Add check endpoint which can be used with nginx' auth_request function (#266)

* Add check endpoint which can be used with nginx' auth_request function

* feat(cmd): allow configuring redirect domains

* test: add test environment for the nginx_auth PR

This is a full local setup of the nginx_auth PR including HTTPS so that
it's easier to validate in isolation.

This requires an install of k3s (https://k3s.io) with traefik set to
listen on localhost. This will be amended in the future but for now this
works enough to ship it.

Signed-off-by: Xe Iaso <me@xeiaso.net>

* fix(cmd|lib): allow empty redirect domains variable

Signed-off-by: Xe Iaso <me@xeiaso.net>

* fix(test): add space to target variable in anubis container

Signed-off-by: Xe Iaso <me@xeiaso.net>

* docs(admin): rewrite subrequest auth docs, make generic

* docs(install): document REDIRECT_DOMAINS flag

Signed-off-by: Xe Iaso <me@xeiaso.net>

* feat(lib): clamp redirects to the same HTTP host

Only if REDIRECT_DOMAINS is not set.

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
Co-authored-by: Xe Iaso <me@xeiaso.net>

test/k8s/cert-manager/selfsigned-issuer.yaml

@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}

test/k8s/deps/cert-manager.yaml

@@ -0,0 +1,13 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: cert-manager
+  namespace: kube-system
+spec:
+  repo: https://charts.jetstack.io
+  chart: cert-manager
+  targetNamespace: cert-manager
+  createNamespace: true
+  set:
+    installCRDs: "true"
+    "prometheus.enabled": "false"

test/nginx-external-auth/conf.d/default.conf

@@ -0,0 +1,25 @@
+server {
+  listen 80;
+  listen [::]:80;
+  server_name nginx.local.cetacean.club;
+
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+  location /.within.website/ {
+    proxy_pass http://localhost:8923;
+    auth_request off;
+  }
+
+  location @redirectToAnubis {
+    return 307 /.within.website/?redir=$scheme://$host$request_uri;
+    auth_request off;
+  }
+
+  location / {
+    auth_request /.within.website/x/cmd/anubis/api/check;
+    error_page 401 = @redirectToAnubis;
+    root /usr/share/nginx/html;
+    index index.html index.htm;
+  }
+}

test/nginx-external-auth/deployment.yaml

@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-external-auth
+spec:
+  selector:
+    matchLabels:
+      app: nginx-external-auth
+  template:
+    metadata:
+      labels:
+        app: nginx-external-auth
+    spec:
+      volumes:
+      - name: config
+        configMap:
+          name: nginx-cfg
+      containers:
+      - name: www
+        image: nginx:alpine
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+          requests:
+            memory: "128Mi"
+            cpu: "500m"
+        ports:
+        - containerPort: 80
+        volumeMounts:
+        - name: config
+          mountPath: /etc/nginx/conf.d
+          readOnly: true
+      - name: anubis
+        image: ttl.sh/techaro/anubis-external-auth:latest
+        imagePullPolicy: Always
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 250m
+            memory: 128Mi
+        env:
+        - name: TARGET
+          value: " "
+        - name: REDIRECT_DOMAINS
+          value: nginx.local.cetacean.club
+
+

test/nginx-external-auth/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nginx-external-auth
+  labels:
+    name: nginx-external-auth
+  annotations:
+    cert-manager.io/cluster-issuer: "selfsigned"
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - nginx.local.cetacean.club
+    secretName: nginx-local-cetacean-club-public-tls
+  rules:
+  - host: nginx.local.cetacean.club
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: nginx-external-auth
+            port: 
+              name: http

test/nginx-external-auth/kustomization.yaml

@@ -0,0 +1,10 @@
+resources:
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+
+configMapGenerator:
+  - name: nginx-cfg
+    behavior: create
+    files:
+    - ./conf.d/default.conf

test/nginx-external-auth/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-external-auth
+spec:
+  selector:
+    app: nginx-external-auth
+  ports:
+  - name: http
+    protocol: TCP
+    port: 80
+    targetPort: 80
+  type: ClusterIP

test/nginx-external-auth/start.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Build container image
+(
+  cd ../.. \
+  && npm ci \
+  && npm run container -- \
+      --docker-repo ttl.sh/techaro/anubis-external-auth \
+      --docker-tags ttl.sh/techaro/anubis-external-auth:latest
+)
+
+kubectl apply -k .
+echo "open https://nginx.local.cetacean.club, press control c when done"
+
+control_c() {
+  kubectl delete -k .
+  exit
+}
+trap control_c SIGINT
+
+sleep infinity

test/pki/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

test/shared/www/index.html

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Anubis works!</title>
+    <link rel="stylesheet" href="/.within.website/x/xess/xess.css"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+  </head>
+  <body id="top">
+    <main>
+      <h1>Anubis works!</h1>
+
+      <p>If you see this, everything has gone according to keikaku.</p>
+
+      <img height=128 src="/.within.website/x/cmd/anubis/static/img/happy.webp"/>
+    </main>
+  </body>
+</html>