
refactor: mv all files

master
QuentinN42 8 months ago
parent
commit
9e5ca73e04
Signed by: number42 GPG Key ID: 2CD7D563712B3A50
  1. 0
      ansible/ansible.cfg
  2. 0
      ansible/hosts.yml
  3. 0
      ansible/install.yml
  4. 0
      ansible/roles/base/tasks/main.yml
  5. 0
      ansible/roles/inetd/handlers/main.yml
  6. 0
      ansible/roles/inetd/tasks/main.yml
  7. 0
      ansible/roles/inetd/templates/inetd.conf.j2
  8. 0
      ansible/roles/pre_pam/tasks/main.yml
  9. 0
      ansible/roles/pre_pam/templates/entrypoint.j2
  10. 0
      ansible/roles/pre_pam/templates/get_qr.j2
  11. 0
      ansible/roles/pre_pam/templates/oidc_env.j2
  12. 0
      ansible/roles/pre_pam/templates/oidc_setup.j2
  13. 0
      ansible/roles/pre_pam/templates/oidc_verify.j2
  14. 0
      ansible/roles/pre_pam/templates/setup_ssh.j2
  15. 0
      ansible/roles/ssh/files/sshd_config
  16. 0
      ansible/roles/ssh/tasks/main.yml
  17. 50
      docker-compose.yaml
  18. 13
      server/Dockerfile
  19. 18
      server/connect.sh
  20. 98
      server/get_qr.sh
  21. 85
      server/pam_keycloak.c
  22. 19
      server/pam_keycloak.h

0
server/ansible/ansible.cfg → ansible/ansible.cfg

0
server/ansible/hosts.yml → ansible/hosts.yml

0
server/ansible/install.yml → ansible/install.yml

0
server/ansible/roles/base/tasks/main.yml → ansible/roles/base/tasks/main.yml

0
server/ansible/roles/inetd/handlers/main.yml → ansible/roles/inetd/handlers/main.yml

0
server/ansible/roles/inetd/tasks/main.yml → ansible/roles/inetd/tasks/main.yml

0
server/ansible/roles/inetd/templates/inetd.conf.j2 → ansible/roles/inetd/templates/inetd.conf.j2

0
server/ansible/roles/pre_pam/tasks/main.yml → ansible/roles/pre_pam/tasks/main.yml

0
server/ansible/roles/pre_pam/templates/entrypoint.j2 → ansible/roles/pre_pam/templates/entrypoint.j2

0
server/ansible/roles/pre_pam/templates/get_qr.j2 → ansible/roles/pre_pam/templates/get_qr.j2

0
server/ansible/roles/pre_pam/templates/oidc_env.j2 → ansible/roles/pre_pam/templates/oidc_env.j2

0
server/ansible/roles/pre_pam/templates/oidc_setup.j2 → ansible/roles/pre_pam/templates/oidc_setup.j2

0
server/ansible/roles/pre_pam/templates/oidc_verify.j2 → ansible/roles/pre_pam/templates/oidc_verify.j2

0
server/ansible/roles/pre_pam/templates/setup_ssh.j2 → ansible/roles/pre_pam/templates/setup_ssh.j2

0
server/ansible/roles/ssh/files/sshd_config → ansible/roles/ssh/files/sshd_config

0
server/ansible/roles/ssh/tasks/main.yml → ansible/roles/ssh/tasks/main.yml

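--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,50 +0,0 @@
-version: "3.7"
-services:
-mysql:
-image: mysql:5.7.34
-container_name: mysql
-ports:
-- "3306:3306"
-environment:
-- MYSQL_DATABASE=keycloak
-- MYSQL_USER=keycloak
-- MYSQL_PASSWORD=password
-- MYSQL_ROOT_PASSWORD=root_password
-healthcheck:
-test: "mysqladmin ping -u root -p$${MYSQL_ROOT_PASSWORD}"
-start_period: 10s
-volumes:
-- ./mysqldata:/var/log/mysql
-keycloak:
-image: quay.io/keycloak/keycloak:16.1.0
-container_name: keycloak
-environment:
-- KEYCLOAK_USER=admin
-- KEYCLOAK_PASSWORD=admin
-- DB_VENDOR=mysql
-- DB_ADDR=mysql
-- DB_USER=keycloak
-- DB_PASSWORD=password
-- JDBC_PARAMS=useSSL=false
-ports:
-- "8080:8080"
-depends_on:
-- mysql
-healthcheck:
-test: "curl -f http://localhost:8080/auth || exit 1"
-start_period: 20s
-serv1:
-build: server
-container_name: serv1
-serv2:
-build: server
-container_name: serv2
-volumes:
-mysqldata: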

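--- a/server/Dockerfile
+++ b/server/Dockerfile
@@ -1,13 +0,0 @@
-FROM alpine:3.14.0
-RUN apk add openssh-server vim python3 net-tools
-# setup ssh
-RUN cd /etc/ssh && ssh-keygen -A
-# add user
-RUN addgroup -S localuser && adduser -S localuser -G localuser -s /bin/ash && echo 'localuser:localuser' | chpasswd
-EXPOSE 22
-CMD ["/usr/sbin/sshd", "-D"]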

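--- a/server/connect.sh
+++ b/server/connect.sh
@@ -1,18 +0,0 @@
-#!/bin/sh
-USER=$1
-PASS=$2
-SERVER=serv1
-BASE_URL="http://localhost:8080"
-REALM=servers
-curl -sf --request POST \
---url "${BASE_URL}/auth/realms/${REALM}/protocol/openid-connect/token" \
---header 'Content-Type: application/x-www-form-urlencoded' \
---data grant_type=password \
---data client_id="${SERVER}" \
---data username="${USER}" \
---data password="${PASS}"
-exit $?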

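--- a/server/get_qr.sh
+++ b/server/get_qr.sh
@@ -1,98 +0,0 @@
-#!/bin/bash
-CLIENT_ID=serv1
-CLIENT_SECRET=VbL5OELpk3wmp3ZqEw5Ef9arky48r4N4
-KEYCLOAK_URL="https://keycloak.local.rezel.net"
-keycloak_user=""
-keycloak_groups=""
-PAM_SUCCESS=0
-PAM_SERVICE_ERR=3
-PAM_AUTH_ERR=7
-PAM_PERM_DENIED=6
-env > /tmp/pam.env
-echo $(filan -s) >> /tmp/pam.env
-device_flow() {
-tmp_file=$(mktemp)
-echo $tmp_file
-curl -fs --request POST --url $KEYCLOAK_URL/auth/realms/servers/protocol/openid-connect/auth/device \
---header 'Content-Type: application/x-www-form-urlencoded' \
---data grant_type=password \
---data client_secret=$CLIENT_SECRET \
---data client_id=$CLIENT_ID > $tmp_file
-cat $tmp_file | jq '.verification_uri_complete' -r
-cat $tmp_file | jq '.verification_uri_complete' -r | qrencode -t utf8
-while true;
-do
-res=$(curl -s --request POST --url $KEYCLOAK_URL/auth/realms/servers/protocol/openid-connect/token \
---header 'Content-Type: application/x-www-form-urlencoded' \
---data grant_type=urn:ietf:params:oauth:grant-type:device_code \
---data client_secret=$CLIENT_SECRET \
---data client_id=$CLIENT_ID \
---data device_code="$(cat $tmp_file | jq -r '.device_code')")
-if $(echo "$res" | jq 'has("error")');
-then
-if [ $(echo "$res" | jq -r '.error') = "authorization_pending" ];
-then
-sleep $(cat $tmp_file | jq '.interval')
-else
-exit $PAM_AUTH_ERR
-fi
-else
-results=$(echo "$res" | jq -r '.access_token' | cut -d. -f2 | base64 -d | jq '. | {"user": .preferred_username, "groups": (.realm_access.roles + .resource_access.'$CLIENT_ID'.roles - ["default-roles-servers", "offline_access", "uma_authorization"])}')
-break
-fi
-done
-keycloak_user=$(echo "$results" | jq -r '.user')
-keycloak_groups=$(echo "$results" | jq -r '.groups[]' | xargs )
-echo "Connected as $keycloak_user"
-echo "User is in groups: $keycloak_groups"
-}
-case $PAM_TYPE in
-auth)
-# In the authentication stage, we assure that the user is who he claims to be.
-# For example by checking username and password.
-exit $PAM_SUCCESS
-;;
-account)
-# After we authenticate the user we may still want to do some checks.
-# For example, if the account is expired.
-exit $PAM_SUCCESS
-;;
-open_session)
-# In this stage we build the user environment.
-# We can set user variables, load configuration files, mounting directories and much more.
-device_flow
-if [ "$PAM_USER" = "$keycloak_user" ];
-then
-echo "$keycloak_groups" | grep -qE "(^|\s)SSH(\s|$)" || exit $PAM_PERM_DENIED
-cat /etc/passwd | grep -Eq "^$PAM_USER\:" || useradd -m "$keycloak_user"
-for group in $keycloak_groups;
-do
-if [ "$group" != "SSH" ];
-then
-echo "creating group $group"
-groupadd -f "$group"
-usermod -aG "$group" "$keycloak_user"
-fi
-done
-exit $PAM_SUCCESS
-else
-exit $PAM_AUTH_ERR
-fi
-;;
-password)
-# We trigger this stage when we change the authentication token.
-exit $PAM_SERVICE_ERR
-;;
-*)
-exit $PAM_SERVICE_ERR
-;;
-esac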

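--- a/server/pam_keycloak.c
+++ b/server/pam_keycloak.c
@@ -1,85 +0,0 @@
-#include <security/pam_modules.h>
-#include <security/pam_appl.h>
-#include <security/pam_misc.h>
-#include <security/pam_ext.h>
-#include <curl/curl.h>
-#include <stdio.h>
-extern int asprintf (char **__restrict __ptr,
-const char *__restrict __fmt, ...)
-__THROWNL __attribute__ ((__format__ (__printf__, 2, 3))) __wur;
-void init() {
-printf("initializing libcurl");
-// libcurl doc : https://curl.se/libcurl/c/libcurl-easy.html
-curl_global_init(CURL_GLOBAL_ALL);
-}
-int test_login(const char *user, const char *pass)
-{
-init();
-// test if user/pass is correct on keycloak
-CURL* easyhandle;
-easyhandle = curl_easy_init();
-char *data;
-if(0 > asprintf(&data, "grant_type=password&client_id=occupation&client_secret=client_secret=lSm1EDNdrw2Tz6CJYRA15vnz9pmQ3xov&username=%s&password=%s", user, pass)) return 10;
-curl_easy_setopt(easyhandle, CURLOPT_POSTFIELDS, data);
-printf("Sending curl with data : %s\n", data);
-curl_easy_setopt(easyhandle, CURLOPT_URL, "http://192.168.1.161/auth/realms/servers/protocol/openid-connect/token");
-CURLcode res;
-res = curl_easy_perform(easyhandle);
-free(data);
-if(CURLE_OK == res) {
-return 0;
-} else {
-return 1;
-}
-}
-int pam_sm_authenticate(pam_handle_t *handle, int flags, int argc, const char **argv)
-{
-printf("authenticating...");
-int pam_code;
-const char *username = NULL;
-const char *password = NULL;
-/* Asking the application for an username */
-pam_code = pam_get_user(handle, &username, "USERNAME: ");
-if (pam_code != PAM_SUCCESS)
-{
-fprintf(stderr, "Can't get username");
-return PAM_PERM_DENIED;
-}
-/* Asking the application for a password */
-pam_code = pam_get_authtok(handle, PAM_AUTHTOK, &password, "PASSWORD: ");
-if (pam_code != PAM_SUCCESS)
-{
-fprintf(stderr, "Can't get password");
-return PAM_PERM_DENIED;
-}
-/* Checking the PAM_DISALLOW_NULL_AUTHTOK flag: if on, we can't accept empty passwords */
-if (flags & PAM_DISALLOW_NULL_AUTHTOK)
-{
-if (password == NULL || strcmp(password, "") == 0)
-{
-fprintf(stderr, "Null authentication token is not allowed!.");
-return PAM_PERM_DENIED;
-}
-}
-/*Auth user reads a file with usernames and passwords and returns true if username
-*and password are correct. Obviously, you must not save clear text passwords */
-if (test_login(username, password)==0)
-{
-printf("Welcome, user");
-return PAM_SUCCESS;
-}
-else
-{
-fprintf(stderr, "Wrong username or password");
-return PAM_PERM_DENIED;
-}
-}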

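--- a/server/pam_keycloak.h
+++ b/server/pam_keycloak.h
@@ -1,19 +0,0 @@
-#ifndef _PAM_KEYCLOAK_H_
-#define _PAM_KEYCLOAK_H_
-#ifdef __cplusplus
-extern "C" {
-#endif
-#include <security/pam_modules.h>
-#include <security/pam_appl.h>
-#include <security/pam_misc.h>
-#include <security/pam_ext.h>
-int pam_sm_authenticate(pam_handle_t *handle, int flags, int argc, const char **argv);
-#ifdef __cplusplus
-}
-#endif
-#endif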