updated dependencies and posix expansion for values (#209)

* updated dependencies and posix expansion for values

* update codeql workflow

* enhanced readme.md

.github/workflows/codeql-analysis.yml

@@ -36,11 +36,16 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
+
+    - name: Install Go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: go.mod
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -51,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -65,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

.github/workflows/test.yml

@@ -4,7 +4,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.20.x]
+        go-version: [1.21.x]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:

README.md

@@ -31,7 +31,7 @@ Pre-build binaries (both RPM and DEB) can be found here: [releases page](https:/
 ### Building from Source
 
 #### Prerequisites
-* go >= 1.13
+* go >= 1.21
 * make
 * gcc
 
@@ -68,6 +68,7 @@ Notice: Keymaster has a bug where the directory locations are not written correc
 ##### Supported backend authentication methods
 Several authentication methods are supported by the `keymasterd` service. You can separately specify which authentication methods you accept for the web backend (`allowed_auth_backends_for_webui`) and for obtaining certificates (`allowed_auth_backends_for_certs`).
 * **LDAP**: For LDAP the `bind_pattern` is a printf string where `%s` is the place where the username will be substituted. For example for an 389ds/openldap string might be: `"uid=%s,ou=People,dc=example,dc=com`. To leverage LDAP authentication set the appropriate `allowed_auth_*` setting to `["ldap"]`.
+* **OKTA** Keymasted can also use the public api for okta authentication, for both password and MFA (including both pushed and codes)
 * **Apache htpass**: The `passfile.htpass` file contains the usernames and their passwords allowed to access the `keymasterd` web interface. New users can be added via the following command: `htpasswd -B /etc/keymaster/passfile.htpass <username>`. `htpasswd` is distributed via the `httpd-tools` package. Keymaster will only accept htpass files that store BCRYPT encrypted credentials. To use Apache password files to authenticate users to the web interface set the following configuration item: `allowed_auth_*` to `["password"]`
 * **U2F tokens**: To enable U2F tokens set set the appropriate `allowed_auth_*` setting to `["U2F"]``
 * **VIP Manager**: To enable VIP Manager set set the appropriate `allowed_auth_*` setting to `["SymantecVIP"]`
@@ -79,6 +80,10 @@ Keymaster supports SQLite and PostgreSQL to store u2f tokens or username and pas
 To use keymasterd as an openid connect IDP please consult the documents
 [here](docs/website/openidc-idp.md)
 
+##### SSH Cerfificate exteansion expansion
+Some systems like github.com allow the use of ssh certificates to authenticate users. To do so it is required to have speficic extensions in the ssh certificate. To accomodate this we have a bash like extension mechanism for expanding the username (some deployments require prefixes and some require some character subsituttions). We use posix expression expanding system, but we also reserve the pipe "|" so that we can do some future expansions.
+As of Feb 2024 only character replacement is part of the test-suite, so any other more complicated replacements are not considered forward compatible (as in the configuration may as expected in future versions).
+
 #### keymaster-unlocker
 The `keymaster-unlocker` binary allows you to 'unseal' the Keymaster environment. This binary requires a client side certificate signed by the adminCA.
 
@@ -98,7 +103,7 @@ patents and contracts.
 ## LICENSE
 Copyright 2016-2019 Symantec Corporation.
 
-Copyright 2019-2021 Cloud-Foundations.org
+Copyright 2019-2024 Cloud-Foundations.org
 
 Licensed under the Apache License, Version 2.0 (the “License”); you
 may not use this file except in compliance with the License.

cmd/keymasterd/certgen.go

@@ -8,11 +8,12 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"os"
 	"regexp"
 	"strings"
 	"time"
 
+	"mvdan.cc/sh/v3/shell"
+
 	"github.com/Cloud-Foundations/keymaster/lib/authutil"
 	"github.com/Cloud-Foundations/keymaster/lib/certgen"
 	"github.com/Cloud-Foundations/keymaster/lib/instrumentedwriter"
@@ -217,8 +218,14 @@ func (state *RuntimeState) expandSSHExtensions(username string) (map[string]stri
 	}
 	userExtensions := make(map[string]string)
 	for _, extension := range state.Config.Base.SSHCertConfig.Extensions {
-		key := os.Expand(extension.Key, mapper)
-		value := os.Expand(extension.Value, mapper)
+		key, err := shell.Expand(extension.Key, mapper)
+		if err != nil {
+			return nil, err
+		}
+		value, err := shell.Expand(extension.Value, mapper)
+		if err != nil {
+			return nil, err
+		}
 		userExtensions[key] = value
 	}
 

cmd/keymasterd/certgen_test.go

@@ -227,7 +227,7 @@ func TestGenSSHEd25519(t *testing.T) {
 
 }
 
-func TestExpandSSHExtensions(t *testing.T) {
+func TestExpandSSHExtensionsSimple(t *testing.T) {
 	state, passwdFile, err := setupValidRuntimeStateSigner(t)
 	if err != nil {
 		t.Fatal(err)
@@ -267,3 +267,41 @@ func TestExpandSSHExtensions(t *testing.T) {
 		}
 	}
 }
+
+func TestExpandSSHExtensionsReplace(t *testing.T) {
+	state, passwdFile, err := setupValidRuntimeStateSigner(t)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.Remove(passwdFile.Name()) // clean up
+
+	expansionTest := map[string]string{
+		"username":  "username",
+		".username": "-username",
+		"username.": "username-",
+		"user.name": "user-name",
+	}
+	for username, expected := range expansionTest {
+		state.Config.Base.SSHCertConfig.Extensions = []sshExtension{
+			sshExtension{
+				Key:   "somekey",
+				Value: "${USERNAME/./-}",
+			},
+		}
+		extensions, err := state.expandSSHExtensions(username)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if extensions == nil {
+			t.Fatal("nil extension")
+		}
+		if len(state.Config.Base.SSHCertConfig.Extensions) != len(extensions) {
+			t.Fatal("incomplete expansion")
+		}
+		for _, value := range extensions {
+			if value != expected {
+				t.Fatalf("Expansion does not match got %s expected %s, username=%s", value, expected, username)
+			}
+		}
+	}
+}

go.mod

@@ -1,6 +1,8 @@
 module github.com/Cloud-Foundations/keymaster
 
-go 1.18
+go 1.21
+
+toolchain go1.22.0
 
 replace github.com/bearsh/hid v1.3.0 => github.com/bearsh/hid v1.5.0
 
@@ -29,13 +31,14 @@ require (
 	github.com/prometheus/client_golang v1.17.0
 	github.com/tstranex/u2f v1.0.0
 	github.com/vjeantet/ldapserver v1.0.1
-	golang.org/x/crypto v0.13.0
-	golang.org/x/net v0.15.0
+	golang.org/x/crypto v0.18.0
+	golang.org/x/net v0.20.0
 	golang.org/x/oauth2 v0.12.0
-	golang.org/x/term v0.12.0
+	golang.org/x/term v0.17.0
 	gopkg.in/ldap.v2 v2.5.1
 	gopkg.in/square/go-jose.v2 v2.6.0
 	gopkg.in/yaml.v2 v2.4.0
+	mvdan.cc/sh/v3 v3.8.0
 )
 
 require (
@@ -91,10 +94,10 @@ require (
 	github.com/prometheus/common v0.44.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/sys v0.17.0 // indirect
 	golang.org/x/time v0.3.0
-	golang.org/x/tools v0.13.0 // indirect
+	golang.org/x/tools v0.17.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect