Merge pull request #10 from alan-turing-institute/9-fix-architecture-builds

Fix architecture builds

Author: jemrobinson

.github/workflows/build-release.yml

@@ -12,27 +12,35 @@ jobs:
   releases-matrix:
     name: Create release-artifacts
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        # build and publish in parallel
-        goos: [linux]
-        goarch: ["386", "amd64", "arm", "arm64"]
     steps:
       - name: Check out the repository
         uses: actions/checkout@v2
 
-      - name: Setup golang version
+      - name: Setup Go build tools
         uses: actions/setup-go@v2
         with:
           go-version: '^1.18'
 
-      - name: Install dependencies
-        run: sudo apt-get install -y libpam-dev
+      - name: Update package repositories
+        run: sudo apt update
+
+      - name: Setup C++ build tools
+        run: sudo apt install -y gcc make
+
+      - name: Install build dependencies
+        run: sudo apt install -y libcurl4-openssl-dev libjansson-dev libpam-dev unzip
 
       - name: Generate the artifacts
         run: |
+          # Build pam_aad_oidc.so
+          make
+
+          # Build libnss
+          wget https://github.com/hmeiland/linuxaad/archive/refs/tags/v0.3.1.zip
+          unzip v0.3.1.zip
+          cd linuxaad-0.3.1/libnss_aad/
           make
-          mv pam_aad_oidc.so pam_aad_oidc.${{ matrix.goarch }}.so
+          mv .libs/libnss_aad.so.2.0 ../../libnss_aad.so
 
       - name: Upload the artifacts
         uses: skx/github-action-publish-binaries@master

README.md

@@ -28,7 +28,9 @@ This code is based on code from [`pam-keycloak-oidc`](https://github.com/zhaow-d
    - You must **record the value** of this secret at creation time, as it will not be visible later.
 
 3. Under `API permissions`:
-   - Ensure that `Microsoft Graph > User.Read` is enabled
+   - Ensure that the following permissions are enabled
+      - `Microsoft Graph > User.Read.All` (delegated)
+      - `Microsoft Graph > GroupMember.Read.All` (delegated)
    - Select this and click the `Grant admin consent` button (otherwise manual consent is needed from each user)
 
 ## Configure local client
@@ -49,24 +51,41 @@ This code is based on code from [`pam-keycloak-oidc`](https://github.com/zhaow-d
    # The (time-limited) client secret generated for this application above
    client-secret="jbi58~72en43pqpdvwg6enb8r0ml3-hq-0ip2s9c"
 
-   # Microsoft.Graph scope to be requested. Unless there is a particular reason not to, use 'user.read'.
-   scope="user.read"
-
    # Name of AAD group that authenticated users must belong to
    group-name="Allowed PAM users"
 
    # Default domain for AAD users. This will be appended to any users not in `username@domain` format.
    domain="mydomain.onmicrosoft.com"
    ```
 
-4. Add configuration lines to the relevant PAM module, referencing the `TOML` file you wrote above.
-   For example, for testing purposes you can add the following to `/etc/pam.d/test`
+4. Create a PAM config file at `/usr/share/pam-configs/aad_oidc` referencing the `TOML` file you wrote above:
+   ```none
+   Name: Allow AzureAD login
+   Default: no
+   Priority: 129
+   Auth-Type: Primary
+   Auth:
+      [success=end default=ignore]	pam_aad_oidc.so config=/etc/pam-aad-oidc.toml
+   Auth-Initial:
+      [success=end default=ignore]	pam_aad_oidc.so config=/etc/pam-aad-oidc.toml
+   ```
+
+4. Install the module with the following command
+
+   ```bash
+   > pam-auth-update --enable aad_oidc
+   ```
+
+## Testing local client
+You can test the module with a dummy PAM entry point.
+
+1. For testing purposes you can add the following to `/etc/pam.d/test`, referencing the `TOML` file you wrote above
 
    ```none
    auth    required     pam_aad_oidc.so config=/etc/pam-aad-oidc.toml
    ```
 
-5. Install `pamtester` in order to test the module.
+2. Install `pamtester` in order to test the module.
 
    ```shell
    # With the password for `myusername` in the file `password.secret`

azuread.go

@@ -18,7 +18,6 @@ type Config struct {
 	TenantID     string `toml:"tenant-id"`
 	ClientId     string `toml:"client-id"`
 	ClientSecret string `toml:"client-secret"`
-	Scope        string `toml:"scope"`
 	GroupName    string `toml:"group-name"`
 	Domain       string `toml:"domain"`
 }
@@ -67,7 +66,7 @@ func ValidateCredentials(configPath string, username string, password string) in
 			TokenURL: "https://login.microsoftonline.com/" + config.TenantID + "/oauth2/v2.0/token",
 		},
 		RedirectURL: "urn:ietf:wg:oauth:2.0:oob", // this is the "no redirect" URL
-		Scopes:      []string{config.Scope},
+		Scopes:      []string{"https://graph.microsoft.com/.default"}, // use the default scopes registered with the application
 	}
 
 	// If there is no suffix then use the default domain

pam.c

@@ -7,7 +7,7 @@
 #include <security/pam_ext.h>
 
 // Local includes
-#include <pam.h>
+#include "pam.h"
 
 
 // Retrieve a username from a PAM handle

pam.go

@@ -9,7 +9,7 @@ import (
 #cgo CFLAGS: -Wall
 #include <security/pam_appl.h>
 #include <stdlib.h>
-#include <pam.h>
+#include "pam.h"
 */
 import "C"