Commit 018bd88d authored by ale's avatar ale

Add go.mod, update dependencies, build on Bullseye

parent 71512831
Pipeline #10510 passed with stages
in 55 seconds
include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-common.yml"
include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-nextstable.yml"
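Review bot: The new include on the second line still fetches the pipeline definition from a `raw/master` URL, so what this project's CI executes changes whenever that branch moves, with no commit here to review. Pinning the include to a tag or commit of build-deb, e.g. `include: "https://git.autistici.org/ai3/build-deb/raw/<PINNED_REF>/ci-nextstable.yml"` (placeholder ref), makes the pipeline reproducible and turns a template update into a visible diff. The same point applies to the one-line include sections further down in this commit, which reference `ci-common.yml` the same way.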
......@@ -2,7 +2,7 @@ Source: go-sso
Section: admin
Priority: optional
Maintainer: Autistici/Inventati <debian@autistici.org>
Build-Depends: debhelper (>=9), golang-any (>=1.11), dh-systemd, dh-golang
Build-Depends: debhelper (>=9), golang-any (>=1.11), dh-golang
Standards-Version: 3.9.6
Package: sso-server
......
......@@ -7,9 +7,8 @@ export DH_GOLANG_EXCLUDES = vendor
%:
dh $@ --with systemd --with golang --buildsystem golang
override_dh_install:
rm -fr $(CURDIR)/debian/tmp/usr/share/gocode
dh_install
override_dh_auto_install:
dh_auto_install -- --no-source
override_dh_systemd_enable:
dh_systemd_enable --no-enable
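Review bot: The unchanged `%:` target still runs `dh $@ --with systemd --with golang --buildsystem golang` while this commit drops `dh-systemd` from Build-Depends in debian/control, so the build now depends on debhelper itself supplying the systemd sequence (debhelper 10 and later, where `--with systemd` is accepted with a deprecation warning); the `debhelper (>=9)` constraint in debian/control no longer describes a buildable combination and should be raised, or `--with systemd` removed together with the build-dependency. The `override_dh_systemd_enable:` / `dh_systemd_enable --no-enable` lines appear to be the deletion this hunk's -9/+8 counts describe; if so, the unit is enabled on package installation where it previously was not, which is a behaviour change worth recording in the changelog and in the package description.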
......
module git.autistici.org/id/go-sso
require (
git.autistici.org/ai3/go-common v0.0.0-20210110180225-a05c683cfe23
git.autistici.org/id/auth v0.0.0-20200212081728-3d44524ae2e5
git.autistici.org/id/keystore v0.0.0-20190630084729-9f1f2da00729
github.com/beevik/etree v0.0.0-20171015221209-af219c0c7ea1 // indirect
github.com/crewjam/saml v0.0.0-20190521120225-344d075952c9
github.com/elazarl/go-bindata-assetfs v1.0.0
github.com/gorilla/csrf v1.7.0
github.com/gorilla/mux v1.7.3
github.com/gorilla/securecookie v1.1.1
github.com/mssola/user_agent v0.0.0-20170906152553-a2f39d5a9b15
github.com/oschwald/maxminddb-golang v0.0.0-20170901134056-26fe5ace1c70
github.com/prometheus/client_golang v1.9.0
github.com/rs/cors v0.0.0-20190613161432-33ffc0734c60
github.com/russellhaering/goxmldsig v0.0.0-20170911191014-b7efc6231e45 // indirect
github.com/satori/go.uuid v1.2.0 // indirect
github.com/tstranex/u2f v1.0.0
go.opencensus.io v0.22.5
golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
gopkg.in/yaml.v2 v2.3.0
)
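Review bot: The new go.mod has no `go` directive between the `module` line and the `require` block, so language semantics default to the oldest supported behaviour and `go mod tidy` will insert one on the next run; adding `go 1.14` (or whatever version the Bullseye toolchain targets) up front avoids a spurious diff later. `github.com/crewjam/saml v0.0.0-20190521120225-344d075952c9` pins a May 2019 snapshot of the SAML library; to my recollection that predates the signature-validation fix shipped in crewjam/saml v0.4.3 (CVE-2020-27846), so a freshly written go.mod would better require a release at or after that version, provided the build still passes. The indirect `github.com/satori/go.uuid v1.2.0` appears to be pulled in through that same dependency and would likely drop out once saml is moved forward. The collapsed go.sum belongs in this review as well, since it is what actually pins the module hashes.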
language: go
go_import_path: contrib.go.opencensus.io
go:
- 1.11.x
env:
global:
GO111MODULE=on
before_script:
- make install-tools
script:
- make travis-ci
stages:
- test
run_tests:
stage: test
image: "debian:bullseye"
script:
- "apt update"
- "env DEBIAN_FRONTEND=noninteractive apt -y install golang git"
- "go test -v ./..."
module git.autistici.org/ai3/go-common
go 1.14
go 1.11
require (
contrib.go.opencensus.io/exporter/zipkin v0.1.1
contrib.go.opencensus.io/exporter/zipkin v0.1.2
github.com/amoghe/go-crypt v0.0.0-20191109212615-b2ff80594b7f
github.com/bbrks/wrap v2.3.0+incompatible
github.com/bbrks/wrap/v2 v2.5.0
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
github.com/emersion/go-textwrapper v0.0.0-20160606182133-d0e65e56babe
github.com/google/go-cmp v0.4.0
github.com/gorilla/handlers v1.4.2
github.com/lunixbochs/struc v0.0.0-20190916212049-a5c72983bc42
github.com/cenkalti/backoff/v4 v4.1.0
github.com/coreos/go-systemd/v22 v22.1.0
github.com/emersion/go-textwrapper v0.0.0-20200911093747-65d896831594
github.com/go-asn1-ber/asn1-ber v1.5.3
github.com/go-ldap/ldap/v3 v3.2.4
github.com/gofrs/flock v0.8.0 // indirect
github.com/google/go-cmp v0.5.4
github.com/gorilla/handlers v1.5.1
github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
github.com/miscreant/miscreant.go v0.0.0-20200214223636-26d376326b75
github.com/openzipkin/zipkin-go v0.2.2
github.com/prometheus/client_golang v1.5.1
github.com/russross/blackfriday/v2 v2.0.1
github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
github.com/theckman/go-flock v0.7.1
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/openzipkin/zipkin-go v0.2.5
github.com/pierrec/lz4 v2.0.5+incompatible // indirect
github.com/prometheus/client_golang v1.9.0
github.com/russross/blackfriday/v2 v2.1.0
github.com/theckman/go-flock v0.8.0
github.com/tstranex/u2f v1.0.0
go.opencensus.io v0.22.3
golang.org/x/crypto v0.0.0-20200403201458-baeed622b8d8
golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d
gopkg.in/ldap.v3 v3.1.0
go.opencensus.io v0.22.5
golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421 // indirect
golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
)
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base"
]
}
......@@ -16,7 +16,7 @@ import (
"time"
"git.autistici.org/ai3/go-common/tracing"
"github.com/coreos/go-systemd/daemon"
"github.com/coreos/go-systemd/v22/daemon"
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promhttp"
)
......
include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-common.yml"
......@@ -162,6 +162,9 @@ Each service definition is a dictionary with the following attributes:
only for interactive services)
* `enforce_2fa` is a boolean flag that, when true, will disable
non-2FA logins for this service
* `ignore_2fa` is a boolean flag that, when set, will ignore the
presence of application-specific passwords for the user, and will
always authenticate against the primary password
* `enable_last_login_reporting` is a boolean flag that enables last login
reporting to usermetadb
* `enable_device_tracking` is a boolean flag that enables device
......
......@@ -34,9 +34,6 @@ func (d *DeviceInfo) encodeToMap(m map[string]string, prefix string) {
}
func decodeDeviceInfoFromMap(m map[string]string, prefix string) *DeviceInfo {
if _, ok := m[prefix+"id"]; !ok {
return nil
}
return &DeviceInfo{
ID: m[prefix+"id"],
RemoteAddr: m[prefix+"remote_addr"],
......
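Review bot: Dropping the `if _, ok := m[prefix+"id"]; !ok { return nil }` guard means decodeDeviceInfoFromMap now returns a non-nil *DeviceInfo with an empty ID when the map carries no device fields at all — assuming those three lines are the deletion the hunk's -9/+6 counts describe. Any caller that compared the result against nil to detect "no device info" now needs to test `info.ID == ""` instead, and that check should be confirmed at each call site. If the change is intentional, a doc comment on the function such as `// decodeDeviceInfoFromMap never returns nil; a map without the id key yields a DeviceInfo with empty fields.` makes the new contract explicit. The function's body continues past the end of the hunk.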
include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-common.yml"
......@@ -57,10 +57,17 @@ Forget the key for a given user.
The final consumer for user encryption keys is the Dovecot
service. The *dovecot-keylookupd* daemon can read the user public and
private keys from LDAP, and serve the *unencrypted* keys to Dovecot
using its [dict proxy
private keys from the database, and serve the *unencrypted* keys to
Dovecot using its [dict proxy
protocol](https://wiki2.dovecot.org/AuthDatabase/Dict).
*NOTE* that passdb lookups using *dovecot-keylookupd* contain the
cleartext password as part of the key, which may be logged in case of
error! This is currently a huge limitation of this solution, but there
seems to be no workaround that does not involve switching to a
fork()-based solution (like the checkpassword script). That might be a
better solution long-term.
TODO: explain the lookup protocol.
# Configuration
......@@ -72,21 +79,10 @@ following attributes:
* `sso_public_key_file`: path to the SSO Ed25519 public key
* `sso_service`: SSO service for this application
* `sso_domain`: SSO domain
* `ldap`: LDAP backend configuration
* `uri`: LDAP server URI
* `bind_dn`: bind DN (for simple bind, SASL is not supported)
* `bind_pw`: bind password
* `bind_pw_file`: bind password (load from this file), in
alternative to *bind_pw*
* `query`: Parameters for the LDAP search query
* `search_base`: base DN for the search
* `search_filter`: search filter. The filter string may contain a
literal `%s` token somewhere, that will be replaced with the
(escaped) username.
* `scope`: search scope, one of *sub* (default), *one* or *base*
* `public_key_attr`: attribute that contains the user's public key
* `private_key_attr`: attribute that contains the user's encrypted
key(s)
* `backend`: backend configuration
* `type`: backend type, one of *ldap* or *sql*
* `params`: backend parameters, type-specific (see *Backend
configuration*, below)
* `http_server`: HTTP server configuration
* `tls`: contains the server-side TLS configuration:
* `cert`: path to the server certificate
......@@ -103,7 +99,10 @@ following attributes:
The *dovecot-keylookupd* daemon uses a similar configuration, read by
default from */etc/keystore/dovecot.yml*:
* `ldap`: LDAP backend configuration, see above
* `backend`: backend configuration
* `type`: backend type, one of *ldap* or *sql*
* `params`: backend parameters, type-specific (see *Backend
configuration*, below)
* `keystore`: configures the connection to the keystore service
* `url`: URL for the keystore service
* `sharded`: if true, requests to the keystore service will be
......@@ -114,3 +113,45 @@ default from */etc/keystore/dovecot.yml*:
* `ca`: path to the CA used to validate the server
* `shard`: shard identifier for the local host. Must be set if
keystore.sharded is true.
## Backend configuration