diff --git a/.gitignore b/.gitignore
index 3ee8619..be0fd89 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ runtime/duoauthproxy.tgz
environment
ci/vars
fixtures/*/authproxy.cfg
+fixtures/**/ca-bundle.crt
diff --git a/.gitlint b/.gitlint
index bfd1b6b..47b4feb 100644
--- a/.gitlint
+++ b/.gitlint
@@ -1,6 +1,6 @@
# http://jorisroovers.github.io/gitlint/configuration/
[general]
-ignore=body-is-missing
+ignore=body-is-missing,body-max-line-length
[title-max-length]
line-length=72
diff --git a/README.md b/README.md
index 29154ae..85244f2 100644
--- a/README.md
+++ b/README.md
@@ -12,15 +12,14 @@ Docker hub: [https://registry.hub.docker.com/u/jumanjiman/duoauthproxy/](https:/
Image metadata: [https://microbadger.com/#/images/jumanjiman/duoauthproxy](https://microbadger.com/#/images/jumanjiman/duoauthproxy)
-Current version: Duo Authproxy 2.9.0
+Current version: Duo Authproxy 2.10.1
([release notes](https://duo.com/support/documentation/authproxy-notes))
-:warning: Duo Authproxy 2.4.18 resolves
-[DUO-PSA-2016-002](https://duo.com/labs/psa/duo-psa-2016-002).
**Table of Contents**
- [Overview](#overview)
+ - [Warnings](#warnings)
- [Network diagram](#network-diagram)
- [References](#references)
- [Build integrity](#build-integrity)
@@ -48,6 +47,26 @@ This repo provides a way to build Duo Authentication Proxy into
a docker image and run it as a container.
+### Warnings
+
+:warning: Upstream authproxy introduced breaking changes effective 2.10.0:
+
+* Authproxy absolutely needs to write to a logfile.
+ The image declares `/opt/duoauthproxy/log` as a volume.
+
+* Authproxy no longer has the `-c CONFIG` option.
+ The path to config is hard-coded.
+
+* Authproxy requires `FIPS_mode` that is not in LibreSSL.
+ Therefore the image is based on Centos, not Alpine.
+ See https://marc.info/?l=openbsd-misc&m=139819485423701&w=2 for details.
+
+
+:warning: Duo Authproxy 2.4.18 resolves
+[DUO-PSA-2016-002](https://duo.com/labs/psa/duo-psa-2016-002).
+
+
+
### Network diagram
![Duo network diagram](https://duo.com/assets/img/documentation/authproxy/radius-network-diagram.png)
diff --git a/TESTING.md b/TESTING.md
index 3bd7b91..f01050a 100644
--- a/TESTING.md
+++ b/TESTING.md
@@ -62,7 +62,7 @@ Output resembles:
ok duo group exists
ok duo is the only group account
ok duo is the only group account
- ok bash is not installed
+ ok bash is available
ok chown is available
ok chgrp is available
ok ln is available
diff --git a/builder/Dockerfile b/builder/Dockerfile
index ec99ec4..576cb19 100644
--- a/builder/Dockerfile
+++ b/builder/Dockerfile
@@ -1,25 +1,26 @@
-FROM alpine:3.7
+FROM centos:7.5.1804
-RUN apk upgrade --update --available && \
- apk add \
+RUN \
+ yum install -y \
bash \
curl \
python \
gcc \
- gmp-dev \
- libc-dev \
- libffi-dev \
+ gmp-devel \
+ libc-devel \
+ libffi-devel \
libgcc \
- 'libressl-dev>=2.6.3-r0' \
+ openssl-devel \
linux-headers \
make \
patch \
+ procps \
py-setuptools \
- python-dev \
+ python-devel \
tar \
- zlib-dev \
- && rm -f /var/cache/apk/* && \
- adduser -D duo
+ zlib-devel \
+ && rm -fr /var/cache/yum && \
+ useradd duo
ARG VERSION
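Review bot: Several package names in the new `yum install` list look like they were carried over from the Alpine image rather than mapped to CentOS 7 names: `libc-devel` (the glibc headers ship as `glibc-devel`), `linux-headers` (`kernel-headers` on CentOS) and `py-setuptools` (`python-setuptools`). Because yum's `skip_missing_names_on_install` defaults to true, an unknown name is only warned about and the step still exits 0, so the build can pass CI with those packages silently absent (gcc happens to pull glibc-devel in as a dependency, which masks it further). I would map the three names and make a typo fail loudly by changing the install line to `yum install -y --setopt=skip_missing_names_on_install=False \`, then pin versions (hadolint DL3033) so the builder is reproducible. Please confirm the names against the CentOS 7 repositories; I am reading them from the hunk only.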
diff --git a/ci/build.sh b/ci/build.sh
index 1722549..3f2caff 100755
--- a/ci/build.sh
+++ b/ci/build.sh
@@ -12,7 +12,7 @@ set -o pipefail
cat >ci/vars </dev/null; then
+ docker rm -fv src
+fi
+docker create --name=src duoauthproxy sh
+docker cp src:/opt/duoauthproxy/conf/ca-bundle.crt fixtures/
+cp -f fixtures/ca-bundle.crt fixtures/allow/
cp -f fixtures/authproxy.cfg fixtures/allow/authproxy.cfg
sed -i "s/API_HOST/${API_HOST}/g" fixtures/allow/authproxy.cfg
sed -i "s/IKEY/${IKEY_ALLOW}/g" fixtures/allow/authproxy.cfg
sed -i "s/SKEY/${SKEY_ALLOW}/g" fixtures/allow/authproxy.cfg
+cp -f fixtures/ca-bundle.crt fixtures/deny/
cp -f fixtures/authproxy.cfg fixtures/deny/authproxy.cfg
sed -i "s/API_HOST/${API_HOST}/g" fixtures/deny/authproxy.cfg
sed -i "s/IKEY/${IKEY_DENY}/g" fixtures/deny/authproxy.cfg
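Review bot: The Duo `SKEY_*` values are substituted straight into `fixtures/allow/authproxy.cfg` and `fixtures/deny/authproxy.cfg`, which the fixture Dockerfiles then `COPY` into image layers, so the secret keys end up in the fixture images and their `docker history`; that is tolerable for throwaway CI images only if they are never pushed, and the script should say so in a comment next to the `cp`. The `sed` substitutions are also unescaped, so a value containing `/` or `&` would corrupt the config or be reinterpreted by sed; switching the delimiter, e.g. `sed -i "s|SKEY|${SKEY_ALLOW}|g" fixtures/allow/authproxy.cfg`, avoids the `/` case and `&` should be escaped or rejected. The `src` container created for the `docker cp` is only removed at the start of the next run, so a `docker rm -fv src` after the copy would keep the CI host clean. The start of this hunk is garbled on the page (the `cat >ci/vars` heredoc and the `if ... then` condition are cut), so only the visible lines were reviewed.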
diff --git a/fixtures/allow/Dockerfile b/fixtures/allow/Dockerfile
index c54f610..fed8554 100644
--- a/fixtures/allow/Dockerfile
+++ b/fixtures/allow/Dockerfile
@@ -1,3 +1,4 @@
FROM busybox
-COPY authproxy.cfg /etc/duoauthproxy/
-VOLUME /etc/duoauthproxy/
+COPY authproxy.cfg /opt/duoauthproxy/conf/
+COPY ca-bundle.crt /opt/duoauthproxy/conf/
+VOLUME /opt/duoauthproxy/conf/
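Review bot: `COPY authproxy.cfg /opt/duoauthproxy/conf/` bakes a config that, per ci/build.sh in this commit, carries a Duo ikey/skey into an image layer, and nothing in the file marks it as such; a first-line comment `# CI-only fixture: authproxy.cfg holds test credentials, never push this image` would make the constraint explicit. The copied files keep root ownership and the build-context mode while the runtime image runs authproxy as `duo` (`USER duo` in runtime/Dockerfile), so the config has to be world-readable for the proxy to read it through the shared volume; `COPY --chown=<duo uid>:<duo gid> --chmod=0640` (BuildKit) would avoid a world-readable secret, though I cannot confirm the duo UID from the hunk. `VOLUME` is correctly declared after both copies, so the files survive as the volume's initial content.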
diff --git a/fixtures/deny/Dockerfile b/fixtures/deny/Dockerfile
index c54f610..fed8554 100644
--- a/fixtures/deny/Dockerfile
+++ b/fixtures/deny/Dockerfile
@@ -1,3 +1,4 @@
FROM busybox
-COPY authproxy.cfg /etc/duoauthproxy/
-VOLUME /etc/duoauthproxy/
+COPY authproxy.cfg /opt/duoauthproxy/conf/
+COPY ca-bundle.crt /opt/duoauthproxy/conf/
+VOLUME /opt/duoauthproxy/conf/
diff --git a/runtime/Dockerfile b/runtime/Dockerfile
index 3a3fead..d51a6cb 100644
--- a/runtime/Dockerfile
+++ b/runtime/Dockerfile
@@ -1,12 +1,12 @@
-FROM alpine:3.7
+FROM centos:7.5.1804
-RUN apk upgrade --update && \
- apk add \
+RUN \
+ yum install -y \
python \
- 'libressl2.6-libssl>=2.6.3-r0' \
+ openssl \
&& \
- rm -f /var/cache/apk/* && \
- adduser -D -s /sbin/nologin duo
+ rm -fr /var/cache/yum && \
+ useradd -s /sbin/nologin duo
# Use ADD, not COPY, to keep image small.
ADD duoauthproxy.tgz /
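Review bot: `useradd -s /sbin/nologin duo` points the duo shell at the `/sbin` path, while the updated harden script rewrites every other account to `/usr/sbin/nologin` and keeps only `/usr/sbin/nologin` when it empties `/usr/sbin`; on CentOS 7 `/sbin` is a symlink to `usr/sbin` so both resolve today, but `useradd -s /usr/sbin/nologin duo` would keep the image self-consistent and independent of that symlink. `yum install -y python openssl` installs unpinned packages (hadolint DL3033) and, because yum skips unknown names by default, a mistyped package would not fail the build; `yum install -y --setopt=skip_missing_names_on_install=False python-<ver> openssl-<ver>` addresses both. Clearing `/var/cache/yum` in the same layer is correct.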
@@ -14,10 +14,14 @@ ADD duoauthproxy.tgz /
COPY harden /usr/sbin/harden
RUN /usr/sbin/harden
+RUN mkdir -p /opt/duoauthproxy/log; \
+ chown -R duo:duo /opt/duoauthproxy/log
+VOLUME /opt/duoauthproxy/log
+
COPY authproxy.cfg /etc/duoauthproxy/authproxy.cfg
USER duo
ENTRYPOINT ["/opt/duoauthproxy/bin/authproxy"]
-CMD ["-c", "/etc/duoauthproxy/authproxy.cfg"]
+VOLUME /opt/duoauthproxy/conf/
ARG CI_BUILD_URL
ARG BUILD_DATE
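Review bot: With the `-c` option removed, `COPY authproxy.cfg /etc/duoauthproxy/authproxy.cfg` (kept as context) now copies a config to a path the proxy no longer reads, since the README in this commit says the config path is hard-coded and the fixtures mount `/opt/duoauthproxy/conf/`; the `/etc/duoauthproxy` copy is dead weight and will mislead the next maintainer. Either drop the line or copy it to `/opt/duoauthproxy/conf/authproxy.cfg` before `VOLUME /opt/duoauthproxy/conf/` so it becomes the volume's default content; I cannot tell from the hunk which is intended. The log directory is set up correctly (`mkdir` and `chown` precede `VOLUME`), but the `conf` directory extracted by `ADD duoauthproxy.tgz` gets no ownership or mode adjustment, so whether `duo` can read `conf/ca-bundle.crt` depends on the tarball's permissions, and a comment such as `# conf/ is left as extracted; assumes the tarball ships it world-readable` would record that assumption.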
diff --git a/runtime/harden b/runtime/harden
index 1754477..880eadb 100755
--- a/runtime/harden
+++ b/runtime/harden
@@ -33,15 +33,15 @@ rm -fr /etc/crontabs
rm -fr /etc/periodic
# Remove all but a handful of admin commands.
-find /sbin /usr/sbin ! -type d \
+find /usr/sbin ! -type d \
-a ! -name nologin \
-delete
+# Centos 7.5 does not have /sbin.
readonly sysdirs="
/bin
/etc
/lib
- /sbin
/opt
/usr
"
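Review bot: The comment `# Centos 7.5 does not have /sbin.` appears inaccurate: CentOS 7 uses the merged-/usr layout where `/sbin` is a symlink to `usr/sbin`, and that is most likely why the old `find /sbin ... ! -type d ... -delete` was a problem, because a symlink starting point matches `! -type d` and `-delete` would unlink the symlink itself. Recording the real reason prevents someone re-adding `/sbin` later: `# CentOS 7 merges /sbin into /usr/sbin (/sbin is a symlink to usr/sbin), so /usr already covers it; listing /sbin in a non-directory -delete would remove the symlink.` The `sysdirs` list should likewise be read as covering `/lib64` through `/usr` only if `/lib64` is also a symlink into `/usr`, which I believe it is on CentOS 7 but have not verified from this hunk.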
@@ -52,10 +52,10 @@ readonly sysdirs="
# Therefore restrict the find to sysdirs listed above.
#
# shellcheck disable=SC2086
-find ${sysdirs} -xdev -type d -perm +0002 -exec chmod o-w {} +
+find ${sysdirs} -xdev -type d -perm /0002 -exec chmod o-w {} +
#
# shellcheck disable=SC2086
-find ${sysdirs} -xdev -type f -perm +0002 -exec chmod o-w {} +
+find ${sysdirs} -xdev -type f -perm /0002 -exec chmod o-w {} +
# Remove crufty...
# /etc/shadow-
@@ -75,7 +75,7 @@ find ${sysdirs} -xdev -type d \
# Remove all suid files.
#
# shellcheck disable=SC2086
-find ${sysdirs} -xdev -type f -a -perm +4000 -delete
+find ${sysdirs} -xdev -type f -a -perm /4000 -delete
# Remove init scripts since we do not use them.
rm -fr /etc/init.d
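Review bot: `-perm /4000` matches only setuid files, so any setgid binaries in `sysdirs` survive the "Remove all suid files" step; a CentOS base typically ships a few, though I have not verified which are present in this image. If the intent is to strip all privilege-escalating bits, `find ${sysdirs} -xdev -type f -a -perm /6000 -delete` covers setuid and setgid in one pass with no other change. The exposure is small because the container runs as the unprivileged `duo` user with no other accounts left in /etc/passwd, but removing them is cheap and keeps the comment truthful.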
@@ -108,4 +108,4 @@ sed -i -r '/^(duo)/!d' /etc/group
sed -i -r '/^(duo)/!d' /etc/passwd
# Remove interactive login shell for everybody but unprivileged user.
-sed -i -r '/^duo:/! s#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd
+sed -i -r '/^duo:/! s#^(.*):[^:]*$#\1:/usr/sbin/nologin#' /etc/passwd
diff --git a/test/test_harden.bats b/test/test_harden.bats
index d61644e..7b37cb5 100644
--- a/test/test_harden.bats
+++ b/test/test_harden.bats
@@ -44,18 +44,18 @@
[[ ${groups} -eq 1 ]]
}
-@test "bash is not installed" {
- run docker run --rm --entrypoint ls duoauthproxy /bin/bash
- [[ ${status} -ne 0 ]]
+@test "bash is available" {
+ run docker run --rm --entrypoint sh duoauthproxy -c "command -v bash"
+ [[ ${status} -eq 0 ]]
}
@test "chown is available" {
- run docker run --rm --entrypoint chown duoauthproxy -h
+ run docker run --rm --entrypoint chown duoauthproxy --help
[[ ${output} =~ "Usage: chown" ]]
}
@test "chgrp is available" {
- run docker run --rm --entrypoint chgrp duoauthproxy -h
+ run docker run --rm --entrypoint chgrp duoauthproxy --help
[[ ${output} =~ "Usage: chgrp" ]]
}
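Review bot: Flipping `bash is not installed` into `bash is available` turns a hardening assertion into its opposite without recording why; on CentOS 7 `/bin/sh` is itself a link to bash, so bash cannot be removed without breaking the `--entrypoint sh` invocations used throughout these tests, but a reader only sees that an interactive shell in the hardened runtime image is now required. I would name the test for the reason, e.g. `@test "bash is present (CentOS /bin/sh is bash, so harden keeps it)"`, and preserve the original intent with a companion test asserting that no other shell (`zsh`, `csh`, `tcsh`, `ksh`) is on `PATH`. Switching `chown`/`chgrp` to `--help` is necessary on coreutils, where `-h` means `--no-dereference` and prints no usage text.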