Fix deployment (in and out of docker)

Don't rebuild file paths all over the place
Move docker-compose.yml to readme

Author: Trolldemorted

.dockerignore

@@ -1,4 +1,10 @@
 .dockerignore
-*.yml
+.gitignore
+Dockerfile
+
 .git
 target
+data
+
+*.code-workspace
+*.yml

.gitignore

@@ -3,6 +3,9 @@
 *.raw
 *.storage
 *.cache
+*.code-workspace
+/data
+*.yml
 
 # Cargo
 /target

Dockerfile

@@ -26,7 +26,7 @@ WORKDIR /enokey
 RUN mkdir keyfiles
 
 RUN apt-get update \
-    && apt-get install -y libssl1.1 ca-certificates --no-install-recommends \
+    && apt-get install -y libssl1.1 ca-certificates openssh-client --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 
 COPY --from=build /service/enokey/target/debug/enokey .
@@ -36,4 +36,7 @@ COPY ./Rocket.toml ./Rocket.toml
 ENV ROCKET_ENV production
 ENV ROCKET_TEMPLATE_DIR static
 
-ENTRYPOINT "./enokey"
+RUN adduser --disabled-password --gecos '' enokey
+RUN chown -R enokey .
+USER enokey
+ENTRYPOINT "./enokey"

README.md

@@ -4,59 +4,28 @@
 [![](https://tokei.rs/b1/github/ENOFLAG/ENOKEY)](https://github.com/ENOFLAG/ENOKEY)
 
 
-This is the ENOKEY project for handling ssh keys. It contains the following tools:
+# Docker
 
-* enokey - Collect, Generate and Distribute an authorized_keys from user input over a webservice
-
-
-# Usage
-```
-$ ./enokey --help
-Usage: target/debug/enokey [options]
-
-Options:
-    -s, --storage ENOKEYS.storage
-                        The output ENOKEYS storage file
-    -o, --authorized_keys authorized_keys
-                        The output authorized_keys file
-    -n, --dry-run       Do not write to cfg file
-    -h, --help          Print this help menu
-```
-
-# Configuration Files
-
-The configuration files declare which keys are to be included into the output file of authorized keys. There are three commands supported to include keys:
-
-* provider:username - use the SSH keys stored on a well-known provider (currently GitHub and Gitlab)
-* pubkey:actual-key - just include this key, formatted like usual in authorized key files
-* include:file - include another config file
-
-An example is given in [example-config](example-config):
-
-```
-# Comments and empty lines are ignored
-
-# Use the scheme <provier>:<username> to scrape the keys there
-github:torvalds
-gitlab:stallman
-
-# Just add a single key
-pubkey:ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyiWjcfZ2QN2aigzjvvAMmLJ70lXbN92IGyuY3tQOrA162Jtn6OSDIUNcR3q8as6LrGlX2LJZAygndB59Mb12Zddv2nB/UuanD3x1R47fMA2iliMjanQSjDbtEgtDi6u/cArvb1PA4P9FUjxUx7RdNKd4RuYrFyOVMmPpbqD7x5QBHZT7y43mrHCYAoYEoOZdVrXcMVxnit2iN9oA3f+h5GmVRgciIXxgqBbdvRmADBrR9jkeQGFPOVdRfVGLxpFMeM+abm3+JmJIMxneiLcO2hxx+47MvMuALrLzoSztkks+HeiRkiv1bXOuXdUMFcrHNuwaJ/f5lqJtp8fdJ1+riQ== randomuser@machine
-
-# Include a config file
-#include:another-config
-```
-
-This is converted to the following:
-
-```
-###
-# Config: example-config
-###
-# Keys from torvalds@github
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoQ9S7V+CufAgwoehnf2TqsJ9LTsu8pUA3FgpS2mdVwcMcTs++8P5sQcXHLtDmNLpWN4k7NQgxaY1oXy5e25x/4VhXaJXWEt3luSw+Phv/PB2+aGLvqCUirsLTAD2r7ieMhd/pcVf/HlhNUQgnO1mupdbDyqZoGD/uCcJiYav8i/V7nJWJouHA8yq31XS2yqXp9m3VC7UZZHzUsVJA9Us5YqF0hKYeaGruIHR2bwoDF9ZFMss5t6/pzxMljU/ccYwvvRDdI7WX4o4+zLuZ6RWvsU6LGbbb0pQdB72tlV41fSefwFsk4JRdKbyV3Xjf25pV4IXOTcqhy+4JTB/jXxrF torvalds@github (1)
-# Keys from stallman@gitlab
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfu9PhGt4+RcGdxpHnbu129OBNhXZhUEpVVWTXeOwq68+CgdE25hjW3qyJkNDe/3uno9ogCg/FXa083r6bQt5YJU65o22yYBFXe+m1OcT4Uw56nkcT9hjJqJxHg1+DWKlheNhth5VQOVueyN8SPTKU6ezelcpWiOXfRBu5DOhGKkooT98f4HiujmrSkCD/1WIjAA4m0rBYF8PmXLW0qFiiw4mPxAAVXRu+lF6tPTqT9gSwUTgKcJ/LTd79caU0H0jsqsF9S/+s7/dMqR3TRGVnAUUQJlKyizA9mg2mJ91bBVGVSE/Aiyo3788vZekBqM7mWI74ZgePwf+EgT7yRlf1  stallman@gitlab (1)
-# Keys from pubkey
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyiWjcfZ2QN2aigzjvvAMmLJ70lXbN92IGyuY3tQOrA162Jtn6OSDIUNcR3q8as6LrGlX2LJZAygndB59Mb12Zddv2nB/UuanD3x1R47fMA2iliMjanQSjDbtEgtDi6u/cArvb1PA4P9FUjxUx7RdNKd4RuYrFyOVMmPpbqD7x5QBHZT7y43mrHCYAoYEoOZdVrXcMVxnit2iN9oA3f+h5GmVRgciIXxgqBbdvRmADBrR9jkeQGFPOVdRfVGLxpFMeM+abm3+JmJIMxneiLcO2hxx+47MvMuALrLzoSztkks+HeiRkiv1bXOuXdUMFcrHNuwaJ/f5lqJtp8fdJ1+riQ== randomuser@machine pubkey (1)
+ENOKEY is configured with environment variables. Here is an example using docker-compose.yml:
 ```
+version: '3'
+
+services:
+  enokey:
+    build: .
+    volumes:
+      - ./data:/enokey/data
+    restart: on-failure
+    ports:
+      - "80:8000"
+    environment:
+      - ROCKET_PORT=8000
+      - ROCKET_ENV=production
+      - ROCKET_LOG=normal
+      - ROCKET_SECRET_KEY=whs/vijJnEoWN9Xgf25oJDn2yUtvsNuhm0eMNxZe6CI=
+      - [email protected]:8022
+      - PSK_ADMIN=HIGHLYSECRET
+      - [email protected]
+      - PSK_USER=NOTSOSECRET
+      - RUST_BACKTRACE=1
+```

docker-compose.yml

@@ -1,25 +1,17 @@
-use std::net::TcpStream;
-use ssh2::Session;
-use std::path::Path;
-use std::io::Write;
-use std::io::Read;
-use std::fs::File;
+use std::process::Command;
 
 use Destination;
 use EnokeysError;
 
 
 pub fn deploy(destinations: &[Destination]) -> Result<(), EnokeysError> {
     for destination in destinations {
-        let file_name = format!("keyfiles/{}.authorized_keys",destination.destination_name);
-        let mut content = vec!();
-        File::open(file_name)?.read_to_end(&mut content)?;
-        let tcp = TcpStream::connect(&destination.address)?;
-        let mut sess = Session::new().unwrap();
-        sess.handshake(&tcp)?;
-        sess.userauth_agent(&destination.userauth_agent)?;
-        let mut remote_file = sess.scp_send(Path::new("~/.ssh/authorized_keys"), 0o644, content.len() as u64, None)?;
-        remote_file.write_all(&content)?;
+        Command::new("scp")
+            .args(&["-i", "./data/id_ed25519",
+                "-P", &format!("{}", destination.port),
+                "-o", "StrictHostKeyChecking=no",
+                &destination.authorized_keys_file_name.to_str().unwrap().to_string(), &format!("{}@{}:/home/{}/.ssh/authorized_keys", &destination.userauth_agent, &destination.address, &destination.userauth_agent)])
+            .status()?;
     }
     Ok(())
 }

src/deploy.rs

@@ -2,6 +2,7 @@
 pub enum EnokeysError {
     IOError(std::io::Error),
     InvalidEnvironmentError,
+    InvalidIntegerError,
     ReqwestError(reqwest::Error),
     Ssh2Error(ssh2::Error),
     InvalidData(String),
@@ -26,3 +27,9 @@ impl From<std::io::Error> for EnokeysError {
         EnokeysError::IOError(error)
     }
 }
+
+impl From<std::num::ParseIntError> for EnokeysError {
+    fn from(_error: std::num::ParseIntError) -> Self {
+        EnokeysError::InvalidIntegerError
+    }
+}

src/error.rs

@@ -52,7 +52,11 @@ lazy_static! {
 pub struct Destination {
     address: String,
     userauth_agent: String,
-    destination_name: String
+    destination_name: String,
+    authorized_keys_file_name: PathBuf,
+    raw_storage_file_name: PathBuf,
+    providers_storage_file_name: PathBuf,
+    port: u16
 }
 
 pub struct Context {
@@ -170,10 +174,10 @@ fn deploy_get() -> Template {
     let config = &*CONFIG.lock().unwrap();
     storage::generate_authorized_key_files(&config.admin_destinations).unwrap();
     let mut context = HashMap::new();
-    let dest_names: Vec<String> = config.admin_destinations
+    let destinations: Vec<String> = config.admin_destinations
         .iter()
-        .map(|a| a.destination_name.to_string()).collect();
-    context.insert("dest_names", dest_names);
+        .map(|a| a.authorized_keys_file_name.to_str().unwrap().to_string()).collect();
+    context.insert("destinations", destinations);
     Template::render("deploy", &context)
 }
 
@@ -275,9 +279,9 @@ fn main() {
             println!("Warning: PSK_ADMIN not set. {:?}",e);
             "default".to_string()
         });
-    }
-
 
+        storage::load_deploy_keypair().unwrap();
+    }
 
     rocket::ignite()
         .mount("/", routes![static_files, index_post, index_get, deploy_get, deploy_post, favicon, key_files])
@@ -286,7 +290,10 @@ fn main() {
 }
 
 fn parse_destinations(input: &str) -> Result<Vec<Destination>, EnokeysError> {
-    let entries : Vec<&str> = input.split(',').collect();
+    if input == "" {
+        return Ok(vec!())
+    }
+    let entries : Vec<&str> = input.split(",").collect();
     println!("{:?}",&entries);
     let mut destinations = vec!();
     for entry in entries {
@@ -295,11 +302,25 @@ fn parse_destinations(input: &str) -> Result<Vec<Destination>, EnokeysError> {
             2 => (split[0], split[1]),
             _ => return Err(EnokeysError::InvalidEnvironmentError)
         };
-        destinations.push(Destination{
+        let port = parse_port(address)?;
+        let address = address.split(":").collect::<Vec<&str>>()[0];
+        destinations.push(Destination {
             address: address.to_string(),
             userauth_agent: userauth_agent.to_string(),
-            destination_name: entry.to_string()
+            destination_name: format!("{}@{}:{}", &userauth_agent, &address, port),
+            authorized_keys_file_name: PathBuf::from(format!("./keyfiles/{}@{}_{}.authorized_keys", &userauth_agent, &address, port)),
+            raw_storage_file_name: PathBuf::from(format!("./keyfiles/{}@{}_{}.authorized_keys.raw", &userauth_agent, &address, port)),
+            providers_storage_file_name: PathBuf::from(format!("./keyfiles/{}@{}_{}.authorized_keys.providers", &userauth_agent, &address, port)),
+            port: port
         })
     }
     Ok(destinations)
-}
+}
+
+fn parse_port(address: &str) -> Result<u16, EnokeysError> {
+    let split = address.split(":").collect::<Vec<&str>>();
+    if split.len() == 1 {
+        return Ok(22);
+    }
+    return Ok(split[split.len()-1].parse::<u16>()?);
+}

src/main.rs

@@ -19,7 +19,7 @@ pub fn handle_raw_submission(name: &str, pub_key: &str, destinations: &[Destinat
             .write(true)
             .create(true)
             .append(true)
-            .open(format!("./data/{}.storage.raw", destination.destination_name))?;
+            .open(&destination.raw_storage_file_name)?;
         writeln!(&raw_storage_file, "{} {}@raw", &pub_key, &name)?;
     }
     Ok(())
@@ -36,7 +36,7 @@ pub fn handle_submission(provider: &str, user_name: &str, name: &str, destinatio
             .write(true)
             .create(true)
             .append(true)
-            .open(format!("./data/{}.storage", &destination.destination_name))?;
+            .open(&destination.providers_storage_file_name)?;
         let line = format!("# {} \n{}:{}\n", &name, provider, &user_name);
         println!("Adding entry:\n{}", &line);
         write!(storage_file, "{}", &line)?;
@@ -46,20 +46,27 @@ pub fn handle_submission(provider: &str, user_name: &str, name: &str, destinatio
 
 pub fn generate_authorized_key_files(destinations: &[Destination]) -> Result<(), EnokeysError> {
     for destination in destinations {
-        let mut authorized_keys_file = File::create(format!("./keyfiles/{}.authorized_keys", &destination.destination_name))?;
-        let mut authorized_keys_file_content = String::new();
+        let mut authorized_keys_file = File::create(&destination.authorized_keys_file_name)?;
         let mut storage_file = OpenOptions::new()
             .read(true)
             .write(true)
             .create(true)
-            .open(format!("./data/{}.storage", destination.destination_name))?;
+            .open(&destination.providers_storage_file_name)?;
         let mut storage_file_content = String::new();
 
+        // append deploy key
+        let mut deploy_key = String::new();
+        // TODO: User-configable ssh key
+        if let Ok(mut deploy_key_file) = File::open("./data/id_ed25519.pub") {
+            deploy_key_file.read_to_string(&mut deploy_key)?;
+            write!(authorized_keys_file, "{}", &deploy_key)?
+        }
+
+
         // append raw keys
         let mut raw_keys = String::new();
-        if let Ok(mut raw_keys_file) = File::open(format!("./data/{}.storage.raw", destination.destination_name)) {
+        if let Ok(mut raw_keys_file) = File::open(&destination.raw_storage_file_name) {
             raw_keys_file.read_to_string(&mut raw_keys)?;
-            authorized_keys_file_content.push_str(&raw_keys);
             write!(authorized_keys_file, "{}", &raw_keys)?
         }
 
@@ -76,7 +83,6 @@ pub fn generate_authorized_key_files(destinations: &[Destination]) -> Result<(),
                             Some(ref comment) => {
                                 let comment = USERNAME_REGEX.replace_all(&comment, " ");
                                 let line = format!("{} {} {}\n", key.keytype(), base64::encode(&key.data()), &comment[0..min(comment.len(), 100)]);
-                                authorized_keys_file_content.push_str(&line);
                                 write!(authorized_keys_file, "{}", &line)?
                             },
                             None => writeln!(authorized_keys_file, "{} {}", key.keytype(), base64::encode(&key.data()))?
@@ -89,3 +95,11 @@ pub fn generate_authorized_key_files(destinations: &[Destination]) -> Result<(),
     }
     Ok(())
 }
+
+pub fn load_deploy_keypair() -> Result<(), EnokeysError> {
+    // TODO: User-configable ssh key
+    match File::open("./data/id_ed25519") {
+        Ok(_) => Ok(()),
+        Err(e) => Err(EnokeysError::IOError(e))
+    }
+}

src/storage.rs

@@ -14,8 +14,8 @@
     <nav class="navbar navbar-expand-lg navbar-light bg-light">
       <a class="navbar-brand" href="/">ENOKEYS - SSH PublicKey Self-Service Center</a>
     </nav>
-    {{#each dest_names}}
-        <div><a href="../keyfiles/{{this}}.authorized_keys">{{this}}.authorized_keys</a></div>
+    {{#each destinations}}
+        <div><a href="../{{this}}">{{this}}</a></div>
     {{/each}}
     <div class="container">
         <div class="row">