Update docs and configs for oauth2_proxy, 18f.gov

deploy/README.md

@@ -2,7 +2,7 @@
 
 ### Set up SSH
 
-Ask Mike Bland or Eric Mill to help add your public key (typically `$HOME/.ssh/id_rsa.pub`) to `$HOME/.ssh/authorized_keys` on `hub.18f.us` and `18f.gsa.gov`. Then make sure your `$HOME/.ssh/config` file on your machine contains the following entries:
+Ask Mike Bland or Eric Mill to help add your public key (typically `$HOME/.ssh/id_rsa.pub`) to `$HOME/.ssh/authorized_keys` on `hub.18f.gov` and `18f.gsa.gov`. Then make sure your `$HOME/.ssh/config` file on your machine contains the following entries:
 
 ```
 Host 18f-site
@@ -12,7 +12,7 @@ Host 18f-site
    IdentitiesOnly yes
 
 Host 18f-hub
-   Hostname hub.18f.us
+   Hostname hub.18f.gov
    User ubuntu
    IdentityFile [$HOME]/.ssh/id_rsa
    IdentitiesOnly yes
@@ -22,19 +22,19 @@ This configuration allows you to log into each machine as the appropriate user b
 
 ### DEPRECATED: `publish.sh` and `publish-prod.sh`
 
-Not much to see here; after regenerating the site with Jekyll, [publish.sh](publish.sh) just `rsync`s it to `hub.18f.us`. [publish-prod.sh](publish-prod.sh) does the same thing for the Public Hub.
+Not much to see here; after regenerating the site with Jekyll, [publish.sh](publish.sh) just `rsync`s it to `hub.18f.gov`. [publish-prod.sh](publish-prod.sh) does the same thing for the Public Hub.
 
 Now that automated deployments are underway (see below), these scripts are deprecated. They remain as examples for those wishing to deploy their own Hub instances quickly.
 
 ### AWS
 
-https://hub.18f.us/ is running as an AWS EC2 instance named `18f-hub` based on 18F's `m3.medium` image. The AWS Elastic IP of the instance is assigned to the `hub.18f.us` subdomain via the AWS Route 53 panel. The associated AWS Security Group restricts access to the SSH, HTTP, and HTTPS ports (22, 80, and 443), but those ports are reachable from any source IP address.
+https://hub.18f.gov/ is running as an AWS EC2 instance named `18f-hub` based on 18F's `m3.medium` image. The AWS Elastic IP of the instance is assigned to the `hub.18f.gov` subdomain via the AWS Route 53 panel. The associated AWS Security Group restricts access to the SSH, HTTP, and HTTPS ports (22, 80, and 443), but those ports are reachable from any source IP address.
 
 The Public Hub is served directly from https://18f.gsa.gov/.
 
 ### Nginx
 
-For the internal Hub, [/etc/nginx/nginx.conf](etc/nginx/nginx.conf) is the stock 18F nginx config that comes with the image, modified to include the Hub-specific config, [/etc/nginx/vhosts/hub.conf](etc/nginx/vhosts/hub.conf), further described in the Google Auth Proxy section below:
+For the internal Hub, [/etc/nginx/nginx.conf](etc/nginx/nginx.conf) is the stock 18F nginx config that comes with the image, modified to include the Hub-specific config, [/etc/nginx/vhosts/hub.conf](etc/nginx/vhosts/hub.conf), further described in the OAuth2 Proxy section below:
 
 ```
   ##
@@ -53,36 +53,40 @@ For the internal hub, [/etc/nginx/vhosts/hub.conf](etc/nginx/vhosts/hub.conf) is
 
 The public Hub is served by the same web server as https://18f.gsa.gov and doesn't require its own configuration.
 
-### Google Auth Proxy
+### OAuth2 Proxy
 
 _This pertains to the internal Hub only._
 
-The [etc](etc) and [usr](usr) subdirectory trees contain the files needed to configure Nginx and the [Google Auth Proxy](https://github.com/bitly/google_auth_proxy) in concert to ensure only 18F team members can access the Hub. The current version of `google_auth_proxy` running on `hub.18f.us` is 1.0; the latest version can be downloaded from: https://github.com/bitly/google_auth_proxy/releases and unpacked on the Hub machine as `/usr/local/18f/bin/google_auth_proxy`.
+The [etc](etc) and [usr](usr) subdirectory trees contain the files needed to configure Nginx and the [OAuth2 Proxy](https://github.com/bitly/oauth2_proxy) in concert to ensure only 18F team members can access the Hub. The current version of `oauth2_proxy` running on `hub.18f.gov` was built at commit a80aad04f7bbe821bca9ea9659fef04c869ac970. The latest packaged version can be downloaded from: https://github.com/bitly/oauth2_proxy/releases and unpacked on the Hub machine as `/usr/local/18f/bin/oauth2_proxy`.
 
-* [/etc/init.d/google_auth_proxy](etc/init.d/google_auth_proxy): Enables the `google_auth_proxy` service to be started and stopped like any other standard service, via `sudo service google_auth_proxy [start|stop|restart]`.
+* [/etc/init.d/oauth2_proxy](etc/init.d/oauth2_proxy): Enables the `oauth2_proxy` service to be started and stopped like any other standard service, via `sudo service oauth2_proxy [start|stop|restart]`.
 
-* [/etc/nginx/vhosts/hub.conf](etc/nginx/vhosts/hub.conf): All `http://` requests are permanently redirected (301) to the `https://` equivalent by the first `server` block. The second `server` block, listening for `https://` requests, is configured to forward all requests (except for the logo used for the Google OAuth consent screen) to the `google_auth_proxy` service. The content of the site is ultimately served by the final `server` block, accessible only by the running `google_auth_proxy` instance on the localhost, given the AWS Security Group port restrictions.
+* [/etc/nginx/vhosts/hub.conf](etc/nginx/vhosts/hub.conf): All `http://` requests are permanently redirected (301) to the `https://` equivalent by the first `server` block. The second `server` block, listening for `https://` requests, is configured to forward all requests (except for the logo used for the consent screen) to the `oauth2_proxy` service. The content of the site is ultimately served by the final `server` block, accessible only by the running `oauth2_proxy` instance on the localhost, given the AWS Security Group port restrictions.
 
   *Notice the `port_in_redirect off;` line in the third `server` block:* Without this line, permanent redirects from directory URLs _without_ a trailing slash to directory URLs _with_ a trailing slash will include the local server's port, which will cause the redirect to fail.
 
-* [/usr/local/18f/bin/google_auth_proxy.sh](usr/local/18f/bin/google_auth_proxy.sh): A shim that allows the `google_auth_proxy` logs to be captured in `/var/log/google_auth_proxy/access.log`.
+* [/usr/local/18f/bin/oauth2_proxy.sh](usr/local/18f/bin/oauth2_proxy.sh): A shim that allows the `oauth2_proxy` logs to be captured in `/var/log/oauth2_proxy/access.log`.
 
-* [/usr/local/18f/etc/google_auth_proxy.cfg](usr/local/18f/etc/google_auth_proxy.cfg): The configuration file for the `google_auth_proxy`, specified as a command line flag by [/etc/init.d/google_auth_proxy](etc/init.d/google_auth_proxy). The `client_id` and `client_secret` fields have been redacted from the repository. Currently they come from Mike Bland's personal account, since https://console.developers.google.com/ is currently disabled for the gsa.gov domain. A dedicated, shared `18f-hub-admin@gsa.gov` account would be ideal. For progress on this front, see 18F DevOps issues [60](https://github.com/18F/DevOps/issues/60) and [79](https://github.com/18F/DevOps/issues/79).
+* [/usr/local/18f/etc/oauth2_proxy.cfg](usr/local/18f/etc/oauth2_proxy.cfg): The configuration file for the `oauth2_proxy`, specified as a command line flag by [/etc/init.d/oauth2_proxy](etc/init.d/oauth2_proxy). The `client_id` and `client_secret` fields have been redacted from the repository. Currently they contain Mike Bland's MyUSA app credentials for the 18F Hub.
+
+  Previously they came from Mike Bland's personal account, since https://console.developers.google.com/ is currently disabled for the gsa.gov domain. A dedicated, shared `18f-hub-admin@gsa.gov` account would be ideal. For progress on this front, see 18F DevOps issues [60](https://github.com/18F/DevOps/issues/60) and [79](https://github.com/18F/DevOps/issues/79).
 
   *Notice the `authenticated_emails_file` setting, and that `google_apps_domains` has been commented out.* Access is granted to the union of these two sets, i.e. to everyone in the `authenticated_emails_file` _or_ in the `google_apps_domains`.
 
 #### Single Sign-On
 
-For the details on how the Hub's `google_auth_proxy` instance is configured as a single sign-on service for multiple 18f.gov domains, see the [Single Sign-On instructions](SSO.md).
+For the details on how the Hub's `oauth2_proxy` instance is configured as a single sign-on service for multiple 18f.gov domains, see the [Single Sign-On instructions](SSO.md).
 
 #### Adding/removing users
 
-The `authenticated_emails_file` is the list of Google Apps-authenticated users authorized to access the Hub. It is currently generated by the [auth.rb](../_plugins/auth.rb) plugin. Whenever team member email address information is updated in [_data/private/team.yml](../_data/private/team.yml) or [_data/private/hub/guest_users.yml](../_data/private/hub/guest_users.yml), a new version of this file will be generated, and the `google_auth_proxy` will need to be restarted.
+The `authenticated_emails_file` is the list of authenticated users authorized to access the Hub. It is currently generated by the [auth.rb](../_plugins/auth.rb) plugin. Whenever team member email address information is updated in [_data/private/team.yml](../_data/private/team.yml) or [_data/private/hub/guest_users.yml](../_data/private/hub/guest_users.yml), a new version of this file will be generated, and the `oauth2_proxy` will reload the file.
+
+#### Configuration changes
 
-One you have your `$HOME/.ssh/config` configured as described at the beginning of this document, you can restart the `google_auth_proxy` like so:
+The `oauth2_proxy` must be restarted if you update `/usr/local/18f/etc/oauth2_proxy.cfg`. One you have your `$HOME/.ssh/config` configured as described at the beginning of this document, you can restart the `oauth2_proxy` like so:
 
 ```
-$ ssh 18f-hub sudo service google_auth_proxy restart
+$ ssh 18f-hub sudo service oauth2_proxy restart
 ```
 
 ### Preparing for automated deployment

deploy/SSO.md

@@ -1,18 +1,18 @@
 ## Single Sign-On
 
-The Hub's `google_auth_proxy` instance is configured as a single sign-on
-service for multiple 18f.gov sub-domains using a single set of MyUSA OAuth
+The Hub's `oauth2_proxy` instance is configured as a single sign-on service
+for multiple 18f.gov sub-domains using a single set of MyUSA OAuth
 credentials. The configuration, inspired by the instructions in
-[bitly/google_auth_proxy#12](https://github.com/bitly/google_auth_proxy/issues/12),
-is subtle, but effective.
+[bitly/oauth2_proxy#12](https://github.com/bitly/oauth2_proxy/issues/12), is
+subtle, but effective.
 
 ### MyUSA
 
 The **Redirect uri** field in the Hub's MyUSA application settings is set to
 `https://auth.18f.gov/oauth2/callback`. auth.18f.gov is defined in
 `auth.conf`, described below.
 
-### /usr/local/18f/etc/google_auth_proxy.cfg
+### /usr/local/18f/etc/oauth2_proxy.cfg
 
 These are the critical two lines:
 
@@ -23,14 +23,14 @@ cookie_domain = ".18f.gov"
 
 The `cookie_domain` ensures that a single `.18f.gov` auth cookie will provide
 access to any application hosted on an 18f.gov sub-domain (for which the Hub's
-`google_auth_proxy` is configured to act as a reverse proxy, of course).
+`oauth2_proxy` is configured to act as a reverse proxy, of course).
 
 ### /etc/nginx/vhosts/auth-locations.conf
 
-Include this file at the end of every Nginx `server` block for which you want the
-`google_auth_proxy` to provide authentication. The `location /` block is the
+Include this file at the end of every Nginx `server` block for which you want
+the `oauth2_proxy` to provide authentication. The `location /` block is the
 normal case; after the user is authenticated, all requests will be routed
-through this block and passed to the `google_auth_proxy`.
+through this block and passed to the `oauth2_proxy`.
 
 ```
 location / {
@@ -49,9 +49,9 @@ the magic hack that makes single sign-on work. It sets the prefix of the `rd`
 (short for "redirect") parameter of the `/oauth2/start` query string to the
 name of the server in which this block is included.
 
-For example, for hub.18f.gov/foo, it will be `rd=%2Fhub.18f.gov/foo`. `%2F`
-is the hex-encoded version of the `/` character, so this is saying that once
-authentication is complete, the `google_auth_proxy` should redirect back to
+For example, for hub.18f.gov/foo, it will be `rd=%2Fhub.18f.gov/foo`. `%2F` is
+the hex-encoded version of the `/` character, so this is saying that once
+authentication is complete, the `oauth2_proxy` should redirect back to
 `/hub.18f.gov/foo`. As we will see, the full URL of the redirect will be
 `https://auth.18f.gov/hub.18f.gov/foo`.
 
@@ -70,8 +70,8 @@ location = /oauth2/start {
 ### /etc/nginx/vhosts/auth.conf
 
 This file defines the `auth.18f.gov` server. The `/oauth2/callback` block
-forwards the request from the OAuth provider to the `google_auth_proxy`
-running locally on port 4180:
+forwards the request from the OAuth provider to the `oauth2_proxy` running
+locally on port 4180:
 
 ```
   location = /oauth2/callback {
@@ -82,11 +82,11 @@ running locally on port 4180:
   }
 ```
 
-After the OAuth handshake succeeds, the `google_auth_proxy` will redirect back
-to the `rd` URL generated by the `/oauth/start` block from above. The
-following block parses the target host (e.g. hub.18f.gov) from the redirected
-request and forwards the request to the target host. Using the earlier
-example, `https://auth.18f.gov/hub.18f.gov/foo` will be rewritten as
+After the OAuth handshake succeeds, the `oauth2_proxy` will redirect back to
+the `rd` URL generated by the `/oauth/start` block from above. The following
+block parses the target host (e.g. hub.18f.gov) from the redirected request
+and forwards the request to the target host. Using the earlier example,
+`https://auth.18f.gov/hub.18f.gov/foo` will be rewritten as
 `https://hub.18f.gov/foo`.
 
 ```

deploy/ansible/roles/dev/tasks/main.yml

@@ -1,3 +1,3 @@
 ---
 - include: nginx.yml
-#- include: google_auth_proxy.yml
+#- include: oauth2_proxy.yml

deploy/ansible/roles/dev/tasks/oauth2_proxy.yml

@@ -0,0 +1,27 @@
+---
+- name: Download OAuth2 Proxy
+  get_url:
+    url=https://github.com/bitly/oauth2_proxy/releases/download/v1.0/google_auth_proxy-1.0.linux-amd64.go1.3.tar.gz
+    dest=/home/vagrant/oauth2_proxy-1.0.linux-amd64.go1.3.tar.gz
+- name: Unpack OAuth2 Proxy
+  unarchive:
+    src=/home/vagrant/oauth2_proxy-1.0.linux-amd64.go1.3.tar.gz
+    dest=/home/vagrant
+    copy=no
+- name: Symlink OAuth2 Proxy
+  file:
+    src=/home/vagrant/oauth2_proxy-1.0.linux-amd64.go1.3/google_auth_proxy
+    dest=/usr/local/18f/bin/oauth2_proxy
+    state=link
+- name: Copy OAuth2 Proxy wrapper script
+  copy:
+    src=../../../../usr/local/18f/bin/oauth2_proxy.sh
+    dest=/usr/local/18f/bin/oauth2_proxy.sh
+- name: Copy OAuth2 Proxy config
+  copy:
+    src=../../../../usr/local/18f/etc/oauth2_proxy.cfg
+    dest=/usr/local/18f/etc/oauth2_proxy.cfg
+- name: Copy OAuth2 Proxy init script
+  copy:
+    src=../../../../etc/init.d/oauth2_proxy
+    dest=/etc/init.d/oauth2_proxy

deploy/etc/init.d/google_auth_proxy → deploy/etc/init.d/oauth2_proxy

@@ -1,40 +1,40 @@
 #! /bin/sh
 
 ### BEGIN INIT INFO
-# Provides:          google_auth_proxy
+# Provides:          oauth2_proxy
 # Required-Start:    $all
 # Required-Stop:     $all
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
-# Short-Description: starts the google_auth_proxy for the 18F Hub
-# Description:       starts the google_auth_proxy for the 18F Hub
+# Short-Description: starts the oauth2_proxy for the 18F Hub
+# Description:       starts the oauth2_proxy for the 18F Hub
 ### END INIT INFO
 
 ###
 # Originally sourced from Jamie Curle:
 #   http://jamie.curle.io/blog/compiling-nginx-ubuntu/
 #   https://s3-eu-west-1.amazonaws.com/jcurle/code/nginx.sh
-# 
+#
 # Modified by Eric Mill, for 18F, 2014-07-15.
 #   https://github.com/18f/DevOps
 #
 # Modified by Mike Bland, for 18F, 2014-11-24.
 #   https://github.com/18F/hub
-### 
+###
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin
-DAEMON=/usr/local/18f/bin/google_auth_proxy.sh
-DAEMON_OPTS="--config=/usr/local/18f/etc/google_auth_proxy.cfg"
-NAME=google_auth_proxy
-DESC=google_auth_proxy
-LOGS=/var/log/google_auth_proxy
-PIDFILE=/var/run/google_auth_proxy.run
+DAEMON=/usr/local/18f/bin/oauth2_proxy.sh
+DAEMON_OPTS="--config=/usr/local/18f/etc/oauth2_proxy.cfg"
+NAME=oauth2_proxy
+DESC=oauth2_proxy
+LOGS=/var/log/oauth2_proxy
+PIDFILE=/var/run/oauth2_proxy.run
 
 test -x $DAEMON || exit 0
 
 # Include nginx defaults if available
-if [ -f /etc/default/google_auth_proxy ] ; then
-        . /etc/default/google_auth_proxy
+if [ -f /etc/default/oauth2_proxy ] ; then
+        . /etc/default/oauth2_proxy
 fi
 
 set -e

deploy/publish.sh

@@ -27,5 +27,5 @@ pushd $(dirname $0) >/dev/null
 HUB_ROOT=$(dirname $(pwd -P))
 popd >/dev/null
 
-REMOTE="ubuntu@hub.18f.us:18f-hub"
+REMOTE="ubuntu@hub.18f.gov:18f-hub"
 rsync -e ssh -vaxp --delete --ignore-errors $HUB_ROOT/_site{,_public} $REMOTE

deploy/usr/local/18f/bin/oauth2_proxy.sh

@@ -0,0 +1,8 @@
+#! /bin/sh
+LOGS=/var/log/oauth2_proxy
+
+if [ ! -d $LOGS ]; then
+  mkdir -p $LOGS
+fi
+
+exec /usr/local/18f/bin/oauth2_proxy "$@" >>$LOGS/access.log 2>&1

deploy/usr/local/18f/etc/google_auth_proxy.cfg → deploy/usr/local/18f/etc/oauth2_proxy.cfg

@@ -1,5 +1,5 @@
-## Google Auth Proxy Config File
-## https://github.com/bitly/google_auth_proxy
+## OAuth2 Proxy Config File
+## https://github.com/bitly/oauth2_proxy
 
 ## <addr>:<port> to listen on for HTTP clients
 http_address = "127.0.0.1:4180"
@@ -21,7 +21,7 @@ pass_basic_auth = true
 #]
 
 
-## The Google OAuth Client ID, Secret
+## The OAuth2 Client ID, Secret
 # mbland: I've redacted these values from the repository. On the Hub, these
 # are set to the app keys from my MyUSA account.
 client_id = ""
@@ -44,6 +44,8 @@ authenticated_emails_file = "/home/ubuntu/hub/_site/auth/hub-authenticated-email
 cookie_secret = ""
 cookie_domain = ".18f.gov"
 cookie_expire = "168h"
+cookie_refresh = "144h"
 cookie_https_only = true
+
 provider = "myusa"
 pass_access_token = true