fix merge

.github/workflows/codecov.yml

@@ -0,0 +1,43 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '17 11 * * 2'
+
+jobs:
+  analyzecover:
+    name: Analyzecover
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: 'stable'
+      - name: Gather dependencies
+        run: go mod download
+      - name: Run coverage
+        # disable race condition test for now as it breaks because of the rrdialer
+        #run: go test -race -coverprofile=coverage.txt -covermode=atomic ./...
+        run: go test  -coverprofile=coverage.txt -covermode=atomic ./...
+      - name: Upload coverage reports to Codecov
+        uses: codecov/[email protected]
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/codeql-analysis.yml

@@ -36,11 +36,16 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
+
+    - name: Install Go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: go.mod
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -51,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -65,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

.github/workflows/test.yml

@@ -4,7 +4,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.17.x]
+        go-version: [1.22.x]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -13,4 +13,18 @@ jobs:
         go-version: ${{ matrix.go-version }}
     - uses: actions/checkout@v3
     - run: make test
+  buildlinuxpackage:
+    strategy:
+      matrix:
+        go-version: [1.22.x]
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/setup-go@v3
+      with:
+        go-version: ${{ matrix.go-version }}
+    - uses: awalsh128/cache-apt-pkgs-action@latest
+      with:
+        packages: gcc rpm alien rsync pkg-config libudev-dev
+    - uses: actions/checkout@v3
+    - run: make rpm
 

.gitignore

@@ -1 +1,2 @@
 config.yml
+keymaster.spec

Dockerfile

@@ -1,63 +1,43 @@
 #################
 # Build Step
 #################
-
-FROM golang:latest as build
+FROM golang:bookworm as build
 
 # Setup work env
 RUN mkdir -p /app/ /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
 ADD . /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
 WORKDIR /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
 
-
 # Required envs for GO
 ENV GOPATH=/tmp/gocode
 ENV DEBIAN_FRONTEND=noninteractive
 
 # Update and confirm deps
 RUN apt-get update && apt-get -y dist-upgrade && apt-get -y install build-essential
 
-# Install deps
-RUN make get-deps
-
-## Dirty Hack - Remove when https://github.com/golang/go/issues/37278 is closed
-# Compatibility with OpenSSH 8.2 and above
-WORKDIR /tmp/gocode/src/golang.org/x/crypto/
-RUN git config user.email "[email protected]"
-RUN git config user.name "Your Name"
-RUN git pull --no-edit https://go.googlesource.com/crypto refs/changes/37/220037/3
-WORKDIR /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
-## Dirty Hack End
-
 # Build and copy final result
 RUN make
+RUN strip /tmp/gocode/bin/keymaster*
 
 #################
 # Run Step
 #################
-
-FROM debian:buster as run
+FROM debian:bookworm as run
 
 # Copy binary from build container
 COPY --from=build /tmp/gocode/bin/keymasterd /app/keymasterd
 COPY --from=build /tmp/gocode/bin/keymaster-unlocker /app/keymaster-unlocker
 COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/cmd/keymasterd/customization_data /usr/share/keymasterd/customization_data
 COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/cmd/keymasterd/static_files /usr/share/keymasterd/static_files
 
-# Copy docker specific scripts from build container
-COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/misc/docker/start.sh /app/docker/
-
 # Perform update and clear cache
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update
 RUN apt-get -y --no-install-recommends install procps apache2-utils ca-certificates dumb-init
 RUN apt-get -y dist-upgrade && rm -rf /var/cache/apt/*
 
-
-# Install init
-
 # Expose web and LDAP ports
 EXPOSE 80 443 6920
 
 ENTRYPOINT ["/usr/bin/dumb-init", "--"]
-CMD ["/bin/sh", "/app/docker/start.sh"]
+CMD ["/app/keymasterd", "-config", "/etc/keymaster/config.yml", "-alsoLogToStderr"]

Makefile

@@ -10,41 +10,74 @@ endif
 BINARY=keymaster
 
 # These are the values we want to pass for Version and BuildTime
-VERSION=1.10.3
+VERSION?=1.15.4
+DEFAULT_HOST?=
+VERSION_FLAVOUR?=
+EXTRA_LDFLAGS?=
+PRINTVERSION=${VERSION}
+ifneq ($(VERSION_FLAVOUR),)
+PRINTVERSION=${VERSION}-${VERSION_FLAVOUR}
+endif
+DEFAULT_LDFLAGS=-X main.Version=${PRINTVERSION} ${EXTRA_LDFLAGS}
+CLIENT_LDFLAGS=${DEFAULT_LDFLAGS} -X main.defaultHost=${DEFAULT_HOST}
 #BUILD_TIME=`date +%FT%T%z`
 
+# keymaster client requires special tags on linux
+EXTRA_BUILD_FLAGS?=
+ifneq ($(OS),Windows_NT)
+	UNAME_S := $(shell uname -s)
+	ifeq ($(UNAME_S),Linux)
+		EXTRA_BUILD_FLAGS+= -tags=hidraw
+	endif
+	CLIENT_DEST?="./cmd/keymaster/"
+	OUTPUT_DIR?=bin/
+else
+	CLIENT_DEST?=".\\\\cmd\\\\keymaster\\\\"
+	OUTPUT_DIR?=bin\\
+endif
+
+
 # Setup the -ldflags option for go build here, interpolate the variable values
 #LDFLAGS=-ldflags "-X github.com/ariejan/roll/core.Version=${VERSION} -X github.com/ariejan/roll/core.BuildTime=${BUILD_TIME}"
 
-all:	init-config-host cmd/keymasterd/binData.go
-	cd cmd/keymaster; go install -ldflags "-X main.Version=${VERSION}"
-	cd cmd/keymasterd; go install -ldflags "-X main.Version=${VERSION}"
-	cd cmd/keymaster-unlocker; go install -ldflags "-X main.Version=${VERSION}"
-	cd cmd/keymaster-eventmond;  go install -ldflags "-X main.Version=${VERSION}"
+all:	install-client
+	cd cmd/keymasterd; go install -ldflags "${DEFAULT_LDFLAGS}"
+	cd cmd/keymaster-unlocker; go install -ldflags "${DEFAULT_LDFLAGS}"
+	cd cmd/keymaster-eventmond;  go install -ldflags "${DEFAULT_LDFLAGS}"
 
-build:	cmd/keymasterd/binData.go
-	go build -ldflags "-X main.Version=${VERSION}" -o bin/   ./...
+build:	prebuild
+	go build ${EXTRA_BUILD_FLAGS} -ldflags "${CLIENT_LDFLAGS}" -o $(OUTPUT_DIR) ./...
 
-cmd/keymasterd/binData.go:
-	-go-bindata -fs -o cmd/keymasterd/binData.go -prefix cmd/keymasterd/data cmd/keymasterd/data/...
+
+keymaster.spec:
+    ifeq ($(OS), Windows_NT)
+		powershell -Command "Get-Content keymaster.spec.tpl | ForEach-Object { \$$_.Replace('{{VERSION}}', '$(VERSION)') } | Set-Content keymaster.spec"
+    else
+		sed 's/{{VERSION}}/$(VERSION)/g' keymaster.spec.tpl > keymaster.spec;
+    endif
+
+prebuild: keymaster.spec
+
+install-client:	prebuild
+	cd cmd/keymaster; go install ${EXTRA_BUILD_FLAGS} -ldflags "${CLIENT_LDFLAGS}"
+
+build-client:	prebuild
+	go build -ldflags "${CLIENT_LDFLAGS}" -o $(OUTPUT_DIR) $(CLIENT_DEST)
 
 win-client: client-test
-	 go build -ldflags "-X main.Version=${VERSION}" -o bin .\cmd\keymaster\
+	 go build -ldflags "${CLIENT_LDFLAGS}" -o $(OUTPUT_DIR) .\cmd\keymaster\
 
 client-test:
 	go test -v  ./cmd/keymaster/...
 
-get-deps:	init-config-host
+get-deps:
 	go get -t ./...
 
 clean:
 	rm -f bin/*
 	rm -f keymaster-*.tar.gz
 
-init-config-host:
-	@test -f cmd/keymaster/config_host.go || (cp -p templates/config_host_go cmd/keymaster/config_host.go && echo 'Created initial cmd/keymaster/config_host.go')
-
-${BINARY}-${VERSION}.tar.gz:
+${BINARY}-${VERSION}.tar.gz:	prebuild
 	mkdir ${BINARY}-${VERSION}
 	rsync -av --exclude="config.yml" --exclude="*.pem" --exclude="*.out" lib/ ${BINARY}-${VERSION}/lib/
 	rsync -av --exclude="config.yml" --exclude="*.pem" --exclude="*.out" --exclude="*.key" cmd/ ${BINARY}-${VERSION}/cmd/
@@ -61,11 +94,11 @@ rpm:	${BINARY}-${VERSION}.tar.gz
 
 tar:	${BINARY}-${VERSION}.tar.gz
 
-test:	init-config-host
+test:
 	make -f makefile.certs
 	go test ./...
 
-verbose-test:	init-config-host
+verbose-test:
 	go test -v ./...
 
 format:

README.md

@@ -1,9 +1,8 @@
 # Keymaster
 
 [![Build Status](https://github.com/Cloud-Foundations/keymaster/actions/workflows/test.yml/badge.svg?query=branch%3Amaster)](https://github.com/Cloud-Foundations/keymaster/actions/workflows/test.yml?query=branch%3Amaster)
-[![Coverage Status](https://coveralls.io/repos/github/Cloud-Foundations/keymaster/badge.svg?branch=master)](https://coveralls.io/github/Cloud-Foundations/keymaster?branch=master)
 
-Keymaster is usable short-term certificate based identity system. With a primary goal to be a single-sign-on (with optional second factor with [Symantec VIP](https://vip.symantec.com/), [U2F](https://fidoalliance.org/specifications/overview/) tokens or [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) compatible apps ([FreeOTP](https://freeotp.github.io/)/google authenticator ) ) for CLI operations (both SSHD and TLS).
+Keymaster is usable short-term certificate based identity system. With a primary goal to be a single-sign-on (with optional second factor with [Symantec VIP](https://vip.symantec.com/), [U2F](https://fidoalliance.org/specifications/overview/) tokens, [OKTA](https://developer.okta.com/docs/reference/api/authn/)  (requires using also using OKTA for password), or [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) compatible apps ([FreeOTP](https://freeotp.github.io/)/google authenticator ) ) for CLI operations (both SSHD and TLS).
 
 As a secondary role keymaster is compliant openidc provider intended for easy use for internal web based applications.
 
@@ -31,11 +30,15 @@ Pre-build binaries (both RPM and DEB) can be found here: [releases page](https:/
 ### Building from Source
 
 #### Prerequisites
-* go >= 1.13
+* go >= 1.21
 * make
 * gcc
 
-For Windows (both gcc and gnu-make) use: [TDM-GCC (64 bit)](https://sourceforge.net/projects/tdm-gcc/). Recent windows builds fail  when using TDM-GCC 5.x. Successful builds are known with golang 1.16.X and gcc 10.X.
+In addition for linux you will also need:
+* pkg-config
+* libudev-dev
+
+For Windows (both gcc and gnu-make) use: [TDM-GCC (64 bit)](https://sourceforge.net/projects/tdm-gcc/). Recent windows builds fail  when using TDM-GCC 5.x. Successful builds are known with golang 1.21.X and gcc 10.X.
 
 #### Building
 1. make get-deps
@@ -68,6 +71,7 @@ Notice: Keymaster has a bug where the directory locations are not written correc
 ##### Supported backend authentication methods
 Several authentication methods are supported by the `keymasterd` service. You can separately specify which authentication methods you accept for the web backend (`allowed_auth_backends_for_webui`) and for obtaining certificates (`allowed_auth_backends_for_certs`).
 * **LDAP**: For LDAP the `bind_pattern` is a printf string where `%s` is the place where the username will be substituted. For example for an 389ds/openldap string might be: `"uid=%s,ou=People,dc=example,dc=com`. To leverage LDAP authentication set the appropriate `allowed_auth_*` setting to `["ldap"]`.
+* **OKTA** Keymasted can also use the public api for okta authentication, for both password and MFA (including both pushed and codes)
 * **Apache htpass**: The `passfile.htpass` file contains the usernames and their passwords allowed to access the `keymasterd` web interface. New users can be added via the following command: `htpasswd -B /etc/keymaster/passfile.htpass <username>`. `htpasswd` is distributed via the `httpd-tools` package. Keymaster will only accept htpass files that store BCRYPT encrypted credentials. To use Apache password files to authenticate users to the web interface set the following configuration item: `allowed_auth_*` to `["password"]`
 * **U2F tokens**: To enable U2F tokens set set the appropriate `allowed_auth_*` setting to `["U2F"]``
 * **VIP Manager**: To enable VIP Manager set set the appropriate `allowed_auth_*` setting to `["SymantecVIP"]`
@@ -79,6 +83,10 @@ Keymaster supports SQLite and PostgreSQL to store u2f tokens or username and pas
 To use keymasterd as an openid connect IDP please consult the documents
 [here](docs/website/openidc-idp.md)
 
+##### SSH Cerfificate exteansion expansion
+Some systems like github.com allow the use of ssh certificates to authenticate users. To do so it is required to have speficic extensions in the ssh certificate. To accomodate this we have a bash like extension mechanism for expanding the username (some deployments require prefixes and some require some character subsituttions). We use posix expression expanding system, but we also reserve the pipe "|" so that we can do some future expansions.
+As of Feb 2024 only character replacement is part of the test-suite, so any other more complicated replacements are not considered forward compatible (as in the configuration may as expected in future versions).
+
 #### keymaster-unlocker
 The `keymaster-unlocker` binary allows you to 'unseal' the Keymaster environment. This binary requires a client side certificate signed by the adminCA.
 
@@ -98,7 +106,7 @@ patents and contracts.
 ## LICENSE
 Copyright 2016-2019 Symantec Corporation.
 
-Copyright 2019-2021 Cloud-Foundations.org
+Copyright 2019-2024 Cloud-Foundations.org
 
 Licensed under the Apache License, Version 2.0 (the “License”); you
 may not use this file except in compliance with the License.

cmd/keymaster-unlocker/main.go

@@ -69,7 +69,8 @@ func main() {
 		logger.Fatal(err)
 	}
 	// Setup HTTPS clients.
-	tlsConfig := &tls.Config{Certificates: []tls.Certificate{cert}}
+	tlsConfig := &tls.Config{Certificates: []tls.Certificate{cert},
+		MinVersion: tls.VersionTLS12}
 	tlsConfig.BuildNameToCertificate()
 	clients := makeClients(addrs, tlsConfig)
 	var password string