Merge pull request #1 from grumlimited/static

Static

.github/workflows/ci.yml

@@ -26,6 +26,6 @@ jobs:
         with:
           go-version: '1.22'
 
-      - name: Build
+      - name: Test
         run: |
-          GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} go build
+          make test

.github/workflows/release.yml

@@ -25,30 +25,17 @@ jobs:
 
       - name: Build
         run: |
-          GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} go build -o gohip-${{ matrix.goos }}-${{ matrix.goarch }}
+          GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} make build
           RELEASE_VERSION=$(echo ${{ github.ref }} | tr -d 'refs/tags/v')
           echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_ENV
 
-      - name: Create Release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        if: startsWith(github.ref, 'refs/tags/') # redundant, but just to be sure
         with:
-          tag_name: ${{ github.ref }}
-          release_name: Release ${{ github.ref }}
-          draft: false
-          prerelease: false
-
-      - name: Upload Release Assets
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_name: gohip-linux-amd64
-          asset_path: ./gohip-linux-amd64
-          asset_content_type: application/octet-stream
+          files: |
+            gohip-linux-amd64
+            gohip-static-linux-amd64
 
       - name: Create Debian package
         env:

Makefile

@@ -14,16 +14,31 @@ push_tag:
 
 .PHONY: all delete_latest_tag recreate_tag push_tag
 
-build:
+test:
+	go test -v ./systemd ./others ./osdata ./types .
+
+build: build-dynamic build-static
+
+build-dynamic:
 	go build -o gohip-$(GOOS)-$(GOARCH)
 
+build-static:
+	CGO_ENABLED=0 go build -o gohip-static-$(GOOS)-$(GOARCH)
+
 install: build
 	mkdir -p $(DESTDIR)/usr/bin
 	cp gohip-$(GOOS)-$(GOARCH) $(DESTDIR)/usr/bin/gohip
+	cp gohip-static-$(GOOS)-$(GOARCH) $(DESTDIR)/usr/bin/gohip-static
 
 debian-pkg: install
 	mkdir -p $(DESTDIR)/DEBIAN
+	mkdir -p $(DESTDIR)/etc/vpnc/post-connect.d/
+
+	cp build-aux/scripts/split.sh $(DESTDIR)/etc/vpnc/post-connect.d/split.sh
+	chmod 755 $(DESTDIR)/etc/vpnc/post-connect.d/split.sh
+
 	cp build-aux/debian/control $(DESTDIR)/DEBIAN/
+
 	echo "Version: $(RELEASE_VERSION)" >> $(DESTDIR)/DEBIAN/control
 	cp build-aux/debian/postinst $(DESTDIR)/DEBIAN/
 	chmod 775 $(DESTDIR)/DEBIAN/postinst

README.md

@@ -1 +1,40 @@
-# gohip
+gohip
+=====
+
+The HIP ( `Host Integrity Protection`) mechanism is a security scanner for the Palo Alto Networks GlobalProtect VPNs, in the same vein as Cisco's CSD and Juniper's Host Checker ([source](https://www.infradead.org/openconnect/hip.html)).
+
+# Installation
+
+Download and install `gohip` from the [releases page](https://github.com/bechampion/gohip/releases).
+
+The packaged version will drop a file in `/etc/vpnc/post-connect.d/split.sh`. If you opted to install the binary manually, you can create this file manually should you want to use the _splitvpn_ feature.
+
+# Usage
+
+Create file `/etc/vpnc/splitvpn` with the following content:
+
+    MAIN_DEV="enp0s31f6" # Your main network interface
+    GW="192.168.1.254"   # Your gateway
+
+You can determine those values with
+
+    ip -json r get 1.1.1.1 | jq '.[]| "MAIN_DEV=\"\(.dev)\" \nGW=\"\(.gateway)\""' -r
+
+Then start the vpn client with
+
+    sudo -E gpclient connect --hip --csd-wrapper /usr/bin/gohip vpn.endpoint.com
+
+# Using your default browser (so creds are remembered , hsm etc)
+
+You can pass `--default-browser` to `gpclient` if your in version `2.3.2` at least,  and that should open on what `xdg-config` says
+
+    sudo -E gpclient connect --hip --csd-wrapper /path/to/gohip vpn.endpoint.com --default-browser
+
+
+To set your default browser you can do
+
+    xdg-settings set default-web-browser firefox.desktop
+
+
+## Notes
+If you use firefox/chrome from snaps this will not work,  gpclient drops a file on `/tmp` that needs to be reachable by the browser and that doesn't work with snaps

build-aux/arch/gohip-bin/PKGBUILD

@@ -7,15 +7,15 @@ arch=('x86_64')
 url="https://github.com/bechampion/$_deb_pkgname"
 license=('GPLv3')
 groups=()
-depends=('iproute2')
+depends=('iproute2' 'clamav')
 makedepends=()
 checkdepends=()
 optdepends=()
 provides=()
 replaces=()
 backup=()
 options=()
-source=("$url/releases/download/$pkgver/$_deb_pkgname-$pkgver-$arch.deb")
+source=("$url/releases/download/v$pkgver/$_deb_pkgname-$pkgver-$arch.deb")
 noextract=()
 
 build() {
@@ -25,4 +25,5 @@ build() {
 
 package() {
 	cp -fr usr/ ${pkgdir}
+	cp -fr etc/ ${pkgdir}
 }

build-aux/debian/control

@@ -2,6 +2,6 @@ Package: gohip
 Section: network
 Priority: optional
 Architecture: amd64
-Depends: iproute2
+Depends: iproute2,clamav-daemon,clamav-freshclam
 Maintainer: romain_gallet_at_gmail_com
 Description: gohip global protect vpn HIP script

build-aux/scripts/split.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# THIS SCRIPT IS PART OF gohip. DO NOT MODIFY IT UNLESS YOU KNOW WHAT YOU ARE DOING.
+
+set -e
+
+CONFIG_FILE=/etc/vpnc/splitvpn
+
+if [[ ! -f $CONFIG_FILE ]]; then
+    echo "$CONFIG_FILE does not exist. Split tunneling will not be active. Please create it with the following content if you want to activate:"
+cat << EOF
+
+# beginning
+MAIN_DEV="enp0s31f6" # Your main network interface
+GW="192.168.1.254"   # Your gateway
+# end
+
+You can determine those values with
+  ip -json r get 1.1.1.1 | jq '.[]| "MAIN_DEV=\"\(.dev)\" \nGW=\"\(.gateway)\""' -r
+
+EOF
+    exit 0
+fi
+
+VPN_NET="10/8"
+VPN_DEV="tun0"
+
+. $CONFIG_FILE
+
+ip route del default
+ip route add default via $GW dev $MAIN_DEV
+ip route add $VPN_NET dev $VPN_DEV
+
+exit 0

checks.go

@@ -0,0 +1,12 @@
+package main
+
+import (
+	"errors"
+	systemd "github.com/bechampion/gohip/systemd"
+)
+
+func RunPreflightChecks() error {
+	clamavError := systemd.DefaultDbAgeCheck()
+
+	return errors.Join(clamavError)
+}

go.mod

@@ -2,29 +2,15 @@ module github.com/bechampion/gohip
 
 go 1.22.3
 
-require (
-	gohip/osdata v0.0.0-00010101000000-000000000000
-	gohip/others v0.0.0-00010101000000-000000000000
-	gohip/systemd v0.0.0-00010101000000-000000000000
-	gohip/types v0.0.0-00010101000000-000000000000
-)
+require github.com/shirou/gopsutil/v3 v3.24.5
 
 require (
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
-	github.com/shirou/gopsutil/v3 v3.24.4 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
 )
-
-replace gohip/types => ./types
-
-replace gohip/osdata => ./osdata
-
-replace gohip/others => ./others
-
-replace gohip/systemd => ./systemd

go.sum

@@ -1,10 +1,8 @@
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4=
@@ -13,19 +11,12 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/shirou/gopsutil/v3 v3.24.4 h1:dEHgzZXt4LMNm+oYELpzl9YCqV65Yr/6SfrvgRBtXeU=
-github.com/shirou/gopsutil/v3 v3.24.4/go.mod h1:lTd2mdiOspcqLgAnr9/nGi71NkeMpWKdmhuxm9GusH8=
+github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=
+github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
 github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU=
@@ -38,10 +29,8 @@ golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

main.go

@@ -4,10 +4,10 @@ import (
 	"encoding/xml"
 	"flag"
 	"fmt"
-	osdata "gohip/osdata"
-	others "gohip/others"
-	systemd "gohip/systemd"
-	ctypes "gohip/types"
+	osdata "github.com/bechampion/gohip/osdata"
+	others "github.com/bechampion/gohip/others"
+	systemd "github.com/bechampion/gohip/systemd"
+	ctypes "github.com/bechampion/gohip/types"
 	"log"
 	"net/url"
 	"os"
@@ -17,6 +17,11 @@ import (
 
 func logCommandAndArgs() {
 	command := os.Args[0]
+
+	if err := RunPreflightChecks(); err != nil {
+		log.Fatalf("%v", err)
+	}
+
 	args := strings.Join(os.Args[1:], " ")
 	file, err := os.OpenFile("command.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
 	if err != nil {

osdata/main.go

@@ -3,8 +3,8 @@ package osdata
 import (
 	"encoding/json"
 	"fmt"
+	ctypes "github.com/bechampion/gohip/types"
 	"github.com/shirou/gopsutil/v3/host"
-	ctypes "gohip/types"
 	"os"
 	"os/exec"
 )