fickit: Add dexidp on frontend

nemunaire 2021-09-05 12:39:36 +02:00
parent e48ee589e5
commit 75d288000f
7 changed files with 362 additions and 2 deletions


@ -0,0 +1,23 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>{{ issuer }}</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="{{ url .ReqPath "static/main.css" }}" rel="stylesheet">
<link href="{{ url .ReqPath "theme/styles.css" }}" rel="stylesheet">
<link rel="icon" href="{{ url .ReqPath "theme/favicon.png" }}">
</head>
<body class="theme-body">
<div class="theme-navbar">
<div class="theme-navbar__logo-wrap">
<img class="theme-navbar__logo" src="{{ url .ReqPath logo }}">
</div>
<div class="theme-navbar__logo-wrap" style="text-align:right">
<img class="theme-navbar__logo" src="../../img/epita.png">
</div>
</div>
<div class="dex-container">
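Review bot: The second navbar logo at `<img class="theme-navbar__logo" src="../../img/epita.png">` uses a relative path while every other asset in this header goes through `{{ url .ReqPath ... }}`, so the image resolves to a different URL depending on the depth of the page being rendered (the connector list and the password form are served from different paths) and will likely 404 on one of them. Serving the file from the theme directory and referencing it the same way, e.g. `<img class="theme-navbar__logo" src="{{ url .ReqPath "theme/epita.png" }}">`, keeps it stable; the dex bind mounts in the linuxkit config would need a matching entry. The partial ends with `<div class="dex-container">` left open, presumably for footer.html to close; a trailing `<!-- dex-container is closed in footer.html -->` would make that intent explicit to the next editor.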


@ -0,0 +1,21 @@
{{ template "header.html" . }}
<div class="theme-panel">
<h2 class="theme-heading">
Bienvenue au challenge Forensic&nbsp;!
</h2>
<div>
{{ range $c := .Connectors }}
<div class="theme-form-row">
<a href="{{ $c.URL }}" target="_self">
<button class="dex-btn theme-btn-provider">
<span class="dex-btn-icon dex-btn-icon--{{ $c.Type }}"></span>
<span class="dex-btn-text">Log in with {{ $c.Name }}</span>
</button>
</a>
</div>
{{ end }}
</div>
</div>
{{ template "footer.html" . }}
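Review bot: The button text `Log in with {{ $c.Name }}` is the only English string on a page that is otherwise in French (the heading here, the labels on the password page), which reads as a leftover from the upstream dex template; `<span class="dex-btn-text">Se connecter avec {{ $c.Name }}</span>` would match the rest of the theme. Nothing in the connector loop itself needs changing.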


@ -0,0 +1,58 @@
{{ template "header.html" . }}
<div class="theme-panel">
<h2 class="theme-heading">
Bienvenue au challenge Forensic&nbsp;!
</h2>
<form method="post" action="{{ .PostURL }}">
<div class="theme-form-row">
<div class="theme-form-label">
<label for="userid">Votre équipe</label>
</div>
<select tabindex="1" required id="login" name="login" class="theme-form-input" autofocus>
<option value="team01">0verfl0wl</option>
<option value="team02">TeamDLS</option>
<option value="team03">ESNArcotrafiquants</option>
<option value="team04">Ingénieur Cyberdéfense</option>
<option value="team05">StrawHats</option>
<option value="team06">PoC INNOVATION</option>
<option value="team07">root42</option>
<option value="team08">Les Pires Hat</option>
<option value="team09">Esaip</option>
<option value="team10">Hack In Provence</option>
<option value="team11">Sogeti Aces of spades</option>
<option value="team12">DéfendonsEnsemble</option>
<option value="team13">Linkbynet Cybersecurity</option>
<option value="team14">Evil-Minded</option>
<option value="team15">ID-IoT</option>
<option value="team16">199</option>
<option value="team17">Équipe supplémentaire 1</option>
<option value="team18">Équipe supplémentaire 2</option>
<option value="team19">Équipe supplémentaire 3</option>
<option value="team20">Équipe supplémentaire 4</option>
</select>
</div>
<div class="theme-form-row">
<div class="theme-form-label">
<label for="password">Mot de passe</label>
</div>
<input tabindex="2" required id="password" name="password" type="password" class="theme-form-input" placeholder="mot de passe" {{ if .Invalid }} autofocus {{ end }}/>
</div>
{{ if .Invalid }}
<div id="login-error" class="dex-error-box">
Identifiants incorrects.
</div>
{{ end }}
<button tabindex="3" id="submit-login" type="submit" class="dex-btn theme-btn--primary">C'est parti&nbsp;!</button>
</form>
{{ if .BackLink }}
<div class="theme-link-back">
<a class="dex-subtle-text" href="{{ .BackLink }}">Sélectionner une autre méthode d'authentification.</a>
</div>
{{ end }}
</div>
{{ template "footer.html" . }}
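Review bot: The team label at `<label for="userid">Votre équipe</label>` points at an id that does not exist — the select below it is `id="login"` — so the label is not associated with the control (clicking it does nothing and assistive technology loses the pairing); it should read `<label for="login">Votre équipe</label>`. The twenty `<option value="teamNN">` entries duplicate the twenty `staticPasswords` emails in configs/dex.yaml, and the init script added in this commit copies this template to the shared directory only when it is absent, so the two lists have to be kept in sync by hand; a comment above the `<select>`, e.g. `<!-- option values must match staticPasswords[].email in dex's config -->`, would help the next editor. The `Identifiants incorrects.` message is appropriately generic and does not reveal whether the team or the password was wrong.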


@ -0,0 +1,114 @@
.theme-body {
background-color: white;
color: #272b30;
font-family: system-ui, -apple-system, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", "Liberation Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
}
.theme-navbar {
background-color: #272b30;
border-bottom: 5px solid #4eaee6;
color: #333;
font-size: 13px;
font-weight: 100;
overflow: hidden;
padding: 0 10px;
display: flex;
align-items: center;
justify-content: space-around;
}
.theme-navbar__logo-wrap {
display: inline-block;
overflow: hidden;
padding: 10px 15px;
width: 300px;
}
.theme-navbar__logo {
height: 90px;
max-height: 12vh;
}
.theme-heading {
font-size: 20px;
font-weight: 500;
margin-bottom: 10px;
margin-top: 0;
}
.theme-panel {
background-color: #fff;
box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
padding: 30px;
}
.theme-btn-provider {
background-color: #fff;
color: #333;
min-width: 250px;
}
.theme-btn-provider:hover {
color: #999;
}
.theme-btn--primary {
background-color: #333;
border: none;
color: #fff;
min-width: 200px;
padding: 6px 12px;
}
.theme-btn--primary:hover {
background-color: #666;
color: #fff;
}
.theme-btn--success {
background-color: #2FC98E;
color: #fff;
width: 250px;
}
.theme-btn--success:hover {
background-color: #49E3A8;
}
.theme-form-row {
display: block;
margin: 20px auto;
}
.theme-form-input {
border-radius: 4px;
border: 1px solid #CCC;
box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
color: #666;
display: block;
font-size: 14px;
height: 36px;
line-height: 1.42857143;
margin: auto;
padding: 6px 12px;
width: 250px;
}
.theme-form-input:focus,
.theme-form-input:active {
border-color: #66AFE9;
outline: none;
}
.theme-form-label {
font-size: 13px;
font-weight: 600;
margin: 4px auto;
position: relative;
text-align: left;
width: 250px;
}
.theme-link-back {
margin-top: 4px;
}

84
configs/dex.yaml Normal file

@ -0,0 +1,84 @@
# The base path of Dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to Dex. If a
# path is provided, Dex's HTTP service will listen at a non-root URL.
issuer: https://fic.srs.epita.fr
# The storage configuration determines where dex stores its state. Supported
# options include SQL flavors and Kubernetes third party resources.
storage:
type: sqlite3
config:
file: /var/dex/dex.db
# Configuration for the HTTP endpoints.
web:
http: 0.0.0.0:5556
#allowedOrigins: ['*']
# Configuration for dex appearance
frontend:
issuer: Challenge forensic
logoURL: img/fic.png
dir: /srv/dex/web/
# theme: light
# Configuration for telemetry
#telemetry:
# http: 0.0.0.0:5558
oauth2:
#responseTypes: ["code", "token", "id_token"]
skipApprovalScreen: true
staticClients:
- id: epita-challenge
name: Challenge Forensic
redirectURIs: ['https://fic.srs.epita.fr/challenge_access/auth']
secret: N4n7AXzK9kpXt3TmSn8wAgtxqxhGORgcubLaE2g
enablePasswordDB: true
staticPasswords:
- email: "team01"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team02"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team03"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team04"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team05"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team06"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team07"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team08"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team09"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team10"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team11"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team12"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team13"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team14"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team15"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team16"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team17"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team18"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team19"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- email: "team20"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
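Review bot: The static client at `secret: N4n7AXzK9kpXt3TmSn8wAgtxqxhGORgcubLaE2g` is an OAuth2 client secret committed in clear text, and the same value is repeated as `OAUTH_CLIENT_SECRET` in the linuxkit services file in this commit; dex's static-client entries accept `secretEnv` instead of `secret`, so the value can be injected at deploy time and kept out of the repository, with vouch-proxy reading the same variable. All twenty `staticPasswords` entries carry the identical bcrypt hash `$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W`, which means every team shares one password; since the password page lets the user pick any team from a dropdown, anyone holding that password can authenticate as any other team. If this is a placeholder, note that the `016-copy-dex-config` init script only copies the file and does not substitute anything, so per-team hashes have to be generated before the first boot; if it is not a placeholder, they need to be generated now. The entries also omit the `username` and `userID` fields that dex's password-DB examples carry alongside `email` — worth confirming against the v2.30.0 image pinned in the services file.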


@ -9,6 +9,7 @@
172.17.1.2 nginx
172.17.1.3 frontend
172.17.1.4 auth
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback


@ -88,6 +88,17 @@ onboot:
- name: eth0
bindNS:
net: /run/netns/sshd
- name: auth-ip-setup
image: linuxkit/ip:b98c32fab9c8997c5d05677af979f05dfcd8b3f1
command: ["/bin/sh", "-c", "ip a add 172.17.1.4/24 dev vethin-auth; ip link set vethin-auth up;" ]
net: new
runtime:
interfaces:
- name: vethin-auth
add: veth
peer: veth-auth
bindNS:
net: /run/netns/auth
- name: bridge-setup
image: linuxkit/ip:b98c32fab9c8997c5d05677af979f05dfcd8b3f1
command: ["/bin/sh", "-c", "ip a add 172.17.1.1/24 dev br0; ip link set veth-nginx master br0; ip link set veth-frontend master br0; ip link set br0 up; ip link set veth-nginx up; ip link set veth-frontend up;" ]
@ -223,6 +234,37 @@ services:
# - /etc/unbound/unbound.d:/etc/unbound/unbound.d:ro
# net: /run/netns/nginx
- name: dexidp
image: ghcr.io/dexidp/dex:v2.30.0
net: /run/netns/auth
binds:
- /etc/hosts:/etc/hosts:ro
- /var/lib/fic/pki/shared/dex-config.yaml:/etc/dex/config.docker.yaml:ro
- /var/lib/fic/dex:/var/dex
- /www/dex-templates/theme/styles.css:/srv/dex/web/themes/light/styles.css
- /www/dex-templates/templates/header.html:/srv/dex/web/templates/header.html
- /var/lib/fic/pki/shared/dex-password.tpl:/srv/dex/web/templates/password.html
- /www/htdocs-frontend/img/fic.png:/srv/dex/web/themes/light/favicon.png
runtime:
mkdir:
- /var/lib/fic/dex
- name: vouch-proxy
image: quay.io/vouch/vouch-proxy:alpine-0.34
env:
- VOUCH_ALLOWALLUSERS=true
- VOUCH_COOKIE_DOMAIN=fic.srs.epita.fr
- VOUCH_DOCUMENT_ROOT=/challenge_access
- VOUCH_LOGLEVEL=debug
- OAUTH_PROVIDER=oidc
- OAUTH_CLIENT_ID=epita-challenge
- OAUTH_CLIENT_SECRET=N4n7AXzK9kpXt3TmSn8wAgtxqxhGORgcubLaE2g
- OAUTH_CALLBACK_URL=https://fic.srs.epita.fr/challenge_access/auth
- OAUTH_AUTH_URL=https://fic.srs.epita.fr/auth
- OAUTH_TOKEN_URL=http://127.0.0.1:5556/token
- OAUTH_USER_INFO_URL=http://127.0.0.1:5556/userinfo
- OAUTH_SCOPES=openid,email
net: /run/netns/auth
files:
- path: etc/init.d/015-setup-sshd
@ -231,8 +273,11 @@ files:
- path: etc/init.d/016-copy-dex-config
contents: |
#!/bin/sh
[ -f /var/lib/fic/dex-config.yaml ] || {
cp /etc/dex/config.auth.yaml /var/lib/fic/dex-config.yaml
[ -f /var/lib/fic/pki/shared/dex-config.yaml ] || {
cp /etc/dex/config.auth.yaml /var/lib/fic/pki/shared/dex-config.yaml
}
[ -f /var/lib/fic/pki/shared/dex-password.tpl ] || {
cp /www/dex-templates/templates/password.html /var/lib/fic/pki/shared/dex-password.tpl
}
mode: "0555"
@ -273,6 +318,18 @@ files:
source: configs/nginx/get-team/oidc.conf
mode: "0400"
- path: etc/dex/config.auth.yaml
source: configs/dex.yaml
mode: "0400"
- path: www/dex-templates/theme/styles.css
source: configs/dex-templates/theme/styles.css
mode: "0444"
- path: www/dex-templates/templates/header.html
source: configs/dex-templates/templates/header.html
mode: "0444"
- path: www/dex-templates/templates/password.html
source: configs/dex-templates/templates/password.html
mode: "0444"
- path: usr/bin/iptables
source: configs/nsenter_iptables.sh
@ -375,6 +432,8 @@ files:
[0:0] -A OUTPUT -o bond-frontal -p udp -m udp --sport domain -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.3 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
[0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 5556 -j ACCEPT
[0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9090 -j ACCEPT
[0:0] -A OUTPUT -o internet -j ACCEPT
[0:0] -A OUTPUT -j LOG
[0:0] -A OUTPUT -j REJECT
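Review bot: The new `auth-ip-setup` onboot step creates the `veth-auth` peer in the host namespace, but the unchanged `bridge-setup` command right after it only enslaves `veth-nginx` and `veth-frontend` to br0, so unless another step outside this diff does it, veth-auth is never attached to the bridge or brought up and the `172.17.1.4` entry added to the hosts file and the new iptables OUTPUT rules will not carry any traffic; appending `ip link set veth-auth master br0; ip link set veth-auth up;` to that command fixes it (the `onboot` and `services` lists both start outside the shown hunks). In the `dexidp` service, the bind `/var/lib/fic/pki/shared/dex-password.tpl:/srv/dex/web/templates/password.html` is the only template mount without `:ro`, so the container can rewrite the login form it serves; add `:ro` as on the sibling binds. `VOUCH_LOGLEVEL=debug` leaves the authentication proxy logging at debug level in production, where request and token details tend to end up in logs; switch to `VOUCH_LOGLEVEL=info` once the setup is verified. Both `ghcr.io/dexidp/dex:v2.30.0` and `quay.io/vouch/vouch-proxy:alpine-0.34` are pinned by mutable tag; a `@sha256:` digest would make these two images reproducible like the rest of the build.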