From d6487688ab7ef2a9d47cb9f67cdedc0c498ff3d3 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff
Date: Mon, 19 Oct 2020 08:11:26 +0300
Subject: [PATCH] Switch from dep to go mod.

* Gopkg.lock: Remove.
* Gopkg.toml: Remove.
* go.mod: New file.
* Makefile: New file.
* README.md: Change instructions.
---
 .gitignore | 2 +
 Gopkg.lock | 184 -----------------------------------------------------
 Gopkg.toml | 50 ---------------
 Makefile | 48 ++++++++++++++
 README.md | 53 ++++++++++-----
 go.mod | 31 +++++++++
 6 files changed, 117 insertions(+), 251 deletions(-)
 delete mode 100644 Gopkg.lock
 delete mode 100644 Gopkg.toml
 create mode 100644 Makefile
 create mode 100644 go.mod

diff --git a/.gitignore b/.gitignore
index 791627d..44b66c5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,7 @@
 .emacs*
 *~
 sargon
+go.sum
+*.tar.gz
 /tmp/
 /vendor/
diff --git a/Gopkg.lock b/Gopkg.lock
deleted file mode 100644
index e253ed8..0000000
--- a/Gopkg.lock
+++ /dev/null
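Review bot: The `+go.sum` line ignores the module checksum file, so the dependency hashes that `go mod download` and `go build` verify against are never committed and are recomputed on every fresh clone, which removes the version pinning the deleted Gopkg.lock used to provide rather than replacing it. Go's convention is to commit go.sum next to go.mod so a reviewer can see exactly which module versions and hashes a build consumed and so a build against a substituted dependency fails with a checksum mismatch instead of succeeding silently. The same gap appears in the Makefile hunk, whose `DISTFILES` list carries `go.mod` but not `go.sum`, and in the new go.mod hunk, which arrives without its companion file. I would drop `+go.sum` here, commit the generated go.sum, and change the Makefile line to `DISTFILES = go.mod go.sum $(SOURCES) $(MANPAGE) README.md LICENSE Makefile`.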
@@ -1,184 +0,0 @@ -# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'. - - -[[projects]] - name = "github.com/Microsoft/go-winio" - packages = ["."] - revision = "1a8911d1ed007260465c3bfbbc785ac6915a0bb8" - version = "v0.4.12" - -[[projects]] - name = "github.com/coreos/go-systemd" - packages = ["activation"] - revision = "95778dfbb74eb7e4dbaf43bf7d71809650ef8076" - version = "v19" - -[[projects]] - name = "github.com/docker/distribution" - packages = ["registry/api/errcode"] - revision = "2461543d988979529609e8cb6fca9ca190dc48da" - version = "v2.7.1" - -[[projects]] - branch = "master" - name = "github.com/docker/docker" - packages = [ - "api/types", - "api/types/blkiodev", - "api/types/container", - "api/types/filters", - "api/types/mount", - "api/types/network", - "api/types/registry", - "api/types/strslice", - "api/types/swarm", - "api/types/swarm/runtime", - "api/types/versions", - "api/types/volume", - "errdefs" - ] - revision = "cf508036aacf08cc9fcf7f1101cae1a707548679" - -[[projects]] - branch = "master" - name = "github.com/docker/engine-api" - packages = [ - "types/blkiodev", - "types/container", - "types/mount", - "types/strslice" - ] - revision = "4290f40c056686fcaa5c9caf02eac1dde9315adf" - -[[projects]] - name = "github.com/docker/go-connections" - packages = [ - "nat", - "sockets" - ] - revision = "7395e3f8aa162843a74ed6d48e79627d9792ac55" - version = "v0.4.0" - -[[projects]] - branch = "master" - name = "github.com/docker/go-plugins-helpers" - packages = [ - "authorization", - "sdk" - ] - revision = "1e6269c305b8c75cfda1c8aa91349c38d7335814" - -[[projects]] - name = "github.com/docker/go-units" - packages = ["."] - revision = "47565b4f722fb6ceae66b95f853feed578a4a51c" - version = "v0.3.3" - -[[projects]] - name = "github.com/gogo/protobuf" - packages = ["proto"] - revision = "ba06b47c162d49f2af050fb4c75bcbc86a159d5c" - version = "v1.2.1" - -[[projects]] - name = "github.com/golang/protobuf" - packages = [ - 
"proto", - "ptypes", - "ptypes/any", - "ptypes/duration", - "ptypes/timestamp" - ] - revision = "b5d812f8a3706043e23a9cd5babf2e5423744d30" - version = "v1.3.1" - -[[projects]] - branch = "master" - name = "github.com/kardianos/osext" - packages = ["."] - revision = "2bc1f35cddc0cc527b4bc3dce8578fc2a6c11384" - -[[projects]] - name = "github.com/konsorten/go-windows-terminal-sequences" - packages = ["."] - revision = "f55edac94c9bbba5d6182a4be46d86a2c9b5b50e" - version = "v1.0.2" - -[[projects]] - name = "github.com/opencontainers/go-digest" - packages = ["."] - revision = "279bed98673dd5bef374d3b6e4b09e2af76183bf" - version = "v1.0.0-rc1" - -[[projects]] - name = "github.com/opencontainers/image-spec" - packages = [ - "specs-go", - "specs-go/v1" - ] - revision = "d60099175f88c47cd379c4738d158884749ed235" - version = "v1.0.1" - -[[projects]] - name = "github.com/sevlyar/go-daemon" - packages = ["."] - revision = "f9261e73885de99b1647d68bedadf2b9a99ad11f" - version = "v0.1.4" - -[[projects]] - name = "github.com/sirupsen/logrus" - packages = ["."] - revision = "8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f" - version = "v1.4.1" - -[[projects]] - branch = "master" - name = "golang.org/x/net" - packages = [ - "internal/socks", - "proxy" - ] - revision = "74de082e2cca95839e88aa0aeee5aadf6ce7710f" - -[[projects]] - branch = "master" - name = "golang.org/x/sys" - packages = [ - "unix", - "windows" - ] - revision = "baf5eb976a8cd65845293cd814ea151018552292" - -[[projects]] - branch = "master" - name = "google.golang.org/genproto" - packages = ["googleapis/rpc/status"] - revision = "f467c93bbac2133ff463e1f93d18d8f9f3f04451" - -[[projects]] - name = "google.golang.org/grpc" - packages = [ - "codes", - "status" - ] - revision = "3507fb8e1a5ad030303c106fef3a47c9fdad16ad" - version = "v1.19.1" - -[[projects]] - name = "gopkg.in/asn1-ber.v1" - packages = ["."] - revision = "f715ec2f112d1e4195b827ad68cf44017a3ef2b1" - version = "v1.3" - -[[projects]] - name = "gopkg.in/ldap.v2" - 
packages = ["."] - revision = "bb7a9ca6e4fbc2129e3db588a34bc970ffe811a9" - version = "v2.5.1" - -[solve-meta] - analyzer-name = "dep" - analyzer-version = 1 - inputs-digest = "17e1eb92d7419b702b76954bd2e3648df5ff45939c657ddf6a6623381418f900" - solver-name = "gps-cdcl" - solver-version = 1 diff --git a/Gopkg.toml b/Gopkg.toml deleted file mode 100644 index fcfbb3d..0000000 --- a/Gopkg.toml +++ /dev/null @@ -1,50 +0,0 @@ -# Gopkg.toml example -# -# Refer to https://golang.github.io/dep/docs/Gopkg.toml.html -# for detailed Gopkg.toml documentation. -# -# required = ["github.com/user/thing/cmd/thing"] -# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"] -# -# [[constraint]] -# name = "github.com/user/project" -# version = "1.0.0" -# -# [[constraint]] -# name = "github.com/user/project2" -# branch = "dev" -# source = "github.com/myfork/project2" -# -# [[override]] -# name = "github.com/x/y" -# version = "2.4.0" -# -# [prune] -# non-go = false -# go-tests = true -# unused-packages = true - - -[[constraint]] - name = "github.com/docker/docker" - branch = "master" - -[[constraint]] - branch = "master" - name = "github.com/docker/engine-api" - -[[constraint]] - branch = "master" - name = "github.com/docker/go-plugins-helpers" - -[[constraint]] - name = "github.com/sevlyar/go-daemon" - version = "0.1.4" - -[[constraint]] - name = "gopkg.in/ldap.v2" - version = "2.5.1" - -[prune] - go-tests = true - unused-packages = true diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..48996f6 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,48 @@
+PACKAGE = sargon
+VERSION = 1.0
+
+PREFIX = /usr/local
+BINDIR = $(PREFIX)/bin
+
+SOURCES = \
+ main.go\
+ access/access.go\
+ auth/container_create.go\
+ auth/volume_create.go\
+ diag/diag.go\
+ server/action.go\
+ server/authz.go\
+ server/ldap.go\
+ server/netgroup.go\
+ server/type.go
+
+all:
+ @go mod download
+ @go build
+
+clean:
+ @go clean
+
+install: sargon
+ @GOBIN=$(BINDIR) go install .
+
+DISTDIR = $(PACKAGE)-$(VERSION)
+DISTFILES = go.mod $(SOURCES) $(MANPAGE) README.md LICENSE Makefile
+
+distdir:
+ @test -d $(DISTDIR) || mkdir $(DISTDIR)
+ @tar cf - $(DISTFILES) | tar Cxf $(DISTDIR) -
+
+dist: distdir
+ @tar zcf $(DISTDIR).tar.gz $(DISTDIR)
+ @rm -rf $(DISTDIR)
+
+distcheck: dist
+ @tar xfz $(DISTDIR).tar.gz
+ @if $(MAKE) -C $(DISTDIR) $(DISTCHECKFLAGS); then \
+ echo "$(DISTDIR).tar.gz ready for distribution"; \
+ rm -rf $(DISTDIR); \
+ else \
+ exit 2; \
+ fi
+
diff --git a/README.md b/README.md
index c55a025..e5eb261 100644
--- a/README.md
+++ b/README.md
@@ -14,10 +14,31 @@ User privileges are kept in LDAP.
 After cloning, change to the source directory and run
 
 ```text
- dep ensure
- go build
+ make
 ```
 
+To install the created binary, run (as root):
+
+```text
+ make install
+```
+
+By default, the *sargon* binary is installed to `/usr/local/bin`. To
+select another installation directory, use the `BINDIR` or `PREFIX`
+variable. The `BINDIR` variable specifies the directory to install
+*sargon* to. E.g. to istall it to `/usr/bin`, do
+
+```text
+ make install BINDIR=/usr/bin
+```
+
+Alternatively, you may use the `PREFIX` variable, which specifies the
+directory where `bin` is located, e.g.:
+
+```text
+ make install PREFIX=/usr
+```
+
 ## Usage
 
 When started, the program reads its configuration file, disconnects itself
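Review bot: `distdir` only creates `$(DISTDIR)` when it is missing and never empties it, so files left behind by an earlier aborted `distcheck` (its failure branch does `exit 2` without removing the extracted tree) end up inside the next release tarball; replacing the `test -d` line with `@rm -rf $(DISTDIR) && mkdir $(DISTDIR)` makes the tarball contents depend only on `DISTFILES`. `DISTFILES` also expands `$(MANPAGE)`, which this Makefile never assigns, so it is silently empty — either define it or drop it from the list. None of the targets are declared phony, so a stray file named `all`, `clean`, `dist` or `distcheck` in the tree would make them appear up to date; add `.PHONY: all clean install distdir dist distcheck`.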
@@ -235,7 +256,7 @@ with _(single)_, multiple attribute instances are allowed. date/time after which this entry ceases to be valid. Notice, that the timestamp must be in UTC. -To determine privileges of the requesting user, *sargon* uses the following +When verifying each incoming request, *sargon* uses the following algorithm: 1. Create LDAP filter with the user name and the names of the groups the 
@@ -274,36 +295,34 @@ algorithm: `sargonAllow` attribute, go to step 9. 7. Otherwise, if the object has one or more `sargonDeny` attributes and - if one of these contains the requested action or the meta-action `ALL`, - then go to step 16. + one of these contains the requested action or the meta-action `ALL`, + then deny the request. 8. Advance to the next object, and restart from step 6. -9. Unless the requested action is `ContainerCreate`, go to step 15. +9. Unless the requested action is `ContainerCreate`, authorize the request. -10. If privileges container creation is requested: - If `sargonAllowPrivileged` is `FALSE`, then go to 16. +10. If privileges container creation is requestedm and + `sargonAllowPrivileged` is `FALSE`, then deny the request. Otherwise, advance to the next step. 11. If any additional linux capabilities are requested, check if they are listed in `sargonAllowCapability` attributes. If any of them is - not, go to step 16. + not, deny the request. -12. Check requested binds and mounts. For each source directory, check - it against each `sargonMount` attribute. If it matches the attribute +12. Check requested binds and mounts. Check each source directory against + each `sargonMount` attribute. If the directory matches the attribute exactly, or if the attribute value ends with a `/*` and the source directory prefix matches the value, then the mount is allowed. - Otherwise, go to 16. + Otherwise, request is denied, 13. If the requested maximum memory is greater than the value of the - `sargonMaxMemory` attribute, go to 16. + `sargonMaxMemory` attribute, request is denied. 14. If the requested maximum kernel memory is greater than the value of the - `sargonMaxKernelMemory` attribute, go to 16. - -15. Success. Authorize the request. + `sargonMaxKernelMemory` attribute, request is denied. -16. Failure. Deny the request. +15. Otherwise, request is authorized. ## Actions diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..4c41123 
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,31 @@
+module sargon
+
+go 1.13
+
+require (
+ github.com/Microsoft/go-winio v0.4.12 // indirect
+ github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e // indirect
+ github.com/docker/distribution v2.7.1+incompatible // indirect
+ github.com/docker/docker v17.12.0-ce-rc1.0.20190403111212-cf508036aacf+incompatible
+ github.com/docker/engine-api v0.4.1-0.20160908232104-4290f40c0566
+ github.com/docker/go-connections v0.4.0 // indirect
+ github.com/docker/go-plugins-helpers v0.0.0-20181025120712-1e6269c305b8
+ github.com/docker/go-units v0.3.3 // indirect
+ github.com/gogo/protobuf v1.2.1 // indirect
+ github.com/golang/protobuf v1.3.1 // indirect
+ github.com/google/go-cmp v0.5.2 // indirect
+ github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
+ github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
+ github.com/opencontainers/go-digest v1.0.0-rc1 // indirect
+ github.com/opencontainers/image-spec v1.0.1 // indirect
+ github.com/pkg/errors v0.9.1 // indirect
+ github.com/sevlyar/go-daemon v0.1.4
+ github.com/sirupsen/logrus v1.4.1 // indirect
+ golang.org/x/net v0.0.0-20190328230028-74de082e2cca // indirect
+ golang.org/x/sys v0.0.0-20190402142545-baf5eb976a8c // indirect
+ google.golang.org/genproto v0.0.0-20190401181712-f467c93bbac2 // indirect
+ google.golang.org/grpc v1.19.1 // indirect
+ gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
+ gopkg.in/ldap.v2 v2.5.1
+ gotest.tools v2.2.0+incompatible // indirect
+)
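Review bot: `module sargon` declares a single-element module path with no dot in it, which the go command accepts for the main module but rejects for `go get`/`go install sargon@<version>` and for any other module that wants to `require` it. If the project is meant to be installable by path, declare its canonical import path instead, e.g. `module <hosting-host>/<org>/sargon` (placeholder for the repository's real location); the `make install` flow described in the README hunk works either way.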