Commit 018bd88d authored by ale

Add go.mod, update dependencies, build on Bullseye

parent 71512831
Pipeline #10510 passed with stages
in 55 seconds
include: ""
include: ""
......@@ -2,7 +2,7 @@ Source: go-sso
Section: admin
Priority: optional
Maintainer: Autistici/Inventati <>
Build-Depends: debhelper (>=9), golang-any (>=1.11), dh-systemd, dh-golang
Build-Depends: debhelper (>=9), golang-any (>=1.11), dh-golang
Standards-Version: 3.9.6
Package: sso-server
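Review bot: with dh-systemd dropped from Build-Depends, the `debhelper (>=9)` bound in this hunk is now too loose: the dh_systemd_* helpers were only folded into debhelper itself in 9.20160709 (dh-systemd has been a transitional package since), and the systemd sequence is implicit only from compat 10 onward. Raise the bound, e.g. `debhelper-compat (= 12)` in place of `debhelper (>=9)`, so the unit handling the package previously got from dh-systemd is guaranteed on the builder rather than depending on whatever debhelper the chroot happens to have.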
......@@ -7,9 +7,8 @@ export DH_GOLANG_EXCLUDES = vendor
dh $@ --with systemd --with golang --buildsystem golang
rm -fr $(CURDIR)/debian/tmp/usr/share/gocode
dh_auto_install -- --no-source
dh_systemd_enable --no-enable
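Review bot: the `dh $@ --with systemd --with golang --buildsystem golang` line is still present while control no longer build-depends on dh-systemd; `--with systemd` is redundant from debhelper compat 10 and should be dropped here to match the control change, leaving `dh $@ --with golang --buildsystem golang`. The `dh_systemd_enable --no-enable` override only needs debhelper ≥ 9.20160709, which the control hunk should pin. Since the -7,9 +7,8 header shows this override lost a line, also confirm that `rm -fr $(CURDIR)/debian/tmp/usr/share/gocode` still runs after `dh_auto_install -- --no-source`, as that ordering is what keeps the Go sources out of the binary package.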
require ( v0.0.0-20210110180225-a05c683cfe23 v0.0.0-20200212081728-3d44524ae2e5 v0.0.0-20190630084729-9f1f2da00729 v0.0.0-20171015221209-af219c0c7ea1 // indirect v0.0.0-20190521120225-344d075952c9 v1.0.0 v1.7.0 v1.7.3 v1.1.1 v0.0.0-20170906152553-a2f39d5a9b15 v0.0.0-20170901134056-26fe5ace1c70 v1.9.0 v0.0.0-20190613161432-33ffc0734c60 v0.0.0-20170911191014-b7efc6231e45 // indirect v1.2.0 // indirect v1.0.0 v0.22.5 v0.0.0-20201221181555-eec23a3978ad v2.3.0
language: go
- 1.11.x
- make install-tools
- make travis-ci
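Review bot: the removed Travis config ran `make install-tools` before `make travis-ci` on Go 1.11.x; the GitLab job added in this commit only runs `go test -v ./...`, so whatever install-tools provisioned (vet and lint helpers) no longer runs in CI unless those Makefile targets are wired into the new job. If `make travis-ci` is now unused, remove that target from the Makefile in the same change rather than leaving a dead entry point.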
- test
stage: test
image: "debian:bullseye"
- "apt update"
- "env DEBIAN_FRONTEND=noninteractive apt -y install golang git"
- "go test -v ./..."
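Review bot: the test job installs `golang git` with plain `apt` in a script, which prints apt's unstable-CLI warning and does not guarantee flag semantics across releases; use `apt-get -y --no-install-recommends install golang git` instead. More importantly, `go test -v ./...` on a fresh `debian:bullseye` image resolves modules from the network at test time unless the vendor tree is used, and debian/rules shows one exists (`DH_GOLANG_EXCLUDES = vendor`); with Bullseye's Go 1.15 vendor mode is only automatic when the go.mod `go` directive is 1.14 or later and vendor/modules.txt matches go.mod, so run the tests with `-mod=vendor` explicitly (or add a `go mod verify` step) so CI exercises the same dependency set the Debian build packages.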
go 1.14
go 1.11
require ( v0.1.1 v0.1.2 v0.0.0-20191109212615-b2ff80594b7f v2.3.0+incompatible v2.5.0 v2.2.1+incompatible v0.0.0-20191104093116-d3cd4ed1dbcf v0.0.0-20160606182133-d0e65e56babe v0.4.0 v1.4.2 v0.0.0-20190916212049-a5c72983bc42 v4.1.0 v22.1.0 v0.0.0-20200911093747-65d896831594 v1.5.3 v3.2.4 v0.8.0 // indirect v0.5.4 v1.5.1 v0.0.0-20200707160740-784aaebc1d40 v0.0.0-20200214223636-26d376326b75 v0.2.2 v1.5.1 v2.0.1 v1.0.0 // indirect v0.7.1 v0.0.0-20180306012644-bacd9c7ef1dd // indirect v0.2.5 v2.0.5+incompatible // indirect v1.9.0 v2.1.0 v0.8.0 v1.0.0 v0.22.3 v0.0.0-20200403201458-baeed622b8d8 v0.0.0-20200317015054-43a5402ce75a v1.0.0-20181015200546-f715ec2f112d v3.1.0 v0.22.5 v0.0.0-20201221181555-eec23a3978ad v0.0.0-20190226205417-e64efc72b421 // indirect v0.0.0-20201207232520-09787c993a3a v1.0.0-20190902080502-41f04d3bba15 // indirect
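Review bot: this require block mixes `+incompatible` versions (`v2.3.0+incompatible`, `v2.2.1+incompatible`, `v2.0.5+incompatible // indirect`) with pseudo-versions pinned to 2016-2018 commits (`v0.0.0-20160606182133-d0e65e56babe`, `v0.0.0-20180306012644-bacd9c7ef1dd // indirect`); since this is the commit that introduces go.mod, run `go mod tidy` so the `// indirect` entries reflect what the build actually imports, and commit go.sum alongside it so the Debian build and CI verify the same checksums (if the collapsed diff in this commit is go.sum, good). The hunk also shows both `go 1.14` and `go 1.11` directive lines; a go.mod carries exactly one, and the one that survives decides whether vendor mode is automatic (1.14 and later), so check which was kept.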
"$schema": "",
"extends": [
......@@ -16,7 +16,7 @@ import (
include: ""
......@@ -162,6 +162,9 @@ Each service definition is a dictionary with the following attributes:
only for interactive services)
* `enforce_2fa` is a boolean flag that, when true, will disable
non-2FA logins for this service
* `ignore_2fa` is a boolean flag that, when set, will ignore the
presence of application-specific passwords for the user, and will
always authenticate against the primary password
* `enable_last_login_reporting` is a boolean flag that enables last login
reporting to usermetadb
* `enable_device_tracking` is a boolean flag that enables device
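Review bot: the new `ignore_2fa` description is ambiguous and its name reads as the inverse of `enforce_2fa` two lines above it: as written ("ignore the presence of application-specific passwords for the user, and will always authenticate against the primary password") it describes skipping the application-specific-password lookup, not skipping the second factor, yet the name suggests 2FA is bypassed for the service. State explicitly whether a user with 2FA enrolled is still required to present the second factor when this flag is set, consider a name such as `ignore_app_specific_passwords` if that is the actual behaviour, and document (and reject at config-load time) the combination of `enforce_2fa` and `ignore_2fa` both true for one service.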
......@@ -34,9 +34,6 @@ func (d *DeviceInfo) encodeToMap(m map[string]string, prefix string) {
func decodeDeviceInfoFromMap(m map[string]string, prefix string) *DeviceInfo {
if _, ok := m[prefix+"id"]; !ok {
return nil
return &DeviceInfo{
ID: m[prefix+"id"],
RemoteAddr: m[prefix+"remote_addr"],
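Review bot: decodeDeviceInfoFromMap treats only the `id` key as mandatory and returns nil otherwise, while `remote_addr` is read unconditionally and silently becomes the empty string when the key is missing; since the -34,9 +34,6 header shows three lines removed from the decoder and the hunk context names encodeToMap, make sure the fields dropped here are dropped from encodeToMap as well, and add an encode-then-decode round-trip test so the two functions cannot drift apart again.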
include: ""
......@@ -57,10 +57,17 @@ Forget the key for a given user.
The final consumer for user encryption keys is the Dovecot
service. The *dovecot-keylookupd* daemon can read the user public and
private keys from LDAP, and serve the *unencrypted* keys to Dovecot
using its [dict proxy
private keys from the database, and serve the *unencrypted* keys to
Dovecot using its [dict proxy
*NOTE* that passdb lookups using *dovecot-keylookupd* contain the
cleartext password as part of the key, which may be logged in case of
error! This is currently a huge limitation of this solution, but there
seems to be no workaround that does not involve switching to a
fork()-based solution (like the checkpassword script). That might be a
better solution long-term.
TODO: explain the lookup protocol.
# Configuration
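Review bot: the added NOTE correctly calls out that passdb lookups through *dovecot-keylookupd* carry the cleartext password inside the dict key and may be logged on error, but documenting the leak is weaker than closing it: redact the key in the daemon's error path (log the username and a fixed `<redacted>` marker, never the raw key) before the error is returned to Dovecot, which removes the logging exposure without the fork()-based checkpassword rewrite the text defers to the long term. The `TODO: explain the lookup protocol.` left in the same hunk is also where that redaction rule belongs once written.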
......@@ -72,21 +79,10 @@ following attributes:
* `sso_public_key_file`: path to the SSO Ed25519 public key
* `sso_service`: SSO service for this application
* `sso_domain`: SSO domain
* `ldap`: LDAP backend configuration
* `uri`: LDAP server URI
* `bind_dn`: bind DN (for simple bind, SASL is not supported)
* `bind_pw`: bind password
* `bind_pw_file`: bind password (load from this file), in
alternative to *bind_pw*
* `query`: Parameters for the LDAP search query
* `search_base`: base DN for the search
* `search_filter`: search filter. The filter string may contain a
literal `%s` token somewhere, that will be replaced with the
(escaped) username.
* `scope`: search scope, one of *sub* (default), *one* or *base*
* `public_key_attr`: attribute that contains the user's public key
* `private_key_attr`: attribute that contains the user's encrypted
* `backend`: backend configuration
* `type`: backend type, one of *ldap* or *sql*
* `params`: backend parameters, type-specific (see *Backend
configuration*, below)
* `http_server`: HTTP server configuration
* `tls`: contains the server-side TLS configuration:
* `cert`: path to the server certificate
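Review bot: the removed `ldap` section carried the only statement of how the username reaches the backend query (`search_filter` may contain a literal `%s` "that will be replaced with the (escaped) username"); the replacement `backend` block just defers to "Backend configuration, below". Since this commit also introduces a `sql` backend type, the new section must state the equivalent guarantee for SQL (username passed as a bound query parameter, never interpolated into the statement) and restate that `bind_pw_file` remains available under `params` as the alternative to an inline `bind_pw`, so the escaping and secret-handling behaviour documented here is not silently lost in the move.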
......@@ -103,7 +99,10 @@ following attributes:
The *dovecot-keylookupd* daemon uses a similar configuration, read by
default from */etc/keystore/dovecot.yml*:
* `ldap`: LDAP backend configuration, see above
* `backend`: backend configuration
* `type`: backend type, one of *ldap* or *sql*
* `params`: backend parameters, type-specific (see *Backend
configuration*, below)
* `keystore`: configures the connection to the keystore service
* `url`: URL for the keystore service
* `sharded`: if true, requests to the keystore service will be
......@@ -114,3 +113,45 @@ default from */etc/keystore/dovecot.yml*:
* `ca`: path to the CA used to validate the server
* `shard`: shard identifier for the local host. Must be set if
keystore.sharded is true.
## Backend configuration