Added the key database to the system to support sign in with SSH keys.

files/auth/auth.service

 [Unit]
-Description=Exam System Message Broker
+Description=Exam System Authentication Service
 After=network.target
 
 [Service]
@@ -11,7 +11,7 @@ Restart=on-failure
 RestartSec=10
 
 # No limit. We won't overload the system anyway.
-StartLimitIntervalSec=0
+StartLimitInterval=0
 
 [Install]
 WantedBy=multi-user.target

files/auth/config.json

@@ -4,8 +4,8 @@
 // These are in place to make it easy to strip the comments without knowledge of JSON before passing
 // it to the JSON parser.
 {
-    // Timeout for all authentications, in minutes
-    "timeout" : 1,
+    // Timeout for all authentications, in seconds
+    "timeout" : 30,
 
     // All groups known to the system, and what permissions we assign each group.
     "groups" : {
@@ -18,6 +18,18 @@
 	    "groups" : [ "TEST" ]
 	},
 
+	// SSH key database.
+	"KDB" : {
+	    "message_size" : 102400,
+	    "groups" : [ "KMGR", "AUTH" ]
+	},
+
+	// SSH key manager.
+	"KMGR" : {
+	    "message_size" : 102400,
+	    "groups" : [ "KDB" ]
+	},
+
 	// Admin clients.
 	"ADMC" : {
 	    "message_size" : 1024000,
@@ -27,7 +39,7 @@
 	// Examiner clients.
 	"EC" : {
 	    "message_size" : 1024000,
-	    "groups" : [ "", "MS" ]
+	    "groups" : [ "", "MS", "EC" ]
 	},
 
 	// Student clients.
@@ -50,6 +62,29 @@
 	}
     },
 
+    // How should the system tie acquired identity strings to system IDs? The information here is
+    // used by all authentication systems that figure out some kind of identity and need to tie that
+    // to some kind of database ID.
+    "identity" : {
+	// Address of the server that holds all identities.
+	"server" : {
+	    "group" : "DB",
+	    "id" : 1
+	},
+
+	// Mapping from group names to one or more categories that users in that group may belong
+	// to. This lets the system know which tables to examine in a query, and roughly what
+	// permissions are required for the different groups.
+	"groups" : {
+	    "SC" : [ "student" ],
+	    "EC" : [ "staff", "admin" ],
+	    "ADMC" : [ "admin" ],
+	    // Note: This might not be a good idea in the long run. We should at least
+	    // put "admin" here instead of "staff".
+	    "KMGR" : [ "staff" ]
+	}
+    },
+
     // All authentication methods the auth server is going to support. Each method may appear multiple
     // times with different configuration if different groups are to be guarded with different levels
     // of security.
@@ -57,7 +92,7 @@
 	{
 	    // A list of groups that we allow authenticating using this method. This is mandatory
 	    // for all elements in here.
-	    "allow" : [ "TEST" ],
+	    "allow" : [ "TEST", "EC", "SC", "MS" ],
 
 	    // The debug auth is the simplest. It just allows whatever the connected client
 	    // claimed. It is not good to use in production, and is always disabled unless the
@@ -65,7 +100,7 @@
 	    "type" : "debug"
 	},
 	{
-	    "allow" : [ "DB", "MS" ],
+	    "allow" : [ "DB", "MS", "KDB" ],
 
 	    // File system authentication. This works for clients on the same system as the
 	    // authentication server (e.g. DB, ARLA, etc.), and relies on UNIX permissions. This
@@ -79,11 +114,11 @@
 	    "permissions" : "0770",
 
 	    // Group of the file. If not present or null, we won't change the group.
-	    "group" : null
+	    "group" : "aes_local_auth"
 	},
 	{
-	    // Slightly different requirements for ADMC.
-	    "allow" : [ "ADMC" ],
+	    // Slightly different requirements for ADMC and the Key manager.
+	    "allow" : [ "ADMC", "KMGR" ],
 	    "type" : "fs",
 	    "path" : "/tmp",
 	    "permissions" : "0777",
@@ -98,29 +133,19 @@
 	    "group" : null
 	},
 	{
-	    // Allow authenticating EC with Kerberos.
-	    "allow" : [ "EC" ],
-	    "type" : "kerberos",
-
-	    // What is the address of the database server we shall query for information?
-	    "db" : {
-		"group" : "DB",
-		"id" : 1
-	    },
-
-	    "user_type" : "staff"
+	    // Allow authenticating SC, EC and AdmC with Kerberos.
+	    "allow" : [ "EC", "SC", "ADMC" ],
+	    "type" : "kerberos"
 	},
 	{
-	    // Allow authenticating SC with Kerberos.
-	    "allow" : [ "SC" ],
-	    "type" : "kerberos",
+	    // Allow TEST, EC, SC, and KMGR with SSH.
+	    "allow" : [ "TEST", "EC", "SC", "KMGR" ],
+	    "type" : "ssh",
 
-	    "db" : {
-		"group" : "DB",
+	    "identity_db" : {
+		"group" : "KDB",
 		"id" : 1
-	    },
-
-	    "user_type" : "student"
+	    }
 	}
     ]
 }

files/auth/keydb.service

+[Unit]
+Description=Exam System SSH Key Storage
+After=network.target
+
+[Service]
+Type=simple
+User=auth_keydb
+WorkingDirectory=/srv/auth_keydb/
+ExecStart=/usr/bin/env python3 /srv/auth_keydb/src/keydb/keydb.py localhost 31337
+Restart=on-failure
+RestartSec=10
+
+# No limit. We won't overload the system anyway.
+StartLimitInterval=0
+
+[Install]
+WantedBy=multi-user.target

files/auth/on_update.sh

@@ -10,6 +10,7 @@ make
 
 cd
 mkdir -p bin/
+rm -f bin/auth
 cp src/auth/auth bin/
 EOF
 )
@@ -18,5 +19,5 @@ EOF
 sudo --user auth --group auth --set-home -- bash -c "$run_as_broker"
 
 # Then, we can restart the services.
-systemctl service restart aes_auth.service
+systemctl restart aes_auth.service
 

files/auth/on_update_keydb.sh

+#!/bin/bash
+
+systemctl restart aes_auth_keydb.service
+systemctl restart aes_temp_userdb.service

files/auth/temp_userdb.service

+[Unit]
+Description=Exam System Temporary User Database
+After=network.target
+
+[Service]
+Type=simple
+User=auth_keydb
+WorkingDirectory=/srv/auth_keydb/
+ExecStart=/usr/bin/env python3 /srv/auth_keydb/src/temporary_userdb/userdb.py localhost 31337
+Restart=on-failure
+RestartSec=10
+
+# No limit. We won't overload the system anyway.
+StartLimitIntervalSec=0
+
+[Install]
+WantedBy=multi-user.target

files/broker/broker.service

@@ -11,7 +11,7 @@ Restart=on-failure
 RestartSec=10
 
 # No limit. We won't overload the system anyway.
-StartLimitIntervalSec=0
+StartLimitInterval=0
 
 [Install]
 WantedBy=multi-user.target

files/broker/on_update.sh

@@ -10,6 +10,7 @@ make
 
 cd
 mkdir -p bin/
+rm -f bin/broker
 cp src/broker/broker bin/
 EOF
 )
@@ -18,5 +19,5 @@ EOF
 sudo --user broker --group broker --set-home -- bash -c "$run_as_broker"
 
 # Then, we can restart the services.
-systemctl service restart aes_broker.service
+systemctl restart aes_broker.service
 

manifests/auth.pp

@@ -12,16 +12,24 @@ class aes::auth {
     [
 	'krb5-libs',
 	'krb5-devel',
+	'openssl-devel',
     ]:
       ensure => installed,
   }
 
+  # Group for local authentication. All accounts that are members
+  # of this group are considered trusted by the authentication system.
+  group { "aes_local_auth" :
+    ensure => present
+  }
+
   user { "${auth_user}" :
     ensure => present,
     home => "${auth_home}",
     comment => 'Authentication server for AES',
     managehome => false,
     membership => inclusive,
+    groups => [ "aes_local_auth" ],
     system => true,
     shell => '/sbin/nologin',
   }
@@ -51,16 +59,16 @@ class aes::auth {
 
   file { "${auth_home}/config.json" :
     ensure => present,
-    owner  => auth,
-    group  => auth,
+    owner  => "${auth_user}",
+    group  => "${auth_group}",
     mode   => '0644',
     source => "puppet:///modules/${module_name}/auth/config.json",
   }
 
   file { "${auth_home}/start.sh" :
     ensure => present,
-    owner  => auth,
-    group  => auth,
+    owner  => "${auth_user}",
+    group  => "${auth_group}",
     mode   => '0755',
     source => "puppet:///modules/${module_name}/auth/start.sh",
   }

manifests/auth_keydb.pp

+class aes::auth_keydb {
+
+  $keydb_user = auth_keydb
+  $keydb_group = "${keydb_user}"
+  $keydb_home = "/srv/${keydb_user}"
+  $keydb_service = "aes_auth_keydb"
+
+  user { "${keydb_user}" :
+    ensure => present,
+    home => "${keydb_home}",
+    comment => 'Authentication server for AES',
+    managehome => false,
+    membership => inclusive,
+    groups => [ "aes_local_auth" ],
+    system => true,
+    shell => '/sbin/nologin',
+  }
+
+  file { "${keydb_home}" :
+    ensure => directory,
+    owner => "${keydb_user}",
+    group => "${keydb_group}",
+    mode => '0755',
+  }
+
+  file { "/etc/systemd/system/${keydb_service}.service" :
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => '0644',
+    source => "puppet:///modules/${module_name}/auth/keydb.service",
+  }
+
+  file { "${keydb_home}/on_update.sh" :
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => '0700',
+    source => "puppet:///modules/${module_name}/auth/on_update_keydb.sh",
+  }
+
+  exec { 'update-keydb-repo' :
+    command => "/opt/utils/update_repo.sh ${keydb_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git production",
+    environment => [ "REPO_USER=${keydb_user}", "REPO_GROUP=${keydb_group}", "REPO_ON_UPDATE=${keydb_home}/on_update.sh" ],
+    # This command will need to run "on_update" as root in order to restart the service.
+    user => root,
+    group => root,
+    cwd => "${keydb_home}",
+    require => File["${keydb_home}/on_update.sh"],
+  }
+
+  service { "${keydb_service}" : 
+    ensure => "running",
+  }
+
+  # These are temporary until the AdmC database is up and running.
+
+  file { "/etc/systemd/system/aes_temp_userdb.service" :
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => '0644',
+    source => "puppet:///modules/${module_name}/auth/temp_userdb.service",
+  }
+
+  service { "aes_temp_userdb" :
+    ensure => "running",
+  }
+}
\ No newline at end of file

manifests/init.pp

@@ -6,6 +6,7 @@ class aes {
   include aes::latex
   include aes::broker
   include aes::auth
+  include aes::auth_keydb
   include ::liurepo::centos_sclo_rh
 
   package {