From a38113ce80e59843f92e2ab0c34427554ce6e29b Mon Sep 17 00:00:00 2001 From: Paul Morgan Date: Thu, 20 Sep 2018 02:30:33 +0000 Subject: [PATCH] upgrade to duoauthproxy 2.10.1 and resolve breaking changes Upstream authproxy has new dependencies: * Add `procps` package since install script now requires `ps -p`. Upstream authproxy introduced breaking changes since 2.9: * Authproxy now absolutely needs to write to a logfile. * Authproxy no longer has the `-c CONFIG` option. The path to config is now hard-coded. Rebase on Centos instead of Alpine. * Authproxy now requires `FIPS_mode` that is not in LibreSSL. https://marc.info/?l=openbsd-misc&m=139819485423701&w=2 On Alpine (which has LibreSSL instead of OpenSSL), authproxy fails with: ``` Traceback (most recent call last): File "/opt/duoauthproxy/bin/authproxy", line 21, in application = proxy.create_application(args=sys.argv) File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/proxy.py", line 186, in create_application fips_mode = fips_manager.status() File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/lib/fips_manager.py", line 42, in status return OPENSSL_LIB.FIPS_mode() AttributeError: 'module' object has no attribute 'FIPS_mode' ``` --- .gitignore | 1 + .gitlint | 2 +- README.md | 25 ++++++++++++++++++++++--- TESTING.md | 2 +- builder/Dockerfile | 23 ++++++++++++----------- ci/build.sh | 2 +- ci/test.sh | 7 +++++++ fixtures/allow/Dockerfile | 5 +++-- fixtures/deny/Dockerfile | 5 +++-- runtime/Dockerfile | 18 +++++++++++------- runtime/harden | 12 ++++++------ test/test_harden.bats | 10 +++++----- 12 files changed, 73 insertions(+), 39 deletions(-) diff --git a/.gitignore b/.gitignore index 3ee8619..be0fd89 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ runtime/duoauthproxy.tgz environment ci/vars fixtures/*/authproxy.cfg +fixtures/**/ca-bundle.crt diff --git a/.gitlint b/.gitlint index bfd1b6b..47b4feb 100644 --- a/.gitlint +++ b/.gitlint 
@@ -1,6 +1,6 @@ # http://jorisroovers.github.io/gitlint/configuration/ [general] -ignore=body-is-missing +ignore=body-is-missing,body-max-line-length [title-max-length] line-length=72 diff --git a/README.md b/README.md index 29154ae..85244f2 100644 --- a/README.md +++ b/README.md @@ -12,15 +12,14 @@ Docker hub: [https://registry.hub.docker.com/u/jumanjiman/duoauthproxy/](https:/
Image metadata: [https://microbadger.com/#/images/jumanjiman/duoauthproxy](https://microbadger.com/#/images/jumanjiman/duoauthproxy)
-Current version: Duo Authproxy 2.9.0 +Current version: Duo Authproxy 2.10.1 ([release notes](https://duo.com/support/documentation/authproxy-notes)) -:warning: Duo Authproxy 2.4.18 resolves -[DUO-PSA-2016-002](https://duo.com/labs/psa/duo-psa-2016-002). **Table of Contents** - [Overview](#overview) + - [Warnings](#warnings) - [Network diagram](#network-diagram) - [References](#references) - [Build integrity](#build-integrity) @@ -48,6 +47,26 @@ This repo provides a way to build Duo Authentication Proxy into a docker image and run it as a container. +### Warnings + +:warning: Upstream authproxy introduced breaking changes effective 2.10.0: + +* Authproxy absolutely needs to write to a logfile.
+ The image declares `/opt/duoauthproxy/log` as a volume.
+
+* Authproxy no longer has the `-c CONFIG` option.
+ The path to config is hard-coded.
+
+* Authproxy requires `FIPS_mode` that is not in LibreSSL.
+ Therefore the image is based on Centos, not Alpine.
+ See https://marc.info/?l=openbsd-misc&m=139819485423701&w=2 for details. + + +:warning: Duo Authproxy 2.4.18 resolves +[DUO-PSA-2016-002](https://duo.com/labs/psa/duo-psa-2016-002). + + + ### Network diagram ![Duo network diagram](https://duo.com/assets/img/documentation/authproxy/radius-network-diagram.png) diff --git a/TESTING.md b/TESTING.md index 3bd7b91..f01050a 100644 --- a/TESTING.md +++ b/TESTING.md @@ -62,7 +62,7 @@ Output resembles: ok duo group exists ok duo is the only group account ok duo is the only group account - ok bash is not installed + ok bash is available ok chown is available ok chgrp is available ok ln is available diff --git a/builder/Dockerfile b/builder/Dockerfile index ec99ec4..576cb19 100644 --- a/builder/Dockerfile +++ b/builder/Dockerfile @@ -1,25 +1,26 @@ -FROM alpine:3.7 +FROM centos:7.5.1804 -RUN apk upgrade --update --available && \ - apk add \ +RUN \ + yum install -y \ bash \ curl \ python \ gcc \ - gmp-dev \ - libc-dev \ - libffi-dev \ + gmp-devel \ + libc-devel \ + libffi-devel \ libgcc \ - 'libressl-dev>=2.6.3-r0' \ + openssl-devel \ linux-headers \ make \ patch \ + procps \ py-setuptools \ - python-dev \ + python-devel \ tar \ - zlib-dev \ - && rm -f /var/cache/apk/* && \ - adduser -D duo + zlib-devel \ + && rm -fr /var/cache/yum && \ + useradd duo ARG VERSION diff --git a/ci/build.sh b/ci/build.sh index 1722549..3f2caff 100755 --- a/ci/build.sh +++ b/ci/build.sh 
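Review bot: Three names in the new `yum install -y` list of builder/Dockerfile, `libc-devel`, `linux-headers` and `py-setuptools`, look like Alpine package names carried over unchanged; the usual CentOS 7 names are `glibc-devel`, `kernel-headers` and `python-setuptools`. yum on CentOS 7 can report an unknown name as a warning and still exit 0 when the remaining packages install, so the build may be passing without them. Confirm with `rpm -q` after the install and rename or drop the entries, so that a missing build dependency fails the build instead of silently changing what gets compiled into the proxy.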
@@ -12,7 +12,7 @@ set -o pipefail cat >ci/vars </dev/null; then + docker rm -fv src +fi +docker create --name=src duoauthproxy sh +docker cp src:/opt/duoauthproxy/conf/ca-bundle.crt fixtures/ +cp -f fixtures/ca-bundle.crt fixtures/allow/ cp -f fixtures/authproxy.cfg fixtures/allow/authproxy.cfg sed -i "s/API_HOST/${API_HOST}/g" fixtures/allow/authproxy.cfg sed -i "s/IKEY/${IKEY_ALLOW}/g" fixtures/allow/authproxy.cfg sed -i "s/SKEY/${SKEY_ALLOW}/g" fixtures/allow/authproxy.cfg +cp -f fixtures/ca-bundle.crt fixtures/deny/ cp -f fixtures/authproxy.cfg fixtures/deny/authproxy.cfg sed -i "s/API_HOST/${API_HOST}/g" fixtures/deny/authproxy.cfg sed -i "s/IKEY/${IKEY_DENY}/g" fixtures/deny/authproxy.cfg diff --git a/fixtures/allow/Dockerfile b/fixtures/allow/Dockerfile index c54f610..fed8554 100644 --- a/fixtures/allow/Dockerfile +++ b/fixtures/allow/Dockerfile @@ -1,3 +1,4 @@ FROM busybox -COPY authproxy.cfg /etc/duoauthproxy/ -VOLUME /etc/duoauthproxy/ +COPY authproxy.cfg /opt/duoauthproxy/conf/ +COPY ca-bundle.crt /opt/duoauthproxy/conf/ +VOLUME /opt/duoauthproxy/conf/ diff --git a/fixtures/deny/Dockerfile b/fixtures/deny/Dockerfile index c54f610..fed8554 100644 --- a/fixtures/deny/Dockerfile +++ b/fixtures/deny/Dockerfile @@ -1,3 +1,4 @@ FROM busybox -COPY authproxy.cfg /etc/duoauthproxy/ -VOLUME /etc/duoauthproxy/ +COPY authproxy.cfg /opt/duoauthproxy/conf/ +COPY ca-bundle.crt /opt/duoauthproxy/conf/ +VOLUME /opt/duoauthproxy/conf/ diff --git a/runtime/Dockerfile b/runtime/Dockerfile index 3a3fead..d51a6cb 100644 --- a/runtime/Dockerfile +++ b/runtime/Dockerfile @@ -1,12 +1,12 @@ -FROM alpine:3.7 +FROM centos:7.5.1804 -RUN apk upgrade --update && \ - apk add \ +RUN \ + yum install -y \ python \ - 'libressl2.6-libssl>=2.6.3-r0' \ + openssl \ && \ - rm -f /var/cache/apk/* && \ - adduser -D -s /sbin/nologin duo + rm -fr /var/cache/yum && \ + useradd -s /sbin/nologin duo # Use ADD, not COPY, to keep image small. ADD duoauthproxy.tgz / 
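Review bot: Copying `ca-bundle.crt` into the config volume in fixtures/allow/Dockerfile means the proxy's trust anchors for the Duo API come from whoever builds the config image, because a volume mounted at `/opt/duoauthproxy/conf/` hides the bundle the runtime image ships in that directory. The copy ci/test.sh takes is current on the day of the build, but a config image built earlier keeps its old bundle after the runtime image is upgraded, and nothing visible here checks that the two match. This deserves a line in the README Warnings section and a comment above the new `COPY`, such as `# conf/ is a volume: re-copy ca-bundle.crt from the runtime image on every upgrade`. The same applies to the identical hunk in fixtures/deny/Dockerfile.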
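Review bot: The removed `apk upgrade` has no counterpart in the new `RUN` of runtime/Dockerfile, so apart from `python`, `openssl` and whatever they pull in, the runtime image keeps the package set frozen into the `centos:7.5.1804` tag. For an image that sits in the authentication path, either run `yum -y update` ahead of the install in the same layer, or pin the base by digest and rebuild on a schedule, so that the patch level is a deliberate choice. `yum clean all` before `rm -fr /var/cache/yum` is the conventional cleanup.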
@@ -14,10 +14,14 @@ ADD duoauthproxy.tgz / COPY harden /usr/sbin/harden RUN /usr/sbin/harden +RUN mkdir -p /opt/duoauthproxy/log; \ + chown -R duo:duo /opt/duoauthproxy/log +VOLUME /opt/duoauthproxy/log + COPY authproxy.cfg /etc/duoauthproxy/authproxy.cfg USER duo ENTRYPOINT ["/opt/duoauthproxy/bin/authproxy"] -CMD ["-c", "/etc/duoauthproxy/authproxy.cfg"] +VOLUME /opt/duoauthproxy/conf/ ARG CI_BUILD_URL ARG BUILD_DATE diff --git a/runtime/harden b/runtime/harden index 1754477..880eadb 100755 --- a/runtime/harden +++ b/runtime/harden @@ -33,15 +33,15 @@ rm -fr /etc/crontabs rm -fr /etc/periodic # Remove all but a handful of admin commands. -find /sbin /usr/sbin ! -type d \ +find /usr/sbin ! -type d \ -a ! -name nologin \ -delete +# Centos 7.5 does not have /sbin. readonly sysdirs=" /bin /etc /lib - /sbin /opt /usr " @@ -52,10 +52,10 @@ readonly sysdirs=" # Therefore restrict the find to sysdirs listed above. # # shellcheck disable=SC2086 -find ${sysdirs} -xdev -type d -perm +0002 -exec chmod o-w {} + +find ${sysdirs} -xdev -type d -perm /0002 -exec chmod o-w {} + # # shellcheck disable=SC2086 -find ${sysdirs} -xdev -type f -perm +0002 -exec chmod o-w {} + +find ${sysdirs} -xdev -type f -perm /0002 -exec chmod o-w {} + # Remove crufty... # /etc/shadow- @@ -75,7 +75,7 @@ find ${sysdirs} -xdev -type d \ # Remove all suid files. # # shellcheck disable=SC2086 -find ${sysdirs} -xdev -type f -a -perm +4000 -delete +find ${sysdirs} -xdev -type f -a -perm /4000 -delete # Remove init scripts since we do not use them. rm -fr /etc/init.d @@ -108,4 +108,4 @@ sed -i -r '/^(duo)/!d' /etc/group sed -i -r '/^(duo)/!d' /etc/passwd # Remove interactive login shell for everybody but unprivileged user. -sed -i -r '/^duo:/! s#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd +sed -i -r '/^duo:/! s#^(.*):[^:]*$#\1:/usr/sbin/nologin#' /etc/passwd diff --git a/test/test_harden.bats b/test/test_harden.bats index d61644e..7b37cb5 100644 --- a/test/test_harden.bats +++ b/test/test_harden.bats 
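Review bot: The context line `COPY authproxy.cfg /etc/duoauthproxy/authproxy.cfg` still places the default config under `/etc/duoauthproxy/`, while this hunk removes the `-c` argument that pointed there and declares `/opt/duoauthproxy/conf/` as the config volume; as far as the hunk shows, the copied file is no longer read. Copy it to `/opt/duoauthproxy/conf/authproxy.cfg` ahead of the `VOLUME` line, or drop it. In the added `RUN`, the `;` lets `chown` run after a failed `mkdir`; `mkdir -p /opt/duoauthproxy/log && chown -R duo:duo /opt/duoauthproxy/log` stops the build at the first error. The Dockerfile continues past the end of the hunk.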
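Review bot: The added comment `# Centos 7.5 does not have /sbin.` in runtime/harden is imprecise, since on CentOS 7 `/sbin` is a symlink to `usr/sbin`, and `/bin` and `/lib` are symlinks into `/usr` as well. find does not follow a symlink given as a starting point by default, so the `/bin` and `/lib` entries left in `sysdirs` presumably contribute nothing and the `/usr` entry does the work. A comment saying that would keep the next maintainer from removing `/usr`: `# On CentOS 7, /bin, /sbin and /lib are symlinks into /usr; find does not follow them, so /usr covers their contents.`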
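Review bot: On the line under `# Remove all suid files.`, `-perm /4000` selects setuid files only, so any setgid binaries in the CentOS base survive the hardening pass. If the intent is to strip every privilege-raising bit, `find ${sysdirs} -xdev -type f -a -perm /6000 -delete` covers both, and the comment should then read `# Remove all suid and sgid files.`. The switch from `+mode` to `/mode` is itself correct for GNU find.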
@@ -44,18 +44,18 @@ [[ ${groups} -eq 1 ]] } -@test "bash is not installed" { - run docker run --rm --entrypoint ls duoauthproxy /bin/bash - [[ ${status} -ne 0 ]] +@test "bash is available" { + run docker run --rm --entrypoint sh duoauthproxy -c "command -v bash" + [[ ${status} -eq 0 ]] } @test "chown is available" { - run docker run --rm --entrypoint chown duoauthproxy -h + run docker run --rm --entrypoint chown duoauthproxy --help [[ ${output} =~ "Usage: chown" ]] } @test "chgrp is available" { - run docker run --rm --entrypoint chgrp duoauthproxy -h + run docker run --rm --entrypoint chgrp duoauthproxy --help [[ ${output} =~ "Usage: chgrp" ]] }
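Review bot: Replacing `bash is not installed` with a test that requires `command -v bash` to succeed turns a hardening guarantee into its opposite, because the suite now fails if a later change removes the shell from the runtime image. If bash is present only because the CentOS base ships it, dropping the test, or keeping the negative assertion and removing bash in runtime/harden, preserves the smaller attack surface. If the new authproxy release needs bash at runtime, a comment above the test should say so, for example `# authproxy 2.10 requires bash at runtime (confirm against upstream)`.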