Dockerize, readme update

This commit is contained in:
Erin Shepherd 2023-07-10 02:10:04 +02:00
parent 15eece9f46
commit 80c9892b0b
3 changed files with 64 additions and 3 deletions

17
Dockerfile Normal file
View file

@ -0,0 +1,17 @@
ARG ALPINE=3.18
FROM golang:1.20-alpine${ALPINE} AS build
WORKDIR /app
COPY go.mod go.sum .
RUN go mod download
ADD . /app
RUN go build -o ./authentricity-webui ./cmd/authentricity-webui
RUN go build -o ./authentricity-admin ./cmd/authentricity-admin
FROM alpine:${ALPINE}
WORKDIR /bin
COPY --from=build /app/authentricity-webui /app/authentricity-admin .
WORKDIR /
CMD ["/bin/authentricity-webui"]

View file

@ -17,8 +17,52 @@ Unix logins. This component implements the systemd
[User/Group Varlink API](https://systemd.io/USER_GROUP_API/) to support user and group
lookups.
It is intended to be deployed as a systemd service. See [module.nix](./module.nix), which
can be used to deploy this on NixOS for details
For both performance and resilience resaons, user information is cached locally:
* Information less than 60s old is considered up-to-date and Consul is not re-queried for it,
speeding up user information requests and reducing Consul load, and
* In cases where Consul is unable to service requests, then the cache will be considered valid
indefinitely
A future version may limit the amount of time locally cached information is considered valid.
TODO: Provide raw systemd unit files
#### authentricity-webui
SSO portal and user administration UI
This implements
* A login system, and single-domain shared cookie SSO system
* A portal which lets users add & remove SSH keys, change their password, etc,
and
* A UI which lets users explore other users and groups, and which lets admins manage
users and groups
* A UI which lets admins manipulate users and groups
This can be deployed as either
* A systemd service (see [module.nix](./module.nix)), or
* A [container](https://git.shinra.systems/authentricity/-/packages/container/authentricity/)
TODO: Provide raw systemd unit files
TODO: Provide example Kubernetes manifests/Kustomize chart?
#### authentricity-admin
Command line administation tool (performing direct database accesses)
Command line administation tool (performing direct database accesses)
### Future Components
* Radius server
* Likely minimal feature set at first (PAP, no EAP, etc)
* TACACS+ server
* For networking appliances
* Separate cookie used for the Web UI from the auth proxy
* We can then domain scope the Web UI cookie down to just the UI itself,
protecting better against Cookie theft attacks
* We can use asymmetric crypto for the domain-wide cookie and distribute the public
keys to auth proxies via Consul
* JWT/OAuth 2.0/OpenID Connect issuer
* Integration of tokens into the Unix auth flow
* Return something like a Kerberos TGT that can be exchanged for service JWTs?
* Minimal authentication proxy without the Web UI?

2
go.mod
View file

@ -1,6 +1,6 @@
module go.e43.eu/authentricity
go 1.17
go 1.20
require (
github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962