From 52d6b18322e280904a8d11a123e15fdbe522b707 Mon Sep 17 00:00:00 2001
From: Felix Bartels <1257835+fbartels@users.noreply.github.com>
Date: Mon, 11 Nov 2019 10:54:54 +0100
Subject: [PATCH] Further tweaks for univention app (#264)

* add option to change base path
* fix env name
* add kweb configuration for using konnect in a subpath
* make webapp display configurable
* more explicit startup messages
* add ability to use an external oidc provider
* install the grapi ldap backend in the image when building with a recent enough kopano version
* add the ability to run test in the konnect container
* the startup script gets more and more complicated, there should be a way to test it
* test some values and add test helper
* do not simply cat the registration, but call with yq
* update kweb and konnect
---
 Makefile | 1 +
 core/Dockerfile | 5 ++++
 examples/meet/docker-compose.yml | 1 +
 konnect/Dockerfile | 2 +-
 konnect/commander.yaml | 43 ++++++++++++++++++++++++++++++++
 konnect/test-helper.sh | 11 ++++++++
 konnect/wrapper.sh | 39 ++++++++++++++++++++++++++---
 meet/start-service.sh | 10 ++++++--
 web/Dockerfile | 2 +-
 web/kweb.cfg | 8 ++++++
 10 files changed, 114 insertions(+), 8 deletions(-)
 create mode 100644 konnect/commander.yaml
 create mode 100755 konnect/test-helper.sh

diff --git a/Makefile b/Makefile
index ff6826b..44cf422 100644
--- a/Makefile
+++ b/Makefile
@@ -412,6 +412,7 @@ test-commander: ## Test scripts with commander
 	COMMANDER_OPTS="--concurrent 1" COMMANDER_FILES_PATH=core/commander/grapi dccommander run kopano_grapi
 	COMMANDER_OPTS="--concurrent 1" COMMANDER_FILES_PATH=webapp dccommander run kopano_webapp
 	COMMANDER_OPTS="--concurrent 1" COMMANDER_FILES_PATH=zpush dccommander run kopano_zpush
+	COMMANDER_OPTS="--concurrent 1 --verbose" COMMANDER_FILES_PATH=konnect dccommander run kopano_konnect
 	COMMANDER_OPTS="--concurrent 1" COMMANDER_FILES_PATH=scheduler dccommander run kopano_scheduler
 	# this test will fail if you are not on a whitelisted ip
 	commander test tests/commander-supported.yaml || true
diff --git a/core/Dockerfile b/core/Dockerfile
index 857b254..ce4afd4 100644
--- a/core/Dockerfile
+++ b/core/Dockerfile
@@ -54,6 +54,11 @@ RUN \
 	kopano-grapi kopano-kapid \
 	${ADDITIONAL_KOPANO_PACKAGES} \
 	&& \
+	coreversion=$(dpkg-query --showformat='${Version}' --show kopano-server) && \
+	if dpkg --compare-versions "$coreversion" "gt" "8.7.84"; then \
+	apt-get install --no-install-recommends -y \
+	python3-grapi.backend.ldap; \
+	fi; \
 	set +x && \
 	rm -rf /var/cache/apt /var/lib/apt/lists && \
 	touch /etc/kopano/admin.cfg && \
diff --git a/examples/meet/docker-compose.yml b/examples/meet/docker-compose.yml
index ac84bf2..09853da 100644
--- a/examples/meet/docker-compose.yml
+++ b/examples/meet/docker-compose.yml
@@ -154,6 +154,7 @@ services:
       - KCCONF_MEET_disableFullGAB=false
       - KCCONF_MEET_guests_enabled=true
       - KCCONF_MEET_useIdentifiedUser=true
+      - KCCONF_MEET_GRID_WEBAPP=no
     depends_on:
       - kopano_kapi
       - kopano_konnect
diff --git a/konnect/Dockerfile b/konnect/Dockerfile
index 6222ccf..0f1582a 100644
--- a/konnect/Dockerfile
+++ b/konnect/Dockerfile
@@ -1,4 +1,4 @@
-ARG CODE_VERSION=0.25.3
+ARG CODE_VERSION=0.26.0
 FROM kopano/konnectd:${CODE_VERSION}
 ARG VCS_REF
diff --git a/konnect/commander.yaml b/konnect/commander.yaml
new file mode 100644
index 0000000..198e911
--- /dev/null
+++ b/konnect/commander.yaml
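Review bot: The `fi; \` that closes the new version check splits the RUN's single `&&` chain into two lists, so a failure anywhere before it — the package installation above the hunk as well as the conditional `apt-get install` of python3-grapi.backend.ldap — no longer fails the build, because the second list (`set +x && rm -rf …`) runs regardless and decides the exit status (unless a `set -e` earlier in the RUN, outside this hunk, is in effect). Ending the block with `fi && \` restores the behaviour the chain had before the change. The `8.7.84` cut-off would also benefit from a one-line comment stating why that version is the boundary. The RUN instruction begins and ends outside the hunk.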
@@ -0,0 +1,43 @@
+tests:
+  normal startup:
+    command: /commander/test-helper.sh && wrapper.sh
+    exit-code: 0
+    stdout:
+      contains:
+        - "Entrypoint: Allowing guest login"
+        - "--allow-client-guests"
+        - "Entrypoint: Allowing dynamic client registration"
+        - "--allow-dynamic-client-registration"
+  guests disabled:
+    command: /commander/test-helper.sh && wrapper.sh && yq . $identifier_registration_conf
+    stdout:
+      not-contains:
+        - "--allow-client-guests"
+        - "kpop-https://$FQDN/meet/"
+    config:
+      env:
+        allow_client_guests: no
+  external oidc provider:
+    command: /commander/test-helper.sh && wrapper.sh && yq . $identifier_registration_conf
+    stdout:
+      contains:
+        - '"authorities": ['
+    config:
+      env:
+        external_oidc_provider: yes
+config:
+  env:
+    PATH: ${PATH}
+    eckey: ${eckey}
+    allow_client_guests: ${allow_client_guests}
+    ecparam: ${ecparam}
+    signing_private_key: ${signing_private_key}
+    KONNECT_BACKEND: ${KONNECT_BACKEND}
+    FQDN: ${FQDN}
+    identifier_registration_conf: ${identifier_registration_conf}
+    encryption_secret_key: ${encryption_secret_key}
+    identifier_scopes_conf: ${identifier_scopes_conf}
+    allow_dynamic_client_registration: ${allow_dynamic_client_registration}
+    DEBUG: ${DEBUG}
+    LANG: ${LANG}
+
diff --git a/konnect/test-helper.sh b/konnect/test-helper.sh
new file mode 100755
index 0000000..38ad682
--- /dev/null
+++ b/konnect/test-helper.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# add a dummy for the konnectd binary
+cat << 'EOF' > /commander/konnectd
+#!/bin/sh
+echo konnectd $@
+EOF
+
+chmod +x /commander/konnectd
+
+exit 0
diff --git a/konnect/wrapper.sh b/konnect/wrapper.sh
index 937bcb6..a74dd62 100755
--- a/konnect/wrapper.sh
+++ b/konnect/wrapper.sh
@@ -3,6 +3,12 @@ set -eu
 [ "$DEBUG" ] && set -x
+# allow helper commands given by "docker-compose run"
+if [ $# -gt 0 ]; then
+	exec "$@"
+	exit
+fi
+
 dockerize \
 	-wait file://"${ecparam:?}" \
 	-wait file://"${eckey:?}" \
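Review bot: The `external oidc provider` test sets only `external_oidc_provider: yes`, so wrapper.sh writes the authorities entry with empty `name`, `iss` and `client_secret`, and the `contains: '"authorities": ['` check passes on a configuration that names no issuer; setting `external_oidc_name`, `external_oidc_url` and `external_oidc_clientsecret` in that test's `config.env` and asserting on the resulting `iss` value would make the test meaningful. The bare `yes`/`no` values are YAML 1.1 booleans; if commander serializes them as `true`/`false` before exporting them, the wrapper's `= "yes"` comparisons never match, so quoting them as `'yes'`/`'no'` is the safer form. The `guests disabled` and `external oidc provider` tests also lack the `exit-code: 0` expectation that `normal startup` has.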
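Review bot: The dummy `konnectd` echoes its arguments with an unquoted `$@` (`echo konnectd $@`), so arguments containing spaces or glob characters are re-split and expanded before they reach the test's stdout assertions; `echo konnectd "$@"` reproduces them as passed. The heredoc delimiter is quoted, so `$@` is correctly left for the generated script rather than expanded by the helper itself. The trailing `exit 0` hides a failed `chmod`, which would then surface only as an obscure failure in the `&& wrapper.sh` that follows; dropping it lets the helper's status reflect its last command.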
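Review bot: The `exit` after `exec "$@"` is unreachable: `exec` replaces the shell on success, and when the command cannot be executed a non-interactive POSIX shell exits on its own, so the block reduces to `if [ $# -gt 0 ]; then exec "$@"; fi`. With this change any argument given to the container skips the whole startup sequence, including the `dockerize -wait` checks that follow, which is worth stating in the comment, e.g. `# any argument bypasses konnectd startup entirely and is executed as-is`. The script's head (`set -eu`) lies outside the hunk.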
@@ -21,12 +27,19 @@ fi
 if [ "${allow_client_guests:-}" = "yes" ]; then
 	echo "Patching identifier registration for use of the Meet guest mode"
-	konnectd utils jwk-from-pem --use sig "$eckey" > /tmp/jwk-meet.json
+	/usr/local/bin/konnectd utils jwk-from-pem --use sig "$eckey" > /tmp/jwk-meet.json
 	CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
 	#yq -y ".clients += [{\"id\": \"grapi-explorer.js\", \"name\": \"Grapi Explorer\", \"application_type\": \"web\", \"trusted\": true, \"insecure\": true, \"redirect_uris\": [\"http://$FQDNCLEANED:3000/\"]}]" $CONFIG_JSON | sponge $CONFIG_JSON
 	yq -y ".clients += [{\"id\": \"kpop-https://$FQDN/meet/\", \"name\": \"Kopano Meet\", \"application_type\": \"web\", \"trusted\": true, \"redirect_uris\": [\"https://$FQDN/meet/\"], \"trusted_scopes\": [\"konnect/guestok\", \"kopano/kwm\"], \"jwks\": {\"keys\": [{\"kty\": $(jq .kty /tmp/jwk-meet.json), \"use\": $(jq .use /tmp/jwk-meet.json), \"crv\": $(jq .crv /tmp/jwk-meet.json), \"d\": $(jq .d /tmp/jwk-meet.json), \"kid\": $(jq .kid /tmp/jwk-meet.json), \"x\": $(jq .x /tmp/jwk-meet.json), \"y\": $(jq .y /tmp/jwk-meet.json)}]},\"request_object_signing_alg\": \"ES256\"}]" $CONFIG_JSON | sponge $CONFIG_JSON
-	# TODO this last bit can likely go
-	yq -y . $CONFIG_JSON | sponge /kopano/ssl/konnectd-identifier-registration.yaml
+	# TODO this last bit can likely go (but then we must default to a registry stored below /etc/kopano)
+	yq -y . $CONFIG_JSON | sponge "${identifier_scopes_conf:?}"
+fi
+
+if [ "${external_oidc_provider:-}" = "yes" ]; then
+	echo "Patching identifier registration for external OIDC provider"
+	CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
+	echo "authorities: [{name: ${external_oidc_name:-}, default: yes, iss: ${external_oidc_url:-}, client_id: kopano-meet, client_secret: ${external_oidc_clientsecret:-}, authority_type: oidc, response_type: id_token, scopes: [openid, profile, email]}]" >> $CONFIG_JSON
+	yq -y . $CONFIG_JSON | sponge "${identifier_scopes_conf:?}"
 fi
 # source additional configuration from Konnect cfg (potentially overwrites env vars)
@@ -36,14 +49,16 @@ if [ -e /etc/kopano/konnectd.cfg ]; then
 fi
 oidc_issuer_identifier=${oidc_issuer_identifier:-https://$FQDN}
-set -- "$@" --iss="$oidc_issuer_identifier"
 echo "Entrypoint: Issuer url (--iss): $oidc_issuer_identifier"
+set -- "$@" --iss="$oidc_issuer_identifier"
 if [ -n "${log_level:-}" ]; then
+	echo "Entrypoint: Setting logging to $log_level"
 	set -- "$@" --log-level="$log_level"
 fi
 if [ "${allow_client_guests:-}" = "yes" ]; then
+	echo "Entrypoint: Allowing guest login"
 	set -- "$@" "--allow-client-guests"
 fi
@@ -52,6 +67,22 @@ if [ "${allow_dynamic_client_registration:-}" = "yes" ]; then
 	set -- "$@" "--allow-dynamic-client-registration"
 fi
+if [ -n "${uri_base_path:-}" ]; then
+	echo "Entrypoint: Setting base-path to $uri_base_path"
+	set -- "$@" --uri-base-path="$uri_base_path"
+fi
+
+if [ "${insecure:-}" = "yes" ]; then
+	echo "Entrypoint: running Konnect in insecure mode"
+	set -- "$@" "--insecure"
+fi
+
+# read password from file (UCS requirement)
+if [ -n "${LDAP_BINDPW_FILE:-}" ]; then
+	bindpw="$(cat "${LDAP_BINDPW_FILE}")"
+	export LDAP_BINDPW="${bindpw}"
+fi
+
 dockerize \
 	-wait file://"${signing_private_key:?}" \
 	-wait file://"${encryption_secret_key:?}" \
diff --git a/meet/start-service.sh b/meet/start-service.sh
index 216a3a8..e5fa0a4 100755
--- a/meet/start-service.sh
+++ b/meet/start-service.sh
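Review bot: The `echo "authorities: [{name: ${external_oidc_name:-}, … client_secret: ${external_oidc_clientsecret:-}, …}]" >> $CONFIG_JSON` line splices three environment values verbatim into YAML flow syntax, so a name, URL or secret containing `,`, `:`, `}`, `#` or a leading quote breaks the document or shifts the value into a neighbouring key, and because it appends, every container start adds another top-level `authorities:` key to the file. Building the entry with `yq -y --arg …` escapes the values, and `.authorities = […]` replaces instead of appending, matching how the guest block above patches `.clients`. Separately, both blocks write the registration YAML into `${identifier_scopes_conf:?}` while konnect/commander.yaml reads it back from `$identifier_registration_conf`; if the two variables name different files, as their names suggest, the scopes configuration is being overwritten with client registrations — worth confirming against the image's konnectd.cfg. The `if` that starts this hunk belongs to a function-free script whose head is outside the hunk.
```shell
if [ "${external_oidc_provider:-}" = "yes" ]; then
	echo "Patching identifier registration for external OIDC provider"
	CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
	# pass the values as jq arguments so they are escaped, and assign
	# (not append) so a restart does not leave a second authorities key
	yq -y --arg name "${external_oidc_name:-}" \
		--arg iss "${external_oidc_url:-}" \
		--arg secret "${external_oidc_clientsecret:-}" \
		'.authorities = [{name: $name, default: true, iss: $iss, client_id: "kopano-meet", client_secret: $secret, authority_type: "oidc", response_type: "id_token", scopes: ["openid", "profile", "email"]}]' \
		"$CONFIG_JSON" | sponge "$CONFIG_JSON"
	# … unchanged: yq round-trip into identifier_scopes_conf, fi …
```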
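Review bot: The LDAP bind password read from `LDAP_BINDPW_FILE` is written to the container log when `DEBUG` is set, because `[ "$DEBUG" ] && set -x` near the top of the script (first hunk) is still active here: xtrace prints the `bindpw="$(cat …)"` assignment and the `export` line with the secret expanded. Turning xtrace off around the read keeps the value out of the trace; it remains visible to konnectd through the environment, which is the intent of this block. A failing `cat` (missing or unreadable file) aborts the script through `set -eu`, which is the right outcome, but a short comment saying so would spare the next reader the check.
```shell
# read password from file (UCS requirement)
if [ -n "${LDAP_BINDPW_FILE:-}" ]; then
	# keep the secret out of the xtrace output when DEBUG is set
	[ "$DEBUG" ] && set +x
	LDAP_BINDPW="$(cat "${LDAP_BINDPW_FILE}")"  # a missing file aborts via set -e
	export LDAP_BINDPW
	[ "$DEBUG" ] && set -x
fi
```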
@@ -34,8 +34,14 @@ for setting in $(compgen -A variable KCCONF_MEET); do
 	esac
 done
-# enable Kopano WebApp in the app switcher
-jq '.apps += {"enabled": ["kopano-webapp"]}' $CONFIG_JSON | sponge $CONFIG_JSON
+# enable Kopano Konnect in the app grid
+jq '.apps += {"enabled": ["kopano-konnect"]}' $CONFIG_JSON | sponge $CONFIG_JSON
+
+# enable Kopano WebApp in the app grid (enabled by default)
+# TODO how to only update the array?
+if [ "${GRID_WEBAPP:-yes}" = "yes" ]; then
+	jq '.apps += {"enabled": ["kopano-webapp", "kopano-konnect"]}' $CONFIG_JSON | sponge $CONFIG_JSON
+fi
 #cat $CONFIG_JSON
diff --git a/web/Dockerfile b/web/Dockerfile
index 43dd23f..7cbd16b 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -1,4 +1,4 @@
-ARG CODE_VERSION=0.8.2
+ARG CODE_VERSION=0.8.3
 FROM kopano/kwebd:${CODE_VERSION}
 ARG VCS_REF
diff --git a/web/kweb.cfg b/web/kweb.cfg
index 053a50e..393ddd5 100644
--- a/web/kweb.cfg
+++ b/web/kweb.cfg
@@ -61,6 +61,14 @@
 	}
 	redir /signin /signin/v1/identifier
+	# Konnect in subpath - this config supports /kopanoid as a subpath
+	rewrite /kopanoid/konnect/v1/ {
+		to /upstreams/konnect/{path}
+	}
+	rewrite /kopanoid/signin/v1/ {
+		to /upstreams/konnect/{path}
+	}
+
 	# Kapi
 	proxy /upstreams/kapi/ {
 		without /upstreams/kapi/
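Review bot: The two `jq '.apps += {"enabled": [...]}'` calls replace `.apps.enabled` rather than extend it, because `+` on objects overwrites the right-hand key, so any `enabled` list already present in the config is discarded and the first call is made redundant by the second whenever `GRID_WEBAPP` is `yes`. The TODO can be closed by appending to the array instead: `jq '.apps.enabled = ((.apps.enabled // []) + ["kopano-konnect"] | unique)'` for the first call and the same expression with `"kopano-webapp"` inside the `if`. `$CONFIG_JSON` is unquoted in all three invocations; the `for` loop whose `esac`/`done` open the hunk begins outside it.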
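Review bot: The `/kopanoid` prefix in the two new `rewrite` blocks is hard-coded, while the Konnect side is configured at runtime through `uri_base_path` in konnect/wrapper.sh, so the two can silently diverge; the comment should record the coupling, e.g. `# /kopanoid must equal the uri_base_path passed to konnectd (--uri-base-path)`. Both rules appear to forward to `/upstreams/konnect/{path}` with the `/kopanoid` prefix still part of `{path}`, which only works if konnectd was actually started with that base path — worth a sentence in the same comment. The surrounding server block starts and ends outside the hunk.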