fickit: Add dexidp on frontend
This commit is contained in:
parent
e48ee589e5
commit
75d288000f
|
@ -0,0 +1,23 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
|
||||
<title>{{ issuer }}</title>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||
<link href="{{ url .ReqPath "static/main.css" }}" rel="stylesheet">
|
||||
<link href="{{ url .ReqPath "theme/styles.css" }}" rel="stylesheet">
|
||||
<link rel="icon" href="{{ url .ReqPath "theme/favicon.png" }}">
|
||||
</head>
|
||||
|
||||
<body class="theme-body">
|
||||
<div class="theme-navbar">
|
||||
<div class="theme-navbar__logo-wrap">
|
||||
<img class="theme-navbar__logo" src="{{ url .ReqPath logo }}">
|
||||
</div>
|
||||
<div class="theme-navbar__logo-wrap" style="text-align:right">
|
||||
<img class="theme-navbar__logo" src="../../img/epita.png">
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="dex-container">
|
|
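Review bot: Both `<img>` tags in this header (the logo at `src="{{ url .ReqPath logo }}"` and the one at `src="../../img/epita.png"`) have no `alt` attribute, so the navbar logos are read out by filename or skipped; give the site logo a short text such as `alt="{{ issuer }}"` and the second image `alt=""` if it is purely decorative. The second image also uses a relative `../../` path while every other asset is resolved through `{{ url .ReqPath ... }}`, so it will presumably resolve differently depending on the depth of the page being served — routing it through the same helper would avoid that. `<html>` carries no `lang`; with French page text, `<html lang="fr">` is the expected value.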
@ -0,0 +1,21 @@
|
|||
{{ template "header.html" . }}
|
||||
|
||||
<div class="theme-panel">
|
||||
<h2 class="theme-heading">
|
||||
Bienvenue au challenge Forensic !
|
||||
</h2>
|
||||
<div>
|
||||
{{ range $c := .Connectors }}
|
||||
<div class="theme-form-row">
|
||||
<a href="{{ $c.URL }}" target="_self">
|
||||
<button class="dex-btn theme-btn-provider">
|
||||
<span class="dex-btn-icon dex-btn-icon--{{ $c.Type }}"></span>
|
||||
<span class="dex-btn-text">Log in with {{ $c.Name }}</span>
|
||||
</button>
|
||||
</a>
|
||||
</div>
|
||||
{{ end }}
|
||||
</div>
|
||||
</div>
|
||||
|
||||
{{ template "footer.html" . }}
|
|
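Review bot: Each connector entry nests a `<button>` inside `<a href="{{ $c.URL }}" target="_self">`; a button is interactive content and is not permitted inside an anchor, and the two elements compete for keyboard focus and click handling. Move the classes onto the link and drop the button: `<a class="dex-btn theme-btn-provider" href="{{ $c.URL }}">` wrapping the two spans (`target="_self"` is the default and can go). Nothing in this commit's `files:` or `binds:` hunks appears to ship this template into the image, unlike header.html and password.html, so unless it is installed elsewhere the stock Dex login page would still be served — worth confirming.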
@ -0,0 +1,58 @@
|
|||
{{ template "header.html" . }}
|
||||
|
||||
<div class="theme-panel">
|
||||
<h2 class="theme-heading">
|
||||
Bienvenue au challenge Forensic !
|
||||
</h2>
|
||||
<form method="post" action="{{ .PostURL }}">
|
||||
<div class="theme-form-row">
|
||||
<div class="theme-form-label">
|
||||
<label for="userid">Votre équipe</label>
|
||||
</div>
|
||||
<select tabindex="1" required id="login" name="login" class="theme-form-input" autofocus>
|
||||
<option value="team01">0verfl0wl</option>
|
||||
<option value="team02">TeamDLS</option>
|
||||
<option value="team03">ESNArcotrafiquants</option>
|
||||
<option value="team04">Ingénieur Cyberdéfense</option>
|
||||
<option value="team05">StrawHats</option>
|
||||
<option value="team06">PoC INNOVATION</option>
|
||||
<option value="team07">root42</option>
|
||||
<option value="team08">Les Pires Hat</option>
|
||||
<option value="team09">Esaip</option>
|
||||
<option value="team10">Hack In Provence</option>
|
||||
<option value="team11">Sogeti Aces of spades</option>
|
||||
<option value="team12">DéfendonsEnsemble</option>
|
||||
<option value="team13">Linkbynet Cybersecurity</option>
|
||||
<option value="team14">Evil-Minded</option>
|
||||
<option value="team15">ID-IoT</option>
|
||||
<option value="team16">199</option>
|
||||
<option value="team17">Équipe supplémentaire 1</option>
|
||||
<option value="team18">Équipe supplémentaire 2</option>
|
||||
<option value="team19">Équipe supplémentaire 3</option>
|
||||
<option value="team20">Équipe supplémentaire 4</option>
|
||||
</select>
|
||||
</div>
|
||||
<div class="theme-form-row">
|
||||
<div class="theme-form-label">
|
||||
<label for="password">Mot de passe</label>
|
||||
</div>
|
||||
<input tabindex="2" required id="password" name="password" type="password" class="theme-form-input" placeholder="mot de passe" {{ if .Invalid }} autofocus {{ end }}/>
|
||||
</div>
|
||||
|
||||
{{ if .Invalid }}
|
||||
<div id="login-error" class="dex-error-box">
|
||||
Identifiants incorrects.
|
||||
</div>
|
||||
{{ end }}
|
||||
|
||||
<button tabindex="3" id="submit-login" type="submit" class="dex-btn theme-btn--primary">C'est parti !</button>
|
||||
|
||||
</form>
|
||||
{{ if .BackLink }}
|
||||
<div class="theme-link-back">
|
||||
<a class="dex-subtle-text" href="{{ .BackLink }}">Sélectionner une autre méthode d'authentification.</a>
|
||||
</div>
|
||||
{{ end }}
|
||||
</div>
|
||||
|
||||
{{ template "footer.html" . }}
|
|
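Review bot: The team label at `<label for="userid">` does not match the control it describes, whose id is `login`, so the label is unattached and the select has no accessible name; change it to `<label for="login">Votre équipe</label>`. The positive `tabindex="1"`/`"2"`/`"3"` values on the select, the password input and the submit button create a separate tab sequence ahead of the rest of the page; the controls already appear in document order, so the attributes can be dropped, and when `.Invalid` is set both the select and the input carry `autofocus`, which should be true of only one element. The option list hard-codes the twenty `team01`–`team20` values that must match the `staticPasswords` entries in the Dex config added by the same commit, which deserves a template comment such as `{{/* option values must match the staticPasswords email fields in the Dex config */}}` since the two lists are maintained separately. The `/>` on the `<input>` and the `placeholder` duplicating the visible label are minor style points.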
@ -0,0 +1,114 @@
|
|||
.theme-body {
|
||||
background-color: white;
|
||||
color: #272b30;
|
||||
font-family: system-ui, -apple-system, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", "Liberation Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
|
||||
}
|
||||
|
||||
.theme-navbar {
|
||||
background-color: #272b30;
|
||||
border-bottom: 5px solid #4eaee6;
|
||||
color: #333;
|
||||
font-size: 13px;
|
||||
font-weight: 100;
|
||||
overflow: hidden;
|
||||
padding: 0 10px;
|
||||
display: flex;
|
||||
align-items: center;
|
||||
justify-content: space-around;
|
||||
}
|
||||
|
||||
.theme-navbar__logo-wrap {
|
||||
display: inline-block;
|
||||
overflow: hidden;
|
||||
padding: 10px 15px;
|
||||
width: 300px;
|
||||
}
|
||||
|
||||
.theme-navbar__logo {
|
||||
height: 90px;
|
||||
max-height: 12vh;
|
||||
}
|
||||
|
||||
.theme-heading {
|
||||
font-size: 20px;
|
||||
font-weight: 500;
|
||||
margin-bottom: 10px;
|
||||
margin-top: 0;
|
||||
}
|
||||
|
||||
.theme-panel {
|
||||
background-color: #fff;
|
||||
box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
|
||||
padding: 30px;
|
||||
}
|
||||
|
||||
.theme-btn-provider {
|
||||
background-color: #fff;
|
||||
color: #333;
|
||||
min-width: 250px;
|
||||
}
|
||||
|
||||
.theme-btn-provider:hover {
|
||||
color: #999;
|
||||
}
|
||||
|
||||
.theme-btn--primary {
|
||||
background-color: #333;
|
||||
border: none;
|
||||
color: #fff;
|
||||
min-width: 200px;
|
||||
padding: 6px 12px;
|
||||
}
|
||||
|
||||
.theme-btn--primary:hover {
|
||||
background-color: #666;
|
||||
color: #fff;
|
||||
}
|
||||
|
||||
.theme-btn--success {
|
||||
background-color: #2FC98E;
|
||||
color: #fff;
|
||||
width: 250px;
|
||||
}
|
||||
|
||||
.theme-btn--success:hover {
|
||||
background-color: #49E3A8;
|
||||
}
|
||||
|
||||
.theme-form-row {
|
||||
display: block;
|
||||
margin: 20px auto;
|
||||
}
|
||||
|
||||
.theme-form-input {
|
||||
border-radius: 4px;
|
||||
border: 1px solid #CCC;
|
||||
box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
|
||||
color: #666;
|
||||
display: block;
|
||||
font-size: 14px;
|
||||
height: 36px;
|
||||
line-height: 1.42857143;
|
||||
margin: auto;
|
||||
padding: 6px 12px;
|
||||
width: 250px;
|
||||
}
|
||||
|
||||
.theme-form-input:focus,
|
||||
.theme-form-input:active {
|
||||
border-color: #66AFE9;
|
||||
outline: none;
|
||||
}
|
||||
|
||||
.theme-form-label {
|
||||
font-size: 13px;
|
||||
font-weight: 600;
|
||||
margin: 4px auto;
|
||||
position: relative;
|
||||
text-align: left;
|
||||
width: 250px;
|
||||
}
|
||||
|
||||
.theme-link-back {
|
||||
margin-top: 4px;
|
||||
}
|
|
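Review bot: `.theme-form-input:focus` sets `outline: none` and relies only on the `border-color: #66AFE9` change, which is a faint indicator on the white panel and removes the browser focus ring for keyboard users. Keep a visible ring instead, e.g. replace `outline: none;` with `outline: 2px solid #66AFE9; outline-offset: 1px;`. `.theme-btn--success` and its hover rule are defined but no template in this commit uses the class; if it is part of the Dex theme contract that is fine, otherwise it is dead CSS.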
@ -0,0 +1,84 @@
|
|||
# The base path of Dex and the external name of the OpenID Connect service.
|
||||
# This is the canonical URL that all clients MUST use to refer to Dex. If a
|
||||
# path is provided, Dex's HTTP service will listen at a non-root URL.
|
||||
issuer: https://fic.srs.epita.fr
|
||||
|
||||
# The storage configuration determines where dex stores its state. Supported
|
||||
# options include SQL flavors and Kubernetes third party resources.
|
||||
storage:
|
||||
type: sqlite3
|
||||
config:
|
||||
file: /var/dex/dex.db
|
||||
|
||||
# Configuration for the HTTP endpoints.
|
||||
web:
|
||||
http: 0.0.0.0:5556
|
||||
#allowedOrigins: ['*']
|
||||
|
||||
# Configuration for dex appearance
|
||||
frontend:
|
||||
issuer: Challenge forensic
|
||||
logoURL: img/fic.png
|
||||
dir: /srv/dex/web/
|
||||
# theme: light
|
||||
|
||||
# Configuration for telemetry
|
||||
#telemetry:
|
||||
# http: 0.0.0.0:5558
|
||||
|
||||
|
||||
|
||||
oauth2:
|
||||
#responseTypes: ["code", "token", "id_token"]
|
||||
skipApprovalScreen: true
|
||||
|
||||
staticClients:
|
||||
- id: epita-challenge
|
||||
name: Challenge Forensic
|
||||
redirectURIs: ['https://fic.srs.epita.fr/challenge_access/auth']
|
||||
secret: N4n7AXzK9kpXt3TmSn8wAgtxqxhGORgcubLaE2g
|
||||
|
||||
|
||||
enablePasswordDB: true
|
||||
|
||||
staticPasswords:
|
||||
- email: "team01"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team02"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team03"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team04"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team05"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team06"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team07"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team08"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team09"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team10"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team11"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team12"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team13"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team14"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team15"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team16"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team17"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team18"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team19"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
||||
- email: "team20"
|
||||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
|
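Review bot: All twenty `staticPasswords` entries carry the identical bcrypt hash, so every team shares one password and, because the login form lets the user pick any `team01`–`team20` value, any team can authenticate as any other; team identity is therefore not actually established by this login. If these are placeholders to be replaced on the host (the init script in this commit only copies this file when `/var/lib/fic/pki/shared/dex-config.yaml` is absent), a comment saying so next to `staticPasswords:` would stop it reaching production as-is, and each team still needs its own hash. The static client `secret:` is a long-lived credential committed in clear text and repeated in the vouch-proxy environment; Dex can read it from an environment variable via `secretEnv` in place of `secret`, with the value injected at deploy time. The password entries also omit `username` and `userID`, which Dex password records normally carry; verify the running version accepts them without.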
@ -9,6 +9,7 @@
|
|||
|
||||
172.17.1.2 nginx
|
||||
172.17.1.3 frontend
|
||||
172.17.1.4 auth
|
||||
|
||||
127.0.0.1 localhost
|
||||
::1 localhost ip6-localhost ip6-loopback
|
||||
|
|
|
@ -88,6 +88,17 @@ onboot:
|
|||
- name: eth0
|
||||
bindNS:
|
||||
net: /run/netns/sshd
|
||||
- name: auth-ip-setup
|
||||
image: linuxkit/ip:b98c32fab9c8997c5d05677af979f05dfcd8b3f1
|
||||
command: ["/bin/sh", "-c", "ip a add 172.17.1.4/24 dev vethin-auth; ip link set vethin-auth up;" ]
|
||||
net: new
|
||||
runtime:
|
||||
interfaces:
|
||||
- name: vethin-auth
|
||||
add: veth
|
||||
peer: veth-auth
|
||||
bindNS:
|
||||
net: /run/netns/auth
|
||||
- name: bridge-setup
|
||||
image: linuxkit/ip:b98c32fab9c8997c5d05677af979f05dfcd8b3f1
|
||||
command: ["/bin/sh", "-c", "ip a add 172.17.1.1/24 dev br0; ip link set veth-nginx master br0; ip link set veth-frontend master br0; ip link set br0 up; ip link set veth-nginx up; ip link set veth-frontend up;" ]
|
||||
|
@ -223,6 +234,37 @@ services:
|
|||
# - /etc/unbound/unbound.d:/etc/unbound/unbound.d:ro
|
||||
# net: /run/netns/nginx
|
||||
|
||||
- name: dexidp
|
||||
image: ghcr.io/dexidp/dex:v2.30.0
|
||||
net: /run/netns/auth
|
||||
binds:
|
||||
- /etc/hosts:/etc/hosts:ro
|
||||
- /var/lib/fic/pki/shared/dex-config.yaml:/etc/dex/config.docker.yaml:ro
|
||||
- /var/lib/fic/dex:/var/dex
|
||||
- /www/dex-templates/theme/styles.css:/srv/dex/web/themes/light/styles.css
|
||||
- /www/dex-templates/templates/header.html:/srv/dex/web/templates/header.html
|
||||
- /var/lib/fic/pki/shared/dex-password.tpl:/srv/dex/web/templates/password.html
|
||||
- /www/htdocs-frontend/img/fic.png:/srv/dex/web/themes/light/favicon.png
|
||||
runtime:
|
||||
mkdir:
|
||||
- /var/lib/fic/dex
|
||||
- name: vouch-proxy
|
||||
image: quay.io/vouch/vouch-proxy:alpine-0.34
|
||||
env:
|
||||
- VOUCH_ALLOWALLUSERS=true
|
||||
- VOUCH_COOKIE_DOMAIN=fic.srs.epita.fr
|
||||
- VOUCH_DOCUMENT_ROOT=/challenge_access
|
||||
- VOUCH_LOGLEVEL=debug
|
||||
- OAUTH_PROVIDER=oidc
|
||||
- OAUTH_CLIENT_ID=epita-challenge
|
||||
- OAUTH_CLIENT_SECRET=N4n7AXzK9kpXt3TmSn8wAgtxqxhGORgcubLaE2g
|
||||
- OAUTH_CALLBACK_URL=https://fic.srs.epita.fr/challenge_access/auth
|
||||
- OAUTH_AUTH_URL=https://fic.srs.epita.fr/auth
|
||||
- OAUTH_TOKEN_URL=http://127.0.0.1:5556/token
|
||||
- OAUTH_USER_INFO_URL=http://127.0.0.1:5556/userinfo
|
||||
- OAUTH_SCOPES=openid,email
|
||||
net: /run/netns/auth
|
||||
|
||||
|
||||
files:
|
||||
- path: etc/init.d/015-setup-sshd
|
||||
|
@ -231,8 +273,11 @@ files:
|
|||
- path: etc/init.d/016-copy-dex-config
|
||||
contents: |
|
||||
#!/bin/sh
|
||||
[ -f /var/lib/fic/dex-config.yaml ] || {
|
||||
cp /etc/dex/config.auth.yaml /var/lib/fic/dex-config.yaml
|
||||
[ -f /var/lib/fic/pki/shared/dex-config.yaml ] || {
|
||||
cp /etc/dex/config.auth.yaml /var/lib/fic/pki/shared/dex-config.yaml
|
||||
}
|
||||
[ -f /var/lib/fic/pki/shared/dex-password.tpl ] || {
|
||||
cp /www/dex-templates/templates/password.html /var/lib/fic/pki/shared/dex-password.tpl
|
||||
}
|
||||
mode: "0555"
|
||||
|
||||
|
@ -273,6 +318,18 @@ files:
|
|||
source: configs/nginx/get-team/oidc.conf
|
||||
mode: "0400"
|
||||
|
||||
- path: etc/dex/config.auth.yaml
|
||||
source: configs/dex.yaml
|
||||
mode: "0400"
|
||||
- path: www/dex-templates/theme/styles.css
|
||||
source: configs/dex-templates/theme/styles.css
|
||||
mode: "0444"
|
||||
- path: www/dex-templates/templates/header.html
|
||||
source: configs/dex-templates/templates/header.html
|
||||
mode: "0444"
|
||||
- path: www/dex-templates/templates/password.html
|
||||
source: configs/dex-templates/templates/password.html
|
||||
mode: "0444"
|
||||
|
||||
- path: usr/bin/iptables
|
||||
source: configs/nsenter_iptables.sh
|
||||
|
@ -375,6 +432,8 @@ files:
|
|||
[0:0] -A OUTPUT -o bond-frontal -p udp -m udp --sport domain -j ACCEPT
|
||||
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
[0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.3 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
|
||||
[0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 5556 -j ACCEPT
|
||||
[0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9090 -j ACCEPT
|
||||
[0:0] -A OUTPUT -o internet -j ACCEPT
|
||||
[0:0] -A OUTPUT -j LOG
|
||||
[0:0] -A OUTPUT -j REJECT
|
||||
|
|
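Review bot: In the `016-copy-dex-config` script, `cp /etc/dex/config.auth.yaml /var/lib/fic/pki/shared/dex-config.yaml` copies a file installed with `mode: "0400"` without `-p`, so the destination — which carries the static client secret and the team password hashes — gets whatever the process umask yields (commonly 0644) inside a directory named `shared`; add `-p`, or follow the copy with an explicit `chmod` to the mode the Dex container user actually needs. In the `dexidp`/`vouch-proxy` services hunk, `OAUTH_CLIENT_SECRET` repeats the same secret in clear text as a container environment variable, and `VOUCH_LOGLEVEL=debug` is presumably a development setting that may write tokens or claims to the logs — both deserve a `# TODO` before this image is built for the event. The `files:` hunk installs `password.html` read-only at `0444` while the script copies it into `pki/shared` as an editable `.tpl` that the container then mounts; a one-line comment next to that bind explaining that the shared copy is the live one would save the next maintainer from editing the wrong file.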