upgrade to duoauthproxy 2.10.1 and resolve breaking changes

Upstream authproxy has new dependencies: * Add `procps` package since install script now requires `ps -p`. Upstream authproxy introduced breaking changes since 2.9: * Authproxy now absolutely needs to write to a logfile. * Authproxy no longer has the `-c CONFIG` option. The path to config is now hard-coded. Rebase on Centos instead of Alpine. * Authproxy now requires `FIPS_mode` that is not in LibreSSL. https://marc.info/?l=openbsd-misc&m=139819485423701&w=2 On Alpine (which has LibreSSL instead of OpenSSL), authproxy fails with: ``` Traceback (most recent call last): File "/opt/duoauthproxy/bin/authproxy", line 21, in <module> application = proxy.create_application(args=sys.argv) File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/proxy.py", line 186, in create_application fips_mode = fips_manager.status() File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/lib/fips_manager.py", line 42, in status return OPENSSL_LIB.FIPS_mode() AttributeError: 'module' object has no attribute 'FIPS_mode' ```
oliverbr · Oct 8, 2018 · a38113c · a38113c
1 parent cfbb038
commit a38113c
Show file tree

Hide file tree

Showing 12 changed files with 73 additions and 39 deletions.
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,4 @@ runtime/duoauthproxy.tgz
 environment
 ci/vars
 fixtures/*/authproxy.cfg
+fixtures/**/ca-bundle.crt
diff --git a/.gitlint b/.gitlint
@@ -1,6 +1,6 @@
 # http://jorisroovers.github.io/gitlint/configuration/
 [general]
-ignore=body-is-missing
+ignore=body-is-missing,body-max-line-length
 
 [title-max-length]
 line-length=72
diff --git a/README.md b/README.md
@@ -12,15 +12,14 @@ Docker hub: [https://registry.hub.docker.com/u/jumanjiman/duoauthproxy/](https:/
 <br />
 Image metadata: [https://microbadger.com/#/images/jumanjiman/duoauthproxy](https://microbadger.com/#/images/jumanjiman/duoauthproxy)
 <br />
-Current version: Duo Authproxy 2.9.0
+Current version: Duo Authproxy 2.10.1
 ([release notes](https://duo.com/support/documentation/authproxy-notes))
 
-:warning: Duo Authproxy 2.4.18 resolves
-[DUO-PSA-2016-002](https://duo.com/labs/psa/duo-psa-2016-002).
 
 **Table of Contents**
 
 - [Overview](#overview)
+  - [Warnings](#warnings)
   - [Network diagram](#network-diagram)
   - [References](#references)
   - [Build integrity](#build-integrity)
@@ -48,6 +47,26 @@ This repo provides a way to build Duo Authentication Proxy into
 a docker image and run it as a container.
 
 
+### Warnings
+
+:warning: Upstream authproxy introduced breaking changes effective 2.10.0:
+
+* Authproxy absolutely needs to write to a logfile.<br/>
+  The image declares `/opt/duoauthproxy/log` as a volume.
+
+* Authproxy no longer has the `-c CONFIG` option.<br/>
+  The path to config is hard-coded.
+
+* Authproxy requires `FIPS_mode` that is not in LibreSSL.<br/>
+  Therefore the image is based on Centos, not Alpine.<br/>
+  See https://marc.info/?l=openbsd-misc&m=139819485423701&w=2 for details.
+
+
+:warning: Duo Authproxy 2.4.18 resolves
+[DUO-PSA-2016-002](https://duo.com/labs/psa/duo-psa-2016-002).
+
+
+
 ### Network diagram
 
 ![Duo network diagram](https://duo.com/assets/img/documentation/authproxy/radius-network-diagram.png)

diff --git a/TESTING.md b/TESTING.md
@@ -62,7 +62,7 @@ Output resembles:
     ok duo group exists
     ok duo is the only group account
     ok duo is the only group account
-    ok bash is not installed
+    ok bash is available
     ok chown is available
     ok chgrp is available
     ok ln is available

diff --git a/builder/Dockerfile b/builder/Dockerfile
@@ -1,25 +1,26 @@
-FROM alpine:3.7
+FROM centos:7.5.1804
 
-RUN apk upgrade --update --available && \
-    apk add \
+RUN \
+    yum install -y \
       bash \
       curl \
       python \
       gcc \
-      gmp-dev \
-      libc-dev \
-      libffi-dev \
+      gmp-devel \
+      libc-devel \
+      libffi-devel \
       libgcc \
-      'libressl-dev>=2.6.3-r0' \
+      openssl-devel \
       linux-headers \
       make \
       patch \
+      procps \
       py-setuptools \
-      python-dev \
+      python-devel \
       tar \
-      zlib-dev \
-    && rm -f /var/cache/apk/* && \
-    adduser -D duo
+      zlib-devel \
+    && rm -fr /var/cache/yum && \
+    useradd duo
 
 ARG VERSION
 

diff --git a/ci/build.sh b/ci/build.sh
@@ -12,7 +12,7 @@ set -o pipefail
 
 cat >ci/vars <<EOF
 # shellcheck shell=bash
-declare -rx  VERSION=2.9.0
+declare -rx  VERSION=2.10.1
 declare -rx  BUILD_DATE=$(date +%Y%m%dT%H%M)
 declare -rx  VCS_REF=$(git describe --abbrev=7 --tags --always)
 declare -rx  TAG=\${VERSION}-\${BUILD_DATE}-git-\${VCS_REF}

diff --git a/ci/test.sh b/ci/test.sh
@@ -50,10 +50,17 @@ run_precommit
 
 echo
 echo Configure fixtures.
+if docker ps -a --format '{{.Names}}' --filter Name=src | grep -E '^src$' &>/dev/null; then
+  docker rm -fv src
+fi
+docker create --name=src duoauthproxy sh
+docker cp src:/opt/duoauthproxy/conf/ca-bundle.crt fixtures/
+cp -f fixtures/ca-bundle.crt fixtures/allow/
 cp -f fixtures/authproxy.cfg fixtures/allow/authproxy.cfg
 sed -i "s/API_HOST/${API_HOST}/g" fixtures/allow/authproxy.cfg
 sed -i "s/IKEY/${IKEY_ALLOW}/g" fixtures/allow/authproxy.cfg
 sed -i "s/SKEY/${SKEY_ALLOW}/g" fixtures/allow/authproxy.cfg
+cp -f fixtures/ca-bundle.crt fixtures/deny/
 cp -f fixtures/authproxy.cfg fixtures/deny/authproxy.cfg
 sed -i "s/API_HOST/${API_HOST}/g" fixtures/deny/authproxy.cfg
 sed -i "s/IKEY/${IKEY_DENY}/g" fixtures/deny/authproxy.cfg

diff --git a/fixtures/allow/Dockerfile b/fixtures/allow/Dockerfile
@@ -1,3 +1,4 @@
 FROM busybox
-COPY authproxy.cfg /etc/duoauthproxy/
-VOLUME /etc/duoauthproxy/
+COPY authproxy.cfg /opt/duoauthproxy/conf/
+COPY ca-bundle.crt /opt/duoauthproxy/conf/
+VOLUME /opt/duoauthproxy/conf/
diff --git a/fixtures/deny/Dockerfile b/fixtures/deny/Dockerfile
@@ -1,3 +1,4 @@
 FROM busybox
-COPY authproxy.cfg /etc/duoauthproxy/
-VOLUME /etc/duoauthproxy/
+COPY authproxy.cfg /opt/duoauthproxy/conf/
+COPY ca-bundle.crt /opt/duoauthproxy/conf/
+VOLUME /opt/duoauthproxy/conf/
diff --git a/runtime/Dockerfile b/runtime/Dockerfile
@@ -1,23 +1,27 @@
-FROM alpine:3.7
+FROM centos:7.5.1804
 
-RUN apk upgrade --update && \
-    apk add \
+RUN \
+    yum install -y \
       python \
-      'libressl2.6-libssl>=2.6.3-r0' \
+      openssl \
       && \
-    rm -f /var/cache/apk/* && \
-    adduser -D -s /sbin/nologin duo
+    rm -fr /var/cache/yum && \
+    useradd -s /sbin/nologin duo
 
 # Use ADD, not COPY, to keep image small.
 ADD duoauthproxy.tgz /
 
 COPY harden /usr/sbin/harden
 RUN /usr/sbin/harden
 
+RUN mkdir -p /opt/duoauthproxy/log; \
+    chown -R duo:duo /opt/duoauthproxy/log
+VOLUME /opt/duoauthproxy/log
+
 COPY authproxy.cfg /etc/duoauthproxy/authproxy.cfg
 USER duo
 ENTRYPOINT ["/opt/duoauthproxy/bin/authproxy"]
-CMD ["-c", "/etc/duoauthproxy/authproxy.cfg"]
+VOLUME /opt/duoauthproxy/conf/
 
 ARG CI_BUILD_URL
 ARG BUILD_DATE

diff --git a/runtime/harden b/runtime/harden
@@ -33,15 +33,15 @@ rm -fr /etc/crontabs
 rm -fr /etc/periodic
 
 # Remove all but a handful of admin commands.
-find /sbin /usr/sbin ! -type d \
+find /usr/sbin ! -type d \
   -a ! -name nologin \
   -delete
 
+# Centos 7.5 does not have /sbin.
 readonly sysdirs="
   /bin
   /etc
   /lib
-  /sbin
   /opt
   /usr
 "
@@ -52,10 +52,10 @@ readonly sysdirs="
 # Therefore restrict the find to sysdirs listed above.
 #
 # shellcheck disable=SC2086
-find ${sysdirs} -xdev -type d -perm +0002 -exec chmod o-w {} +
+find ${sysdirs} -xdev -type d -perm /0002 -exec chmod o-w {} +
 #
 # shellcheck disable=SC2086
-find ${sysdirs} -xdev -type f -perm +0002 -exec chmod o-w {} +
+find ${sysdirs} -xdev -type f -perm /0002 -exec chmod o-w {} +
 
 # Remove crufty...
 #   /etc/shadow-
@@ -75,7 +75,7 @@ find ${sysdirs} -xdev -type d \
 # Remove all suid files.
 #
 # shellcheck disable=SC2086
-find ${sysdirs} -xdev -type f -a -perm +4000 -delete
+find ${sysdirs} -xdev -type f -a -perm /4000 -delete
 
 # Remove init scripts since we do not use them.
 rm -fr /etc/init.d
@@ -108,4 +108,4 @@ sed -i -r '/^(duo)/!d' /etc/group
 sed -i -r '/^(duo)/!d' /etc/passwd
 
 # Remove interactive login shell for everybody but unprivileged user.
-sed -i -r '/^duo:/! s#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd
+sed -i -r '/^duo:/! s#^(.*):[^:]*$#\1:/usr/sbin/nologin#' /etc/passwd
diff --git a/test/test_harden.bats b/test/test_harden.bats
@@ -44,18 +44,18 @@
   [[ ${groups} -eq 1 ]]
 }
 
-@test "bash is not installed" {
-  run docker run --rm --entrypoint ls duoauthproxy /bin/bash
-  [[ ${status} -ne 0 ]]
+@test "bash is available" {
+  run docker run --rm --entrypoint sh duoauthproxy -c "command -v bash"
+  [[ ${status} -eq 0 ]]
 }
 
 @test "chown is available" {
-  run docker run --rm --entrypoint chown duoauthproxy -h
+  run docker run --rm --entrypoint chown duoauthproxy --help
   [[ ${output} =~ "Usage: chown" ]]
 }
 
 @test "chgrp is available" {
-  run docker run --rm --entrypoint chgrp duoauthproxy -h
+  run docker run --rm --entrypoint chgrp duoauthproxy --help
   [[ ${output} =~ "Usage: chgrp" ]]
 }