DO NOT MERGE: Remove sub-modules

WARNING: This branch SHOULD NOT BE MERGED

Launchpad cannot clone submodules for some reason,
so I am including the contents of each here to get
it working. Further investigation is needed on
compiling deb packages via git using submodules.

Bug: #4

.bintray.json.in

@@ -0,0 +1,29 @@
+{
+  "package": {
+    "name": "openvpn-auth-aad",
+    "repo": "aad",
+    "subject": "jnchi"
+  },
+  "version": {
+    "name": "{{version}}",
+    "desc": "pre-release",
+    "gpgSign": true
+  },
+  "licenses": [
+    "GPL-3.0-or-later"
+  ],
+  "desc": "auto-generated debian package",
+  "files": [
+    {
+      "includePattern": "./(.[^/]*(\\.deb)$)",
+      "uploadPattern": "$1",
+      "matrixParams": {
+        "deb_distribution": "unstable",
+        "deb_component": "main",
+        "deb_architecture": "amd64"
+      }
+    }
+  ],
+  "publish": true,
+  "override": true
+}

.indent.pro

@@ -0,0 +1,3 @@
+/* K&R Coding Style */
+-kr
+-nut

.travis.yml

@@ -0,0 +1,18 @@
+language: c
+sudo: required
+services:
+- docker
+script:
+- "/bin/sh ./scripts/docker.sh"
+- docker run -v $(pwd):/usr/src/openvpn-auth-aad cyberninjas/openvpn-auth-aad:debian
+  /bin/sh -c "cp /usr/src/*.deb /usr/src/openvpn-auth-aad"
+deploy:
+  provider: bintray
+  file: bintray.json
+  user: jnchi
+  key:
+    secure: WqI4qNH5ln6B0StwBc0HlRt/TaHcO7GfA+2QijEhkveCoKkr9G1o5uA2bRk8JAMgIqPIakv7OiBMQQGA9ANnxbUFKkyHMu7CqIg4NowyE6PZTqnBoqzL69ty7lQeK9hS+EDFzhZSBxLrTVaJIXDHZ5i1hU+tCWa/JjSz3u38GD3AzW8jOLr3sTcI/nzddK6Kxxlwcl1WnxBbiZBO0u0Ok7uwgLCHnLF1f9872wWsqoSKSI6IdWhrKVtiz1NMWzMdDaGYnuxsVYJjaAbZt93Wg8DYIm2TSG4sx3V7N0pfRyElLUu+2ubn9o/L4IUZ007zbQohAcRnfepEUfnEx39EfMrCa05bAFkxA5B+y+aVGkYmDKQPOTO/fz1f0lO0L68Sp9d9ZSIT2H4nOh/uxUYYUut3GTNa5cZnSILiMXNaxGcNG3jmGRluNG9SIbVixNXP8gkuciyyclI+UhxvqgLcxntpEzGSmBEB9giLe01Up5GtIHdvZHMvoPpf+fZ+8kzR+LyGlLd85xji9/U4CjgWrnqeJId6C+5RHJhDPnI6COuaNDc5v4gIxrX509M8CrBlkiAfozyOFhqt4Wrn5RqGHgTRMS4GNM2urmk3NwcDWxzX9h8ZVoJXw4nII1w1RehaM/4JU43cc81G2hotTWwBrMqtuUFa/Rl1LRYee8zEUGM=
+  skip_cleanup: true
+  on:
+    tags: true
+

Makefile

@@ -0,0 +1,56 @@
+CC = gcc
+
+INDENT = indent
+
+INSTALL = /usr/bin/install
+INSTALL_PROGRAM = ${INSTALL}
+INSTALL_DATA = ${INSTALL} -m 644
+
+CFLAGS = -O2 -Wall -g -D_AAD_EXPORT
+LDFLAGS = -Wl,--strip-debug -Wl,--build-id=none
+LDFLAGS += -fPIC -fno-stack-protector -Wl,--export-dynamic
+LIBS = -lc -lcurl -ljansson -ljwt -lpam -lsds -luuid
+
+SRC_DIR = .
+
+OPENVPN_SRC_DIR = ${SRC_DIR}/openvpn
+PAM_AAD_SRC_DIR = ${SRC_DIR}/pam_aad
+
+SRC = ${SRC_DIR}/auth_aad.c
+SRC += ${PAM_AAD_SRC_DIR}/pam_aad.c
+SRC += ${OPENVPN_SRC_DIR}/src/plugins/auth-pam/utils.c
+
+INCLUDES = -I${OPENVPN_SRC_DIR}/include
+INCLUDES += -I${OPENVPN_SRC_DIR}/src/plugins/auth-pam
+
+SONAME = openvpn-auth-aad.so
+
+PREFIX = /usr/local
+LIB_DIR = ${PREFIX}/lib
+PLUGIN_DIR = ${LIBDIR}/openvpn/plugins
+
+all: ${SONAME}
+
+${SONAME}:
+	${CC} ${CFLAGS} ${LDFLAGS} -shared \
+		${SRC} ${INCLUDES} ${LIBS} \
+		-Wl,-soname,$@ -o $@
+
+install: ${SONAME}
+	${INSTALL_DATA} ${SONAME} ${PLUGIN_DIR}
+
+debug:
+	@LDFLAGS="${LDFLAGS} -ggdb" make
+
+reformat:
+	@VERSION_CONTROL=none $(INDENT) *.c
+
+clean:
+	@rm -rf ${SONAME}
+
+clean-all: clean
+	@make -C openvpn maintainer-clean
+	@cd openvpn && git reset --h && cd ..
+	@make -C pam_aad maintainer-clean
+	@cd pam_aad && git reset --h && cd ..
+

README.md

@@ -0,0 +1,33 @@
+# openvpn-auth-aad [![Build Status][travis-badge]][travis-url] [![GPL-2.0-only][gpl-badge]][gpl-license] [![Download](https://api.bintray.com/packages/jnchi/aad/openvpn-auth-aad/images/download.svg) ](https://bintray.com/jnchi/aad/openvpn-auth-aad/_latestVersion)
+
+_Azure Active Directory (AAD) OpenVPN Plugin_
+
+## Installation
+
+```terminal
+./bootstrap.sh
+make
+sudo make install
+```
+
+## Configuration
+
+Edit `/etc/openvpn/server.conf` and add the following lines:
+
+```txt
+plugin /usr/lib/openvpn/openvpn-auth-aad.so
+client-cert-not-required
+username-as-common-name
+```
+
+Note: A valid [pam_aad configuration file](https://github.com/CyberNinjas/pam_aad#configuration-file) is also required.
+
+## See also
+
+- https://github.com/fac/auth-script-openvpn
+- https://github.com/mozilla-it/openvpn_defer_auth
+
+[gpl-badge]: https://img.shields.io/badge/license-GPL-green.svg
+[gpl-license]: COPYING
+[travis-badge]: https://travis-ci.org/CyberNinjas/openvpn-auth-aad.svg?branch=master
+[travis-url]: https://travis-ci.org/CyberNinjas/openvpn-auth-aad

SECURITY.md

@@ -0,0 +1,12 @@
+# Security Policy
+
+## Supported Versions
+
+This OpenVPN Plugin is currently in pre-release, 
+therefore no versions are currently being supported.
+
+## Reporting a Vulnerability
+
+The developers should be contacted directly via [encrypted email](mailto:[email protected]).
+
+GPG Fingerprint: [DB0A E4BD 16FD E243 074A 7F8E 9F2E C496 B122 CD97](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x9F2EC496B122CD97)

auth_aad.c

@@ -0,0 +1,158 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ *             over a single TCP/UDP port, with support for SSL/TLS-based
+ *             session authentication and key exchange,
+ *             packet encryption, packet authentication, and
+ *             packet compression.
+ *
+ *  Copyright (C) 2002-2018 OpenVPN Inc <[email protected]>
+ *  Copyright (C) 2019 CyberNinjas <[email protected]>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <sys/wait.h>
+
+#include "openvpn-plugin.h"
+#include "utils.h"              /* openvpn/src/plugins/auth-pam */
+
+#define OPENVPN_PLUGIN_VERSION_MIN 3    /* Require OpenVPN Plugin API v3 */
+#define OPENVPN_PLUGIN_STRUCTVER 4
+
+extern int azure_authenticator(const char *user);       /* pam_aad.c */
+
+struct plugin_context {
+    char *aad_auth;
+};
+
+void handle_sigchld(int sig)
+{
+    while (waitpid((pid_t) (-1), 0, WNOHANG) > 0) {
+        /* nonblocking wait (WNOHANG) for any child (-1) to come back */
+    }
+}
+
+static int put_auth_control(const char *path, const char *data)
+{
+    int ret = EXIT_FAILURE;
+    FILE *f = fopen(path, "w");
+    if (f) {
+        if (fprintf(f, "%s", data) == 0)
+            ret = EXIT_SUCCESS;
+        fclose(f);
+    }
+    return ret;
+}
+
+OPENVPN_EXPORT int openvpn_plugin_min_version_required_v1()
+{
+    return OPENVPN_PLUGIN_VERSION_MIN;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_open_v3(const int structver,
+                       struct openvpn_plugin_args_open_in const *args,
+                       struct openvpn_plugin_args_open_return *ret)
+{
+    struct plugin_context *context;
+
+    (void) args;                /* unused parameter */
+
+    /* OPENVPN_PLUGINv3_STRUCTVER defined in openvpn-plugin.h */
+    if (structver < OPENVPN_PLUGIN_STRUCTVER) {
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+
+    /* Allocate the context */
+    context =
+        (struct plugin_context *) calloc(1, sizeof(struct plugin_context));
+
+    context->aad_auth = "1";      /* dummy value */
+
+    /* Intercept the --auth-user-pass-verify callback. */
+    ret->type_mask =
+        OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
+
+    ret->handle = (openvpn_plugin_handle_t) context;
+
+    return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+static int azure_auth_handler(struct plugin_context *context,
+                              const char *argv[], const char *envp[])
+{
+    pid_t pid;
+    struct sigaction sa;        /* signal.h */
+
+    sigemptyset(&sa.sa_mask);
+    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
+    sa.sa_handler = &handle_sigchld;
+
+    if (sigaction(SIGCHLD, &sa, NULL) == -1) {
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+
+    pid = fork();
+
+    if (pid < 0) {
+        /* Fork failed, bail out. */
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    } else if (pid > 0) {
+        /* We're the parent. Tell openvpn we're deferring. */
+        return OPENVPN_PLUGIN_FUNC_DEFERRED;
+    } else {
+        const char *username = get_env("username", envp),
+            *auth_control_file = get_env("auth_control_file", envp);
+
+        if (azure_authenticator(username) == 0) {
+            if (put_auth_control
+                (auth_control_file, (char *) context->aad_auth) == 0)
+                exit(EXIT_SUCCESS);
+        }
+
+        exit(127);
+    }
+
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v3(const int structver,
+                       struct openvpn_plugin_args_func_in const *args,
+                       struct openvpn_plugin_args_func_return *ret)
+{
+    struct plugin_context *context =
+        (struct plugin_context *) args->handle;
+
+    /* Check API compatibility -- struct version or higher needed */
+    if (structver < OPENVPN_PLUGIN_STRUCTVER)
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+
+    switch (args->type) {
+    case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
+        return azure_auth_handler(context, args->argv, args->envp);
+    default:
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+}
+
+OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
+{
+    struct plugin_context *context = (struct plugin_context *) handle;
+    free(context);
+}

bootstrap.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+git submodule update --init --recursive
+
+# Required for openvpn-plugin.h
+cd openvpn && \
+   autoreconf -fiv && \
+   ./configure && cd .. || exit 1
+
+cd pam_aad && \
+   ./bootstrap.sh && \
+   ./configure && cd .. || exit 1
+

contrib/client.conf

@@ -0,0 +1,14 @@
+# OpenVPN Client Configuration
+client
+dev tun
+proto udp
+remote 192.168.1.128 1194
+nobind
+;user nobody
+;group nobody
+persist-key
+persist-tun
+;mute-replay-warnings
+ca ca.crt # from server
+verb 5
+auth-user-pass