Commit 671f45af authored by Yakubov, Sergey's avatar Yakubov, Sergey

c module ready

parent 2f949489
+31 −2
stages:
    - build

include:
    - local: /server_side/.gitlab-ci.yml
variables:
    NO2FA_URL: "${CI_REGISTRY_IMAGE}/ubuntu_sshd"
    WITH2FA_URL:   "${CI_REGISTRY_IMAGE}/ubuntu_sshd_2fa"

# This import is for the func_rse_docker_* functions
before_script:
    - curl https://code.ornl.gov/rse-deployment/rse-sharables/raw/master/rse-bash-modules.sh -O
    - source rse-bash-modules.sh
    - func_rse_docker_cleanup

after_script:
    - curl https://code.ornl.gov/rse-deployment/rse-sharables/raw/master/rse-bash-modules.sh -O
    - source rse-bash-modules.sh
    - func_rse_docker_cleanup
    - sudo chown -R gitlab-runner .

docker-build:
    variables:
        IMAGE_PREFIX: "/$CI_COMMIT_REF_NAME"
    stage: build
    script:
        - docker login --username=$CI_REGISTRY_USER --password=$CI_REGISTRY_PASSWORD $CI_REGISTRY
        - if [$CI_COMMIT_REF_NAME == 'master']; then export IMAGE_PREFIX=""; fi
        - docker build -f server_side/Dockerfile -t no2fa --target no2fa ./server_side
        - docker build -f server_side/Dockerfile -t with2fa --target with2fa ./server_side
        - docker tag no2fa $NO2FA_URL$IMAGE_PREFIX:latest
        - docker tag with2fa $WITH2FA_URL$IMAGE_PREFIX:latest
        - docker push $NO2FA_URL$IMAGE_PREFIX:latest
        - docker push $WITH2FA_URL$IMAGE_PREFIX:latest
    tags:
        - rse-multi-builder
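Review bot: The branch test on line 40, `if [$CI_COMMIT_REF_NAME == 'master']`, has no spaces inside the brackets, so the shell looks for a command named `[master` and the condition is always false — master builds end up pushed under the `/master` prefix instead of the un-prefixed tag (the `rules:` block in the deleted server_side/.gitlab-ci.yml handled this correctly); write it as `if [ "$CI_COMMIT_REF_NAME" = "master" ]; then export IMAGE_PREFIX=""; fi`. On line 39 the registry password is passed as a command-line argument, which docker itself warns is insecure because it can appear in the job log's command echo and in `/proc` for other processes on the runner; use `echo "$CI_REGISTRY_PASSWORD" | docker login --username "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. The `before_script`/`after_script` also `curl` and `source` `rse-bash-modules.sh` from a mutable `raw/master` URL with no pinning or checksum, so anyone who can push to that repository can run arbitrary commands on a runner where `sudo` is available (line 32); fetch it at a fixed commit SHA and verify a sha256 before sourcing.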

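--- a/server_side/.gitlab-ci.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-variables:
-    NO2FA_URL: "${CI_REGISTRY_IMAGE}/ubuntu_sshd"
-    WITH2FA_URL:   "${CI_REGISTRY_IMAGE}/ubuntu_sshd_2fa"
-
-# This import is for the func_rse_docker_* functions
-before_script:
-    - curl https://code.ornl.gov/rse-deployment/rse-sharables/raw/master/rse-bash-modules.sh -O
-    - source rse-bash-modules.sh
-    - func_rse_docker_cleanup
-
-after_script:
-    - curl https://code.ornl.gov/rse-deployment/rse-sharables/raw/master/rse-bash-modules.sh -O
-    - source rse-bash-modules.sh
-    - func_rse_docker_cleanup
-    - sudo chown -R gitlab-runner .
-
-docker-build:
-    variables:
-        IMAGE_PREFIX: "/$CI_COMMIT_REF_NAME"
-    rules:
-        - if: $CI_COMMIT_REF_NAME == 'master'
-          variables:
-            IMAGE_PREFIX: ""
-    stage: build
-    script:
-        - docker login --username=$CI_REGISTRY_USER --password=$CI_REGISTRY_PASSWORD $CI_REGISTRY
-        - docker build -f server_side/Dockerfile -t no2fa --target no2fa ./server_side
-        - docker build -f server_side/Dockerfile -t with2fa --target with2fa ./server_side
-        - docker tag no2fa $NO2FA_URL$IMAGE_PREFIX:latest
-        - docker tag with2fa $WITH2FA_URL$IMAGE_PREFIX:latest
-        - docker push $NO2FA_URL$IMAGE_PREFIX:latest
-        - docker push $WITH2FA_URL$IMAGE_PREFIX:latest
-    tags:
-        - rse-multi-builder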
+5 −2
FROM ubuntu:22.04 AS package

RUN apt-get update && apt-get install -y ssh cmake libpam0g-dev python3
RUN apt-get update && apt-get install -y cmake libpam0g-dev libcurl4-openssl-dev

COPY c  /src/c

@@ -9,13 +9,16 @@ RUN bash ./build.sh



FROM package AS no2fa
FROM ubuntu:22.04 AS no2fa

RUN useradd test
RUN mkhomedir_helper test
RUN echo test:123 | chpasswd
RUN mkdir /run/sshd /etc/security/oidc

RUN apt-get update && apt-get install -y curl python3 ssh


COPY --from=package /src/c/build/*.deb  /

RUN dpkg -i /oidc-pam-0.1.0-Linux.deb
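Review bot: The runtime stage now starts from a bare `ubuntu:22.04` (line 103) and gets `libcurl4` only transitively through the `curl` package on line 110, while `dpkg -i` on line 115 does no dependency resolution, so the PAM module's shared-library needs are satisfied by accident rather than declared. Install the runtime libraries explicitly and drop the apt lists, e.g. `RUN apt-get update && apt-get install -y --no-install-recommends ssh libcurl4 curl python3 && rm -rf /var/lib/apt/lists/*` (keep `curl`/`python3` only if something else in the image needs them). Whether the generated .deb declares its shared-library dependencies is not visible here (no `CPACK_DEBIAN_PACKAGE_SHLIBDEPS` in the CMake hunk), so a missing library would currently surface only when sshd loads the module. The unchanged `test:123` account on lines 105-107 is baked into the same stage that the CI job tags and pushes as `ubuntu_sshd*`, so confirm that image is used only for testing and never as a deployable base.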
+6 −6
@@ -5,25 +5,25 @@ set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${CMAKE_SOURCE_DIR}/cmake/modules/")


find_package(PAM REQUIRED)
find_package(CURL REQUIRED)

include_directories (
   ${PAM_INCLUDE_DIR}
)

add_library(oidc-pam SHARED oidc-pam.c config.c json/cJSON.c)
add_library(oidc-pam SHARED oidc-pam.c config.c json/cJSON.c auth.c log.c)
set_target_properties(oidc-pam PROPERTIES PREFIX "")

target_link_libraries(oidc-pam ${PAM_LIBRARIES})
target_link_libraries(oidc-pam ${PAM_LIBRARIES} ${CURL_LIBRARIES})

install(TARGETS oidc-pam DESTINATION /usr/lib/security)

SET(CPACK_GENERATOR "DEB")
SET(CPACK_DEBIAN_PACKAGE_MAINTAINER "ORNL") #required
SET(CPACK_DEBIAN_PACKAGE_MAINTAINER "ORNL")
set(CPACK_PACKAGE_VERSION_MAJOR "0")
set(CPACK_PACKAGE_VERSION_MINOR "1")
set(CPACK_PACKAGE_VERSION_PATCH "0")
INCLUDE(CPack)


add_executable(oidc-pam-main main.c config.c  json/cJSON.c)
target_link_libraries(oidc-pam-main ${PAM_LIBRARIES})
add_executable(oidc-pam-main main.c config.c  json/cJSON.c auth.c log.c)
target_link_libraries(oidc-pam-main ${PAM_LIBRARIES} ${CURL_LIBRARIES})
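Review bot: `target_link_libraries(oidc-pam ${PAM_LIBRARIES} ${CURL_LIBRARIES})` on line 133 (and line 149 for the executable) uses the keyword-less signature and the legacy `${CURL_LIBRARIES}` variable, while `include_directories` on lines 124-126 adds only `${PAM_INCLUDE_DIR}`, so curl headers resolve only because they happen to sit in the system include path. Prefer the imported target, which carries its own include directories and links privately: `target_link_libraries(oidc-pam PRIVATE ${PAM_LIBRARIES} CURL::libcurl)` (available since CMake 3.12; the file's `cmake_minimum_required` is outside this hunk). Since the module is now packaged as a .deb that links libcurl, also add `set(CPACK_DEBIAN_PACKAGE_SHLIBDEPS ON)` next to line 139 so the package declares `libcurl4`/`libpam0g` and `dpkg` refuses to install a PAM module whose libraries are missing, instead of the failure appearing at PAM load time inside sshd.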

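--- /dev/null
+++ b/server_side/c/auth.c
@@ -0,0 +1,103 @@
+#include "auth.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <memory.h>
+
+#include <curl/curl.h>
+
+#include "json/cJSON.h"
+
+struct MemoryStruct {
+    char *memory;
+    size_t size;
+};
+
+static size_t
+WriteMemoryCallback(void *contents, size_t size, size_t nmemb, void *userp) {
+    size_t realsize = size * nmemb;
+    struct MemoryStruct *mem = (struct MemoryStruct *) userp;
+
+    char *ptr = realloc(mem->memory, mem->size + realsize + 1);
+    if (!ptr) {
+        /* out of memory! */
+        printf("not enough memory (realloc returned NULL)\n");
+        return 0;
+    }
+
+    mem->memory = ptr;
+    memcpy(&(mem->memory[mem->size]), contents, realsize);
+    mem->size += realsize;
+    mem->memory[mem->size] = 0;
+
+    return realsize;
+}
+
+int introspect_token(const char *token, oidc_token_content_t *token_info) {
+    CURL *curl;
+    CURLcode res;
+    struct MemoryStruct chunk;
+    char data[10000];
+    sprintf(data, "token=%s&client_id=%s&"
+                  "client_secret=%s", token, config.client_id, config.client_secret);
+
+    chunk.memory = malloc(1);  /* will be grown as needed by realloc above */
+    chunk.size = 0;    /* no data at this point */
+
+    curl_global_init(CURL_GLOBAL_ALL);
+    curl = curl_easy_init();
+    long http_code = 0;
+    if (curl) {
+        curl_easy_setopt(curl, CURLOPT_URL, config.introspection_url);
+        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, WriteMemoryCallback);
+        curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *) &chunk);
+        curl_easy_setopt(curl, CURLOPT_USERAGENT, "libcurl-agent/1.0");
+        curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data);
+        curl_easy_setopt(curl, CURLOPT_FAILONERROR, 0);
+        res = curl_easy_perform(curl);
+        if (res != CURLE_OK) {
+            fprintf(stderr, "curl_easy_perform() failed: %s\n",
+                    curl_easy_strerror(res));
+            return 1;
+        } else {
+            curl_easy_getinfo (curl, CURLINFO_RESPONSE_CODE, &http_code);
+        }
+        curl_easy_cleanup(curl);
+    }
+    curl_global_cleanup();
+    if (http_code != 200) {
+        free(chunk.memory);
+        return 1;
+    }
+
+    cJSON *token_json = cJSON_Parse(chunk.memory);
+    if (token_json == NULL) {
+        const char *error_ptr = cJSON_GetErrorPtr();
+        if (error_ptr != NULL) {
+            fprintf(stderr, "Error before: %s\n", error_ptr);
+        }
+        free(chunk.memory);
+        return 1;
+    }
+
+    const cJSON *user = cJSON_GetObjectItemCaseSensitive(token_json, "preferred_username");
+    const cJSON *session_attribute = cJSON_GetObjectItemCaseSensitive(token_json, "session_attribute");
+    const cJSON *active = cJSON_GetObjectItemCaseSensitive(token_json, "active");
+    if (!cJSON_IsString(user) || (user->valuestring == NULL) ||
+        !cJSON_IsBool(active)) {
+        free(chunk.memory);
+        return 1;
+    }
+    if (!cJSON_IsString(session_attribute)) {
+        token_info->session_attribute = NULL;
+    } else {
+        token_info->session_attribute = session_attribute->valuestring;
+    }
+
+    token_info->user = user->valuestring;
+    token_info->active = cJSON_IsFalse(active) ? 0 : 1;
+    token_info->parsed_object = token_json;
+    free(chunk.memory);
+
+    return 0;
+}
\ No newline at end of file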
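Review bot: The `sprintf` into the fixed `char data[10000]` on lines 195-197 is unbounded, and `token` is the credential typed by the authenticating user, so an over-long token overruns the stack of a PAM module that executes inside sshd, and a token containing `&` or `=` can inject extra form fields (for example overriding `client_id`) because nothing is URL-encoded. Percent-encode each value with `curl_easy_escape()` and size the body with `snprintf`, as sketched below. The early `return 1` on `curl_easy_perform()` failure (line 216) also skips `curl_easy_cleanup`, `curl_global_cleanup` and `free(chunk.memory)`, leaking the handle and buffer on every failed introspection. Calling `curl_global_init`/`curl_global_cleanup` on every authentication is documented by libcurl as not thread-safe; that is presumably tolerable for sshd's per-session process, but it deserves a comment such as `/* NOTE: curl_global_init is not thread-safe; this module assumes one auth per process (sshd) */`.
```c
    curl = curl_easy_init();
    if (!curl) { free(chunk.memory); curl_global_cleanup(); return 1; }
    /* Percent-encode every value so a user-supplied token cannot inject extra form fields. */
    char *esc_token = curl_easy_escape(curl, token, 0);
    char *esc_id = curl_easy_escape(curl, config.client_id, 0);
    char *esc_secret = curl_easy_escape(curl, config.client_secret, 0);
    char *data = NULL;
    if (esc_token && esc_id && esc_secret) {
        int need = snprintf(NULL, 0, "token=%s&client_id=%s&client_secret=%s",
                            esc_token, esc_id, esc_secret);
        if (need >= 0 && (data = malloc((size_t) need + 1)) != NULL) {
            snprintf(data, (size_t) need + 1, "token=%s&client_id=%s&client_secret=%s",
                     esc_token, esc_id, esc_secret);
        }
    }
    curl_free(esc_token); curl_free(esc_id); curl_free(esc_secret);
    if (!data) { curl_easy_cleanup(curl); free(chunk.memory); curl_global_cleanup(); return 1; }
    /* … unchanged: CURLOPT_URL / WRITEFUNCTION / WRITEDATA / USERAGENT … */
    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data);   /* data must outlive curl_easy_perform() */
    curl_easy_setopt(curl, CURLOPT_FAILONERROR, 0);
    res = curl_easy_perform(curl);
    if (res != CURLE_OK) {
        fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
        curl_easy_cleanup(curl); free(data); free(chunk.memory); curl_global_cleanup();
        return 1;
    }
    curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http_code);
    curl_easy_cleanup(curl);
    free(data);
    /* … unchanged: curl_global_cleanup, status check and JSON parsing … */
```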