-
Notifications
You must be signed in to change notification settings - Fork 0
92 lines (82 loc) · 3.21 KB
/
vanilla-build-pipeline.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
name: opa-pam-build-from-scratch
# triggers defined below to automatically trigger the pipeline on push and pull requests
on:
push:
branches:
- master
- develop
- 'feature/**'
paths-ignore:
- '.vscode/**'
- README.md
- docs/**
- '.github/workflows/docker-pipeline.yml'
pull_request:
branches:
- master
- develop
- 'feature/**'
# the single 'playground' job installs the necessary dependencies, configures the pipeline and executes the command.
# Ideally, two different jobs ('build' and 'run command') helps here. But github workflows does not offer a 'stage'
# inside which jobs can execute as the azure pipelines.
jobs:
playground:
name: playground
runs-on: ubuntu-20.04
steps:
# the below dependencies will be required to build the OPA-PAM setup
- name: Install dependencies
run: |
set -e -x
sudo apt-get update -y
sudo apt-get install -y libpam0g-dev libtool-bin libcurl4-gnutls-dev autoconf
# Check out the current repository in the pipeline
- name: Checkout repo
uses: actions/checkout@v2
# Check out the open-policy-agent/contrib repository in the pipeline
# and place its contents in the contrib directory
- name: Checkout open-policy-agent/contrib
uses: actions/checkout@v2
with:
repository: open-policy-agent/contrib
ref: refs/heads/main
path: contrib
# Check out the akheron/jansson repository in the pipeline
# and place its contents in the jansson directory
- name: Checkout akheron/jansson
uses: actions/checkout@v2
with:
repository: akheron/jansson
ref: refs/heads/master
path: jansson
# Build and install the akheron/jansson repository on the agent
# (The C library for encoding, decoding and manipulating JSON data)
- name: Setup akheron/jansson
run: |
set -e -x
cd jansson
sudo autoreconf -i
sudo ./configure --prefix=/usr && sudo make
sudo make install
# Build the OPA PAM module and copy it to /lib/security directory in the system.
- name: Copy the pam module to /lib/x86_64-linux-gnu/security/
run: |
set -e -x
cd contrib/pam_opa/pam/ && sudo make
sudo cp *.so /lib/x86_64-linux-gnu/security/
# Configure the agent's sudo service to use the OPA PAM for sudo authorization
- name: Configure OPA as PAM module
run: |
set -e -x
sudo chmod 777 /etc/pam.d/sudo
echo auth required /lib/x86_64-linux-gnu/security/pam_opa.so url=http://opa-auth-server.herokuapp.com:80 authz_endpoint=/v1/data/sudo/authz log_level=debug >> /etc/pam.d/sudo
cat /etc/pam.d/sudo
# Finally, test if the sudo command connects to the authorization service to
# get a policy decision and act accordingly
- name: Execute privileged command and test
run: |
set -ex
echo "$USER:${{ secrets.REMOTE_PASSWORD }}" | sudo chpasswd
echo "$USER ALL=(ALL) PASSWD: ALL" | sudo tee -a /etc/sudoers
echo ${{ secrets.REMOTE_PASSWORD }} | sudo -S ls
# demo-time