Add go.mod, update dependencies, build on Bullseye

.gitlab-ci.yml

-include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-common.yml"
+include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-nextstable.yml"

debian/control

@@ -2,7 +2,7 @@ Source: go-sso
 Section: admin
 Priority: optional
 Maintainer: Autistici/Inventati <debian@autistici.org>
-Build-Depends: debhelper (>=9), golang-any (>=1.11), dh-systemd, dh-golang
+Build-Depends: debhelper (>=9), golang-any (>=1.11), dh-golang
 Standards-Version: 3.9.6
 
 Package: sso-server

debian/rules

@@ -7,9 +7,8 @@ export DH_GOLANG_EXCLUDES = vendor
 %:
 	dh $@ --with systemd --with golang --buildsystem golang
 
-override_dh_install:
-	rm -fr $(CURDIR)/debian/tmp/usr/share/gocode
-	dh_install
+override_dh_auto_install:
+	dh_auto_install -- --no-source
 
 override_dh_systemd_enable:
 	dh_systemd_enable --no-enable

go.mod

+module git.autistici.org/id/go-sso
+
+require (
+	git.autistici.org/ai3/go-common v0.0.0-20210110180225-a05c683cfe23
+	git.autistici.org/id/auth v0.0.0-20200212081728-3d44524ae2e5
+	git.autistici.org/id/keystore v0.0.0-20190630084729-9f1f2da00729
+	github.com/beevik/etree v0.0.0-20171015221209-af219c0c7ea1 // indirect
+	github.com/crewjam/saml v0.0.0-20190521120225-344d075952c9
+	github.com/elazarl/go-bindata-assetfs v1.0.0
+	github.com/gorilla/csrf v1.7.0
+	github.com/gorilla/mux v1.7.3
+	github.com/gorilla/securecookie v1.1.1
+	github.com/mssola/user_agent v0.0.0-20170906152553-a2f39d5a9b15
+	github.com/oschwald/maxminddb-golang v0.0.0-20170901134056-26fe5ace1c70
+	github.com/prometheus/client_golang v1.9.0
+	github.com/rs/cors v0.0.0-20190613161432-33ffc0734c60
+	github.com/russellhaering/goxmldsig v0.0.0-20170911191014-b7efc6231e45 // indirect
+	github.com/satori/go.uuid v1.2.0 // indirect
+	github.com/tstranex/u2f v1.0.0
+	go.opencensus.io v0.22.5
+	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
+	gopkg.in/yaml.v2 v2.3.0
+)

vendor/contrib.go.opencensus.io/exporter/zipkin/.travis.yml

+language: go
+
+go_import_path: contrib.go.opencensus.io
+
+go:
+  - 1.11.x
+
+env:
+  global:
+    GO111MODULE=on
+
+before_script:
+  - make install-tools
+
+script:
+  - make travis-ci
+

vendor/git.autistici.org/ai3/go-common/.gitlab-ci.yml

+stages:
+  - test
+
+run_tests:
+  stage: test
+  image: "debian:bullseye"
+  script:
+    - "apt update"
+    - "env DEBIAN_FRONTEND=noninteractive apt -y install golang git"
+    - "go test -v ./..."

vendor/git.autistici.org/ai3/go-common/go.mod

 module git.autistici.org/ai3/go-common
 
-go 1.14
+go 1.11
 
 require (
-	contrib.go.opencensus.io/exporter/zipkin v0.1.1
+	contrib.go.opencensus.io/exporter/zipkin v0.1.2
 	github.com/amoghe/go-crypt v0.0.0-20191109212615-b2ff80594b7f
-	github.com/bbrks/wrap v2.3.0+incompatible
+	github.com/bbrks/wrap/v2 v2.5.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
-	github.com/emersion/go-textwrapper v0.0.0-20160606182133-d0e65e56babe
-	github.com/google/go-cmp v0.4.0
-	github.com/gorilla/handlers v1.4.2
-	github.com/lunixbochs/struc v0.0.0-20190916212049-a5c72983bc42
+	github.com/cenkalti/backoff/v4 v4.1.0
+	github.com/coreos/go-systemd/v22 v22.1.0
+	github.com/emersion/go-textwrapper v0.0.0-20200911093747-65d896831594
+	github.com/go-asn1-ber/asn1-ber v1.5.3
+	github.com/go-ldap/ldap/v3 v3.2.4
+	github.com/gofrs/flock v0.8.0 // indirect
+	github.com/google/go-cmp v0.5.4
+	github.com/gorilla/handlers v1.5.1
+	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
 	github.com/miscreant/miscreant.go v0.0.0-20200214223636-26d376326b75
-	github.com/openzipkin/zipkin-go v0.2.2
-	github.com/prometheus/client_golang v1.5.1
-	github.com/russross/blackfriday/v2 v2.0.1
-	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
-	github.com/theckman/go-flock v0.7.1
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/openzipkin/zipkin-go v0.2.5
+	github.com/pierrec/lz4 v2.0.5+incompatible // indirect
+	github.com/prometheus/client_golang v1.9.0
+	github.com/russross/blackfriday/v2 v2.1.0
+	github.com/theckman/go-flock v0.8.0
 	github.com/tstranex/u2f v1.0.0
-	go.opencensus.io v0.22.3
-	golang.org/x/crypto v0.0.0-20200403201458-baeed622b8d8
-	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
-	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d
-	gopkg.in/ldap.v3 v3.1.0
+	go.opencensus.io v0.22.5
+	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
+	golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421 // indirect
+	golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
+	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 )

vendor/git.autistici.org/ai3/go-common/renovate.json

+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}

vendor/git.autistici.org/ai3/go-common/serverutil/http.go

@@ -16,7 +16,7 @@ import (
 	"time"
 
 	"git.autistici.org/ai3/go-common/tracing"
-	"github.com/coreos/go-systemd/daemon"
+	"github.com/coreos/go-systemd/v22/daemon"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 )

vendor/git.autistici.org/id/auth/.gitignore

+*.swp

vendor/git.autistici.org/id/auth/.gitlab-ci.yml

+include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-common.yml"

vendor/git.autistici.org/id/auth/README.md

@@ -162,6 +162,9 @@ Each service definition is a dictionary with the following attributes:
   only for interactive services)
 * `enforce_2fa` is a boolean flag that, when true, will disable
   non-2FA logins for this service
+* `ignore_2fa` is a boolean flag that, when set, will ignore the
+  presence of application-specific passwords for the user, and will
+  always authenticate against the primary password
 * `enable_last_login_reporting` is a boolean flag that enables last login
   reporting to usermetadb
 * `enable_device_tracking` is a boolean flag that enables device

vendor/git.autistici.org/id/auth/protocol.go

@@ -34,9 +34,6 @@ func (d *DeviceInfo) encodeToMap(m map[string]string, prefix string) {
 }
 
 func decodeDeviceInfoFromMap(m map[string]string, prefix string) *DeviceInfo {
-	if _, ok := m[prefix+"id"]; !ok {
-		return nil
-	}
 	return &DeviceInfo{
 		ID:         m[prefix+"id"],
 		RemoteAddr: m[prefix+"remote_addr"],

vendor/git.autistici.org/id/keystore/.gitlab-ci.yml

+include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-common.yml"

vendor/git.autistici.org/id/keystore/README.md

@@ -57,10 +57,17 @@ Forget the key for a given user.
 
 The final consumer for user encryption keys is the Dovecot
 service. The *dovecot-keylookupd* daemon can read the user public and
-private keys from LDAP, and serve the *unencrypted* keys to Dovecot
-using its [dict proxy
+private keys from the database, and serve the *unencrypted* keys to
+Dovecot using its [dict proxy
 protocol](https://wiki2.dovecot.org/AuthDatabase/Dict).
 
+*NOTE* that passdb lookups using *dovecot-keylookupd* contain the
+cleartext password as part of the key, which may be logged in case of
+error! This is currently a huge limitation of this solution, but there
+seems to be no workaround that does not involve switching to a
+fork()-based solution (like the checkpassword script). That might be a
+better solution long-term.
+
 TODO: explain the lookup protocol.
 
 # Configuration
@@ -72,21 +79,10 @@ following attributes:
 * `sso_public_key_file`: path to the SSO Ed25519 public key
 * `sso_service`: SSO service for this application
 * `sso_domain`: SSO domain
-* `ldap`: LDAP backend configuration
-  * `uri`: LDAP server URI
-  * `bind_dn`: bind DN (for simple bind, SASL is not supported)
-  * `bind_pw`: bind password
-  * `bind_pw_file`: bind password (load from this file), in
-    alternative to *bind_pw*
-  * `query`: Parameters for the LDAP search query
-    * `search_base`: base DN for the search
-    * `search_filter`: search filter. The filter string may contain a
-      literal `%s` token somewhere, that will be replaced with the
-      (escaped) username.
-    * `scope`: search scope, one of *sub* (default), *one* or *base*
-    * `public_key_attr`: attribute that contains the user's public key
-    * `private_key_attr`: attribute that contains the user's encrypted
-      key(s)
+* `backend`: backend configuration
+  * `type`: backend type, one of *ldap* or *sql*
+  * `params`: backend parameters, type-specific (see *Backend
+    configuration*, below)
 * `http_server`: HTTP server configuration
   * `tls`: contains the server-side TLS configuration:
     * `cert`: path to the server certificate
@@ -103,7 +99,10 @@ following attributes:
 The *dovecot-keylookupd* daemon uses a similar configuration, read by
 default from */etc/keystore/dovecot.yml*:
 
-* `ldap`: LDAP backend configuration, see above
+* `backend`: backend configuration
+  * `type`: backend type, one of *ldap* or *sql*
+  * `params`: backend parameters, type-specific (see *Backend
+    configuration*, below)
 * `keystore`: configures the connection to the keystore service
   * `url`: URL for the keystore service
   * `sharded`: if true, requests to the keystore service will be
@@ -114,3 +113,45 @@ default from */etc/keystore/dovecot.yml*:
     * `ca`: path to the CA used to validate the server
 * `shard`: shard identifier for the local host. Must be set if
   keystore.sharded is true.
+
+## Backend configuration
+
+The keystore servers can talk to a LDAP or a SQL database. In both
+cases it is possible to adapt to the database schema by defining the
+exact queries to use. All we need to do is to retrieve the public and
+private parts of the user encryption key.
+
+The *ldap* database backend understands the following configuration
+parameters:
+
+* `uri`: LDAP server URI
+* `bind_dn`: bind DN (for simple bind, SASL is not supported)
+* `bind_pw`: bind password
+* `bind_pw_file`: bind password (load from this file), in
+  alternative to *bind_pw*
+* `query`: Parameters for the LDAP search query
+  * `search_base`: base DN for the search
+  * `search_filter`: search filter. The filter string may contain a
+    literal `%s` token somewhere, that will be replaced with the
+    (escaped) username.
+  * `scope`: search scope, one of *sub* (default), *one* or *base*
+  * `public_key_attr`: attribute that contains the user's public key
+  * `private_key_attr`: attribute that contains the user's encrypted
+    key(s)
+
+The *sql* database backend requires the following parameters:
+
+* `driver`: SQL driver, one of *sqlite3*, *mysql* or *postgres*
+* `db_uri`: database URI (a.k.a. DSN), whose exact syntax will depend
+  on the chosen driver. Check out the documentation for the
+  database/sql [sqlite](https://github.com/mattn/go-sqlite3),
+  [mysql](https://github.com/go-sql-driver/mysql) and
+  [postgres](https://godoc.org/github.com/lib/pq) drivers.
+* `queries`: map with the known queries. All SQL queries take one
+  parameter (the user name), and return one or more rows with a single
+  column. Use the `?` placeholder for the parameter. Known queries:
+  * `get_user_public_key`: must return a single row with the public
+    key
+  * `get_user_private_keys`: must return one or more rows with the
+    user's private keys (copies of the same key encrypted with
+    different passwords).

vendor/github.com/beevik/etree/.travis.yml

+language: go
+sudo: false
+
+go:
+  - 1.5.x
+  - 1.6.x
+  - 1.7.x
+  - 1.8.x
+  - 1.9.x
+  - tip
+
+matrix:
+  allow_failures:
+    - go: tip
+
+script:
+  - go vet ./...
+  - go test -v ./...

vendor/github.com/cenkalti/backoff/.gitignore

+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe

vendor/github.com/cenkalti/backoff/.travis.yml

+language: go
+go:
+  - 1.7
+  - 1.x
+  - tip
+before_install:
+  - go get github.com/mattn/goveralls
+  - go get golang.org/x/tools/cmd/cover
+script:
+  - $HOME/gopath/bin/goveralls -service=travis-ci