Further tweaks for univention app (#264)

* add option to change base path
* fix env name
* add kweb configuration for using konnect in a subpath
* make webapp display configurable
* more explicit startup messages
* add ability to use an external oidc provider
* install the grapi ldap backend in the image when building with a recent enough kopano version
* add the ability to run test in the konnect container
  * the startup script gets more and more complicated, there should be a way to test it
* test some values and add test helper
* do not simply cat the registration, but call with yq
* update kweb and konnect

Makefile

@@ -412,6 +412,7 @@ test-commander: ## Test scripts with commander
 	COMMANDER_OPTS="--concurrent 1" COMMANDER_FILES_PATH=core/commander/grapi dccommander run kopano_grapi
 	COMMANDER_OPTS="--concurrent 1" COMMANDER_FILES_PATH=webapp dccommander run kopano_webapp
 	COMMANDER_OPTS="--concurrent 1" COMMANDER_FILES_PATH=zpush dccommander run kopano_zpush
+	COMMANDER_OPTS="--concurrent 1 --verbose" COMMANDER_FILES_PATH=konnect dccommander run kopano_konnect
 	COMMANDER_OPTS="--concurrent 1" COMMANDER_FILES_PATH=scheduler dccommander run kopano_scheduler
 	# this test will fail if you are not on a whitelisted ip
 	commander test tests/commander-supported.yaml || true

core/Dockerfile

@@ -54,6 +54,11 @@ RUN \
         kopano-grapi kopano-kapid \
         ${ADDITIONAL_KOPANO_PACKAGES} \
         && \
+    coreversion=$(dpkg-query --showformat='${Version}' --show kopano-server) && \
+    if dpkg --compare-versions "$coreversion" "gt" "8.7.84"; then \
+        apt-get install --no-install-recommends -y \
+            python3-grapi.backend.ldap; \
+    fi; \
     set +x && \
     rm -rf /var/cache/apt /var/lib/apt/lists && \
     touch /etc/kopano/admin.cfg && \

examples/meet/docker-compose.yml

@@ -154,6 +154,7 @@ services:
       - KCCONF_MEET_disableFullGAB=false
       - KCCONF_MEET_guests_enabled=true
       - KCCONF_MEET_useIdentifiedUser=true
+      - KCCONF_MEET_GRID_WEBAPP=no
     depends_on:
       - kopano_kapi
       - kopano_konnect

konnect/Dockerfile

@@ -1,4 +1,4 @@
-ARG CODE_VERSION=0.25.3
+ARG CODE_VERSION=0.26.0
 FROM kopano/konnectd:${CODE_VERSION}
 
 ARG VCS_REF

konnect/commander.yaml

@@ -0,0 +1,43 @@
+tests:
+  normal startup:
+    command: /commander/test-helper.sh && wrapper.sh
+    exit-code: 0
+    stdout:
+      contains:
+        - "Entrypoint: Allowing guest login"
+        - "--allow-client-guests"
+        - "Entrypoint: Allowing dynamic client registration"
+        - "--allow-dynamic-client-registration"
+  guests disabled:
+    command: /commander/test-helper.sh && wrapper.sh && yq . $identifier_registration_conf
+    stdout:
+      not-contains:
+        - "--allow-client-guests"
+        - "kpop-https://$FQDN/meet/"
+    config:
+      env:
+        allow_client_guests: no
+  external oidc provider:
+    command: /commander/test-helper.sh && wrapper.sh && yq . $identifier_registration_conf
+    stdout:
+      contains:
+        - '"authorities": ['
+    config:
+      env:
+        external_oidc_provider: yes
+config:
+  env:
+    PATH: ${PATH}
+    eckey: ${eckey}
+    allow_client_guests: ${allow_client_guests}
+    ecparam: ${ecparam} 
+    signing_private_key: ${signing_private_key}
+    KONNECT_BACKEND: ${KONNECT_BACKEND}
+    FQDN: ${FQDN}
+    identifier_registration_conf: ${identifier_registration_conf}
+    encryption_secret_key: ${encryption_secret_key}
+    identifier_scopes_conf: ${identifier_scopes_conf}
+    allow_dynamic_client_registration: ${allow_dynamic_client_registration}
+    DEBUG: ${DEBUG}
+    LANG: ${LANG}
+

konnect/test-helper.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# add a dummy for the konnectd binary
+cat << 'EOF' > /commander/konnectd
+#!/bin/sh
+echo konnectd $@
+EOF
+
+chmod +x /commander/konnectd
+
+exit 0

konnect/wrapper.sh

@@ -3,6 +3,12 @@
 set -eu
 [ "$DEBUG" ] && set -x
 
+# allow helper commands given by "docker-compose run"
+if [ $# -gt 0 ]; then
+	exec "$@"
+	exit
+fi
+
 dockerize \
 	-wait file://"${ecparam:?}" \
 	-wait file://"${eckey:?}" \
@@ -21,12 +27,19 @@ fi
 
 if [ "${allow_client_guests:-}" = "yes" ]; then
 	echo "Patching identifier registration for use of the Meet guest mode"
-	konnectd utils jwk-from-pem --use sig "$eckey" > /tmp/jwk-meet.json
+	/usr/local/bin/konnectd utils jwk-from-pem --use sig "$eckey" > /tmp/jwk-meet.json
 	CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
 	#yq -y ".clients += [{\"id\": \"grapi-explorer.js\", \"name\": \"Grapi Explorer\", \"application_type\": \"web\", \"trusted\": true, \"insecure\": true, \"redirect_uris\": [\"http://$FQDNCLEANED:3000/\"]}]" $CONFIG_JSON | sponge $CONFIG_JSON
 	yq -y ".clients += [{\"id\": \"kpop-https://$FQDN/meet/\", \"name\": \"Kopano Meet\", \"application_type\": \"web\", \"trusted\": true, \"redirect_uris\": [\"https://$FQDN/meet/\"], \"trusted_scopes\": [\"konnect/guestok\", \"kopano/kwm\"], \"jwks\": {\"keys\": [{\"kty\": $(jq .kty /tmp/jwk-meet.json), \"use\": $(jq .use /tmp/jwk-meet.json), \"crv\": $(jq .crv /tmp/jwk-meet.json), \"d\": $(jq .d /tmp/jwk-meet.json), \"kid\": $(jq .kid /tmp/jwk-meet.json), \"x\": $(jq .x /tmp/jwk-meet.json), \"y\": $(jq .y /tmp/jwk-meet.json)}]},\"request_object_signing_alg\": \"ES256\"}]" $CONFIG_JSON | sponge $CONFIG_JSON
-	# TODO this last bit can likely go
+	# TODO this last bit can likely go (but then we must default to a registry stored below /etc/kopano)
-	yq -y . $CONFIG_JSON | sponge /kopano/ssl/konnectd-identifier-registration.yaml
+	yq -y . $CONFIG_JSON | sponge "${identifier_scopes_conf:?}"
+fi
+
+if [ "${external_oidc_provider:-}" = "yes" ]; then
+	echo "Patching identifier registration for external OIDC provider"
+	CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
+	echo "authorities: [{name: ${external_oidc_name:-}, default: yes, iss: ${external_oidc_url:-}, client_id: kopano-meet, client_secret: ${external_oidc_clientsecret:-}, authority_type: oidc, response_type: id_token, scopes: [openid, profile, email]}]" >> $CONFIG_JSON
+	yq -y . $CONFIG_JSON | sponge "${identifier_scopes_conf:?}"
 fi
 
 # source additional configuration from Konnect cfg (potentially overwrites env vars)
@@ -36,14 +49,16 @@ if [ -e /etc/kopano/konnectd.cfg ]; then
 fi
 
 oidc_issuer_identifier=${oidc_issuer_identifier:-https://$FQDN}
-set -- "$@" --iss="$oidc_issuer_identifier"
 echo "Entrypoint: Issuer url (--iss): $oidc_issuer_identifier"
+set -- "$@" --iss="$oidc_issuer_identifier"
 
 if [ -n "${log_level:-}" ]; then
+	echo "Entrypoint: Setting logging to $log_level"
 	set -- "$@" --log-level="$log_level"
 fi
 
 if [ "${allow_client_guests:-}" = "yes" ]; then
+	echo "Entrypoint: Allowing guest login"
 	set -- "$@" "--allow-client-guests"
 fi
 
@@ -52,6 +67,22 @@ if [ "${allow_dynamic_client_registration:-}" = "yes" ]; then
 	set -- "$@" "--allow-dynamic-client-registration"
 fi
 
+if [ -n "${uri_base_path:-}" ]; then
+	echo "Entrypoint: Setting base-path to $uri_base_path"
+	set -- "$@" --uri-base-path="$uri_base_path"
+fi
+
+if [ "${insecure:-}" = "yes" ]; then
+	echo "Entrypoint: running Konnect in insecure mode"
+	set -- "$@" "--insecure"
+fi
+
+# read password from file (UCS requirement)
+if [ -n "${LDAP_BINDPW_FILE:-}" ]; then
+	bindpw="$(cat "${LDAP_BINDPW_FILE}")"
+	export LDAP_BINDPW="${bindpw}"
+fi
+
 dockerize \
 	-wait file://"${signing_private_key:?}" \
 	-wait file://"${encryption_secret_key:?}" \

meet/start-service.sh

@@ -34,8 +34,14 @@ for setting in $(compgen -A variable KCCONF_MEET); do
 		esac
 done
 
-# enable Kopano WebApp in the app switcher
+# enable Kopano Konnect in the app grid
-jq '.apps += {"enabled": ["kopano-webapp"]}' $CONFIG_JSON | sponge $CONFIG_JSON
+jq '.apps += {"enabled": ["kopano-konnect"]}' $CONFIG_JSON | sponge $CONFIG_JSON
+
+# enable Kopano WebApp in the app grid (enabled by default)
+# TODO how to only update the array?
+if [ "${GRID_WEBAPP:-yes}" = "yes" ]; then
+	jq '.apps += {"enabled": ["kopano-webapp", "kopano-konnect"]}' $CONFIG_JSON | sponge $CONFIG_JSON
+fi
 
 #cat $CONFIG_JSON
 

web/Dockerfile

@@ -1,4 +1,4 @@
-ARG CODE_VERSION=0.8.2
+ARG CODE_VERSION=0.8.3
 FROM kopano/kwebd:${CODE_VERSION}
 
 ARG VCS_REF

web/kweb.cfg

@@ -61,6 +61,14 @@
 	}
 	redir /signin /signin/v1/identifier
 
+	# Konnect in subpath - this config supports /kopanoid as a subpath
+	rewrite /kopanoid/konnect/v1/ {
+		to /upstreams/konnect/{path}
+	}
+	rewrite /kopanoid/signin/v1/ {
+		to /upstreams/konnect/{path}
+	}
+
 	# Kapi
 	proxy /upstreams/kapi/ {
 		without /upstreams/kapi/