Initial commit

.gitignore

@@ -0,0 +1 @@
+.idea

.gitlab-ci.yml

@@ -0,0 +1,35 @@
+workflow:
+  rules:
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+image: docker
+
+stages:
+  - check
+  - decide
+
+cache:
+  key: dap_${CI_COMMIT_REF_NAME}
+  paths:
+    - EXISTING
+
+check:
+  stage: check
+  image: alpine
+  artifacts:
+    paths:
+      - build.yml
+    expire_in: 3 hours
+  before_script:
+    - apk add bash
+    - mv noop.template.yml build.yml
+  script:
+    - ./check.sh
+
+decide:
+  stage: decide
+  trigger:
+    include:
+      - artifact: build.yml
+        job: check
+    strategy: depend

Dockerfile

@@ -0,0 +1,29 @@
+FROM alpine:edge AS builder
+
+ARG VERSION
+ARG CHECKSUM
+
+ARG PYTHON_VERSION=3.11
+
+RUN apk add --no-cache build-base libffi-dev perl zlib-dev diffutils libstdc++ gcompat \
+                       bash wget py3-cffi py3-zope-interface
+RUN wget -O duoauthproxy.tgz https://dl.duosecurity.com/duoauthproxy-${VERSION}-src.tgz
+RUN echo "${CHECKSUM} duoauthproxy.tgz" | sha256sum -c
+RUN tar xzf duoauthproxy.tgz
+WORKDIR duoauthproxy-${VERSION}-src
+RUN mkdir -p duoauthproxy-build/usr/local/lib/python${PYTHON_VERSION}/
+RUN cp -R /usr/lib/python3.11/site-packages duoauthproxy-build/usr/local/lib/python${PYTHON_VERSION}/
+RUN sed -i '/$(CFFI) \\/d' Makefile
+RUN sed -i '/$(ZOPE_INTERFACE) \\/d' Makefile
+RUN make
+RUN LD_PRELOAD=libgcompat.so.0 duoauthproxy-build/install --install-dir /app --service-user nobody --log-group nobody --create-init-script no --enable-selinux=no
+RUN rm -rf /app/usr/local/lib/python${PYTHON_VERSION}/test
+RUN chown -R nobody:nobody /app/conf
+
+FROM alpine:edge
+WORKDIR /app
+RUN apk add --no-cache libgcc libffi-dev gcompat su-exec
+USER 0:0
+COPY --from=builder /app /app
+COPY entrypoint.sh /app/entrypoint.sh
+ENTRYPOINT ["/app/entrypoint.sh"]

README.md

@@ -0,0 +1,27 @@
+![](https://images.microbadger.com/badges/version/jarylc/duoauthproxy.svg) ![](https://images.microbadger.com/badges/image/jarylc/duoauthproxy.svg) ![](https://img.shields.io/docker/stars/jarylc/duoauthproxy.svg) ![](https://img.shields.io/docker/pulls/jarylc/duoauthproxy.svg)
+
+# Volumes
+- /app/conf/authproxy.cfg - configuration file (https://duo.com/docs/authproxy_reference)
+
+# Deploying
+## Terminal
+```bash
+docker run -d \
+    --name duoauthproxy \
+    -v /path/to/authproxy.cfg:/app/conf/authproxy.cfg \
+    --restart unless-stopped \
+    minimages/duoauthproxy
+```
+## Docker-compose
+```yml
+duoauthproxy:
+    image: minimages/duoauthproxy
+    ports:
+        - "1812:1812"
+    volumes:
+        - /path/to/authproxy.cfg:/app/conf/authproxy.cfg
+    restart: unless-stopped
+```
+
+## Examples
+You can visit the [examples folder in this repository](examples) for example deployments.

build.sh

@@ -0,0 +1,24 @@
+#!/bin/ash
+
+apk add curl jq
+
+RUNNER_ARCH=$(arch)
+RUNNER_ARCH=${RUNNER_ARCH/x86_/amd}
+RUNNER_ARCH=${RUNNER_ARCH/aarch/arm}
+BUILDX_VER=$(curl -ks https://api.github.com/repos/docker/buildx/releases/latest | jq -r '.name')
+mkdir -p "$HOME/.docker/cli-plugins/"
+wget -O "$HOME/.docker/cli-plugins/docker-buildx" "https://github.com/docker/buildx/releases/download/${BUILDX_VER}/buildx-${BUILDX_VER}.linux-${RUNNER_ARCH}"
+chmod a+x "$HOME/.docker/cli-plugins/docker-buildx"
+echo -e '{\n  "experimental": "enabled"\n}' | tee "$HOME/.docker/config.json"
+
+if [[ ${RUNNER_ARCH} != ${ARCH} ]]; then
+  docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+fi
+
+docker buildx create --use --name builder
+docker buildx inspect --bootstrap builder
+docker buildx install
+
+docker buildx build --cache-to=type=local,dest=cache,mode=max --build-arg VERSION --build-arg CHECKSUM --platform "linux/${ARCH}" -t "${REGISTRY_IMAGE}:${ARCH/\//}" .
+echo "${TOKEN}" | docker login -u "${USERNAME}" --password-stdin ${REGISTRY}
+docker buildx build --push --cache-from=type=local,src=cache --build-arg VERSION --build-arg CHECKSUM --platform "linux/${ARCH}" -t "${REGISTRY_IMAGE}:${ARCH/\//}" .

build.template.yml

@@ -0,0 +1,52 @@
+image: docker
+
+stages:
+  - build
+  - deploy
+
+cache:
+  key: dap_${CI_COMMIT_REF_NAME}
+  paths:
+    - EXISTING
+
+variables:
+  DOCKER_HOST: tcp://docker:2375
+  DOCKER_TLS_CERTDIR: ""
+  DOCKER_DRIVER: overlay2
+  DOCKER_BUILDKIT: 1
+  DOCKER_CLI_EXPERIMENTAL: enabled
+
+.build-template:
+  stage: build
+  services:
+    - name: docker:dind
+      command: ["--experimental"]
+  script:
+    - VERSION=$LATEST CHECKSUM=$CHECKSUM ./build.sh
+
+build:amd64:
+  extends: .build-template
+  variables:
+    ARCH: amd64
+build:arm/v7:
+  extends: .build-template
+  variables:
+    ARCH: arm/v7
+  tags:
+    - arm
+build:arm64:
+  extends: .build-template
+  variables:
+    ARCH: arm64
+  tags:
+    - arm
+
+deploy:
+  stage: deploy
+  services:
+    - name: docker:dind
+      command: [ "--experimental" ]
+  script:
+    - ./manifest.sh $(echo '$LATEST' | sed 's/v//g')
+  after_script:
+    - echo '$LATEST' > EXISTING

check.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+apk add curl jq
+
+[[ ! -f EXISTING ]] || touch EXISTING
+EXISTING=$(cat EXISTING)
+echo "Existing: ${EXISTING}"
+
+if [[ -n $OVERWRITE ]]; then
+  echo "Overwriting: $OVERWRITE"
+  LATEST=$OVERWRITE
+else
+  INFO=$(curl https://duo.com/docs/checksums | grep 'https://dl.duosecurity.com/duoauthproxy' | grep 'src.tgz' | rev | cut -d'>' -f1 | rev)
+  CHECKSUM=$(echo "$INFO" | cut -d' ' -f1)
+  LATEST=$(echo "$INFO" | cut -d'-' -f2)
+  echo "Latest: ${LATEST}"
+fi
+
+if [[ (-n "${LATEST}" && "${LATEST}" != "${EXISTING}") ]]; then
+  mv build.template.yml build.yml
+  sed -i "s \$CHECKSUM ${CHECKSUM} g" 'build.yml'
+  sed -i "s \$LATEST ${LATEST} g" 'build.yml'
+  echo "Building..."
+fi

entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/ash
+set -e
+export LD_PRELOAD=libgcompat.so.0
+su-exec 0:0 /app/bin/authproxy_connectivity_tool
+su-exec 0:0 /app/bin/authproxy

examples/lldap/conf/authproxy.cfg

@@ -0,0 +1,24 @@
+; Complete documentation about the Duo Auth Proxy can be found here:
+; https://duo.com/docs/authproxy_reference
+
+[main]
+log_stdout=true
+
+[ad_client]
+host=lldap
+port=3890
+auth_type=plain
+bind_dn=uid=admin,ou=people,dc=example,dc=com
+service_account_username=admin
+service_account_password=password
+search_dn=ou=people,dc=example,dc=com
+username_attribute=uid
+at_attribute=mail
+
+[ldap_server_auto]
+ikey=DIXXXXXXXXXXXXXXXXXX
+skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+api_host=api-XXXXXXXX.duosecurity.com
+failmode=secure
+client=ad_client
+port=1812

examples/lldap/docker-compose.yml

@@ -0,0 +1,17 @@
+services:
+  lldap:
+    image: lldap/lldap:stable
+    ports:
+      - "3890:3890"
+    environment:
+      - LLDAP_JWT_SECRET=SAMPLE_JWT_SECRET
+      - LLDAP_KEY_SEED=SAMPLE_KEY_SEED
+      - LLDAP_LDAP_BASE_DN=dc=example,dc=com
+  duoauthproxy:
+    image: jarylc/duoauthproxy:latest
+    ports:
+        - "1812:1812"
+    volumes:
+        - ./conf/authproxy.cfg:/app/conf/authproxy.cfg
+    depends_on:
+      - lldap

manifest.sh

@@ -0,0 +1,34 @@
+#!/bin/ash
+
+RUNNER_ARCH=$(arch)
+RUNNER_ARCH=${RUNNER_ARCH/x86_/amd}
+RUNNER_ARCH=${RUNNER_ARCH/aarch/arm}
+BUILDX_VER=$(curl -ks https://api.github.com/repos/docker/buildx/releases/latest | jq -r '.name')
+mkdir -p "$HOME/.docker/cli-plugins/"
+wget -O "$HOME/.docker/cli-plugins/docker-buildx" "https://github.com/docker/buildx/releases/download/${BUILDX_VER}/buildx-${BUILDX_VER}.linux-${RUNNER_ARCH}"
+chmod a+x "$HOME/.docker/cli-plugins/docker-buildx"
+echo -e '{\n  "experimental": "enabled"\n}' | tee "$HOME/.docker/config.json"
+
+echo "${TOKEN}" | docker login -u "${USERNAME}" --password-stdin ${REGISTRY}
+
+docker buildx imagetools create \
+  -t "${REGISTRY_IMAGE}:${1}" \
+  "${REGISTRY_IMAGE}:amd64" \
+  "${REGISTRY_IMAGE}:armv7" \
+  "${REGISTRY_IMAGE}:arm64"
+docker buildx imagetools create \
+  -t "${REGISTRY_IMAGE}:latest" \
+  "${REGISTRY_IMAGE}:amd64" \
+  "${REGISTRY_IMAGE}:armv7" \
+  "${REGISTRY_IMAGE}:arm64"
+
+docker buildx imagetools create \
+  -t "${REGISTRY_IMAGE2}:${1}" \
+  "${REGISTRY_IMAGE}:amd64" \
+  "${REGISTRY_IMAGE}:armv7" \
+  "${REGISTRY_IMAGE}:arm64"
+docker buildx imagetools create \
+  -t "${REGISTRY_IMAGE2}:latest" \
+  "${REGISTRY_IMAGE}:amd64" \
+  "${REGISTRY_IMAGE}:armv7" \
+  "${REGISTRY_IMAGE}:arm64"

noop.template.yml

@@ -0,0 +1,4 @@
+noop:
+  stage: build
+  script:
+      - exit 0