Implement support for kerberos authentication (#13)
* Initial kerberos authentication implementation * Implement credential delegation * Implement kerberos-based password authentication * Log successful GSSAPI auths * Implement authorization webhook for kerberos * Document kerberos configuration * Use agent path from configuration * Send remote address and connectionId to authz * Add auth handler constructor * Add support for logging in as other users * fixup! Initial kerberos authentication implementation * fixup! Implement authorization webhook for kerberos * Improve comments * Fix swagger operation * Properly wrap (some) kerberos error messages * Integrate retry library * Fix retry attempts check * Implement authz retrying * Add kerberos tests * Update go.mod * Update gokrb5 to use containerssh fork * fixup! Add kerberos tests * Update delegation handling to new API * fixup! fixup! Implement authorization webhook for kerberos * Fix AllowLogin * Fix tests on other modules * Fix linter warnings * Address review comments * Update gokrb5 version to fix credential delegation * Safeguard the case that delegated credentials are nil * Change auth metadata to be a struct * Make kubernetes backend write all files to the pod * fixup! Update gokrb5 version to fix credential delegation * Limit metadata transmission according to sensitivity * fixup! Change auth metadata to be a struct * fixup! Change auth metadata to be a struct * fixup! Limit metadata transmission according to sensitivity * fixup! Make kubernetes backend write all files to the pod * fixup! Change auth metadata to be a struct * fixup! fixup! Make kubernetes backend write all files to the pod * fixup! fixup! Limit metadata transmission according to sensitivity * Support files in session mode * Support file writing in docker backend * Document authorization call * fixup! Support file writing in docker backend * fixup! fixup! 
Support file writing in docker backend * Add config option for clockskew * Add option for strict acceptor check * Make authz available to all authentication backends * Ensure failed auths get rejected in sshserver * fixup! Make authz available to all authentication backends * Remove retry library * Address review comments * Address review comments * Remove sensitivity and add environment customization * Resolve golangci error * Address review comments * Fix lint issues
1 parent
ab477ce
commit 625361f
Showing
64 changed files
with
2,253 additions
and
112 deletions.
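--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -0,0 +1,77 @@
+package auth
+
+type ConnectionMetadata struct {
+// Metadata is a set of key-value pairs that can be returned and
+// either consumed by the configuration server or exposed in the
+// backend as environment variables.
+Metadata map[string]string `json:"metadata,omitempty"`
+// Environment is a set of key-value pairs that will be exposed to the
+// container as environment variables
+Environment map[string]string `json:"environment,omitempty"`
+// Files is a key-value pair of files to be placed inside containers.
+// The key represents the path to the file while the value is the
+// binary content.
+Files map[string][]byte `json:"files,omitempty"`
+}
+
+// Transmit returns a copy of the Metadata containing only the metadata map for transmission to external servers (file and environment maps are considered sensitive by default)
+func (m *ConnectionMetadata) Transmit() *ConnectionMetadata {
+if m == nil {
+return nil
+}
+return &ConnectionMetadata{
+Metadata: m.Metadata,
+}
+}
+
+// Merge merges a metadata object into the current one. In case of duplicated keys the one in the new struct take precedence
+func (m *ConnectionMetadata) Merge(newmeta *ConnectionMetadata) {
+if m == nil {
+return
+}
+if newmeta == nil {
+return
+}
+for k, v := range newmeta.GetMetadata() {
+m.GetMetadata()[k] = v
+}
+for k, v := range newmeta.GetFiles() {
+m.GetFiles()[k] = v
+}
+for k, v := range newmeta.GetEnvironment() {
+m.GetEnvironment()[k] = v
+}
+}
+
+// GetMetadata returns an editable metadata map
+func (m *ConnectionMetadata) GetMetadata() map[string]string {
+if m == nil {
+return nil
+}
+if m.Metadata == nil {
+m.Metadata = make(map[string]string)
+}
+return m.Metadata
+}
+
+// GetFiles returns an editable files map
+func (m *ConnectionMetadata) GetFiles() map[string][]byte {
+if m == nil {
+return nil
+}
+if m.Files == nil {
+m.Files = make(map[string][]byte)
+}
+return m.Files
+}
+
+// GetFiles returns an editable files map
+func (m *ConnectionMetadata) GetEnvironment() map[string]string {
+if m == nil {
+return nil
+}
+if m.Environment == nil {
+m.Environment = make(map[string]string)
+}
+return m.Environment
+}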
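Review bot: `Transmit` does not return a copy as its doc comment claims: the struct it builds shares `m.Metadata` with the receiver, so any mutation of the transmitted object (or a later `Merge` into the original) is visible on both sides. Since the point of `Transmit` is to separate what leaves the process from the sensitive `Files` and `Environment` maps, build a fresh map instead, e.g. `dst := make(map[string]string, len(m.Metadata))` followed by a copy loop (or `maps.Clone` if the module already targets Go 1.21+). `Merge` likewise stores the `[]byte` values from `newmeta.GetFiles()` by reference, so both structs alias the same file contents; `bytes.Clone(v)` (or `copy` into a new slice) would detach them if either side is edited afterwards. The doc comment on `GetEnvironment` is a copy of the one on `GetFiles` and should read `// GetEnvironment returns an editable environment map`.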
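--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -0,0 +1,13 @@
+package webhook
+
+import (
+"net/http"
+
+"github.com/containerssh/libcontainerssh/internal/auth"
+"github.com/containerssh/libcontainerssh/log"
+)
+
+// NewHandler creates a HTTP handler that forwards calls to the provided h config request handler.
+func NewHandler(h AuthRequestHandler, logger log.Logger) http.Handler {
+return auth.NewHandler(h, logger)
+}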
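Review bot: The doc comment on `NewHandler` calls the argument a `config request handler`, but the parameter is an `AuthRequestHandler` that is passed straight to `auth.NewHandler`, so the sentence reads as copied from another webhook package; suggest `// NewHandler creates an HTTP handler that forwards calls to the provided AuthRequestHandler.` The declaration of `AuthRequestHandler` is outside this section, so whether it is an alias of the internal auth package's handler type cannot be confirmed here.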