From 76c26804f87e6fbdfa3d5ace8783c9322061e941 Mon Sep 17 00:00:00 2001 From: Vic Luo Date: Fri, 2 Mar 2018 23:19:05 +0800 Subject: [PATCH 1/3] json-api: remove TLS/HTTP basic auth support They should be implemented in Caddy --- config.example.yaml | 4 ---- config/config.go | 8 -------- main.go | 33 +-------------------------------- 3 files changed, 1 insertion(+), 44 deletions(-) diff --git a/config.example.yaml b/config.example.yaml index b0642f3..d53db10 100644 --- a/config.example.yaml +++ b/config.example.yaml @@ -11,10 +11,6 @@ exporter_address: :8081 # Address where JSON API will be served json_api: address: :7001 - # certfile: "/foobar/tls.cer" - # keyfile: "/foobar/foobar.com.key" - # username: "example" - # password: "example" repos: - type: rsync diff --git a/config/config.go b/config/config.go index 1b48344..af743f8 100644 --- a/config/config.go +++ b/config/config.go @@ -15,14 +15,6 @@ type RepoConfig map[string]string type JsonAPIConfig struct { // The address that lug listens for JSON API Address string - // HTTP basic auth username - Username string - // HTTP basic auth password - Password string - // Https certfile - CertFile string - // Https keyfile - KeyFile string } type LogStashConfig struct { diff --git a/main.go b/main.go index 57f8d81..44a17b8 100644 --- a/main.go +++ b/main.go @@ -7,7 +7,6 @@ import ( "github.com/cheshir/logrustash" "github.com/davecgh/go-spew/spew" - "github.com/goji/httpauth" log "github.com/sirupsen/logrus" "github.com/sjtug/lug/config" "github.com/sjtug/lug/exporter" @@ -31,10 +30,6 @@ type CommandFlags struct { license bool jsonAPIAddr string exporterAddr string - certFile string - keyFile string - apiUser string - apiPassword string } // parse command line options and return CommandFlags 
@@ -45,10 +40,6 @@ func getFlags() (flags CommandFlags) { flag.BoolVarP(&flags.version, "version", "v", false, "Prints version of lug") flag.StringVarP(&flags.jsonAPIAddr, "jsonapi", "j", "", "JSON API Address") flag.StringVarP(&flags.exporterAddr, "exporter", "e", "", "Exporter Address") - flag.StringVar(&flags.certFile, "cert", "", "HTTPS Cert file of JSON API") - flag.StringVar(&flags.keyFile, "key", "", "HTTPS Key file of JSON API") - flag.StringVarP(&flags.apiUser, "api-user", "u", "", "User for authentication of JSON API") - flag.StringVarP(&flags.apiPassword, "api-password", "p", "", "Password for authentication of JSON API") flag.Parse() return } @@ -76,10 +67,6 @@ func init() { cfgViper := config.CfgViper cfgViper.BindPFlag("json_api.address", flag.Lookup("jsonapi")) - cfgViper.BindPFlag("json_api.certfile", flag.Lookup("cert")) - cfgViper.BindPFlag("json_api.keyfile", flag.Lookup("key")) - cfgViper.BindPFlag("json_api.username", flag.Lookup("api-user")) - cfgViper.BindPFlag("json_api.password", flag.Lookup("api-password")) cfgViper.BindPFlag("exporter_address", flag.Lookup("exporter")) if flags.version { 
@@ -117,25 +104,7 @@ func main() { } jsonapi := manager.NewRestfulAPI(m) handler := jsonapi.GetAPIHandler() - if cfg.JsonAPIConfig.Username != "" && cfg.JsonAPIConfig.Password != "" { - auth := httpauth.BasicAuth(httpauth.AuthOptions{ - Realm: "Require authentication", - User: cfg.JsonAPIConfig.Username, - Password: cfg.JsonAPIConfig.Password, - }) - handler = auth(handler) - } - if cfg.JsonAPIConfig.KeyFile == "" || cfg.JsonAPIConfig.CertFile == "" { - if cfg.JsonAPIConfig.Username != "" && cfg.JsonAPIConfig.Password != "" { - log.Warn("JSON API with HTTP auth without TLS/SSL is vulnerable") - } - log.Infof("Http JSON API listening on %s", cfg.JsonAPIConfig.Address) - go http.ListenAndServe(cfg.JsonAPIConfig.Address, handler) - } else { - log.Infof("Https JSON API listening on %s with certfile %s and keyfile %s", cfg.JsonAPIConfig.Address, - cfg.JsonAPIConfig.CertFile, cfg.JsonAPIConfig.KeyFile) - go http.ListenAndServeTLS(cfg.JsonAPIConfig.Address, cfg.JsonAPIConfig.CertFile, cfg.JsonAPIConfig.KeyFile, handler) - } + go http.ListenAndServe(cfg.JsonAPIConfig.Address, handler) go exporter.Expose(cfg.ExporterAddr) m.Run() From 10231357daf1947d4e591a738dbe132b46a686a0 Mon Sep 17 00:00:00 2001 From: Vic Luo Date: Fri, 2 Mar 2018 23:25:25 +0800 Subject: [PATCH 2/3] move admin API into separate base /lug/v1/manager/start -> /lug/v1/admin/manager/start /lug/v1/manager/stop -> /lug/v1/admin/manager/stop DELETE /lug/v1/manager -> DELETE /lug/v1/admin/manager --- manager/json_rest.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manager/json_rest.go b/manager/json_rest.go index cfbe195..bb25d29 100644 --- a/manager/json_rest.go +++ b/manager/json_rest.go 
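Review bot: The new `go http.ListenAndServe(cfg.JsonAPIConfig.Address, handler)` discards the server's error, so a bind failure (address already in use, malformed address) leaves the process running with no API and no message; prefer `go func() { log.Fatal(http.ListenAndServe(cfg.JsonAPIConfig.Address, handler)) }()` so the failure is surfaced. With TLS and basic auth removed, this listener now serves the mutating manager endpoints in the clear and unauthenticated, and the only gate left is the reverse proxy; the shipped example config still uses `address: :7001`, which binds all interfaces, while the Caddyfile in this series proxies to `127.0.0.1:7001`. Consider changing the example to `address: 127.0.0.1:7001` and logging a warning when the host part of the configured address is not loopback, plus a comment above the line: `// No auth or TLS here: the JSON API must only be reachable through the authenticating reverse proxy.` `main` starts and ends outside the hunk.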
@@ -26,9 +26,9 @@ func (r *RestfulAPI) GetAPIHandler() http.Handler { router, err := rest.MakeRouter( rest.Get("/lug/v1/manager", r.getManagerStatusDetail), rest.Get("/lug/v1/manager/summary", r.getManagerStatusSummary), - rest.Post("/lug/v1/manager/start", r.startManager), - rest.Post("/lug/v1/manager/stop", r.stopManager), - rest.Delete("/lug/v1/manager", r.exitManager), + rest.Post("/lug/v1/admin/manager/start", r.startManager), + rest.Post("/lug/v1/admin/manager/stop", r.stopManager), + rest.Delete("/lug/v1/admin/manager", r.exitManager), ) if err != nil { log.Fatal(err) From 94bc2ac5c5219f88742b33eb3664e696637099f9 Mon Sep 17 00:00:00 2001 From: Vic Luo Date: Sat, 3 Mar 2018 00:07:41 +0800 Subject: [PATCH 3/3] Caddyfile.template: add auth This commit adds auth section in Caddyfile.template. The example configuration uses Github OAuth to allow a specific user to call privileged APIs. --- Caddyfile.template | 41 +++++++++++++++++++++++++++++++++-------- 1 file changed, 33 insertions(+), 8 deletions(-) diff --git a/Caddyfile.template b/Caddyfile.template index 205afcb..a0b092a 100644 --- a/Caddyfile.template +++ b/Caddyfile.template @@ -5,6 +5,23 @@ {{/* input data source should be named as "cfg": -d cfg=config.yaml */}} {{ $cfg := (ds "cfg") }} +{{/* address of lug backend */}} +{{ $lug_addr := "127.0.0.1:7001" }} + +{{/* configure methods to protect your admin API */}} +{{ define "login_config" }} + {{/* by default this uses Github OAuth, change it to your needs! */}} + {{/* the sample OAuth application only allows redirection to 127.0.0.1:2015, so register your own OAuth App! */}} + github client_id=d8d4b5b349b0172af159,client_secret=aa4a70fe46d309220fefce5a567a0a884dea715b + jwt_expiry 24h + cookie_expiry 2400h +{{ end }} + +{{ define "jwt_config" }} + {{/* only allow username=htfy96 */}} + allow sub htfy96 +{{ end }} + {{define "serve_local_common_config"}} log stdout ratelimit / 32 32 second 
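Review bot: The renamed routes carry no authorization check of their own; `startManager`, `stopManager` and `exitManager` stay reachable by anyone who can reach the listener, and the `/lug/v1/admin` prefix is a security boundary only if the reverse proxy gates exactly that prefix. Add a comment above the `rest.Post` lines so the convention survives future additions: `// Privileged endpoints live under /lug/v1/admin; the reverse proxy (Caddyfile.template) gates this prefix, so any new mutating route must be registered here.` The path change also breaks existing callers of `/lug/v1/manager/start` and `/lug/v1/manager/stop`, which will no longer resolve; the commit message lists the mapping, but a line in the README or changelog would help operators. `GetAPIHandler` starts and ends outside the hunk.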
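Review bot: The `github client_id=...,client_secret=...` line in `login_config` commits a literal OAuth client secret to the repository; a client secret that has been in version control should be treated as compromised, and even a "sample" app lets anyone holding it pose as that app in the OAuth exchange. Rotate the secret in the GitHub app settings and source it from outside the template, e.g. `client_secret={{ getenv "LUG_GITHUB_CLIENT_SECRET" }}` (gomplate, constructed name) or a field of `$cfg` next to the existing data source, leaving only a placeholder in the committed file. `cookie_expiry 2400h` keeps an admin session valid for 100 days, which is long for a login that can stop or exit the manager; a much shorter value is the safer default. The `allow sub htfy96` line hardcodes a personal username every deployer must edit; parameterizing it via `$cfg` would be cleaner than relying on the adjacent template comment.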
@@ -27,6 +44,22 @@ # Exposed at :9180 / { prometheus + + # API + proxy /lug/ {{$lug_addr}} { + {{ template "reverse_proxy_common_proxy_config" }} + } + + jwt { + path /lug/v1/admin + {{ template "jwt_config" }} + } + + login { + {{ template "login_config" }} + } + ratelimit / 4 8 second + gzip } {{ range $name, $worker := $cfg.repos }} @@ -49,11 +82,3 @@ {{ end }} {{/* if $worker */}} {{ end }} {{/* range */}} -# API -/lug { - proxy / lug:7001 { - {{ template "reverse_proxy_common_proxy_config" }} - } - ratelimit / 4 8 second - gzip -}
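Review bot: The `jwt { path /lug/v1/admin }` block is the only thing between the public site and the privileged endpoints behind `proxy /lug/ {{$lug_addr}}`, so the arrangement holds only while the backend at `$lug_addr` is unreachable by any other route and every privileged path stays under that prefix. Add a template comment above the `proxy` line making that contract explicit: `{{/* lug's JSON API has no auth of its own; everything under /lug/v1/admin is gated by the jwt block below, so the backend must listen on loopback only */}}`. Whether `path` is a prefix or exact match depends on the jwt plugin's semantics and is worth confirming, since `/lug/v1/admin/manager/start` must be covered. `ratelimit / 4 8 second` now applies to the whole `/` site, including the prometheus endpoint, where it previously applied only to the removed `/lug` block; if that is unintended, scope it to `/lug/`.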