Update docs and spell-check linting

- Upgrade to v8 of MegaLinter
- Uncomment cspell checks and build out dictionary, including exclusions
  for non-inclusive language.
- Fix typos
- Add M2M client config notes to README (are otherwise buried in
  env-example).

Signed-off-by: Eric Searcy <eric@linuxfoundation.org>

Author: emsearcy

.cspell.json

@@ -0,0 +1,61 @@
+{
+  "language": "en",
+  "dictionaries": ["companies", "filetypes", "fullstack", "softwareTerms"],
+  "words": [
+    "trufflehog",
+    "golangci",
+    "godotenv",
+    "doublestar",
+    "clientcredentials",
+    "logrus",
+    "nosniff",
+    "tcsh",
+    "jasig",
+    "linuxfoundation",
+    "jaegertracing",
+    "pprof",
+    "zpages",
+    "fluentbit",
+    "chainguard",
+    "hadolint",
+    "GOARCH",
+    "trimpath",
+    "ldflags",
+    "nonroot",
+    "otelhttp",
+    "vhost",
+    "hostmetrics",
+    "otelcol",
+    "otlptracegrpc",
+    "sdktrace",
+    "tracecontext",
+    "semconv",
+    "securecookie",
+    "zoneinfo",
+    "chardata"
+  ],
+  "flagWords": [
+    "abort",
+    "abortion",
+    "blackhat",
+    "black-hat",
+    "whitehat",
+    "white-hat",
+    "cripple",
+    "crippled",
+    "master",
+    "slave",
+    "tribe",
+    "sanity-check",
+    "whitelist",
+    "white-list",
+    "blacklist",
+    "black-list"
+  ],
+  "ignorePaths": [
+    ".cspell.json",
+    "LICENSE",
+    "LICENSE-docs",
+    "megalinter-reports"
+  ]
+}

.github/workflows/mega-linter.yml

@@ -30,4 +30,4 @@ jobs:
       - name: MegaLinter
         id: ml
         # Use the Go flavor.
-        uses: oxsecurity/megalinter/flavors/go@v7
+        uses: oxsecurity/megalinter/flavors/go@v8

.mega-linter.yml

@@ -5,8 +5,6 @@ DISABLE_LINTERS:
   # Revive covers this, plus golangci-lint has trouble with newer go toolchains
   # in go.mod.
   - GO_GOLANGCI_LINT
-  # cspell is laughably bad at code/comments/etc.
-  - SPELL_CSPELL
   # Link checking more likely to cause false positives than be useful for us.
   - SPELL_LYCHEE
   # yamllint is sufficient for us.

0_config.go

@@ -4,6 +4,7 @@
 // The auth0-cas-service-go service.
 package main
 
+// spell-checker:disable
 import (
 	"fmt"
 	"os"
@@ -13,6 +14,8 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+// spell-checker:enable
+
 type config struct {
 	Auth0Tenant  string
 	Auth0Domain  string

Dockerfile

@@ -6,8 +6,8 @@
 
 FROM --platform=$BUILDPLATFORM cgr.dev/chainguard/go:latest AS builder
 
-# Set necessary environment variables needed for our image. Allow building to
-# other architectures via cross-compliation build-arg.
+# Set necessary environment variables needed for our image. Allow cross-compile
+# builds to other architectures via build-arg.
 ARG TARGETARCH
 ENV CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH
 

Makefile

@@ -15,8 +15,8 @@ bin/auth0-cas-server-go: *.go go.mod go.sum
 all: bin/auth0-cas-server-go docker-build
 
 lint:
-	docker pull --platform linux/amd64 oxsecurity/megalinter-go:v7
-	docker run --rm --platform linux/amd64 -v '$(CURDIR):/tmp/lint:rw' oxsecurity/megalinter-go:v7
+	docker pull --platform linux/amd64 oxsecurity/megalinter-go:v8
+	docker run --rm --platform linux/amd64 -v '$(CURDIR):/tmp/lint:rw' oxsecurity/megalinter-go:v8
 
 test:
 	@echo "No tests to run ... would you like to 'make lint'?"

README.md

@@ -4,19 +4,18 @@
 
 This service was inspired by Auth0, through their `auth0-cas-server` service
 formerly hosted at `github.com/auth0-samples/auth0-cas-server` (link now dead).
-It is a simple authentication redirector which wraps an OpenID Connect
-authentication flow to expose it as server implementing the Central
-Authentication Service (CAS) SSO protocol. The service leverages configuration
-stored within Auth0 client metadata, which it reads using a privileged
-connection to the Auth0 API, in order to emulate multiple different clients
-dynamically per login session.
+Like that service, it uses HTTP redirects to wrap an OpenID Connect
+authentication flow with the Central Authentication Service (CAS) SSO protocol,
+emulating multiple CAS clients from a single instance of the service. It does
+this by using a privileged connection to the Auth0 Management API to find
+clients tagged with CAS metadata, and dynamically adopting their client
+credentials.
 
-Notable differeces with this implementation:
+Notable differences include:
 
 - Rewritten in Go, including OpenTelemetry instrumentation and multi-arch build
   outputs including SPDX SBOMs.
-- Supports several additional CAS protocol endpoints implementing multiple CAS
-  versions.
+- Additional HTTP endpoints to implement additional CAS protocol versions.
 - Implements CAS single-logout.
 - Implements CAS "gateway mode" to test for authentication without prompting
   the user.
@@ -55,7 +54,19 @@ Please see `env-example` for a list of required and optional environment
 variables that can be used to configure the server. For local development, you
 can copy this file to `.env` and modify it to suit your needs.
 
-## Auth0 client configuration
+## Auth0 API client configuration
+
+This service requires a non-interactive (machine-to-machine) client that
+supports the `client_credentials` grant type and is authorized for the
+following scopes on the Auth0 Management API:
+
+- `read:clients`
+- `read:client_keys`
+
+The client ID and client secret for this API client must be passed as
+environmental variables to the service.
+
+## Auth0 CAS client configuration
 
 To create a CAS-enabled Auth0 application, specify the follow settings:
 

auth0_clients.go

@@ -4,6 +4,7 @@
 // The auth0-cas-service-go service.
 package main
 
+// spell-checker:disable
 import (
 	"context"
 	"encoding/json"
@@ -22,6 +23,8 @@ import (
 	"golang.org/x/oauth2/clientcredentials"
 )
 
+// spell-checker:enable
+
 var (
 	auth0Client *http.Client
 	auth0Cache  = cache.New(60*time.Minute, 5*time.Minute)
@@ -171,7 +174,7 @@ func getAuth0ClientByService(ctx context.Context, serviceURL string) (*auth0Clie
 			}
 
 			// There is a match
-			appLogger(ctx).WithFields(logrus.Fields{"service": serviceURL, "glob": glob, "auth0_client": client.Name}).Debugln("matched service in glob cache")
+			appLogger(ctx).WithFields(logrus.Fields{"service": serviceURL, "glob": glob, "auth0_client": client.Name}).Debug("matched service in glob cache")
 			auth0Cache.Set("cas-service-url/"+url.PathEscape(serviceURL), client, cache.NoExpiration)
 			return &client, nil
 		}
@@ -204,7 +207,7 @@ func getAuth0ClientByService(ctx context.Context, serviceURL string) (*auth0Clie
 
 		serviceGlobs := strings.Split(client.ClientMetadata["cas_service"], ",")
 
-		// Iterate over any comma-delimeted cas_service globs in the
+		// Iterate over any comma-delimited cas_service globs in the
 		// client_metadata.
 		for _, glob := range serviceGlobs {
 			match, err := doublestar.Match(glob, serviceURL)
@@ -222,7 +225,7 @@ func getAuth0ClientByService(ctx context.Context, serviceURL string) (*auth0Clie
 				continue
 			}
 
-			appLogger(ctx).WithFields(logrus.Fields{"service": serviceURL, "glob": glob, "auth0_client": client.Name}).Debugln("matched service")
+			appLogger(ctx).WithFields(logrus.Fields{"service": serviceURL, "glob": glob, "auth0_client": client.Name}).Debug("matched service")
 			// If the glob matches, save the match, but keep processing remaining
 			// comma-delimited globs AND clients to complete the glob-to-client cache
 			// update.

cas.go

@@ -4,6 +4,7 @@
 // The auth0-cas-service-go service.
 package main
 
+// spell-checker:disable
 import (
 	"context"
 	"crypto/rand"
@@ -21,6 +22,8 @@ import (
 	"golang.org/x/oauth2"
 )
 
+// spell-checker:enable
+
 var store *sessions.CookieStore
 
 type userAttributes struct {

check-headers.sh

@@ -8,7 +8,7 @@
 # Exits with a 1 if one or more source files are missing a license header
 
 # Exclude code coming from a third-party. Typically these won't be checked into
-# source control, but occassionally "vendored" code is committed.
+# source control, but occasionally "vendored" code is committed.
 exclude_pattern='^(.*/)?(node_modules|vendor)/'
 
 # Include build definitions.