enhance: add validate tool for github auth provider

auth-providers-common/pkg/env/env.go

@@ -1,6 +1,7 @@
 package env
 
 import (
+	"encoding/json"
 	"fmt"
 	"os"
 	"reflect"
@@ -64,3 +65,55 @@ func LoadEnvForStruct[T any](s *T) error {
 
 	return nil
 }
+
+type ValidationError struct {
+	Err error `json:"error"`
+}
+
+func (e ValidationError) Error() string {
+	return e.Err.Error()
+}
+
+type FieldValidationError struct {
+	EnvVar    string `json:"envVar"`
+	Message   string `json:"message"`
+	Value     string `json:"value"`
+	Sensitive bool   `json:"sensitive"`
+}
+
+func (e FieldValidationError) Error() string {
+	if e.Sensitive {
+		return fmt.Sprintf("invalid environment variable %s: %s (value: %s)", e.EnvVar, e.Message, "REDACTED")
+	}
+	return fmt.Sprintf("invalid environment variable %s: %s (value: %s)", e.EnvVar, e.Message, e.Value)
+}
+
+func (e FieldValidationError) MarshalJSON() ([]byte, error) {
+	// Create a copy of the struct for JSON marshaling
+	value := e.Value
+	if e.Sensitive {
+		value = "REDACTED"
+	}
+
+	return json.Marshal(struct {
+		EnvVar    string `json:"envVar"`
+		Message   string `json:"message"`
+		Value     string `json:"value"`
+		Sensitive bool   `json:"sensitive"`
+	}{
+		EnvVar:    e.EnvVar,
+		Message:   e.Message,
+		Value:     value,
+		Sensitive: e.Sensitive,
+	})
+}
+
+type FieldValidationErrors []FieldValidationError
+
+func (e FieldValidationErrors) Error() string {
+	msgs := make([]string, len(e))
+	for i, err := range e {
+		msgs[i] = err.Error()
+	}
+	return strings.Join(msgs, "\n")
+}

github-auth-provider/go.mod

@@ -12,6 +12,8 @@ replace (
 require (
 	github.com/oauth2-proxy/oauth2-proxy/v7 v7.8.1
 	github.com/obot-platform/tools/auth-providers-common v0.0.0-20241008222508-3c6174b443e7
+	github.com/sahilm/fuzzy v0.1.1
+	github.com/stretchr/testify v1.10.0
 )
 
 require (
@@ -26,6 +28,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/coreos/go-oidc/v3 v3.13.0 // indirect
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
@@ -55,14 +58,14 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.21.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/redis/go-redis/v9 v9.7.3 // indirect
 	github.com/sagikazarmark/locafero v0.7.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
-	github.com/sahilm/fuzzy v0.1.1 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.12.0 // indirect
 	github.com/spf13/cast v1.7.1 // indirect

github-auth-provider/main.go

@@ -16,37 +16,29 @@ import (
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/validation"
 	"github.com/obot-platform/tools/auth-providers-common/pkg/env"
 	"github.com/obot-platform/tools/auth-providers-common/pkg/state"
+	"github.com/obot-platform/tools/github-auth-provider/pkg/config"
 	"github.com/obot-platform/tools/github-auth-provider/pkg/profile"
 	"github.com/sahilm/fuzzy"
 )
 
-type Options struct {
-	ClientID                 string  `env:"OBOT_GITHUB_AUTH_PROVIDER_CLIENT_ID"`
-	ClientSecret             string  `env:"OBOT_GITHUB_AUTH_PROVIDER_CLIENT_SECRET"`
-	ObotServerURL            string  `env:"OBOT_SERVER_URL"`
-	PostgresConnectionDSN    string  `env:"OBOT_AUTH_PROVIDER_POSTGRES_CONNECTION_DSN" optional:"true"`
-	AuthCookieSecret         string  `usage:"Secret used to encrypt cookie" env:"OBOT_AUTH_PROVIDER_COOKIE_SECRET"`
-	AuthEmailDomains         string  `usage:"Email domains allowed for authentication" default:"*" env:"OBOT_AUTH_PROVIDER_EMAIL_DOMAINS"`
-	AuthTokenRefreshDuration string  `usage:"Duration to refresh auth token after" optional:"true" default:"1h" env:"OBOT_AUTH_PROVIDER_TOKEN_REFRESH_DURATION"`
-	GitHubOrg                *string `usage:"restrict logins to members of this GitHub organization" optional:"true" env:"OBOT_GITHUB_AUTH_PROVIDER_ORG"`
-	GitHubAllowUsers         *string `usage:"users allowed to log in, even if they do not belong to the specified org and team or collaborators" optional:"true" env:"OBOT_GITHUB_AUTH_PROVIDER_ALLOW_USERS"`
-}
-
 func main() {
-	var opts Options
-	if err := env.LoadEnvForStruct(&opts); err != nil {
-		fmt.Printf("ERROR: github-auth-provider: failed to load options: %v\n", err)
-		os.Exit(1)
-	}
+	opts, err := config.LoadEnv()
+	if len(os.Args) > 1 && os.Args[1] == "validate" {
+		if err != nil {
+			var validationErr env.ValidationError
+			if errors.As(err, &validationErr) {
+				if err := json.NewEncoder(os.Stdout).Encode(validationErr); err != nil {
+					fmt.Printf("ERROR: github-auth-provider: failed to encode validation errors: %v\n", err)
+					os.Exit(1)
+				}
+			}
+		}
 
-	refreshDuration, err := time.ParseDuration(opts.AuthTokenRefreshDuration)
-	if err != nil {
-		fmt.Printf("ERROR: github-auth-provider: failed to parse token refresh duration: %v\n", err)
-		os.Exit(1)
+		return
 	}
 
-	if refreshDuration < 0 {
-		fmt.Printf("ERROR: github-auth-provider: token refresh duration must be greater than 0\n")
+	if err != nil {
+		fmt.Printf("ERROR: github-auth-provider: failed to load and validate options: %v\n", err)
 		os.Exit(1)
 	}
 
@@ -64,12 +56,8 @@ func main() {
 	legacyOpts.LegacyProvider.ClientSecret = opts.ClientSecret
 
 	// GitHub-specific options
-	if opts.GitHubOrg != nil {
-		legacyOpts.LegacyProvider.GitHubOrg = *opts.GitHubOrg
-	}
-	if opts.GitHubAllowUsers != nil {
-		legacyOpts.LegacyProvider.GitHubUsers = strings.Split(*opts.GitHubAllowUsers, ",")
-	}
+	legacyOpts.LegacyProvider.GitHubOrg = opts.GitHubOrg
+	legacyOpts.LegacyProvider.GitHubUsers = opts.GitHubAllowUsers
 
 	oauthProxyOpts, err := legacyOpts.ToOptions()
 	if err != nil {
@@ -84,20 +72,14 @@ func main() {
 		oauthProxyOpts.Session.Postgres.ConnectionDSN = opts.PostgresConnectionDSN
 		oauthProxyOpts.Session.Postgres.TableNamePrefix = "github_"
 	}
-	oauthProxyOpts.Cookie.Refresh = refreshDuration
+	oauthProxyOpts.Cookie.Refresh = opts.AuthTokenRefreshDuration
 	oauthProxyOpts.Cookie.Name = "obot_access_token"
 	oauthProxyOpts.Cookie.Secret = string(cookieSecret)
 	oauthProxyOpts.Cookie.Secure = strings.HasPrefix(opts.ObotServerURL, "https://")
 	oauthProxyOpts.Cookie.CSRFExpire = 30 * time.Minute
 	oauthProxyOpts.Templates.Path = os.Getenv("GPTSCRIPT_TOOL_DIR") + "/../auth-providers-common/templates"
 	oauthProxyOpts.RawRedirectURL = opts.ObotServerURL + "/"
-	if opts.AuthEmailDomains != "" {
-		emailDomains := strings.Split(opts.AuthEmailDomains, ",")
-		for i := range emailDomains {
-			emailDomains[i] = strings.TrimSpace(emailDomains[i])
-		}
-		oauthProxyOpts.EmailDomains = emailDomains
-	}
+	oauthProxyOpts.EmailDomains = opts.AuthEmailDomains
 	oauthProxyOpts.Logging.RequestEnabled = false
 	oauthProxyOpts.Logging.AuthEnabled = false
 	oauthProxyOpts.Logging.StandardEnabled = false
@@ -131,7 +113,7 @@ func main() {
 		}
 		json.NewEncoder(w).Encode(userInfo)
 	})
-	mux.HandleFunc("/obot-list-auth-groups", listGroups(*opts.GitHubOrg))
+	mux.HandleFunc("/obot-list-auth-groups", listGroups(opts.GitHubOrg))
 	mux.HandleFunc("/obot-list-user-auth-groups", listUserGroups)
 	mux.HandleFunc("/", oauthProxy.ServeHTTP)
 

github-auth-provider/pkg/config/config.go

@@ -0,0 +1,176 @@
+package config
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/obot-platform/tools/auth-providers-common/pkg/env"
+)
+
+// options is the private struct that holds raw environment variable values
+type options struct {
+	ClientID                 string  `env:"OBOT_GITHUB_AUTH_PROVIDER_CLIENT_ID"`
+	ClientSecret             string  `env:"OBOT_GITHUB_AUTH_PROVIDER_CLIENT_SECRET"`
+	ObotServerURL            string  `env:"OBOT_SERVER_URL"`
+	PostgresConnectionDSN    string  `env:"OBOT_AUTH_PROVIDER_POSTGRES_CONNECTION_DSN" optional:"true"`
+	AuthCookieSecret         string  `usage:"Secret used to encrypt cookie" env:"OBOT_AUTH_PROVIDER_COOKIE_SECRET"`
+	AuthEmailDomains         string  `usage:"Email domains allowed for authentication" default:"*" env:"OBOT_AUTH_PROVIDER_EMAIL_DOMAINS"`
+	AuthTokenRefreshDuration string  `usage:"Duration to refresh auth token after" optional:"true" default:"1h" env:"OBOT_AUTH_PROVIDER_TOKEN_REFRESH_DURATION"`
+	GitHubOrg                *string `usage:"restrict logins to members of this GitHub organization" optional:"true" env:"OBOT_GITHUB_AUTH_PROVIDER_ORG"`
+	GitHubAllowUsers         *string `usage:"users allowed to log in, even if they do not belong to the specified org and team or collaborators" optional:"true" env:"OBOT_GITHUB_AUTH_PROVIDER_ALLOW_USERS"`
+}
+
+// Options is the public struct that holds validated and processed configuration values
+type Options struct {
+	options
+	AuthEmailDomains         []string
+	AuthTokenRefreshDuration time.Duration
+	GitHubOrg                string
+	GitHubAllowUsers         []string
+}
+
+var (
+	gitHubLoginRegex = regexp.MustCompile(`^[a-zA-Z0-9]+(-[a-zA-Z0-9]+)*$`)
+	emailDomainRegex = regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*$`)
+)
+
+// LoadEnv loads environment variables, validates them, and returns the completed configuration
+func LoadEnv() (*Options, error) {
+	completed, err := loadEnv()
+	if err != nil {
+		return nil, env.ValidationError{Err: err}
+	}
+
+	return completed, nil
+}
+
+func loadEnv() (*Options, error) {
+	var opts options
+	if err := env.LoadEnvForStruct(&opts); err != nil {
+		return nil, fmt.Errorf("failed to load environment variables: %w", err)
+	}
+
+	return complete(opts)
+}
+
+func complete(o options) (*Options, error) {
+	var (
+		validationErrors env.FieldValidationErrors
+		completedOptions = Options{
+			options: o,
+		}
+	)
+
+	if o.AuthEmailDomains != "" {
+		// TODO(njhale): Add validation for email domains
+		var (
+			emailDomains = strings.Split(o.AuthEmailDomains, ",")
+			errorMsg     string
+		)
+		for i := range emailDomains {
+			switch domain := strings.TrimSpace(emailDomains[i]); {
+			case domain == "":
+				errorMsg = "cannot contain empty email domains"
+			case domain == "*" && len(emailDomains) > 1:
+				errorMsg = "cannot specify multiple email domains when * is provided"
+			case domain != "*" && !emailDomainRegex.MatchString(domain):
+				errorMsg = fmt.Sprintf("'%s' is not a valid email domain", domain)
+			default:
+				emailDomains[i] = domain
+				continue
+			}
+
+			// Stop after the first email domain validation error
+			break
+		}
+
+		if errorMsg != "" {
+			validationErrors = append(validationErrors, env.FieldValidationError{
+				EnvVar:    "OBOT_AUTH_PROVIDER_EMAIL_DOMAINS",
+				Message:   errorMsg,
+				Value:     o.AuthEmailDomains,
+				Sensitive: false,
+			})
+		} else {
+			completedOptions.AuthEmailDomains = emailDomains
+		}
+
+	}
+
+	refreshDuration, err := time.ParseDuration(o.AuthTokenRefreshDuration)
+	if err != nil || refreshDuration <= 0 {
+		validationErrors = append(validationErrors, env.FieldValidationError{
+			EnvVar:    "OBOT_AUTH_PROVIDER_TOKEN_REFRESH_DURATION",
+			Message:   "must be a valid duration string and greater than 0",
+			Value:     o.AuthTokenRefreshDuration,
+			Sensitive: false,
+		})
+	} else {
+		completedOptions.AuthTokenRefreshDuration = refreshDuration
+	}
+
+	if o.GitHubOrg != nil && *o.GitHubOrg != "" {
+		var (
+			org      = *o.GitHubOrg
+			errorMsg string
+		)
+		if len(org) > 39 {
+			errorMsg = fmt.Sprintf("must be 39 characters or less, got %d characters", len(org))
+		}
+		if !gitHubLoginRegex.MatchString(org) {
+			errorMsg = "is not a valid GitHub organization login (must contain only alphanumeric characters and single hyphens, cannot start or end with hyphen)"
+		}
+		if errorMsg != "" {
+			validationErrors = append(validationErrors, env.FieldValidationError{
+				EnvVar:    "OBOT_GITHUB_AUTH_PROVIDER_ORG",
+				Message:   errorMsg,
+				Value:     org,
+				Sensitive: false,
+			})
+		} else {
+			completedOptions.GitHubOrg = org
+		}
+	}
+
+	if o.GitHubAllowUsers != nil && *o.GitHubAllowUsers != "" {
+		var (
+			users    = strings.Split(*o.GitHubAllowUsers, ",")
+			errorMsg string
+		)
+		for i := range users {
+			switch user := strings.TrimSpace(users[i]); {
+			case user == "":
+				errorMsg = "cannot contain empty users"
+			case len(user) > 39:
+				errorMsg = fmt.Sprintf("user '%s' must be 39 characters or less, got %d characters", user, len(user))
+			case !gitHubLoginRegex.MatchString(user):
+				errorMsg = fmt.Sprintf("user '%s' is not a valid GitHub username (must contain only alphanumeric characters and single hyphens, cannot start or end with hyphen)", user)
+			default:
+				users[i] = user
+				continue
+			}
+
+			// Stop after the first user validation error
+			break
+		}
+
+		if errorMsg != "" {
+			validationErrors = append(validationErrors, env.FieldValidationError{
+				EnvVar:    "OBOT_GITHUB_AUTH_PROVIDER_ALLOW_USERS",
+				Message:   errorMsg,
+				Value:     *o.GitHubAllowUsers,
+				Sensitive: false,
+			})
+		} else {
+			completedOptions.GitHubAllowUsers = users
+		}
+	}
+
+	if len(validationErrors) > 0 {
+		return nil, validationErrors
+	}
+
+	return &completedOptions, nil
+}