feat: hardened authelia binaries (#2410)

* feat: hardened authelia binaries

This change ensures that all Authelia binaries which are compiled and distributed are hardened with the following standards:

* RELRO
* Stack canary
* NX
* PIE/ASLR
* Stripped RPATH AND RUNPATH
* Stripped Symbols
* Fortify

The musl variants currently [do not support Fortify](https://wiki.musl-libc.org/future-ideas.html#Fortify).

* refactor: docker pull for authelia/crossbuild in background
This commit is contained in:
Amir Zarrinkafsh 2021-09-26 12:08:47 +10:00 committed by GitHub
parent bbd85bd558
commit bd6a8e3ea2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 71 additions and 21 deletions

View File

@ -5,6 +5,8 @@
<dd> <dd>
<a href="artifact://authelia-linux-amd64.tar.gz">authelia-linux-amd64.tar.gz</a><br> <a href="artifact://authelia-linux-amd64.tar.gz">authelia-linux-amd64.tar.gz</a><br>
<a href="artifact://authelia-linux-amd64.tar.gz.sha256">authelia-linux-amd64.tar.gz.sha256</a><br> <a href="artifact://authelia-linux-amd64.tar.gz.sha256">authelia-linux-amd64.tar.gz.sha256</a><br>
<a href="artifact://authelia-linux-amd64-musl.tar.gz">authelia-linux-amd64-musl.tar.gz</a><br>
<a href="artifact://authelia-linux-amd64-musl.tar.gz.sha256">authelia-linux-amd64-musl.tar.gz.sha256</a><br>
<a href="artifact://authelia-freebsd-amd64.tar.gz">authelia-freebsd-amd64.tar.gz</a><br> <a href="artifact://authelia-freebsd-amd64.tar.gz">authelia-freebsd-amd64.tar.gz</a><br>
<a href="artifact://authelia-freebsd-amd64.tar.gz.sha256">authelia-freebsd-amd64.tar.gz.sha256</a><br> <a href="artifact://authelia-freebsd-amd64.tar.gz.sha256">authelia-freebsd-amd64.tar.gz.sha256</a><br>
<a href="artifact://authelia_amd64.deb">authelia_amd64.deb</a><br> <a href="artifact://authelia_amd64.deb">authelia_amd64.deb</a><br>
@ -16,6 +18,8 @@
<dd> <dd>
<a href="artifact://authelia-linux-arm.tar.gz">authelia-linux-arm.tar.gz</a><br> <a href="artifact://authelia-linux-arm.tar.gz">authelia-linux-arm.tar.gz</a><br>
<a href="artifact://authelia-linux-arm.tar.gz.sha256">authelia-linux-arm.tar.gz.sha256</a><br> <a href="artifact://authelia-linux-arm.tar.gz.sha256">authelia-linux-arm.tar.gz.sha256</a><br>
<a href="artifact://authelia-linux-arm-musl.tar.gz">authelia-linux-arm-musl.tar.gz</a><br>
<a href="artifact://authelia-linux-arm-musl.tar.gz.sha256">authelia-linux-arm-musl.tar.gz.sha256</a><br>
<a href="artifact://authelia_armhf.deb">authelia_armhf.deb</a><br> <a href="artifact://authelia_armhf.deb">authelia_armhf.deb</a><br>
<a href="artifact://authelia_armhf.deb.sha256">authelia_armhf.deb.sha256</a> <a href="artifact://authelia_armhf.deb.sha256">authelia_armhf.deb.sha256</a>
</dd> </dd>
@ -25,6 +29,8 @@
<dd> <dd>
<a href="artifact://authelia-linux-arm64.tar.gz">authelia-linux-arm64.tar.gz</a><br> <a href="artifact://authelia-linux-arm64.tar.gz">authelia-linux-arm64.tar.gz</a><br>
<a href="artifact://authelia-linux-arm64.tar.gz.sha256">authelia-linux-arm64.tar.gz.sha256</a><br> <a href="artifact://authelia-linux-arm64.tar.gz.sha256">authelia-linux-arm64.tar.gz.sha256</a><br>
<a href="artifact://authelia-linux-arm64-musl.tar.gz">authelia-linux-arm64-musl.tar.gz</a><br>
<a href="artifact://authelia-linux-arm64-musl.tar.gz.sha256">authelia-linux-arm64-musl.tar.gz.sha256</a><br>
<a href="artifact://authelia_arm64.deb">authelia_arm64.deb</a><br> <a href="artifact://authelia_arm64.deb">authelia_arm64.deb</a><br>
<a href="artifact://authelia_arm64.deb.sha256">authelia_arm64.deb.sha256</a> <a href="artifact://authelia_arm64.deb.sha256">authelia_arm64.deb.sha256</a>
</dd> </dd>

View File

@ -2,7 +2,7 @@
set +u set +u
declare -A BUILDS=(["linux"]="amd64 arm arm64" ["freebsd"]="amd64") declare -A BUILDS=(["linux"]="amd64 arm arm64 amd64-musl arm-musl arm64-musl" ["freebsd"]="amd64")
DOCKER_IMAGE=authelia/authelia DOCKER_IMAGE=authelia/authelia
if [[ "${BUILDKITE_LABEL}" == ":hammer_and_wrench: Unit Test" ]]; then if [[ "${BUILDKITE_LABEL}" == ":hammer_and_wrench: Unit Test" ]]; then

View File

@ -18,15 +18,10 @@ if [[ "${BUILDKITE_LABEL}" =~ ":debian: Build Package" ]]; then
buildkite-agent artifact download "authelia-linux-${ARCH}.tar.gz" . buildkite-agent artifact download "authelia-linux-${ARCH}.tar.gz" .
fi fi
if [[ "${BUILDKITE_LABEL}" =~ ":docker: Deploy Image" ]]; then
buildkite-agent artifact download "authelia-image-${ARCH}*" .
zstdcat "authelia-image-${ARCH}.tar.zst" | docker load
fi
if [[ "${BUILDKITE_LABEL}" == ":docker: Deploy Manifest" ]]; then if [[ "${BUILDKITE_LABEL}" == ":docker: Deploy Manifest" ]]; then
echo "--- :go: :react: :swagger: Extract pre-built binary" echo "--- :go: :react: :swagger: Extract pre-built binary"
buildkite-agent artifact download "authelia-linux-*.tar.gz" . buildkite-agent artifact download "authelia-linux-*-musl.tar.gz" .
for archive in authelia-linux-*.tar.gz; do tar xzf ${archive} --wildcards "authelia-linux-*"; done for archive in authelia-linux-*-musl.tar.gz; do tar xzf ${archive} --wildcards "authelia-linux-*"; done
fi fi
if [[ "${BUILDKITE_LABEL}" == ":github: Deploy Artifacts" ]]; then if [[ "${BUILDKITE_LABEL}" == ":github: Deploy Artifacts" ]]; then

View File

@ -7,6 +7,9 @@ for FILE in \
authelia-linux-amd64.tar.gz authelia-linux-amd64.tar.gz.sha256 \ authelia-linux-amd64.tar.gz authelia-linux-amd64.tar.gz.sha256 \
authelia-linux-arm.tar.gz authelia-linux-arm.tar.gz.sha256 \ authelia-linux-arm.tar.gz authelia-linux-arm.tar.gz.sha256 \
authelia-linux-arm64.tar.gz authelia-linux-arm64.tar.gz.sha256 \ authelia-linux-arm64.tar.gz authelia-linux-arm64.tar.gz.sha256 \
authelia-linux-amd64-musl.tar.gz authelia-linux-amd64-musl.tar.gz.sha256 \
authelia-linux-arm-musl.tar.gz authelia-linux-arm-musl.tar.gz.sha256 \
authelia-linux-arm64-musl.tar.gz authelia-linux-arm64-musl.tar.gz.sha256 \
authelia-freebsd-amd64.tar.gz authelia-freebsd-amd64.tar.gz.sha256 \ authelia-freebsd-amd64.tar.gz authelia-freebsd-amd64.tar.gz.sha256 \
authelia-public_html.tar.gz authelia-public_html.tar.gz.sha256; authelia-public_html.tar.gz authelia-public_html.tar.gz.sha256;
do do

View File

@ -21,7 +21,7 @@ COPY LICENSE .healthcheck.env entrypoint.sh healthcheck.sh ./
RUN \ RUN \
chmod 0666 /app/.healthcheck.env chmod 0666 /app/.healthcheck.env
COPY authelia-${TARGETOS}-${TARGETARCH} ./authelia COPY authelia-${TARGETOS}-${TARGETARCH}-musl ./authelia
EXPOSE 9091 EXPOSE 9091

View File

@ -3,6 +3,8 @@ package main
import ( import (
"os" "os"
"strings" "strings"
"sync"
"time"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"github.com/spf13/cobra" "github.com/spf13/cobra"
@ -11,22 +13,56 @@ import (
) )
func buildAutheliaBinary(xflags []string, buildkite bool) { func buildAutheliaBinary(xflags []string, buildkite bool) {
cmd := utils.CommandWithStdout("go", "build", "-tags", "netgo", "-trimpath", "-o", OutputDir+"/authelia", "-ldflags", "-s -w "+strings.Join(xflags, " "), "./cmd/authelia/")
cmd.Env = append(os.Environ(),
"CGO_ENABLED=0")
if buildkite { if buildkite {
cmd = utils.CommandWithStdout("gox", "-tags=netgo", "-output={{.Dir}}-{{.OS}}-{{.Arch}}", "-ldflags=-s -w "+strings.Join(xflags, " "), "-osarch=linux/amd64 linux/arm linux/arm64 freebsd/amd64", "./cmd/authelia/") var wg sync.WaitGroup
s := time.Now()
wg.Add(2)
go func() {
defer wg.Done()
cmd := utils.CommandWithStdout("gox", "-output={{.Dir}}-{{.OS}}-{{.Arch}}-musl", "-buildmode=pie", "-trimpath", "-cgo", "-ldflags=-linkmode=external -s -w "+strings.Join(xflags, " "), "-osarch=linux/amd64 linux/arm linux/arm64", "./cmd/authelia/")
cmd.Env = append(os.Environ(), cmd.Env = append(os.Environ(),
"GOFLAGS=-trimpath", "CGO_ENABLED=0") "CGO_CPPFLAGS=-D_FORTIFY_SOURCE=2 -fstack-protector-strong", "CGO_LDFLAGS=-Wl,-z,relro,-z,now",
} "GOX_LINUX_ARM_CC=arm-linux-musleabihf-gcc", "GOX_LINUX_ARM64_CC=aarch64-linux-musl-gcc")
err := cmd.Run() err := cmd.Run()
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
} }
}()
go func() {
defer wg.Done()
cmd := utils.CommandWithStdout("bash", "-c", "docker run --rm -e GOX_LINUX_ARM_CC=arm-linux-gnueabihf-gcc -e GOX_LINUX_ARM64_CC=aarch64-linux-gnu-gcc -e GOX_FREEBSD_AMD64_CC=x86_64-pc-freebsd13-gcc -v ${PWD}:/workdir -v /buildkite/.go:/root/go authelia/crossbuild "+
"gox -output={{.Dir}}-{{.OS}}-{{.Arch}} -buildmode=pie -trimpath -cgo -ldflags=\"-linkmode=external -s -w "+strings.Join(xflags, " ")+"\" -osarch=\"linux/amd64 linux/arm linux/arm64 freebsd/amd64\" ./cmd/authelia/")
err := cmd.Run()
if err != nil {
log.Fatal(err)
}
}()
wg.Wait()
e := time.Since(s)
log.Debugf("Binary compilation completed in %s.", e)
} else {
cmd := utils.CommandWithStdout("go", "build", "-buildmode=pie", "-trimpath", "-o", OutputDir+"/authelia", "-ldflags", "-linkmode=external -s -w "+strings.Join(xflags, " "), "./cmd/authelia/")
cmd.Env = append(os.Environ(),
"CGO_CPPFLAGS=-D_FORTIFY_SOURCE=2 -fstack-protector-strong", "CGO_LDFLAGS=-Wl,-z,relro,-z,now")
err := cmd.Run()
if err != nil {
log.Fatal(err)
}
}
} }
func buildFrontend() { func buildFrontend() {
@ -102,6 +138,17 @@ func cleanAssets() {
func Build(cobraCmd *cobra.Command, args []string) { func Build(cobraCmd *cobra.Command, args []string) {
log.Info("Building Authelia...") log.Info("Building Authelia...")
buildkite, _ := cobraCmd.Flags().GetBool("buildkite")
if buildkite {
cmd := utils.CommandWithStdout("bash", "-c", "docker pull authelia/crossbuild -q &")
err := cmd.Run()
if err != nil {
log.Fatal(err)
}
}
Clean(cobraCmd, args) Clean(cobraCmd, args)
xflags, err := getXFlags(os.Getenv("BUILDKITE_BRANCH"), os.Getenv("BUILDKITE_BUILD_NUMBER"), "") xflags, err := getXFlags(os.Getenv("BUILDKITE_BRANCH"), os.Getenv("BUILDKITE_BUILD_NUMBER"), "")
@ -122,7 +169,6 @@ func Build(cobraCmd *cobra.Command, args []string) {
log.Debug("Building swagger-ui frontend...") log.Debug("Building swagger-ui frontend...")
buildSwagger() buildSwagger()
buildkite, _ := cobraCmd.Flags().GetBool("buildkite")
if buildkite { if buildkite {
log.Debug("Building Authelia Go binaries with gox...") log.Debug("Building Authelia Go binaries with gox...")
} else { } else {