Initial checkin of Pomerium

[desimone]

Happy new years. 🎉

All

• Consolidated many instances of duplicated code, likely the result of the project's history.
• Removed statsd / datadog code. *: statsd should be optional buzzfeed/sso#5, Metrics configuration should be optional buzzfeed/sso#35
• Removed support for HTTP in favor of HTTPS only.
• Renamed structures for clarity (e.g., both auth and proxy use the term provider to mean very different things)
• Refactored package scoped http response structs in favor of anonymous structs.
• Replaced hardcoded integer status codes with their respective http package enums (e.g. http.StatusOK).
• Replaced how Authorization validators, and providers are injected via functions.
• Replaced vendoring to use go mod.
• Replace logrus with a zero allocation logger, zerolog, that does not use interface{} unmarshalling. sso-{auth,proxy}: more verbose logging for debugging  buzzfeed/sso#126
• Options are now set to parse URLs directly as environmental configuration variables instead of as strings.
• Option structures throw errors on first encounter instead of building error string slices which had (at least for me, especially when testing) where struct.New() would create unpredictable struct state and runtime nil pointer errors.
• Add version flag *: add a --version flag buzzfeed/sso#36
• Add debug flag for more verbose and human friendly debugging sso-{auth,proxy}: more verbose logging for debugging  buzzfeed/sso#126
• Combine authenticate and proxy into a single binary *: combine sso-{auth,proxy} into a single binary buzzfeed/sso#85

Authenticate

• Refactored template code to use template package directly instead of as a wrapper (oddly, this differed between auth and proxy).
• Removed code to generate and serve a single static css file, which be served directly as an inline.
• Remove skip provider setting sso-auth/ sso-proxy remove SkipProviderButton field from options  buzzfeed/sso#134
• Removed "groups" from the authentication abstraction in favor of having it handled by authorization package. Though google supports groups, support amongst other identity providers is spottier.
• Document preference for generating random keys from urandom over openssl rand.
• Abstracted out templates, middleware, templates, and sessions into their own internal packages where appropriate.

Authenticate/providers

• Add support for additional identity providers (IdP). sso-auth: add all providers from oauth2_proxy buzzfeed/sso#27
  • Generic OpenID Connect OIDC ID Token, Authorization Headers, Refreshing and Verification bitly/oauth2_proxy#621
  • Google, updated to track google maintained /x/oauth2 Update formatting of Google OAuth2 URLs buzzfeed/sso#131 Outdated Google Endpoints can prevent authentication and token refresh bitly/oauth2_proxy#632
  • Okta sso-auth: support okta as provider  buzzfeed/sso#99 providers: add okta (take two) bitly/oauth2_proxy#528
• Changed authorization to be OpenID based.
• Replaced vanilla http client with /x/oauth2 and oidc libraries for identity calls. The big benefit here is as providers update their endpoint URLs in .wellknown we will update as well.
  • Updated google oauth2 url Update formatting of Google OAuth2 URLs buzzfeed/sso#131. See above.
  • Non standard OpenID connect endpoints like revoke still use vanilla http (see google/okta for examples). Revoke URLs are still populated from .well-known/openid-configuration
• Removed internal_utils. If we are concerned about secrets in logs we should either use a secure hash function, or not log it.
• Broke out "googleClient" to be its own package since there's nothing really google specific about it. Useful for non-oauth2 endpoints like revoke.

Proxy

• Fixed a bug where RequireHTTPS middleware which would cause infinite redirects when served directly where scheme and http-forward-protocol could be empty .
• Removed provider interface. Proxy has a http client to interact with authentication model. Provider interface is unnecessary. sso-proxy: remove provider interface buzzfeed/sso#82
• Replaced duplicate "sessions" package. sso-proxy: use internal/pkg/sessions for session load and save logic buzzfeed/sso#43
• With the removal of HTTP support, HMAC request signing is no longer required (covered by TLS).
  Deployment
• Added script to generate wildcard, TLS certificates from LetsEncrypt. In the future, we may build this functionality in directly.
• Added alpine based docker image. switch to using alpine or a smaller container buzzfeed/sso#20

Session/Cookie

• Added TokenID for OpenID. sso-proxy: support Authorization: Bearer <token> buzzfeed/sso#45
• isExpired func refactored to single boolean check
• Add gzip compression to session (compress then encrypt). sso-proxy: avoid oversized cookies buzzfeed/sso#95
• Removed unused 'addPadding' and 'SecretBytes' functions.
• Use internal sessions package for proxy. sso-proxy: use internal/pkg/sessions for session load and save logic buzzfeed/sso#43

Nota bene, the following significant features were removed:

• Regex proxying
• Group membership validation and caching (to be handled in the authorization model).
• Cleartext HTTP support.