From d6487688ab7ef2a9d47cb9f67cdedc0c498ff3d3 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org>
Date: Mon, 19 Oct 2020 08:11:26 +0300
Subject: [PATCH] Switch from dep to go mod.

* Gopkg.lock: Remove.
* Gopkg.toml: Remove.
* go.mod: New file.
* Makefile: New file.
* README.md: Change instructions.
---
 .gitignore |   2 +
 Gopkg.lock | 184 -----------------------------------------------------
 Gopkg.toml |  50 ---------------
 Makefile   |  48 ++++++++++++++
 README.md  |  53 ++++++++++-----
 go.mod     |  31 +++++++++
 6 files changed, 117 insertions(+), 251 deletions(-)
 delete mode 100644 Gopkg.lock
 delete mode 100644 Gopkg.toml
 create mode 100644 Makefile
 create mode 100644 go.mod

diff --git a/.gitignore b/.gitignore
index 791627d..44b66c5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,7 @@
 .emacs*
 *~
 sargon
+go.sum
+*.tar.gz
 /tmp/
 /vendor/
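Review bot: Ignoring `go.sum` (the added `+go.sum` line) keeps the module checksums out of version control, so nothing in the repository pins the content of the versions listed in go.mod. Each build then accepts whatever the module proxy or checksum database returns at download time. The Gopkg.lock removed by this same commit recorded a full revision hash for every project, so this is a step back in dependency pinning. Drop the `go.sum` line here, commit the generated file, and list it in the new Makefile's `DISTFILES` (`DISTFILES = go.mod go.sum $(SOURCES) ...`) so release tarballs carry the checksums too.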
diff --git a/Gopkg.lock b/Gopkg.lock
deleted file mode 100644
index e253ed8..0000000
--- a/Gopkg.lock
+++ /dev/null
@@ -1,184 +0,0 @@
-# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
-
-
-[[projects]]
-  name = "github.com/Microsoft/go-winio"
-  packages = ["."]
-  revision = "1a8911d1ed007260465c3bfbbc785ac6915a0bb8"
-  version = "v0.4.12"
-
-[[projects]]
-  name = "github.com/coreos/go-systemd"
-  packages = ["activation"]
-  revision = "95778dfbb74eb7e4dbaf43bf7d71809650ef8076"
-  version = "v19"
-
-[[projects]]
-  name = "github.com/docker/distribution"
-  packages = ["registry/api/errcode"]
-  revision = "2461543d988979529609e8cb6fca9ca190dc48da"
-  version = "v2.7.1"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/docker/docker"
-  packages = [
-    "api/types",
-    "api/types/blkiodev",
-    "api/types/container",
-    "api/types/filters",
-    "api/types/mount",
-    "api/types/network",
-    "api/types/registry",
-    "api/types/strslice",
-    "api/types/swarm",
-    "api/types/swarm/runtime",
-    "api/types/versions",
-    "api/types/volume",
-    "errdefs"
-  ]
-  revision = "cf508036aacf08cc9fcf7f1101cae1a707548679"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/docker/engine-api"
-  packages = [
-    "types/blkiodev",
-    "types/container",
-    "types/mount",
-    "types/strslice"
-  ]
-  revision = "4290f40c056686fcaa5c9caf02eac1dde9315adf"
-
-[[projects]]
-  name = "github.com/docker/go-connections"
-  packages = [
-    "nat",
-    "sockets"
-  ]
-  revision = "7395e3f8aa162843a74ed6d48e79627d9792ac55"
-  version = "v0.4.0"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/docker/go-plugins-helpers"
-  packages = [
-    "authorization",
-    "sdk"
-  ]
-  revision = "1e6269c305b8c75cfda1c8aa91349c38d7335814"
-
-[[projects]]
-  name = "github.com/docker/go-units"
-  packages = ["."]
-  revision = "47565b4f722fb6ceae66b95f853feed578a4a51c"
-  version = "v0.3.3"
-
-[[projects]]
-  name = "github.com/gogo/protobuf"
-  packages = ["proto"]
-  revision = "ba06b47c162d49f2af050fb4c75bcbc86a159d5c"
-  version = "v1.2.1"
-
-[[projects]]
-  name = "github.com/golang/protobuf"
-  packages = [
-    "proto",
-    "ptypes",
-    "ptypes/any",
-    "ptypes/duration",
-    "ptypes/timestamp"
-  ]
-  revision = "b5d812f8a3706043e23a9cd5babf2e5423744d30"
-  version = "v1.3.1"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/kardianos/osext"
-  packages = ["."]
-  revision = "2bc1f35cddc0cc527b4bc3dce8578fc2a6c11384"
-
-[[projects]]
-  name = "github.com/konsorten/go-windows-terminal-sequences"
-  packages = ["."]
-  revision = "f55edac94c9bbba5d6182a4be46d86a2c9b5b50e"
-  version = "v1.0.2"
-
-[[projects]]
-  name = "github.com/opencontainers/go-digest"
-  packages = ["."]
-  revision = "279bed98673dd5bef374d3b6e4b09e2af76183bf"
-  version = "v1.0.0-rc1"
-
-[[projects]]
-  name = "github.com/opencontainers/image-spec"
-  packages = [
-    "specs-go",
-    "specs-go/v1"
-  ]
-  revision = "d60099175f88c47cd379c4738d158884749ed235"
-  version = "v1.0.1"
-
-[[projects]]
-  name = "github.com/sevlyar/go-daemon"
-  packages = ["."]
-  revision = "f9261e73885de99b1647d68bedadf2b9a99ad11f"
-  version = "v0.1.4"
-
-[[projects]]
-  name = "github.com/sirupsen/logrus"
-  packages = ["."]
-  revision = "8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f"
-  version = "v1.4.1"
-
-[[projects]]
-  branch = "master"
-  name = "golang.org/x/net"
-  packages = [
-    "internal/socks",
-    "proxy"
-  ]
-  revision = "74de082e2cca95839e88aa0aeee5aadf6ce7710f"
-
-[[projects]]
-  branch = "master"
-  name = "golang.org/x/sys"
-  packages = [
-    "unix",
-    "windows"
-  ]
-  revision = "baf5eb976a8cd65845293cd814ea151018552292"
-
-[[projects]]
-  branch = "master"
-  name = "google.golang.org/genproto"
-  packages = ["googleapis/rpc/status"]
-  revision = "f467c93bbac2133ff463e1f93d18d8f9f3f04451"
-
-[[projects]]
-  name = "google.golang.org/grpc"
-  packages = [
-    "codes",
-    "status"
-  ]
-  revision = "3507fb8e1a5ad030303c106fef3a47c9fdad16ad"
-  version = "v1.19.1"
-
-[[projects]]
-  name = "gopkg.in/asn1-ber.v1"
-  packages = ["."]
-  revision = "f715ec2f112d1e4195b827ad68cf44017a3ef2b1"
-  version = "v1.3"
-
-[[projects]]
-  name = "gopkg.in/ldap.v2"
-  packages = ["."]
-  revision = "bb7a9ca6e4fbc2129e3db588a34bc970ffe811a9"
-  version = "v2.5.1"
-
-[solve-meta]
-  analyzer-name = "dep"
-  analyzer-version = 1
-  inputs-digest = "17e1eb92d7419b702b76954bd2e3648df5ff45939c657ddf6a6623381418f900"
-  solver-name = "gps-cdcl"
-  solver-version = 1
diff --git a/Gopkg.toml b/Gopkg.toml
deleted file mode 100644
index fcfbb3d..0000000
--- a/Gopkg.toml
+++ /dev/null
@@ -1,50 +0,0 @@
-# Gopkg.toml example
-#
-# Refer to https://golang.github.io/dep/docs/Gopkg.toml.html
-# for detailed Gopkg.toml documentation.
-#
-# required = ["github.com/user/thing/cmd/thing"]
-# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
-#
-# [[constraint]]
-#   name = "github.com/user/project"
-#   version = "1.0.0"
-#
-# [[constraint]]
-#   name = "github.com/user/project2"
-#   branch = "dev"
-#   source = "github.com/myfork/project2"
-#
-# [[override]]
-#   name = "github.com/x/y"
-#   version = "2.4.0"
-#
-# [prune]
-#   non-go = false
-#   go-tests = true
-#   unused-packages = true
-
-
-[[constraint]]
-  name = "github.com/docker/docker"
-  branch = "master"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/docker/engine-api"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/docker/go-plugins-helpers"
-
-[[constraint]]
-  name = "github.com/sevlyar/go-daemon"
-  version = "0.1.4"
-
-[[constraint]]
-  name = "gopkg.in/ldap.v2"
-  version = "2.5.1"
-
-[prune]
-  go-tests = true
-  unused-packages = true
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..48996f6
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,48 @@
+PACKAGE = sargon
+VERSION = 1.0
+
+PREFIX  = /usr/local
+BINDIR  = $(PREFIX)/bin
+
+SOURCES = \
+ main.go\
+ access/access.go\
+ auth/container_create.go\
+ auth/volume_create.go\
+ diag/diag.go\
+ server/action.go\
+ server/authz.go\
+ server/ldap.go\
+ server/netgroup.go\
+ server/type.go
+
+all:
+	@go mod download
+	@go build
+
+clean:
+	@go clean
+
+install: sargon
+	@GOBIN=$(BINDIR) go install .
+
+DISTDIR   = $(PACKAGE)-$(VERSION)
+DISTFILES = go.mod $(SOURCES) $(MANPAGE) README.md LICENSE Makefile 
+
+distdir:
+	@test -d $(DISTDIR) || mkdir $(DISTDIR)
+	@tar cf - $(DISTFILES) | tar Cxf $(DISTDIR) -
+
+dist: distdir
+	@tar zcf $(DISTDIR).tar.gz $(DISTDIR)
+	@rm -rf $(DISTDIR)
+
+distcheck: dist
+	@tar xfz $(DISTDIR).tar.gz
+	@if $(MAKE) -C $(DISTDIR) $(DISTCHECKFLAGS); then \
+	  echo "$(DISTDIR).tar.gz ready for distribution"; \
+	  rm -rf $(DISTDIR); \
+        else \
+          exit 2; \
+	fi
+
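Review bot: The `install: sargon` prerequisite names a file that no rule builds; `all` produces it only as a side effect, so `make install` on a clean tree stops with a missing-target error. When it does run, `go install .` repeats the build, and possibly the module download, under the installing account, which the README in this commit says is root. Give the binary a real rule, `sargon: go.mod $(SOURCES)` with the recipe `go build -o $@ .`, and let the privileged step only copy it: `install -m 0755 sargon $(DESTDIR)$(BINDIR)/sargon`. The targets `all`, `clean`, `install`, `distdir`, `dist` and `distcheck` should also be declared `.PHONY`, and `$(MANPAGE)` in `DISTFILES` is never defined in this file.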
diff --git a/README.md b/README.md
index c55a025..e5eb261 100644
--- a/README.md
+++ b/README.md
@@ -14,10 +14,31 @@ User privileges are kept in LDAP.
 After cloning, change to the source directory and run
 
 ```text
-  dep ensure
-  go build
+ make
 ```
 
+To install the created binary, run (as root):
+
+```text
+ make install
+```
+
+By default, the *sargon* binary is installed to `/usr/local/bin`.  To
+select another installation directory, use the `BINDIR` or `PREFIX`
+variable.  The `BINDIR` variable specifies the directory to install
+*sargon* to.  E.g. to istall it to `/usr/bin`, do
+
+```text
+ make install BINDIR=/usr/bin
+```
+
+Alternatively, you may use the `PREFIX` variable, which specifies the
+directory where `bin` is located, e.g.:
+
+```text
+ make install PREFIX=/usr
+``` 
+
 ## Usage
 
 When started, the program reads its configuration file, disconnects itself
@@ -235,7 +256,7 @@ with _(single)_, multiple attribute instances are allowed.
   date/time after which this entry ceases to be valid. Notice, that the
   timestamp must be in UTC.
 
-To determine privileges of the requesting user, *sargon* uses the following
+When verifying each incoming request, *sargon* uses the following
 algorithm:
 
 1. Create LDAP filter with the user name and the names of the groups the
@@ -274,36 +295,34 @@ algorithm:
    `sargonAllow` attribute, go to step 9.
 
 7. Otherwise, if the object has one or more `sargonDeny` attributes and
-   if one of these contains the requested action or the meta-action `ALL`,
-   then go to step 16.
+   one of these contains the requested action or the meta-action `ALL`,
+   then deny the request.
 
 8. Advance to the next object, and restart from step 6.
 
-9. Unless the requested action is `ContainerCreate`, go to step 15.
+9. Unless the requested action is `ContainerCreate`, authorize the request.
 
-10. If privileges container creation is requested:
-    If `sargonAllowPrivileged` is `FALSE`, then go to 16.
+10. If privileges container creation is requestedm and
+    `sargonAllowPrivileged` is `FALSE`, then deny the request.
     Otherwise, advance to the next step.
 
 11. If any additional linux capabilities are requested, check if they
     are listed in `sargonAllowCapability` attributes. If any of them is
-    not, go to step 16.
+    not, deny the request.
 
-12. Check requested binds and mounts. For each source directory, check
-    it against each `sargonMount` attribute.  If it matches the attribute
+12. Check requested binds and mounts. Check each source directory against
+    each `sargonMount` attribute.  If the directory matches the attribute
     exactly, or if the attribute value ends with a `/*` and the source
     directory prefix matches the value, then the mount is allowed.
-    Otherwise, go to 16.
+    Otherwise, request is denied,
 
 13. If the requested maximum memory is greater than the value of the
-    `sargonMaxMemory` attribute, go to 16.
+    `sargonMaxMemory` attribute, request is denied.
 
 14. If the requested maximum kernel memory is greater than the value of the
-    `sargonMaxKernelMemory` attribute, go to 16.
-
-15. Success. Authorize the request.
+    `sargonMaxKernelMemory` attribute, request is denied.
 
-16. Failure. Deny the request.
+15. Otherwise, request is authorized.
 
 ## Actions
 
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..4c41123
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,31 @@
+module sargon
+
+go 1.13
+
+require (
+	github.com/Microsoft/go-winio v0.4.12 // indirect
+	github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e // indirect
+	github.com/docker/distribution v2.7.1+incompatible // indirect
+	github.com/docker/docker v17.12.0-ce-rc1.0.20190403111212-cf508036aacf+incompatible
+	github.com/docker/engine-api v0.4.1-0.20160908232104-4290f40c0566
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-plugins-helpers v0.0.0-20181025120712-1e6269c305b8
+	github.com/docker/go-units v0.3.3 // indirect
+	github.com/gogo/protobuf v1.2.1 // indirect
+	github.com/golang/protobuf v1.3.1 // indirect
+	github.com/google/go-cmp v0.5.2 // indirect
+	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
+	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
+	github.com/opencontainers/go-digest v1.0.0-rc1 // indirect
+	github.com/opencontainers/image-spec v1.0.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/sevlyar/go-daemon v0.1.4
+	github.com/sirupsen/logrus v1.4.1 // indirect
+	golang.org/x/net v0.0.0-20190328230028-74de082e2cca // indirect
+	golang.org/x/sys v0.0.0-20190402142545-baf5eb976a8c // indirect
+	google.golang.org/genproto v0.0.0-20190401181712-f467c93bbac2 // indirect
+	google.golang.org/grpc v1.19.1 // indirect
+	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
+	gopkg.in/ldap.v2 v2.5.1
+	gotest.tools v2.2.0+incompatible // indirect
+)
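Review bot: The `require` block carries over the revisions dep had locked without recording that they are unreviewed; the pseudo-version suffixes `cf508036aacf`, `4290f40c0566` and `74de082e2cca` match the revisions in the removed Gopkg.lock. The network-handling dependencies (`golang.org/x/net`, `google.golang.org/grpc`, `gopkg.in/ldap.v2`, the docker packages) therefore stay at snapshots dated 2016–2019 by their timestamps. That is reasonable for a tooling migration, but add `// Versions carried over from Gopkg.lock; not yet reviewed for updates.` above `require (` and follow up with `go list -m -u all`. The bare `module sargon` path is also not a fetchable import path; if the program should be installable by module path, it would need to be the repository URL, which this patch does not show.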