Merge branch 'develop' into feature/cleanup-update

Author: briskt

.dockerignore

@@ -3,7 +3,7 @@
 
 # Whitelist required files
 !.env.encrypted
-!codeship/*
+!scripts/*
 !lambda/*
 !server/*
 !u2fsimulator/*

.github/CODEOWNERS

@@ -0,0 +1,4 @@
+* @silinternational/developers
+*.tf @silinternational/tf-devs
+*.go @silinternational/go-devs
+go.* @silinternational/go-devs

.github/workflows/test-deploy-publish.yml

@@ -0,0 +1,119 @@
+name: Test, Deploy, Publish
+
+on:
+  push:
+    branches: [ '**' ]
+    tags: [ 'v*' ]
+    paths-ignore:
+    - 'terraform/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  tests:
+    name: Tests
+    runs-on: ubuntu-latest
+    env:
+      AWS_REGION: ${{ vars.AWS_REGION }}
+      STG_AWS_ACCESS_KEY_ID: ${{ vars.STG_AWS_ACCESS_KEY_ID }}
+      STG_AWS_SECRET_ACCESS_KEY: ${{ secrets.STG_AWS_SECRET_ACCESS_KEY }}
+      PRD_AWS_ACCESS_KEY_ID: ${{ vars.PRD_AWS_ACCESS_KEY_ID }}
+      PRD_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRD_AWS_SECRET_ACCESS_KEY }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Test
+        run: docker compose -f actions-services.yml run --rm test ./scripts/test.sh
+
+  lint:
+    name: Lint and Vulnerability Scan
+    runs-on: ubuntu-latest
+    timeout-minutes: ${{ fromJSON(vars.DEFAULT_JOB_TIMEOUT_MINUTES) }}
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v5
+      with:
+        go-version-file: 'go.mod'
+        check-latest: true
+    - name: golangci-lint
+      uses: golangci/golangci-lint-action@v6
+      with:
+        version: latest
+    - name: govulncheck
+      run: |
+        go install golang.org/x/vuln/cmd/govulncheck@latest
+        govulncheck ./...
+
+  deploy:
+    name: Deploy to AWS Lambda
+    needs: [ 'tests', 'lint' ]
+    if: github.ref_name == 'main' || github.ref_name == 'develop'
+    runs-on: ubuntu-latest
+    concurrency: 
+      group: deploy-${{ github.ref }}-${{ matrix.region }}
+      cancel-in-progress: false
+    strategy:
+      matrix:
+        region: [ us-east-1, us-west-2 ]
+    env:
+      AWS_REGION: ${{ vars.AWS_REGION }}
+      STG_AWS_ACCESS_KEY_ID: ${{ vars.STG_AWS_ACCESS_KEY_ID }}
+      STG_AWS_SECRET_ACCESS_KEY: ${{ secrets.STG_AWS_SECRET_ACCESS_KEY }}
+      STG_LAMBDA_ROLE: ${{ vars.STG_LAMBDA_ROLE }}
+      STG_API_KEY_TABLE: ${{ vars.STG_API_KEY_TABLE }}
+      STG_WEBAUTHN_TABLE: ${{ vars.STG_WEBAUTHN_TABLE }}
+      PRD_AWS_ACCESS_KEY_ID: ${{ vars.PRD_AWS_ACCESS_KEY_ID }}
+      PRD_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRD_AWS_SECRET_ACCESS_KEY }}
+      PRD_LAMBDA_ROLE: ${{ vars.PRD_LAMBDA_ROLE }}
+      PRD_API_KEY_TABLE: ${{ vars.PRD_API_KEY_TABLE }}
+      PRD_WEBAUTHN_TABLE: ${{ vars.PRD_WEBAUTHN_TABLE }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Deploy
+        run: docker compose -f actions-services.yml run --rm app ./scripts/deploy.sh ${{ matrix.region }}
+
+  build-and-publish:
+    name: Build and Publish
+    needs: [ 'tests', 'lint' ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4        
+       
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor}}
+          password: ${{ secrets.GITHUB_TOKEN}}
+  
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ vars.IMAGE_NAME }}
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major.minor}}
+            type=semver,pattern={{major}}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -8,10 +8,8 @@ bootstrap
 dockercfg
 
 # credentials and other env files
-aws.env
 *.aes
-local.env
-.env
+*.env
 .cert/
 
 # dev tools metadata

.golangci.yaml

@@ -0,0 +1,19 @@
+run:
+    timeout: 2m
+linters:
+    disable-all: true
+    enable:
+#    - errcheck
+#    - gosimple
+#    - govet
+#    - ineffassign
+#    - staticcheck
+#    - unused
+    - bodyclose
+    - gocheckcompilerdirectives
+    - godox
+#    - gofmt
+#    - goimports
+#    - gosec
+#    - whitespace
+#    - usestdlibvars

Dockerfile

@@ -1,16 +1,17 @@
-FROM golang:1.22
+FROM golang:1.23
 
-RUN curl -o- -L https://slss.io/install | VERSION=3.38.0 bash && \
+RUN curl -o- -L --proto "=https" https://slss.io/install | VERSION=3.38.0 bash && \
   mv $HOME/.serverless/bin/serverless /usr/local/bin && \
   ln -s /usr/local/bin/serverless /usr/local/bin/sls
 
 WORKDIR /src
 
-RUN curl -sSfL https://raw.githubusercontent.com/cosmtrek/air/master/install.sh | sh -s -- -b $(go env GOPATH)/bin
+RUN curl -sSfL --proto "=https" https://raw.githubusercontent.com/cosmtrek/air/master/install.sh | \
+    sh -s -- -b $(go env GOPATH)/bin
 
 COPY ./ .
 RUN go get ./...
 
 EXPOSE 8080
 
-CMD ["air"]
+CMD ["air"]

Makefile

@@ -2,21 +2,21 @@ demo: proxy ui app dbinit
 	./local_data.sh
 
 proxy:
-	docker-compose up -d proxy
+	docker compose up -d proxy
 
 ui:
-	docker-compose up -d ui
+	docker compose up -d ui
 
 app:
-	docker-compose kill app
-	docker-compose rm -f app
-	docker-compose up -d app
+	docker compose kill app
+	docker compose rm -f app
+	docker compose up -d app
 
 test: clean dbinit
-	docker-compose run --rm app go test ./...
+	docker compose run --rm app go test ./...
 
 db:
-	docker-compose up -d dynamo
+	docker compose up -d dynamo
 
 dbinit: db wait createwebauthntable createapikeytable
 
@@ -55,5 +55,5 @@ showwebauth:
 		--region localhost
 
 clean:
-	docker-compose kill
-	docker-compose rm -f
+	docker compose kill
+	docker compose rm -f

README.md

@@ -20,8 +20,8 @@ to the WebAuthn library and fit the structures it was expecting without causing
 ### Required Headers
 1. `x-mfa-apikey` - The API Key
 2. `x-mfa-apisecret` - The API Key Secret
-3. `x-mfa-RPDisplayName` - The Relay Party Display Name, ex: `ACME Inc.`
-4. `x-mfa-RPID` - The Relay Party ID, ex: `domain.com` (should only be the top level domain, no subdomain, protocol, 
+3. `x-mfa-RPDisplayName` - The Relying Party Display Name, ex: `ACME Inc.`
+4. `x-mfa-RPID` - The Relying Party ID, ex: `domain.com` (should only be the top level domain, no subdomain, protocol, 
 or path)
 5. `x-mfa-RPOrigin` - The browser Origin for the request, ex: `https://sub.domain.com` (include appropriate subdomain 
 and protocol, no path or port)
@@ -30,6 +30,11 @@ to do with WebAuthn, but is the primary key for finding the right records in Dyn
 7. `x-mfa-Username` - The user's username of your service
 8. `x-mfa-UserDisplayName` - The user's display name
 
+### Optional headers
+
+1. `x-mfa-Usericon` - 
+2. `x-mfa-Rpicon` -
+
 ### Begin Registration
 `POST /webauthn/register`
 

actions-services.yml

@@ -0,0 +1,41 @@
+services:
+  test:
+    build: .
+    environment:
+      AWS_ENDPOINT: http://dynamo:8000
+      API_KEY_TABLE: ApiKey
+      WEBAUTHN_TABLE: WebAuthn
+      LAMBDA_ROLE: placeholder
+      AWS_REGION: localhost
+      GITHUB_REF_NAME: $GITHUB_REF_NAME
+      STG_AWS_ACCESS_KEY_ID: $STG_AWS_ACCESS_KEY_ID
+      STG_AWS_SECRET_ACCESS_KEY: $STG_AWS_SECRET_ACCESS_KEY
+      PRD_AWS_ACCESS_KEY_ID: $PRD_AWS_ACCESS_KEY_ID
+      PRD_AWS_SECRET_ACCESS_KEY: $PRD_AWS_SECRET_ACCESS_KEY
+    depends_on:
+      - dynamo
+
+  app:
+    build: .
+    working_dir: /src
+    environment:
+      AWS_REGION: $AWS_REGION
+      GITHUB_REF_NAME: $GITHUB_REF_NAME
+      STG_AWS_ACCESS_KEY_ID: $STG_AWS_ACCESS_KEY_ID
+      STG_AWS_SECRET_ACCESS_KEY: $STG_AWS_SECRET_ACCESS_KEY
+      STG_LAMBDA_ROLE: $STG_LAMBDA_ROLE
+      STG_API_KEY_TABLE: $STG_API_KEY_TABLE
+      STG_WEBAUTHN_TABLE: $STG_WEBAUTHN_TABLE
+      PRD_AWS_ACCESS_KEY_ID: $PRD_AWS_ACCESS_KEY_ID
+      PRD_AWS_SECRET_ACCESS_KEY: $PRD_AWS_SECRET_ACCESS_KEY
+      PRD_LAMBDA_ROLE: $PRD_LAMBDA_ROLE
+      PRD_API_KEY_TABLE: $PRD_API_KEY_TABLE
+      PRD_WEBAUTHN_TABLE: $PRD_WEBAUTHN_TABLE
+
+  dynamo:
+    image: amazon/dynamodb-local
+    environment:
+      AWS_ACCESS_KEY_ID: abc123
+      AWS_SECRET_ACCESS_KEY: abc123
+      AWS_DEFAULT_REGION: us-east-1
+    command: "-jar DynamoDBLocal.jar -sharedDb"

apikey.go

@@ -17,13 +17,13 @@ import (
 const ApiKeyTablePK = "value"
 
 type ApiKey struct {
-	Key          string   `json:"value"`
-	Secret       string   `json:"-"`
-	HashedSecret string   `json:"hashedApiSecret"`
-	Email        string   `json:"email"`
-	CreatedAt    int      `json:"createdAt"`
-	ActivatedAt  int      `json:"activatedAt"`
-	Store        *Storage `json:"-"`
+	Key          string   `dynamodbav:"value" json:"value"`
+	Secret       string   `dynamodbav:"-" json:"-"`
+	HashedSecret string   `dynamodbav:"hashedApiSecret" json:"hashedApiSecret"`
+	Email        string   `dynamodbav:"email" json:"email"`
+	CreatedAt    int      `dynamodbav:"createdAt" json:"createdAt"`
+	ActivatedAt  int      `dynamodbav:"activatedAt" json:"activatedAt"`
+	Store        *Storage `dynamodbav:"-" json:"-"`
 }
 
 func (k *ApiKey) Load() error {