admin.1f349.com/test-server/main.go

package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"strings"
	"time"

	"github.com/1f349/mjwt"
	"github.com/1f349/mjwt/auth"
	"github.com/1f349/mjwt/claims"
	"github.com/golang-jwt/jwt/v4"
	"github.com/google/uuid"
	"github.com/rs/cors"
)

func main() {
	log.Println("Starting test server")
	signer, err := mjwt.NewMJwtSignerFromFileOrCreate("Test SSO Service", "private.key.local", rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}

	go ssoServer(signer)
	go apiServer(signer)
	done := make(chan struct{})
	<-done
}

func ssoServer(signer mjwt.Signer) {
	r := http.NewServeMux()
	r.HandleFunc("/authorize", func(w http.ResponseWriter, r *http.Request) {
		// request url: http://localhost:9090/authorize?response_type=token&redirect_uri=http://localhost:5173/&scope=openid%20profile%20name&client_id=b5a9a8df-827c-4925-b1c1-1940abcf356b
		// redirect url: http://localhost:5173/#access_token=<token>&scope=openid%20profile%20name&token_type=Bearer
		if r.FormValue("response_type") != "token" {
			panic("invalid response_type")
		}
		if r.FormValue("redirect_uri") != "http://localhost:5173/" {
			panic("invalid redirect_uri")
		}
		if r.FormValue("scope") != "openid profile name" {
			panic("invalid scope")
		}
		if r.FormValue("client_id") != "b5a9a8df-827c-4925-b1c1-1940abcf356b" {
			panic("invalid client_id")
		}

		ps := claims.NewPermStorage()
		ps.Set("violet:route")
		ps.Set("violet:redirect")
		ps.Set("domain:owns=example.com")
		ps.Set("domain:owns=example.org")
		accessToken, err := signer.GenerateJwt("81b99bd7-bf74-4cc2-9133-80ed2393dfe6", uuid.NewString(), jwt.ClaimStrings{"b5a9a8df-827c-4925-b1c1-1940abcf356b"}, 15*time.Minute, auth.AccessTokenClaims{
			Perms: ps,
		})
		if err != nil {
			http.Error(w, "Failed to generate access token", http.StatusInternalServerError)
			return
		}
		v := url.Values{}
		v.Set("access_token", accessToken)
		v.Set("scope", "openid profile name")
		v.Set("token_type", "Bearer")
		v.Set("expires_in", "900")
		http.Redirect(w, r, "http://localhost:5173/#"+v.Encode(), http.StatusFound)
	})
	var corsAccessControl = cors.New(cors.Options{
		AllowOriginFunc: func(origin string) bool {
			return origin == "http://localhost:5173"
		},
		AllowedMethods:   []string{http.MethodGet, http.MethodOptions},
		AllowedHeaders:   []string{"Content-Type", "Authorization"},
		AllowCredentials: true,
	})
	r.HandleFunc("/userinfo", func(w http.ResponseWriter, r *http.Request) {
		corsAccessControl.ServeHTTP(w, r, func(w http.ResponseWriter, r *http.Request) {
			w.WriteHeader(http.StatusOK)
			w.Write([]byte(`{"aud":"b5a9a8df-827c-4925-b1c1-1940abcf356b","name":"Test User","picture":"","profile":"http://localhost:9090/user/test-user","sub":"b429562a-20e9-4466-9e8e-bdeb55f2f4a3@localhost","updated_at":1572278406,"website":""}`))
		})
	})
	log.Println("[SSO Server]", http.ListenAndServe(":9090", r))
}

var serveApiCors = cors.New(cors.Options{
	AllowOriginFunc: func(origin string) bool {
		return origin == "http://localhost:5173"
	}, // allow all origins for api requests
	AllowedHeaders: []string{"Content-Type", "Authorization"},
	AllowedMethods: []string{
		http.MethodGet,
		http.MethodHead,
		http.MethodPost,
		http.MethodPut,
		http.MethodPatch,
		http.MethodDelete,
		http.MethodConnect,
	},
	AllowCredentials: true,
})

func apiServer(verify mjwt.Verifier) {
	r := http.NewServeMux()
	r.Handle("/v1/violet/route", hasPerm(verify, "violet:route", func(rw http.ResponseWriter, req *http.Request) {
		m := make([]map[string]any, 0, 40)
		for i := 0; i < 20; i++ {
			m = append(m, map[string]any{
				"src":    uuid.NewString() + ".example.com",
				"dst":    "127.0.0.1:8080",
				"desc":   "This is a test description",
				"flags":  181,
				"active": true,
			})
		}
		for i := 0; i < 20; i++ {
			m = append(m, map[string]any{
				"src":    uuid.NewString() + ".example.org",
				"dst":    "127.0.0.1:8085",
				"desc":   "This is a test description",
				"flags":  17,
				"active": true,
			})
		}
		json.NewEncoder(rw).Encode(m)
	}))
	r.Handle("/v1/violet/redirect", hasPerm(verify, "violet:redirect", func(rw http.ResponseWriter, req *http.Request) {
		m := make([]map[string]any, 0, 40)
		for i := 0; i < 20; i++ {
			m = append(m, map[string]any{
				"src":    uuid.NewString() + ".example.com",
				"dst":    "test1.example.com",
				"desc":   "This is a test description",
				"flags":  1,
				"code":   308,
				"active": true,
			})
		}
		for i := 0; i < 20; i++ {
			m = append(m, map[string]any{
				"src":    uuid.NewString() + ".example.org",
				"dst":    "test2.example.org",
				"desc":   "This is a test description",
				"flags":  3,
				"code":   307,
				"active": true,
			})
		}
		json.NewEncoder(rw).Encode(m)
	}))
	r.Handle("/v1/orchid/owned", hasPerm(verify, "orchid:cert", func(rw http.ResponseWriter, req *http.Request) {
		m := make(map[int]any, 41)
		for i := 0; i < 20; i++ {
			u := uuid.NewString()
			m[i] = map[string]any{
				"id":           i + 1,
				"auto_renew":   true,
				"active":       true,
				"renewing":     false,
				"renew_failed": false,
				"not_after":    "2024-02-06T11:52:05Z",
				"updated_at":   "2023-11-08T07:32:08Z",
				"domains": []string{
					u + ".example.com",
					"*." + u + ".example.com",
				},
			}
		}
		for i := 0; i < 20; i++ {
			u := uuid.NewString()
			m[i+20] = map[string]any{
				"id":           i + 21,
				"auto_renew":   false,
				"active":       false,
				"renewing":     false,
				"renew_failed": false,
				"not_after":    "2024-02-06T11:52:05Z",
				"updated_at":   "2023-11-08T07:32:08Z",
				"domains": []string{
					u + ".example.org",
					"*." + u + ".example.org",
				},
			}
		}
		u := uuid.NewString()
		m[40] = map[string]any{
			"id":           41,
			"auto_renew":   false,
			"active":       false,
			"renewing":     false,
			"renew_failed": true,
			"not_after":    "2024-02-06T11:52:05Z",
			"updated_at":   "2023-11-08T07:32:08Z",
			"domains": []string{
				u + ".example.org",
				"*." + u + ".example.org",
			},
		}
		json.NewEncoder(rw).Encode(m)
	}))
	r.Handle("/v1/sites", hasPerm(verify, "sites:manage", func(rw http.ResponseWriter, req *http.Request) {
		if req.Method == http.MethodPost {
			defer req.Body.Close()
			dec := json.NewDecoder(req.Body)
			var m map[string]string
			if err := dec.Decode(&m); err != nil {
				http.Error(rw, err.Error(), http.StatusBadRequest)
				return
			}
			switch m["submit"] {
			case "secret":
				rw.WriteHeader(http.StatusOK)
				fmt.Fprintf(rw, "{\"secret\":\"%s\"}\n", uuid.NewString())
				return
			case "delete-branch":
				rw.WriteHeader(http.StatusOK)
			}
			return
		}
		m := make([]any, 0, 40)
		for i := 0; i < 20; i++ {
			m = append(m, map[string]any{
				"domain":   uuid.NewString() + ".example.com",
				"branches": []string{"", "beta"},
			})
		}
		for i := 0; i < 20; i++ {
			m = append(m, map[string]any{
				"domain":   uuid.NewString() + ".example.org",
				"branches": []string{"", "alpha"},
			})
		}
		json.NewEncoder(rw).Encode(m)
	}))

	logger := http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
		log.Println("[API Server]", req.URL.String())
		r.ServeHTTP(rw, req)
	})
	http.ListenAndServe(":9095", serveApiCors.Handler(logger))
	log.Println("[API Server]", http.ListenAndServe(":9090", r))
}

func hasPerm(verify mjwt.Verifier, perm string, next func(rw http.ResponseWriter, req *http.Request)) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
		a := req.Header.Get("Authorization")
		if !strings.HasPrefix(a, "Bearer ") {
			http.Error(rw, "Missing bearer authorization", http.StatusForbidden)
			return
		}
		_, b, err := mjwt.ExtractClaims[auth.AccessTokenClaims](verify, a[len("Bearer "):])
		if err != nil {
			http.Error(rw, "Invalid token", http.StatusForbidden)
			log.Println("Invalid token:", err)
			return
		}
		if !b.Claims.Perms.Has("violet:route") {
			http.Error(rw, "Missing permission", http.StatusForbidden)
			return
		}
		next(rw, req)
	})
}