diff --git a/configs/dex-templates/templates/header.html b/configs/dex-templates/templates/header.html
new file mode 100644
index 00000000..3634e231
--- /dev/null
+++ b/configs/dex-templates/templates/header.html
@@ -0,0 +1,23 @@
+
+
+
+
diff --git a/configs/dex-templates/templates/login.html b/configs/dex-templates/templates/login.html
new file mode 100644
index 00000000..5c64ccd4
--- /dev/null
+++ b/configs/dex-templates/templates/login.html
@@ -0,0 +1,21 @@
+{{ template "header.html" . }}
+
+
+
+ Bienvenue au challenge Forensic !
+
+
+ {{ range $c := .Connectors }}
+
+ {{ end }}
+
+
+
+{{ template "footer.html" . }}
diff --git a/configs/dex-templates/templates/password.html b/configs/dex-templates/templates/password.html
new file mode 100644
index 00000000..7f1c5239
--- /dev/null
+++ b/configs/dex-templates/templates/password.html
@@ -0,0 +1,58 @@
+{{ template "header.html" . }}
+
+
+
+ Bienvenue au challenge Forensic !
+
+
+ {{ if .BackLink }}
+
+ {{ end }}
+
+
+{{ template "footer.html" . }}
diff --git a/configs/dex-templates/theme/styles.css b/configs/dex-templates/theme/styles.css
new file mode 100644
index 00000000..72430367
--- /dev/null
+++ b/configs/dex-templates/theme/styles.css
@@ -0,0 +1,114 @@
+.theme-body {
+ background-color: white;
+ color: #272b30;
+ font-family: system-ui, -apple-system, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", "Liberation Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
+}
+
+.theme-navbar {
+ background-color: #272b30;
+ border-bottom: 5px solid #4eaee6;
+ color: #333;
+ font-size: 13px;
+ font-weight: 100;
+ overflow: hidden;
+ padding: 0 10px;
+ display: flex;
+ align-items: center;
+ justify-content: space-around;
+}
+
+.theme-navbar__logo-wrap {
+ display: inline-block;
+ overflow: hidden;
+ padding: 10px 15px;
+ width: 300px;
+}
+
+.theme-navbar__logo {
+ height: 90px;
+ max-height: 12vh;
+}
+
+.theme-heading {
+ font-size: 20px;
+ font-weight: 500;
+ margin-bottom: 10px;
+ margin-top: 0;
+}
+
+.theme-panel {
+ background-color: #fff;
+ box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
+ padding: 30px;
+}
+
+.theme-btn-provider {
+ background-color: #fff;
+ color: #333;
+ min-width: 250px;
+}
+
+.theme-btn-provider:hover {
+ color: #999;
+}
+
+.theme-btn--primary {
+ background-color: #333;
+ border: none;
+ color: #fff;
+ min-width: 200px;
+ padding: 6px 12px;
+}
+
+.theme-btn--primary:hover {
+ background-color: #666;
+ color: #fff;
+}
+
+.theme-btn--success {
+ background-color: #2FC98E;
+ color: #fff;
+ width: 250px;
+}
+
+.theme-btn--success:hover {
+ background-color: #49E3A8;
+}
+
+.theme-form-row {
+ display: block;
+ margin: 20px auto;
+}
+
+.theme-form-input {
+ border-radius: 4px;
+ border: 1px solid #CCC;
+ box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+ color: #666;
+ display: block;
+ font-size: 14px;
+ height: 36px;
+ line-height: 1.42857143;
+ margin: auto;
+ padding: 6px 12px;
+ width: 250px;
+}
+
+.theme-form-input:focus,
+.theme-form-input:active {
+ border-color: #66AFE9;
+ outline: none;
+}
+
+.theme-form-label {
+ font-size: 13px;
+ font-weight: 600;
+ margin: 4px auto;
+ position: relative;
+ text-align: left;
+ width: 250px;
+}
+
+.theme-link-back {
+ margin-top: 4px;
+}
diff --git a/configs/dex.yaml b/configs/dex.yaml
new file mode 100644
index 00000000..9dcc9ba0
--- /dev/null
+++ b/configs/dex.yaml
@@ -0,0 +1,84 @@
+# The base path of Dex and the external name of the OpenID Connect service.
+# This is the canonical URL that all clients MUST use to refer to Dex. If a
+# path is provided, Dex's HTTP service will listen at a non-root URL.
+issuer: https://fic.srs.epita.fr
+
+# The storage configuration determines where dex stores its state. Supported
+# options include SQL flavors and Kubernetes third party resources.
+storage:
+ type: sqlite3
+ config:
+ file: /var/dex/dex.db
+
+# Configuration for the HTTP endpoints.
+web:
+ http: 0.0.0.0:5556
+ #allowedOrigins: ['*']
+
+# Configuration for dex appearance
+frontend:
+ issuer: Challenge forensic
+ logoURL: img/fic.png
+ dir: /srv/dex/web/
+# theme: light
+
+# Configuration for telemetry
+#telemetry:
+# http: 0.0.0.0:5558
+
+
+
+oauth2:
+ #responseTypes: ["code", "token", "id_token"]
+ skipApprovalScreen: true
+
+staticClients:
+- id: epita-challenge
+ name: Challenge Forensic
+ redirectURIs: ['https://fic.srs.epita.fr/challenge_access/auth']
+ secret: N4n7AXzK9kpXt3TmSn8wAgtxqxhGORgcubLaE2g
+
+
+enablePasswordDB: true
+
+staticPasswords:
+ - email: "team01"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team02"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team03"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team04"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team05"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team06"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team07"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team08"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team09"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team10"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team11"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team12"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team13"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team14"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team15"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team16"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team17"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team18"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team19"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "team20"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
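Review bot: The static client `secret` for `epita-challenge` is committed in clear text here and repeated verbatim as `OAUTH_CLIENT_SECRET` in the vouch-proxy service added to fickit-frontend.yml by this same commit, so the OIDC client credential now lives in two places under version control. Keep the value out of the repo and inject it at deploy time; recent Dex releases expand `$VAR` references in the config file, so `secret: $DEX_CLIENT_SECRET` with the same variable fed to vouch-proxy would leave one source of truth — confirm the v2.30.0 image used here supports that expansion. All twenty `staticPasswords` entries also share one identical bcrypt hash, so every team has the same password and any team can authenticate as any other; if that is a deliberate placeholder to be replaced before the event, say so in a comment above the list, otherwise generate one hash per team. The `email` values are not addresses and the entries carry no `username`/`userID`, so check that this Dex version accepts entries in that shape.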
diff --git a/configs/hosts b/configs/hosts
index 0a03ea6c..869b1729 100644
--- a/configs/hosts
+++ b/configs/hosts
@@ -9,6 +9,7 @@
172.17.1.2 nginx
172.17.1.3 frontend
+172.17.1.4 auth
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
diff --git a/fickit-frontend.yml b/fickit-frontend.yml
index dd8be973..1a9b2a97 100644
--- a/fickit-frontend.yml
+++ b/fickit-frontend.yml
@@ -88,6 +88,17 @@ onboot:
- name: eth0
bindNS:
net: /run/netns/sshd
+ - name: auth-ip-setup
+ image: linuxkit/ip:b98c32fab9c8997c5d05677af979f05dfcd8b3f1
+ command: ["/bin/sh", "-c", "ip a add 172.17.1.4/24 dev vethin-auth; ip link set vethin-auth up;" ]
+ net: new
+ runtime:
+ interfaces:
+ - name: vethin-auth
+ add: veth
+ peer: veth-auth
+ bindNS:
+ net: /run/netns/auth
- name: bridge-setup
image: linuxkit/ip:b98c32fab9c8997c5d05677af979f05dfcd8b3f1
command: ["/bin/sh", "-c", "ip a add 172.17.1.1/24 dev br0; ip link set veth-nginx master br0; ip link set veth-frontend master br0; ip link set br0 up; ip link set veth-nginx up; ip link set veth-frontend up;" ]
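Review bot: The new `auth-ip-setup` entry creates the `vethin-auth`/`veth-auth` pair and moves the inner end into `/run/netns/auth`, but the `bridge-setup` command on the last line of the hunk still enslaves and brings up only `veth-nginx` and `veth-frontend`, so the host-side `veth-auth` is never attached to `br0` and 172.17.1.4 is unreachable from the other namespaces unless that is done elsewhere in the file. The bridge-setup command should also run `ip link set veth-auth master br0; ip link set veth-auth up;`. The iptables rules added later in this commit (`-d 172.17.1.4` out of `vethin-nginx`) assume that bridge path exists. The `onboot:` list this hunk extends starts outside the hunk.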
@@ -223,6 +234,37 @@ services:
# - /etc/unbound/unbound.d:/etc/unbound/unbound.d:ro
# net: /run/netns/nginx
+ - name: dexidp
+ image: ghcr.io/dexidp/dex:v2.30.0
+ net: /run/netns/auth
+ binds:
+ - /etc/hosts:/etc/hosts:ro
+ - /var/lib/fic/pki/shared/dex-config.yaml:/etc/dex/config.docker.yaml:ro
+ - /var/lib/fic/dex:/var/dex
+ - /www/dex-templates/theme/styles.css:/srv/dex/web/themes/light/styles.css
+ - /www/dex-templates/templates/header.html:/srv/dex/web/templates/header.html
+ - /var/lib/fic/pki/shared/dex-password.tpl:/srv/dex/web/templates/password.html
+ - /www/htdocs-frontend/img/fic.png:/srv/dex/web/themes/light/favicon.png
+ runtime:
+ mkdir:
+ - /var/lib/fic/dex
+ - name: vouch-proxy
+ image: quay.io/vouch/vouch-proxy:alpine-0.34
+ env:
+ - VOUCH_ALLOWALLUSERS=true
+ - VOUCH_COOKIE_DOMAIN=fic.srs.epita.fr
+ - VOUCH_DOCUMENT_ROOT=/challenge_access
+ - VOUCH_LOGLEVEL=debug
+ - OAUTH_PROVIDER=oidc
+ - OAUTH_CLIENT_ID=epita-challenge
+ - OAUTH_CLIENT_SECRET=N4n7AXzK9kpXt3TmSn8wAgtxqxhGORgcubLaE2g
+ - OAUTH_CALLBACK_URL=https://fic.srs.epita.fr/challenge_access/auth
+ - OAUTH_AUTH_URL=https://fic.srs.epita.fr/auth
+ - OAUTH_TOKEN_URL=http://127.0.0.1:5556/token
+ - OAUTH_USER_INFO_URL=http://127.0.0.1:5556/userinfo
+ - OAUTH_SCOPES=openid,email
+ net: /run/netns/auth
+
files:
- path: etc/init.d/015-setup-sshd
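Review bot: `login.html` is added under configs/dex-templates in this commit, but the `binds:` list of the `dexidp` service mounts only `header.html` and `password.html`, and the later `files:` hunk installs only those two plus `styles.css`, so the new login template is never served and Dex keeps its stock login page. Either add `- /www/dex-templates/templates/login.html:/srv/dex/web/templates/login.html` next to the other template binds (and install it in `files:`), or drop the file. Separately, `VOUCH_LOGLEVEL=debug` is left on in what looks like the production service definition; I would expect vouch-proxy's debug level to write request headers and token claims to the container log, so confirm that is wanted and otherwise use `info`. The `services:` list this hunk extends starts outside the hunk.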
@@ -231,8 +273,11 @@ files:
- path: etc/init.d/016-copy-dex-config
contents: |
#!/bin/sh
- [ -f /var/lib/fic/dex-config.yaml ] || {
- cp /etc/dex/config.auth.yaml /var/lib/fic/dex-config.yaml
+ [ -f /var/lib/fic/pki/shared/dex-config.yaml ] || {
+ cp /etc/dex/config.auth.yaml /var/lib/fic/pki/shared/dex-config.yaml
+ }
+ [ -f /var/lib/fic/pki/shared/dex-password.tpl ] || {
+ cp /www/dex-templates/templates/password.html /var/lib/fic/pki/shared/dex-password.tpl
}
mode: "0555"
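Review bot: The copy-once guard on `dex-config.yaml` means the Dex static client secret is frozen at first boot under `/var/lib/fic/pki/shared/`, while vouch-proxy reads the same secret from the image environment (`OAUTH_CLIENT_SECRET` in its service definition); rotating it in `configs/dex.yaml` will update vouch on the next rebuild but not the persisted Dex copy, and the two will diverge unless the persisted file is edited by hand. I would document that in the script, e.g. `# copied once only: later changes to /etc/dex/config.auth.yaml (incl. the client secret) must be applied to the persisted copy by hand` above the first test. The same caveat applies to the `dex-password.tpl` copy added below it. The `files:` list this entry belongs to continues outside the hunk.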
@@ -273,6 +318,18 @@ files:
source: configs/nginx/get-team/oidc.conf
mode: "0400"
+ - path: etc/dex/config.auth.yaml
+ source: configs/dex.yaml
+ mode: "0400"
+ - path: www/dex-templates/theme/styles.css
+ source: configs/dex-templates/theme/styles.css
+ mode: "0444"
+ - path: www/dex-templates/templates/header.html
+ source: configs/dex-templates/templates/header.html
+ mode: "0444"
+ - path: www/dex-templates/templates/password.html
+ source: configs/dex-templates/templates/password.html
+ mode: "0444"
- path: usr/bin/iptables
source: configs/nsenter_iptables.sh
@@ -375,6 +432,8 @@ files:
[0:0] -A OUTPUT -o bond-frontal -p udp -m udp --sport domain -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.3 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
+ [0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 5556 -j ACCEPT
+ [0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9090 -j ACCEPT
[0:0] -A OUTPUT -o internet -j ACCEPT
[0:0] -A OUTPUT -j LOG
[0:0] -A OUTPUT -j REJECT
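Review bot: The two added OUTPUT rules open 172.17.1.4:5556 and :9090 from the nginx namespace without saying what listens there; elsewhere in this commit 5556 is Dex's `web.http` listener and 9090 is presumably vouch-proxy's default port, so a comment would save the next reader a lookup. iptables-restore accepts `#` comment lines, so something like `# 172.17.1.4 = auth netns: 5556 dex (web.http), 9090 vouch-proxy` above the first new rule would do. Note that 5556 is plain HTTP (the Dex config sets only `web.http`, not `web.https`), which is acceptable only while this path stays on the internal bridge. The rule set continues outside the hunk.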