Merge pull request #37 from linagora/sprint-2

Sprint 2: SSH bastion

Author: guimard

.github/workflows/ci.yml

@@ -6,10 +6,16 @@ on:
   pull_request:
     branches: [ main ]
 
+# Restrict GITHUB_TOKEN permissions to read-only by default
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build and Test (${{ matrix.os }})
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
 
     strategy:
       matrix:
@@ -54,6 +60,8 @@ jobs:
   build-debug:
     name: Build Debug with Sanitizers
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
     - name: Checkout code
@@ -89,6 +97,8 @@ jobs:
     name: Build Debian Package
     runs-on: ubuntu-latest
     needs: build
+    permissions:
+      contents: read
 
     steps:
     - name: Checkout code
@@ -125,6 +135,8 @@ jobs:
     name: Build RPM (Rocky Linux ${{ matrix.version }})
     runs-on: ubuntu-latest
     needs: build
+    permissions:
+      contents: read
     container: rockylinux:${{ matrix.version }}
 
     strategy:
@@ -168,6 +180,8 @@ jobs:
   shellcheck:
     name: ShellCheck
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
     - name: Checkout code

CMakeLists.txt

@@ -37,6 +37,7 @@ set(PAM_MODULE_SOURCES
     src/token_manager.c
     src/notify.c
     src/secret_store.c
+    src/auth_cache.c
 )
 
 if(ENABLE_CACHE)

include/auth_cache.h

@@ -0,0 +1,105 @@
+/*
+ * auth_cache.h - Authorization cache for offline mode
+ *
+ * Caches authorization responses from LLNG server for offline use.
+ * Uses AES-256-GCM encryption with machine-id derived key.
+ *
+ * Copyright (C) 2024 Linagora
+ * License: AGPL-3.0
+ */
+
+#ifndef AUTH_CACHE_H
+#define AUTH_CACHE_H
+
+#include <stdbool.h>
+#include <time.h>
+
+/* Authorization cache entry */
+typedef struct {
+    int version;            /* Cache format version (3) */
+    time_t expires_at;      /* Expiration timestamp */
+    char *user;             /* Username */
+    bool authorized;        /* Authorization result */
+    char **groups;          /* User groups */
+    size_t groups_count;    /* Number of groups */
+    bool sudo_allowed;      /* Sudo permission */
+    bool sudo_nopasswd;     /* Sudo without password */
+    char *gecos;            /* Full name / GECOS */
+    char *shell;            /* Login shell */
+    char *home;             /* Home directory */
+} auth_cache_entry_t;
+
+/* Authorization cache handle */
+typedef struct auth_cache auth_cache_t;
+
+/*
+ * Initialize authorization cache
+ * cache_dir: Directory for cache files
+ * Returns NULL on failure
+ */
+auth_cache_t *auth_cache_init(const char *cache_dir);
+
+/*
+ * Destroy cache and free resources
+ */
+void auth_cache_destroy(auth_cache_t *cache);
+
+/*
+ * Look up cached authorization for a user
+ * user: Username to look up
+ * server_group: Server group (for cache key)
+ * host: Hostname (for cache key binding)
+ * entry: Output parameter for cached entry (caller must free with auth_cache_entry_free)
+ * Returns true if valid cache entry found, false otherwise
+ */
+bool auth_cache_lookup(auth_cache_t *cache,
+                       const char *user,
+                       const char *server_group,
+                       const char *host,
+                       auth_cache_entry_t *entry);
+
+/*
+ * Store authorization result in cache
+ * user: Username
+ * server_group: Server group (for cache key)
+ * host: Hostname (for cache key binding)
+ * entry: Entry to store
+ * ttl: Time-to-live in seconds
+ * Returns 0 on success, -1 on error
+ */
+int auth_cache_store(auth_cache_t *cache,
+                     const char *user,
+                     const char *server_group,
+                     const char *host,
+                     const auth_cache_entry_t *entry,
+                     int ttl);
+
+/*
+ * Invalidate cache entry for a user
+ */
+void auth_cache_invalidate(auth_cache_t *cache,
+                           const char *user,
+                           const char *server_group,
+                           const char *host);
+
+/*
+ * Check if force-online file exists
+ * If file contains usernames, returns true only if user is listed
+ * force_online_file: Path to force-online file
+ * user: Username to check
+ * Returns true if user should skip cache
+ */
+bool auth_cache_force_online(const char *force_online_file, const char *user);
+
+/*
+ * Free cache entry contents
+ */
+void auth_cache_entry_free(auth_cache_entry_t *entry);
+
+/*
+ * Clean up expired entries
+ * Returns number of entries removed
+ */
+int auth_cache_cleanup(auth_cache_t *cache);
+
+#endif /* AUTH_CACHE_H */

include/config.h

@@ -28,7 +28,7 @@ typedef struct {
     int min_tls_version;     /* Minimum TLS version: 12=1.2, 13=1.3 (default: 13) */
     char *cert_pin;          /* Certificate pin (sha256//base64 format, optional) */
 
-    /* Cache settings */
+    /* Cache settings (for token cache) */
     bool cache_enabled;      /* Enable token caching (default: true) */
     char *cache_dir;         /* Cache directory (default: /var/cache/pam_llng) */
     int cache_ttl;           /* Cache TTL in seconds (default: 300) */
@@ -37,6 +37,11 @@ typedef struct {
     bool cache_encrypted;    /* Encrypt cache files with AES-256-GCM (default: true) */
     bool cache_invalidate_on_logout; /* Invalidate cache when session closes (default: true) */
 
+    /* Authorization cache settings (for offline mode) */
+    bool auth_cache_enabled;        /* Enable authorization caching (default: true) */
+    char *auth_cache_dir;           /* Auth cache directory (default: /var/cache/pam_llng/auth) */
+    char *auth_cache_force_online;  /* Force-online trigger file (default: /etc/security/pam_llng.force_online) */
+
     /* Authorization mode */
     bool authorize_only;     /* Only check authorization, no password (for SSH keys) */
 

include/llng_client.h

@@ -11,6 +11,27 @@
 #include <stdbool.h>
 #include <stddef.h>
 
+/* Permissions structure from /pam/authorize response */
+typedef struct {
+    bool sudo_allowed;      /* User is allowed to use sudo */
+    bool sudo_nopasswd;     /* Sudo without password (future use) */
+} llng_permissions_t;
+
+/* Offline settings from /pam/authorize response */
+typedef struct {
+    bool enabled;           /* Offline mode allowed for this user */
+    int ttl;                /* Cache TTL in seconds (0 = no caching) */
+} llng_offline_settings_t;
+
+/* SSH certificate info extracted from environment */
+typedef struct {
+    char *key_id;           /* Certificate key ID */
+    char *serial;           /* Certificate serial number */
+    char *principals;       /* Comma-separated principals */
+    char *ca_fingerprint;   /* CA key fingerprint */
+    bool valid;             /* Certificate was validated */
+} llng_ssh_cert_info_t;
+
 /* Response structure from LLNG server */
 typedef struct {
     bool authorized;
@@ -26,6 +47,14 @@ typedef struct {
     char *gecos;      /* Full name / GECOS field */
     char *shell;      /* Login shell */
     char *home;       /* Home directory */
+
+    /* Permissions from /pam/authorize */
+    llng_permissions_t permissions;
+    bool has_permissions;   /* True if permissions object was present */
+
+    /* Offline settings from /pam/authorize */
+    llng_offline_settings_t offline;
+    bool has_offline;       /* True if offline object was present */
 } llng_response_t;
 
 /* Client configuration */
@@ -87,6 +116,28 @@ int llng_authorize_user(llng_client_t *client,
                         const char *service,
                         llng_response_t *response);
 
+/*
+ * Check user authorization with SSH certificate info via /pam/authorize
+ * Same as llng_authorize_user but includes SSH certificate details
+ * Returns 0 on success, -1 on error
+ */
+int llng_authorize_user_with_cert(llng_client_t *client,
+                                   const char *user,
+                                   const char *host,
+                                   const char *service,
+                                   const llng_ssh_cert_info_t *ssh_cert,
+                                   llng_response_t *response);
+
+/*
+ * Free SSH certificate info structure contents
+ */
+void llng_ssh_cert_info_free(llng_ssh_cert_info_t *cert_info);
+
+/*
+ * Initialize response structure to safe defaults (all zeros)
+ */
+void llng_response_init(llng_response_t *response);
+
 /*
  * Free response structure contents
  */