flywithu/kopano-docker
1
0
Fork 0
mirror of https://github.com/zokradonh/kopano-docker synced 2025-06-07 16:06:14 +00:00
Code Issues Releases Wiki Activity
kopano-docker/konnect/wrapper.sh
Felix Bartels 0130c9829f
Move ecparam and eckey generation into guest mode if (#291) 
move waiting for ecparam and eckey into the allow guest mode if as this is only required for the guest mode
2019-11-22 08:19:44 +01:00

105 lines
4.2 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
set -eu
[ "$DEBUG" ] && set -x
# allow helper commands given by "docker-compose run"
if [ $# -gt 0 ]; then
exec "$@"
exit
fi
if [ "${allow_client_guests:-}" = "yes" ]; then
# TODO this should be simplified so that ecparam and eckey are only required if the is no jwk-meet.json yet
dockerize \
-wait file://"${ecparam:?}" \
-wait file://"${eckey:?}" \
-timeout 360s
# Key generation for Meet guest mode
if [ ! -s "$ecparam" ]; then
echo "Creating ec param key for Meet..."
openssl ecparam -name prime256v1 -genkey -noout -out "$ecparam" >/dev/null 2>&1
fi
if [ ! -s "$eckey" ]; then
echo "Creating ec private key for Meet..."
openssl ec -in "$ecparam" -out "$eckey" >/dev/null 2>&1
fi
echo "Patching identifier registration for use of the Meet guest mode"
/usr/local/bin/konnectd utils jwk-from-pem --use sig "$eckey" > /tmp/jwk-meet.json
CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
#yq -y ".clients += [{\"id\": \"grapi-explorer.js\", \"name\": \"Grapi Explorer\", \"application_type\": \"web\", \"trusted\": true, \"insecure\": true, \"redirect_uris\": [\"http://$FQDNCLEANED:3000/\"]}]" $CONFIG_JSON | sponge $CONFIG_JSON
yq -y ".clients += [{\"id\": \"kpop-https://$FQDN/meet/\", \"name\": \"Kopano Meet\", \"application_type\": \"web\", \"trusted\": true, \"redirect_uris\": [\"https://$FQDN/meet/\"], \"trusted_scopes\": [\"konnect/guestok\", \"kopano/kwm\"], \"jwks\": {\"keys\": [{\"kty\": $(jq .kty /tmp/jwk-meet.json), \"use\": $(jq .use /tmp/jwk-meet.json), \"crv\": $(jq .crv /tmp/jwk-meet.json), \"d\": $(jq .d /tmp/jwk-meet.json), \"kid\": $(jq .kid /tmp/jwk-meet.json), \"x\": $(jq .x /tmp/jwk-meet.json), \"y\": $(jq .y /tmp/jwk-meet.json)}]},\"request_object_signing_alg\": \"ES256\"}]" $CONFIG_JSON | sponge $CONFIG_JSON
# TODO this last bit can likely go (but then we must default to a registry stored below /etc/kopano)
yq -y . $CONFIG_JSON | sponge "${identifier_registration_conf:?}"
fi
if [ "${external_oidc_provider:-}" = "yes" ]; then
echo "Patching identifier registration for external OIDC provider"
CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
echo "authorities: [{name: ${external_oidc_name:-}, default: yes, iss: ${external_oidc_url:-}, client_id: kopano-meet, client_secret: ${external_oidc_clientsecret:-}, authority_type: oidc, response_type: id_token, scopes: [openid, profile, email]}]" >> $CONFIG_JSON
yq -y . $CONFIG_JSON | sponge "${identifier_registration_conf:?}"
fi
# source additional configuration from Konnect cfg (potentially overwrites env vars)
if [ -e /etc/kopano/konnectd.cfg ]; then
# shellcheck disable=SC1091
. /etc/kopano/konnectd.cfg
fi
oidc_issuer_identifier=${oidc_issuer_identifier:-https://$FQDN}
echo "Entrypoint: Issuer url (--iss): $oidc_issuer_identifier"
set -- "$@" --iss="$oidc_issuer_identifier"
if [ -n "${log_level:-}" ]; then
echo "Entrypoint: Setting logging to $log_level"
set -- "$@" --log-level="$log_level"
fi
if [ "${allow_client_guests:-}" = "yes" ]; then
echo "Entrypoint: Allowing guest login"
set -- "$@" "--allow-client-guests"
fi
if [ "${allow_dynamic_client_registration:-}" = "yes" ]; then
echo "Entrypoint: Allowing dynamic client registration"
set -- "$@" "--allow-dynamic-client-registration"
fi
if [ -n "${uri_base_path:-}" ]; then
echo "Entrypoint: Setting base-path to $uri_base_path"
set -- "$@" --uri-base-path="$uri_base_path"
fi
if [ "${insecure:-}" = "yes" ]; then
echo "Entrypoint: running Konnect in insecure mode"
set -- "$@" "--insecure"
fi
# Support additional args provided via environment.
if [ -n "${ARGS:-}" ]; then
set -- "$@" "${ARGS}"
fi
# read password from file (UCS requirement)
if [ -n "${LDAP_BINDPW_FILE:-}" ]; then
bindpw="$(cat "${LDAP_BINDPW_FILE}")"
export LDAP_BINDPW="${bindpw}"
fi
# services need to be aware of the machine-id
dockerize \
-wait file://"${signing_private_key:?}" \
-wait file://"${encryption_secret_key:?}" \
-wait file:///etc/machine-id \
-wait file:///var/lib/dbus/machine-id \
-timeout 360s
exec konnectd serve \
--signing-private-key="${signing_private_key:?}" \
--encryption-secret="${encryption_secret_key:?}" \
--identifier-registration-conf "${identifier_registration_conf:?}" \
--identifier-scopes-conf "${identifier_scopes_conf:?}" \
"$@" "$KONNECT_BACKEND"
Reference in New Issue View Git Blame Copy Permalink