Add SSH Key Management
This commit is contained in:
Tom Wiesing
parent
ef76844922
commit
bcd1805001
62 changed files with 1004 additions and 188 deletions
|
|
@ -1,6 +1,5 @@
|
|||
DATA_PATH=${DATA_PATH}
|
||||
RUNTIME_DIR=${RUNTIME_DIR}
|
||||
GLOBAL_AUTHORIZED_KEYS_FILE=${GLOBAL_AUTHORIZED_KEYS_FILE}
|
||||
|
||||
SLUG=${SLUG}
|
||||
VIRTUAL_HOST=${VIRTUAL_HOST}
|
||||
|
|
|
|||
|
|
@ -20,7 +20,3 @@ type Barrel struct {
|
|||
func (barrel *Barrel) DataPath() string {
|
||||
return filepath.Join(barrel.FilesystemBase, "data")
|
||||
}
|
||||
|
||||
func (barrel *Barrel) AuthorizedKeysPath() string {
|
||||
return filepath.Join(barrel.DataPath(), "authorized_keys")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,9 +8,6 @@ services:
|
|||
|
||||
# label it with the current slug
|
||||
labels:
|
||||
- "eu.wiss-ki.barrel.slug=${SLUG}"
|
||||
- "eu.wiss-ki.barrel.authfile=/var/www/.ssh/authorized_keys,/var/www/.ssh/global_authorized_keys"
|
||||
|
||||
- "traefik.enable=True"
|
||||
- "eu.wiss-ki.barrel.distillery=${DOCKER_NETWORK_NAME}"
|
||||
|
||||
|
|
@ -21,12 +18,10 @@ services:
|
|||
|
||||
# volumes that are mounted
|
||||
volumes:
|
||||
- ${GLOBAL_AUTHORIZED_KEYS_FILE}:/var/www/.ssh/global_authorized_keys:ro
|
||||
- ${DATA_PATH}/.composer:/var/www/.composer
|
||||
- ${DATA_PATH}/data:/var/www/data
|
||||
- ${DATA_PATH}/home:/var/www/
|
||||
- ${DATA_PATH}/hostkeys:/ssh/hostkeys:rw
|
||||
- ${DATA_PATH}/authorized_keys:/var/www/.ssh/authorized_keys
|
||||
- ${RUNTIME_DIR}:/runtime:ro
|
||||
|
||||
networks:
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
#!/bin/bash
|
||||
|
||||
cat /var/www/.ssh/authorized_keys /var/www/.ssh/global_authorized_keys 2> /dev/null || exit 0
|
||||
curl -H "Host:$(hostname -f)" http://dis:9999/authorized_keys
|
||||
|
|
|
|||
|
|
@ -1,13 +1,11 @@
|
|||
package ssh
|
||||
|
||||
import (
|
||||
"io"
|
||||
"context"
|
||||
|
||||
"github.com/FAU-CDI/wisski-distillery/internal/status"
|
||||
"github.com/FAU-CDI/wisski-distillery/internal/wisski/ingredient"
|
||||
"github.com/FAU-CDI/wisski-distillery/internal/wisski/ingredient/barrel"
|
||||
"github.com/FAU-CDI/wisski-distillery/pkg/environment"
|
||||
"github.com/FAU-CDI/wisski-distillery/pkg/sshx"
|
||||
"github.com/gliderlabs/ssh"
|
||||
gossh "golang.org/x/crypto/ssh"
|
||||
)
|
||||
|
|
@ -23,28 +21,57 @@ var (
|
|||
_ ingredient.WissKIFetcher = (*SSH)(nil)
|
||||
)
|
||||
|
||||
func (ssh *SSH) Keys() ([]ssh.PublicKey, error) {
|
||||
file, err := ssh.Environment.Open(ssh.Dependencies.Barrel.AuthorizedKeysPath())
|
||||
if environment.IsNotExist(err) {
|
||||
return nil, nil
|
||||
}
|
||||
func (ssh *SSH) Keys(ctx context.Context) (keys []ssh.PublicKey, err error) {
|
||||
grants, err := ssh.Liquid.Policy.Instance(ctx, ssh.Slug)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
bytes, err := io.ReadAll(file)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
// iterate over enabled distillery admin users
|
||||
for _, grant := range grants {
|
||||
if !grant.DrupalAdminRole {
|
||||
continue
|
||||
}
|
||||
ukeys, err := ssh.Liquid.Keys.Keys(ctx, grant.User)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
for _, ukey := range ukeys {
|
||||
if pk := ukey.PublicKey(); pk != nil {
|
||||
keys = append(keys, pk)
|
||||
}
|
||||
}
|
||||
}
|
||||
return sshx.ParseAllKeys(bytes), nil
|
||||
|
||||
// and return the keys!
|
||||
return keys, nil
|
||||
}
|
||||
|
||||
func (sshx *SSH) Fetch(flags ingredient.FetcherFlags, info *status.WissKI) error {
|
||||
// AllKeys returns the keys specifically registered to this instance and all the globally registered keys.
|
||||
func (ssh *SSH) AllKeys(ctx context.Context) (keys []ssh.PublicKey, err error) {
|
||||
lkeys, err := ssh.Keys(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
gkeys, err := ssh.Liquid.Keys.Admin(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
keys = append(keys, lkeys...)
|
||||
keys = append(keys, gkeys...)
|
||||
|
||||
return keys, nil
|
||||
}
|
||||
|
||||
func (ssh *SSH) Fetch(flags ingredient.FetcherFlags, info *status.WissKI) error {
|
||||
if flags.Quick {
|
||||
return nil
|
||||
}
|
||||
|
||||
keys, err := sshx.Keys()
|
||||
// add the instance keys
|
||||
keys, err := ssh.AllKeys(flags.Context)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -53,5 +80,6 @@ func (sshx *SSH) Fetch(flags ingredient.FetcherFlags, info *status.WissKI) error
|
|||
for i, key := range keys {
|
||||
info.SSHKeys[i] = string(gossh.MarshalAuthorizedKey(key))
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,15 +29,10 @@ func (barrel *Barrel) Stack() component.StackWithResources {
|
|||
"VIRTUAL_HOST": barrel.Domain(),
|
||||
"HTTPS_ENABLED": barrel.Malt.Config.HTTPSEnabledEnv(),
|
||||
|
||||
"DATA_PATH": filepath.Join(barrel.FilesystemBase, "data"),
|
||||
"RUNTIME_DIR": barrel.Malt.Config.RuntimeDir(),
|
||||
"GLOBAL_AUTHORIZED_KEYS_FILE": barrel.Malt.Config.GlobalAuthorizedKeysFile,
|
||||
"DATA_PATH": filepath.Join(barrel.FilesystemBase, "data"),
|
||||
"RUNTIME_DIR": barrel.Malt.Config.RuntimeDir(),
|
||||
},
|
||||
|
||||
MakeDirs: []string{"data", ".composer"},
|
||||
|
||||
TouchFiles: []string{
|
||||
filepath.Join("data", "authorized_keys"),
|
||||
},
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,13 +1,12 @@
|
|||
package liquid
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/url"
|
||||
)
|
||||
|
||||
// Domain returns the full domain name of this WissKI
|
||||
func (liquid *Liquid) Domain() string {
|
||||
return fmt.Sprintf("%s.%s", liquid.Slug, liquid.Malt.Config.DefaultDomain)
|
||||
return liquid.Config.HostFromSlug(liquid.Slug)
|
||||
}
|
||||
|
||||
// URL returns the public URL of this instance
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue