├── .gitignore
├── .gitmodules
├── Makefile
├── README.md
├── backend.go
├── config.go
├── filesystem.go
├── handle_certificate_generate.go
├── handle_listen.go
├── handle_ssh.go
├── handle_table_generate.go
├── handle_validator.go
├── main.go
├── mongodb.go
├── table.go
├── tests
    ├── run_tests
    ├── setup.sh
    ├── teardown.sh
    └── testcases
    │   ├── change-password-if-tokens-are-same-as-retrieved.test.sh
    │   ├── do-not-change-password-if-tokens-do-not-match.test.sh
    │   ├── fs
    │       ├── add-ssh-key-with-truncate.test.sh
    │       ├── add-ssh-key.test.sh
    │       ├── generate-hash-table.test.sh
    │       ├── list-tokens.test.sh
    │       ├── next-requests-for-hash-must-return-another-hash.test.sh
    │       ├── retrieve-hash-for-token.test.sh
    │       └── retrieve-ssh-keys-for-token.test.sh
    │   ├── mongodb
    │       ├── add-ssh-key-with-truncate.test.sh
    │       ├── add-ssh-key.test.sh
    │       ├── generate-hash-table.test.sh
    │       ├── list-tokens.test.sh
    │       ├── next-requests-for-hash-must-return-another-hash.test.sh
    │       ├── retrieve-hash-for-token.test.sh
    │       └── retrieve-ssh-keys-for-token.test.sh
    │   └── retrieve-ten-unique-salts-for-specified-token.test.sh
└── vendor
    └── .gitignore


/.gitignore:
--------------------------------------------------------------------------------
1 | /shadowd
2 | /shadowd.test
3 | .last-testcase
4 | 


--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "vendor/github.com/reconquest/import.bash"]
2 | 	path = vendor/github.com/reconquest/import.bash
3 | 	url = https://github.com/reconquest/import.bash
4 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | BUILD_DATE=$(shell git log -1 --format="%cd" --date=short | sed s/-//g)
 2 | BUILD_NUM=$(shell  git rev-list --count HEAD)
 3 | BUILD_HASH=$(shell git rev-parse --short HEAD)
 4 | 
 5 | LDFLAGS="-X main.version=${BUILD_DATE}.${BUILD_NUM}_${BUILD_HASH}-1"
 6 | GCFLAGS="-trimpath ${GOPATH}/src"
 7 | 
 8 | build:
 9 | 	go build -x -ldflags=${LDFLAGS} -gcflags ${GCFLAGS} .
10 | 
11 | man:
12 | 	@ronn -r man.markdown
13 | 
14 | clean:
15 | 	@git clean -ffdx
16 | 
17 | test:
18 | 	tests/run_tests
19 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # shadowd
  2 | 
  3 | ![shadow horse](https://cloud.githubusercontent.com/assets/8445924/9289438/97f8a2e8-435f-11e5-853c-255a7fe22d08.png)
  4 | 
  5 | **shadowd** is the secure login distribution service, which consists of two
  6 | parts: server and client.
  7 | 
  8 | In a typical server configuration case you should manually update the
  9 | `/etc/shadow` and copy it on all servers (or via automatic configuration
 10 | system); afterwards each server will have same hash in the `/etc/shadow`.
 11 | Supposed that attacker successfully gained access to one of your servers and
 12 | found collision to that single hash *attacker actually got access to all
 13 | servers with that hash*.
 14 | 
 15 | **shadowd** is summoned to solve that obscure problem.
 16 | 
 17 | **shadowd solution** is to generate hash tables for specified passwords mixed
 18 | with random salt for specified users and guarantee that a client receive unique
 19 | hash.
 20 | 
 21 | One **shadowd** instance can be used for securely instanciate thousands of
 22 | servers with same root password for each one. Without any doubts about possible
 23 | break-in.
 24 | 
 25 | If attacker has user (non-root) access to the one server and try to repeat
 26 | request to shadowd server and get actual hash during the hash TTL period (one
 27 | day by default), then shadowd will give him another unique hash entry.
 28 | Actually, **shadowd** can give only two unique hash entries for hash TTL period
 29 | for one client, first hash entry may be received only for first request per
 30 | hash TTL period, all other requests will be served by another hash.
 31 | 
 32 | If attacker has root access to the one server and will try to brute-force
 33 | hash entry for root from `/etc/shadow`, it will not give him any access for
 34 | other servers with same password, because **shadowd** will give different
 35 | hashes for each server.
 36 | 
 37 | If attacker will gain root access to the **shadowd** server (worst-case
 38 | scenario), it's will be very time-consuming to brute-force thousands of hashes
 39 | without any knowledge about which server is using specific hash entry.
 40 | 
 41 | **shadowd** can act as SSH keys publisher too.
 42 | 
 43 | **shadowd** can also configure with passwords containers or any other type of
 44 | nodes in your infrastructure.
 45 | 
 46 | REST API is used for communication between server and client.
 47 | 
 48 | ![Plan](http://i.imgur.com/gfDy0a5.png)
 49 | 
 50 | ## FAQ
 51 | 
 52 | ### Why not LDAP/AD/SSSD/Whatever?
 53 | 
 54 | LDAP/AD/SSSD is monstrous software which requires massive configuration. It's
 55 | far from just installing package to make it work. LDAP by itself just ugly,
 56 | it's not so "lightweight" as it supposed to be from it's name.
 57 | 
 58 | **shadowd** is very easy to install and do not even have configuration file.
 59 | 
 60 | In comparison to LDAP, **shadowd** is not a remote authorisation provider, so
 61 | when network or shadowd host will go down, you still will be able to login on
 62 | concrete hosts configured with **shadowc**, because all shadow hashes stored
 63 | locally on concrete host.
 64 | 
 65 | ### Isn't attacker will brute-force actual password faster instead of finding a collision in SHA?
 66 | 
 67 | It is possible indeed, but having sufficiently long password like
 68 | `thecorrecthorsebatterystapleinspace` (https://xkcd.com/936/) will neglect this
 69 | probability.
 70 | 
 71 | ### What is actual use case for this?
 72 | 
 73 | Local authentication as well as password authentication should be always
 74 | possible for ops engineers. If something wrong goes with LDAP or any other
 75 | remote authentication agent, you will blame that day you integrated it into
 76 | your environment.
 77 | 
 78 | There is no way of configuring local root (like, available only through IPMI)
 79 | on the frontend load-balancing servers through remote authorisation agent.
 80 | 
 81 | **shadowd** can be safely used for setting root password even on load-balancing
 82 | servers.
 83 | 
 84 | ## shadowd configuration
 85 | 
 86 | 1. [Generate hash tables](#hash-tables)
 87 | 2. [Generate SSL certificates](#ssl-certificates)
 88 | 3. [Start shadowd](#start-shadowd)
 89 | 4. [Adding SSH keys](#adding-ssh-keys)
 90 | 5. [REST API](#rest-api)
 91 | 
 92 | ### Hash Tables
 93 | 
 94 | For generating hash table you should run:
 95 | ```
 96 | shadowd [options] -G <token> [-n <size>] [-a <algo>]
 97 | ```
 98 | **shadowd** will prompt for a password for specified user token, and after that
 99 | will generate hash table with 2048 hashed entries of specified password, hash
100 | table size can be specified via flag `-n <size>` `sha256` will be used as
101 | default hashing algorithm, but `sha512` can be used via `-a sha512` flag.
102 | 
103 | Actually, user token can be same as login, but if you want to use several
104 | passwords for same username on different servers, you should specify `<token>`
105 | as `<pool>/<login>` where `<pool>` it is name of role (`production` or `testing`
106 | for example).
107 | 
108 | Already running instance of **shadowd** do not require reload to serve newly
109 | generated hash-tables.
110 | 
111 | ![loading message](http://i.imgur.com/fbKYTMX.gif)
112 | 
113 | ### SSL certificates
114 | 
115 | Assume that attacker gained access to your servers, then he can wait for next
116 | password update and do man-in-the-middle attack, afterwards passwords on
117 | servers will be changed on his password and he will get more access to the
118 | servers.
119 | 
120 | For solving that problem one should use SSL certificates, which confirms
121 | authority of the login distribution server.
122 | 
123 | For generating SSL certificates you should have trusted host (shadowd server
124 | DNS name) or trusted ip address, if you will use localhost for shadowd
125 | server, you can skip this step and shadowd will automatically specify current
126 | hostname and ip address as trusted, in other cases you should pass options for
127 | setting trusted hosts/addresses of shadowd.
128 | 
129 | Possible Options:
130 | - `-h --host <host>` - set specified host as trusted. (default: current
131 |     hostname)
132 | - `-i --address <ip>` - set specified ip address as trusted. (default: current
133 |     ip address)
134 | - `-d --till <date>` - set time certicicate valid till (default: current
135 |     date plus one year).
136 | - `-b --bytes <length>` - set specified length of RSA key. (default: 2048)
137 | 
138 | And for all of this you should run one command:
139 | ```
140 | shadowd [options] -C [-h <host>...] [-i <ip>...] [-d <date>] [-b <length>]
141 | ```
142 | 
143 | Afterwards, `cert.pem` and `key.pem` will be stored in
144 | `/var/shadowd/cert/` directory, which location can be changed through flag
145 | `-c <cert_dir>`.
146 | 
147 | Since client needs certificate, you should copy `cert.pem` on
148 | server with client to `/etc/shadowc/cert.pem`.
149 | 
150 | **shadowd** will generate certificate with default parameters (can be seen in
151 | program usage) on it's first run.
152 | 
153 | ### Start shadowd
154 | 
155 | As mentioned earlier, shadowd uses REST API, by default listening on `:443`,
156 | but you can set specified address and port through passing argument
157 | `-L <listen>`:
158 | 
159 | ```
160 | shadowd [options] -L <listen> [-s <time>]
161 | ```
162 | 
163 | For setting hash TTL duration you should pass `-s <time>` argument, by
164 | default hash TTL is `24h`.
165 | 
166 | TTL is amount of time after which shadowd will serve different unique pair of
167 | hash entries to the same requesting client.
168 | 
169 | #### General options:
170 | 
171 | - `-c -certs <dir>` - use specified directory for storing and reading
172 |     certificates.
173 | - `-t --tables <dir>` - use specified directory for storing and reading
174 |     hash tables. (default: /var/shadowd/ht/)
175 | - `-k --keys <dir>` - use specified dir for reading ssh-keys.
176 |     (default: /var/shadowd/ssh/).
177 | 
178 | Success, you have configured server, but you need to configure client, for this
179 | you should see
180 | [documentation here](https://github.com/reconquest/shadowc).
181 | 
182 | ### Adding SSH keys
183 | 
184 | **shadowd** can act as public ssh keys distribution service. Keys can be added
185 | per token by using command:
186 | 
187 | ```
188 | shadowd -K <token>
189 | ```
190 | 
191 | After that command **shadowd** will wait for public SSH key to be entered on
192 | stdin.  Then, specified key will be added to keys list, which is stored under
193 | the directory, set by `-k` flag (`/var/shadowd/ssh/` by default).
194 | 
195 | Optionally, key file can be truncated by using flag `-r --truncate` to the
196 | standard `-K` invocation.
197 | 
198 | **shadowd** will serve that keys by HTTP, as mentioned in following section.
199 | 
200 | ### Scalability
201 | 
202 | **shadowd** can work in multiple instance mode, but it requires to use external
203 | storage &ndash; MongoDB.
204 | 
205 | **shadowd** will store/read shadow entries and public ssh key from mongodb, so
206 | all of your need is configure mongodb cluster, setup replication and place
207 | shadowd configuration file using following syntax:
208 | 
209 | ```
210 | [backend]
211 | use = "mongodb"
212 | dsn = "mongodb://[user[:password]@]host[,[user2[:password2]@]host2]/dbname"
213 | ```
214 | 
215 | **shadowd**'s' configuration file can be specified using `-f --config <path>`
216 | flag.
217 | 
218 | ### REST API
219 | 
220 | **shadowd** offers following REST API:
221 | 
222 | * `/t/<token>`, where token can be any string, possibly containing slashes.
223 |   Most common interpretation for `<token>` is `<pool>/<username>`, e.g.
224 |   `dev/v.pupkin`.
225 | 
226 |   `GET` on this URL will return unique hash for specified `<token>` from
227 |   pre-generated via `shadowd -G` hash-table. The first requested hash
228 |   guaranteed to be unique among different hosts, The second and later `GET`
229 |   requests will return same hash again and again until `<hash_ttl>` expires.
230 |   `<hash_ttl>` is configured on server by `-a` flag. Working in that way
231 |   **shadowd** offers secure way of transmitting one hash only once, and
232 |   legitimate client (e.g. **shadowc**) can always be sure that hash, obtained
233 |   from **shadowd**, has not been transferred to someone else on that host.
234 | 
235 | * `/ssh/<token>`, where `<token>` is same as above.
236 | 
237 |   `GET` on this URL will return SSH keys, that has been added by `shadowd -K`
238 |   command in `authorized_keys` format (e.g. key per line).
239 | 
240 |   No special security restrictions apply on that requests.
241 | 
242 | * `/v/<token>/<hash>`, where `<token>` is same as above, `<hash>` is
243 |     hash of a password, if `<token>` contains `/` (`<pool>/<username>`) then
244 |     the last part of URI will be used as `<hash>`.
245 |     i.e.
246 |     `dev/v.pupkin/$5$NqjWijImgEOapAJw$NL5K7g8SwMferONwiskz6bcluwlO7zbu3V/ZyLzavZD`
247 | 
248 |   `GET` on this URL will return HTTP status `200 OK` if specified hash exists
249 |   in hash table for specified token, in other case, `404 Not
250 |   Found` will be returned.
251 | 
252 |   No special security restrictions apply on that requests.
253 | 


--------------------------------------------------------------------------------
/backend.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | type Backend interface {
 4 | 	GetPublicKeys(token string) (string, error)
 5 | 	AddPublicKey(token string, key []byte, truncate bool) error
 6 | 	SetHashTable(token string, table []string) error
 7 | 	IsHashExists(token string, hash string) (bool, error)
 8 | 	GetHash(token string, number int64) (string, error)
 9 | 	IsRecentClient(identifier string) (bool, error)
10 | 	AddRecentClient(identifier string) error
11 | 	GetTableSize(token string) (int64, error)
12 | 	GetTokens(prefix string) ([]string, error)
13 | 
14 | 	Init() error
15 | }
16 | 


--------------------------------------------------------------------------------
/config.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import "github.com/kovetskiy/ko"
 4 | 
 5 | type config struct {
 6 | 	Backend struct {
 7 | 		Use string `toml:"use" required:"true"`
 8 | 		DSN string `toml:"dsn" required:"true"`
 9 | 	} `toml:"backend" required:"true"`
10 | }
11 | 
12 | func getConfig(path string) (*config, error) {
13 | 	config := &config{}
14 | 	err := ko.Load(path, config)
15 | 	if err != nil {
16 | 		return nil, err
17 | 	}
18 | 
19 | 	return config, nil
20 | }
21 | 


--------------------------------------------------------------------------------
/filesystem.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"fmt"
  5 | 	"io/ioutil"
  6 | 	"os"
  7 | 	"path/filepath"
  8 | 	"strings"
  9 | 	"sync"
 10 | 	"time"
 11 | 
 12 | 	"github.com/reconquest/hierr-go"
 13 | )
 14 | 
 15 | type filesystem struct {
 16 | 	hashTablesDir string
 17 | 	hashTTL       time.Duration
 18 | 	sshKeysDir    string
 19 | 	clients       map[string]time.Time
 20 | 	clientsLock   *sync.Mutex
 21 | }
 22 | 
 23 | func (fs *filesystem) Init() error {
 24 | 	stat, err := os.Stat(fs.hashTablesDir)
 25 | 	if err != nil {
 26 | 		return err
 27 | 	}
 28 | 
 29 | 	if stat.Mode()&0077 != 0 {
 30 | 		return fmt.Errorf(
 31 | 			"hash tables dir is too open: %s "+
 32 | 				"(should be accessible only by owner)",
 33 | 			stat.Mode())
 34 | 	}
 35 | 
 36 | 	go func() {
 37 | 		for range time.Tick(time.Minute) {
 38 | 			fs.cleanupRecentClients()
 39 | 		}
 40 | 	}()
 41 | 
 42 | 	return nil
 43 | }
 44 | 
 45 | func (fs *filesystem) SetHashTable(token string, table []string) error {
 46 | 	path := filepath.Join(fs.hashTablesDir, token)
 47 | 
 48 | 	dir := filepath.Dir(path)
 49 | 	if _, err := os.Stat(dir); os.IsNotExist(err) {
 50 | 		err = os.MkdirAll(dir, 0700)
 51 | 		if err != nil {
 52 | 			return hierr.Errorf(
 53 | 				err, "can't create directory %s", dir,
 54 | 			)
 55 | 		}
 56 | 	}
 57 | 
 58 | 	err := ioutil.WriteFile(
 59 | 		path,
 60 | 		[]byte(strings.Join(table, "\n")+"\n"),
 61 | 		0600,
 62 | 	)
 63 | 	if err != nil {
 64 | 		return hierr.Errorf(
 65 | 			err, "can't write file %s", path,
 66 | 		)
 67 | 	}
 68 | 
 69 | 	return nil
 70 | }
 71 | 
 72 | func (fs *filesystem) AddPublicKey(
 73 | 	token string, key []byte, truncate bool,
 74 | ) error {
 75 | 	path := filepath.Join(fs.sshKeysDir, token)
 76 | 
 77 | 	dir := filepath.Dir(path)
 78 | 	if _, err := os.Stat(dir); os.IsNotExist(err) {
 79 | 		err = os.MkdirAll(dir, 0700)
 80 | 		if err != nil {
 81 | 			return hierr.Errorf(
 82 | 				err, "can't create directory %s", dir,
 83 | 			)
 84 | 		}
 85 | 	}
 86 | 
 87 | 	openFlags := os.O_CREATE | os.O_WRONLY
 88 | 
 89 | 	if truncate {
 90 | 		openFlags |= os.O_TRUNC
 91 | 	} else {
 92 | 		openFlags |= os.O_APPEND
 93 | 	}
 94 | 
 95 | 	keyFile, err := os.OpenFile(path, openFlags, 0600)
 96 | 	if err != nil {
 97 | 		return hierr.Errorf(
 98 | 			err, "can't open file %s", path,
 99 | 		)
100 | 	}
101 | 
102 | 	defer keyFile.Close()
103 | 
104 | 	_, err = keyFile.Write(append(key, []byte("\n")...))
105 | 	if err != nil {
106 | 		return hierr.Errorf(
107 | 			err, "can't write key file %s", path,
108 | 		)
109 | 	}
110 | 
111 | 	return nil
112 | }
113 | 
114 | func (fs *filesystem) GetPublicKeys(token string) (string, error) {
115 | 	path := filepath.Join(fs.sshKeysDir, token)
116 | 
117 | 	data, err := ioutil.ReadFile(path)
118 | 	if err != nil {
119 | 		if os.IsNotExist(err) {
120 | 			return "", ErrNotFound
121 | 		}
122 | 
123 | 		return "", hierr.Errorf(
124 | 			err, "can't read key file %s", path,
125 | 		)
126 | 	}
127 | 
128 | 	return string(data), nil
129 | }
130 | 
131 | func (fs *filesystem) IsHashExists(token string, hash string) (bool, error) {
132 | 	table, err := openHashTable(filepath.Join(fs.hashTablesDir, token))
133 | 	if err != nil {
134 | 		return false, err
135 | 	}
136 | 
137 | 	return table.hashExists(hash)
138 | }
139 | 
140 | func (fs *filesystem) GetTableSize(token string) (int64, error) {
141 | 	table, err := openHashTable(filepath.Join(fs.hashTablesDir, token))
142 | 	if err != nil {
143 | 		return 0, err
144 | 	}
145 | 
146 | 	return table.getSize()
147 | }
148 | 
149 | func (fs *filesystem) IsRecentClient(identifier string) (bool, error) {
150 | 	fs.clientsLock.Lock()
151 | 	defer fs.clientsLock.Unlock()
152 | 
153 | 	if fs.clients == nil {
154 | 		fs.clients = map[string]time.Time{}
155 | 		return false, nil
156 | 	}
157 | 
158 | 	_, ok := fs.clients[identifier]
159 | 	return ok, nil
160 | }
161 | 
162 | func (fs *filesystem) AddRecentClient(identifier string) error {
163 | 	fs.clientsLock.Lock()
164 | 	defer fs.clientsLock.Unlock()
165 | 
166 | 	if fs.clients == nil {
167 | 		fs.clients = map[string]time.Time{}
168 | 	}
169 | 
170 | 	fs.clients[identifier] = time.Now()
171 | 
172 | 	return nil
173 | }
174 | 
175 | func (fs *filesystem) GetHash(token string, number int64) (string, error) {
176 | 	table, err := openHashTable(filepath.Join(fs.hashTablesDir, token))
177 | 	if err != nil {
178 | 		return "", err
179 | 	}
180 | 
181 | 	record, err := table.getRecord(number)
182 | 	if err != nil {
183 | 		return "", err
184 | 	}
185 | 
186 | 	return string(record), nil
187 | }
188 | 
189 | func (fs *filesystem) GetTokens(prefix string) ([]string, error) {
190 | 	directory := filepath.Join(fs.hashTablesDir, prefix)
191 | 
192 | 	stat, err := os.Stat(directory)
193 | 	if err != nil {
194 | 		if os.IsNotExist(err) {
195 | 			return nil, ErrNotFound
196 | 		}
197 | 
198 | 		return nil, err
199 | 	}
200 | 
201 | 	if !stat.IsDir() {
202 | 		return nil, fmt.Errorf(
203 | 			"%s is not a directory", directory,
204 | 		)
205 | 	}
206 | 
207 | 	tokens := []string{}
208 | 	err = filepath.Walk(
209 | 		directory,
210 | 		func(path string, info os.FileInfo, err error) error {
211 | 			if err != nil {
212 | 				return err
213 | 			}
214 | 
215 | 			// skip root dir
216 | 			if info.IsDir() && directory == path {
217 | 				return nil
218 | 			}
219 | 
220 | 			if info.IsDir() {
221 | 				return filepath.SkipDir
222 | 			}
223 | 
224 | 			tokens = append(
225 | 				tokens,
226 | 				strings.TrimPrefix(strings.TrimPrefix(path, directory), "/"),
227 | 			)
228 | 
229 | 			return nil
230 | 		},
231 | 	)
232 | 	if err != nil {
233 | 		return nil, err
234 | 	}
235 | 
236 | 	return tokens, nil
237 | }
238 | 
239 | func (fs *filesystem) cleanupRecentClients() {
240 | 	fs.clientsLock.Lock()
241 | 	defer fs.clientsLock.Unlock()
242 | 
243 | 	actual := map[string]time.Time{}
244 | 
245 | 	for identifier, requestTime := range fs.clients {
246 | 		if time.Now().Sub(requestTime) > fs.hashTTL {
247 | 			continue
248 | 		}
249 | 
250 | 		actual[identifier] = requestTime
251 | 	}
252 | 
253 | 	fs.clients = actual
254 | }
255 | 


--------------------------------------------------------------------------------
/handle_certificate_generate.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"crypto/rand"
  5 | 	"crypto/rsa"
  6 | 	"crypto/x509"
  7 | 	"crypto/x509/pkix"
  8 | 	"encoding/pem"
  9 | 	"fmt"
 10 | 	"math/big"
 11 | 	"net"
 12 | 	"os"
 13 | 	"path/filepath"
 14 | 	"strconv"
 15 | 	"time"
 16 | 
 17 | 	"github.com/reconquest/hierr-go"
 18 | )
 19 | 
 20 | func handleCertificateGenerate(
 21 | 	backend Backend, args map[string]interface{},
 22 | ) error {
 23 | 	var (
 24 | 		certsDir        = args["--certs"].(string)
 25 | 		rsaBlockSizeRaw = args["--bytes"].(string)
 26 | 		validTill       = args["--till"].(string)
 27 | 		hosts           = args["--host"].([]string)
 28 | 		addresses       = args["--address"].([]string)
 29 | 	)
 30 | 
 31 | 	rsaBlockSize, err := strconv.Atoi(rsaBlockSizeRaw)
 32 | 	if err != nil {
 33 | 		return err
 34 | 	}
 35 | 
 36 | 	if _, err := os.Stat(certsDir); os.IsNotExist(err) {
 37 | 		err = os.MkdirAll(certsDir, 0700)
 38 | 		if err != nil {
 39 | 			return err
 40 | 		}
 41 | 	}
 42 | 
 43 | 	privateKey, err := rsa.GenerateKey(rand.Reader, rsaBlockSize)
 44 | 	if err != nil {
 45 | 		return fmt.Errorf("failed to generate private key: %s", err)
 46 | 	}
 47 | 
 48 | 	invalidAfter, err := time.Parse("2006-02-01", validTill)
 49 | 	if err != nil {
 50 | 		return err
 51 | 	}
 52 | 
 53 | 	invalidBefore := time.Now()
 54 | 
 55 | 	serialNumberBlockSize := big.NewInt(0).Lsh(big.NewInt(1), 128)
 56 | 	serialNumber, err := rand.Int(rand.Reader, serialNumberBlockSize)
 57 | 	if err != nil {
 58 | 		return fmt.Errorf("failed to generate serial number: %s", err)
 59 | 	}
 60 | 
 61 | 	cert := x509.Certificate{
 62 | 		IsCA: true,
 63 | 
 64 | 		SerialNumber: serialNumber,
 65 | 
 66 | 		NotBefore: invalidBefore,
 67 | 		NotAfter:  invalidAfter,
 68 | 
 69 | 		BasicConstraintsValid: true,
 70 | 		KeyUsage: x509.KeyUsageKeyEncipherment |
 71 | 			x509.KeyUsageDigitalSignature |
 72 | 			x509.KeyUsageCertSign,
 73 | 		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 74 | 
 75 | 		DNSNames: hosts,
 76 | 
 77 | 		Subject: pkix.Name{
 78 | 			CommonName: "shadowd",
 79 | 		},
 80 | 	}
 81 | 
 82 | 	for _, address := range addresses {
 83 | 		if addr := net.ParseIP(address); addr != nil {
 84 | 			cert.IPAddresses = append(cert.IPAddresses, addr)
 85 | 		}
 86 | 
 87 | 	}
 88 | 
 89 | 	certData, err := x509.CreateCertificate(
 90 | 		rand.Reader, &cert, &cert, &privateKey.PublicKey, privateKey,
 91 | 	)
 92 | 	if err != nil {
 93 | 		return hierr.Errorf(
 94 | 			err, "can't create certificate",
 95 | 		)
 96 | 	}
 97 | 
 98 | 	certOutFd, err := os.Create(filepath.Join(certsDir, "cert.pem"))
 99 | 	if err != nil {
100 | 		return hierr.Errorf(
101 | 			err, "can't create certificate file",
102 | 		)
103 | 	}
104 | 
105 | 	err = pem.Encode(
106 | 		certOutFd,
107 | 		&pem.Block{
108 | 			Type:  "CERTIFICATE",
109 | 			Bytes: certData,
110 | 		},
111 | 	)
112 | 	if err != nil {
113 | 		return hierr.Errorf(
114 | 			err, "can't write PEM data to certificate file",
115 | 		)
116 | 	}
117 | 
118 | 	err = certOutFd.Close()
119 | 	if err != nil {
120 | 		return hierr.Errorf(
121 | 			err, "can't close certificate file",
122 | 		)
123 | 	}
124 | 
125 | 	keyOutFd, err := os.OpenFile(
126 | 		filepath.Join(certsDir, "key.pem"),
127 | 		os.O_WRONLY|os.O_CREATE|os.O_TRUNC,
128 | 		0600,
129 | 	)
130 | 	if err != nil {
131 | 		return hierr.Errorf(
132 | 			err, "can't open key file",
133 | 		)
134 | 	}
135 | 
136 | 	err = pem.Encode(
137 | 		keyOutFd,
138 | 		&pem.Block{
139 | 			Type:  "RSA PRIVATE KEY",
140 | 			Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
141 | 		},
142 | 	)
143 | 	if err != nil {
144 | 		return hierr.Errorf(
145 | 			err, "can't write PEM data to key file",
146 | 		)
147 | 	}
148 | 
149 | 	err = keyOutFd.Close()
150 | 	if err != nil {
151 | 		return hierr.Errorf(
152 | 			err, "can't close key file",
153 | 		)
154 | 	}
155 | 
156 | 	return nil
157 | }
158 | 


--------------------------------------------------------------------------------
/handle_listen.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"crypto/sha256"
  5 | 	"fmt"
  6 | 	"log"
  7 | 	"math/big"
  8 | 	"net/http"
  9 | 	"os"
 10 | 	"path/filepath"
 11 | 	"strings"
 12 | 	"time"
 13 | 
 14 | 	"github.com/reconquest/hierr-go"
 15 | )
 16 | 
 17 | const (
 18 | 	passwordChangeSaltAmount = 10
 19 | )
 20 | 
 21 | type Server struct {
 22 | 	backend Backend
 23 | 	hashTTL time.Duration
 24 | }
 25 | 
 26 | func (server *Server) HandleTokens(
 27 | 	writer http.ResponseWriter, request *http.Request,
 28 | ) {
 29 | 	// no need to validate token because net/http package will validate request
 30 | 	// uri and remove '../' statements.
 31 | 	token := strings.TrimPrefix(request.URL.Path, "/t/")
 32 | 
 33 | 	switch request.Method {
 34 | 	case "GET":
 35 | 		server.handleHashRetrieve(writer, request, token)
 36 | 	case "PUT":
 37 | 		server.handlePasswordChange(writer, request, token)
 38 | 	default:
 39 | 		writer.WriteHeader(http.StatusMethodNotAllowed)
 40 | 	}
 41 | }
 42 | 
 43 | func (server *Server) handleHashRetrieve(
 44 | 	writer http.ResponseWriter,
 45 | 	request *http.Request,
 46 | 	token string,
 47 | ) {
 48 | 	if strings.HasSuffix(token, "/") || token == "" {
 49 | 		tokens, err := server.backend.GetTokens(token)
 50 | 		if err != nil {
 51 | 			log.Println(
 52 | 				hierr.Errorf(
 53 | 					err,
 54 | 					"can't get tokens with prefix '%s'", token,
 55 | 				),
 56 | 			)
 57 | 
 58 | 			if err == ErrNotFound {
 59 | 				writer.WriteHeader(http.StatusNotFound)
 60 | 			} else {
 61 | 				writer.WriteHeader(http.StatusInternalServerError)
 62 | 			}
 63 | 
 64 | 			return
 65 | 		}
 66 | 
 67 | 		if len(tokens) == 0 {
 68 | 			writer.WriteHeader(http.StatusNoContent)
 69 | 			return
 70 | 		}
 71 | 
 72 | 		_, err = writer.Write([]byte(strings.Join(tokens, "\n")))
 73 | 		if err != nil {
 74 | 			log.Println(err)
 75 | 		}
 76 | 
 77 | 		return
 78 | 	}
 79 | 
 80 | 	tableSize, err := server.backend.GetTableSize(token)
 81 | 	if err != nil {
 82 | 		if err == ErrNotFound {
 83 | 			writer.WriteHeader(http.StatusNotFound)
 84 | 		} else {
 85 | 			log.Println(err)
 86 | 			writer.WriteHeader(http.StatusInternalServerError)
 87 | 		}
 88 | 		return
 89 | 	}
 90 | 
 91 | 	remote := request.RemoteAddr[:strings.LastIndex(request.RemoteAddr, ":")]
 92 | 	remote = remote + "-" + token
 93 | 
 94 | 	// in case of client requested shadow entry not too long ago,
 95 | 	// we should send different entry on further invocations
 96 | 	recent, err := server.backend.IsRecentClient(remote)
 97 | 	if err != nil {
 98 | 		log.Println(err)
 99 | 		writer.WriteHeader(http.StatusInternalServerError)
100 | 		return
101 | 	}
102 | 
103 | 	modifier := 1
104 | 	if !recent {
105 | 		modifier = 0
106 | 		err = server.backend.AddRecentClient(remote)
107 | 		if err != nil {
108 | 			log.Println(err)
109 | 			writer.WriteHeader(http.StatusInternalServerError)
110 | 			return
111 | 		}
112 | 	}
113 | 
114 | 	record, err := server.backend.GetHash(
115 | 		token,
116 | 		hashNumber(remote, tableSize, server.hashTTL, modifier),
117 | 	)
118 | 	if err != nil {
119 | 		writer.Write([]byte(err.Error()))
120 | 		writer.WriteHeader(http.StatusInternalServerError)
121 | 		return
122 | 	}
123 | 
124 | 	writer.Write([]byte(record))
125 | }
126 | 
127 | func (server *Server) handlePasswordChange(
128 | 	writer http.ResponseWriter,
129 | 	request *http.Request,
130 | 	token string,
131 | ) {
132 | 	tableSize, err := server.backend.GetTableSize(token)
133 | 	if err != nil {
134 | 		if err == ErrNotFound {
135 | 			writer.WriteHeader(http.StatusNotFound)
136 | 		} else {
137 | 			log.Println(err)
138 | 			writer.WriteHeader(http.StatusInternalServerError)
139 | 		}
140 | 
141 | 		return
142 | 	}
143 | 
144 | 	remote := request.RemoteAddr[:strings.LastIndex(request.RemoteAddr, ":")]
145 | 	remote += "-" + token + "-salt-"
146 | 
147 | 	salts := []string{}
148 | 	hashes := []string{}
149 | 	for i := 0; i < passwordChangeSaltAmount; i++ {
150 | 		hash, err := server.backend.GetHash(
151 | 			token,
152 | 			hashNumber(remote, tableSize, server.hashTTL, i),
153 | 		)
154 | 		if err != nil {
155 | 			log.Println(err)
156 | 			writer.WriteHeader(http.StatusInternalServerError)
157 | 			return
158 | 		}
159 | 
160 | 		parts := strings.Split(hash, "$")
161 | 		if len(parts) < 4 {
162 | 			log.Printf("invalid hash for %s found: '%s'", token, hash)
163 | 			writer.WriteHeader(http.StatusInternalServerError)
164 | 			return
165 | 		}
166 | 
167 | 		salts = append(salts, "$"+parts[1]+"$"+parts[2])
168 | 		hashes = append(hashes, hash)
169 | 	}
170 | 
171 | 	err = request.ParseForm()
172 | 	if err != nil {
173 | 		log.Println(err)
174 | 		writer.WriteHeader(http.StatusInternalServerError)
175 | 		return
176 | 	}
177 | 
178 | 	proofs, ok := request.Form["shadow[]"]
179 | 	if !ok || len(proofs) != passwordChangeSaltAmount {
180 | 		fmt.Fprintln(writer, strings.Join(salts, "\n"))
181 | 		return
182 | 	}
183 | 
184 | 	password := request.FormValue("password")
185 | 	if password == "" {
186 | 		writer.WriteHeader(http.StatusBadRequest)
187 | 		return
188 | 	}
189 | 
190 | 	for index, _ := range hashes {
191 | 		if proofs[index] != hashes[index] {
192 | 			log.Printf(
193 | 				"password change declined for %s, wrong hash: '%s'",
194 | 				token, proofs[index],
195 | 			)
196 | 			writer.WriteHeader(http.StatusBadRequest)
197 | 			return
198 | 		}
199 | 	}
200 | 
201 | 	log.Printf(
202 | 		"password change for %s accepted, generating new hash table...",
203 | 		token,
204 | 	)
205 | 
206 | 	table := []string{}
207 | 	for i := 0; i < int(tableSize); i++ {
208 | 		table = append(table, generateSHA512(password))
209 | 	}
210 | 
211 | 	err = server.backend.SetHashTable(token, table)
212 | 	if err != nil {
213 | 		log.Println(
214 | 			hierr.Errorf(
215 | 				err, "can't save generated hash table for %s", token,
216 | 			),
217 | 		)
218 | 		writer.WriteHeader(http.StatusInternalServerError)
219 | 		return
220 | 	}
221 | 
222 | 	log.Printf(
223 | 		"hash table %s with %d items successfully created",
224 | 		token, tableSize,
225 | 	)
226 | }
227 | 
228 | func hashNumber(
229 | 	source string, max int64, ttl time.Duration, modifier int,
230 | ) int64 {
231 | 	hash := sha256.Sum256([]byte(
232 | 		fmt.Sprintf(
233 | 			"%s%d",
234 | 			source, time.Now().Unix()/int64(ttl/time.Second),
235 | 		),
236 | 	))
237 | 
238 | 	var (
239 | 		hashMaxLength int64 = 1
240 | 		hashIndex     int64 = 0
241 | 	)
242 | 
243 | 	for _, hashByte := range hash {
244 | 		if hashMaxLength > max {
245 | 			break
246 | 		}
247 | 
248 | 		hashMaxLength <<= 8
249 | 		hashIndex += hashMaxLength * int64(hashByte)
250 | 	}
251 | 
252 | 	hashIndex += int64(modifier)
253 | 
254 | 	modMax := max
255 | 	if modMax%10 == 0 {
256 | 		modMax = max - 1
257 | 	}
258 | 
259 | 	number := big.NewInt(0).Mod(
260 | 		big.NewInt(hashIndex), big.NewInt(modMax),
261 | 	).Int64()
262 | 
263 | 	return number
264 | }
265 | 
266 | func handleListen(
267 | 	backend Backend,
268 | 	args map[string]interface{},
269 | 	hashTTL time.Duration,
270 | ) error {
271 | 	wood := &Server{
272 | 		backend: backend,
273 | 		hashTTL: hashTTL,
274 | 	}
275 | 
276 | 	http.HandleFunc("/v/", wood.HandleValidate)
277 | 	http.HandleFunc("/t/", wood.HandleTokens)
278 | 	http.HandleFunc("/ssh/", wood.HandleSSH)
279 | 
280 | 	var (
281 | 		certFile = filepath.Join(args["--certs"].(string), "cert.pem")
282 | 		keyFile  = filepath.Join(args["--certs"].(string), "key.pem")
283 | 	)
284 | 
285 | 	certExist := true
286 | 	if _, err := os.Stat(certFile); os.IsNotExist(err) {
287 | 		certExist = false
288 | 	}
289 | 
290 | 	if _, err := os.Stat(keyFile); os.IsNotExist(err) {
291 | 		certExist = false
292 | 	}
293 | 
294 | 	if !certExist {
295 | 		log.Println("no certificate found, generating with default settings")
296 | 
297 | 		err := handleCertificateGenerate(backend, args)
298 | 		if err != nil {
299 | 			return err
300 | 		}
301 | 	}
302 | 
303 | 	log.Println("starting listening on", args["--listen"].(string))
304 | 
305 | 	return http.ListenAndServeTLS(
306 | 		args["--listen"].(string), certFile, keyFile, nil,
307 | 	)
308 | }
309 | 


--------------------------------------------------------------------------------
/handle_ssh.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"bytes"
 5 | 	"fmt"
 6 | 	"io/ioutil"
 7 | 	"log"
 8 | 	"net/http"
 9 | 	"os"
10 | 	"strings"
11 | 
12 | 	"github.com/reconquest/hierr-go"
13 | 
14 | 	"golang.org/x/crypto/ssh"
15 | )
16 | 
17 | func (server *Server) HandleSSH(
18 | 	writer http.ResponseWriter, request *http.Request,
19 | ) {
20 | 	token := strings.TrimPrefix(request.URL.Path, "/ssh/")
21 | 
22 | 	keys, err := server.backend.GetPublicKeys(token)
23 | 	if err != nil {
24 | 		if err == ErrNotFound {
25 | 			writer.WriteHeader(http.StatusNotFound)
26 | 			return
27 | 		}
28 | 
29 | 		log.Println(err)
30 | 		writer.WriteHeader(http.StatusInternalServerError)
31 | 		return
32 | 	}
33 | 
34 | 	_, err = writer.Write([]byte(keys))
35 | 	if err != nil {
36 | 		log.Println(err)
37 | 	}
38 | }
39 | 
40 | func handleSSHKeyAppend(backend Backend, args map[string]interface{}) error {
41 | 	var (
42 | 		token    = args["<token>"].(string)
43 | 		truncate = args["--truncate"].(bool)
44 | 	)
45 | 
46 | 	key, err := ioutil.ReadAll(os.Stdin)
47 | 	if err != nil {
48 | 		return hierr.Errorf(
49 | 			err, "can't read stdin",
50 | 		)
51 | 	}
52 | 
53 | 	key = bytes.TrimSpace(key)
54 | 
55 | 	_, comment, _, _, err := ssh.ParseAuthorizedKey(key)
56 | 	if err != nil {
57 | 		return hierr.Errorf(
58 | 			err, "can't parse public ssh key",
59 | 		)
60 | 	}
61 | 
62 | 	err = backend.AddPublicKey(token, key, truncate)
63 | 	if err != nil {
64 | 		return hierr.Errorf(
65 | 			err, "can't add public key for %s", token,
66 | 		)
67 | 	}
68 | 
69 | 	fmt.Println("Added new key with comment:", comment)
70 | 
71 | 	return nil
72 | }
73 | 


--------------------------------------------------------------------------------
/handle_table_generate.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"bufio"
  5 | 	"errors"
  6 | 	"fmt"
  7 | 	"math/rand"
  8 | 	"os"
  9 | 	"os/exec"
 10 | 	"strconv"
 11 | 	"strings"
 12 | 	"time"
 13 | 
 14 | 	"github.com/kovetskiy/spinner-go"
 15 | 	"github.com/reconquest/hierr-go"
 16 | )
 17 | 
 18 | // #cgo LDFLAGS: -lcrypt
 19 | // #include <unistd.h>
 20 | // #include <crypt.h>
 21 | import "C"
 22 | 
 23 | var (
 24 | 	saltSymbols = []rune(
 25 | 		"qwertyuiopasdfghjklzxcvbnm" +
 26 | 			"QWERTYUIOPASDFGHJKLZXCVBNM" +
 27 | 			"0123456789" +
 28 | 			"./",
 29 | 	)
 30 | 	saltLength = 16
 31 | )
 32 | 
 33 | type AlgorithmImplementation func(token string) string
 34 | 
 35 | func handleTableGenerate(backend Backend, args map[string]interface{}) error {
 36 | 	var (
 37 | 		token     = args["<token>"].(string)
 38 | 		lengthRaw = args["--length"].(string)
 39 | 		algorithm = args["--algorithm"].(string)
 40 | 		quiet     = args["--quiet"].(bool)
 41 | 		noconfirm = args["--no-confirm"].(bool)
 42 | 	)
 43 | 
 44 | 	err := validateToken(token)
 45 | 	if err != nil {
 46 | 		return err
 47 | 	}
 48 | 
 49 | 	length, err := strconv.Atoi(lengthRaw)
 50 | 	if err != nil {
 51 | 		return err
 52 | 	}
 53 | 
 54 | 	password, err := getPassword("Enter password: ")
 55 | 	if err != nil {
 56 | 		return hierr.Errorf(
 57 | 			err, "can't get password",
 58 | 		)
 59 | 	}
 60 | 
 61 | 	if !noconfirm {
 62 | 		proofPassword, err := getPassword("Retype password: ")
 63 | 		if err != nil {
 64 | 			return hierr.Errorf(
 65 | 				err, "can't get password confirmation",
 66 | 			)
 67 | 		}
 68 | 
 69 | 		if password != proofPassword {
 70 | 			return fmt.Errorf("specified passwords do not match")
 71 | 		}
 72 | 	}
 73 | 
 74 | 	implementation := getAlgorithmImplementation(algorithm)
 75 | 	if implementation == nil {
 76 | 		return errors.New("specified algorithm is not available")
 77 | 	}
 78 | 
 79 | 	if !quiet {
 80 | 		spinner.Start()
 81 | 		spinner.SetInterval(time.Millisecond * 100)
 82 | 	}
 83 | 
 84 | 	table := []string{}
 85 | 	for i := 0; i < length; i++ {
 86 | 		if !quiet {
 87 | 			spinner.SetStatus(
 88 | 				fmt.Sprintf(
 89 | 					"Generating hash table... %d%% ",
 90 | 					(i+1)*100/length,
 91 | 				),
 92 | 			)
 93 | 		}
 94 | 
 95 | 		table = append(table, implementation(password))
 96 | 	}
 97 | 
 98 | 	if !quiet {
 99 | 		spinner.Stop()
100 | 	}
101 | 
102 | 	err = backend.SetHashTable(token, table)
103 | 	if err != nil {
104 | 		return hierr.Errorf(
105 | 			err, "can't save generated hash table",
106 | 		)
107 | 	}
108 | 
109 | 	fmt.Printf(
110 | 		"Hash table %s with %d items successfully created.\n",
111 | 		token, length,
112 | 	)
113 | 
114 | 	return nil
115 | }
116 | 
117 | func getAlgorithmImplementation(algorithm string) AlgorithmImplementation {
118 | 	switch algorithm {
119 | 	case "sha256":
120 | 		return generateSHA256
121 | 	case "sha512":
122 | 		return generateSHA512
123 | 	}
124 | 
125 | 	return nil
126 | }
127 | 
128 | func generateSHA256(password string) string {
129 | 	salt := fmt.Sprintf("$5$%s", generateSHASalt())
130 | 	return C.GoString(C.crypt(C.CString(password), C.CString(salt)))
131 | }
132 | 
133 | func generateSHA512(password string) string {
134 | 	salt := fmt.Sprintf("$6$%s", generateSHASalt())
135 | 	return C.GoString(C.crypt(C.CString(password), C.CString(salt)))
136 | }
137 | 
138 | func generateSHASalt() string {
139 | 	salt := make([]rune, saltLength)
140 | 	for i := 0; i < saltLength; i++ {
141 | 		salt[i] = saltSymbols[rand.Intn(len(saltSymbols))]
142 | 	}
143 | 
144 | 	return string(salt)
145 | }
146 | 
147 | func validateToken(token string) error {
148 | 	if strings.Contains(token, "../") {
149 | 		return fmt.Errorf(
150 | 			"specified token is not available, do not use '../' in token",
151 | 		)
152 | 	}
153 | 
154 | 	return nil
155 | }
156 | 
157 | func getPassword(prompt string) (string, error) {
158 | 	var (
159 | 		sttyEchoDisable = exec.Command("stty", "-F", "/dev/tty", "-echo")
160 | 		sttyEchoEnable  = exec.Command("stty", "-F", "/dev/tty", "echo")
161 | 	)
162 | 
163 | 	fmt.Print(prompt)
164 | 
165 | 	err := sttyEchoDisable.Run()
166 | 	if err != nil {
167 | 		return "", hierr.Errorf(
168 | 			err, "%q", sttyEchoDisable.Args,
169 | 		)
170 | 	}
171 | 
172 | 	defer func() {
173 | 		sttyEchoEnable.Run()
174 | 		fmt.Println()
175 | 	}()
176 | 
177 | 	stdin := bufio.NewReader(os.Stdin)
178 | 	password, err := stdin.ReadString('\n')
179 | 	if err != nil {
180 | 		return "", hierr.Errorf(
181 | 			err, "can't read stdin for password",
182 | 		)
183 | 	}
184 | 
185 | 	password = strings.TrimRight(password, "\n")
186 | 
187 | 	return password, nil
188 | }
189 | 


--------------------------------------------------------------------------------
/handle_validator.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"log"
 5 | 	"net/http"
 6 | 	"strings"
 7 | )
 8 | 
 9 | func (server *Server) HandleValidate(
10 | 	response http.ResponseWriter, request *http.Request,
11 | ) {
12 | 	path := strings.TrimPrefix(request.URL.Path, "/v/")
13 | 	path = strings.TrimRight(path, "/")
14 | 
15 | 	slash := strings.LastIndex(path, "/")
16 | 	if slash == -1 {
17 | 		log.Printf(
18 | 			"got bad request to hash table validator: %s", request.URL.Path,
19 | 		)
20 | 		response.WriteHeader(http.StatusBadRequest)
21 | 		return
22 | 	}
23 | 
24 | 	token, hash := path[:slash], path[slash+1:]
25 | 
26 | 	log.Printf(
27 | 		"got request to hash table validator, hash: '%s', token: '%s'",
28 | 		hash, token,
29 | 	)
30 | 
31 | 	exists, err := server.backend.IsHashExists(token, hash)
32 | 	if err != nil {
33 | 		log.Println(err)
34 | 		response.WriteHeader(http.StatusInternalServerError)
35 | 		return
36 | 	}
37 | 
38 | 	if exists {
39 | 		response.WriteHeader(http.StatusOK)
40 | 		return
41 | 	}
42 | 
43 | 	log.Printf("hash '%s' does not exists for '%s' token", hash, token)
44 | 	response.WriteHeader(http.StatusNotFound)
45 | }
46 | 


--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"errors"
  5 | 	"log"
  6 | 	"math/rand"
  7 | 	"net"
  8 | 	"os"
  9 | 	"strings"
 10 | 	"sync"
 11 | 	"time"
 12 | 
 13 | 	"github.com/docopt/docopt-go"
 14 | 	"github.com/reconquest/hierr-go"
 15 | )
 16 | 
 17 | var version = `3.0`
 18 | var usage = `shadowd, secure login distribution service
 19 | 
 20 | Usage:
 21 |   shadowd [options] -L <address> [-s <time>]
 22 |   shadowd [options] -G <token> [-n <size>] [-a <algo>]
 23 |   shadowd [options] -C [-h <host>...] [-i <ip>...] [-d <date>] [-b <length>]
 24 |   shadowd [options] -K <token> [-r]
 25 |   shadowd --help
 26 |   shadowd --version
 27 | 
 28 | Options:
 29 |   -G --generate            Generate and store hash-table for specified <token>.
 30 |                             Password will be read from stdin.
 31 |     -n --length <size>     Generate hash-table of specified length [default: 2048].
 32 |     -a --algorithm <algo>  Use specified algorithm [default: sha256].
 33 |     --no-confirm           Do not prompt confirmation for password.
 34 |   -C --certificate         Generate certificate pair for authenticating via HTTPS.
 35 |     -b --bytes <length>    Generate rsa key of specified length [default: 2048].
 36 |     -h --host <host>       Set specified host as trusted [default: $CERT_HOST].
 37 |     -i --address <ip>      Set specified ip address as trusted [default: $CERT_ADDR].
 38 |     -d --till <date>       Set time certificate valid till [default: $CERT_VALID].
 39 |   -L --listen <address>    Listen specified IP and port [default: :443].
 40 |     -s --ttl <time>        Use specified time duration as hash TTL [default: 24h].
 41 |   -K --key                 Wait for SSH-key to be entered on stdin and append it to file,
 42 |                             determined from <token>.
 43 |     -r --truncate          Truncate file for specified token, do not append.
 44 |   -t --tables <dir>        Use specified dir for storing and reading hash-tables
 45 |                             [default: /var/shadowd/ht/].
 46 |   -c --certs <dir>         Use specified dir for storing and reading certificates
 47 |                             [default: /var/shadowd/cert/].
 48 |   -k --keys <dir>          Use specified dir for reading public SSH keys.
 49 |                             [default: /var/shadowd/ssh/].
 50 |   -f --config <path>       Use specified configuration file.
 51 |   -q --quiet               Quiet mode, be less chatty.
 52 |   --help                   Show this screen.
 53 |   --version                Show program version.
 54 | `
 55 | 
 56 | var ErrNotFound = errors.New("not found")
 57 | 
 58 | func init() {
 59 | 	rand.Seed(time.Now().UTC().UnixNano())
 60 | }
 61 | 
 62 | func main() {
 63 | 	args, _ := docopt.Parse(
 64 | 		replaceDefaults(usage), nil, true, "shadowd "+version, false,
 65 | 	)
 66 | 
 67 | 	hashTTL, err := time.ParseDuration(args["--ttl"].(string))
 68 | 	if err != nil {
 69 | 		hierr.Fatalf(
 70 | 			err, "can't parse ttl time",
 71 | 		)
 72 | 	}
 73 | 
 74 | 	var (
 75 | 		backendUse string
 76 | 		backendDSN string
 77 | 		backend    Backend
 78 | 	)
 79 | 
 80 | 	if path, ok := args["--config"].(string); ok {
 81 | 		config, err := getConfig(path)
 82 | 		if err != nil {
 83 | 			hierr.Fatalf(
 84 | 				err, "can't parse configuration file",
 85 | 			)
 86 | 		}
 87 | 
 88 | 		backendUse = config.Backend.Use
 89 | 		backendDSN = config.Backend.DSN
 90 | 	}
 91 | 
 92 | 	switch backendUse {
 93 | 	case "", "filesystem":
 94 | 		backend = &filesystem{
 95 | 			hashTablesDir: args["--tables"].(string),
 96 | 			sshKeysDir:    args["--keys"].(string),
 97 | 			hashTTL:       hashTTL,
 98 | 			clients:       map[string]time.Time{},
 99 | 			clientsLock:   &sync.Mutex{},
100 | 		}
101 | 	case "mongodb":
102 | 		backend = &mongodb{
103 | 			dsn:     backendDSN,
104 | 			hashTTL: hashTTL,
105 | 		}
106 | 
107 | 	default:
108 | 		hierr.Fatalf(
109 | 			errors.New(backendUse), "unknown backend",
110 | 		)
111 | 
112 | 	}
113 | 
114 | 	err = backend.Init()
115 | 	if err != nil {
116 | 		hierr.Fatalf(
117 | 			err, "can't initialize shadowd backend",
118 | 		)
119 | 	}
120 | 
121 | 	switch {
122 | 	case args["--generate"]:
123 | 		err = handleTableGenerate(backend, args)
124 | 
125 | 	case args["--key"]:
126 | 		err = handleSSHKeyAppend(backend, args)
127 | 
128 | 	case args["--certificate"]:
129 | 		err = handleCertificateGenerate(backend, args)
130 | 
131 | 	default:
132 | 		err = handleListen(backend, args, hashTTL)
133 | 	}
134 | 
135 | 	if err != nil {
136 | 		log.Fatal(err)
137 | 	}
138 | }
139 | 
140 | func replaceDefaultCertHost(usage string) string {
141 | 	hostname, err := os.Hostname()
142 | 	if err != nil {
143 | 		panic(err)
144 | 	}
145 | 
146 | 	return strings.Replace(usage, "$CERT_HOST", hostname, -1)
147 | }
148 | 
149 | func replaceDefaultCertAddr(usage string) string {
150 | 	return strings.Replace(usage, "$CERT_ADDR", getLocalIP(), -1)
151 | }
152 | 
153 | func replaceDefaultCertValidTill(usage string) string {
154 | 	return strings.Replace(
155 | 		usage, "$CERT_VALID",
156 | 		time.Now().AddDate(1, 0, 0).Format("2006-02-01"),
157 | 		-1,
158 | 	)
159 | }
160 | 
161 | func replaceDefaults(usage string) string {
162 | 	usage = replaceDefaultCertHost(usage)
163 | 	usage = replaceDefaultCertAddr(usage)
164 | 	usage = replaceDefaultCertValidTill(usage)
165 | 
166 | 	return usage
167 | }
168 | 
169 | func getLocalIP() string {
170 | 	interfaces, err := net.Interfaces()
171 | 	if err != nil {
172 | 		panic(err)
173 | 	}
174 | 
175 | 	for _, netInterface := range interfaces {
176 | 		adresses, err := netInterface.Addrs()
177 | 		if err != nil {
178 | 			panic(err)
179 | 		}
180 | 
181 | 		for _, address := range adresses {
182 | 			switch addr := address.(type) {
183 | 			case *net.IPNet:
184 | 				ipString := addr.IP.String()
185 | 				if strings.HasPrefix(ipString, "127.") || ipString == "::1" {
186 | 					continue
187 | 				} else {
188 | 					return ipString
189 | 				}
190 | 			}
191 | 		}
192 | 
193 | 	}
194 | 
195 | 	return "127.0.0.1"
196 | }
197 | 


--------------------------------------------------------------------------------
/mongodb.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"log"
  5 | 	"regexp"
  6 | 	"sort"
  7 | 	"strings"
  8 | 	"time"
  9 | 
 10 | 	"github.com/reconquest/hierr-go"
 11 | 
 12 | 	"gopkg.in/mgo.v2"
 13 | 	"gopkg.in/mgo.v2/bson"
 14 | )
 15 | 
 16 | type mongodb struct {
 17 | 	dsn      string
 18 | 	hashTTL  time.Duration
 19 | 	session  *mgo.Session
 20 | 	database *mgo.Database
 21 | 	shadows  *mgo.Collection
 22 | 	keys     *mgo.Collection
 23 | 	clients  *mgo.Collection
 24 | }
 25 | 
 26 | func (db *mongodb) GetPublicKeys(token string) (string, error) {
 27 | 	var docs []map[string]interface{}
 28 | 	err := db.keys.Find(bson.M{"token": token}).All(&docs)
 29 | 	if err != nil {
 30 | 		return "", hierr.Errorf(
 31 | 			err, "can't obtain public keys from database",
 32 | 		)
 33 | 	}
 34 | 
 35 | 	keys := []string{}
 36 | 	for _, doc := range docs {
 37 | 		keys = append(keys, doc["key"].(string))
 38 | 	}
 39 | 
 40 | 	return strings.Join(keys, "\n"), nil
 41 | }
 42 | 
 43 | func (db *mongodb) AddPublicKey(
 44 | 	token string, key []byte, truncate bool,
 45 | ) error {
 46 | 	if truncate {
 47 | 		_, err := db.keys.RemoveAll(bson.M{"token": token})
 48 | 		if err != nil {
 49 | 			return hierr.Errorf(
 50 | 				err, "can't remove public keys",
 51 | 			)
 52 | 		}
 53 | 	}
 54 | 
 55 | 	err := db.keys.Insert(bson.M{"token": token, "key": string(key)})
 56 | 	if err != nil {
 57 | 		return hierr.Errorf(
 58 | 			err, "can't add key to database",
 59 | 		)
 60 | 	}
 61 | 
 62 | 	return nil
 63 | }
 64 | 
 65 | func (db *mongodb) SetHashTable(token string, table []string) error {
 66 | 	_, err := db.shadows.RemoveAll(bson.M{"token": token})
 67 | 	if err != nil {
 68 | 		return hierr.Errorf(
 69 | 			err, "can't remove existing hash table",
 70 | 		)
 71 | 	}
 72 | 
 73 | 	docs := []interface{}{}
 74 | 	for _, hash := range table {
 75 | 		docs = append(docs, bson.M{
 76 | 			"token": token,
 77 | 			"hash":  hash,
 78 | 		})
 79 | 	}
 80 | 
 81 | 	err = db.shadows.Insert(docs...)
 82 | 	if err != nil {
 83 | 		return hierr.Errorf(
 84 | 			err, "can't insert table hash to database",
 85 | 		)
 86 | 	}
 87 | 
 88 | 	return nil
 89 | }
 90 | 
 91 | func (db *mongodb) IsHashExists(token string, hash string) (bool, error) {
 92 | 	var doc map[string]interface{}
 93 | 	err := db.shadows.Find(bson.M{"token": token, "hash": hash}).One(&doc)
 94 | 	if err != nil {
 95 | 		if err == mgo.ErrNotFound {
 96 | 			return false, nil
 97 | 		}
 98 | 
 99 | 		return false, err
100 | 	}
101 | 
102 | 	return true, nil
103 | }
104 | 
105 | func (db *mongodb) GetHash(token string, number int64) (string, error) {
106 | 	var doc map[string]interface{}
107 | 	err := db.shadows.Find(
108 | 		bson.M{"token": token},
109 | 	).Skip(int(number - int64(1))).Limit(1).One(&doc)
110 | 	if err != nil {
111 | 		if err == mgo.ErrNotFound {
112 | 			return "", ErrNotFound
113 | 		}
114 | 
115 | 		return "", err
116 | 	}
117 | 
118 | 	return doc["hash"].(string), nil
119 | }
120 | 
121 | func (db *mongodb) IsRecentClient(identifier string) (bool, error) {
122 | 	var doc map[string]interface{}
123 | 	err := db.clients.Find(bson.M{"client": identifier}).One(&doc)
124 | 	if err != nil {
125 | 		if err == mgo.ErrNotFound {
126 | 			return false, nil
127 | 		}
128 | 
129 | 		return false, err
130 | 	}
131 | 
132 | 	return true, nil
133 | }
134 | 
135 | func (db *mongodb) AddRecentClient(identifier string) error {
136 | 	err := db.clients.Insert(
137 | 		bson.M{"client": identifier, "create_date": time.Now().Unix()},
138 | 	)
139 | 	if err != nil {
140 | 		return hierr.Errorf(
141 | 			err, "can't add recent client to database",
142 | 		)
143 | 	}
144 | 
145 | 	return nil
146 | }
147 | 
148 | func (db *mongodb) GetTableSize(token string) (int64, error) {
149 | 	count, err := db.shadows.Find(bson.M{"token": token}).Count()
150 | 	if err != nil {
151 | 		return 0, hierr.Errorf(
152 | 			err, "can't obtain table size from database",
153 | 		)
154 | 	}
155 | 
156 | 	if count == 0 {
157 | 		return 0, ErrNotFound
158 | 	}
159 | 
160 | 	return int64(count), nil
161 | }
162 | 
163 | func (db *mongodb) GetTokens(prefix string) ([]string, error) {
164 | 	var docs []string
165 | 	err := db.shadows.Find(
166 | 		bson.M{
167 | 			"token": bson.M{"$regex": "^" + regexp.QuoteMeta(prefix) + ".*"},
168 | 		},
169 | 	).Select(bson.M{"token": 1}).Distinct("token", &docs)
170 | 	if err != nil {
171 | 		return nil, hierr.Errorf(
172 | 			err, "can't obtain tokens from database",
173 | 		)
174 | 	}
175 | 
176 | 	for i, doc := range docs {
177 | 		docs[i] = strings.TrimPrefix(doc, prefix)
178 | 	}
179 | 
180 | 	sort.Strings(docs)
181 | 
182 | 	return docs, nil
183 | }
184 | 
185 | func (db *mongodb) Init() error {
186 | 	err := db.connect()
187 | 	if err != nil {
188 | 		return hierr.Errorf(
189 | 			err, "can't establish database connection",
190 | 		)
191 | 	}
192 | 
193 | 	go func() {
194 | 		for range time.Tick(time.Minute) {
195 | 			db.cleanupRecentClients()
196 | 		}
197 | 	}()
198 | 
199 | 	go func() {
200 | 		for range time.Tick(time.Second * 5) {
201 | 			db.ensureConnection()
202 | 		}
203 | 	}()
204 | 
205 | 	return nil
206 | }
207 | 
208 | func (db *mongodb) connect() error {
209 | 	session, err := mgo.Dial(db.dsn)
210 | 	if err != nil {
211 | 		return err
212 | 	}
213 | 
214 | 	db.session = session
215 | 
216 | 	db.database = db.session.DB("")
217 | 	db.shadows = db.database.C("shadows")
218 | 	db.keys = db.database.C("keys")
219 | 	db.clients = db.database.C("clients")
220 | 
221 | 	return nil
222 | }
223 | 
224 | func (db *mongodb) ensureConnection() {
225 | 	err := db.session.Ping()
226 | 	if err == nil {
227 | 		return
228 | 	}
229 | 
230 | 	log.Println(
231 | 		"database connection has gone away, " +
232 | 			"trying to reestablish database connection...",
233 | 	)
234 | 
235 | 	err = db.connect()
236 | 	if err != nil {
237 | 		log.Printf("can't establish database connection: %s", err)
238 | 		return
239 | 	}
240 | 
241 | 	log.Println("database connection established")
242 | }
243 | 
244 | func (db *mongodb) cleanupRecentClients() {
245 | 	_, err := db.clients.RemoveAll(
246 | 		bson.M{
247 | 			"create_date": bson.M{
248 | 				"$lt": time.Now().Unix() - int64(db.hashTTL),
249 | 			},
250 | 		},
251 | 	)
252 | 	if err != nil {
253 | 		log.Println(
254 | 			hierr.Errorf(err, "can't cleanup recent clients"),
255 | 		)
256 | 	}
257 | }
258 | 


--------------------------------------------------------------------------------
/table.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"bufio"
  5 | 	"errors"
  6 | 	"fmt"
  7 | 	"os"
  8 | 
  9 | 	"github.com/reconquest/hierr-go"
 10 | )
 11 | 
 12 | type hashTable struct {
 13 | 	size       int64
 14 | 	recordSize int
 15 | 	file       *os.File
 16 | 	path       string
 17 | }
 18 | 
 19 | func openHashTable(path string) (*hashTable, error) {
 20 | 	file, err := os.Open(path)
 21 | 	if err != nil {
 22 | 		return nil, err
 23 | 	}
 24 | 
 25 | 	table := &hashTable{
 26 | 		file: file,
 27 | 		path: path,
 28 | 	}
 29 | 
 30 | 	return table, nil
 31 | }
 32 | 
 33 | func (table *hashTable) getRecord(number int64) ([]byte, error) {
 34 | 	recordSize, err := table.getRecordSize()
 35 | 	if err != nil {
 36 | 		return nil, hierr.Errorf(
 37 | 			err, "can't get table record size",
 38 | 		)
 39 | 	}
 40 | 
 41 | 	tableSize, err := table.getSize()
 42 | 	if err != nil {
 43 | 		return nil, hierr.Errorf(
 44 | 			err, "can't get table size",
 45 | 		)
 46 | 	}
 47 | 
 48 | 	if number >= tableSize {
 49 | 		return nil, errors.New("record number is out of range")
 50 | 	}
 51 | 
 52 | 	var (
 53 | 		// +1 for new line
 54 | 		offset = number * int64(recordSize+1)
 55 | 		record = make([]byte, recordSize)
 56 | 	)
 57 | 
 58 | 	readLength, err := table.file.ReadAt(record, offset)
 59 | 	if err != nil {
 60 | 		return nil, err
 61 | 	}
 62 | 
 63 | 	if readLength != recordSize {
 64 | 		return nil, errors.New("read bytes are less than required record size")
 65 | 	}
 66 | 
 67 | 	return record, nil
 68 | }
 69 | 
 70 | func (table *hashTable) hashExists(hash string) (bool, error) {
 71 | 	defer table.file.Seek(0, 0)
 72 | 
 73 | 	scanner := bufio.NewScanner(table.file)
 74 | 	for scanner.Scan() {
 75 | 		if scanner.Text() == hash {
 76 | 			return true, nil
 77 | 		}
 78 | 	}
 79 | 
 80 | 	return false, scanner.Err()
 81 | }
 82 | 
 83 | func (table *hashTable) getRecordSize() (int, error) {
 84 | 	if table.recordSize != 0 {
 85 | 		return table.recordSize, nil
 86 | 	}
 87 | 
 88 | 	var line string
 89 | 	_, err := fmt.Fscanln(table.file, &line)
 90 | 	if err != nil {
 91 | 		return 0, err
 92 | 	}
 93 | 
 94 | 	_, err = table.file.Seek(0, 0)
 95 | 	if err != nil {
 96 | 		return 0, err
 97 | 	}
 98 | 
 99 | 	table.recordSize = len(line)
100 | 
101 | 	return table.recordSize, nil
102 | }
103 | 
104 | func (table *hashTable) getSize() (int64, error) {
105 | 	if table.size != 0 {
106 | 		return table.size, nil
107 | 	}
108 | 
109 | 	recordSize, err := table.getRecordSize()
110 | 	if err != nil {
111 | 		return 0, hierr.Errorf(
112 | 			err, "can't get table record size",
113 | 		)
114 | 	}
115 | 
116 | 	stat, err := os.Stat(table.path)
117 | 	if err != nil {
118 | 		return 0, hierr.Errorf(
119 | 			err, "can't stat table file",
120 | 		)
121 | 	}
122 | 
123 | 	table.size = stat.Size() / int64(recordSize)
124 | 
125 | 	return table.size, nil
126 | }
127 | 


--------------------------------------------------------------------------------
/tests/run_tests:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | set -euo pipefail
 4 | 
 5 | cd "$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"
 6 | source ../vendor/github.com/reconquest/import.bash/import.bash
 7 | 
 8 | import:use "github.com/reconquest/test-runner.bash"
 9 | 
10 | :main() {
11 |     trap :cleanup EXIT
12 |     :cleanup() {
13 |         :
14 |     }
15 | 
16 |     GOBIN=$(dirname $(pwd)) go install ../
17 |     mv ../shadowd ../shadowd.test
18 | 
19 |     test-runner:set-local-setup setup.sh
20 |     test-runner:set-local-teardown teardown.sh
21 |     test-runner:set-testcases-dir testcases
22 |     test-runner:run "${@}"
23 | }
24 | 
25 | :main "${@}"
26 | 


--------------------------------------------------------------------------------
/tests/setup.sh:
--------------------------------------------------------------------------------
 1 | if ! which mongod &>/dev/null; then
 2 |     echo "fatal: dependency mongod is missing"
 3 |     exit 1
 4 | fi
 5 | 
 6 | tests:clone ../shadowd.test bin
 7 | 
 8 | _mongod="127.0.0.1:64999"
 9 | _shadowd_args=""
10 | 
11 | :shadowd-prepare() {
12 |     tests:make-tmp-dir tables
13 |     tests:ensure chmod 0700 tables
14 |     tests:make-tmp-dir ssh
15 |     tests:make-tmp-dir certs
16 | }
17 | 
18 | :shadowd() {
19 |     :shadowd-prepare
20 | 
21 |     tests:eval shadowd.test \
22 |         --tables $(tests:get-tmp-dir)/tables/ \
23 |         --keys $(tests:get-tmp-dir)/ssh/ \
24 |         --certs $(tests:get-tmp-dir)/certs/ \
25 |         ${_shadowd_args[@]} "$@"
26 | 
27 |     cat $(tests:get-stdout-file)
28 |     cat $(tests:get-stderr-file) >&2
29 | 
30 |     return $(tests:get-exitcode)
31 | }
32 | 
33 | :shadowd-listen() {
34 |     :shadowd-prepare
35 | 
36 |     tests:ensure :shadowd -C --bytes 1024
37 | 
38 |     tests:run-background _shadowd shadowd.test \
39 |         --tables $(tests:get-tmp-dir)/tables/ \
40 |         --keys $(tests:get-tmp-dir)/ssh/ \
41 |         --certs $(tests:get-tmp-dir)/certs/ \
42 |         ${_shadowd_args[@]} -L "$@"
43 | }
44 | 
45 | :mongod() {
46 |     tests:make-tmp-dir db
47 |     tests:run-background mongod_background \
48 |         mongod --dbpath $(tests:get-tmp-dir)/db --port 64999
49 | }
50 | 
51 | :shadowd-mongodb-config() {
52 |     tests:put config <<CONF
53 | [backend]
54 | use = "mongodb"
55 | dsn = "mongodb://$_mongod/shadowd"
56 | CONF
57 |     _shadowd_args=("--config" "$(tests:get-tmp-dir)/config")
58 | }
59 | 
60 | :mongo() {
61 |     tests:eval mongo --quiet $_mongod/shadowd --eval "$@"
62 | 
63 |     cat $(tests:get-stdout-file)
64 |     cat $(tests:get-stderr-file) >&2
65 | 
66 |     return $(tests:get-exitcode)
67 | }
68 | 


--------------------------------------------------------------------------------
/tests/teardown.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reconquest/shadowd/9872369969f77c0831613bf34c8a8c673a6babb8/tests/teardown.sh


--------------------------------------------------------------------------------
/tests/testcases/change-password-if-tokens-are-same-as-retrieved.test.sh:
--------------------------------------------------------------------------------
 1 | :shadowd-listen "127.0.0.1:60002"
 2 | 
 3 | tests:ensure :shadowd -G --no-confirm --length 100 a/b/c/d '<<<' 'old'
 4 | 
 5 | tests:ensure curl -X PUT -k "https://127.0.0.1:60002/t/a/b/c/d"
 6 | 
 7 | salts=($(cat $(tests:get-stdout-file)))
 8 | 
 9 | payload="password=new"
10 | for salt in "${salts[@]}"; do
11 |     tests:ensure python -c "import crypt; print(crypt.crypt('old', '\$salt'))"
12 |     payload="$payload&shadow[]=$(cat $(tests:get-stdout-file))"
13 | done
14 | 
15 | tests:ensure curl -v -X PUT -d "\$payload" -k "https://127.0.0.1:60002/t/a/b/c/d"
16 | tests:assert-stderr-re '200 OK|HTTP/2 200'
17 | 
18 | tests:ensure curl -v -k "https://127.0.0.1:60002/t/a/b/c/d"
19 | 
20 | new=$(cat $(tests:get-stdout-file))
21 | salt=$(head -c 19 <<< "$new")
22 | 
23 | tests:ensure python -c "import crypt; print(crypt.crypt('new', '\$salt'))"
24 | tests:assert-no-diff stdout <<< "$new"
25 | 


--------------------------------------------------------------------------------
/tests/testcases/do-not-change-password-if-tokens-do-not-match.test.sh:
--------------------------------------------------------------------------------
 1 | :shadowd-listen "127.0.0.1:60002"
 2 | 
 3 | tests:ensure :shadowd -G --no-confirm --length 100 a/b/c/d '<<<' 'old'
 4 | 
 5 | tests:ensure curl -X PUT -k "https://127.0.0.1:60002/t/a/b/c/d"
 6 | 
 7 | salts=($(cat $(tests:get-stdout-file)))
 8 | 
 9 | payload="password=new"
10 | for salt in "${salts[@]}"; do
11 |     tests:ensure python -c "import crypt; print(crypt.crypt('BAD', '\$salt'))"
12 |     payload="$payload&shadow[]=$(cat $(tests:get-stdout-file))"
13 | done
14 | 
15 | tests:ensure curl -v -X PUT -d "\$payload" -k "https://127.0.0.1:60002/t/a/b/c/d"
16 | tests:assert-stderr-re '400 Bad Request|HTTP/2 400'
17 | 


--------------------------------------------------------------------------------
/tests/testcases/fs/add-ssh-key-with-truncate.test.sh:
--------------------------------------------------------------------------------
 1 | tests:ensure ssh-keygen -t rsa -b 1024 -f id_rsa
 2 | tests:ensure :shadowd -K blah/token '<' id_rsa.pub
 3 | 
 4 | tests:ensure ssh-keygen -t rsa -b 1024 -f id_rsa_2
 5 | tests:ensure :shadowd --truncate -K blah/token '<' id_rsa_2.pub
 6 | 
 7 | tests:assert-no-diff $(tests:get-tmp-dir)/ssh/blah/token <<KEYS
 8 | $(cat id_rsa_2.pub)
 9 | KEYS
10 | 


--------------------------------------------------------------------------------
/tests/testcases/fs/add-ssh-key.test.sh:
--------------------------------------------------------------------------------
 1 | tests:ensure ssh-keygen -t rsa -b 1024 -f id_rsa
 2 | tests:ensure :shadowd -K blah/token '<' id_rsa.pub
 3 | 
 4 | tests:ensure ssh-keygen -t rsa -b 1024 -f id_rsa_2
 5 | tests:ensure :shadowd -K blah/token '<' id_rsa_2.pub
 6 | 
 7 | tests:assert-no-diff $(tests:get-tmp-dir)/ssh/blah/token <<KEYS
 8 | $(cat id_rsa.pub)
 9 | $(cat id_rsa_2.pub)
10 | KEYS
11 | 


--------------------------------------------------------------------------------
/tests/testcases/fs/generate-hash-table.test.sh:
--------------------------------------------------------------------------------
 1 | tests:ensure \
 2 |     :shadowd --no-confirm --length 100 -G pool/token '<<<' "password"
 3 | 
 4 | tests:assert-stdout \
 5 |     'Hash table pool/token with 100 items successfully created'
 6 | 
 7 | tests:assert-test -f $(tests:get-tmp-dir)/tables/pool/token
 8 | 
 9 | tests:ensure wc -l '<' $(tests:get-tmp-dir)/tables/pool/token
10 | tests:assert-stdout-re '^100$'
11 | 


--------------------------------------------------------------------------------
/tests/testcases/fs/list-tokens.test.sh:
--------------------------------------------------------------------------------
 1 | :shadowd-listen 127.0.0.1:60002
 2 | 
 3 | tests:ensure \
 4 |     :shadowd --no-confirm --length 100 -G pool/token '<<<' "password"
 5 | 
 6 | tests:ensure \
 7 |     :shadowd --no-confirm --length 100 -G pool/token2 '<<<' "password"
 8 | 
 9 | tests:ensure \
10 |     :shadowd --no-confirm --length 100 -G pool2/token3 '<<<' "password"
11 | 
12 | tests:ensure curl -k "https://127.0.0.1:60002/t/pool/"
13 | tests:assert-no-diff stdout <<TOKENS
14 | token
15 | token2
16 | TOKENS
17 | 


--------------------------------------------------------------------------------
/tests/testcases/fs/next-requests-for-hash-must-return-another-hash.test.sh:
--------------------------------------------------------------------------------
 1 | :shadowd-listen "127.0.0.1:60002"
 2 | 
 3 | tests:ensure :shadowd -G --no-confirm --length 100 a/b/c/d '<<<' 'password'
 4 | 
 5 | tests:ensure curl -k "https://127.0.0.1:60002/t/a/b/c/d"
 6 | tests:assert-stdout-re '^.{63}$'
 7 | 
 8 | tests:value secret cat $(tests:get-stdout-file)
 9 | 
10 | tests:describe "secret: $secret"
11 | 
12 | tests:ensure curl -k "https://127.0.0.1:60002/t/a/b/c/d"
13 | tests:not tests:assert-stdout "$secret"
14 | 
15 | tests:value stub cat $(tests:get-stdout-file)
16 | 
17 | tests:ensure curl -k "https://127.0.0.1:60002/t/a/b/c/d"
18 | tests:assert-no-diff stdout <<< "$stub"
19 | 


--------------------------------------------------------------------------------
/tests/testcases/fs/retrieve-hash-for-token.test.sh:
--------------------------------------------------------------------------------
1 | :shadowd-listen "127.0.0.1:60002"
2 | 
3 | tests:ensure :shadowd -G --no-confirm --length 100 a/b/c/d '<<<' 'password'
4 | 
5 | tests:ensure curl -k "https://127.0.0.1:60002/t/a/b/c/d"
6 | tests:assert-stdout-re '^.{63}$'
7 | 


--------------------------------------------------------------------------------
/tests/testcases/fs/retrieve-ssh-keys-for-token.test.sh:
--------------------------------------------------------------------------------
1 | :shadowd-listen "127.0.0.1:60002"
2 | 
3 | tests:ensure ssh-keygen -t rsa -b 1024 -f id_rsa
4 | tests:ensure :shadowd -K blah/token '<' id_rsa.pub
5 | 
6 | tests:ensure curl -k "https://127.0.0.1:60002/ssh/blah/token"
7 | tests:assert-no-diff stdout < id_rsa.pub
8 | 


--------------------------------------------------------------------------------
/tests/testcases/mongodb/add-ssh-key-with-truncate.test.sh:
--------------------------------------------------------------------------------
 1 | :mongod
 2 | :shadowd-mongodb-config
 3 | 
 4 | tests:ensure ssh-keygen -t rsa -b 1024 -f id_rsa
 5 | tests:ensure :shadowd -K blah/token '<' id_rsa.pub
 6 | 
 7 | tests:ensure ssh-keygen -t rsa -b 1024 -f id_rsa_2
 8 | tests:ensure :shadowd --truncate -K blah/token '<' id_rsa_2.pub
 9 | 
10 | tests:ensure :mongo "db.keys.find({}, {key:1,_id:0}).pretty()"
11 | tests:assert-no-diff stdout <<KEYS
12 | {
13 | 	"key" : "$(cat id_rsa_2.pub)"
14 | }
15 | KEYS
16 | 


--------------------------------------------------------------------------------
/tests/testcases/mongodb/add-ssh-key.test.sh:
--------------------------------------------------------------------------------
 1 | :mongod
 2 | :shadowd-mongodb-config
 3 | 
 4 | tests:ensure ssh-keygen -t rsa -b 1024 -f id_rsa
 5 | tests:ensure :shadowd -K blah/token '<' id_rsa.pub
 6 | 
 7 | tests:ensure ssh-keygen -t rsa -b 1024 -f id_rsa_2
 8 | tests:ensure :shadowd -K blah/token '<' id_rsa_2.pub
 9 | 
10 | tests:ensure :mongo "db.keys.find({}, {key:1,_id:0}).pretty()"
11 | tests:assert-no-diff stdout <<KEYS
12 | {
13 | 	"key" : "$(cat id_rsa.pub)"
14 | }
15 | {
16 | 	"key" : "$(cat id_rsa_2.pub)"
17 | }
18 | KEYS
19 | 


--------------------------------------------------------------------------------
/tests/testcases/mongodb/generate-hash-table.test.sh:
--------------------------------------------------------------------------------
 1 | :mongod
 2 | :shadowd-mongodb-config
 3 | 
 4 | tests:ensure \
 5 |     :shadowd --no-confirm --length 100 -G pool/token '<<<' "password"
 6 | 
 7 | tests:assert-stdout \
 8 |     'Hash table pool/token with 100 items successfully created'
 9 | 
10 | tests:ensure :mongo "db.shadows.find({}).count()"
11 | tests:assert-stdout-re '^100$'
12 | 


--------------------------------------------------------------------------------
/tests/testcases/mongodb/list-tokens.test.sh:
--------------------------------------------------------------------------------
 1 | :mongod
 2 | :shadowd-mongodb-config
 3 | 
 4 | :shadowd-listen 127.0.0.1:60002
 5 | 
 6 | tests:ensure \
 7 |     :shadowd --no-confirm --length 100 -G pool/token '<<<' "password"
 8 | 
 9 | tests:ensure \
10 |     :shadowd --no-confirm --length 100 -G pool/token2 '<<<' "password"
11 | 
12 | tests:ensure \
13 |     :shadowd --no-confirm --length 100 -G pool2/token3 '<<<' "password"
14 | 
15 | tests:ensure curl -k "https://127.0.0.1:60002/t/pool/"
16 | tests:assert-no-diff stdout <<TOKENS
17 | token
18 | token2
19 | TOKENS
20 | 


--------------------------------------------------------------------------------
/tests/testcases/mongodb/next-requests-for-hash-must-return-another-hash.test.sh:
--------------------------------------------------------------------------------
 1 | :shadowd-listen "127.0.0.1:60002"
 2 | 
 3 | tests:ensure :shadowd -G --no-confirm --length 100 a/b/c/d '<<<' 'password'
 4 | 
 5 | tests:ensure curl -k "https://127.0.0.1:60002/t/a/b/c/d"
 6 | tests:assert-stdout-re '^.{63}$'
 7 | 
 8 | tests:value secret cat $(tests:get-stdout-file)
 9 | 
10 | tests:describe "secret: $secret"
11 | 
12 | tests:ensure curl -k "https://127.0.0.1:60002/t/a/b/c/d"
13 | tests:not tests:assert-stdout "$secret"
14 | 
15 | tests:value stub cat $(tests:get-stdout-file)
16 | 
17 | tests:ensure curl -k "https://127.0.0.1:60002/t/a/b/c/d"
18 | tests:assert-no-diff stdout <<< "$stub"
19 | 


--------------------------------------------------------------------------------
/tests/testcases/mongodb/retrieve-hash-for-token.test.sh:
--------------------------------------------------------------------------------
 1 | :mongod
 2 | :shadowd-mongodb-config
 3 | 
 4 | :shadowd-listen "127.0.0.1:60002"
 5 | 
 6 | tests:ensure :shadowd -G --no-confirm --length 100 a/b/c/d '<<<' 'password'
 7 | 
 8 | tests:ensure curl -k "https://127.0.0.1:60002/t/a/b/c/d"
 9 | tests:assert-stdout-re '^.{63}$'
10 | 


--------------------------------------------------------------------------------
/tests/testcases/mongodb/retrieve-ssh-keys-for-token.test.sh:
--------------------------------------------------------------------------------
 1 | :mongod
 2 | :shadowd-mongodb-config
 3 | 
 4 | :shadowd-listen "127.0.0.1:60002"
 5 | 
 6 | tests:ensure ssh-keygen -t rsa -b 1024 -f id_rsa
 7 | tests:ensure :shadowd -K blah/token '<' id_rsa.pub
 8 | 
 9 | tests:ensure curl -k "https://127.0.0.1:60002/ssh/blah/token"
10 | tests:assert-no-diff stdout < id_rsa.pub
11 | 


--------------------------------------------------------------------------------
/tests/testcases/retrieve-ten-unique-salts-for-specified-token.test.sh:
--------------------------------------------------------------------------------
 1 | :shadowd-listen "127.0.0.1:60002"
 2 | 
 3 | tests:ensure :shadowd -G --no-confirm --length 100 a/b/c/d '<<<' 'old'
 4 | 
 5 | tests:ensure curl -X PUT -k "https://127.0.0.1:60002/t/a/b/c/d"
 6 | 
 7 | salts=$(cat $(tests:get-stdout-file))
 8 | 
 9 | tests:ensure curl -X PUT -k "https://127.0.0.1:60002/t/a/b/c/d"
10 | tests:assert-no-diff stdout <<SALTS
11 | $salts
12 | SALTS
13 | 
14 | tests:ensure sort \| uniq \| wc -l <<< "$salts"
15 | tests:assert-stdout-re '^10$'
16 | 


--------------------------------------------------------------------------------
/vendor/.gitignore:
--------------------------------------------------------------------------------
1 | /github.com/reconquest/tests.sh
2 | /github.com/reconquest/test-runner.bash
3 | /github.com/reconquest/types.bash
4 | /github.com/reconquest/opts.bash
5 | 


--------------------------------------------------------------------------------