Commit 018bd88d authored by ale

Add go.mod, update dependencies, build on Bullseye

parent 71512831
Pipeline #10510 passed with stages
in 55 seconds
include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-common.yml"
include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-nextstable.yml"
......@@ -2,7 +2,7 @@ Source: go-sso
Section: admin
Priority: optional
Maintainer: Autistici/Inventati <debian@autistici.org>
Build-Depends: debhelper (>=9), golang-any (>=1.11), dh-systemd, dh-golang
Build-Depends: debhelper (>=9), golang-any (>=1.11), dh-golang
Standards-Version: 3.9.6
Package: sso-server
......
......@@ -7,9 +7,8 @@ export DH_GOLANG_EXCLUDES = vendor
%:
dh $@ --with systemd --with golang --buildsystem golang
override_dh_install:
rm -fr $(CURDIR)/debian/tmp/usr/share/gocode
dh_install
override_dh_auto_install:
dh_auto_install -- --no-source
override_dh_systemd_enable:
dh_systemd_enable --no-enable
......
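Review bot: debian/control drops `dh-systemd` from Build-Depends (the old/new pair at the top of this commit), but debian/rules still invokes the systemd addon with `dh $@ --with systemd --with golang --buildsystem golang` and keeps an `override_dh_systemd_enable` target calling `dh_systemd_enable --no-enable`. Whether that still builds on Bullseye depends on the package's debhelper compat level, which is not visible here; on newer compat levels the `systemd` sequence and `dh_systemd_enable` have been superseded by `dh_installsystemd`, and the hunk header (9 lines to 8) shows only one line removed, so it is unclear which of these references the commit touched. If the addon is no longer available, the equivalent is to drop `--with systemd` and replace the override with `override_dh_installsystemd:` / `dh_installsystemd --no-enable`, keeping the service disabled-by-default behaviour the current rule expresses.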
module git.autistici.org/id/go-sso
require (
git.autistici.org/ai3/go-common v0.0.0-20210110180225-a05c683cfe23
git.autistici.org/id/auth v0.0.0-20200212081728-3d44524ae2e5
git.autistici.org/id/keystore v0.0.0-20190630084729-9f1f2da00729
github.com/beevik/etree v0.0.0-20171015221209-af219c0c7ea1 // indirect
github.com/crewjam/saml v0.0.0-20190521120225-344d075952c9
github.com/elazarl/go-bindata-assetfs v1.0.0
github.com/gorilla/csrf v1.7.0
github.com/gorilla/mux v1.7.3
github.com/gorilla/securecookie v1.1.1
github.com/mssola/user_agent v0.0.0-20170906152553-a2f39d5a9b15
github.com/oschwald/maxminddb-golang v0.0.0-20170901134056-26fe5ace1c70
github.com/prometheus/client_golang v1.9.0
github.com/rs/cors v0.0.0-20190613161432-33ffc0734c60
github.com/russellhaering/goxmldsig v0.0.0-20170911191014-b7efc6231e45 // indirect
github.com/satori/go.uuid v1.2.0 // indirect
github.com/tstranex/u2f v1.0.0
go.opencensus.io v0.22.5
golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
gopkg.in/yaml.v2 v2.3.0
)
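Review bot: The new go.mod declares the module path and its `require` block but no `go` directive, so the toolchain will pick a default language version and insert one on the first `go build` or `go mod tidy`, leaving the committed file out of date immediately. Add a directive after the `module` line matching the toolchain the package is built with, e.g. `go 1.14` (the version the updated go-common dependency declares in its own go.mod further down this commit). Note also that debian/control still states `golang-any (>=1.11)` as the build floor while that dependency now declares 1.14; the floor should be raised to match whichever directive is chosen.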
language: go
go_import_path: contrib.go.opencensus.io
go:
- 1.11.x
env:
global:
GO111MODULE=on
before_script:
- make install-tools
script:
- make travis-ci
stages:
- test
run_tests:
stage: test
image: "debian:bullseye"
script:
- "apt update"
- "env DEBIAN_FRONTEND=noninteractive apt -y install golang git"
- "go test -v ./..."
module git.autistici.org/ai3/go-common
go 1.14
go 1.11
require (
contrib.go.opencensus.io/exporter/zipkin v0.1.1
contrib.go.opencensus.io/exporter/zipkin v0.1.2
github.com/amoghe/go-crypt v0.0.0-20191109212615-b2ff80594b7f
github.com/bbrks/wrap v2.3.0+incompatible
github.com/bbrks/wrap/v2 v2.5.0
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
github.com/emersion/go-textwrapper v0.0.0-20160606182133-d0e65e56babe
github.com/google/go-cmp v0.4.0
github.com/gorilla/handlers v1.4.2
github.com/lunixbochs/struc v0.0.0-20190916212049-a5c72983bc42
github.com/cenkalti/backoff/v4 v4.1.0
github.com/coreos/go-systemd/v22 v22.1.0
github.com/emersion/go-textwrapper v0.0.0-20200911093747-65d896831594
github.com/go-asn1-ber/asn1-ber v1.5.3
github.com/go-ldap/ldap/v3 v3.2.4
github.com/gofrs/flock v0.8.0 // indirect
github.com/google/go-cmp v0.5.4
github.com/gorilla/handlers v1.5.1
github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
github.com/miscreant/miscreant.go v0.0.0-20200214223636-26d376326b75
github.com/openzipkin/zipkin-go v0.2.2
github.com/prometheus/client_golang v1.5.1
github.com/russross/blackfriday/v2 v2.0.1
github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
github.com/theckman/go-flock v0.7.1
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/openzipkin/zipkin-go v0.2.5
github.com/pierrec/lz4 v2.0.5+incompatible // indirect
github.com/prometheus/client_golang v1.9.0
github.com/russross/blackfriday/v2 v2.1.0
github.com/theckman/go-flock v0.8.0
github.com/tstranex/u2f v1.0.0
go.opencensus.io v0.22.3
golang.org/x/crypto v0.0.0-20200403201458-baeed622b8d8
golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d
gopkg.in/ldap.v3 v3.1.0
go.opencensus.io v0.22.5
golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421 // indirect
golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
)
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base"
]
}
......@@ -16,7 +16,7 @@ import (
"time"
"git.autistici.org/ai3/go-common/tracing"
"github.com/coreos/go-systemd/daemon"
"github.com/coreos/go-systemd/v22/daemon"
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promhttp"
)
......
include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-common.yml"
......@@ -162,6 +162,9 @@ Each service definition is a dictionary with the following attributes:
only for interactive services)
* `enforce_2fa` is a boolean flag that, when true, will disable
non-2FA logins for this service
* `ignore_2fa` is a boolean flag that, when set, will ignore the
presence of application-specific passwords for the user, and will
always authenticate against the primary password
* `enable_last_login_reporting` is a boolean flag that enables last login
reporting to usermetadb
* `enable_device_tracking` is a boolean flag that enables device
......
......@@ -34,9 +34,6 @@ func (d *DeviceInfo) encodeToMap(m map[string]string, prefix string) {
}
func decodeDeviceInfoFromMap(m map[string]string, prefix string) *DeviceInfo {
if _, ok := m[prefix+"id"]; !ok {
return nil
}
return &DeviceInfo{
ID: m[prefix+"id"],
RemoteAddr: m[prefix+"remote_addr"],
......
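Review bot: With the `if _, ok := m[prefix+"id"]; !ok { return nil }` guard gone — the hunk header's 9-to-6 line count makes those three lines the only plausible deletion — decodeDeviceInfoFromMap no longer signals an absent device record by returning nil; a map without the `id` key now yields a non-nil *DeviceInfo whose ID and remaining fields are empty strings. Any caller that distinguished "no device info in the session" from "device known" by a nil check will now treat an empty record as a tracked device, which matters if device identity feeds an authentication or anomaly decision; that caller must test `d.ID == ""` instead, or the function should document the new contract with a comment such as `// decodeDeviceInfoFromMap always returns a non-nil *DeviceInfo; when m has no prefix+"id" entry every field is empty.` It is not visible whether this file is project code or a vendored dependency. The function body continues past the end of the hunk.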
include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-common.yml"
......@@ -57,10 +57,17 @@ Forget the key for a given user.
The final consumer for user encryption keys is the Dovecot
service. The *dovecot-keylookupd* daemon can read the user public and
private keys from LDAP, and serve the *unencrypted* keys to Dovecot
using its [dict proxy
private keys from the database, and serve the *unencrypted* keys to
Dovecot using its [dict proxy
protocol](https://wiki2.dovecot.org/AuthDatabase/Dict).
*NOTE* that passdb lookups using *dovecot-keylookupd* contain the
cleartext password as part of the key, which may be logged in case of
error! This is currently a huge limitation of this solution, but there
seems to be no workaround that does not involve switching to a
fork()-based solution (like the checkpassword script). That might be a
better solution long-term.
TODO: explain the lookup protocol.
# Configuration
......@@ -72,21 +79,10 @@ following attributes:
* `sso_public_key_file`: path to the SSO Ed25519 public key
* `sso_service`: SSO service for this application
* `sso_domain`: SSO domain
* `ldap`: LDAP backend configuration
* `uri`: LDAP server URI
* `bind_dn`: bind DN (for simple bind, SASL is not supported)
* `bind_pw`: bind password
* `bind_pw_file`: bind password (load from this file), in
alternative to *bind_pw*
* `query`: Parameters for the LDAP search query
* `search_base`: base DN for the search
* `search_filter`: search filter. The filter string may contain a
literal `%s` token somewhere, that will be replaced with the
(escaped) username.
* `scope`: search scope, one of *sub* (default), *one* or *base*
* `public_key_attr`: attribute that contains the user's public key
* `private_key_attr`: attribute that contains the user's encrypted
key(s)
* `backend`: backend configuration
* `type`: backend type, one of *ldap* or *sql*
* `params`: backend parameters, type-specific (see *Backend
configuration*, below)
* `http_server`: HTTP server configuration
* `tls`: contains the server-side TLS configuration:
* `cert`: path to the server certificate
......@@ -103,7 +99,10 @@ following attributes:
The *dovecot-keylookupd* daemon uses a similar configuration, read by
default from */etc/keystore/dovecot.yml*:
* `ldap`: LDAP backend configuration, see above
* `backend`: backend configuration
* `type`: backend type, one of *ldap* or *sql*
* `params`: backend parameters, type-specific (see *Backend
configuration*, below)
* `keystore`: configures the connection to the keystore service
* `url`: URL for the keystore service
* `sharded`: if true, requests to the keystore service will be
......@@ -114,3 +113,45 @@ default from */etc/keystore/dovecot.yml*:
* `ca`: path to the CA used to validate the server
* `shard`: shard identifier for the local host. Must be set if
keystore.sharded is true.
## Backend configuration
The keystore servers can talk to a LDAP or a SQL database. In both
cases it is possible to adapt to the database schema by defining the
exact queries to use. All we need to do is to retrieve the public and
private parts of the user encryption key.
The *ldap* database backend understands the following configuration
parameters:
* `uri`: LDAP server URI
* `bind_dn`: bind DN (for simple bind, SASL is not supported)
* `bind_pw`: bind password
* `bind_pw_file`: bind password (load from this file), in
alternative to *bind_pw*
* `query`: Parameters for the LDAP search query
* `search_base`: base DN for the search
* `search_filter`: search filter. The filter string may contain a
literal `%s` token somewhere, that will be replaced with the
(escaped) username.
* `scope`: search scope, one of *sub* (default), *one* or *base*
* `public_key_attr`: attribute that contains the user's public key
* `private_key_attr`: attribute that contains the user's encrypted
key(s)
The *sql* database backend requires the following parameters:
* `driver`: SQL driver, one of *sqlite3*, *mysql* or *postgres*
* `db_uri`: database URI (a.k.a. DSN), whose exact syntax will depend
on the chosen driver. Check out the documentation for the
database/sql [sqlite](https://github.com/mattn/go-sqlite3),
[mysql](https://github.com/go-sql-driver/mysql) and
[postgres](https://godoc.org/github.com/lib/pq) drivers.
* `queries`: map with the known queries. All SQL queries take one
parameter (the user name), and return one or more rows with a single
column. Use the `?` placeholder for the parameter. Known queries:
* `get_user_public_key`: must return a single row with the public
key
* `get_user_private_keys`: must return one or more rows with the
user's private keys (copies of the same key encrypted with
different passwords).
language: go
sudo: false
go:
- 1.5.x
- 1.6.x
- 1.7.x
- 1.8.x
- 1.9.x
- tip
matrix:
allow_failures:
- go: tip
script:
- go vet ./...
- go test -v ./...
# Compiled Object files, Static and Dynamic libs (Shared Objects)
*.o
*.a
*.so
# Folders
_obj
_test
# Architecture specific extensions/prefixes
*.[568vq]
[568vq].out
*.cgo1.go
*.cgo2.c
_cgo_defun.c
_cgo_gotypes.go
_cgo_export.*
_testmain.go
*.exe
language: go
go:
- 1.7
- 1.x
- tip
before_install:
- go get github.com/mattn/goveralls
- go get golang.org/x/tools/cmd/cover
script:
- $HOME/gopath/bin/goveralls -service=travis-ci