Skip to content

Commit

Permalink
Merge remote-tracking branch 'upstream/master' into keymaster-tool
Browse files Browse the repository at this point in the history
  • Loading branch information
cviecco committed Aug 1, 2024
2 parents 8f94af9 + fb0dbe7 commit d9ee25c
Show file tree
Hide file tree
Showing 73 changed files with 3,981 additions and 1,298 deletions.
43 changes: 43 additions & 0 deletions .github/workflows/codecov.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
name: "CodeQL"

on:
push:
branches: [ master ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ master ]
schedule:
- cron: '17 11 * * 2'

jobs:
analyzecover:
name: Analyzecover
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false
matrix:
language: [ 'go' ]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
# Learn more about CodeQL language support at https://git.io/codeql-language-support

steps:
- name: Checkout repository
uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: 'stable'
- name: Gather dependencies
run: go mod download
- name: Run coverage
# disable race condition test for now as it breaks because of the rrdialer
#run: go test -race -coverprofile=coverage.txt -covermode=atomic ./...
run: go test -coverprofile=coverage.txt -covermode=atomic ./...
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v4.0.1
with:
token: ${{ secrets.CODECOV_TOKEN }}
13 changes: 9 additions & 4 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -36,11 +36,16 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@v3

- name: Install Go
uses: actions/setup-go@v4
with:
go-version-file: go.mod

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -51,7 +56,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v1
uses: github/codeql-action/autobuild@v2

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
Expand All @@ -65,4 +70,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
uses: github/codeql-action/analyze@v2
30 changes: 30 additions & 0 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
on: [push, pull_request]
name: Test
jobs:
test:
strategy:
matrix:
go-version: [1.22.x]
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/setup-go@v3
with:
go-version: ${{ matrix.go-version }}
- uses: actions/checkout@v3
- run: make test
buildlinuxpackage:
strategy:
matrix:
go-version: [1.22.x]
runs-on: ubuntu-latest
steps:
- uses: actions/setup-go@v3
with:
go-version: ${{ matrix.go-version }}
- uses: awalsh128/cache-apt-pkgs-action@latest
with:
packages: gcc rpm alien rsync pkg-config libudev-dev
- uses: actions/checkout@v3
- run: make rpm

1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
config.yml
keymaster.spec
28 changes: 4 additions & 24 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,63 +1,43 @@
#################
# Build Step
#################

FROM golang:latest as build
FROM golang:bookworm as build

# Setup work env
RUN mkdir -p /app/ /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
ADD . /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
WORKDIR /tmp/gocode/src/github.com/Cloud-Foundations/keymaster


# Required envs for GO
ENV GOPATH=/tmp/gocode
ENV DEBIAN_FRONTEND=noninteractive

# Update and confirm deps
RUN apt-get update && apt-get -y dist-upgrade && apt-get -y install build-essential

# Install deps
RUN make get-deps

## Dirty Hack - Remove when https://github.com/golang/go/issues/37278 is closed
# Compatibility with OpenSSH 8.2 and above
WORKDIR /tmp/gocode/src/golang.org/x/crypto/
RUN git config user.email "you@example.com"
RUN git config user.name "Your Name"
RUN git pull --no-edit https://go.googlesource.com/crypto refs/changes/37/220037/3
WORKDIR /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
## Dirty Hack End

# Build and copy final result
RUN make
RUN strip /tmp/gocode/bin/keymaster*

#################
# Run Step
#################

FROM debian:buster as run
FROM debian:bookworm as run

# Copy binary from build container
COPY --from=build /tmp/gocode/bin/keymasterd /app/keymasterd
COPY --from=build /tmp/gocode/bin/keymaster-unlocker /app/keymaster-unlocker
COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/cmd/keymasterd/customization_data /usr/share/keymasterd/customization_data
COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/cmd/keymasterd/static_files /usr/share/keymasterd/static_files

# Copy docker specific scripts from build container
COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/misc/docker/start.sh /app/docker/

# Perform update and clear cache
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update
RUN apt-get -y --no-install-recommends install procps apache2-utils ca-certificates dumb-init
RUN apt-get -y dist-upgrade && rm -rf /var/cache/apt/*


# Install init

# Expose web and LDAP ports
EXPOSE 80 443 6920

ENTRYPOINT ["/usr/bin/dumb-init", "--"]
CMD ["/bin/sh", "/app/docker/start.sh"]
CMD ["/app/keymasterd", "-config", "/etc/keymaster/config.yml", "-alsoLogToStderr"]
77 changes: 61 additions & 16 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -10,38 +10,83 @@ endif
BINARY=keymaster

# These are the values we want to pass for Version and BuildTime
VERSION=1.10.0
VERSION?=1.15.4
DEFAULT_HOST?=
VERSION_FLAVOUR?=
EXTRA_LDFLAGS?=
PRINTVERSION=${VERSION}
ifneq ($(VERSION_FLAVOUR),)
PRINTVERSION=${VERSION}-${VERSION_FLAVOUR}
endif
DEFAULT_LDFLAGS=-X main.Version=${PRINTVERSION} ${EXTRA_LDFLAGS}
CLIENT_LDFLAGS=${DEFAULT_LDFLAGS} -X main.defaultHost=${DEFAULT_HOST}
#BUILD_TIME=`date +%FT%T%z`

# keymaster client requires special tags on linux
EXTRA_BUILD_FLAGS?=
ifneq ($(OS),Windows_NT)
UNAME_S := $(shell uname -s)
ifeq ($(UNAME_S),Linux)
EXTRA_BUILD_FLAGS+= -tags=hidraw
endif
CLIENT_DEST?="./cmd/keymaster/"
OUTPUT_DIR?=bin/
else
CLIENT_DEST?=".\\\\cmd\\\\keymaster\\\\"
OUTPUT_DIR?=bin\\
endif


# Setup the -ldflags option for go build here, interpolate the variable values
#LDFLAGS=-ldflags "-X github.com/ariejan/roll/core.Version=${VERSION} -X github.com/ariejan/roll/core.BuildTime=${BUILD_TIME}"

all: init-config-host keymasterd-bin-data
cd $(GOPATH)/src; go install -ldflags "-X main.Version=${VERSION}" github.com/Cloud-Foundations/keymaster/cmd/*
all: install-client
cd cmd/keymasterd; go install -ldflags "${DEFAULT_LDFLAGS}"
cd cmd/keymaster-unlocker; go install -ldflags "${DEFAULT_LDFLAGS}"
cd cmd/keymaster-eventmond; go install -ldflags "${DEFAULT_LDFLAGS}"

build: prebuild
go build ${EXTRA_BUILD_FLAGS} -ldflags "${CLIENT_LDFLAGS}" -o $(OUTPUT_DIR) ./...

keymasterd-bin-data:
-go-bindata -fs -o cmd/keymasterd/binData.go -prefix cmd/keymasterd/data cmd/keymasterd/data/...

win-client:
cd $(GOPATH)\src && go install -ldflags "-X main.Version=${VERSION}" github.com\Cloud-Foundations\keymaster\cmd\keymaster
cd $(GOPATH)\src\github.com\Cloud-Foundations\keymaster\cmd\keymaster && go test -v ./...
keymaster.spec:
ifeq ($(OS), Windows_NT)
powershell -Command "Get-Content keymaster.spec.tpl | ForEach-Object { \$$_.Replace('{{VERSION}}', '$(VERSION)') } | Set-Content keymaster.spec"
else
sed 's/{{VERSION}}/$(VERSION)/g' keymaster.spec.tpl > keymaster.spec;
endif

get-deps: init-config-host
prebuild: keymaster.spec

install-client: prebuild
cd cmd/keymaster; go install ${EXTRA_BUILD_FLAGS} -ldflags "${CLIENT_LDFLAGS}"

build-client: prebuild
go build -ldflags "${CLIENT_LDFLAGS}" -o $(OUTPUT_DIR) $(CLIENT_DEST)

win-client: client-test
go build -ldflags "${CLIENT_LDFLAGS}" -o $(OUTPUT_DIR) .\cmd\keymaster\

client-test:
go test -v ./cmd/keymaster/...

get-deps:
go get -t ./...

clean:
rm -f bin/*
rm -f keymaster-*.tar.gz
rm -f keymaster.spec

init-config-host:
@test -f cmd/keymaster/config_host.go || (cp -p templates/config_host_go cmd/keymaster/config_host.go && echo 'Created initial cmd/keymaster/config_host.go')

${BINARY}-${VERSION}.tar.gz:
${BINARY}-${VERSION}.tar.gz: prebuild
mkdir ${BINARY}-${VERSION}
rsync -av --exclude="config.yml" --exclude="*.pem" --exclude="*.out" lib/ ${BINARY}-${VERSION}/lib/
rsync -av --exclude="config.yml" --exclude="*.pem" --exclude="*.out" --exclude="*.key" cmd/ ${BINARY}-${VERSION}/cmd/
rsync -av misc/ ${BINARY}-${VERSION}/misc/
cp LICENSE Makefile keymaster.spec README.md ${BINARY}-${VERSION}/
rsync -av proto/ ${BINARY}-${VERSION}/proto/
rsync -av keymasterd/ ${BINARY}-${VERSION}/keymasterd/
rsync -av eventmon/ ${BINARY}-${VERSION}/eventmon/
cp -p LICENSE Makefile keymaster.spec README.md go.mod go.sum ${BINARY}-${VERSION}/
tar -cvzf ${BINARY}-${VERSION}.tar.gz ${BINARY}-${VERSION}/
rm -rf ${BINARY}-${VERSION}/

Expand All @@ -50,11 +95,11 @@ rpm: ${BINARY}-${VERSION}.tar.gz

tar: ${BINARY}-${VERSION}.tar.gz

test: init-config-host
test:
make -f makefile.certs
go test ./...

verbose-test: init-config-host
verbose-test:
go test -v ./...

format:
Expand Down
22 changes: 15 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,9 +1,8 @@
# Keymaster
[![Build Status](https://travis-ci.org/Cloud-Foundations/keymaster.svg?branch=master)](https://travis-ci.org/Cloud-Foundations/keymaster)
[![Coverage Status](https://coveralls.io/repos/github/Cloud-Foundations/keymaster/badge.svg?branch=master)](https://coveralls.io/github/Cloud-Foundations/keymaster?branch=master)
[![Go Report Card](https://goreportcard.com/badge/github.com/Cloud-Foundations/keymaster)](https://goreportcard.com/report/github.com/Cloud-Foundations/keymaster)

Keymaster is usable short-term certificate based identity system. With a primary goal to be a single-sign-on (with optional second factor with [Symantec VIP](https://vip.symantec.com/), [U2F](https://fidoalliance.org/specifications/overview/) tokens or [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) compatible apps ([FreeOTP](https://freeotp.github.io/)/google authenticator ) ) for CLI operations (both SSHD and TLS).
[![Build Status](https://github.com/Cloud-Foundations/keymaster/actions/workflows/test.yml/badge.svg?query=branch%3Amaster)](https://github.com/Cloud-Foundations/keymaster/actions/workflows/test.yml?query=branch%3Amaster)

Keymaster is usable short-term certificate based identity system. With a primary goal to be a single-sign-on (with optional second factor with [Symantec VIP](https://vip.symantec.com/), [U2F](https://fidoalliance.org/specifications/overview/) tokens, [OKTA](https://developer.okta.com/docs/reference/api/authn/) (requires using also using OKTA for password), or [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) compatible apps ([FreeOTP](https://freeotp.github.io/)/google authenticator ) ) for CLI operations (both SSHD and TLS).

As a secondary role keymaster is compliant openidc provider intended for easy use for internal web based applications.

Expand Down Expand Up @@ -31,11 +30,15 @@ Pre-build binaries (both RPM and DEB) can be found here: [releases page](https:/
### Building from Source

#### Prerequisites
* go >= 1.13
* go >= 1.21
* make
* gcc

For Windows (both gcc and gnu-make) use: [TDM-GCC (64 bit)](https://sourceforge.net/projects/tdm-gcc/).
In addition for linux you will also need:
* pkg-config
* libudev-dev

For Windows (both gcc and gnu-make) use: [TDM-GCC (64 bit)](https://sourceforge.net/projects/tdm-gcc/). Recent windows builds fail when using TDM-GCC 5.x. Successful builds are known with golang 1.21.X and gcc 10.X.

#### Building
1. make get-deps
Expand Down Expand Up @@ -68,6 +71,7 @@ Notice: Keymaster has a bug where the directory locations are not written correc
##### Supported backend authentication methods
Several authentication methods are supported by the `keymasterd` service. You can separately specify which authentication methods you accept for the web backend (`allowed_auth_backends_for_webui`) and for obtaining certificates (`allowed_auth_backends_for_certs`).
* **LDAP**: For LDAP the `bind_pattern` is a printf string where `%s` is the place where the username will be substituted. For example for an 389ds/openldap string might be: `"uid=%s,ou=People,dc=example,dc=com`. To leverage LDAP authentication set the appropriate `allowed_auth_*` setting to `["ldap"]`.
* **OKTA** Keymasted can also use the public api for okta authentication, for both password and MFA (including both pushed and codes)
* **Apache htpass**: The `passfile.htpass` file contains the usernames and their passwords allowed to access the `keymasterd` web interface. New users can be added via the following command: `htpasswd -B /etc/keymaster/passfile.htpass <username>`. `htpasswd` is distributed via the `httpd-tools` package. Keymaster will only accept htpass files that store BCRYPT encrypted credentials. To use Apache password files to authenticate users to the web interface set the following configuration item: `allowed_auth_*` to `["password"]`
* **U2F tokens**: To enable U2F tokens set set the appropriate `allowed_auth_*` setting to `["U2F"]``
* **VIP Manager**: To enable VIP Manager set set the appropriate `allowed_auth_*` setting to `["SymantecVIP"]`
Expand All @@ -79,6 +83,10 @@ Keymaster supports SQLite and PostgreSQL to store u2f tokens or username and pas
To use keymasterd as an openid connect IDP please consult the documents
[here](docs/website/openidc-idp.md)

##### SSH Cerfificate exteansion expansion
Some systems like github.com allow the use of ssh certificates to authenticate users. To do so it is required to have speficic extensions in the ssh certificate. To accomodate this we have a bash like extension mechanism for expanding the username (some deployments require prefixes and some require some character subsituttions). We use posix expression expanding system, but we also reserve the pipe "|" so that we can do some future expansions.
As of Feb 2024 only character replacement is part of the test-suite, so any other more complicated replacements are not considered forward compatible (as in the configuration may as expected in future versions).

#### keymaster-unlocker
The `keymaster-unlocker` binary allows you to 'unseal' the Keymaster environment. This binary requires a client side certificate signed by the adminCA.

Expand All @@ -98,7 +106,7 @@ patents and contracts.
## LICENSE
Copyright 2016-2019 Symantec Corporation.

Copyright 2019-2021 Cloud-Foundations.org
Copyright 2019-2024 Cloud-Foundations.org

Licensed under the Apache License, Version 2.0 (the “License”); you
may not use this file except in compliance with the License.
Expand Down
3 changes: 2 additions & 1 deletion cmd/keymaster-unlocker/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,8 @@ func main() {
logger.Fatal(err)
}
// Setup HTTPS clients.
tlsConfig := &tls.Config{Certificates: []tls.Certificate{cert}}
tlsConfig := &tls.Config{Certificates: []tls.Certificate{cert},
MinVersion: tls.VersionTLS12}
tlsConfig.BuildNameToCertificate()
clients := makeClients(addrs, tlsConfig)
var password string
Expand Down
Loading

0 comments on commit d9ee25c

Please sign in to comment.