Migrate to checker-sdk-go v1.3.0 with standalone build tag
The SDK split the HTTP server scaffolding into the new checker-sdk-go/checker/server subpackage. Update main.go to import server and call server.New, and isolate the interactive form code behind the standalone build tag so plugin/builtin builds skip net/http entirely.
parent
40a4cf285e
commit
47d71c8cde
9 changed files with 20 additions and 15 deletions
|
|
@ -6,7 +6,7 @@ WORKDIR /src
|
||||||
COPY go.mod go.sum ./
|
COPY go.mod go.sum ./
|
||||||
RUN go mod download
|
RUN go mod download
|
||||||
COPY . .
|
COPY . .
|
||||||
RUN CGO_ENABLED=0 go build -ldflags "-X main.Version=${CHECKER_VERSION}" -o /checker-kerberos .
|
RUN CGO_ENABLED=0 go build -tags standalone -ldflags "-X main.Version=${CHECKER_VERSION}" -o /checker-kerberos .
|
||||||
|
|
||||||
FROM scratch
|
FROM scratch
|
||||||
COPY --from=builder /checker-kerberos /checker-kerberos
|
COPY --from=builder /checker-kerberos /checker-kerberos
|
||||||
|
|
|
||||||
7
Makefile
7
Makefile
|
|
@ -6,12 +6,12 @@ CHECKER_SOURCES := main.go $(wildcard checker/*.go)
|
||||||
|
|
||||||
GO_LDFLAGS := -X main.Version=$(CHECKER_VERSION)
|
GO_LDFLAGS := -X main.Version=$(CHECKER_VERSION)
|
||||||
|
|
||||||
.PHONY: all plugin docker clean
|
.PHONY: all plugin docker test clean
|
||||||
|
|
||||||
all: $(CHECKER_NAME)
|
all: $(CHECKER_NAME)
|
||||||
|
|
||||||
$(CHECKER_NAME): $(CHECKER_SOURCES)
|
$(CHECKER_NAME): $(CHECKER_SOURCES)
|
||||||
go build -ldflags "$(GO_LDFLAGS)" -o $@ .
|
go build -tags standalone -ldflags "$(GO_LDFLAGS)" -o $@ .
|
||||||
|
|
||||||
plugin: $(CHECKER_NAME).so
|
plugin: $(CHECKER_NAME).so
|
||||||
|
|
||||||
|
|
@ -21,5 +21,8 @@ $(CHECKER_NAME).so: $(CHECKER_SOURCES) $(wildcard plugin/*.go)
|
||||||
docker:
|
docker:
|
||||||
docker build --build-arg CHECKER_VERSION=$(CHECKER_VERSION) -t $(CHECKER_IMAGE) .
|
docker build --build-arg CHECKER_VERSION=$(CHECKER_VERSION) -t $(CHECKER_IMAGE) .
|
||||||
|
|
||||||
|
test:
|
||||||
|
go test -tags standalone ./...
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
rm -f $(CHECKER_NAME) $(CHECKER_NAME).so
|
rm -f $(CHECKER_NAME) $(CHECKER_NAME).so
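Review bot: The new `test` target only ever compiles the package with `-tags standalone`, so the untagged configuration this tag was introduced to protect (the plugin/builtin build that must not pull in net/http) is never built, vetted or tested by `make test`; a later change that references a symbol from the tag-guarded form file from untagged code would only surface when someone runs `make plugin`. A second recipe line under `test:`, e.g. `go vet ./...` with no tag, keeps both configurations honest at low cost. The `.PHONY` update in the first hunk is consistent with the added target.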
|
||||||
|
|
|
||||||
|
|
@ -4,13 +4,13 @@ happyDomain checker that audits a Kerberos realm from its DNS records.
|
||||||
|
|
||||||
Starting from the realm name (or from the SRV records grouped under the
|
Starting from the realm name (or from the SRV records grouped under the
|
||||||
`abstract.Kerberos` service), the checker performs a series of
|
`abstract.Kerberos` service), the checker performs a series of
|
||||||
**anonymous probes** — and an optional **authenticated round-trip** when
|
**anonymous probes**, and an optional **authenticated round-trip** when
|
||||||
credentials are supplied — to give a complete picture of the realm's
|
credentials are supplied, to give a complete picture of the realm's
|
||||||
availability and security posture.
|
availability and security posture.
|
||||||
|
|
||||||
## What gets checked
|
## What gets checked
|
||||||
|
|
||||||
- SRV layout — `_kerberos._tcp.`, `_kerberos._udp.`,
|
- SRV layout, `_kerberos._tcp.`, `_kerberos._udp.`,
|
||||||
`_kerberos-master._tcp.`, `_kerberos-adm._tcp.`, `_kpasswd._tcp.`,
|
`_kerberos-master._tcp.`, `_kerberos-adm._tcp.`, `_kpasswd._tcp.`,
|
||||||
`_kpasswd._udp.`.
|
`_kpasswd._udp.`.
|
||||||
- Forward resolution of every SRV target (A + AAAA).
|
- Forward resolution of every SRV target (A + AAAA).
|
||||||
|
|
|
||||||
|
|
@ -377,7 +377,7 @@ func buildProbeASReq(realm string) (messages.ASReq, error) {
|
||||||
|
|
||||||
// parseASResponse inspects the raw KDC reply and fills the ASProbeResult.
|
// parseASResponse inspects the raw KDC reply and fills the ASProbeResult.
|
||||||
// Expected replies: KRB-ERROR (PREAUTH_REQUIRED / C_PRINCIPAL_UNKNOWN) or,
|
// Expected replies: KRB-ERROR (PREAUTH_REQUIRED / C_PRINCIPAL_UNKNOWN) or,
|
||||||
// less commonly, an AS-REP (principal exists and doesn't require preauth —
|
// less commonly, an AS-REP (principal exists and doesn't require preauth .
|
||||||
// AS-REP roasting territory).
|
// AS-REP roasting territory).
|
||||||
func parseASResponse(raw []byte, out *ASProbeResult) {
|
func parseASResponse(raw []byte, out *ASProbeResult) {
|
||||||
// Try KRB-ERROR first.
|
// Try KRB-ERROR first.
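Review bot: The rewritten doc comment on parseASResponse now reads `// less commonly, an AS-REP (principal exists and doesn't require preauth .` with a space-separated period where the em dash was, so the parenthetical is cut into two fragments before `// AS-REP roasting territory).`; replacing the dash with a semicolon or comma, `// less commonly, an AS-REP (principal exists and doesn't require preauth;`, keeps the sentence intact. The equivalent rewrite in the second hunk (`// Try AS-REP. If this succeeds, preauth wasn't required, surface it.`) is a comma splice but still readable. The body of parseASResponse continues past both hunks.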
|
||||||
|
|
@ -400,7 +400,7 @@ func parseASResponse(raw []byte, out *ASProbeResult) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Try AS-REP. If this succeeds, preauth wasn't required — surface it.
|
// Try AS-REP. If this succeeds, preauth wasn't required, surface it.
|
||||||
var asRep messages.ASRep
|
var asRep messages.ASRep
|
||||||
if err := asRep.Unmarshal(raw); err == nil {
|
if err := asRep.Unmarshal(raw); err == nil {
|
||||||
out.PrincipalFound = true
|
out.PrincipalFound = true
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,5 @@
|
||||||
|
//go:build standalone
|
||||||
|
|
||||||
package checker
|
package checker
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
|
|
||||||
|
|
@ -257,7 +257,7 @@ then rekey principals with <code>kadmin -q "cpw -randkey principal"</code> or eq
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
// AS-REP without preauth — AS-REP roasting.
|
// AS-REP without preauth, AS-REP roasting.
|
||||||
if r.AS.Attempted && r.AS.PrincipalFound && !r.AS.PreauthReq {
|
if r.AS.Attempted && r.AS.PrincipalFound && !r.AS.PreauthReq {
|
||||||
out = append(out, remediation{
|
out = append(out, remediation{
|
||||||
Title: "Enable pre-authentication",
|
Title: "Enable pre-authentication",
|
||||||
|
|
|
||||||
2
go.mod
2
go.mod
|
|
@ -3,7 +3,7 @@ module git.happydns.org/checker-kerberos
|
||||||
go 1.25.0
|
go 1.25.0
|
||||||
|
|
||||||
require (
|
require (
|
||||||
git.happydns.org/checker-sdk-go v1.2.0
|
git.happydns.org/checker-sdk-go v1.3.0
|
||||||
github.com/jcmturner/gofork v1.7.6
|
github.com/jcmturner/gofork v1.7.6
|
||||||
github.com/jcmturner/gokrb5/v8 v8.4.4
|
github.com/jcmturner/gokrb5/v8 v8.4.4
|
||||||
)
|
)
|
||||||
|
|
|
||||||
4
go.sum
4
go.sum
|
|
@ -1,5 +1,5 @@
|
||||||
git.happydns.org/checker-sdk-go v1.2.0 h1:v4MpKAz0W3PwP+bxx3pya8w893sVH5xTD1of1cc0TV8=
|
git.happydns.org/checker-sdk-go v1.3.0 h1:FG2kIhlJCzI0m35EhxSgn4UWc9M4ha6aZTeoChu4l7A=
|
||||||
git.happydns.org/checker-sdk-go v1.2.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
|
git.happydns.org/checker-sdk-go v1.3.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
|
||||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
|
|
|
||||||
6
main.go
6
main.go
|
|
@ -5,7 +5,7 @@ import (
|
||||||
"log"
|
"log"
|
||||||
|
|
||||||
kerberos "git.happydns.org/checker-kerberos/checker"
|
kerberos "git.happydns.org/checker-kerberos/checker"
|
||||||
sdk "git.happydns.org/checker-sdk-go/checker"
|
"git.happydns.org/checker-sdk-go/checker/server"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Version is the standalone binary's version. It defaults to "custom-build"
|
// Version is the standalone binary's version. It defaults to "custom-build"
|
||||||
|
|
@ -21,8 +21,8 @@ func main() {
|
||||||
|
|
||||||
kerberos.Version = Version
|
kerberos.Version = Version
|
||||||
|
|
||||||
server := sdk.NewServer(kerberos.Provider())
|
srv := server.New(kerberos.Provider())
|
||||||
if err := server.ListenAndServe(*listenAddr); err != nil {
|
if err := srv.ListenAndServe(*listenAddr); err != nil {
|
||||||
log.Fatalf("server error: %v", err)
|
log.Fatalf("server error: %v", err)
|
||||||
}
|
}
|
||||||
}
|
}
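Review bot: main.go itself carries no build constraint, so a plain `go build .` or `go install` without the `-tags standalone` flag that the Makefile and Dockerfile now pass still compiles the root package and its import of checker/server; if kerberos.Provider() or the server scaffolding depends on anything defined in the checker file that this commit moved behind the tag, that untagged build fails with an undefined identifier rather than a clear message. Adding `//go:build standalone` as the first line of main.go makes the requirement explicit, since an untagged build then stops with "build constraints exclude all Go files". Renaming the local to `srv` is correct, as `server` is now the package name and would otherwise be shadowed. It is not visible here whether server.New configures read/write/idle timeouts on the listener it creates; worth confirming, because `srv.ListenAndServe(*listenAddr)` is the only place this binary could set them. The body of main starts outside the hunk.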
|
||||||
|
|
|
||||||