Add Docker support for easier deployments + uppercase REALM

alfonsrv · alfonsrv · commit dce35abdcf6a · 2024-06-16T12:54:29.000+02:00
Author:    alfonsrv &lt;alfonsrv@protonmail.com&gt;

Developer Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or

(b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me.

(c) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.

Signed-off-by: github/alfonsrv &lt;alfonsrv@protonmail.com&gt;
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -0,0 +1,32 @@
+FROM python:3.11-slim
+LABEL maintainer="github/alfonsrv <alfonsrv@protonmail.com>"
+
+ENV APACHE_CONFDIR=/etc/apache2
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends git \
+    apache2 libapache2-mod-wsgi-py3 \
+    krb5-k5tls \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+RUN a2enmod wsgi \
+    && a2enmod ssl \
+    && a2enmod headers \
+    && a2enmod setenvif
+
+RUN ln -sf /proc/self/fd/1 /var/log/apache2/access.log && \
+    ln -sf /proc/self/fd/1 /var/log/apache2/error.log
+
+COPY config/kdc-wsgi.conf ${APACHE_CONFDIR}/sites-available/
+
+# Download + install kdcproxy and get install path to replace in apache config
+RUN git clone https://github.com/latchset/kdcproxy.git /tmp/kdcproxy \
+    && pip install /tmp/kdcproxy \
+    && KDC_PROXY_PATH=$(python -c "import site; print(site.getsitepackages()[0])")/kdcproxy \
+    && sed -ri -e "s!KDC_PROXY_PATH!${KDC_PROXY_PATH}!g" /etc/apache2/sites-available/*.conf \
+    && sed -ri -e "s!SERVER_NAME!${SERVER_NAME}!g" /etc/apache2/sites-available/*.conf
+
+RUN a2dissite 000-default.conf \
+    && a2ensite kdc-wsgi.conf
+
+CMD ["apachectl", "-D",  "FOREGROUND"]
diff --git a/docker/README.md b/docker/README.md
@@ -0,0 +1,7 @@
+# KDC Proxy Docker Container 🐋
+
+* Rename `config/sample-kdcproxy.conf` to `config/kdcproxy.conf`
+* Configure Domain Controller IP addresses via `extra_hosts` in `docker-compose.yml` 
+* Configure Realm and Domain Controller DNS Names in `config/kdcproxy.conf`
+* Run `docker-compose up` and configure to run as service
+* Run either behind reverse proxy or as a directly exposed server (bring your own certificates)
diff --git a/docker/certs/.gitkeep b/docker/certs/.gitkeep
diff --git a/docker/config/kdc-wsgi.conf b/docker/config/kdc-wsgi.conf
@@ -0,0 +1,41 @@
+<VirtualHost *:443>
+    ServerName              SERVER_NAME
+    ErrorLog                ${APACHE_LOG_DIR}/error.log
+    CustomLog               ${APACHE_LOG_DIR}/access.log combined
+
+    SSLEngine               on
+    SSLCertificateFile      /certs/cert.crt
+    SSLCertificateKeyFile   /certs/cert.key
+
+    # Prevent showing the default Apache2 website
+    RedirectMatch ^/(?!(?i:KdcProxy))(.*)$ https://opensource.org/
+
+    # Python WSGI KDC Proxy setup
+    WSGIDaemonProcess       kdcproxy \
+                            processes=2 \
+                            threads=15 \
+                            maximum-requests=1000 \
+                            display-name=%{GROUP}
+    WSGIImportScript        KDC_PROXY_PATH/__init__.py \
+                            process-group=kdcproxy \
+                            application-group=kdcproxy
+    WSGIScriptAliasMatch    "(?i)^/KdcProxy" \
+                            KDC_PROXY_PATH/__init__.py
+    WSGIScriptReloading     Off
+
+    # Set headers if available
+    <IfModule mod_setenvif.c>
+        SetEnvIf X-Forwarded-Host (.*) REAL_HOST_HEADER=$1
+        <IfModule mod_headers.c>
+            RequestHeader set Host "%{REAL_HOST_HEADER}e"
+        </IfModule>
+    </IfModule>
+
+    <LocationMatch "(?i)^/KdcProxy">
+        Satisfy Any
+        Order Deny,Allow
+        Allow from all
+        WSGIProcessGroup     kdcproxy
+        WSGIApplicationGroup kdcproxy
+    </LocationMatch>
+</VirtualHost>
diff --git a/docker/config/sample-kdcproxy.conf b/docker/config/sample-kdcproxy.conf
@@ -0,0 +1,24 @@
+[global]
+# Use default libkrb5 configuration; if you load the mit config module in the master configuration file, 
+# kdcproxy will also read the config using libkrb5 (usually /etc/krb5.conf). If this module is used, kdcproxy 
+# will respect the DNS settings from the [libdefaults] section and the realm configuration from the [realms] section.
+# For more information, see the documentation for MIT's krb5.conf.
+configs = mit
+
+# Use DNS SRV lookup to automatically resolve domain
+use_dns = False
+
+[CONTOSO.LOC]
+# The realm configuration parameters may list multiple servers separated by a space. 
+# The order the realms are specified in will be respected by kdcproxy when forwarding requests. The port number is optional.
+# 
+# Possible schemes are:
+# * kerberos://
+# * kerberos+tcp://
+# * kerberos+udp://
+# * kpasswd://
+# * kpasswd+tcp://
+# * kpasswd+udp://
+
+kerberos = kerberos+tcp://test-dc1.contoso.loc:88
+kpasswd = kpasswd+tcp://test-dc1.contoso.loc:464
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -0,0 +1,45 @@
+---
+version: '3'
+services:
+  kdcproxy:
+    build:
+      context: .
+      dockerfile: ./Dockerfile
+    container_name: kdcproxy-apache
+    restart: unless-stopped
+    ports:
+      - "443:443"
+    environment:
+      - KDCPROXY_CONFIG=/config/kdcproxy.conf
+      - SERVER_NAME=${SERVER_NAME:-selfsign.rausys.de}
+    volumes:
+      - config:/config:ro
+      - certs:/certs:ro
+    extra_hosts:
+      - "test-dc1.contoso.loc:10.10.10.10"
+
+  omgwtfssl:
+    image: paulczar/omgwtfssl
+    container_name: kdcproxy-ssl
+    restart: "no"
+    volumes:
+      - certs:/certs
+    environment:
+      - SSL_SUBJECT=${SERVER_NAME:-selfsign.rausys.de}
+      - SSL_KEY=/certs/cert.key
+      - SSL_CSR=/certs/cert.csr
+      - SSL_CERT=/certs/cert.crt
+
+volumes:
+  config:
+    driver: local
+    driver_opts:
+      type: none
+      o: bind
+      device: ./config
+  certs:
+    driver: local
+    driver_opts:
+      type: none
+      o: bind
+      device: ./certs
diff --git a/kdcproxy/parse_pyasn1.py b/kdcproxy/parse_pyasn1.py
@@ -100,6 +100,7 @@ def decode_proxymessage(data):
             realm = str(realm, "utf-8")
         except TypeError:  # Python 2.x
             realm = str(realm)
+        realm = realm.upper()
     else:
         realm = None
     flags = req.getComponentByName('flags')
