Merge branch 'upstream-master' into fix-testcert-generation

Cloud-Foundations · Dec 8, 2024 · 0db1252 · 0db1252
2 parents 869ec71 + 10b9ce0
commit 0db1252
Show file tree

Hide file tree

Showing 52 changed files with 1,191 additions and 921 deletions.
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
@@ -0,0 +1,46 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '17 11 * * 2'
+
+jobs:
+  analyzecover:
+    name: Analyzecover
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: 'stable'
+      - uses: awalsh128/cache-apt-pkgs-action@latest
+        with:
+          packages: gcc pkg-config libudev-dev libudev
+      - name: Gather dependencies
+        run: go mod download
+      - name: Run coverage
+        # disable race condition test for now as it breaks because of the rrdialer
+        #run: go test -race -coverprofile=coverage.txt -covermode=atomic ./...
+        run: go test  -coverprofile=coverage.txt -covermode=atomic ./...
+      - name: Upload coverage reports to Codecov
+        uses: codecov/[email protected]
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,16 +1,71 @@
 on: [push, pull_request]
 name: Test
 jobs:
-  test:
+  testlinux:
     strategy:
       matrix:
-        go-version: [1.21.x]
-        os: [ubuntu-latest, macos-latest]
+        go-version: [1.23.x]
+        os: [ubuntu-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/setup-go@v3
+      with:
+        go-version: ${{ matrix.go-version }}
+    - uses: awalsh128/cache-apt-pkgs-action@latest
+      with:
+        packages: gcc rpm alien rsync pkg-config libudev-dev libudev    
+    - uses: actions/checkout@v3
+    - run: make test
+  testmacos:
+    strategy:
+      matrix:
+        go-version: [1.23.x]
+        os: [macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/setup-go@v3
       with:
         go-version: ${{ matrix.go-version }}
     - uses: actions/checkout@v3
     - run: make test
+  testwindowsclient:
+    strategy:
+      matrix:
+        go-version: [1.23.x]
+        os: [windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/setup-go@v3
+      with:
+        go-version: ${{ matrix.go-version }}
+    - uses: actions/checkout@v3
+    - run: go test -v  ./cmd/keymaster/...
+
+  testwindowsclientlibs:
+    strategy:
+      matrix:
+        go-version: [1.23.x]
+        os: [windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/setup-go@v3
+      with:
+        go-version: ${{ matrix.go-version }}
+    - uses: actions/checkout@v3
+    - run: go test -v  ./lib/client/util/...
+
+  buildlinuxpackage:
+    strategy:
+      matrix:
+        go-version: [1.23.x]
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/setup-go@v3
+      with:
+        go-version: ${{ matrix.go-version }}
+    - uses: awalsh128/cache-apt-pkgs-action@latest
+      with:
+        packages: gcc rpm alien rsync pkg-config libudev-dev libudev
+    - uses: actions/checkout@v3
+    - run: make rpm
 
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
 config.yml
+keymaster.spec
diff --git a/Dockerfile b/Dockerfile
@@ -1,63 +1,43 @@
 #################
 # Build Step
 #################
-
-FROM golang:latest as build
+FROM golang:bookworm as build
 
 # Setup work env
 RUN mkdir -p /app/ /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
 ADD . /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
 WORKDIR /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
 
-
 # Required envs for GO
 ENV GOPATH=/tmp/gocode
 ENV DEBIAN_FRONTEND=noninteractive
 
 # Update and confirm deps
 RUN apt-get update && apt-get -y dist-upgrade && apt-get -y install build-essential
 
-# Install deps
-RUN make get-deps
-
-## Dirty Hack - Remove when https://github.com/golang/go/issues/37278 is closed
-# Compatibility with OpenSSH 8.2 and above
-WORKDIR /tmp/gocode/src/golang.org/x/crypto/
-RUN git config user.email "[email protected]"
-RUN git config user.name "Your Name"
-RUN git pull --no-edit https://go.googlesource.com/crypto refs/changes/37/220037/3
-WORKDIR /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
-## Dirty Hack End
-
 # Build and copy final result
 RUN make
+RUN strip /tmp/gocode/bin/keymaster*
 
 #################
 # Run Step
 #################
-
-FROM debian:buster as run
+FROM debian:bookworm as run
 
 # Copy binary from build container
 COPY --from=build /tmp/gocode/bin/keymasterd /app/keymasterd
 COPY --from=build /tmp/gocode/bin/keymaster-unlocker /app/keymaster-unlocker
 COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/cmd/keymasterd/customization_data /usr/share/keymasterd/customization_data
 COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/cmd/keymasterd/static_files /usr/share/keymasterd/static_files
 
-# Copy docker specific scripts from build container
-COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/misc/docker/start.sh /app/docker/
-
 # Perform update and clear cache
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update
 RUN apt-get -y --no-install-recommends install procps apache2-utils ca-certificates dumb-init
 RUN apt-get -y dist-upgrade && rm -rf /var/cache/apt/*
 
-
-# Install init
-
 # Expose web and LDAP ports
 EXPOSE 80 443 6920
 
 ENTRYPOINT ["/usr/bin/dumb-init", "--"]
-CMD ["/bin/sh", "/app/docker/start.sh"]
+CMD ["/app/keymasterd", "-config", "/etc/keymaster/config.yml", "-alsoLogToStderr"]
diff --git a/Makefile b/Makefile
@@ -10,51 +10,75 @@ endif
 BINARY=keymaster
 
 # These are the values we want to pass for Version and BuildTime
-VERSION=1.15.1
+VERSION?=1.15.5
+DEFAULT_HOST?=
+VERSION_FLAVOUR?=
+EXTRA_LDFLAGS?=
+PRINTVERSION=${VERSION}
+ifneq ($(VERSION_FLAVOUR),)
+PRINTVERSION=${VERSION}-${VERSION_FLAVOUR}
+endif
+DEFAULT_LDFLAGS=-X main.Version=${PRINTVERSION} ${EXTRA_LDFLAGS}
+CLIENT_LDFLAGS=${DEFAULT_LDFLAGS} -X main.defaultHost=${DEFAULT_HOST}
 #BUILD_TIME=`date +%FT%T%z`
 
 # keymaster client requires special tags on linux
-#EXTRA_BUILD_FLAGS 
+EXTRA_BUILD_FLAGS?=
 ifneq ($(OS),Windows_NT)
 	UNAME_S := $(shell uname -s)
 	ifeq ($(UNAME_S),Linux)
 		EXTRA_BUILD_FLAGS+= -tags=hidraw
 	endif
+	CLIENT_DEST?="./cmd/keymaster/"
+	OUTPUT_DIR?=bin/
+else
+	CLIENT_DEST?=".\\\\cmd\\\\keymaster\\\\"
+	OUTPUT_DIR?=bin\\
 endif
 
 
 # Setup the -ldflags option for go build here, interpolate the variable values
 #LDFLAGS=-ldflags "-X github.com/ariejan/roll/core.Version=${VERSION} -X github.com/ariejan/roll/core.BuildTime=${BUILD_TIME}"
 
-all:	init-config-host cmd/keymasterd/binData.go
-	cd cmd/keymaster; go install ${EXTRA_BUILD_FLAGS} -ldflags "-X main.Version=${VERSION}"
-	cd cmd/keymasterd; go install -ldflags "-X main.Version=${VERSION}"
-	cd cmd/keymaster-unlocker; go install -ldflags "-X main.Version=${VERSION}"
-	cd cmd/keymaster-eventmond;  go install -ldflags "-X main.Version=${VERSION}"
+all:	install-client
+	cd cmd/keymasterd; go install -ldflags "${DEFAULT_LDFLAGS}"
+	cd cmd/keymaster-unlocker; go install -ldflags "${DEFAULT_LDFLAGS}"
+	cd cmd/keymaster-eventmond;  go install -ldflags "${DEFAULT_LDFLAGS}"
+
+build:	prebuild
+	go build ${EXTRA_BUILD_FLAGS} -ldflags "${CLIENT_LDFLAGS}" -o $(OUTPUT_DIR) ./...
+
 
-build:	cmd/keymasterd/binData.go
-	go build ${EXTRA_BUILD_FLAGS} -ldflags "-X main.Version=${VERSION}" -o bin/   ./...
+keymaster.spec:
+    ifeq ($(OS), Windows_NT)
+		powershell -Command "Get-Content keymaster.spec.tpl | ForEach-Object { \$$_.Replace('{{VERSION}}', '$(VERSION)') } | Set-Content keymaster.spec"
+    else
+		sed 's/{{VERSION}}/$(VERSION)/g' keymaster.spec.tpl > keymaster.spec;
+    endif
 
-cmd/keymasterd/binData.go:
-	-go-bindata -fs -o cmd/keymasterd/binData.go -prefix cmd/keymasterd/data cmd/keymasterd/data/...
+prebuild: keymaster.spec
+
+install-client:	prebuild
+	cd cmd/keymaster; go install ${EXTRA_BUILD_FLAGS} -ldflags "${CLIENT_LDFLAGS}"
+
+build-client:	prebuild
+	go build -ldflags "${CLIENT_LDFLAGS}" -o $(OUTPUT_DIR) $(CLIENT_DEST)
 
 win-client: client-test
-	 go build -ldflags "-X main.Version=${VERSION}" -o bin .\cmd\keymaster\
+	 go build -ldflags "${CLIENT_LDFLAGS}" -o $(OUTPUT_DIR) .\cmd\keymaster\
 
 client-test:
 	go test -v  ./cmd/keymaster/...
 
-get-deps:	init-config-host
+get-deps:
 	go get -t ./...
 
 clean:
 	rm -f bin/*
 	rm -f keymaster-*.tar.gz
+	rm -f keymaster.spec
 
-init-config-host:
-	@test -f cmd/keymaster/config_host.go || (cp -p templates/config_host_go cmd/keymaster/config_host.go && echo 'Created initial cmd/keymaster/config_host.go')
-
-${BINARY}-${VERSION}.tar.gz:
+${BINARY}-${VERSION}.tar.gz:	prebuild
 	mkdir ${BINARY}-${VERSION}
 	rsync -av --exclude="config.yml" --exclude="*.pem" --exclude="*.out" lib/ ${BINARY}-${VERSION}/lib/
 	rsync -av --exclude="config.yml" --exclude="*.pem" --exclude="*.out" --exclude="*.key" cmd/ ${BINARY}-${VERSION}/cmd/
@@ -71,11 +95,11 @@ rpm:	${BINARY}-${VERSION}.tar.gz
 
 tar:	${BINARY}-${VERSION}.tar.gz
 
-test:	init-config-host
+test:
 	make -f makefile.certs
 	go test ./...
 
-verbose-test:	init-config-host
+verbose-test:
 	go test -v ./...
 
 format:

diff --git a/README.md b/README.md
@@ -1,9 +1,8 @@
 # Keymaster
 
 [![Build Status](https://github.com/Cloud-Foundations/keymaster/actions/workflows/test.yml/badge.svg?query=branch%3Amaster)](https://github.com/Cloud-Foundations/keymaster/actions/workflows/test.yml?query=branch%3Amaster)
-[![Coverage Status](https://coveralls.io/repos/github/Cloud-Foundations/keymaster/badge.svg?branch=master)](https://coveralls.io/github/Cloud-Foundations/keymaster?branch=master)
 
-Keymaster is usable short-term certificate based identity system. With a primary goal to be a single-sign-on (with optional second factor with [Symantec VIP](https://vip.symantec.com/), [U2F](https://fidoalliance.org/specifications/overview/) tokens or [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) compatible apps ([FreeOTP](https://freeotp.github.io/)/google authenticator ) ) for CLI operations (both SSHD and TLS).
+Keymaster is usable short-term certificate based identity system. With a primary goal to be a single-sign-on (with optional second factor with [Symantec VIP](https://vip.symantec.com/), [U2F](https://fidoalliance.org/specifications/overview/) tokens, [OKTA](https://developer.okta.com/docs/reference/api/authn/)  (requires using also using OKTA for password), or [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) compatible apps ([FreeOTP](https://freeotp.github.io/)/google authenticator ) ) for CLI operations (both SSHD and TLS).
 
 As a secondary role keymaster is compliant openidc provider intended for easy use for internal web based applications.
 
@@ -39,7 +38,7 @@ In addition for linux you will also need:
 * pkg-config
 * libudev-dev
 
-For Windows (both gcc and gnu-make) use: [TDM-GCC (64 bit)](https://sourceforge.net/projects/tdm-gcc/). Recent windows builds fail  when using TDM-GCC 5.x. Successful builds are known with golang 1.16.X and gcc 10.X.
+For Windows (both gcc and gnu-make) use: [TDM-GCC (64 bit)](https://sourceforge.net/projects/tdm-gcc/). Recent windows builds fail  when using TDM-GCC 5.x. Successful builds are known with golang 1.21.X and gcc 10.X.
 
 #### Building
 1. make get-deps

diff --git a/cmd/keymaster-unlocker/main.go b/cmd/keymaster-unlocker/main.go
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"crypto/tls"
+	"errors"
 	"flag"
 	"fmt"
 	"io/ioutil"
@@ -16,7 +17,7 @@ import (
 
 	"github.com/Cloud-Foundations/Dominator/lib/log/cmdlogger"
 	"github.com/Cloud-Foundations/golib/pkg/log"
-	"github.com/howeyc/gopass"
+	"golang.org/x/term"
 )
 
 var (
@@ -32,6 +33,8 @@ var (
 	retryInterval = flag.Duration("retryInterval", 0, "If > 0: retry")
 )
 
+const maxPasswordLength = 512
+
 func Usage() {
 	fmt.Fprintf(os.Stderr, "Usage of %s (version %s):\n", os.Args[0], Version)
 	flag.PrintDefaults()
@@ -40,10 +43,18 @@ func Usage() {
 func getPassword(password string) (string, error) {
 	if password == "" {
 		fmt.Printf("Password for unlocking %s: ", *keymasterHostname)
-		passwd, err := gopass.GetPasswd()
+		passwd, err := term.ReadPassword(int(os.Stdin.Fd()))
+
+		// Add a newline after the password input
+		fmt.Println()
+
 		if err != nil {
 			return "", err
-			// Handle gopass.ErrInterrupted or getch() read error
+		}
+
+		// Check password length
+		if len(password) > maxPasswordLength {
+			return "", errors.New("maximum length exceeded")
 		}
 		password = string(passwd)
 	}