New Feature: Two Man Realms

docker/Dockerfile-ca

@@ -1,38 +1,10 @@
-# This dockerfile builds a container capable of running the SSH CA bot. Note that a lot of this code is duplicated
-# between this file and Dockerfile-kssh.
-FROM ubuntu:18.04
-
-# Dependencies
-RUN apt-get -qq update
-RUN apt-get -qq  install curl software-properties-common ca-certificates gnupg -y
-RUN useradd -ms /bin/bash keybase
-USER keybase
-WORKDIR /home/keybase
-
-# Download and verify the deb
-# Key fingerprint from https://keybase.io/docs/server_security/our_code_signing_key
-RUN curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb
-RUN curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb.sig
-# Import our gpg key from our website. Pulling from key servers caused a flakey build so
-# we get the key from the Keybase website instead.
-RUN curl -sSL https://keybase.io/docs/server_security/code_signing_key.asc | gpg --import
-# This line will error if the fingerprint of the key in the file does not match the
-# known fingerprint of the our PGP key
-RUN gpg --fingerprint 222B85B0F90BE2D24CFEB93F47484E50656D16C7
-# And then verify the signature now that we have the key
-RUN gpg --verify keybase_amd64.deb.sig keybase_amd64.deb
-
-# Silence the error from dpkg about failing to configure keybase since `apt-get install -f` fixes it
-USER root
-RUN dpkg -i keybase_amd64.deb || true
-RUN apt-get install -fy
-USER keybase
+# See docker/Dockerfile-keybase
+FROM keybase:latest
 
 # Install go
 USER root
 RUN add-apt-repository ppa:gophers/archive -y
-RUN apt-get update
-RUN apt-get install golang-1.11-go git sudo -y
+RUN apt-get update && apt-get install golang-1.11-go git sudo -y
 USER keybase
 
 # Install go dependencies (speeds up future builds)

docker/Dockerfile-keybase

@@ -0,0 +1,26 @@
+# This dockerfile builds an Ubuntu container with Keybase installed
+FROM ubuntu:18.04
+
+# Dependencies
+RUN apt-get -qq update && apt-get -qq  install curl software-properties-common ca-certificates gnupg -y
+RUN useradd -ms /bin/bash keybase
+USER keybase
+WORKDIR /home/keybase
+
+# Download and verify the deb
+RUN curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb
+RUN curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb.sig
+# Import our gpg key from our website. Pulling from key servers caused a flakey build so
+# we get the key from the Keybase website instead.
+RUN curl -sSL https://keybase.io/docs/server_security/code_signing_key.asc | gpg --import
+# This line will error if the fingerprint of the key in the file does not match the
+# known fingerprint of the our PGP key
+RUN gpg --fingerprint 222B85B0F90BE2D24CFEB93F47484E50656D16C7
+# And then verify the signature now that we have the key
+RUN gpg --verify keybase_amd64.deb.sig keybase_amd64.deb
+
+# Silence the error from dpkg about failing to configure keybase since `apt-get install -f` fixes it
+USER root
+RUN dpkg -i keybase_amd64.deb || true
+RUN apt-get install -fy
+USER keybase

docker/Makefile

@@ -11,6 +11,7 @@ SHELL := /bin/bash
 
 # Build a new docker image for the CA bot
 build: reset-permissions
+	docker build -t keybase -f Dockerfile-keybase .
 	docker build -t ca -f Dockerfile-ca ..
 
 # Generate a new CA key

docs/env.md

@@ -106,6 +106,45 @@ export ANNOUNCEMENT="Hello! I'm {USERNAME} and I'm an SSH bot! I'm currently lis
 export ANNOUNCEMENT="Hello! I'm {USERNAME} and I'm an SSH bot! Being in {CURRENT_TEAM} will grant you SSH access to certain servers. Reach out to @dworken for more information."
 ```
 
+## M of N Realms
+
+It is possible to configure the SSH CA bot to require approval prior to granting access. For example, one could require
+that in order to use kssh with servers in the `team.ssh.root_everywhere` realm two other people must approve the request. 
+Approvals are done by reacting with a :+1: emoji to the message inside of Keybase chat. 
+
+In order to configure this, there are 3 environment variables that can be used:
+
+```
+export CTRL_POLICY_MOFN_TEAMS="team.ssh.root_everywhere, team.ssh.ci"
+export CTRL_POLICY_MOFN_APPROVERS="username0, username1, username2" 
+export CTRL_POLICY_MOFN_REQUIRED_COUNT="2"
+```
+
+The above will require that anyone who wants to use kssh with `team.ssh.root_everywhere` or `team.ssh.ci` gets approval
+from two other people. Only three people are configured to approve requests: `username0, username1, username2`. 
+
+A few other example configurations are:
+
+``` 
+export CTRL_POLICY_MOFN_TEAMS="team.ssh.root_everywhere"
+export CTRL_POLICY_MOFN_APPROVERS="username" 
+```
+
+This would require that in order to use kssh with `team.ssh.root_everywhere` it must be approved by `username`. 
+
+As a user, this would be done by running:
+
+```
+kssh --request-realm team.ssh.root_everywhere root@production
+```
+
+For a user, the standard commands would work for all other configured teams:
+
+``` 
+kssh dev@staging
+kssh dev@prod
+```
+
 ## Developer Options
 
 These environment variables are mainly useful for dev work. For security reasons, it is recommended always to run a 

integrationTest.sh

@@ -47,7 +47,8 @@ cd tests/
 reset_docker
 
 echo "Building containers..."
-cd ../docker/ && make && cd ../tests/
+cd ../docker/ && make build && cd ../tests/
+pwd
 docker-compose build
 echo "Running integration tests..."
 docker-compose up -d

src/cmd/kssh/kssh.go

@@ -20,27 +20,27 @@ import (
 
 func main() {
 	kssh.InitLogging()
-	team, remainingArgs, action, err := handleArgs(os.Args[1:])
+	botname, requestedPrincipal, remainingArgs, action, err := handleArgs(os.Args[1:])
 	if err != nil {
 		fmt.Printf("Failed to parse arguments: %v\n", err)
 		os.Exit(1)
 	}
-	keyPath, err := getSignedKeyLocation(team)
+	keyPath, err := getSignedKeyLocation(botname)
 	if err != nil {
 		fmt.Printf("Failed to retrieve location to store SSH keys: %v\n", err)
 		os.Exit(1)
 	}
-	if isValidCert(keyPath) {
+	if isValidCert(keyPath) && requestedPrincipal == "" {
 		log.WithField("keyPath", keyPath).Debug("Reusing unexpired certificate")
 		doAction(action, keyPath, remainingArgs)
 		os.Exit(0)
 	}
-	config, err := getConfig(team)
+	config, err := getConfig(botname)
 	if err != nil {
 		fmt.Printf("%v\n", err)
 		os.Exit(1)
 	}
-	err = provisionNewKey(config, keyPath)
+	err = provisionNewKey(config, keyPath, requestedPrincipal)
 	if err != nil {
 		fmt.Printf("%v\n", err)
 		os.Exit(1)
@@ -104,6 +104,7 @@ var cliArguments = []kssh.CLIArgument{
 	{Name: "--help", HasArgument: false},
 	{Name: "-v", HasArgument: false, Preserve: true},
 	{Name: "--set-keybase-binary", HasArgument: true},
+	{Name: "--request-realm", HasArgument: true},
 }
 
 var VersionNumber = "master"
@@ -131,7 +132,8 @@ GLOBAL OPTIONS:
    --set-default-user    Set the default SSH user to be used for kssh. Useful if you use ssh configs that do not set 
 					     a default SSH user 
    --clear-default-user  Clear the default SSH user
-   --set-keybase-binary  Run kssh with a specific keybase binary rather than resolving via $PATH `, VersionNumber)
+   --set-keybase-binary  Advanced feature: Run kssh with a specific keybase binary rather than resolving via $PATH 
+   --request-realm       Advanced feature: Request a specific M of N enabled realm in your provisioned certificate `, VersionNumber)
 }
 
 type Action int
@@ -141,55 +143,56 @@ const (
 	SSH
 )
 
-// Returns botname, remaining arguments, action, error
+// Returns botname, requestedPrincipal, remaining arguments, action, error
 // If the argument requires exiting after processing, it will call os.Exit
-func handleArgs(args []string) (string, []string, Action, error) {
+func handleArgs(args []string) (string, string, []string, Action, error) {
 	remaining, found, err := kssh.ParseArgs(args, cliArguments)
 	if err != nil {
-		return "", nil, 0, fmt.Errorf("Failed to parse provided arguments: %v", err)
+		return "", "", nil, 0, fmt.Errorf("Failed to parse provided arguments: %v", err)
 	}
 
-	team := ""
+	requestedPrincipal := ""
+	botname := ""
 	action := SSH
 	for _, arg := range found {
 		if arg.Argument.Name == "--bot" {
-			team = arg.Value
+			botname = arg.Value
 		}
-		if arg.Argument.Name == "--set-default-user" {
-			err := kssh.SetDefaultSSHUser(arg.Value)
+		if arg.Argument.Name == "--set-default-bot" {
+			// We exit immediately after setting the default bot
+			err := kssh.SetDefaultBot(arg.Value)
 			if err != nil {
-				fmt.Printf("Failed to set the default ssh user: %v\n", err)
+				fmt.Printf("Failed to set the default bot: %v\n", err)
 				os.Exit(1)
 			}
-			fmt.Println("Set default ssh user, exiting...")
+			fmt.Println("Set default bot, exiting...")
 			os.Exit(0)
 		}
-		if arg.Argument.Name == "--clear-default-user" {
-			err := kssh.SetDefaultSSHUser("")
+		if arg.Argument.Name == "--clear-default-bot" {
+			err := kssh.SetDefaultBot("")
 			if err != nil {
-				fmt.Printf("Failed to clear the default ssh user: %v\n", err)
+				fmt.Printf("Failed to clear the default bot: %v\n", err)
 				os.Exit(1)
 			}
-			fmt.Println("Cleared default ssh user, exiting...")
+			fmt.Println("Cleared default bot, exiting...")
 			os.Exit(0)
 		}
-		if arg.Argument.Name == "--set-default-bot" {
-			// We exit immediately after setting the default bot
-			err := kssh.SetDefaultBot(arg.Value)
+		if arg.Argument.Name == "--set-default-user" {
+			err := kssh.SetDefaultSSHUser(arg.Value)
 			if err != nil {
-				fmt.Printf("Failed to set the default bot: %v\n", err)
+				fmt.Printf("Failed to set the default ssh user: %v\n", err)
 				os.Exit(1)
 			}
-			fmt.Println("Set default bot, exiting...")
+			fmt.Println("Set default ssh user, exiting...")
 			os.Exit(0)
 		}
-		if arg.Argument.Name == "--clear-default-bot" {
-			err := kssh.SetDefaultBot("")
+		if arg.Argument.Name == "--clear-default-user" {
+			err := kssh.SetDefaultSSHUser("")
 			if err != nil {
-				fmt.Printf("Failed to clear the default bot: %v\n", err)
+				fmt.Printf("Failed to clear the default ssh user: %v\n", err)
 				os.Exit(1)
 			}
-			fmt.Println("Cleared default bot, exiting...")
+			fmt.Println("Cleared default ssh user, exiting...")
 			os.Exit(0)
 		}
 		if arg.Argument.Name == "--set-keybase-binary" {
@@ -211,8 +214,11 @@ func handleArgs(args []string) (string, []string, Action, error) {
 		if arg.Argument.Name == "-v" {
 			log.SetLevel(log.DebugLevel)
 		}
+		if arg.Argument.Name == "--request-realm" {
+			requestedPrincipal = arg.Value
+		}
 	}
-	return team, remaining, action, nil
+	return botname, requestedPrincipal, remaining, action, nil
 }
 
 // Get the kssh.ConfigFile. botname is the team specified via --bot if one was specified, otherwise the empty string
@@ -289,7 +295,7 @@ func isValidCert(keyPath string) bool {
 }
 
 // Provision a new signed SSH key with the given config
-func provisionNewKey(config kssh.ConfigFile, keyPath string) error {
+func provisionNewKey(config kssh.ConfigFile, keyPath string, requestedPrincipal string) error {
 	log.Debug("Generating a new SSH key...")
 
 	// Make ~/.ssh/ in case it doesn't exist
@@ -316,8 +322,9 @@ func provisionNewKey(config kssh.ConfigFile, keyPath string) error {
 
 	log.Debug("Requesting signature from the CA....")
 	resp, err := kssh.GetSignedKey(config, shared.SignatureRequest{
-		UUID:         randomUUID.String(),
-		SSHPublicKey: string(pubKey),
+		UUID:               randomUUID.String(),
+		SSHPublicKey:       string(pubKey),
+		RequestedPrincipal: requestedPrincipal,
 	})
 	if err != nil {
 		return fmt.Errorf("Failed to get a signed key from the CA: %v", err)