From a9680d6088178d052ce9e0f40b4bb83fee756a9c Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 8 Jan 2023 20:33:04 +0100
Subject: [PATCH] internal: fix race condition with config loading on startup, add index on debug server

Signed-off-by: Jens Langhammer
---
 cmd/ldap/{server.go => main.go} | 2 +-
 cmd/proxy/{server.go => main.go} | 2 +-
 cmd/server/main.go | 3 +--
 internal/config/config.go | 2 +-
 internal/config/struct.go | 9 ++++++---
 internal/debug/debug.go | 26 ++++++++++++++++++++++++--
 internal/outpost/ak/api_ws.go | 9 ++-------
 internal/outpost/ak/global.go | 9 ++-------
 8 files changed, 38 insertions(+), 24 deletions(-)
 rename cmd/ldap/{server.go => main.go} (98%)
 rename cmd/proxy/{server.go => main.go} (98%)

diff --git a/cmd/ldap/server.go b/cmd/ldap/main.go
similarity index 98%
rename from cmd/ldap/server.go
rename to cmd/ldap/main.go
index 724b86d2b..eb16c0ffc 100644
--- a/cmd/ldap/server.go
+++ b/cmd/ldap/main.go
@@ -30,7 +30,7 @@ func main() {
 },
 DisableHTMLEscape: true,
 })
- go debug.EnableDebugServer()
+ debug.EnableDebugServer()
 akURL := config.Get().AuthentikHost
 if akURL == "" {
 fmt.Println("env AUTHENTIK_HOST not set!")
diff --git a/cmd/proxy/server.go b/cmd/proxy/main.go
similarity index 98%
rename from cmd/proxy/server.go
rename to cmd/proxy/main.go
index 49ef5fa95..52fb6b4ba 100644
--- a/cmd/proxy/server.go
+++ b/cmd/proxy/main.go
@@ -33,7 +33,7 @@ func main() {
 },
 DisableHTMLEscape: true,
 })
- go debug.EnableDebugServer()
+ debug.EnableDebugServer()
 akURL := config.Get().AuthentikHost
 if akURL == "" {
 fmt.Println("env AUTHENTIK_HOST not set!")
diff --git a/cmd/server/main.go b/cmd/server/main.go
index 7b9700fd2..9a5e33389 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -32,9 +32,8 @@ func main() {
 },
 DisableHTMLEscape: true,
 })
- go debug.EnableDebugServer()
+ debug.EnableDebugServer()
 l := log.WithField("logger", "authentik.root")
- config.Get().Setup("./authentik/lib/default.yml", "./local.env.yml")
 if config.Get().ErrorReporting.Enabled {
 err := sentry.Init(sentry.ClientOptions{
diff --git a/internal/config/config.go b/internal/config/config.go
index 01ca493b2..72cc9f58b 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -18,7 +18,7 @@ var cfg *Config
 func Get() *Config {
 if cfg == nil {
 c := defaultConfig()
- c.Setup()
+ c.Setup("./authentik/lib/default.yml", "./local.env.yml")
 cfg = c
 }
 return cfg
diff --git a/internal/config/struct.go b/internal/config/struct.go
index f8d6e3b28..ec3411ada 100644
--- a/internal/config/struct.go
+++ b/internal/config/struct.go
@@ -2,13 +2,15 @@ package config
 type Config struct {
 // Core specific config
- SecretKey string `yaml:"secret_key" env:"AUTHENTIK_SECRET_KEY"`
 Paths PathsConfig `yaml:"paths"`
 LogLevel string `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL"`
 ErrorReporting ErrorReportingConfig `yaml:"error_reporting"`
 Redis RedisConfig `yaml:"redis"`
 Outposts OutpostConfig `yaml:"outposts"`
+ // Config for core and embedded outpost
+ SecretKey string `yaml:"secret_key" env:"AUTHENTIK_SECRET_KEY"`
+
 // Config for both core and outposts
 Debug bool `yaml:"debug" env:"AUTHENTIK_DEBUG"`
 Listen ListenConfig `yaml:"listen"`
@@ -16,8 +18,9 @@ type Config struct {
 // Outpost specific config
 // These are only relevant for proxy/ldap outposts, and cannot be set via YAML
 // They are loaded via this config loader to support file:// schemas
- AuthentikHost string `env:"AUTHENTIK_HOST"`
- AuthentikToken string `env:"AUTHENTIK_TOKEN"`
+ AuthentikHost string `env:"AUTHENTIK_HOST"`
+ AuthentikToken string `env:"AUTHENTIK_TOKEN"`
+ AuthentikInsecure bool `env:"AUTHENTIK_INSECURE"`
 }
 type RedisConfig struct {
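Review bot: `Get()` still performs an unsynchronized check-then-set on the package-level `cfg` (`if cfg == nil { ... cfg = c }`), so if the first calls overlap — the goroutine that debug.go starts in this same patch calls `config.Get()` while `main` keeps calling it — they can race on the nil check and run `Setup` twice, which is the kind of startup race the commit title says it fixes; wrapping the initialization in a `sync.Once` closes it. The rewrite below relies on a `var cfgOnce sync.Once` declared next to `cfg` and on `sync` in the import block, both outside the hunk. Note also that the two default paths were previously passed only by cmd/server; every binary that calls `Get()`, the ldap and proxy outposts included, now loads them, which is only sound if `Setup` tolerates absent files (presumably it does, but a doc comment on `Get()` stating that would settle it).
```go
func Get() *Config {
	// cfgOnce (a sync.Once declared next to cfg) makes first-use
	// initialization safe when Get() is reached from several goroutines.
	cfgOnce.Do(func() {
		c := defaultConfig()
		c.Setup("./authentik/lib/default.yml", "./local.env.yml")
		cfg = c
	})
	return cfg
}
```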
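Review bot: `AuthentikInsecure` is the one field in this struct that weakens a security control (it feeds `InsecureSkipVerify` in api_ws.go and global.go later in this patch), yet the only description it inherits is the group comment about proxy/ldap outposts; give it its own doc comment, e.g. `// AuthentikInsecure disables TLS certificate verification for the outpost's connection to the authentik core. Intended for local development only; never set in production.` The removed code accepted only a case-insensitive `"true"`, while a `bool` field filled by the env loader presumably also accepts `1`, `t` and `T` (strconv.ParseBool semantics), a small behaviour change worth noting next to the field.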
diff --git a/internal/debug/debug.go b/internal/debug/debug.go
index 353e445c1..4a8140452 100644
--- a/internal/debug/debug.go
+++ b/internal/debug/debug.go
@@ -1,11 +1,14 @@
 package debug
 import (
+ "fmt"
 "net/http"
 "net/http/pprof"
+ "github.com/gorilla/mux"
 log "github.com/sirupsen/logrus"
 "goauthentik.io/internal/config"
+ "goauthentik.io/internal/utils/web"
 )
 func EnableDebugServer() {
@@ -14,11 +17,30 @@ func EnableDebugServer() {
 l.Info("not enabling debug server, set `AUTHENTIK_DEBUG` to `true` to enable it.")
 return
 }
- h := http.NewServeMux()
+ h := mux.NewRouter()
 h.HandleFunc("/debug/pprof/", pprof.Index)
 h.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
 h.HandleFunc("/debug/pprof/profile", pprof.Profile)
 h.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
 h.HandleFunc("/debug/pprof/trace", pprof.Trace)
- l.Println(http.ListenAndServe(config.Get().Listen.Debug, nil))
+ h.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+ h.Walk(func(route *mux.Route, router *mux.Router, ancestors []*mux.Route) error {
+ tpl, err := route.GetPathTemplate()
+ if err != nil {
+ return nil
+ }
+ w.Write([]byte(fmt.Sprintf("%[1]s
", tpl)))
+ return nil
+ })
+ })
+ go func() {
+ l.WithField("listen", config.Get().Listen.Debug).Info("Starting Debug server")
+ err := http.ListenAndServe(
+ config.Get().Listen.Debug,
+ web.NewLoggingHandler(l, nil)(h),
+ )
+ if l != nil {
+ l.WithError(err).Warn("failed to start debug server")
+ }
+ }()
 }
diff --git a/internal/outpost/ak/api_ws.go b/internal/outpost/ak/api_ws.go
index 9d8d0d265..681b26fa4 100644
--- a/internal/outpost/ak/api_ws.go
+++ b/internal/outpost/ak/api_ws.go
@@ -5,13 +5,13 @@ import (
 "fmt"
 "net/http"
 "net/url"
- "os"
 "strconv"
 "strings"
 "time"
 "github.com/gorilla/websocket"
 "github.com/prometheus/client_golang/prometheus"
+ "goauthentik.io/internal/config"
 "goauthentik.io/internal/constants"
 )
@@ -26,16 +26,11 @@ func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
 "User-Agent": []string{constants.OutpostUserAgent()},
 }
- value, set := os.LookupEnv("AUTHENTIK_INSECURE")
- if !set {
- value = "false"
- }
 dialer := websocket.Dialer{
 Proxy: http.ProxyFromEnvironment,
 HandshakeTimeout: 10 * time.Second,
 TLSClientConfig: &tls.Config{
- InsecureSkipVerify: strings.ToLower(value) == "true",
+ InsecureSkipVerify: config.Get().AuthentikInsecure,
 },
 }
diff --git a/internal/outpost/ak/global.go b/internal/outpost/ak/global.go
index fbe9fb98d..7373463ee 100644
--- a/internal/outpost/ak/global.go
+++ b/internal/outpost/ak/global.go
@@ -3,13 +3,12 @@ package ak
 import (
 "fmt"
 "net/http"
- "os"
- "strings"
 "github.com/getsentry/sentry-go"
 httptransport "github.com/go-openapi/runtime/client"
 log "github.com/sirupsen/logrus"
 "goauthentik.io/api/v3"
+ "goauthentik.io/internal/config"
 "goauthentik.io/internal/constants"
 sentryutils "goauthentik.io/internal/utils/sentry"
 webutils "goauthentik.io/internal/utils/web"
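Review bot: The guard after `http.ListenAndServe` tests `l != nil`, but `l` was already dereferenced two lines earlier (`l.WithField(...).Info(...)`), so the check is dead and the intended condition is almost certainly `if err != nil {`; since `ListenAndServe` only returns on failure the warning itself is right, but the condition should name the error. The new index handler discards the errors of both `w.Write` and `h.Walk`, and building the line with `fmt.Sprintf` of the template plus a newline and then `w.Write` is simply `fmt.Fprintln(w, tpl)`. The route index and the pprof handlers are served without any authentication, gated only by `AUTHENTIK_DEBUG`, so a doc comment on `EnableDebugServer` stating that `Listen.Debug` must stay on a loopback or otherwise trusted interface would help operators. The beginning of `EnableDebugServer` lies outside the hunk.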
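Review bot: Switching `InsecureSkipVerify` to `config.Get().AuthentikInsecure` leaves no trace in the logs that certificate verification of the connection to the core has been turned off, whereas a disabled TLS check is exactly the setting an operator or incident responder wants to be able to spot; a one-line `Warn` on the controller's logger when the flag is true, placed just before `dialer := websocket.Dialer{`, would make it visible. The same applies to `GetTLSTransport` in global.go (the last hunk of this patch), which reads the same field. `initWS` starts and ends outside the hunk.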
@@ -75,12 +74,8 @@ func GetTLSTransport() http.RoundTripper {
 if tlsTransport != nil {
 return *tlsTransport
 }
- value, set := os.LookupEnv("AUTHENTIK_INSECURE")
- if !set {
- value = "false"
- }
 tmp, err := httptransport.TLSTransport(httptransport.TLSClientOptions{
- InsecureSkipVerify: strings.ToLower(value) == "true",
+ InsecureSkipVerify: config.Get().AuthentikInsecure,
 })
 if err != nil {
 panic(err)