Use goproxy for both forw/rev proxies and start HMAC->JWT transition

ca.crt

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICSjCCAbWgAwIBAgIBADALBgkqhkiG9w0BAQUwSjEjMCEGA1UEChMaZ2l0aHVi
+LmNvbS9lbGF6YXJsL2dvcHJveHkxIzAhBgNVBAMTGmdpdGh1Yi5jb20vZWxhemFy
+bC9nb3Byb3h5MB4XDTAwMDEwMTAwMDAwMFoXDTQ5MTIzMTIzNTk1OVowSjEjMCEG
+A1UEChMaZ2l0aHViLmNvbS9lbGF6YXJsL2dvcHJveHkxIzAhBgNVBAMTGmdpdGh1
+Yi5jb20vZWxhemFybC9nb3Byb3h5MIGdMAsGCSqGSIb3DQEBAQOBjQAwgYkCgYEA
+vz9BbCaJjxs73Tvcq3leP32hAGerQ1RgvlZ68Z4nZmoVHfl+2Nr/m0dmW+GdOfpT
+cs/KzfJjYGr/84x524fiuR8GdZ0HOtXJzyF5seoWnbBIuyr1PbEpgRhGQMqqOUuj
+YExeLbfNHPIoJ8XZ1Vzyv3YxjbmjWA+S/uOe9HWtDbMCAwEAAaNGMEQwDgYDVR0P
+AQH/BAQDAgCkMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8w
+DAYDVR0RBAUwA4IBKjALBgkqhkiG9w0BAQUDgYEAIcL8huSmGMompNujsvePTUnM
+oEUKtX4Eh/+s+DSfV/TyI0I+3GiPpLplEgFWuoBIJGios0r1dKh5N0TGjxX/RmGm
+qo7E4jjJuo8Gs5U8/fgThZmshax2lwLtbRNwhvUVr65GdahLsZz8I+hySLuatVvR
+qHHq/FQORIiNyNpq/Hg=
+-----END CERTIFICATE-----

ca.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC/P0FsJomPGzvdO9yreV4/faEAZ6tDVGC+VnrxnidmahUd+X7Y
+2v+bR2Zb4Z05+lNyz8rN8mNgav/zjHnbh+K5HwZ1nQc61cnPIXmx6hadsEi7KvU9
+sSmBGEZAyqo5S6NgTF4tt80c8ignxdnVXPK/djGNuaNYD5L+4570da0NswIDAQAB
+AoGBALzIv1b4D7ARTR3NOr6V9wArjiOtMjUrdLhO+9vIp9IEA8ZsA9gjDlCEwbkP
+VDnoLjnWfraff5Os6+3JjHy1fYpUiCdnk2XA6iJSL1XWKQZPt3wOunxP4lalDgED
+QTRReFbA/y/Z4kSfTXpVj68ytcvSRW/N7q5/qRtbN9804jpBAkEA0s6lvH2btSLA
+mcEdwhs7zAslLbdld7rvfUeP82gPPk0S6yUqTNyikqshM9AwAktHY7WvYdKl+ghZ
+HTxKVC4DoQJBAOg/IAW5RbXknP+Lf7AVtBgw3E+Yfa3mcdLySe8hjxxyZq825Zmu
+Rt5Qj4Lw6ifSFNy4kiiSpE/ZCukYvUXGENMCQFkPxSWlS6tzSzuqQxBGwTSrYMG3
+wb6b06JyIXcMd6Qym9OMmBpw/J5KfnSNeDr/4uFVWQtTG5xO+pdHaX+3EQECQQDl
+qcbY4iX1gWVfr2tNjajSYz751yoxVbkpiT9joiQLVXYFvpu+JYEfRzsjmWl0h2Lq
+AftG8/xYmaEYcMZ6wSrRAkBUwiom98/8wZVlB6qbwhU1EKDFANvICGSWMIhPx3v7
+MJqTIj4uJhte2/uyVvZ6DC6noWYgy+kLgqG0S97tUEG8
+-----END RSA PRIVATE KEY-----

cmd/jwtproxy/main.go

@@ -0,0 +1,90 @@
+// Copyright 2015 CoreOS, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"flag"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+
+	log "github.com/Sirupsen/logrus"
+	"github.com/coreos-inc/hmacproxy/config"
+	"github.com/coreos-inc/hmacproxy/jwt"
+	"github.com/coreos-inc/hmacproxy/proxy"
+)
+
+func main() {
+	flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
+	flagConfigPath := flag.String("config", "", "Load configuration from the specified yaml file.")
+	flagLogLevel := flag.String("log-level", "info", "Define the logging level.")
+	flag.Parse()
+
+	// Load configuration.
+	config, err := config.Load(*flagConfigPath)
+	if err != nil {
+		flag.Usage()
+		log.Fatalf("failed to load configuration: %s", err)
+	}
+
+	// Initialize logging system.
+	level, err := log.ParseLevel(*flagLogLevel)
+	if err != nil {
+		log.Fatalf("failed to parse the log level: %s", err)
+	}
+	log.SetLevel(level)
+
+	// Create JWT proxy handlers.
+	fwp := jwt.NewJWTSignerHandler()
+	rvp := jwt.NewJWTVerifierHandler(config.Verifier.Upstream.URL)
+
+	// Create forward and reverse proxies.
+	forwardProxy, err := proxy.NewProxy(fwp, config.Signer.CAKeyFile, config.Signer.CACrtFile)
+	if err != nil {
+		log.Fatalf("failed to create forward proxy: %s", err)
+	}
+
+	reverseProxy, err := proxy.NewReverseProxy(rvp)
+	if err != nil {
+		log.Fatalf("failed to create reverse proxy: %s", err)
+	}
+
+	// Start proxies.
+	go func() {
+		log.Info("Starting forward proxy")
+		log.Fatal(http.ListenAndServe(config.Signer.ListenAddr, forwardProxy))
+	}()
+
+	go func() {
+		if config.Verifier.CrtFile != "" && config.Verifier.KeyFile != "" {
+			log.Info("Starting reverse proxy (TLS Enabled)")
+			log.Fatal(http.ListenAndServeTLS(config.Verifier.ListenAddr, config.Verifier.CrtFile, config.Verifier.KeyFile, reverseProxy))
+
+		} else {
+			log.Info("Starting reverse proxy (TLS Disabled)")
+			go log.Fatal(http.ListenAndServe(config.Verifier.ListenAddr, reverseProxy))
+		}
+	}()
+
+	waitForSignals(syscall.SIGINT, syscall.SIGTERM)
+	// TODO: Graceful stop.
+}
+
+func waitForSignals(signals ...os.Signal) {
+	interrupts := make(chan os.Signal, 1)
+	signal.Notify(interrupts, signals...)
+	<-interrupts
+}

config.example.yaml

@@ -1,23 +1,13 @@
-hmacproxy:
+jwtproxy:
   signer:
-    key:
-      id: 123abc
-      secret: 123abc456def
-      region: quay
-      service: clair
-    listeneraddr: ":8080"
+    listenaddr: :8080
+    # CA used to forge certificates used by
+    # the proxy's MITM mechanism.
+    cakeyfile: ca.key
+    cacrtfile: ca.crt
   verifier:
-    upstream: http://localhost:6060
-    maxclockskew: 15s
-    tls:
-      certfile: ssl.crt
-      keyfile: ssl.key
-      cafile: ca.crt
-      requireclientcertificate: false
-    credentialsource:
-      type: SingleCredential
-      options:
-        keyid: 123abc
-        keysecret: 123abc456def
-        keyregion: quay
-        service: quay
+    listenaddr: :8082
+    upstream: http://127.0.0.1:8888/
+    # Key pair used to terminate TLS.
+    keyfile: localhost.key
+    crtfile: localhost.crt

config/config.go

@@ -19,7 +19,6 @@ import (
 	"io/ioutil"
 	"net/url"
 	"os"
-	"time"
 
 	"gopkg.in/yaml.v2"
 )
@@ -55,7 +54,7 @@ func (u URL) MarshalYAML() (interface{}, error) {
 // Represents a config file, which may have configuration for other programs
 // as a top level key.
 type configFile struct {
-	HmacProxy *Config
+	JWTProxy *Config
 }
 
 // Config is the global configuration
@@ -64,55 +63,27 @@ type Config struct {
 	Verifier *VerifierConfig
 }
 
-// SignerConfig is used to enable and configure the signing half of the proxy.
-type SignerConfig struct {
-	ListenerAddr string
-	Key          *HMACKey
-}
-
-// HMACKey represents a single hard coded credential.
-type HMACKey struct {
-	ID      string
-	Secret  string
-	Region  string
-	Service string
-}
-
-// VerifierConfig is used to enable and configure the verifier half of the
-// proxy.
 type VerifierConfig struct {
-	ListenerAddr     string
-	Upstream         URL
-	MaxClockSkew     time.Duration
-	TLS              *TLSConfig
-	CredentialSource *CredentialSourceConfig
-}
-
-// TLSConfig enables TLS(SSL) when specified, and optionally requires the use
-// of client certificates.
-type TLSConfig struct {
-	CertFile                 string
-	KeyFile                  string
-	CAFile                   string
-	RequireClientCertificate string
+	ListenAddr string
+	CrtFile    string
+	KeyFile    string
+	Upstream   URL
 }
 
-// CredentialSourceConfig specified a credential source and the options
-// required to instantiate it.
-type CredentialSourceConfig struct {
-	Type    string
-	Options map[string]interface{} `yaml:",inline"`
+type SignerConfig struct {
+	ListenAddr string
+	CAKeyFile  string
+	CACrtFile  string
 }
 
 // DefaultConfig is a configuration that can be used as a fallback value.
 var DefaultConfig = configFile{
-	HmacProxy: &Config{
+	JWTProxy: &Config{
 		Signer: &SignerConfig{
-			ListenerAddr: ":8080",
+			ListenAddr: ":8080",
 		},
 		Verifier: &VerifierConfig{
-			MaxClockSkew: 1 * time.Minute,
-			ListenerAddr: ":8081",
+			ListenAddr: ":8081",
 		},
 	},
 }
@@ -142,6 +113,6 @@ func Load(path string) (config *Config, err error) {
 		return
 	}
 
-	config = cFile.HmacProxy
+	config = cFile.JWTProxy
 	return
 }