rnsrk/wisski-cloud-distillery
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add SSH Key Management

Browse source
This commit is contained in:
Tom Wiesing 2023-01-15 13:41:56 +01:00
parent ef76844922
commit bcd1805001
No known key found for this signature in database
62 changed files with 1004 additions and 188 deletions
Download patch file Download diff file Expand all files Collapse all files

18
internal/dis/component/auth/panel/panel.go
View file

@ -10,6 +10,7 @@ import (
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/auth/policy"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/control/static/custom"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/instances"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/ssh2/sshkeys"
"github.com/FAU-CDI/wisski-distillery/internal/models"
"github.com/FAU-CDI/wisski-distillery/pkg/httpx"
"github.com/julienschmidt/httprouter"
@ -23,6 +24,7 @@ type UserPanel struct {
Policy *policy.Policy
Instances *instances.Instances
Next *next.Next
Keys *sshkeys.SSHKeys
}
}
@ -73,6 +75,22 @@ func (panel *UserPanel) HandleRoute(ctx context.Context, route string) (http.Han
router.Handler(http.MethodPost, route+"totp/disable", totpdisable)
}
{
ssh := panel.sshRoute(ctx)
router.Handler(http.MethodGet, route+"ssh", ssh)
}
{
add := panel.sshAddRoute(ctx)
router.Handler(http.MethodGet, route+"ssh/add", add)
router.Handler(http.MethodPost, route+"ssh/add", add)
}
{
delete := panel.sshDeleteRoute(ctx)
router.Handler(http.MethodPost, route+"ssh/delete", delete)
}
// ensure that the user is logged in!
return panel.Dependencies.Auth.Protect(router, nil), nil
}

193
internal/dis/component/auth/panel/ssh.go Normal file
View file

@ -0,0 +1,193 @@
package panel
import (
"context"
"errors"
"net/http"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/auth"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/control/static"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/control/static/custom"
"github.com/FAU-CDI/wisski-distillery/internal/models"
"github.com/FAU-CDI/wisski-distillery/pkg/httpx"
"github.com/FAU-CDI/wisski-distillery/pkg/httpx/field"
"github.com/gliderlabs/ssh"
"github.com/rs/zerolog"
gossh "golang.org/x/crypto/ssh"
_ "embed"
)
//go:embed "templates/ssh.html"
var sshTemplateStr string
var sshTemplate = static.AssetsUser.MustParseShared("ssh.html", sshTemplateStr)
type SSHTemplateContext struct {
custom.BaseContext
Keys []models.Keys
Domain string // domain name of the distillery
Port uint16 // public port of the distillery ssh servers
Slug string // slug of the wisski
Hostname string // hostname of an example wisski
}
func (panel *UserPanel) sshRoute(ctx context.Context) http.Handler {
sshTemplate := panel.Dependencies.Custom.Template(sshTemplate)
gaps := custom.BaseContextGaps{
Crumbs: []component.MenuItem{
{Title: "User", Path: "/user/"},
{Title: "SSH Keys", Path: "/user/ssh/"},
},
Actions: []component.MenuItem{
{Title: "Add New Key", Path: "/user/ssh/add/"},
},
}
return httpx.HTMLHandler[SSHTemplateContext]{
Handler: func(r *http.Request) (sc SSHTemplateContext, err error) {
panel.Dependencies.Custom.Update(&sc, r, gaps)
user, err := panel.Dependencies.Auth.UserOf(r)
if err != nil {
return sc, err
}
sc.Domain = panel.Config.DefaultDomain
sc.Port = panel.Config.PublicSSHPort
// pick the first domain that the user has access to as an example
grants, err := panel.Dependencies.Policy.User(r.Context(), user.User.User)
if err != nil && len(grants) > 0 {
sc.Slug = grants[0].Slug
} else {
sc.Slug = "example"
}
sc.Hostname = panel.Config.HostFromSlug(sc.Slug)
sc.Keys, err = panel.Dependencies.Keys.Keys(r.Context(), user.User.User)
if err != nil {
return sc, err
}
return sc, nil
},
Template: sshTemplate,
}
}
//go:embed "templates/ssh_add.html"
var sshAddTemplateStr string
var sshAddTemplate = static.AssetsUser.MustParseShared("ssh_add.html", sshAddTemplateStr)
type addKeyResult struct {
User *auth.AuthUser
Comment string
Key ssh.PublicKey
}
var (
errInvalidUser = errors.New("invalid user")
errKeyParse = errors.New("unable to parse ssh key")
errAddKey = errors.New("unable to add key")
)
func (panel *UserPanel) sshDeleteRoute(ctx context.Context) http.Handler {
logger := zerolog.Ctx(ctx)
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if err := r.ParseForm(); err != nil {
logger.Err(err).Str("action", "delete ssh key").Msg("failed to parse form")
httpx.HTMLInterceptor.Fallback.ServeHTTP(w, r)
return
}
user, err := panel.Dependencies.Auth.UserOf(r)
if err != nil {
logger.Err(err).Str("action", "delete ssh key").Msg("failed to get current user")
httpx.HTMLInterceptor.Fallback.ServeHTTP(w, r)
return
}
key, _ := parseKey(r.PostFormValue("signature"))
if key == nil {
logger.Err(err).Str("action", "delete ssh key").Msg("failed to parse signature")
httpx.HTMLInterceptor.Fallback.ServeHTTP(w, r)
return
}
if err := panel.Dependencies.Keys.Remove(r.Context(), user.User.User, key); err != nil {
logger.Err(err).Str("action", "delete ssh key").Msg("failed to delete key")
httpx.HTMLInterceptor.Fallback.ServeHTTP(w, r)
return
}
http.Redirect(w, r, "/user/ssh/", http.StatusSeeOther)
})
}
func (panel *UserPanel) sshAddRoute(ctx context.Context) http.Handler {
sshAddTemplate := panel.Dependencies.Custom.Template(sshAddTemplate)
gaps := custom.BaseContextGaps{
Crumbs: []component.MenuItem{
{Title: "User", Path: "/user/"},
{Title: "SSH Keys", Path: "/user/ssh/"},
{Title: "Add New Key", Path: "/user/ssh/add/"},
},
}
return &httpx.Form[addKeyResult]{
Fields: []field.Field{
{Name: "comment", Type: field.Text, Label: "Comment"},
{Name: "key", Type: field.Textarea, Label: "Key in authorized_keys format"}, // has hacked css!
},
FieldTemplate: field.PureCSSFieldTemplate,
RenderTemplate: sshAddTemplate,
RenderTemplateContext: func(ctx httpx.FormContext, r *http.Request) any {
return panel.Dependencies.Custom.NewForm(ctx, r, gaps)
},
Validate: func(r *http.Request, values map[string]string) (ak addKeyResult, err error) {
ak.User, err = panel.Dependencies.Auth.UserOf(r)
if err != nil || ak.User == nil {
return ak, errInvalidUser
}
// parse key and comment
var key, comment string
ak.Comment, key = values["comment"], values["key"]
ak.Key, comment = parseKey(key)
if ak.Key == nil {
return ak, errKeyParse
}
// set the comment if the user didn't provide one!
if ak.Comment == "" && comment != "" {
ak.Comment = comment
}
return ak, nil
},
RenderSuccess: func(ak addKeyResult, values map[string]string, w http.ResponseWriter, r *http.Request) error {
// add the key to the user
if err := panel.Dependencies.Keys.Add(r.Context(), ak.User.User.User, ak.Comment, ak.Key); err != nil {
return errAddKey
}
// everything went fine, redirect the user back to the user page!
http.Redirect(w, r, "/user/ssh/", http.StatusSeeOther)
return nil
},
}
}
func parseKey(authorized_keys string) (out gossh.PublicKey, comment string) {
var err error
out, comment, _, _, err = gossh.ParseAuthorizedKey([]byte(authorized_keys))
if err != nil || out == nil {
return nil, ""
}
return out, comment
}

104
internal/dis/component/auth/panel/templates/ssh.html Normal file
View file

@ -0,0 +1,104 @@
{{ template "_base.html" . }}
{{ define "title" }}SSH Keys{{ end }}
{{ define "content" }}
<div class="pure-u-1">
<p>
This page allows you to add, view and remove ssh keys to and from your distillery account.
</p>
</div>
<div class="pure-u-1">
<p>
This table shows ssh keys currently associated with your account.
To add a new key, use the <em>Add New Key</em> button above.
To remove an ssh key from your account, simply click the <em>Delete</em> button.
</p>
<div class="padding">
<div class="overflow">
<table class="pure-table pure-table-bordered">
<thead>
<tr>
<th>
Comment
</th>
<th>
Signature
</th>
<th>
Actions
</th>
</tr>
</thead>
<tbody>
{{ $csrf := .CSRF }}
{{ range .Keys }}
{{ $sig := .SignatureString }}
<tr>
<td>
{{ .Comment }}
</td>
<td>
<code>
{{ $sig }}
</code>
</td>
<td>
<div class="pure-button-group" role="group">
<form action="/user/ssh/delete" method="POST" class="pure-form-group">
<input type="hidden" name="signature" value="{{ $sig }}">
<input type="submit" class="pure-button pure-button-danger" value="Delete">
{{ $csrf }}
</form>
</div>
</td>
</tr>
{{ end }}
</tbody>
</table>
</div>
</div>
</div>
<div class="pure-u-1">
<p>
You can use these ssh keys to connect to the distillery via ssh.
You can only connect to instances for which you appear as an <em>Administrator</em> on your user page.
</p>
<p>
In the following we will provide instructions on how to connect to your WissKI instance via the distillery server.
In the following we will assume <code>{{ .Slug }}</code> is the name of the WissKI you want to you want to connect to.
</p>
<p>
From a Linux (or Mac, or Windows 11) command line you may use:
</p>
<code class="copy">
ssh -J {{ .Domain }}:{{ .Port }} www-data@{{ .Hostname }}
</code>
<p>
You may also place the following into your <code>$HOME/.ssh/config</code> file:
</p>
<code class="copy">
<pre>Host *.{{ .Domain }}
ProxyJump {{ .Domain }}.proxy
User www-data
Host {{ .Domain }}.proxy
User www-data
Hostname {{ .Domain }}
Port {{ .Port }}
</pre>
</code>
<p>
and then connect simply via:
</p>
<code>
ssh {{ .Hostname }}
</code>
</div>
</div>
{{ end }}

11
internal/dis/component/auth/panel/templates/ssh_add.html Normal file
View file

@ -0,0 +1,11 @@
{{ template "_form.html" . }}
{{ define "form/title" }}Add SSH Key{{ end }}
{{ define "form/button" }}Add{{ end }}
{{ define "form/inside" }}
<div>
<p>
Use this form to add a new <em>SSH Key</em> to your account.
</p>
</div>
{{ end }}

13
internal/dis/component/auth/panel/user.go
View file

@ -41,13 +41,14 @@ func (panel *UserPanel) routeUser(ctx context.Context) http.Handler {
{Title: "User", Path: "/user/"},
},
Actions: []component.MenuItem{
{Title: "Change Password", Path: "/user/password"},
{Title: "Change Password", Path: "/user/password/"},
{Title: "*to be replaced*", Path: ""},
{Title: "SSH Keys", Path: "/user/ssh/"},
},
}
return &httpx.HTMLHandler[routeUserContext]{
Handler: func(r *http.Request) (ruc routeUserContext, err error) {
// find the user
ruc.AuthUser, err = panel.Dependencies.Auth.UserOf(r)
if err != nil || ruc.AuthUser == nil {
@ -57,15 +58,15 @@ func (panel *UserPanel) routeUser(ctx context.Context) http.Handler {
// build the gaps
gaps := gaps.Clone()
if ruc.AuthUser.IsTOTPEnabled() {
gaps.Actions = append(gaps.Actions, component.MenuItem{
gaps.Actions[1] = component.MenuItem{
Title: "Disable Passcode (TOTP)",
Path: "/user/totp/disable/",
})
}
} else {
gaps.Actions = append(gaps.Actions, component.MenuItem{
gaps.Actions[1] = component.MenuItem{
Title: "Enable Passcode (TOTP)",
Path: "/user/totp/enable/",
})
}
}
panel.Dependencies.Custom.Update(&ruc, r, gaps)

8
internal/dis/component/control/admin/html/index.html
View file

@ -134,14 +134,6 @@
<code>{{.Config.ConfigPath}}</code>
</td>
</tr>
<tr>
<td>
<code>authorized_keys</code>
</td>
<td>
<code>{{.Config.GlobalAuthorizedKeysFile}}</code>
</td>
</tr>
</tbody>
</table>
</div>

6
internal/dis/component/control/admin/users.go
View file

@ -37,6 +37,9 @@ func (admin *Admin) users(r *http.Request) (uc userContext, err error) {
{Title: "Admin", Path: "/admin/"},
{Title: "Users", Path: "/admin/users/"},
},
Actions: []component.MenuItem{
{Title: "Create New", Path: "/admin/users/create/"},
},
})
uc.Error = r.URL.Query().Get("error")
@ -70,9 +73,6 @@ func (admin *Admin) createUser(ctx context.Context) http.Handler {
{Title: "Users", Path: "/admin/users"},
{Title: "Create", Path: "/admin/users/create"},
},
Actions: []component.MenuItem{
{Title: "Create New", Path: "/admin/users/create/"},
},
}
return &httpx.Form[createUserResult]{

1
internal/dis/component/control/control.env
View file

@ -2,7 +2,6 @@ HOST_RULE=${HOST_RULE}
CONFIG_PATH=${CONFIG_PATH}
DEPLOY_ROOT=${DEPLOY_ROOT}
GLOBAL_AUTHORIZED_KEYS_FILE=${GLOBAL_AUTHORIZED_KEYS_FILE}
SELF_OVERRIDES_FILE=${SELF_OVERRIDES_FILE}
SELF_RESOLVER_BLOCK_FILE=${SELF_RESOLVER_BLOCK_FILE}

5
internal/dis/component/control/control.go
View file

@ -49,9 +49,8 @@ func (control *Control) Stack(env environment.Environment) component.StackWithRe
"CONFIG_PATH": control.Config.ConfigPath,
"DEPLOY_ROOT": control.Config.DeployRoot,
"GLOBAL_AUTHORIZED_KEYS_FILE": control.Config.GlobalAuthorizedKeysFile,
"SELF_OVERRIDES_FILE": control.Config.SelfOverridesFile,
"SELF_RESOLVER_BLOCK_FILE": control.Config.SelfResolverBlockFile,
"SELF_OVERRIDES_FILE": control.Config.SelfOverridesFile,
"SELF_RESOLVER_BLOCK_FILE": control.Config.SelfResolverBlockFile,
"CUSTOM_ASSETS_PATH": control.Dependencies.Custom.CustomAssetsPath(),
},

2
internal/dis/component/control/control/Dockerfile
View file

@ -2,4 +2,4 @@ FROM docker.io/library/docker:20.10-cli
COPY wdcli /wdcli
EXPOSE 8888
CMD ["/wdcli","--internal-in-docker","server","--bind","0.0.0.0:8888"]
CMD ["/wdcli","--internal-in-docker","server","--bind","0.0.0.0:8888", "--internal-bind", "0.0.0.0:9999"]

1
internal/dis/component/control/control/docker-compose.yml
View file

@ -25,7 +25,6 @@ services:
- "/var/run/docker.sock:/var/run/docker.sock"
- "${CONFIG_PATH}:${CONFIG_PATH}:ro"
- "${DEPLOY_ROOT}:${DEPLOY_ROOT}:rw"
- "${GLOBAL_AUTHORIZED_KEYS_FILE}:${GLOBAL_AUTHORIZED_KEYS_FILE}:ro"
- "${SELF_OVERRIDES_FILE}:${SELF_OVERRIDES_FILE}:ro"
- "${SELF_RESOLVER_BLOCK_FILE}:${SELF_RESOLVER_BLOCK_FILE}:ro"
- "${CUSTOM_ASSETS_PATH}:${CUSTOM_ASSETS_PATH}:ro"

9
internal/dis/component/control/news/NEWS/2023-01-15-news.md Normal file
View file

@ -0,0 +1,9 @@
---
title: Reworked SSH key support
date: 2023-01-15
---
- reworked and added ssh key management to the server
- users can now add and remove ssh keys to their account
- each user with an admin grant for a specific instance has ssh access via their keys
- distillery administrators have implicit access to all instances

29
internal/dis/component/control/server.go
View file

@ -18,17 +18,17 @@ import (
// The server may spawn background tasks, but these should be terminated once context closes.
//
// Logging messages are directed to progress
func (control *Control) Server(ctx context.Context, progress io.Writer) (http.Handler, error) {
func (control *Control) Server(ctx context.Context, progress io.Writer) (public http.Handler, internal http.Handler, err error) {
logger := zerolog.Ctx(ctx)
var mux mux.Mux[component.RouteContext]
mux.Context = func(r *http.Request) component.RouteContext {
var publicM, internalM mux.Mux[component.RouteContext]
publicM.Context = func(r *http.Request) component.RouteContext {
slug, ok := control.Still.Config.SlugFromHost(r.Host)
return component.RouteContext{
DefaultDomain: slug == "" && ok,
}
}
mux.Panic = func(panic any, w http.ResponseWriter, r *http.Request) {
publicM.Panic = func(panic any, w http.ResponseWriter, r *http.Request) {
// log the panic
logger.Error().
Str("panic", fmt.Sprint(panic)).
@ -39,6 +39,10 @@ func (control *Control) Server(ctx context.Context, progress io.Writer) (http.Ha
httpx.TextInterceptor.Fallback.ServeHTTP(w, r)
}
// setup the internal server identically
internalM.Panic = publicM.Panic
internalM.Context = publicM.Context
// create a csrf protector
csrfProtector := control.CSRF()
@ -52,6 +56,7 @@ func (control *Control) Server(ctx context.Context, progress io.Writer) (http.Ha
Bool("Exact", routes.Exact).
Bool("CSRF", routes.CSRF).
Bool("Decorator", routes.Decorator != nil).
Bool("Internal", routes.Internal).
Bool("MatchAllDomains", routes.MatchAllDomains).
Msg("mounting route")
@ -69,19 +74,23 @@ func (control *Control) Server(ctx context.Context, progress io.Writer) (http.Ha
handler = routes.Decorate(handler, csrfProtector)
// determine the predicate
predicate := routes.Predicate(mux.ContextOf)
predicate := routes.Predicate(publicM.ContextOf)
// and add all the prefixes
for _, prefix := range append([]string{routes.Prefix}, routes.Aliases...) {
mux.Add(prefix, predicate, routes.Exact, handler)
if routes.Internal {
internalM.Add(prefix, predicate, routes.Exact, handler)
} else {
publicM.Add(prefix, predicate, routes.Exact, handler)
}
}
}
// apply the given context function
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
r = r.WithContext(cancel.ValuesOf(r.Context(), ctx))
mux.ServeHTTP(w, r)
}), nil
public = httpx.WithContextWrapper(&publicM, func(rcontext context.Context) context.Context { return cancel.ValuesOf(rcontext, ctx) })
internal = httpx.WithContextWrapper(&internalM, func(rcontext context.Context) context.Context { return cancel.ValuesOf(rcontext, ctx) })
err = nil
return
}
// CSRF returns a CSRF handler for the given function

8
internal/dis/component/control/static/assets_dist.go
View file

@ -15,12 +15,12 @@ var AssetsDefault = Assets{
// AssetsUser contains assets for the 'User' entrypoint.
var AssetsUser = Assets{
Scripts: `<script type="module" src="/static/Default.38d394c2.js"></script><script src="/static/Default.38d394c2.js" nomodule="" defer></script><script type="module" src="/static/User.4197014b.js"></script><script src="/static/User.30d54198.js" nomodule="" defer></script>`,
Styles: `<link rel="stylesheet" href="/static/Default.db26a303.css"><link rel="stylesheet" href="/static/User.38d394c2.css">`,
Scripts: `<script type="module" src="/static/Default.38d394c2.js"></script><script src="/static/Default.38d394c2.js" nomodule="" defer></script><script type="module" src="/static/User.e0367d79.js"></script><script src="/static/User.b2f9a57c.js" nomodule="" defer></script>`,
Styles: `<link rel="stylesheet" href="/static/Default.db26a303.css"><link rel="stylesheet" href="/static/User.68febbf8.css"><link rel="stylesheet" href="/static/User.840de3b4.css">`,
}
// AssetsAdmin contains assets for the 'Admin' entrypoint.
var AssetsAdmin = Assets{
Scripts: `<script nomodule="" defer src="/static/User.30d54198.js"></script><script type="module" src="/static/User.4197014b.js"></script><script type="module" src="/static/Default.38d394c2.js"></script><script src="/static/Default.38d394c2.js" nomodule="" defer></script><script type="module" src="/static/Admin.4ca3cb6f.js"></script><script src="/static/Admin.9750ba9c.js" nomodule="" defer></script>`,
Styles: `<link rel="stylesheet" href="/static/Default.db26a303.css"><link rel="stylesheet" href="/static/Admin.6d59e220.css"><link rel="stylesheet" href="/static/User.38d394c2.css"><link rel="stylesheet" href="/static/Admin.6d2ae968.css">`,
Scripts: `<script nomodule="" defer src="/static/User.b2f9a57c.js"></script><script type="module" src="/static/User.e0367d79.js"></script><script type="module" src="/static/Default.38d394c2.js"></script><script src="/static/Default.38d394c2.js" nomodule="" defer></script><script type="module" src="/static/Admin.4ca3cb6f.js"></script><script src="/static/Admin.9750ba9c.js" nomodule="" defer></script>`,
Styles: `<link rel="stylesheet" href="/static/Default.db26a303.css"><link rel="stylesheet" href="/static/Admin.6d59e220.css"><link rel="stylesheet" href="/static/User.840de3b4.css"><link rel="stylesheet" href="/static/User.68febbf8.css"><link rel="stylesheet" href="/static/Admin.6d2ae968.css">`,
}

1
internal/dis/component/control/static/dist/User.30d54198.js vendored
View file

@ -1 +0,0 @@
!function(){var e="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:"undefined"!=typeof window?window:"undefined"!=typeof global?global:{},n={},r={},o=e.parcelRequireafa4;null==o&&((o=function(e){if(e in n)return n[e].exports;if(e in r){var o=r[e];delete r[e];var i={id:e,exports:{}};return n[e]=i,o.call(i.exports,i,i.exports),i.exports}var t=new Error("Cannot find module '"+e+"'");throw t.code="MODULE_NOT_FOUND",t}).register=function(e,n){r[e]=n},e.parcelRequireafa4=o),o.register("kEAtK",(function(e,n){})),o("kEAtK")}();

0
internal/dis/component/control/static/dist/User.38d394c2.css vendored
View file

1
internal/dis/component/control/static/dist/User.4197014b.js vendored
View file

@ -1 +0,0 @@
var e="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:"undefined"!=typeof window?window:"undefined"!=typeof global?global:{},n={},r={},o=e.parcelRequireafa4;null==o&&((o=function(e){if(e in n)return n[e].exports;if(e in r){var o=r[e];delete r[e];var i={id:e,exports:{}};return n[e]=i,o.call(i.exports,i,i.exports),i.exports}var t=new Error("Cannot find module '"+e+"'");throw t.code="MODULE_NOT_FOUND",t}).register=function(e,n){r[e]=n},e.parcelRequireafa4=o),o.register("gkpdw",(function(e,n){})),o("gkpdw");

1
internal/dis/component/control/static/dist/User.68febbf8.css vendored Normal file
View file

@ -0,0 +1 @@
.copy{-webkit-user-select:all;user-select:all}

1
internal/dis/component/control/static/dist/User.840de3b4.css vendored Normal file
View file

@ -0,0 +1 @@
textarea#key{width:50%;height:10em;resize:both}

1
internal/dis/component/control/static/dist/User.b2f9a57c.js vendored Normal file
View file

@ -0,0 +1 @@
!function(){var e="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:"undefined"!=typeof window?window:"undefined"!=typeof global?global:{},r={},n={},o=e.parcelRequireafa4;null==o&&((o=function(e){if(e in r)return r[e].exports;if(e in n){var o=n[e];delete n[e];var t={id:e,exports:{}};return r[e]=t,o.call(t.exports,t,t.exports),t.exports}var i=new Error("Cannot find module '"+e+"'");throw i.code="MODULE_NOT_FOUND",i}).register=function(e,r){n[e]=r},e.parcelRequireafa4=o),o.register("kEAtK",(function(e,r){o("15EWx")})),o.register("15EWx",(function(e,r){document.querySelectorAll(".copy").forEach((e=>{e.addEventListener("click",(()=>{navigator.clipboard&&navigator.clipboard.writeText(e.innerText)}))}))})),o("kEAtK")}();

1
internal/dis/component/control/static/dist/User.e0367d79.js vendored Normal file
View file

@ -0,0 +1 @@
var e="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:"undefined"!=typeof window?window:"undefined"!=typeof global?global:{},r={},n={},o=e.parcelRequireafa4;null==o&&((o=function(e){if(e in r)return r[e].exports;if(e in n){var o=n[e];delete n[e];var i={id:e,exports:{}};return r[e]=i,o.call(i.exports,i,i.exports),i.exports}var t=new Error("Cannot find module '"+e+"'");throw t.code="MODULE_NOT_FOUND",t}).register=function(e,r){n[e]=r},e.parcelRequireafa4=o),o.register("gkpdw",(function(e,r){o("hZNgY")})),o.register("hZNgY",(function(e,r){document.querySelectorAll(".copy").forEach((e=>{e.addEventListener("click",(()=>{navigator.clipboard&&navigator.clipboard.writeText(e.innerText)}))}))})),o("gkpdw");

7
internal/dis/component/control/static/src/entry/User/index.css
View file

@ -1 +1,6 @@
/* nothing for now */
/* textarea on the /user/ssh/add form */
textarea#key {
width: 50%;
height: 10em;
resize: both;
}

2
internal/dis/component/control/static/src/entry/User/index.ts
View file

@ -1 +1 @@
// nothing for now
import "~/src/lib/copy"

3
internal/dis/component/control/static/src/lib/copy/index.css Normal file
View file

@ -0,0 +1,3 @@
.copy {
user-select: all;
}

8
internal/dis/component/control/static/src/lib/copy/index.ts Normal file
View file

@ -0,0 +1,8 @@
import "./index.css"
document.querySelectorAll('.copy').forEach((elem: Element) => {
elem.addEventListener('click', () => {
if (!navigator.clipboard) return;
navigator.clipboard.writeText((elem as HTMLElement).innerText);
})
})

1
internal/dis/component/exporter/extras_config.go
View file

@ -41,6 +41,5 @@ func (control *Config) backupFiles() []string {
control.Config.ExecutablePath(),
control.Config.SelfOverridesFile,
control.Config.SelfResolverBlockFile,
control.Config.GlobalAuthorizedKeysFile,
}
}

3
internal/dis/component/instances/malt/malt.go
View file

@ -6,6 +6,7 @@ import (
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/exporter/logger"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/meta"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/sql"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/ssh2/sshkeys"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/triplestore"
)
@ -21,4 +22,6 @@ type Malt struct {
Meta *meta.Meta `auto:"true"`
ExporterLog *logger.Logger `auto:"true"`
Policy *policy.Policy `auto:"true"`
Keys *sshkeys.SSHKeys `auto:"true"`
}

6
internal/dis/component/server.go
View file

@ -26,6 +26,10 @@ type Routes struct {
// MatchAllDomains indicates that all domains, even the non-default domain, should be matched
MatchAllDomains bool
// Internal indicates that this route should only answer on the internal server.
// Internal implies MatchAllDomains.
Internal bool
// MenuTitle and MenuPriority return the priority and title of this menu item
MenuTitle string
MenuPriority MenuPriority
@ -52,7 +56,7 @@ type RouteContext struct {
// Predicate returns the predicate corresponding to the given route
func (routes Routes) Predicate(context func(*http.Request) RouteContext) mux.Predicate {
if routes.MatchAllDomains {
if routes.MatchAllDomains || routes.Internal {
return nil
}

58
internal/dis/component/ssh2/api.go Normal file
View file

@ -0,0 +1,58 @@
package ssh2
import (
"context"
"net/http"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component"
"github.com/FAU-CDI/wisski-distillery/pkg/httpx"
gossh "golang.org/x/crypto/ssh"
)
func (ssh2 *SSH2) Routes() component.Routes {
return component.Routes{
Prefix: "/authorized_keys/",
Exact: true,
Internal: true,
}
}
func (ssh2 *SSH2) HandleRoute(ctx context.Context, path string) (http.Handler, error) {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// fetch the global keys
gkeys, err := ssh2.Dependencies.Keys.Admin(r.Context())
if err != nil {
httpx.TextInterceptor.Intercept(w, r, err)
return
}
// find the host
slug, ok := ssh2.Config.SlugFromHost(r.Host)
if slug == "" || !ok {
httpx.TextInterceptor.Intercept(w, r, httpx.ErrNotFound)
return
}
// fetch the instance
instance, err := ssh2.Dependencies.Instances.WissKI(r.Context(), slug)
if err != nil {
httpx.TextInterceptor.Intercept(w, r, httpx.ErrNotFound)
return
}
// fetch the instance keys
keys, err := instance.SSH().Keys(r.Context())
if err != nil {
httpx.TextInterceptor.Intercept(w, r, err)
return
}
// marshal out everything!
for _, key := range gkeys {
w.Write(gossh.MarshalAuthorizedKey(key))
}
for _, key := range keys {
w.Write(gossh.MarshalAuthorizedKey(key))
}
}), nil
}

39
internal/dis/component/ssh2/server_auth.go
View file

@ -1,8 +1,7 @@
package ssh2
import (
"time"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/ssh2/sshkeys"
"github.com/gliderlabs/ssh"
)
@ -47,19 +46,17 @@ func getAnyPermission(context ssh.Context) (string, bool) {
return "", (false || value[""])
}
const authDelay = time.Second / 10
func (ssh2 *SSH2) handleAuth(ctx ssh.Context, key ssh.PublicKey) bool {
return slowdown(func() (ok bool) {
return sshkeys.Slowdown(func() (ok bool) {
permissions := make(map[string]bool)
// grab the global permissions
{
globalKeys, err := ssh2.GlobalKeys()
globalKeys, err := ssh2.Dependencies.Keys.Admin(ctx)
if err != nil {
return false
}
permissions[""] = isKey(globalKeys, key)
permissions[""] = sshkeys.KeyOneOf(globalKeys, key)
ok = permissions[""]
}
@ -71,11 +68,11 @@ func (ssh2 *SSH2) handleAuth(ctx ssh.Context, key ssh.PublicKey) bool {
}
for _, instance := range instances {
ikeys, err := instance.SSH().Keys()
ikeys, err := instance.SSH().Keys(ctx)
if err != nil {
continue
}
access := isKey(ikeys, key)
access := sshkeys.KeyOneOf(ikeys, key)
permissions[instance.Slug] = access || permissions[""]
ok = ok || access
@ -84,27 +81,5 @@ func (ssh2 *SSH2) handleAuth(ctx ssh.Context, key ssh.PublicKey) bool {
setPermissions(ctx, permissions)
return
}, authDelay)
}
// slowdown invokes f immediatly, but only returns the result to the caller after at least duration.
// It can be used to prevent timing attacks
func slowdown[T any](f func() T, duration time.Duration) T {
result := make(chan T, 1)
go func() {
result <- f()
}()
time.Sleep(duration)
return <-result
}
// isKey checks if keys contains key in O(len(keys))
func isKey(keys []ssh.PublicKey, key ssh.PublicKey) bool {
var res bool
for _, ak := range keys {
if ssh.KeysEqual(ak, key) {
res = true
}
}
return res
})
}

1
internal/dis/component/ssh2/ssh2.env
View file

@ -2,7 +2,6 @@ HOST_RULE=${HOST_RULE}
CONFIG_PATH=${CONFIG_PATH}
DEPLOY_ROOT=${DEPLOY_ROOT}
GLOBAL_AUTHORIZED_KEYS_FILE=${GLOBAL_AUTHORIZED_KEYS_FILE}
SELF_OVERRIDES_FILE=${SELF_OVERRIDES_FILE}
SELF_RESOLVER_BLOCK_FILE=${SELF_RESOLVER_BLOCK_FILE}

24
internal/dis/component/ssh2/ssh2.go
View file

@ -1,34 +1,24 @@
package ssh2
import (
"io"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/auth"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/instances"
"github.com/FAU-CDI/wisski-distillery/pkg/sshx"
"github.com/gliderlabs/ssh"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/sql"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/ssh2/sshkeys"
)
type SSH2 struct {
component.Base
Dependencies struct {
SQL *sql.SQL
Instances *instances.Instances
Auth *auth.Auth
Keys *sshkeys.SSHKeys
}
}
var (
_ component.Installable = (*SSH2)(nil)
_ component.Routeable = (*SSH2)(nil)
)
// GlobalKeys returns the global authorized keys
func (s *SSH2) GlobalKeys() ([]ssh.PublicKey, error) {
file, err := s.Environment.Open(s.Config.GlobalAuthorizedKeysFile)
if err != nil {
return nil, err
}
bytes, err := io.ReadAll(file)
if err != nil {
return nil, err
}
return sshx.ParseAllKeys(bytes), nil
}

1
internal/dis/component/ssh2/ssh2/docker-compose.yml
View file

@ -12,7 +12,6 @@ services:
- "/var/run/docker.sock:/var/run/docker.sock"
- "${CONFIG_PATH}:${CONFIG_PATH}:ro"
- "${DEPLOY_ROOT}:${DEPLOY_ROOT}:rw"
- "${GLOBAL_AUTHORIZED_KEYS_FILE}:${GLOBAL_AUTHORIZED_KEYS_FILE}:ro"
- "${SELF_OVERRIDES_FILE}:${SELF_OVERRIDES_FILE}:ro"
- "${SELF_RESOLVER_BLOCK_FILE}:${SELF_RESOLVER_BLOCK_FILE}:ro"
- "./data/:/data/"

51
internal/dis/component/ssh2/sshkeys/sshkeys.go Normal file
View file

@ -0,0 +1,51 @@
package sshkeys
import (
"context"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/auth"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/sql"
"github.com/gliderlabs/ssh"
)
type SSHKeys struct {
component.Base
Dependencies struct {
SQL *sql.SQL
Auth *auth.Auth
}
}
var (
_ component.Table = (*SSHKeys)(nil)
_ component.UserDeleteHook = (*SSHKeys)(nil)
)
// Admin returns the set of administrative ssh keys.
// These are ssh keys associated to distillery admin users.
func (k *SSHKeys) Admin(ctx context.Context) (keys []ssh.PublicKey, err error) {
users, err := k.Dependencies.Auth.Users(ctx)
if err != nil {
return nil, err
}
// iterate over enabled distillery admin users
for _, user := range users {
if !user.IsEnabled() || !user.IsAdmin() {
continue
}
ukeys, err := k.Keys(ctx, user.User.User)
if err != nil {
return nil, err
}
for _, ukey := range ukeys {
if pk := ukey.PublicKey(); pk != nil {
keys = append(keys, pk)
}
}
}
// and return the keys!
return keys, nil
}

55
internal/dis/component/ssh2/sshkeys/subtle.go Normal file
View file

@ -0,0 +1,55 @@
package sshkeys
import (
"crypto/rand"
"math/big"
"time"
"github.com/gliderlabs/ssh"
)
// KeyOneOf checks if keys is one of the given set of keys.
func KeyOneOf(keys []ssh.PublicKey, key ssh.PublicKey) bool {
return len(KeyIndexes(keys, key)) > 0
}
// KeyIndexes returns a slice of ints that contain the indexes of the given key.
func KeyIndexes(keys []ssh.PublicKey, key ssh.PublicKey) []int {
indexes := make([]int, 0, len(keys))
for i, cey := range keys {
if ssh.KeysEqual(key, cey) {
indexes = append(indexes, i)
}
}
return indexes
}
const (
slowdownMinDelay = time.Second / 10
slowdownJitter = time.Second / 10
)
// slowdown invokes f immediatly, but introduces a random delay to prevent timing attacks.
// the delay is also introduced if f() panics.
func Slowdown[T any](f func() T) T {
start := time.Now()
defer func() {
// sleep the minimum remaining time
remain := time.Since(start) - slowdownMinDelay
if remain > 0 {
time.Sleep(remain)
}
// find a second random delay
delay, err := rand.Int(rand.Reader, big.NewInt(int64(slowdownJitter)))
if err != nil {
return
}
// and wait that long
time.Sleep(time.Duration(delay.Int64()))
}()
return f()
}

128
internal/dis/component/ssh2/sshkeys/table.go Normal file
View file

@ -0,0 +1,128 @@
package sshkeys
import (
"context"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component"
"github.com/FAU-CDI/wisski-distillery/internal/models"
"github.com/gliderlabs/ssh"
"github.com/tkw1536/goprogram/lib/reflectx"
)
func (ssh2 *SSHKeys) TableInfo() component.TableInfo {
return component.TableInfo{
Model: reflectx.TypeOf[models.Keys](),
Name: models.KeysTable,
}
}
// Keys returns a list of keys for the given user
func (ssh2 *SSHKeys) Keys(ctx context.Context, user string) ([]models.Keys, error) {
// the empty user has no key
if user == "" {
return nil, nil
}
// get the table
table, err := ssh2.Dependencies.SQL.QueryTable(ctx, ssh2)
if err != nil {
return nil, err
}
var keys []models.Keys
// make a query to find all keys (in the underlying model)
query := table.Find(&keys, &models.Keys{User: user})
if query.Error != nil {
return nil, query.Error
}
return keys, nil
}
// Add adds a new key to the given user, unless it already exists
func (ssh2 *SSHKeys) Add(ctx context.Context, user string, comment string, key ssh.PublicKey) error {
// check that the given user exists
{
_, err := ssh2.Dependencies.Auth.User(ctx, user)
if err != nil {
return err
}
}
// fetch all the keys
keys, err := ssh2.Keys(ctx, user)
if err != nil {
return err
}
pks := make([]ssh.PublicKey, 0, len(keys))
for _, key := range keys {
if pk := key.PublicKey(); pk != nil {
pks = append(pks, pk)
}
}
// key already exists
if KeyOneOf(pks, key) {
return nil
}
// create a new key with the given comment
mk := models.Keys{
User: user,
Comment: comment,
}
mk.SetPublicKey(key)
// get the table
table, err := ssh2.Dependencies.SQL.QueryTable(ctx, ssh2)
if err != nil {
return err
}
// create the key instance
return table.Create(&mk).Error
}
// Remove removes a given publuc key from a user.
func (ssh2 *SSHKeys) Remove(ctx context.Context, user string, key ssh.PublicKey) error {
// find all the keys for the given user
keys, err := ssh2.Keys(ctx, user)
if err != nil {
return err
}
// iterate and find all the public keys
var pks []uint
for _, candidate := range keys {
if ssh.KeysEqual(candidate.PublicKey(), key) {
pks = append(pks, candidate.Pk)
}
}
// nothing to delete
if len(pks) == 0 {
return nil
}
// query the table again
table, err := ssh2.Dependencies.SQL.QueryTable(ctx, ssh2)
if err != nil {
return nil
}
// and do the delete
return table.Where("pk in ?", pks).Delete(&models.Keys{}).Error
}
func (ssh2 *SSHKeys) OnUserDelete(ctx context.Context, user *models.User) error {
// get the table
table, err := ssh2.Dependencies.SQL.QueryTable(ctx, ssh2)
if err != nil {
return err
}
// delete all keys for the user
return table.Delete(&models.Keys{}, &models.Keys{User: user.User}).Error
}

5
internal/dis/component/ssh2/stack.go
View file

@ -31,9 +31,8 @@ func (ssh *SSH2) Stack(env environment.Environment) component.StackWithResources
"CONFIG_PATH": ssh.Config.ConfigPath,
"DEPLOY_ROOT": ssh.Config.DeployRoot,
"GLOBAL_AUTHORIZED_KEYS_FILE": ssh.Config.GlobalAuthorizedKeysFile,
"SELF_OVERRIDES_FILE": ssh.Config.SelfOverridesFile,
"SELF_RESOLVER_BLOCK_FILE": ssh.Config.SelfResolverBlockFile,
"SELF_OVERRIDES_FILE": ssh.Config.SelfOverridesFile,
"SELF_RESOLVER_BLOCK_FILE": ssh.Config.SelfResolverBlockFile,
"SSH_PORT": strconv.FormatUint(uint64(ssh.Config.PublicSSHPort), 10),
},

5
internal/dis/distillery.go
View file

@ -28,6 +28,7 @@ import (
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/solr"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/sql"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/ssh2"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/ssh2/sshkeys"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/triplestore"
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/web"
"github.com/FAU-CDI/wisski-distillery/pkg/lazy"
@ -81,6 +82,9 @@ func (dis *Distillery) SSH() *ssh2.SSH2 {
func (dis *Distillery) Auth() *auth.Auth {
return export[*auth.Auth](dis)
}
func (dis *Distillery) Keys() *sshkeys.SSHKeys {
return export[*sshkeys.SSHKeys](dis)
}
func (dis *Distillery) Cron() *cron.Cron {
return export[*cron.Cron](dis)
@ -162,6 +166,7 @@ func (dis *Distillery) allComponents() []initFunc {
// ssh server
auto[*ssh2.SSH2],
auto[*sshkeys.SSHKeys],
// Control server
auto[*control.Control],