps := fs.Bool("log-timestamps", false, "prefix log lines with timestamps")
if err := fs.Parse(os.Args[1:]); err != nil {
fmt.Fprintln(os.Stderr, err.Error())
os.Exit(1)
}
if err := pflag.SetFlagsFromEnv(fs, "DEX_WORKER"); err != nil {
fmt.Fprintln(os.Stderr, err.Error())
os.Exit(1)
}
if *logDebug {
log.EnableDebug()
log.Infof("Debug logging enabled.")
log.Debugf("Debug logging enabled.")
}
if *logTimestamps {
log.EnableTimestamps()
}
lu, err := url.Parse(*listen)
if err != nil {
log.Fatalf("Unable to use --listen flag: %v", err)
}
if lu.Scheme != "http" {
log.Fatalf("Unable to listen using scheme %s", lu.Scheme)
}
scfg := server.ServerConfig{
IssuerURL: *issuer,
TemplateDir: *templates,
EmailTemplateDirs: emailTemplateDirs,
EmailFromAddress: *emailFrom,
EmailerConfigFile: *emailConfig,
}
if *noDB {
log.Warning("Running in-process without external database or key rotation")
scfg.StateConfig = &server.SingleServerConfig{
ClientsFile: *clients,
ConnectorsFile: *connectors,
UsersFile: *users,
}
} else {
if *dbMaxIdleConns == 0 {
log.Warning("Running with no limit on: database idle connections")
}
if *dbMaxOpenConns == 0 {
log.Warning("Running with no limit on: database open connections")
}
dbCfg := db.Config{
DSN: *dbURL,
MaxIdleConnections: *dbMaxIdleConns,
MaxOpenConnections: *dbMaxOpenConns,
}
scfg.StateConfig = &server.MultiServerConfig{
KeySecrets: keySecrets.BytesSlice(),
DatabaseConfig: dbCfg,
}
}
srv, err := scfg.Server()
if err != nil {
log.Fatalf("Unable to build Server: %v", err)
}
cfgs, err := srv.ConnectorConfigRepo.All()
if err != nil {
log.Fatalf("Unable to fetch connector configs from repo: %v", err)
}
for _, cfg := range cfgs {
cfg := cfg
if err = srv.AddConnector(cfg); err != nil {
log.Fatalf("Failed registering connector: %v", err)
}
}
h := srv.HTTPHandler()
h = handlers.LoggingHandler(log.InfoWriter(), h)
httpsrv := &http.Server{
Addr: lu.Host,
Handler: h,
}
log.Infof("Binding to %s...", httpsrv.Addr)
go func() {
log.Fatal(httpsrv.ListenAndServe())
}()
<-srv.Run()
}