
feat: commited build file

master
QuentinN42 6 months ago
parent
commit
e14efb9f54
Signed by: number42 GPG Key ID: 2CD7D563712B3A50
  1. 1
      .gitignore
  2. 15
      build/install/entrypoint
  3. 7
      build/install/get_qr
  4. 1
      build/install/oidc_config.json
  5. 2
      build/install/oidc_env
  6. 92
      build/install/oidc_pam
  7. 14
      build/install/oidc_setup
  8. 32
      build/install/oidc_verify
  9. 25
      build/install/setup_ssh

1
.gitignore

@ -1,4 +1,3 @@
*.o
*.so
*.log
build

15
build/install/entrypoint

@ -0,0 +1,15 @@
#!/bin/bash
# the entrypoint script
# invoked by inetd on a new connection on the ssh port
oidc_file="$(/home/n42/git/SR2I204/ansible/../build/install/setup_ssh)"
# setup oidc
/home/n42/git/SR2I204/ansible/../build/install/oidc_setup "${oidc_file}"
# retrive the qr code
/home/n42/git/SR2I204/ansible/../build/install/get_qr "${oidc_file}" > /etc/ssh/banner
# run sshd client
mkdir -p -m 700 /run/sshd
/usr/sbin/sshd -i
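Review bot: The redirection `> /etc/ssh/banner` on the get_qr line stores every connection's QR in one host-wide file, so when two connections arrive close together the first user's banner is overwritten with the second connection's verification URI and the person reading it can end up approving a device flow they did not start. Each connection already has its own `${oidc_file}`, so write the QR next to it and hand that path to this connection's daemon only: `banner="${oidc_file}.banner"`, `… get_qr "${oidc_file}" > "${banner}"` and `/usr/sbin/sshd -i -o "Banner=${banner}"`. Nothing checks that setup_ssh and oidc_setup succeeded before sshd starts; `[[ -s "${oidc_file}" ]] || exit 1` after the oidc_setup call would drop the connection instead of presenting an empty or stale banner. The script also runs without `set -euo pipefail`, so a failing step is otherwise silent.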

7
build/install/get_qr

@ -0,0 +1,7 @@
#!/bin/bash
# first arg : the oidc file
tmp_file="$1"
cat $tmp_file | jq '.verification_uri_complete' -r
cat $tmp_file | jq '.verification_uri_complete' -r | qrencode -t utf8
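Review bot: `cat $tmp_file` on both lines is unquoted and the same JSON is parsed twice; do the lookup once with the path quoted, e.g. `uri=$(jq -r '.verification_uri_complete' "$tmp_file")`, then `printf '%s\n' "$uri"` and `printf '%s' "$uri" | qrencode -t utf8`. When the file lacks the key (for example after a failed oidc_setup) `jq -r` prints the string `null` and a QR code for that literal is rendered; `[[ -n "$uri" && "$uri" != null ]] || exit 1` before printing makes the caller fail visibly instead.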

1
build/install/oidc_config.json

File diff suppressed because one or more lines are too long

2
build/install/oidc_env

@ -0,0 +1,2 @@
CLIENT_ID=serv1
CLIENT_SECRET=VbL5OELpk3wmp3ZqEw5Ef9arky48r4N4
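Review bot: `CLIENT_SECRET=` on the second line is a live OIDC client credential committed in clear text, and the `.gitignore` hunk in this same commit, which appears to drop the `build` entry, is what brings this file under version control; the value is now part of the repository history and should be treated as exposed and rotated at the identity provider. Keep the file out of the tree (re-add `build/install/oidc_env` to `.gitignore`) and generate it at install time from a root-only source, with the file itself at mode 0600 since `oidc_pam`, `oidc_setup` and `oidc_verify` source it. `CLIENT_ID=serv1` can remain in committed configuration once the secret moves out.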

92
build/install/oidc_pam

@ -0,0 +1,92 @@
#!/bin/bash
PAM_SUCCESS=0
PAM_SERVICE_ERR=3
PAM_PERM_DENIED=6
PAM_AUTH_ERR=7
# env > /home/n42/git/SR2I204/ansible/../build/tmp/.env
# date >> /home/n42/git/SR2I204/ansible/../build/tmp/.env
case $PAM_TYPE in
auth)
# In the authentication stage, we assure that the user is who he claims to be.
# For example by checking username and password.
tmp_file=""
case $PAM_SERVICE in
sshd)
echo "Auth from ssh handled" | logger -t "pam_oidc"
# If authentication comes from SSH, our inetd script already created a device auth token
port=$(echo $SSH_CONNECTION | cut -d ' ' -f 2)
tmp_file="/home/n42/git/SR2I204/ansible/../build/tmp/$port"
;;
*)
echo "Auth from $PAM_SERVICE" | logger -t "pam_oidc"
# Otherwise, initiate a new device flow
tmp_file="$(mktemp -p /home/n42/git/SR2I204/ansible/../build/tmp/ $PAM_SERVICE.XXXXX)"
/home/n42/git/SR2I204/ansible/../build/install/oidc_setup "$tmp_file"
/home/n42/git/SR2I204/ansible/../build/install/get_qr "$tmp_file"
;;
esac
/home/n42/git/SR2I204/ansible/../build/install/oidc_verify "$tmp_file" > "${tmp_file}.result"
oidc_verify_code="$?"
echo "Check $PAM_USER with response : $(cat ${tmp_file}.result)" | logger -t "pam_oidc"
if [ "$oidc_verify_code" == "0" ]; then
if [ "$PAM_USER" == "$(cat ${tmp_file}.result | jq -r '.user')" ]; then
if [ "true" == "$(cat ${tmp_file}.result | jq -r '.groups | contains(["SSH"])')" ]; then
echo "Success !" | logger -t "pam_oidc"
cat /etc/passwd | grep -Eq "^$PAM_USER\:" || useradd -m "$PAM_USER"
cat "${tmp_file}.result" | jq -r '.groups[]' | grep -vE "^SSH$" > "/home/n42/git/SR2I204/ansible/../build/tmp/$PAM_USER"
if [ "sshd" != "$PAM_SERVICE" ]; then
rm "${tmp_file}"
rm "${tmp_file}.result"
fi
exit $PAM_SUCCESS
else
echo "Not in SSH groups : $(cat ${tmp_file}.result | jq -r '.groups[]' | xargs)" | logger -t "pam_oidc"
fi
else
echo "Invalid user, expecting $PAM_USER, got $(cat ${tmp_file}.result | jq -r '.user')" | logger -t "pam_oidc"
fi
else
echo "Error code $oidc_verify_code." | logger -t "pam_oidc"
fi
echo "Error... deleting ${tmp_file} and exit." | logger -t "pam_oidc"
rm "${tmp_file}"
rm "${tmp_file}.result"
exit $PAM_PERM_DENIED
;;
account)
# After we authenticate the user we may still want to do some checks.
# For example, if the account is expired.
exit $PAM_SUCCESS
;;
open_session)
echo "Opening session for $PAM_USER." | logger -t "pam_oidc"
while read group
do
echo "$group -> $PAM_USER" | logger -t "pam_oidc"
groupadd -f "$group"
done </home/n42/git/SR2I204/ansible/../build/tmp/$PAM_USER
usermod -G "$((echo $PAM_USER && cat /home/n42/git/SR2I204/ansible/../build/tmp/$PAM_USER) | xargs | sed -e 's/\s\s*/,/g')" "$PAM_USER"
exit $PAM_SUCCESS
# In this stage we build the user environment.
# We can set user variables, load configuration files, mounting directories and much more.
;;
close_session)
if [ "sshd" == "$PAM_SERVICE" ]; then
port="$(echo $SSH_CONNECTION | cut -d ' ' -f 2)"
echo "Closing SSH:$port session." | logger -t "pam_oidc"
# If authentication comes from SSH, we remove the tmp file associated to this port
tmp_file="/home/n42/git/SR2I204/ansible/../build/tmp/$port"
rm "$tmp_file"
rm "${tmp_file}.result"
fi
exit $PAM_SUCCESS
;;
*)
exit $PAM_SERVICE_ERR
;;
esac
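Review bot: In the `sshd)` arm of the auth stage `tmp_file` is built from a port cut out of `$SSH_CONNECTION` and handed to oidc_verify without checking that the file exists; if that variable is empty in the PAM environment (not guaranteed for pam_exec during authentication — verify) the path degrades to the tmp directory itself, and a missing file surfaces only as an oidc_verify failure followed by `rm` on a directory. Guard it with `[[ -n "$port" && -f "$tmp_file" ]] || exit "$PAM_AUTH_ERR"`, which also gives the otherwise unused `PAM_AUTH_ERR` a purpose; the same `$SSH_CONNECTION` lookup in `close_session` needs the same check. The useradd test `cat /etc/passwd | grep -Eq "^$PAM_USER\:"` interpolates the login name into a regex; `getent passwd "$PAM_USER" >/dev/null || useradd -m "$PAM_USER"` avoids that and also covers non-file NSS sources. In `open_session` every role the IdP reports becomes a local group through `groupadd -f` and is assigned with `usermod -G`, so a role whose name matches a privileged local group (such as `sudo` or `wheel`) grants that privilege; an allowlist of permitted group names, or a fixed prefix such as `oidc_`, would keep the role-to-group mapping explicit.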

14
build/install/oidc_setup

@ -0,0 +1,14 @@
#!/bin/bash
# first arg : the oidc file
source /home/n42/git/SR2I204/ansible/../build/install/oidc_env
tmp_file="$1"
URL="$( cat /home/n42/git/SR2I204/ansible/../build/install/oidc_config.json | jq '.mtls_endpoint_aliases.device_authorization_endpoint' -r )"
curl -fs --request POST --url "$URL" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=password \
--data client_secret=$CLIENT_SECRET \
--data client_id=$CLIENT_ID > $tmp_file
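Review bot: `--data client_secret=$CLIENT_SECRET` puts the client secret into curl's argument vector, where it is readable through `ps` or `/proc/*/cmdline` by any local user for the duration of the request; the same pattern is in `oidc_verify`. Send the body on stdin instead: `printf 'grant_type=password&client_id=%s&client_secret=%s' "$CLIENT_ID" "$CLIENT_SECRET" | curl -fsS --request POST --url "$URL" --header 'Content-Type: application/x-www-form-urlencoded' --data @- > "$tmp_file" || exit 1`. The `|| exit 1` matters because a failed request currently leaves an empty `$tmp_file` (unquoted on the last line) and the callers go on to render a QR from it. `grant_type=password` is not a parameter of the device authorization request (RFC 8628 expects `client_id` and optionally `scope`), so it is presumably ignored by the server; confirm against the IdP before dropping it.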

32
build/install/oidc_verify

@ -0,0 +1,32 @@
#!/bin/bash
# verify if the user authenticate
# first arg : the oidc file
# return the res file
tmp_file="$1"
source /home/n42/git/SR2I204/ansible/../build/install/oidc_env
URL="$( cat /home/n42/git/SR2I204/ansible/../build/install/oidc_config.json | jq '.mtls_endpoint_aliases.token_endpoint' -r )"
while true;
do
res=$(curl -s --request POST --url "$URL" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=urn:ietf:params:oauth:grant-type:device_code \
--data client_secret=$CLIENT_SECRET \
--data client_id=$CLIENT_ID \
--data device_code="$(cat $tmp_file | jq -r '.device_code')")
if $(echo "$res" | jq 'has("error")');
then
if [ "$(echo "$res" | jq -r '.error')" = "authorization_pending" ];
then
sleep $(cat $tmp_file | jq '.interval')
else
exit 1
fi
else
echo "$res" | jq -r '.access_token' | cut -d. -f2 | base64 -d 2>/dev/null | jq '. | {"user": .preferred_username, "groups": (.realm_access.roles + .resource_access.'$CLIENT_ID'.roles - ["default-roles-servers", "offline_access", "uma_authorization"])}'
exit 0
fi
done
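Review bot: The decode step on the success path, `cut -d. -f2 | base64 -d 2>/dev/null`, feeds a base64url JWT segment (alphabet with `-` and `_`, no padding) to a standard base64 decoder; depending on the implementation that fails or truncates, the `2>/dev/null` hides it, and the script then writes an empty result and exits 0, so oidc_pam denies a user who did authenticate. `'$CLIENT_ID'` is spliced into the jq program as source text, which breaks on any id containing a quote or dot; pass it with `--arg`. The loop honours `interval` but never `expires_in` from the device response, so a flow the user abandons is polled until the caller kills it, and an `error` of `slow_down` is treated as fatal rather than as a request to back off. The rewrite below converts the alphabet and re-pads before decoding; the polling loop above it is unchanged.
```shell
# … unchanged: polling loop, has("error") branch …
payload=$(printf '%s' "$res" | jq -r '.access_token' | cut -d. -f2 | sed 'y/-_/+\//')
padding=$(printf '%*s' $(( (4 - ${#payload} % 4) % 4 )) '' | tr ' ' '=')
printf '%s%s' "$payload" "$padding" | base64 -d \
  | jq --arg cid "$CLIENT_ID" '{"user": .preferred_username, "groups": (.realm_access.roles + .resource_access[$cid].roles - ["default-roles-servers", "offline_access", "uma_authorization"])}'
exit 0
```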

25
build/install/setup_ssh

@ -0,0 +1,25 @@
#!/bin/bash
# get all the open ports for the ssh service
all_ports="$(ss | grep -E "^tcp\s.*\:ssh" | sed -e "s/^\ *//g" -e "s/\ *$//g" | rev | cut -d: -f1 | rev | grep -v ssh)"
# create the temp dir if not set
mkdir -p -m 700 "/home/n42/git/SR2I204/ansible/../build/tmp/"
current_port=$(echo "${all_ports}" | grep -Ev "^($(/bin/ls -1 /home/n42/git/SR2I204/ansible/../build/tmp/ | xargs | sed -e 's/\s/|/g'))$")
# logging ports for debug
echo "Ports for this run :" | logger -t "pam_oidc"
echo "${all_ports}" | xargs | logger -t "pam_oidc"
echo "After filter :" | logger -t "pam_oidc"
echo "${current_port}" | xargs | logger -t "pam_oidc"
# Assert there is only one port, this is the flaky part
# Maybe improve this by talking with the other current handlers
test "$(echo "${current_port}" | wc -l)" = 1 || current_port="$(echo "${current_port}" | tail -n 1)"
oidc_file="/home/n42/git/SR2I204/ansible/../build/tmp/${current_port}"
# then return the oidc file
echo "${oidc_file}"
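Review bot: `current_port` is derived from the remote port alone, and nothing checks that it is non-empty before the path is built on the `oidc_file=` line: when `ss` yields no match the script prints the tmp directory itself and the caller then writes into it. Add `[[ -n "${current_port}" ]] || exit 1` before that assignment. A remote port is also not unique across clients (peers at different addresses can use the same source port), so keying by peer address and port — both are on the same `ss` line, and `$SSH_CONNECTION` carries the same pair on the oidc_pam side — would make the collision the comment calls "the flaky part" rarer than the arbitrary `tail -n 1` pick does. The exclusion regex on the `current_port=` line is built from raw file names in the tmp dir (the `.result` and per-user files included), where `.` and other metacharacters are interpreted; `grep -Fvx -f <(/bin/ls -1 …)` matches the names literally instead.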