mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
647fd26e60dcbd8e8a30525c68b8a8340c629ce8
metacrypt/internal/config/config.go
Kyle Isom 647fd26e60 Add SSO login support 
- Add [sso] config section with redirect_uri
- Create mcdsl/sso client when SSO is configured
- Add /login (landing page), /sso/redirect, /sso/callback routes
- Add /logout route
- Update login template with SSO landing page variant
- Bump mcdsl to v1.6.0

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 20:23:25 -07:00

138 lines
4.3 KiB
Go
Raw Blame History

// Package config provides TOML configuration loading and validation.
package config
import (
"fmt"
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
mcdslconfig "git.wntrmute.dev/mc/mcdsl/config"
)
// Config is the top-level configuration for Metacrypt.
type Config struct {
Server ServerConfig `toml:"server"`
Web WebConfig `toml:"web"`
MCIAS MCIASConfig `toml:"mcias"`
SSO SSOConfig `toml:"sso"`
Database mcdslconfig.DatabaseConfig `toml:"database"`
Log mcdslconfig.LogConfig `toml:"log"`
Seal SealConfig `toml:"seal"`
Audit AuditConfig `toml:"audit"`
}
// ServerConfig holds HTTP/gRPC server settings. It embeds the standard
// mcdsl server config and adds the ACME external URL.
type ServerConfig struct {
mcdslconfig.ServerConfig
ExternalURL string `toml:"external_url"` // public base URL for ACME directory
}
// MCIASConfig holds MCIAS integration settings. It embeds the standard
// mcdsl auth config and adds the service token for web UI login.
type MCIASConfig struct {
mcdslauth.Config
ServiceToken string `toml:"service_token"`
}
// SSOConfig holds SSO redirect settings for the web UI.
type SSOConfig struct {
// RedirectURI is the callback URL that MCIAS redirects to after login.
// Must exactly match the redirect_uri registered in MCIAS config.
RedirectURI string `toml:"redirect_uri"`
}
// WebConfig holds settings for the standalone web UI server (metacrypt-web).
type WebConfig struct {
// ListenAddr is the address the web server listens on (default: 127.0.0.1:8080).
ListenAddr string `toml:"listen_addr"`
// VaultGRPC is the gRPC address of the vault server (e.g. "127.0.0.1:9443").
VaultGRPC string `toml:"vault_grpc"`
// VaultCACert is the path to the CA certificate used to verify the vault's TLS cert.
VaultCACert string `toml:"vault_ca_cert"`
// VaultSNI overrides the TLS server name used to verify the vault's
// certificate. Use when the dial address (e.g., a container hostname)
// does not match any SAN on the vault's TLS certificate.
VaultSNI string `toml:"vault_sni"`
// TLSCert and TLSKey are optional. If empty, the web server uses plain HTTP
// (suitable for deployment behind a TLS-terminating reverse proxy).
TLSCert string `toml:"tls_cert"`
TLSKey string `toml:"tls_key"`
}
// AuditConfig holds audit logging settings.
type AuditConfig struct {
// Mode controls audit log output: "file", "stdout", or "" (disabled).
Mode string `toml:"mode"`
// Path is the audit log file path (required when mode is "file").
Path string `toml:"path"`
// IncludeReads enables audit logging for read-only operations.
IncludeReads bool `toml:"include_reads"`
}
// SealConfig holds Argon2id parameters for the seal process.
type SealConfig struct {
Argon2Time uint32 `toml:"argon2_time"`
Argon2Memory uint32 `toml:"argon2_memory"`
Argon2Threads uint8 `toml:"argon2_threads"`
}
// Load reads and parses a TOML config file with METACRYPT_ env var overrides.
func Load(path string) (*Config, error) {
return mcdslconfig.Load[Config](path, "METACRYPT")
}
// Validate implements mcdslconfig.Validator for metacrypt-specific rules.
func (c *Config) Validate() error {
// Required fields.
if c.Server.ListenAddr == "" {
return fmt.Errorf("server.listen_addr is required")
}
if c.Server.TLSCert == "" {
return fmt.Errorf("server.tls_cert is required")
}
if c.Server.TLSKey == "" {
return fmt.Errorf("server.tls_key is required")
}
if c.Database.Path == "" {
return fmt.Errorf("database.path is required")
}
if c.MCIAS.ServerURL == "" {
return fmt.Errorf("mcias.server_url is required")
}
// Seal defaults.
if c.Seal.Argon2Time == 0 {
c.Seal.Argon2Time = 3
}
if c.Seal.Argon2Memory == 0 {
c.Seal.Argon2Memory = 128 * 1024
}
if c.Seal.Argon2Threads == 0 {
c.Seal.Argon2Threads = 4
}
// Log default.
if c.Log.Level == "" {
c.Log.Level = "info"
}
// Web default.
if c.Web.ListenAddr == "" {
c.Web.ListenAddr = "127.0.0.1:8080"
}
// Audit validation.
switch c.Audit.Mode {
case "", "stdout":
// ok
case "file":
if c.Audit.Path == "" {
return fmt.Errorf("audit.path is required when audit.mode is \"file\"")
}
default:
return fmt.Errorf("audit.mode must be \"file\", \"stdout\", or empty")
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink