booking and defautl idp working

1 year ago · dc46e42352
--- a/cmd/config.go
+++ b/cmd/config.go
@ -26,7 +26,6 @@ func LoadConfig(name string) (*Config, error) {
 	if err != nil {
 		return nil, err
 	}

 	config := &Config{
 		//SecureShell: &secureshell.DefaultServer,
 		//Web:         &web.DefaultServer,
--- a/dev.env
+++ b/dev.env
@ -0,0 +1,2 @@
 export LDAP_SERVER=127.0.0.1:8083
 export AUTHX_KVM=10.221.6.10
--- a/dev.sh
+++ b/dev.sh
@ -0,0 +1,3 @@
 #!/bin/bash
 source dev.env
 ssh -f -N -L 8083:ldaps.dqs.booking.com:636 $USER@$AUTHX_KVM
--- a/gate.hcl
+++ b/gate.hcl
@ -2,6 +2,7 @@
 # =====
 #
 # Configures the buitin HTTP daemon.
 pubkey="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDR53BU8fZnycwkKpPqsVBA7r0zVrrMU6xbtC5mXGC/Sl1QQDvc5qBodZxWRzhCfMrrmMQx2C9fS5WHjYRAA3pYlnluD8yscdmgYN/uu8Rh8C+mm2Ah9tuRgsnGgaIIZb0YtWtIK4AYmAQWB8RMMfdpi+51Hjc4dSqe++bZPzEhPqgNWFMmQKAIPER0IEg7FauukzylHHk/gXZcB41pvgBPPVPVIeS0dGeVagV6ZM2YsjMzQdefMi6LzAfBSvSlF9AhJYgS1OcpyrHd6qql2VdAvdhK+UpGPypSrsBFMBitp2xOUGbunBtZWCkpyGZlDvYoj0iQ6wVMw+klY8PzmlSf Booking.com Certificate Authority Primary\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAS9IwqzpNtJywAX7EQn+PdJRib7qxVMEVeZfXBjL5s5E2xrgnIoBa6dQ19abkT/m/ItiSb0BbapQqSUSN8BPTJFZXiVZQ/SImivPukt5Q9Md12r1cXx8T+N7/uvKJ6tPN50tsz3YbzliwPJ5z6+X/gDG2NBLV/ljQ7JtQmYeS2qaZMcRa8xuC4dZeJt7WxFGMoen2CdmORYIcTUzsCqBxgIbAtasWLb+kMPcoTMAH5RMG/WmQheSya3DsbGa+ghjgIwfHR6eMEay/+kyW6UbLutWlM9jcjROue4r6hWBqpQFtqV6wx0ZlmJXBHjcMKkulOYHnq2f3EAD4S8TM8IIz Booking.com Certificate Authority Secondary"
 httpd {
  bind = "localhost:4443"
  tls  = true
--- a/go.mod
+++ b/go.mod
@ -19,6 +19,7 @@ require (
 	github.com/pkg/term v0.0.0-20190109203006-aa71e9d9e942
 	github.com/shinichy/go-wcwidth v0.0.0-20140219061058-b202ee861e25
 	github.com/sirupsen/logrus v1.4.2
 	gitlab.booking.com/pps/lib v1.0.3
 	golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472
 	golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a
 	golang.org/x/text v0.3.0
--- a/go.sum
+++ b/go.sum
@ -5,6 +5,7 @@ github.com/c-bata/go-prompt v0.2.3 h1:jjCS+QhG/sULBhAaBdjb2PlMRVaKXQgn+4yzaauvs2
 github.com/c-bata/go-prompt v0.2.3/go.mod h1:VzqtzE2ksDBcdln8G7mk2RX9QyGjH+OVqOCSiVIqS34=
 github.com/cloudian/readline v1.4.4 h1:B7AzvPDzcscnnBDstHaKpiN37NlelgHB7bPZqyKGYgc=
 github.com/cloudian/readline v1.4.4/go.mod h1:RP0woDmS6tvrgKZRa3HyMZIyzmPY+/e3g+LEsqhZINY=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -40,6 +41,7 @@ github.com/mattn/go-tty v0.0.0-20190424173100-523744f04859/go.mod h1:XPvLUNfbS4f
 github.com/namsral/flag v1.7.4-pre/go.mod h1:OXldTctbM6SWH1K899kPZcf65KxJiD7MsceFUpB5yDo=
 github.com/natefinch/lumberjack v2.0.0+incompatible h1:4QJd3OLAMgj7ph+yZTuX13Ld4UpgHp07nNdFX7mqFfM=
 github.com/natefinch/lumberjack v2.0.0+incompatible/go.mod h1:Wi9p2TTF5DG5oU+6YfsmYQpsTIOm0B1VNzQg9Mw6nPk=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/term v0.0.0-20180423043932-cda20d4ac917/go.mod h1:eCbImbZ95eXtAUIbLAuAVnBnwf83mjf6QIVH8SHYwqQ=
 github.com/pkg/term v0.0.0-20190109203006-aa71e9d9e942 h1:A7GG7zcGjl3jqAqGPmcNjd/D9hzL95SuoOQAaFNdLU0=
 github.com/pkg/term v0.0.0-20190109203006-aa71e9d9e942/go.mod h1:eCbImbZ95eXtAUIbLAuAVnBnwf83mjf6QIVH8SHYwqQ=
@ -47,6 +49,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/shinichy/go-wcwidth v0.0.0-20140219061058-b202ee861e25 h1:8RgNB2/qHJ5bzBd6b7yjLxnE8rSJnv5mGVp0kijd3FY=
 github.com/shinichy/go-wcwidth v0.0.0-20140219061058-b202ee861e25/go.mod h1:jaaU71/7CKovUsOskljAdTI37gElMSQZpHOxE7EEfI0=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
 github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@ -59,11 +63,16 @@ github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6Kllzaw
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasttemplate v1.0.1 h1:tY9CJiPnMXf1ERmG2EyK7gNUd+c6RKGD0IfU8WdUSz8=
 github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 gitlab.booking.com/pps/lib v1.0.3 h1:/KJstU/mPT8vnblTZnmRQn6luvXri3RuVi+99/icIhM=
 gitlab.booking.com/pps/lib v1.0.3/go.mod h1:p7KHN6anGdxaU3rPGuTHahALlHUsDqGjxkzq3cuW6vU=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472 h1:Gv7RPwsi3eZ2Fgewe3CBsuOebPwO27PoXzRpJPsvSSM=
 golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180620133508-ad87a3a340fa/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -75,8 +84,13 @@ golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a h1:aYOabOQFp6Vj6W1F80affTUvO
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d h1:TxyelI5cVkbREznMhfzycHdkp5cLA7DpE+GKjSslYhM=
 gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/ldap.v2 v2.5.1 h1:wiu0okdNfjlBzg6UWvd1Hn8Y+Ux17/u/4nlk4CQr6tU=
 gopkg.in/ldap.v2 v2.5.1/go.mod h1:oI0cpe/D7HRtBQl8aTg+ZmzFUAvu4lsv3eLXMLGFxWk=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
--- a/pkg/core/identity/booking.go
+++ b/pkg/core/identity/booking.go
@ -0,0 +1,174 @@
 package identity

 import (
 	"bytes"
 	"errors"
 	"fmt"

 	"golang.org/x/crypto/ssh"

 	"gitlab.booking.com/pps/lib/auth/staff"
 	"maze.io/gate/pkg/core"
 	logger2 "maze.io/gate/pkg/core/logger"
 	"maze.io/gate/pkg/util/compact"
 )

 const (
 	sshUsersGroup = "sshUsers"
 )

 type BookingIdentityProvider struct {
 	certChecker *ssh.CertChecker
 }

 type staffUser struct {
 	user *staff.User
 }

 type staffGroup struct {
 	group *staff.Group
 }

 func (u staffUser) ID() compact.ID       { return compact.String(u.user.Username) }
 func (u staffUser) Login() string        { return u.user.Username }
 func (u staffUser) Name() string         { return u.user.Name }
 func (u staffUser) Groups() []core.Group { return nil }

 func (g staffGroup) Name() string         { return g.group.Name }
 func (g staffGroup) Members() []core.User { return nil }

 func NewBookingIdentityProvider(pubKeys []ssh.PublicKey) *BookingIdentityProvider {

 	CertChecker := &ssh.CertChecker{
 		IsUserAuthority: func(pk ssh.PublicKey) bool {
 			for _, pubKey := range pubKeys {
 				if bytes.Equal(pk.Marshal(), pubKey.Marshal()) {
 					return true
 				}
 			}
 			return false
 		},
 	}

 	return &BookingIdentityProvider{
 		certChecker: CertChecker,
 	}
 }

 func (idp *BookingIdentityProvider) LookupUser(name string) (core.User, error) {
 	u, err := staff.Lookup(staff.FilterUsername(name))
 	if err != nil {
 		return staffUser{}, err
 	}

 	return staffUser{u}, nil
 }

 func (idp *BookingIdentityProvider) LookupGroup(name string) (core.Group, error) {
 	g, err := staff.LookupGroup(staff.FilterCommonName(name))
 	if err != nil {
 		return staffGroup{}, err
 	}
 	return staffGroup{g}, nil
 }

 func (idp *BookingIdentityProvider) PasswordCallback(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, error) {
 	user, err := idp.LookupUser(conn.User())
 	if err != nil {
 		return nil, err
 	}
 	_ = user
 	return nil, errors.New("password not implemented")
 }

 func (idp *BookingIdentityProvider) PublicKeyCallback(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
 	log := logger2.Default.WithFields(logger2.Fields{
 		logger2.User: conn.User(),
 		"key":        ssh.FingerprintSHA256(key),
 		"key_type":   key.Type(),
 	}).WithSourceAddr(conn.RemoteAddr())
 	// attempt to validate a certificate
 	cert, ok := key.(*ssh.Certificate)
 	if !ok {
 		// try fall back pubkey check
 		return nil, fmt.Errorf("ssh: not cert found")
 		// return idp.pubKeyFallback(conn, key, log)
 	}

 	if cert.CertType != ssh.UserCert {
 		return nil, fmt.Errorf("ssh: cert has type %d", cert.CertType)
 	}
 	if !idp.certChecker.IsUserAuthority(cert.SignatureKey) {
 		return nil, fmt.Errorf("ssh: certificate signed by unrecognized authority")
 	}

 	// if err := idp.certChecker.CheckCert(conn.User(), cert); err != nil {
 	// 	return nil, err
 	// }
 	// we have a valid cert
 	log.Debug("booking cert authentication")
 	// validate user esists, and is in sshUsers group
 	u, err := idp.LookupUser(conn.User())
 	if err != nil {
 		return nil, err
 	}
 	g, err := idp.LookupGroup(sshUsersGroup)
 	if err != nil {
 		return nil, err
 	}
 	user := u.(staffUser)
 	group := g.(staffGroup)
 	if !group.group.Contains(user.user) {
 		return nil, errors.New(fmt.Sprintf("expected %s to be a member of sshUsers", user.user.Username))
 	}

 	return &ssh.Permissions{
 		Extensions: map[string]string{
 			"gate-idp": "system",
 			"gate-obj": user.user.Username,
 		},
 	}, nil
 }

 // func (idp *BookingIdentityProvider) pubKeyFallback(conn ssh.ConnMetadata, key ssh.PublicKey, log *logger2.Logger) (*ssh.Permissions, error) { //needs work
 // user, err := idp.LookupUser(conn.User())
 // if err != nil {
 // 	return nil, err
 // }

 // group, err := idp.LookupGroup(sshUsersGroup)
 // if err != nil {
 // 	return nil, err
 // }

 // name := filepath.Join(user.(staff.User).Obj.HomeDir, ".ssh", "authorized_keys")
 // b, err := ioutil.ReadFile(name)
 // if err != nil {
 // 	return nil, err
 // }
 // marshaled := key.Marshal()
 // for len(b) > 0 {
 // 	var (
 // 		authorizedKey ssh.PublicKey
 // 		comment       string
 // 	)
 // 	if authorizedKey, comment, _, b, err = ssh.ParseAuthorizedKey(b); err != nil {
 // 		break
 // 	}

 // 	log.WithFields(logger2.Fields{
 // 		"authorized_key":         ssh.FingerprintSHA256(authorizedKey),
 // 		"authorized_key_type":    authorizedKey.Type(),
 // 		"authorized_key_comment": comment,
 // 	}).Debug("checking key")
 // 	if bytes.Equal(authorizedKey.Marshal(), marshaled) {
 // 		return &ssh.Permissions{
 // 			Extensions: map[string]string{
 // 				"gate-idp": "system",
 // 				"gate-obj": user.Login(),
 // 			},
 // 		}, nil
 // 	}
 // }
 // return nil, errors.New("key not found")
 // }