Merge pull request #14 from ST2Projects/tk/post-prod-deploy-fixes

Tk/post prod deploy fixes

Author: neo1908

.gitignore

@@ -172,3 +172,4 @@ fabric.properties
 resources
 dist/
 ssh-sentinel-server
+prod-http-tests.http

.goreleaser.yml

@@ -8,7 +8,6 @@ before:
     - go generate ./...
 builds:
   - env:
-      - CGO_ENABLED=0
     goos:
       - linux
 archives:

helper/sanitizer.go

@@ -0,0 +1,13 @@
+package helper
+
+import "strings"
+
+func Sanitize(s string) string {
+	return strings.Replace(s, "\n", "", -1)
+}
+
+func SanitizeStringSlice(ss []string) {
+	for i, x := range ss {
+		ss[i] = Sanitize(x)
+	}
+}

helper/sanitizer_test.go

@@ -0,0 +1,47 @@
+package helper
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+)
+
+func TestSanitize(t *testing.T) {
+	ours := "abc"
+	theirs := Sanitize("abc\n\n\n")
+
+	if ours != theirs {
+		t.Errorf("Got %s but wanted %s", theirs, ours)
+	}
+}
+
+func TestSanitizeWithNoNewLines(t *testing.T) {
+	ours := "abc"
+	theirs := Sanitize("abc")
+
+	if ours != theirs {
+		t.Errorf("Got %s but wanted %s", theirs, ours)
+	}
+}
+
+func TestSliceSanitize(t *testing.T) {
+	ours := strings.Split("abc aaa def", " ")
+
+	theirs := strings.Split("abc aaa\n def\n\n", " ")
+	SanitizeStringSlice(theirs)
+
+	if !reflect.DeepEqual(ours, theirs) {
+		t.Errorf("Got %v but wanted %v", theirs, ours)
+	}
+}
+
+func TestSliceWithNoNewLinesSanitize(t *testing.T) {
+	ours := strings.Split("abc aaa def", " ")
+
+	theirs := strings.Split("abc aaa def", " ")
+	SanitizeStringSlice(theirs)
+
+	if !reflect.DeepEqual(ours, theirs) {
+		t.Errorf("Got %v but wanted %v", theirs, ours)
+	}
+}

server/handlers.go

@@ -9,7 +9,7 @@ import (
 	"github.com/st2projects/ssh-sentinel-server/crypto"
 	"github.com/st2projects/ssh-sentinel-server/helper"
 	"github.com/st2projects/ssh-sentinel-server/sql"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"time"
 )
@@ -18,41 +18,56 @@ func AuthenticationHandler(next http.Handler) http.Handler {
 	fn := func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set(contentTypeKey, jsonContentType)
 
-		body, err := ioutil.ReadAll(r.Body)
+		body, err := io.ReadAll(r.Body)
 
 		if err != nil {
 			panic(helper.NewError("Failed to marshall request %s", err))
 		}
 
 		signRequest, err := MarshallSigningRequest(bytes.NewReader(body))
 
-		r.Body = ioutil.NopCloser(bytes.NewBuffer(body))
+		r.Body = io.NopCloser(bytes.NewBuffer(body))
 
 		if err != nil {
 			panic(helper.NewError("Failed to marshall request %s", err))
 		}
 
-		user := sql.GetUserByUsername(signRequest.Username)
+		user, err := sql.GetUserByUsername(signRequest.Username)
+
+		if err != nil {
+			authorisationFailed(w, "No such user %s", helper.Sanitize(signRequest.Username))
+		}
 
 		hasValidAPIKey, err := crypto.Validate(signRequest.APIKey, user.APIKey.Key)
 
 		if !hasValidAPIKey {
-			w.WriteHeader(http.StatusUnauthorized)
-			panic(helper.NewError("Unauthorised key"))
+			authorisationFailed(w, "Invalid API key for user %s", helper.Sanitize(signRequest.Username))
 		}
 
 		hasValidPrincipals := CheckPrincipals(user.Principals, signRequest.Principals)
 
 		if !hasValidPrincipals {
-			panic(helper.NewError("One or more unauthorised principals requested %v", signRequest.Principals))
+			// Sanitize the principals for logging
+			helper.SanitizeStringSlice(signRequest.Principals)
+			authorisationFailed(w, "One or more unauthorised principals requested %v", signRequest.Principals)
 		}
 
+		log.Infof("User %s is authenticated", helper.Sanitize(signRequest.Username))
+
 		next.ServeHTTP(w, r)
 	}
 
 	return http.HandlerFunc(fn)
 }
 
+func authorisationFailed(w http.ResponseWriter, msg string, args ...any) {
+	w.WriteHeader(http.StatusUnauthorized)
+
+	log.Errorf(msg, args...)
+
+	panic(helper.NewError("Authentication failed"))
+}
+
 func LoggingHandler(next http.Handler) http.Handler {
 	fn := func(w http.ResponseWriter, r *http.Request) {
 		t1 := time.Now()

server/server.go

@@ -118,8 +118,8 @@ func GetCAKey() (caPriv ssh.Signer) {
 	return privKey
 }
 
-func Version(response http.ResponseWriter, r *http.Request) {
-	io.WriteString(response, "Version: 0.0.0.1")
+func Ping(response http.ResponseWriter, r *http.Request) {
+	io.WriteString(response, fmt.Sprintf("Pong\n Time now is %s", time.Now().Format("2006-01-02 15:04:05")))
 }
 
 func Serve(httpConfig *cmd_model.HTTPConfig) {
@@ -137,7 +137,7 @@ func Serve(httpConfig *cmd_model.HTTPConfig) {
 		// a simple constructor for a http.Server with our Handler
 		makeServer = func() *http.Server {
 			return &http.Server{
-				Addr:      fmt.Sprintf(":%d", httpConfig.HttpsPort),
+				Addr:      fmt.Sprintf("0.0.0.0:%d", httpConfig.HttpsPort),
 				Handler:   makeRouter(),
 				TLSConfig: tlsConf,
 			}
@@ -184,10 +184,10 @@ func Serve(httpConfig *cmd_model.HTTPConfig) {
 	}
 
 	// Redirect 80 -> 443
-	go http.ListenAndServe(fmt.Sprintf(":%d", httpConfig.HttpPort), http.HandlerFunc(simplecert.Redirect))
+	go http.ListenAndServe(fmt.Sprintf("0.0.0.0:%d", httpConfig.HttpPort), http.HandlerFunc(simplecert.Redirect))
 
 	tlsConf.GetCertificate = certReloader.GetCertificateFunc()
-	log.Infof("Serving at https://%s", configuredTls.CertDomains[0])
+	log.Infof("Serving at https://%s:%d", configuredTls.CertDomains[0], httpConfig.HttpsPort)
 	serve(ctx, srv)
 	<-make(chan bool)
 }
@@ -197,8 +197,8 @@ func makeRouter() *mux.Router {
 
 	router := mux.NewRouter()
 
-	router.HandleFunc("/", Version)
-	router.HandleFunc("/version", Version)
+	router.HandleFunc("/", Ping)
+	router.HandleFunc("/ping", Ping)
 	router.Handle("/ssh", commonHandlers.ThenFunc(KeySignHandler))
 
 	return router

sql/SqlDb.go

@@ -3,6 +3,7 @@ package sql
 import (
 	log "github.com/sirupsen/logrus"
 	"github.com/st2projects/ssh-sentinel-server/config"
+	"github.com/st2projects/ssh-sentinel-server/helper"
 	"github.com/st2projects/ssh-sentinel-server/model/db"
 	_ "gorm.io/driver/sqlite" // Import sqlite3 driver
 	"gorm.io/gorm"
@@ -37,10 +38,12 @@ func NewUser(user *db.User) {
 	dbConnection.Create(user)
 }
 
-func GetUserByUsername(username string) db.User {
+func GetUserByUsername(username string) (db.User, error) {
 
 	var user = db.User{}
-	dbConnection.First(&user, "user_name = ? ", username)
+	if dbc := dbConnection.First(&user, "user_name = ? ", username); dbc.Error != nil {
+		return db.User{}, helper.NewError("No user with username %s found", username)
+	}
 
 	var principals []db.Principal
 	dbConnection.Find(&principals, "user_id = ?", user.ID)
@@ -50,7 +53,7 @@ func GetUserByUsername(username string) db.User {
 	dbConnection.Find(&apiKey, "user_id = ?", user.ID)
 	user.APIKey = apiKey
 
-	return user
+	return user, nil
 }
 
 func GetUserByID(id uint) db.User {