Merge pull request jumanjihouse#102 from jumanjiman/v2.10.1

upgrade to version 2.10.1
iandday · Oct 8, 2018 · 5ff8f19 · 5ff8f19
2 parents ae3adcd + a38113c
commit 5ff8f19
Show file tree

Hide file tree

Showing 14 changed files with 91 additions and 56 deletions.
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,4 @@ runtime/duoauthproxy.tgz
 environment
 ci/vars
 fixtures/*/authproxy.cfg
+fixtures/**/ca-bundle.crt
diff --git a/.gitlint b/.gitlint
@@ -1,6 +1,6 @@
 # http://jorisroovers.github.io/gitlint/configuration/
 [general]
-ignore=body-is-missing
+ignore=body-is-missing,body-max-line-length
 
 [title-max-length]
 line-length=72
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -27,7 +27,7 @@ repos:
       - id: forbid-tabs
 
   - repo: https://github.com/jumanjihouse/pre-commit-hooks
-    rev: 1.7.1
+    rev: 1.10.2
     hooks:
       - id: forbid-binary
         exclude: >
@@ -36,6 +36,7 @@ repos:
           )$
       - id: git-check  # Configure in .gitattributes
       - id: git-dirty  # Configure in .gitignore
+      - id: require-ascii
       - id: shellcheck
       - id: shfmt
 

diff --git a/README.md b/README.md
@@ -12,15 +12,14 @@ Docker hub: [https://registry.hub.docker.com/u/jumanjiman/duoauthproxy/](https:/
 <br />
 Image metadata: [https://microbadger.com/#/images/jumanjiman/duoauthproxy](https://microbadger.com/#/images/jumanjiman/duoauthproxy)
 <br />
-Current version: Duo Authproxy 2.9.0
+Current version: Duo Authproxy 2.10.1
 ([release notes](https://duo.com/support/documentation/authproxy-notes))
 
-:warning: Duo Authproxy 2.4.18 resolves
-[DUO-PSA-2016-002](https://duo.com/labs/psa/duo-psa-2016-002).
 
 **Table of Contents**
 
 - [Overview](#overview)
+  - [Warnings](#warnings)
   - [Network diagram](#network-diagram)
   - [References](#references)
   - [Build integrity](#build-integrity)
@@ -48,6 +47,26 @@ This repo provides a way to build Duo Authentication Proxy into
 a docker image and run it as a container.
 
 
+### Warnings
+
+:warning: Upstream authproxy introduced breaking changes effective 2.10.0:
+
+* Authproxy absolutely needs to write to a logfile.<br/>
+  The image declares `/opt/duoauthproxy/log` as a volume.
+
+* Authproxy no longer has the `-c CONFIG` option.<br/>
+  The path to config is hard-coded.
+
+* Authproxy requires `FIPS_mode` that is not in LibreSSL.<br/>
+  Therefore the image is based on Centos, not Alpine.<br/>
+  See https://marc.info/?l=openbsd-misc&m=139819485423701&w=2 for details.
+
+
+:warning: Duo Authproxy 2.4.18 resolves
+[DUO-PSA-2016-002](https://duo.com/labs/psa/duo-psa-2016-002).
+
+
+
 ### Network diagram
 
 ![Duo network diagram](https://duo.com/assets/img/documentation/authproxy/radius-network-diagram.png)

diff --git a/TESTING.md b/TESTING.md
@@ -52,21 +52,21 @@ Run the test harness on a single image:
 The test harness uses [BATS](https://github.com/sstephenson/bats).
 Output resembles:
 
-    ✓ radius auth via duo authproxy is allowed when 2fa succeeds
-    ✓ radius auth via duo authproxy is rejected when 2fa fails
-    ✓ There are no suid files
-    ✓ duo user exists
-    ✓ duo user is denied interactive login
-    ✓ duo is the only user account
-    ✓ duo is the only user account
-    ✓ duo group exists
-    ✓ duo is the only group account
-    ✓ duo is the only group account
-    ✓ bash is not installed
-    ✓ chown is available
-    ✓ chgrp is available
-    ✓ ln is available
-    ✓ chmod is available
-    ✓ ci-build-url label is present
+    ok radius auth via duo authproxy is allowed when 2fa succeeds
+    ok radius auth via duo authproxy is rejected when 2fa fails
+    ok There are no suid files
+    ok duo user exists
+    ok duo user is denied interactive login
+    ok duo is the only user account
+    ok duo is the only user account
+    ok duo group exists
+    ok duo is the only group account
+    ok duo is the only group account
+    ok bash is available
+    ok chown is available
+    ok chgrp is available
+    ok ln is available
+    ok chmod is available
+    ok ci-build-url label is present
 
     16 tests, 0 failures
diff --git a/builder/Dockerfile b/builder/Dockerfile
@@ -1,25 +1,26 @@
-FROM alpine:3.7
+FROM centos:7.5.1804
 
-RUN apk upgrade --update --available && \
-    apk add \
+RUN \
+    yum install -y \
       bash \
       curl \
       python \
       gcc \
-      gmp-dev \
-      libc-dev \
-      libffi-dev \
+      gmp-devel \
+      libc-devel \
+      libffi-devel \
       libgcc \
-      'libressl-dev>=2.6.3-r0' \
+      openssl-devel \
       linux-headers \
       make \
       patch \
+      procps \
       py-setuptools \
-      python-dev \
+      python-devel \
       tar \
-      zlib-dev \
-    && rm -f /var/cache/apk/* && \
-    adduser -D duo
+      zlib-devel \
+    && rm -fr /var/cache/yum && \
+    useradd duo
 
 ARG VERSION
 

diff --git a/ci/bootstrap.sh b/ci/bootstrap.sh
@@ -56,7 +56,7 @@ run_precommit() {
   echo '---> run pre-commit'
 
   # http://pre-commit.com/#pre-commit-run
-  readonly DEFAULT_PRECOMMIT_OPTS="--all-files --verbose --hook-stage manual"
+  readonly DEFAULT_PRECOMMIT_OPTS="--all-files --hook-stage manual"
 
   # Allow user to override our defaults by setting an env var.
   readonly PRECOMMIT_OPTS="${PRECOMMIT_OPTS:-$DEFAULT_PRECOMMIT_OPTS}"

diff --git a/ci/build.sh b/ci/build.sh
@@ -12,7 +12,7 @@ set -o pipefail
 
 cat >ci/vars <<EOF
 # shellcheck shell=bash
-declare -rx  VERSION=2.9.0
+declare -rx  VERSION=2.10.1
 declare -rx  BUILD_DATE=$(date +%Y%m%dT%H%M)
 declare -rx  VCS_REF=$(git describe --abbrev=7 --tags --always)
 declare -rx  TAG=\${VERSION}-\${BUILD_DATE}-git-\${VCS_REF}

diff --git a/ci/test.sh b/ci/test.sh
@@ -50,10 +50,17 @@ run_precommit
 
 echo
 echo Configure fixtures.
+if docker ps -a --format '{{.Names}}' --filter Name=src | grep -E '^src$' &>/dev/null; then
+  docker rm -fv src
+fi
+docker create --name=src duoauthproxy sh
+docker cp src:/opt/duoauthproxy/conf/ca-bundle.crt fixtures/
+cp -f fixtures/ca-bundle.crt fixtures/allow/
 cp -f fixtures/authproxy.cfg fixtures/allow/authproxy.cfg
 sed -i "s/API_HOST/${API_HOST}/g" fixtures/allow/authproxy.cfg
 sed -i "s/IKEY/${IKEY_ALLOW}/g" fixtures/allow/authproxy.cfg
 sed -i "s/SKEY/${SKEY_ALLOW}/g" fixtures/allow/authproxy.cfg
+cp -f fixtures/ca-bundle.crt fixtures/deny/
 cp -f fixtures/authproxy.cfg fixtures/deny/authproxy.cfg
 sed -i "s/API_HOST/${API_HOST}/g" fixtures/deny/authproxy.cfg
 sed -i "s/IKEY/${IKEY_DENY}/g" fixtures/deny/authproxy.cfg

diff --git a/fixtures/allow/Dockerfile b/fixtures/allow/Dockerfile
@@ -1,3 +1,4 @@
 FROM busybox
-COPY authproxy.cfg /etc/duoauthproxy/
-VOLUME /etc/duoauthproxy/
+COPY authproxy.cfg /opt/duoauthproxy/conf/
+COPY ca-bundle.crt /opt/duoauthproxy/conf/
+VOLUME /opt/duoauthproxy/conf/
diff --git a/fixtures/deny/Dockerfile b/fixtures/deny/Dockerfile
@@ -1,3 +1,4 @@
 FROM busybox
-COPY authproxy.cfg /etc/duoauthproxy/
-VOLUME /etc/duoauthproxy/
+COPY authproxy.cfg /opt/duoauthproxy/conf/
+COPY ca-bundle.crt /opt/duoauthproxy/conf/
+VOLUME /opt/duoauthproxy/conf/
diff --git a/runtime/Dockerfile b/runtime/Dockerfile
@@ -1,23 +1,27 @@
-FROM alpine:3.7
+FROM centos:7.5.1804
 
-RUN apk upgrade --update && \
-    apk add \
+RUN \
+    yum install -y \
       python \
-      'libressl2.6-libssl>=2.6.3-r0' \
+      openssl \
       && \
-    rm -f /var/cache/apk/* && \
-    adduser -D -s /sbin/nologin duo
+    rm -fr /var/cache/yum && \
+    useradd -s /sbin/nologin duo
 
 # Use ADD, not COPY, to keep image small.
 ADD duoauthproxy.tgz /
 
 COPY harden /usr/sbin/harden
 RUN /usr/sbin/harden
 
+RUN mkdir -p /opt/duoauthproxy/log; \
+    chown -R duo:duo /opt/duoauthproxy/log
+VOLUME /opt/duoauthproxy/log
+
 COPY authproxy.cfg /etc/duoauthproxy/authproxy.cfg
 USER duo
 ENTRYPOINT ["/opt/duoauthproxy/bin/authproxy"]
-CMD ["-c", "/etc/duoauthproxy/authproxy.cfg"]
+VOLUME /opt/duoauthproxy/conf/
 
 ARG CI_BUILD_URL
 ARG BUILD_DATE

diff --git a/runtime/harden b/runtime/harden
@@ -33,15 +33,15 @@ rm -fr /etc/crontabs
 rm -fr /etc/periodic
 
 # Remove all but a handful of admin commands.
-find /sbin /usr/sbin ! -type d \
+find /usr/sbin ! -type d \
   -a ! -name nologin \
   -delete
 
+# Centos 7.5 does not have /sbin.
 readonly sysdirs="
   /bin
   /etc
   /lib
-  /sbin
   /opt
   /usr
 "
@@ -52,10 +52,10 @@ readonly sysdirs="
 # Therefore restrict the find to sysdirs listed above.
 #
 # shellcheck disable=SC2086
-find ${sysdirs} -xdev -type d -perm +0002 -exec chmod o-w {} +
+find ${sysdirs} -xdev -type d -perm /0002 -exec chmod o-w {} +
 #
 # shellcheck disable=SC2086
-find ${sysdirs} -xdev -type f -perm +0002 -exec chmod o-w {} +
+find ${sysdirs} -xdev -type f -perm /0002 -exec chmod o-w {} +
 
 # Remove crufty...
 #   /etc/shadow-
@@ -75,7 +75,7 @@ find ${sysdirs} -xdev -type d \
 # Remove all suid files.
 #
 # shellcheck disable=SC2086
-find ${sysdirs} -xdev -type f -a -perm +4000 -delete
+find ${sysdirs} -xdev -type f -a -perm /4000 -delete
 
 # Remove init scripts since we do not use them.
 rm -fr /etc/init.d
@@ -108,4 +108,4 @@ sed -i -r '/^(duo)/!d' /etc/group
 sed -i -r '/^(duo)/!d' /etc/passwd
 
 # Remove interactive login shell for everybody but unprivileged user.
-sed -i -r '/^duo:/! s#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd
+sed -i -r '/^duo:/! s#^(.*):[^:]*$#\1:/usr/sbin/nologin#' /etc/passwd
diff --git a/test/test_harden.bats b/test/test_harden.bats
@@ -44,18 +44,18 @@
   [[ ${groups} -eq 1 ]]
 }
 
-@test "bash is not installed" {
-  run docker run --rm --entrypoint ls duoauthproxy /bin/bash
-  [[ ${status} -ne 0 ]]
+@test "bash is available" {
+  run docker run --rm --entrypoint sh duoauthproxy -c "command -v bash"
+  [[ ${status} -eq 0 ]]
 }
 
 @test "chown is available" {
-  run docker run --rm --entrypoint chown duoauthproxy -h
+  run docker run --rm --entrypoint chown duoauthproxy --help
   [[ ${output} =~ "Usage: chown" ]]
 }
 
 @test "chgrp is available" {
-  run docker run --rm --entrypoint chgrp duoauthproxy -h
+  run docker run --rm --entrypoint chgrp duoauthproxy --help
   [[ ${output} =~ "Usage: chgrp" ]]
 }