From 75d288000f37d44582eaa51b5f5fde7b1e9cca97 Mon Sep 17 00:00:00 2001 From: Pierre-Olivier Mercier Date: Sun, 5 Sep 2021 12:39:36 +0200 Subject: [PATCH] fickit: Add dexidp on frontend --- configs/dex-templates/templates/header.html | 23 ++++ configs/dex-templates/templates/login.html | 21 ++++ configs/dex-templates/templates/password.html | 58 +++++++++ configs/dex-templates/theme/styles.css | 114 ++++++++++++++++++ configs/dex.yaml | 84 +++++++++++++ configs/hosts | 1 + fickit-frontend.yml | 63 +++++++++- 7 files changed, 362 insertions(+), 2 deletions(-) create mode 100644 configs/dex-templates/templates/header.html create mode 100644 configs/dex-templates/templates/login.html create mode 100644 configs/dex-templates/templates/password.html create mode 100644 configs/dex-templates/theme/styles.css create mode 100644 configs/dex.yaml diff --git a/configs/dex-templates/templates/header.html b/configs/dex-templates/templates/header.html new file mode 100644 index 00000000..3634e231 --- /dev/null +++ b/configs/dex-templates/templates/header.html @@ -0,0 +1,23 @@ + + + + + + {{ issuer }} + + + + + + + +
+
+ +
+
+ +
+
+ +
diff --git a/configs/dex-templates/templates/login.html b/configs/dex-templates/templates/login.html new file mode 100644 index 00000000..5c64ccd4 --- /dev/null +++ b/configs/dex-templates/templates/login.html @@ -0,0 +1,21 @@ +{{ template "header.html" . }} + +
+

+ Bienvenue au challenge Forensic ! +

+
+ {{ range $c := .Connectors }} + + {{ end }} +
+
+ +{{ template "footer.html" . }} diff --git a/configs/dex-templates/templates/password.html b/configs/dex-templates/templates/password.html new file mode 100644 index 00000000..7f1c5239 --- /dev/null +++ b/configs/dex-templates/templates/password.html @@ -0,0 +1,58 @@ +{{ template "header.html" . }} + +
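Review bot: login.html is added here but nothing else in the patch deploys it: the dexidp `binds` list in fickit-frontend.yml mounts only header.html, password.html and the stylesheet, and the `files:` hunk ships styles.css, header.html and password.html but not login.html. Dex will therefore keep rendering its stock login page, and the welcome text and connector loop in this template never appear. Either add `- path: www/dex-templates/templates/login.html` / `source: configs/dex-templates/templates/login.html` / `mode: "0444"` plus the matching bind on the dexidp service, or drop the file from the commit. The extraction has stripped the HTML tags from this hunk, so the markup itself could not be reviewed.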
+

+ Bienvenue au challenge Forensic ! +

+
+
+
+ +
+ +
+
+
+ +
+ +
+ + {{ if .Invalid }} +
+ Identifiants incorrects. +
+ {{ end }} + + + +
+ {{ if .BackLink }} + + {{ end }} +
+ +{{ template "footer.html" . }} diff --git a/configs/dex-templates/theme/styles.css b/configs/dex-templates/theme/styles.css new file mode 100644 index 00000000..72430367 --- /dev/null +++ b/configs/dex-templates/theme/styles.css 
@@ -0,0 +1,114 @@ +.theme-body { + background-color: white; + color: #272b30; + font-family: system-ui, -apple-system, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", "Liberation Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; +} + +.theme-navbar { + background-color: #272b30; + border-bottom: 5px solid #4eaee6; + color: #333; + font-size: 13px; + font-weight: 100; + overflow: hidden; + padding: 0 10px; + display: flex; + align-items: center; + justify-content: space-around; +} + +.theme-navbar__logo-wrap { + display: inline-block; + overflow: hidden; + padding: 10px 15px; + width: 300px; +} + +.theme-navbar__logo { + height: 90px; + max-height: 12vh; +} + +.theme-heading { + font-size: 20px; + font-weight: 500; + margin-bottom: 10px; + margin-top: 0; +} + +.theme-panel { + background-color: #fff; + box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5); + padding: 30px; +} + +.theme-btn-provider { + background-color: #fff; + color: #333; + min-width: 250px; +} + +.theme-btn-provider:hover { + color: #999; +} + +.theme-btn--primary { + background-color: #333; + border: none; + color: #fff; + min-width: 200px; + padding: 6px 12px; +} + +.theme-btn--primary:hover { + background-color: #666; + color: #fff; +} + +.theme-btn--success { + background-color: #2FC98E; + color: #fff; + width: 250px; +} + +.theme-btn--success:hover { + background-color: #49E3A8; +} + +.theme-form-row { + display: block; + margin: 20px auto; +} + +.theme-form-input { + border-radius: 4px; + border: 1px solid #CCC; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + color: #666; + display: block; + font-size: 14px; + height: 36px; + line-height: 1.42857143; + margin: auto; + padding: 6px 12px; + width: 250px; +} + +.theme-form-input:focus, +.theme-form-input:active { + border-color: #66AFE9; + outline: none; +} + +.theme-form-label { + font-size: 13px; + font-weight: 600; + margin: 4px auto; + position: relative; + text-align: left; + width: 
250px; +} + +.theme-link-back { + margin-top: 4px; +} diff --git a/configs/dex.yaml b/configs/dex.yaml new file mode 100644 index 00000000..9dcc9ba0 --- /dev/null +++ b/configs/dex.yaml 
@@ -0,0 +1,84 @@ +# The base path of Dex and the external name of the OpenID Connect service. +# This is the canonical URL that all clients MUST use to refer to Dex. If a +# path is provided, Dex's HTTP service will listen at a non-root URL. +issuer: https://fic.srs.epita.fr + +# The storage configuration determines where dex stores its state. Supported +# options include SQL flavors and Kubernetes third party resources. +storage: + type: sqlite3 + config: + file: /var/dex/dex.db + +# Configuration for the HTTP endpoints. +web: + http: 0.0.0.0:5556 + #allowedOrigins: ['*'] + +# Configuration for dex appearance +frontend: + issuer: Challenge forensic + logoURL: img/fic.png + dir: /srv/dex/web/ +# theme: light + +# Configuration for telemetry +#telemetry: +# http: 0.0.0.0:5558 + + + +oauth2: + #responseTypes: ["code", "token", "id_token"] + skipApprovalScreen: true + +staticClients: +- id: epita-challenge + name: Challenge Forensic + redirectURIs: ['https://fic.srs.epita.fr/challenge_access/auth'] + secret: N4n7AXzK9kpXt3TmSn8wAgtxqxhGORgcubLaE2g + + +enablePasswordDB: true + +staticPasswords: + - email: "team01" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team02" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team03" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team04" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team05" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team06" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team07" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team08" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team09" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team10" + hash: 
"$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team11" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team12" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team13" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team14" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team15" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team16" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team17" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team18" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team19" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "team20" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" diff --git a/configs/hosts b/configs/hosts index 0a03ea6c..869b1729 100644 --- a/configs/hosts +++ b/configs/hosts @@ -9,6 +9,7 @@ 172.17.1.2 nginx 172.17.1.3 frontend +172.17.1.4 auth 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback diff --git a/fickit-frontend.yml b/fickit-frontend.yml index dd8be973..1a9b2a97 100644 --- a/fickit-frontend.yml +++ b/fickit-frontend.yml 
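Review bot: Every one of the twenty `staticPasswords` entries carries the identical bcrypt hash, so all teams share one password and any team can authenticate as any other team's account; if these are placeholders meant to be replaced at deploy time, the replacement should happen where the init script seeds the config, not by shipping identical hashes in the image. The static client `secret` in the same hunk is a plaintext credential committed to the repository, and the same value is repeated verbatim as `OAUTH_CLIENT_SECRET` in the vouch-proxy service in fickit-frontend.yml; dex's `secretEnv` field fed from a value generated at boot would keep it out of both files and out of git history. `web.http: 0.0.0.0:5556` is plain HTTP while `issuer` is https, which only holds together if nginx terminates TLS in front of dex and nothing else on the 172.17.1.0/24 bridge can reach port 5556 directly — worth a comment next to `web:` stating that assumption.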
@@ -88,6 +88,17 @@ onboot: - name: eth0 bindNS: net: /run/netns/sshd + - name: auth-ip-setup + image: linuxkit/ip:b98c32fab9c8997c5d05677af979f05dfcd8b3f1 + command: ["/bin/sh", "-c", "ip a add 172.17.1.4/24 dev vethin-auth; ip link set vethin-auth up;" ] + net: new + runtime: + interfaces: + - name: vethin-auth + add: veth + peer: veth-auth + bindNS: + net: /run/netns/auth - name: bridge-setup image: linuxkit/ip:b98c32fab9c8997c5d05677af979f05dfcd8b3f1 command: ["/bin/sh", "-c", "ip a add 172.17.1.1/24 dev br0; ip link set veth-nginx master br0; ip link set veth-frontend master br0; ip link set br0 up; ip link set veth-nginx up; ip link set veth-frontend up;" ] 
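Review bot: The new `auth-ip-setup` container creates the `vethin-auth`/`veth-auth` pair and assigns 172.17.1.4, but the unchanged `bridge-setup` command at the end of the hunk still only enslaves `veth-nginx` and `veth-frontend` to `br0`, so `veth-auth` is never attached to the bridge or brought up unless that happens somewhere outside this patch. The nginx iptables rules and the `hosts` entry added later in the diff assume 172.17.1.4 is reachable over the bridge. Extend the command with `ip link set veth-auth master br0; ip link set veth-auth up;`.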
@@ -223,6 +234,37 @@ services: # - /etc/unbound/unbound.d:/etc/unbound/unbound.d:ro # net: /run/netns/nginx + - name: dexidp + image: ghcr.io/dexidp/dex:v2.30.0 + net: /run/netns/auth + binds: + - /etc/hosts:/etc/hosts:ro + - /var/lib/fic/pki/shared/dex-config.yaml:/etc/dex/config.docker.yaml:ro + - /var/lib/fic/dex:/var/dex + - /www/dex-templates/theme/styles.css:/srv/dex/web/themes/light/styles.css + - /www/dex-templates/templates/header.html:/srv/dex/web/templates/header.html + - /var/lib/fic/pki/shared/dex-password.tpl:/srv/dex/web/templates/password.html + - /www/htdocs-frontend/img/fic.png:/srv/dex/web/themes/light/favicon.png + runtime: + mkdir: + - /var/lib/fic/dex + - name: vouch-proxy + image: quay.io/vouch/vouch-proxy:alpine-0.34 + env: + - VOUCH_ALLOWALLUSERS=true + - VOUCH_COOKIE_DOMAIN=fic.srs.epita.fr + - VOUCH_DOCUMENT_ROOT=/challenge_access + - VOUCH_LOGLEVEL=debug + - OAUTH_PROVIDER=oidc + - OAUTH_CLIENT_ID=epita-challenge + - OAUTH_CLIENT_SECRET=N4n7AXzK9kpXt3TmSn8wAgtxqxhGORgcubLaE2g + - OAUTH_CALLBACK_URL=https://fic.srs.epita.fr/challenge_access/auth + - OAUTH_AUTH_URL=https://fic.srs.epita.fr/auth + - OAUTH_TOKEN_URL=http://127.0.0.1:5556/token + - OAUTH_USER_INFO_URL=http://127.0.0.1:5556/userinfo + - OAUTH_SCOPES=openid,email + net: /run/netns/auth + files: - path: etc/init.d/015-setup-sshd @@ -231,8 +273,11 @@ files: - path: etc/init.d/016-copy-dex-config contents: | #!/bin/sh - [ -f /var/lib/fic/dex-config.yaml ] || { - cp /etc/dex/config.auth.yaml /var/lib/fic/dex-config.yaml + [ -f /var/lib/fic/pki/shared/dex-config.yaml ] || { + cp /etc/dex/config.auth.yaml /var/lib/fic/pki/shared/dex-config.yaml + } + [ -f /var/lib/fic/pki/shared/dex-password.tpl ] || { + cp /www/dex-templates/templates/password.html /var/lib/fic/pki/shared/dex-password.tpl } mode: "0555" 
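Review bot: The vouch-proxy service hard-codes `OAUTH_CLIENT_SECRET` as an environment variable in the image config, duplicating the plaintext secret in configs/dex.yaml; environment variables are visible to anything that can read the process table, and two copies now have to be kept in sync, so the value should come from the same boot-time seeding that `016-copy-dex-config` already performs for the dex side. `VOUCH_LOGLEVEL=debug` is verbose enough to echo request headers and token material into the container log; once the setup works, `VOUCH_LOGLEVEL=info` is the safer setting. Nothing sets `VOUCH_JWT_SECRET`; if unset, vouch-proxy appears to generate a random one at startup, which would invalidate every issued session cookie on each container restart — worth confirming and, if so, pinning from the same seeded secret. The `http://127.0.0.1:5556` token and userinfo URLs are plain HTTP but stay inside the shared `/run/netns/auth` namespace, which is acceptable as long as both services keep that `net:` setting.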
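Review bot: The guard `[ -f /var/lib/fic/pki/shared/dex-config.yaml ] || { … }` in `016-copy-dex-config` seeds the dex config and password template only on first boot, so a later image with a changed configs/dex.yaml or password.html silently keeps the old copy on any host that has already booted once. That is a reasonable seed-once design, but the script should say so, e.g. `# Seeded on first boot only: edit the copies under /var/lib/fic/pki/shared, not the image.` Both copies land in a directory named `pki/shared`; if that tree is distributed to other machines, the client secret and password hashes in dex-config.yaml travel with it — worth confirming. Neither `cp` is checked, so a missing target directory leaves the dexidp `binds` pointing at files that do not exist.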
@@ -273,6 +318,18 @@ files: source: configs/nginx/get-team/oidc.conf mode: "0400" + - path: etc/dex/config.auth.yaml + source: configs/dex.yaml + mode: "0400" + - path: www/dex-templates/theme/styles.css + source: configs/dex-templates/theme/styles.css + mode: "0444" + - path: www/dex-templates/templates/header.html + source: configs/dex-templates/templates/header.html + mode: "0444" + - path: www/dex-templates/templates/password.html + source: configs/dex-templates/templates/password.html + mode: "0444" - path: usr/bin/iptables source: configs/nsenter_iptables.sh @@ -375,6 +432,8 @@ files: [0:0] -A OUTPUT -o bond-frontal -p udp -m udp --sport domain -j ACCEPT [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT [0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.3 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT + [0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 5556 -j ACCEPT + [0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9090 -j ACCEPT [0:0] -A OUTPUT -o internet -j ACCEPT [0:0] -A OUTPUT -j LOG [0:0] -A OUTPUT -j REJECT