Merge pull request #17 from nikogura/pubkey-auth

Enable JWT Pubkey auth

.circleci/config.yml

@@ -5,15 +5,15 @@ version: 2
 jobs:
   build:
     docker:
-      - image: circleci/golang:1.12.5
-
-    environment: GO111MODULE=on
+      - image: circleci/golang:latest
 
     working_directory: /go/src/github.com/nikogura/dbt
     steps:
       - checkout
-
-      # specify any bash command here prefixed with `run: `
+      - run: echo "${TEST_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_rsa.test
+      - run: chmod 700 ~/.ssh/id_rsa.test
+      - run: echo "${TEST_PUBLIC_KEY}" | base64 -d > ~/.ssh/id_rsa.test.pub
+      - run: ssh-add ~/.ssh/id_rsa.test
       - run: gpg-agent --daemon
       - run: go test -v -race -coverprofile=coverage.txt -covermode=atomic ./...
       - run: bash <(curl -s https://codecov.io/bash)

README.md

@@ -291,7 +291,13 @@ Output:
 
 An http repository server.  It serves up the various dbt tools and components from a file location on disk. 
 
-At present, the repo server supports basic auth via _htpasswd_ file.  Other auth options will be available as time allows.
+At present, the repo server supports basic auth via _htpasswd_ file and public key auth from an ssh-agent via JWT.  Other auth options will be available as time allows.
+
+Separate IDP (Identity Provider) files can be provided to provide privilege separation between tool use (GET) and tool publishing (PUT).  Likewise separate auth methods can be used for GET and PUT.
+
+Why did I make it possible to have split auth methods?  Flexibility.  Passwordless ssh-key auth for a user is good UX.  It's secure, and easy for the users.  It's kind of a pain for CI systems and other automated uses.  Sometimes just sticking a password in the environment is the best way for these use cases.  Hey, do what you want.  I'm just trying to help.
+
+The PublicKey Auth IDP file contains sections for both GET and PUT, so a single file can be used for both.  Obviously if you do use separate files, only the appropriate portion of each file will be read.
 
 ### Reposerver Config
 
@@ -301,13 +307,38 @@ A JSON file of the form:
 	    "address": "my-hostname.com",
         "port": 443,
         "serverRoot": "/path/to/where/you/store/tools",
-        "authType": "basic-htpasswd",
+        "authTypeGet": "basic-htpasswd",
+        "authTypePut": "basic-htpasswd",
         "authGets": false,
-        "authOpts": {
-            "idpFile": "/path/to/htpasswd/file"
-        }
+        "authOptsGet": {
+            "idpFile": "/path/to/htpasswd/file/for/gets"
+        },
+        "authOptsPutt": {
+            "idpFile": "/path/to/htpasswd/file/for/puts"
+        },
     }
 
+### Reposerver IDP File
+
+The reposerver takes an IDP file.  In the case of http basic auth, this is a standard htpasswd file.
+
+In the case of Public Key JWT Auth, it looks like so:
+
+      {
+         "getUsers": [
+            {
+               "username": "foo",
+               "publickey": "ssh-rsa ...... [email protected]"
+            }
+         ],
+         "putUsers": [
+            {
+               "username": "bar",
+               "publickey": "ssh-rsa ...... [email protected]"
+            }
+         ]
+      }
+
 ### Running the Reposerver
 
 Command: `dbt reposerver -f /path/to/config`

metadata.json

@@ -1,5 +1,5 @@
 {
-  "version": "3.1.3",
+  "version": "3.2.0",
   "package": "github.com/nikogura/dbt",
   "description": "Dynamic Binary Toolkit - A framework for running self-updating signed binaries from a central, trusted repository.",
   "repository": "http://localhost:8081/artifactory/dbt",

pkg/dbt/dbt.go

@@ -579,7 +579,7 @@ func (dbt *DBT) runExec(homedir string, args []string) (err error) {
 	return err
 }
 
-// VerboseOutput Covenience function so I don't have to write 'if verbose {...}' all the time.
+// VerboseOutput Convenience function so I don't have to write 'if verbose {...}' all the time.
 func (dbt *DBT) VerboseOutput(message string, args ...interface{}) {
 	if dbt.Verbose {
 		if len(args) == 0 {