From 140506df7dea064998045aada1dde4da6e773612 Mon Sep 17 00:00:00 2001
From: Felix Bartels
Date: Mon, 18 Mar 2019 15:22:32 +0100
Subject: [PATCH] Add support for meet guest mode and make meet configurable through env (#105)
* get settings for meet from env
* prepare ssl container for device registration for konnect/kwmserver
* move device registry modification to konnect container
* enable WebApp in the app switcher
* upstream docker container has been updated to alpine 3.9
* update konnect
* add further config for guest mode
* replace the check for the file with a check for konnect startup
* fix kwmserver wrapper
* add possibility to change logging in kwmserver
---
 docker-compose.yml | 13 ++++++++++
 konnect/Dockerfile | 11 +++++---
 konnect/wrapper.sh | 23 +++++++++++++++--
 kwmserver/Dockerfile | 9 +++++++
 kwmserver/wrapper.sh | 60 ++++++++++++++++++++++++++++++++++++++++++-
 meet/start-service.sh | 14 ++++++++--
 ssl/start.sh | 21 +++++++++++++++
 7 files changed, 142 insertions(+), 9 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index be7d264..9d390ed 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -427,8 +427,11 @@ services:
 volumes:
 - kopanossl/:/kopano/ssl
 - kopanosocket/:/run/kopano
+ depends_on:
+ - kopano_ssl
 environment:
 - FQDN=${FQDN}
+ - allow_client_guests=yes
 env_file:
 - kopano_konnect.env
 networks:
@@ -438,6 +441,9 @@ services:
 kopano_playground:
 image: ${docker_repo:-zokradonh}/kopano_playground
 container_name: kopano_playground
+ depends_on:
+ - kopano_kapi
+ - kopano_konnect
 networks:
 - kopano-net
 - web-net
@@ -446,9 +452,14 @@ services:
 image: ${docker_repo:-zokradonh}/kopano_kwmserver:${KWM_VERSION:-latest}
 container_name: kopano_kwmserver
 command: wrapper.sh
+ depends_on:
+ - kopano_kapi
+ - kopano_konnect
 environment:
 - INSECURE=${INSECURE}
 - oidc_issuer_identifier=https://${FQDN}
+ - enable_guest_api=yes
+ - public_guest_access_regexp=^group/public/.*
 env_file:
 - kopano_kwmserver.env
 volumes:
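Review bot: The kwmserver hunk hard-codes `enable_guest_api=yes` and `public_guest_access_regexp=^group/public/.*`, and the konnect hunk above it hard-codes `allow_client_guests=yes`, so anonymous guest access is switched on for every deployment with no way to turn it off from the environment, unlike the neighbouring `INSECURE=${INSECURE}`. The wrapper scripts in this commit only append the corresponding flags when the variable is set, so the compose file is the only place forcing the default. Sourcing them like the other settings, e.g. `- enable_guest_api=${ENABLE_GUEST_API:-no}` and `- public_guest_access_regexp=${PUBLIC_GUEST_ACCESS_REGEXP}` (variable names illustrative), keeps guest mode opt-in; the same applies to `KCCONF_MEET_guests_enabled=true` in the meet hunk on the next line.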
@@ -462,6 +473,8 @@ services: environment: - SERVICE_TO_START=meet - KCCONF_KWEBD_TLS=no + - KCCONF_MEET_guests_enabled=true + - KCCONF_MEET_disableFullGAB=false env_file: - kopano_meet.env depends_on: diff --git a/konnect/Dockerfile b/konnect/Dockerfile index 8230d00..217254b 100644 --- a/konnect/Dockerfile +++ b/konnect/Dockerfile @@ -1,16 +1,19 @@ -ARG CODE_VERSION=0.19.1 +ARG CODE_VERSION=0.20.0 FROM kopano/konnectd:${CODE_VERSION} ARG CODE_VERSION ENV CODE_VERSION="${CODE_VERSION}" RUN apk add --no-cache \ - openssl + jq \ + moreutils \ + openssl \ + py-pip \ + && pip install yq==2.7.2 ENV DOCKERIZE_VERSION v0.6.1 RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ && tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ && rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz -RUN mkdir -p /etc/kopano/ -COPY konnectd-identifier-registration.yaml konnectd-identifier-scopes.yaml /etc/kopano/ +COPY --chown=nobody:nogroup konnectd-identifier-registration.yaml konnectd-identifier-scopes.yaml /etc/kopano/ COPY wrapper.sh /usr/local/bin diff --git a/konnect/wrapper.sh b/konnect/wrapper.sh index 0e0e95e..7db3348 100755 --- a/konnect/wrapper.sh +++ b/konnect/wrapper.sh 
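Review bot: The new `apk add` list in konnect/Dockerfile installs `jq`, `moreutils` and `py-pip` unpinned while the `pip install yq==2.7.2` directly below it is pinned, so the image contents still drift between rebuilds (hadolint DL3018); pinning the apk packages, e.g. `jq=<version placeholder>`, makes the build reproducible. `py-pip` also pulls a full Python toolchain into the runtime image only to provide `yq`, and `pip install` without `--no-cache-dir` leaves the pip cache in the layer; add `--no-cache-dir`, or install `yq` in a separate build stage and copy the result in, if the base image makes that practical.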
@@ -2,6 +2,25 @@ set -e +dockerize \ + -wait file:///kopano/ssl/meet-kwmserver.pem \ + -timeout 360s +cd /kopano/ssl/ + +konnectd utils jwk-from-pem --use sig /kopano/ssl/meet-kwmserver.pem > /tmp/jwk-meet.json +CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml +yq -y ".clients |= [{\"id\": \"kpop-https://$FQDN/meet/\", \"name\": \"Kopano Meet\", \"application_type\": \"web\", \"trusted\": true, \"redirect_uris\": [\"https://$FQDN/meet/\"], \"trusted_scopes\": [\"konnect/guestok\", \"kopano/kwm\"], \"jwks\": {\"keys\": [{\"kty\": $(jq .kty /tmp/jwk-meet.json), \"use\": $(jq .use /tmp/jwk-meet.json), \"crv\": $(jq .crv /tmp/jwk-meet.json), \"d\": $(jq .d /tmp/jwk-meet.json), \"kid\": $(jq .kid /tmp/jwk-meet.json), \"x\": $(jq .x /tmp/jwk-meet.json), \"y\": $(jq .y /tmp/jwk-meet.json)}]},\"request_object_signing_alg\": \"ES256\"}]" $CONFIG_JSON | sponge /kopano/ssl/konnectd-identifier-registration.yaml + +# shellcheck disable=SC2154 +if [ -n "$log_level" ]; then + set -- "$@" --log-level="$log_level" +fi + +# shellcheck disable=SC2154 +if [ "$allow_client_guests" = "yes" ]; then + set -- "$@" "--allow-client-guests" +fi + dockerize \ -wait file:///kopano/ssl/konnectd-tokens-signing-key.pem \ -wait file:///kopano/ssl/konnectd-encryption.key \ @@ -10,6 +29,6 @@ dockerize \ --signing-private-key=/kopano/ssl/konnectd-tokens-signing-key.pem \ --encryption-secret=/kopano/ssl/konnectd-encryption.key \ --iss=https://"$FQDN" \ - --identifier-registration-conf /etc/kopano/konnectd-identifier-registration.yaml \ + --identifier-registration-conf /kopano/ssl/konnectd-identifier-registration.yaml \ --identifier-scopes-conf /etc/kopano/konnectd-identifier-scopes.yaml \ - kc + "$@" kc diff --git a/kwmserver/Dockerfile b/kwmserver/Dockerfile index 549a8e7..899f9eb 100644 --- a/kwmserver/Dockerfile +++ b/kwmserver/Dockerfile 
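Review bot: The `yq -y "…" $CONFIG_JSON | sponge /kopano/ssl/konnectd-identifier-registration.yaml` line runs under `set -e` without `pipefail`, so when `yq` (or one of the nested `jq` substitutions) fails, `sponge` still writes whatever it received, typically nothing, over the registration file that both konnectd (second hunk) and kwmserver now read, and the script carries on to start konnectd with an empty registration. Writing to a temporary file first keeps the failure visible: `yq -y "…" "$CONFIG_JSON" > /tmp/registration.yaml && cat /tmp/registration.yaml > /kopano/ssl/konnectd-identifier-registration.yaml` (`cat >` rather than `mv`, since the target is pre-created for uid 65534 in ssl/start.sh, presumably because the directory itself is not writable by nobody). The generated client entry embeds the private component `d` of the Meet key and `/tmp/jwk-meet.json` keeps a second copy of it for the container's lifetime, so add `rm /tmp/jwk-meet.json` once the registration is written. The `cd /kopano/ssl/` is unused because every path that follows is absolute.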
@@ -3,4 +3,13 @@ FROM kopano/kwmserverd:${CODE_VERSION} ARG CODE_VERSION ENV CODE_VERSION="${CODE_VERSION}" +USER root + +ENV DOCKERIZE_VERSION v0.6.1 +RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ + && tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ + && rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz + COPY wrapper.sh /usr/local/bin + +USER nobody diff --git a/kwmserver/wrapper.sh b/kwmserver/wrapper.sh index 4573442..0cf9e84 100755 --- a/kwmserver/wrapper.sh +++ b/kwmserver/wrapper.sh 
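Review bot: The added `RUN wget …/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz` installs a binary that kwmserver/wrapper.sh then `exec`s as the container's entry wrapper without any integrity check, so a tampered or substituted release would be installed silently; the same unverified fetch already exists in konnect/Dockerfile. Verify the archive between the `wget` and the `tar`, e.g. `&& echo "<sha256 placeholder>  dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz" | sha256sum -c -`, or use `ADD --checksum=sha256:<placeholder>` when building with BuildKit. The new `ENV DOCKERIZE_VERSION v0.6.1` uses the legacy space-separated form; `ENV DOCKERIZE_VERSION=v0.6.1` is the supported syntax.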
@@ -2,14 +2,72 @@ set -e +# shellcheck disable=SC2154 +if [ -n "$log_level" ]; then + set -- "$@" --log-level="$log_level" +fi + # shellcheck disable=SC2154 if [ -n "$oidc_issuer_identifier" ]; then set -- "$@" --iss="$oidc_issuer_identifier" fi +# shellcheck disable=SC2154 +if [ "$enable_guest_api" = "yes" ]; then + set -- "$@" --enable-guest-api +fi + if [ "$INSECURE" = "yes" ]; then set -- "$@" --insecure fi -exec /usr/local/bin/docker-entrypoint.sh serve "$@" +# kwmserver turn +# shellcheck disable=SC2154 +if [ -z "$turn_service_url" ]; then + turn_service_url=https://turnauth.kopano.com/turnserverauth/ +fi + +if [ -n "$turn_service_url" ]; then + set -- "$@" --turn-service-url="$turn_service_url" +fi + +# shellcheck disable=SC2154 +if [ -n "$turn_service_credentials" ]; then + set -- "$@" --turn-service-credentials="$$turn_service_credentials" + fi + +# shellcheck disable=SC2154 +if [ -n "$turn_server_shared_secret" ]; then + set -- "$@" --turn-server-shared-secret="$turn_server_shared_secret" +fi + +# shellcheck disable=SC2154 +if [ -n "$turn_uris" ]; then + for uri in $turn_uris; do + set -- "$@" --turn-uri="$uri" + done +fi + +# kwmserver guest +# shellcheck disable=SC2154 +if [ "$allow_guest_only_channels" = "yes" ]; then + set -- "$@" --allow-guest-only-channels +fi + +# shellcheck disable=SC2154 +if [ -n "$public_guest_access_regexp" ]; then + set -- "$@" --public-guest-access-regexp="$public_guest_access_regexp" +fi + +# shellcheck disable=SC2034 +export registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml + +# originally I wanted to wait for $registration_conf, but I needed to precreate the file +# so the konnect container (since the startup is running as nobody) can write to it. +exec dockerize \ + -wait http://kopano_konnect:8777/.well-known/openid-configuration \ + -timeout 360s \ + /usr/local/bin/docker-entrypoint.sh serve \ + --registration-conf /kopano/ssl/konnectd-identifier-registration.yaml \ + "$@" 
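Review bot: `--turn-service-credentials="$$turn_service_credentials"` expands `$$` to the shell's PID, so kwmserverd receives a value like `1234turn_service_credentials` instead of the configured credentials and TURN authentication against the service cannot succeed; the line should be `set -- "$@" --turn-service-credentials="$turn_service_credentials"`, and its closing ` fi` is indented one space unlike the surrounding blocks. `turn_service_url` is assigned the default `https://turnauth.kopano.com/turnserverauth/` when empty, so the following `-n` test is always true and the flag always points at a third-party service; if deployments must be able to opt out, the default needs a documented way to disable it. The credentials and shared secret are also placed on kwmserverd's command line, where any process in the container can read them through /proc; if kwmserverd accepts them from the environment or a file, that route is preferable (not verifiable from this diff). `export registration_conf=…` is assigned but never used (the path is repeated literally in the `exec dockerize` line), so either reference `"$registration_conf"` there or drop the export.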
diff --git a/meet/start-service.sh b/meet/start-service.sh index 8341d1a..00b61ba 100755 --- a/meet/start-service.sh +++ b/meet/start-service.sh @@ -18,7 +18,18 @@ if [ $# -gt 0 ]; then exit fi -# TODO use jq to modify /usr/share/kopano-kweb/www/config/kopano/meet.json +CONFIG_JSON="/usr/share/kopano-kweb/www/config/kopano/meet.json" +echo "Updating $CONFIG_JSON" +for setting in $(compgen -A variable KCCONF_MEET); do + setting2=${setting#KCCONF_MEET_} + # dots in setting2 need to be escaped to not be handled as separate entities in the json file + jq ".\"${setting2//_/\".\"}\" = \"${!setting}\"" $CONFIG_JSON | sponge $CONFIG_JSON +done + +# enable Kopano WebApp in the app switcher +jq '.apps += {"enabled": ["kopano-webapp"]}' $CONFIG_JSON | sponge $CONFIG_JSON + +#cat $CONFIG_JSON sed -i s/\ *=\ */=/g /etc/kopano/kwebd.cfg # shellcheck disable=SC2046 @@ -26,4 +37,3 @@ export $(grep -v '^#' /etc/kopano/kwebd.cfg | xargs -d '\n') # cleaning up env variables unset "${!KCCONF_@}" exec kopano-kwebd serve - diff --git a/ssl/start.sh b/ssl/start.sh index 93f7056..a5fc6e6 100755 --- a/ssl/start.sh +++ b/ssl/start.sh @@ -53,6 +53,27 @@ if [ ! -f $secretkey ]; then mv $secretkey.tmp $secretkey fi +# Meet guest mode +ecparam="/kopano/ssl/ecparam.pem" +if [ ! -f $ecparam ]; then + echo "Creating ec param key for Meet..." + openssl ecparam -name prime256v1 -genkey -noout -out $ecparam.tmp >/dev/null 2>&1 + mv $ecparam.tmp $ecparam +fi + +# create registration.yml so that konnect can write to it +touch /kopano/ssl/konnectd-identifier-registration.yaml +# chown to the numerical representation of nobody/nogroup +chown 65534:65534 /kopano/ssl/konnectd-identifier-registration.yaml + +eckey="/kopano/ssl/meet-kwmserver.pem" +if [ ! -f $eckey ]; then + echo "Creating ec key for Meet..." + openssl ec -in $ecparam -out $eckey.tmp >/dev/null 2>&1 + chown 65534:65534 $eckey.tmp + mv $eckey.tmp $eckey +fi + echo "SSL certs:" ls -l /kopano/ssl/*.*
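Review bot: The `jq ".\"${setting2//_/\".\"}\" = \"${!setting}\""` line in meet/start-service.sh splices the raw environment value into the jq program, so a value containing a double quote or backslash breaks or alters the filter, and every value is written as a JSON string: the `KCCONF_MEET_disableFullGAB=false` added to docker-compose.yml lands in meet.json as `"false"`, which is truthy if Meet evaluates it as a JavaScript boolean (not verifiable from this diff). Passing the value as a jq argument avoids both problems: `jq --arg v "${!setting}" ".\"${setting2//_/\".\"}\" = (\$v | try fromjson catch \$v)" "$CONFIG_JSON" | sponge "$CONFIG_JSON"`, which keeps `true`/`false` and numbers typed and leaves anything else as a string. As in konnect/wrapper.sh, the `| sponge $CONFIG_JSON` pipeline masks a failing `jq` and would then replace meet.json with an empty file; writing to a temporary file and checking the exit status first is safer. `compgen -A variable` and `${!setting}` require bash, which the shebang outside the hunk should guarantee.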
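Review bot: In ssl/start.sh, `openssl ecparam -name prime256v1 -genkey -noout -out $ecparam.tmp` already emits the EC private key (`-noout` only suppresses the parameter block), and `openssl ec -in $ecparam -out $eckey.tmp` merely re-encodes it, so the same private key now exists twice on the shared volume: `meet-kwmserver.pem`, which is chowned to 65534, and `ecparam.pem`, which keeps whatever ownership and mode the (presumably root-run) openssl gave it under the default umask and is never removed. Generate the key once, directly into `$eckey.tmp`, drop the `ecparam` block, and restrict the mode in the same step: `openssl ecparam -name prime256v1 -genkey -noout -out $eckey.tmp && chmod 600 $eckey.tmp && chown 65534:65534 $eckey.tmp` (both konnect and kwmserver run as nobody per this commit, so 0600 owned by 65534 serves both readers). The `>/dev/null 2>&1` on the openssl calls also discards the only explanation of a failed key generation; leaving stderr attached costs nothing here.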