flywithu/kopano-docker
1
0
Fork 0
mirror of https://github.com/zokradonh/kopano-docker synced 2025-06-07 16:06:14 +00:00
Code Issues Releases Wiki Activity

Improve Konnect wrapper script (#359)

Browse Source 
* only enter guest mode config if the value is not in the identifier registration already
This commit is contained in:
Felix Bartels 2020-03-16 15:09:24 -04:00 committed by GitHub
parent 646f5151f5
commit 4e9829f466
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 50 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
konnect/wrapper.sh
View File

@ -47,8 +47,10 @@ if [ -f "${encryption_secret_key}" ] && [ ! -s "${encryption_secret_key}" ]; the
fi fi
if [ "${allow_client_guests:-}" = "yes" ]; then if [ "${allow_client_guests:-}" = "yes" ]; then
# TODO this could be simplified so that ecparam and eckey are only required if there is no jwk-meet.json yet # only modify identifier registration if it does not already contain the right settings
if ! grep -q "konnect/guestok" "${identifier_registration_conf:?}"; then
# TODO this could be simplified so that ecparam and eckey are only required if there is no jwk-meet.json yet
ecparam=${ecparam:-/etc/kopano/ecparam.pem} ecparam=${ecparam:-/etc/kopano/ecparam.pem}
if ! true >> "$ecparam"; then if ! true >> "$ecparam"; then
# ecparam can not be created in this container, wait for external creation # ecparam can not be created in this container, wait for external creation
@ -83,14 +85,17 @@ if [ "${allow_client_guests:-}" = "yes" ]; then
#yq -y ".clients += [{\"id\": \"grapi-explorer.js\", \"name\": \"Grapi Explorer\", \"application_type\": \"web\", \"trusted\": true, \"insecure\": true, \"redirect_uris\": [\"http://$FQDNCLEANED:3000/\"]}]" $CONFIG_JSON | sponge $CONFIG_JSON #yq -y ".clients += [{\"id\": \"grapi-explorer.js\", \"name\": \"Grapi Explorer\", \"application_type\": \"web\", \"trusted\": true, \"insecure\": true, \"redirect_uris\": [\"http://$FQDNCLEANED:3000/\"]}]" $CONFIG_JSON | sponge $CONFIG_JSON
yq -y ".clients += [{\"id\": \"kpop-https://${FQDN%/*}/meet/\", \"name\": \"Kopano Meet\", \"application_type\": \"web\", \"trusted\": true, \"redirect_uris\": [\"https://${FQDN%/*}/meet/\"], \"trusted_scopes\": [\"konnect/guestok\", \"kopano/kwm\"], \"jwks\": {\"keys\": [{\"kty\": $(jq .kty /tmp/jwk-meet.json), \"use\": $(jq .use /tmp/jwk-meet.json), \"crv\": $(jq .crv /tmp/jwk-meet.json), \"d\": $(jq .d /tmp/jwk-meet.json), \"kid\": $(jq .kid /tmp/jwk-meet.json), \"x\": $(jq .x /tmp/jwk-meet.json), \"y\": $(jq .y /tmp/jwk-meet.json)}]},\"request_object_signing_alg\": \"ES256\"}]" $CONFIG_JSON | sponge $CONFIG_JSON yq -y ".clients += [{\"id\": \"kpop-https://${FQDN%/*}/meet/\", \"name\": \"Kopano Meet\", \"application_type\": \"web\", \"trusted\": true, \"redirect_uris\": [\"https://${FQDN%/*}/meet/\"], \"trusted_scopes\": [\"konnect/guestok\", \"kopano/kwm\"], \"jwks\": {\"keys\": [{\"kty\": $(jq .kty /tmp/jwk-meet.json), \"use\": $(jq .use /tmp/jwk-meet.json), \"crv\": $(jq .crv /tmp/jwk-meet.json), \"d\": $(jq .d /tmp/jwk-meet.json), \"kid\": $(jq .kid /tmp/jwk-meet.json), \"x\": $(jq .x /tmp/jwk-meet.json), \"y\": $(jq .y /tmp/jwk-meet.json)}]},\"request_object_signing_alg\": \"ES256\"}]" $CONFIG_JSON | sponge $CONFIG_JSON
# TODO this last bit can likely go (but then we must default to a registry stored below /etc/kopano) # TODO this last bit can likely go (but then we must default to a registry stored below /etc/kopano)
yq -y . $CONFIG_JSON | sponge "${identifier_registration_conf:?}" yq -y . $CONFIG_JSON | sponge "$identifier_registration_conf"
else
echo "Entrypoint: Skipping guest mode configuration, as it is already configured."
fi
fi fi
if [ "${external_oidc_provider:-}" = "yes" ]; then if [ "${external_oidc_provider:-}" = "yes" ]; then
echo "Patching identifier registration for external OIDC provider" echo "Patching identifier registration for external OIDC provider"
CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
echo "authorities: [{name: ${external_oidc_name:-}, default: yes, iss: ${external_oidc_url:-}, client_id: kopano-meet, client_secret: ${external_oidc_clientsecret:-}, authority_type: oidc, response_type: id_token, scopes: [openid, profile, email]}]" >> $CONFIG_JSON echo "authorities: [{name: ${external_oidc_name:-}, default: yes, iss: ${external_oidc_url:-}, client_id: kopano-meet, client_secret: ${external_oidc_clientsecret:-}, authority_type: oidc, response_type: id_token, scopes: [openid, profile, email]}]" >> $CONFIG_JSON
yq -y . $CONFIG_JSON | sponge "${identifier_registration_conf:?}" yq -y . $CONFIG_JSON | sponge "$identifier_registration_conf"
fi fi
# source additional configuration from Konnect cfg (potentially overwrites env vars) # source additional configuration from Konnect cfg (potentially overwrites env vars)