From bc4c2aada16223d4b56efccf9216c353ad323c62 Mon Sep 17 00:00:00 2001
From: JP
Date: Sun, 22 Sep 2024 16:42:10 +0200
Subject: [PATCH] added http skip verify
---
 .env.example                |  1 +
 auth/auth.go                | 29 +++++++++++++++++++++++++++--
 auth/gin_oidc.go            | 12 ++++++------
 handlers/oidc_handler.go    |  3 +++
 routes/routes.go            |  5 +----
 server/main.go              |  3 +--
 views/auth/oidc_login.templ | 33 ++++++++++++++------------------
 7 files changed, 53 insertions(+), 33 deletions(-)
diff --git a/.env.example b/.env.example
index 72da962..f06fcae 100644
--- a/.env.example
+++ b/.env.example
@@ -6,3 +6,4 @@ OIDC_PROVIDER: "https://localhost:9443/application/u/test/"
 OIDC_CLIENT_ID: "SOME_CLIENT_ID"
 OIDC_CLIENT_SECRET: "SOME_CLIENT_SECRET"
 COOKIE_SECRET_KEY: "SOME_COOKIE_SECRET" #openssl rand -base64 32 or head -c 32 /dev/urandom | base64
+OIDC_SKIP_TLS_VERIFY: true
diff --git a/auth/auth.go b/auth/auth.go
index 22a0559..613d6f0 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -2,9 +2,12 @@ package auth
 import (
 	"context"
+	"crypto/tls"
 	"log"
+	"net/http"
 	"soarca-gui/auth/cookies"
 	"soarca-gui/utils"
+	"strconv"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"golang.org/x/oauth2"
@@ -22,7 +25,10 @@ func SetupOIDCAuthHandler() *Authenticator {
 	clientID := utils.GetEnv("OIDC_CLIENT_ID", "")
 	clientSecret := utils.GetEnv("OIDC_CLIENT_SECRET", "")
 	redirectURL := utils.GetEnv("OIDC_REDIRECT_URL", "")
+	skipTLSVerify := utils.GetEnv("OIDC_SKIP_TLS_VERIFY", "false")
 	cookieJarSecret := utils.GetEnv("COOKIE_SECRET_KEY", "")
+
+	// Environment variable checks
 	if providerLink == "" {
 		log.Fatal("invalid provider link for the env: OIDC_PROVIDER")
 	}
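Review bot: The example sets `OIDC_SKIP_TLS_VERIFY: true`, so anyone who copies this file into `.env` (which `server/main.go` now loads) starts with certificate verification of the OIDC provider switched off. An example file should show the safe default and explain the knob, in the same style as the `COOKIE_SECRET_KEY` line: `OIDC_SKIP_TLS_VERIFY: false #only for local development against a self-signed provider, never in production`. The `https://localhost:9443` provider URL above it is the one situation where `true` is plausible, and the comment can say so.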
@@ -36,10 +42,28 @@ func SetupOIDCAuthHandler() *Authenticator {
 		log.Fatal("invalid redirect URL for the env: OIDC_REDIRECT_URL")
 	}
 	if cookieJarSecret == "" || len(cookieJarSecret) < 32 {
-		log.Fatal("invalid cookie secret key for the env: COOKIE_SECRET_KEY. Note: should be at least 32 characters")
+		log.Fatal("invalid cookie secret key for the env: COOKIE_SECRET_KEY. Note: should be at least 33 characters")
+	}
+
+	skipTLS, err := strconv.ParseBool(skipTLSVerify)
+	if err != nil {
+		log.Printf("Invalid SKIP_TLS_VERIFY value. Defaulting to false. Error: %v", err)
+		skipTLS = false
 	}
-	ctx := context.Background()
+	var client *http.Client
+	if skipTLS {
+		tr := &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+		client = &http.Client{Transport: tr}
+		log.Println("Warning: TLS verification is disabled. This should not be used in production.")
+	} else {
+		client = http.DefaultClient
+	}
+
+	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, client)
+
 	provider, err := oidc.NewProvider(ctx, providerLink)
 	if err != nil {
 		log.Fatal(err)
@@ -58,6 +82,7 @@ func SetupOIDCAuthHandler() *Authenticator {
 	}
 	cookieJar := cookies.NewCookieJar([]byte(cookieJarSecret))
+
 	return NewAuthenticator(cookieJar, oidcConfig, oauthConfig, provider)
 }
diff --git a/auth/gin_oidc.go b/auth/gin_oidc.go
index f92d5d0..8a15f2b 100644
--- a/auth/gin_oidc.go
+++ b/auth/gin_oidc.go
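Review bot: The cookie-secret message now says "at least 33 characters" while the guard on the line above still rejects only `len(cookieJarSecret) < 32`, so a 32-character secret passes the check but the message tells the operator it would not; keep the two in agreement, e.g. restore `... Note: should be at least 32 characters`. The parse-failure log names `SKIP_TLS_VERIFY`, but the variable read in the earlier hunk is `OIDC_SKIP_TLS_VERIFY`; change it to `log.Printf("Invalid OIDC_SKIP_TLS_VERIFY value. Defaulting to false. Error: %v", err)` so the misconfigured setting can be found. The skip-verify client only reaches code that receives this `ctx`: `oidc.NewProvider` uses it for discovery, but the token exchange in the callback handler is outside this diff, and if it is given the request context instead it still verifies the certificate and will fail against the same self-signed provider — confirm the same client is propagated there. For a development provider with a self-signed certificate, a `tls.Config{RootCAs: pool}` built from the provider's CA file gives the same convenience without disabling verification, leaving `InsecureSkipVerify` as a last resort behind the existing warning. `SetupOIDCAuthHandler` begins before this hunk and its middle part lies between the two hunks.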
@@ -14,19 +14,19 @@ const (
 	CALLBACK_NONCE = "soarca_gui_nonce"
 )
-func (auth *Authenticator) redirectToOIDCLogin(ctx *gin.Context) {
+func (auth *Authenticator) RedirectToOIDCLogin(context *gin.Context) {
 	state, err := randString(32)
 	if err != nil {
-		api.JSONErrorStatus(ctx, http.StatusInsufficientStorage, errors.New("failed to generate state"))
+		api.JSONErrorStatus(context, http.StatusInsufficientStorage, errors.New("failed to generate state"))
 		return
 	}
 	nonce, err := randString(32)
 	if err != nil {
-		api.JSONErrorStatus(ctx, http.StatusInsufficientStorage, errors.New("failed to generate nonce"))
+		api.JSONErrorStatus(context, http.StatusInsufficientStorage, errors.New("failed to generate nonce"))
 		return
 	}
-	auth.Cookiejar.SetCallBackCookie(ctx, CALLBACK_STATE, state)
-	auth.Cookiejar.SetCallBackCookie(ctx, CALLBACK_NONCE, nonce)
+	auth.Cookiejar.SetCallBackCookie(context, CALLBACK_STATE, state)
+	auth.Cookiejar.SetCallBackCookie(context, CALLBACK_NONCE, nonce)
-	ctx.Redirect(http.StatusFound, auth.OauthConfig.AuthCodeURL(state, oidc.Nonce(nonce)))
+	context.Redirect(http.StatusFound, auth.OauthConfig.AuthCodeURL(state, oidc.Nonce(nonce)))
 }
diff --git a/handlers/oidc_handler.go b/handlers/oidc_handler.go
index d76179e..b1d8ad1 100644
--- a/handlers/oidc_handler.go
+++ b/handlers/oidc_handler.go
@@ -19,9 +19,12 @@ func NewOIDCAuthHanlder(authenticator *auth.Authenticator) *OIDCAuthHandler {
 }
 func (a *OIDCAuthHandler) OIDCAuthPageHandler(context *gin.Context) {
+	// context.Header("HX-Redirect", "/dashboard")
+	// context.String(http.StatusFound, "")
 	render := utils.NewTempl(context, http.StatusOK, authviews.OIDCLoginIndex())
 	context.Render(http.StatusOK, render)
 }
 func (a *OIDCAuthHandler) OIDCLoginHandler(context *gin.Context) {
+	a.authenticator.RedirectToOIDCLogin(context)
 }
diff --git a/routes/routes.go b/routes/routes.go
index 7b6158e..e3f1d76 100644
--- a/routes/routes.go
+++ b/routes/routes.go
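Review bot: Renaming the parameter from `ctx` to `context` shadows the standard `context` package for the whole body of `RedirectToOIDCLogin` (the file's imports are outside the hunk, so whether it uses that package cannot be seen here) and departs from the short names Go code conventionally uses for a `*gin.Context`; `c *gin.Context`, or simply the original `ctx`, avoids both problems. The method is now exported and has no doc comment; add `// RedirectToOIDCLogin stores fresh state and nonce callback cookies and redirects the client to the provider's authorization URL.` above the signature. The `http.StatusInsufficientStorage` responses on the random-string failures predate this change and are not re-raised here.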
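Review bot: `OIDCAuthPageHandler` gains two commented-out statements (`// context.Header("HX-Redirect", "/dashboard")` and `// context.String(http.StatusFound, "")`) that never execute; code kept in comments tends to be revived without review, so either delete them or replace them with a one-line note on the intended behaviour. `OIDCLoginHandler` now delegates entirely to `a.authenticator.RedirectToOIDCLogin(context)`, and neither exported handler has a doc comment; `// OIDCLoginHandler starts the OIDC authorization-code flow by redirecting the browser to the provider.` would make their roles clear to readers of the routes file.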
@@ -1,7 +1,6 @@
 package routes
 import (
-	"fmt"
 	"log"
 	"net/http"
 	"soarca-gui/auth"
@@ -26,7 +25,6 @@ func Setup(app *gin.Engine) {
 	authEnabledStr := utils.GetEnv("AUTH_ENABLED", "false")
 	authEnabled, err := strconv.ParseBool(authEnabledStr)
 	publicRoutes := app.Group("/")
-	fmt.Println(authEnabled)
 	if err != nil {
 		log.Fatal("AUTH_ENABLED flag could not be parsed properly should be 'true' | 'false'")
 	}
@@ -36,7 +34,6 @@ func Setup(app *gin.Engine) {
 		PublicRoutes(publicRoutes)
 	}
 	ReportingRoutes(reporter, publicRoutes)
-	// PublicRoutes(publicRoutes)
 	StatusRoutes(status, publicRoutes)
 	SettingsRoutes(publicRoutes)
 }
@@ -47,7 +44,7 @@ func PublicOIDCRoutes(app *gin.RouterGroup) {
 	publicRoute := app.Group("/")
 	{
 		publicRoute.GET("/", authHandler.OIDCAuthPageHandler)
-		publicRoute.POST("/login-redirect", authHandler.OIDCLoginHandler)
+		publicRoute.GET("/oidc-login", authHandler.OIDCLoginHandler)
 		publicRoute.GET("/dashboard", handlers.HomeDashboard)
 	}
diff --git a/server/main.go b/server/main.go
index 5a1c715..7048af8 100644
--- a/server/main.go
+++ b/server/main.go
@@ -20,9 +20,8 @@ var (
 func main() {
 	fmt.Println("Version: ", Version)
 	fmt.Println("Buildtime ", Buildtime)
-	// errenv := godotenv.Load(".env")
+	errenv := godotenv.Load(".env")
-	errenv := godotenv.Load(".env.example")
 	if errenv != nil {
 		fmt.Println("Failed to read env variable, but will continue")
 	}
diff --git a/views/auth/oidc_login.templ b/views/auth/oidc_login.templ
index a1252aa..5a13b8f 100644
--- a/views/auth/oidc_login.templ
+++ b/views/auth/oidc_login.templ
@@ -27,14 +27,7 @@ templ OIDCLoginBaseLayout() {
-
- -
+
-
+
+
+ +
+
}