feat: testing with docker-compose sshopk config

florianow · florianow · commit 9203691346fb · 2025-11-25T14:18:13.000+01:00
diff --git a/Caddyfile b/Caddyfile
@@ -1,5 +1,6 @@
 {
     order coraza_waf first
+    auto_https disable_redirects
 }
 
 # --- WAF for MinIO UI (port 8080) ---
@@ -60,7 +61,7 @@
     }
 }
 
-# --- Keycloak Proxy (port 8082) ---
+# --- Keycloak Proxy HTTP (port 8082) ---
 :8082 {
     reverse_proxy keycloak:8080 {
         header_up Host localhost:8082
@@ -77,6 +78,25 @@
     }
 }
 
+# --- Keycloak Proxy HTTPS (port 8443) ---
+localhost:8443 {
+    tls internal
+
+    reverse_proxy keycloak:8080 {
+        header_up Host localhost:8443
+        header_up X-Real-IP {remote}
+        header_up X-Forwarded-Proto https
+        header_up X-Forwarded-Host localhost:8443
+        header_up X-Forwarded-Port 8443
+    }
+
+    log {
+        output stdout
+        format json
+        level INFO
+    }
+}
+
 # --- WAF for MinIO API (port 8081) ---
 :8081 {
     handle /health {
diff --git a/Dockerfile b/Dockerfile
@@ -25,8 +25,8 @@ RUN addgroup -g 1001 -S caddy && \
     adduser -u 1001 -S caddy -G caddy
 
 # Create directories with proper permissions
-RUN mkdir -p /etc/caddy /var/lib/caddy /var/log/caddy && \
-    chown -R caddy:caddy /etc/caddy /var/lib/caddy /var/log/caddy
+RUN mkdir -p /etc/caddy /var/lib/caddy /var/log/caddy /data/caddy && \
+    chown -R caddy:caddy /etc/caddy /var/lib/caddy /var/log/caddy /data/caddy
 
 # Copy Caddyfile template
 COPY Caddyfile /etc/caddy/Caddyfile
diff --git a/Dockerfile.ssh-server b/Dockerfile.ssh-server
@@ -5,6 +5,7 @@ RUN apt-get update && apt-get install -y \
     wget \
     curl \
     ca-certificates \
+    socat \
     && rm -rf /var/lib/apt/lists/*
 
 RUN wget -qO /usr/local/bin/opkssh https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-linux-amd64 && \
@@ -25,6 +26,14 @@ RUN mkdir -p /etc/opk /home/testuser/.opk && \
     chown testuser:testuser /home/testuser/.opk && \
     chmod 700 /home/testuser/.opk
 
+RUN echo '# Issuer Client-ID expiration-policy\nhttps://localhost:8443/realms/minio_realm opkssh-client 24h' > /etc/opk/providers && \
+    echo '# principal email/sub issuer\ntestuser test@test.com https://localhost:8443/realms/minio_realm' > /etc/opk/auth_id && \
+    chown opksshuser:opksshuser /etc/opk/providers /etc/opk/auth_id && \
+    chmod 640 /etc/opk/providers /etc/opk/auth_id
+
 EXPOSE 2222
 
-CMD ["/usr/sbin/sshd", "-D", "-p", "2222"]
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/TESTING-OPKSSH.md b/TESTING-OPKSSH.md
@@ -2,6 +2,42 @@
 
 This guide shows you how to test SSH authentication using OpenID Connect (OIDC) via Keycloak.
 
+## ⚠️ Important: HTTPS Requirement
+
+**opkssh requires HTTPS for the OIDC issuer.** The current setup uses HTTP for local testing which is not compatible with opkssh v0.10.0+.
+
+### Options:
+
+1. **Use a cloud Keycloak instance with HTTPS** (Recommended for real testing)
+2. **Wait for HTTP support** in future opkssh versions
+3. **Use an HTTPS proxy/tunnel** like ngrok or Cloudflare Tunnel
+
+## Current Status
+
+The setup is configured but **cannot be tested locally** due to the HTTPS requirement. The following files are ready:
+
+- ✅ Keycloak OIDC client (`opkssh-client`) configured
+- ✅ SSH test server with opkssh installed
+- ✅ Authorization rules configured
+- ❌ HTTPS endpoint (required by opkssh)
+
+## Alternative: Test with External SSH Server
+
+If you have an external SSH server with a public IP, you can install opkssh there and use your local Keycloak with an HTTPS tunnel.
+
+### Using ngrok (Quick Setup)
+
+```bash
+# Install ngrok
+brew install ngrok  # macOS
+# or download from https://ngrok.com/
+
+# Create HTTPS tunnel to Keycloak
+ngrok http 8082
+```
+
+Copy the HTTPS URL (e.g., `https://abc123.ngrok.io`) and use it as your issuer.
+
 ## What is opkssh?
 
 opkssh enables SSH authentication using OpenID Connect identities (like `test@test.com`) instead of traditional SSH keys. Your OIDC identity token is embedded in a temporary SSH certificate that expires after 24 hours.
@@ -61,19 +97,16 @@ docker-compose ps
 
 ### Step 1: Login with opkssh
 
-Run this command to authenticate with Keycloak:
+**Note:** This step currently fails due to HTTPS requirement. Example command:
 
 ```bash
-opkssh login --provider="http://localhost:8082/realms/minio_realm,opkssh-client"
+opkssh login --provider="https://your-keycloak-with-https.com/realms/minio_realm,opkssh-client"
 ```
 
-**What happens:**
-1. Your browser opens to Keycloak login page
-2. Login with:
-   - **Username:** `testuser`
-   - **Password:** `password`
-3. opkssh generates an SSH certificate at `~/.ssh/id_ecdsa`
-4. The certificate contains your OIDC identity token from Keycloak
+Error you'll see with HTTP:
+```
+Error: invalid provider issuer value. Expected issuer to start with 'https://'
+```
 
 ### Step 2: SSH to the Test Server
 
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -69,12 +69,15 @@ services:
   coraza-waf:
     image: coraza-waf-local:latest
     container_name: coraza-waf
+    user: root
     volumes:
       - ./Caddyfile:/etc/caddy/Caddyfile
+      - caddy-data:/data
     ports:
       - "8080:8080"
       - "8081:8081"
       - "8082:8082"
+      - "8443:8443"
     depends_on:
       - minio
       - keycloak
@@ -88,9 +91,10 @@ services:
     container_name: ssh-test-server
     ports:
       - "2222:2222"
+    extra_hosts:
+      - "localhost:host-gateway"
     volumes:
-      - ./opk-providers:/etc/opk/providers:ro
-      - ./opk-auth_id:/etc/opk/auth_id:ro
+      - caddy-data:/caddy-data:ro
     depends_on:
       - keycloak
       - coraza-waf
@@ -101,6 +105,7 @@ volumes:
   minio-data:
   postgres_data:
   keycloak-data:
+  caddy-data:
 
 networks:
   minio-net:
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Wait for Caddy CA certificate and install it
+echo "Waiting for Caddy CA certificate..."
+for i in {1..30}; do
+    if [ -f /caddy-data/caddy/pki/authorities/local/root.crt ]; then
+        cp /caddy-data/caddy/pki/authorities/local/root.crt /usr/local/share/ca-certificates/caddy-root.crt
+        update-ca-certificates
+        echo "Caddy CA certificate installed"
+        break
+    fi
+    sleep 1
+done
+
+# Start socat to proxy localhost:8443 to coraza-waf:8443
+socat TCP-LISTEN:8443,bind=127.0.0.1,fork,reuseaddr TCP:coraza-waf:8443 &
+
+# Start SSH daemon
+exec /usr/sbin/sshd -D -p 2222
diff --git a/opk-auth_id b/opk-auth_id
diff --git a/opk-providers b/opk-providers
