
booking and default idp working

master
Caleb Rogers 2 years ago
parent
commit
dc46e42352
7 changed files with 195 additions and 1 deletions
  1. +0
    -1
      cmd/config.go
  2. +2
    -0
      dev.env
  3. +3
    -0
      dev.sh
  4. +1
    -0
      gate.hcl
  5. +1
    -0
      go.mod
  6. +14
    -0
      go.sum
  7. +174
    -0
      pkg/core/identity/booking.go

+ 0
- 1
cmd/config.go View File

@ -26,7 +26,6 @@ func LoadConfig(name string) (*Config, error) {
if err != nil {
return nil, err
}
config := &Config{
//SecureShell: &secureshell.DefaultServer,
//Web: &web.DefaultServer,


+ 2
- 0
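--- a/dev.env
+++ b/dev.env
@@ -0,0 +1,2 @@
+export LDAP_SERVER=127.0.0.1:8083
+export AUTHX_KVM=10.221.6.10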

+ 3
- 0
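--- a/dev.sh
+++ b/dev.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+source dev.env
+ssh -f -N -L 8083:ldaps.dqs.booking.com:636 $USER@$AUTHX_KVM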
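Review bot: `source dev.env` on the second line resolves against the caller's working directory, and `$USER@$AUTHX_KVM` on the third is unquoted, so running the script from another directory or with the variable unset does not fail but opens the tunnel with an empty host part. I would source the file relative to the script and stop on a missing variable: `source "$(dirname "$0")/dev.env"`, `: "${AUTHX_KVM:?AUTHX_KVM not set}"`, then `ssh -f -N -L 8083:ldaps.dqs.booking.com:636 "$USER@$AUTHX_KVM"`. Since `-f` backgrounds the tunnel, a comment stating how to find and stop it afterwards (for example by the forwarded port) would help the next developer.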

+ 1
- 0
gate.hcl View File

@ -2,6 +2,7 @@
# =====
#
# Configures the buitin HTTP daemon.
pubkey="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDR53BU8fZnycwkKpPqsVBA7r0zVrrMU6xbtC5mXGC/Sl1QQDvc5qBodZxWRzhCfMrrmMQx2C9fS5WHjYRAA3pYlnluD8yscdmgYN/uu8Rh8C+mm2Ah9tuRgsnGgaIIZb0YtWtIK4AYmAQWB8RMMfdpi+51Hjc4dSqe++bZPzEhPqgNWFMmQKAIPER0IEg7FauukzylHHk/gXZcB41pvgBPPVPVIeS0dGeVagV6ZM2YsjMzQdefMi6LzAfBSvSlF9AhJYgS1OcpyrHd6qql2VdAvdhK+UpGPypSrsBFMBitp2xOUGbunBtZWCkpyGZlDvYoj0iQ6wVMw+klY8PzmlSf Booking.com Certificate Authority Primary\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAS9IwqzpNtJywAX7EQn+PdJRib7qxVMEVeZfXBjL5s5E2xrgnIoBa6dQ19abkT/m/ItiSb0BbapQqSUSN8BPTJFZXiVZQ/SImivPukt5Q9Md12r1cXx8T+N7/uvKJ6tPN50tsz3YbzliwPJ5z6+X/gDG2NBLV/ljQ7JtQmYeS2qaZMcRa8xuC4dZeJt7WxFGMoen2CdmORYIcTUzsCqBxgIbAtasWLb+kMPcoTMAH5RMG/WmQheSya3DsbGa+ghjgIwfHR6eMEay/+kyW6UbLutWlM9jcjROue4r6hWBqpQFtqV6wx0ZlmJXBHjcMKkulOYHnq2f3EAD4S8TM8IIz Booking.com Certificate Authority Secondary"
httpd {
bind = "localhost:4443"
tls = true


+ 1
- 0
go.mod View File

@ -19,6 +19,7 @@ require (
github.com/pkg/term v0.0.0-20190109203006-aa71e9d9e942
github.com/shinichy/go-wcwidth v0.0.0-20140219061058-b202ee861e25
github.com/sirupsen/logrus v1.4.2
gitlab.booking.com/pps/lib v1.0.3
golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472
golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a
golang.org/x/text v0.3.0


+ 14
- 0
go.sum View File

@ -5,6 +5,7 @@ github.com/c-bata/go-prompt v0.2.3 h1:jjCS+QhG/sULBhAaBdjb2PlMRVaKXQgn+4yzaauvs2
github.com/c-bata/go-prompt v0.2.3/go.mod h1:VzqtzE2ksDBcdln8G7mk2RX9QyGjH+OVqOCSiVIqS34=
github.com/cloudian/readline v1.4.4 h1:B7AzvPDzcscnnBDstHaKpiN37NlelgHB7bPZqyKGYgc=
github.com/cloudian/readline v1.4.4/go.mod h1:RP0woDmS6tvrgKZRa3HyMZIyzmPY+/e3g+LEsqhZINY=
github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -40,6 +41,7 @@ github.com/mattn/go-tty v0.0.0-20190424173100-523744f04859/go.mod h1:XPvLUNfbS4f
github.com/namsral/flag v1.7.4-pre/go.mod h1:OXldTctbM6SWH1K899kPZcf65KxJiD7MsceFUpB5yDo=
github.com/natefinch/lumberjack v2.0.0+incompatible h1:4QJd3OLAMgj7ph+yZTuX13Ld4UpgHp07nNdFX7mqFfM=
github.com/natefinch/lumberjack v2.0.0+incompatible/go.mod h1:Wi9p2TTF5DG5oU+6YfsmYQpsTIOm0B1VNzQg9Mw6nPk=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/term v0.0.0-20180423043932-cda20d4ac917/go.mod h1:eCbImbZ95eXtAUIbLAuAVnBnwf83mjf6QIVH8SHYwqQ=
github.com/pkg/term v0.0.0-20190109203006-aa71e9d9e942 h1:A7GG7zcGjl3jqAqGPmcNjd/D9hzL95SuoOQAaFNdLU0=
github.com/pkg/term v0.0.0-20190109203006-aa71e9d9e942/go.mod h1:eCbImbZ95eXtAUIbLAuAVnBnwf83mjf6QIVH8SHYwqQ=
@ -47,6 +49,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/shinichy/go-wcwidth v0.0.0-20140219061058-b202ee861e25 h1:8RgNB2/qHJ5bzBd6b7yjLxnE8rSJnv5mGVp0kijd3FY=
github.com/shinichy/go-wcwidth v0.0.0-20140219061058-b202ee861e25/go.mod h1:jaaU71/7CKovUsOskljAdTI37gElMSQZpHOxE7EEfI0=
github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@ -59,11 +63,16 @@ github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6Kllzaw
github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
github.com/valyala/fasttemplate v1.0.1 h1:tY9CJiPnMXf1ERmG2EyK7gNUd+c6RKGD0IfU8WdUSz8=
github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
gitlab.booking.com/pps/lib v1.0.3 h1:/KJstU/mPT8vnblTZnmRQn6luvXri3RuVi+99/icIhM=
gitlab.booking.com/pps/lib v1.0.3/go.mod h1:p7KHN6anGdxaU3rPGuTHahALlHUsDqGjxkzq3cuW6vU=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472 h1:Gv7RPwsi3eZ2Fgewe3CBsuOebPwO27PoXzRpJPsvSSM=
golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20180620133508-ad87a3a340fa/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -75,8 +84,13 @@ golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a h1:aYOabOQFp6Vj6W1F80affTUvO
golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d h1:TxyelI5cVkbREznMhfzycHdkp5cLA7DpE+GKjSslYhM=
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/ldap.v2 v2.5.1 h1:wiu0okdNfjlBzg6UWvd1Hn8Y+Ux17/u/4nlk4CQr6tU=
gopkg.in/ldap.v2 v2.5.1/go.mod h1:oI0cpe/D7HRtBQl8aTg+ZmzFUAvu4lsv3eLXMLGFxWk=
gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=


+ 174
- 0
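--- a/pkg/core/identity/booking.go
+++ b/pkg/core/identity/booking.go
@@ -0,0 +1,174 @@
+package identity
+import (
+"bytes"
+"errors"
+"fmt"
+"golang.org/x/crypto/ssh"
+"gitlab.booking.com/pps/lib/auth/staff"
+"maze.io/gate/pkg/core"
+logger2 "maze.io/gate/pkg/core/logger"
+"maze.io/gate/pkg/util/compact"
+)
+const (
+sshUsersGroup = "sshUsers"
+)
+type BookingIdentityProvider struct {
+certChecker *ssh.CertChecker
+}
+type staffUser struct {
+user *staff.User
+}
+type staffGroup struct {
+group *staff.Group
+}
+func (u staffUser) ID() compact.ID { return compact.String(u.user.Username) }
+func (u staffUser) Login() string { return u.user.Username }
+func (u staffUser) Name() string { return u.user.Name }
+func (u staffUser) Groups() []core.Group { return nil }
+func (g staffGroup) Name() string { return g.group.Name }
+func (g staffGroup) Members() []core.User { return nil }
+func NewBookingIdentityProvider(pubKeys []ssh.PublicKey) *BookingIdentityProvider {
+CertChecker := &ssh.CertChecker{
+IsUserAuthority: func(pk ssh.PublicKey) bool {
+for _, pubKey := range pubKeys {
+if bytes.Equal(pk.Marshal(), pubKey.Marshal()) {
+return true
+}
+}
+return false
+},
+}
+return &BookingIdentityProvider{
+certChecker: CertChecker,
+}
+}
+func (idp *BookingIdentityProvider) LookupUser(name string) (core.User, error) {
+u, err := staff.Lookup(staff.FilterUsername(name))
+if err != nil {
+return staffUser{}, err
+}
+return staffUser{u}, nil
+}
+func (idp *BookingIdentityProvider) LookupGroup(name string) (core.Group, error) {
+g, err := staff.LookupGroup(staff.FilterCommonName(name))
+if err != nil {
+return staffGroup{}, err
+}
+return staffGroup{g}, nil
+}
+func (idp *BookingIdentityProvider) PasswordCallback(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, error) {
+user, err := idp.LookupUser(conn.User())
+if err != nil {
+return nil, err
+}
+_ = user
+return nil, errors.New("password not implemented")
+}
+func (idp *BookingIdentityProvider) PublicKeyCallback(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+log := logger2.Default.WithFields(logger2.Fields{
+logger2.User: conn.User(),
+"key": ssh.FingerprintSHA256(key),
+"key_type": key.Type(),
+}).WithSourceAddr(conn.RemoteAddr())
+// attempt to validate a certificate
+cert, ok := key.(*ssh.Certificate)
+if !ok {
+// try fall back pubkey check
+return nil, fmt.Errorf("ssh: not cert found")
+// return idp.pubKeyFallback(conn, key, log)
+}
+if cert.CertType != ssh.UserCert {
+return nil, fmt.Errorf("ssh: cert has type %d", cert.CertType)
+}
+if !idp.certChecker.IsUserAuthority(cert.SignatureKey) {
+return nil, fmt.Errorf("ssh: certificate signed by unrecognized authority")
+}
+// if err := idp.certChecker.CheckCert(conn.User(), cert); err != nil {
+// return nil, err
+// }
+// we have a valid cert
+log.Debug("booking cert authentication")
+// validate user esists, and is in sshUsers group
+u, err := idp.LookupUser(conn.User())
+if err != nil {
+return nil, err
+}
+g, err := idp.LookupGroup(sshUsersGroup)
+if err != nil {
+return nil, err
+}
+user := u.(staffUser)
+group := g.(staffGroup)
+if !group.group.Contains(user.user) {
+return nil, errors.New(fmt.Sprintf("expected %s to be a member of sshUsers", user.user.Username))
+}
+return &ssh.Permissions{
+Extensions: map[string]string{
+"gate-idp": "system",
+"gate-obj": user.user.Username,
+},
+}, nil
+}
+// func (idp *BookingIdentityProvider) pubKeyFallback(conn ssh.ConnMetadata, key ssh.PublicKey, log *logger2.Logger) (*ssh.Permissions, error) { //needs work
+// user, err := idp.LookupUser(conn.User())
+// if err != nil {
+// return nil, err
+// }
+// group, err := idp.LookupGroup(sshUsersGroup)
+// if err != nil {
+// return nil, err
+// }
+// name := filepath.Join(user.(staff.User).Obj.HomeDir, ".ssh", "authorized_keys")
+// b, err := ioutil.ReadFile(name)
+// if err != nil {
+// return nil, err
+// }
+// marshaled := key.Marshal()
+// for len(b) > 0 {
+// var (
+// authorizedKey ssh.PublicKey
+// comment string
+// )
+// if authorizedKey, comment, _, b, err = ssh.ParseAuthorizedKey(b); err != nil {
+// break
+// }
+// log.WithFields(logger2.Fields{
+// "authorized_key": ssh.FingerprintSHA256(authorizedKey),
+// "authorized_key_type": authorizedKey.Type(),
+// "authorized_key_comment": comment,
+// }).Debug("checking key")
+// if bytes.Equal(authorizedKey.Marshal(), marshaled) {
+// return &ssh.Permissions{
+// Extensions: map[string]string{
+// "gate-idp": "system",
+// "gate-obj": user.Login(),
+// },
+// }, nil
+// }
+// }
+// return nil, errors.New("key not found")
+// }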
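Review bot: PublicKeyCallback never verifies the certificate it accepts, because the `idp.certChecker.CheckCert(conn.User(), cert)` call is commented out and `IsUserAuthority(cert.SignatureKey)` only compares the key the certificate names as its signer against the configured CA keys; the signature itself, the ValidAfter/ValidBefore window, the principal list and critical options are therefore not checked before a session is granted. The call should be restored ahead of the directory lookups, `if err := idp.certChecker.CheckCert(conn.User(), cert); err != nil { return nil, err }`, which in golang.org/x/crypto/ssh performs exactly those checks. In the same function `errors.New(fmt.Sprintf(...))` should be `fmt.Errorf("expected %s to be a member of sshUsers", user.user.Username)`, and the bare `u.(staffUser)` and `g.(staffGroup)` assertions will panic rather than fail closed if LookupUser or LookupGroup ever return another core.User/core.Group implementation, so the `, ok` form is safer. PasswordCallback performs a directory lookup whose result is discarded and then returns a different error than the lookup failure; returning the "password not implemented" error unconditionally avoids the wasted query and the error-message difference between known and unknown user names. The rendered page also appears to have dropped indentation and blank lines (the hunk header announces 174 lines but 150 are shown), so the rebuilt diff should be read for content, not layout.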
