manage well-known file (from internal or external)

This commit is contained in:
Emmanuel Garette 2022-07-05 22:07:23 +02:00
parent 4d98ec14f1
commit 067747942e
9 changed files with 127 additions and 23 deletions

View file

@ -18,7 +18,9 @@
<file>/etc/lemonldap-ng/nginx-lmlog.conf</file>
<file>/etc/default/lemonldap-ng-fastcgi-server</file>
<file mode="750">/sbin/interne_well_known.pl</file>
<file mode="750">/sbin/wget.pl</file>
<file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
<file>/tests/lemonldap.yml</file>
</service>
</services>
<variables>

View file

@ -1,4 +1,5 @@
%echo "#!/usr/bin/env perl"
# retrieve and modify (if no argument) well-known file
use HTTP::Tiny;
use JSON qw(from_json to_json);
@ -10,7 +11,11 @@ my $response = HTTP::Tiny->new->get('http://localhost/.well-known/openid-configu
die "Failed!\n" unless $response->{success};
my $json = from_json($response->{content});
$json->{token_endpoint} = $baseUrl . 'oauth2/token';
$json->{userinfo_endpoint} = $baseUrl . 'oauth2/userinfo';
$json->{jwks_uri} = $baseUrl . 'oauth2/jwks';
%echo "$num_args = $#ARGV + 1;"
if ($num_args == 0) {
$json->{token_endpoint} = $baseUrl . 'oauth2/token';
$json->{userinfo_endpoint} = $baseUrl . 'oauth2/userinfo';
$json->{jwks_uri} = $baseUrl . 'oauth2/jwks';
}
printf to_json($json) . "\n";

View file

@ -3,4 +3,5 @@ After=nginx.service
[Service]
ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration; do sleep 5; done'
ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration/int; do sleep 5; done'
ExecStartPost=-/bin/bash -c '/usr/local/lib/sbin/interne_well_known.pl no > /var/www/html/.well-known/openid-configuration/ext'

View file

@ -0,0 +1,3 @@
address: %%revprox_client_external_domainname
internal_address: %%domain_name_eth0
ip: %%ip_eth0

View file

@ -15,24 +15,32 @@ upstream llng_portal_upstream {
server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
}
# GNUNUX server {
# GNUNUX listen 127.0.0.1:80;
# GNUNUX server_name localhost;
# GNUNUX root /usr/share/lemonldap-ng/portal/htdocs/;
# GNUNUX if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
# GNUNUX rewrite ^/(.*)$ /index.psgi/$1 break;
# GNUNUX }
# GNUNUX location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
# GNUNUX include /etc/nginx/fastcgi_params;
# GNUNUX fastcgi_pass llng_portal_upstream;
# GNUNUX fastcgi_param REQUEST_URI /.well-known/openid-configuration;
# GNUNUX fastcgi_param HTTP_HOST %%domain_name_eth0;
# GNUNUX fastcgi_param LLTYPE psgi;
# GNUNUX fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# GNUNUX fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
# GNUNUX fastcgi_param PATH_INFO $fastcgi_path_info;
# GNUNUX }
# GNUNUX }
server {
listen 127.0.0.1:80;
server_name localhost;
root /usr/share/lemonldap-ng/portal/htdocs/;
if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break;
}
location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
include /etc/nginx/fastcgi_params;
fastcgi_pass llng_portal_upstream;
fastcgi_param REQUEST_URI /.well-known/openid-configuration;
fastcgi_param HTTP_HOST %%domain_name_eth0;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
#>GNUNUX
geo $zone_name {
default ext;
%%gateway_eth0 ext;
%%network_eth0 int;
}
#<GNUNUX
server {
# GNUNUX listen 80;
@ -163,6 +171,7 @@ server {
}
#>GNUNUX
# rewrite well-known
rewrite ^/.well-known/openid-configuration /.well-known/openid-configuration/$zone_name break;
location /.well-known/openid-configuration {
root /var/www/html;
}

View file

@ -9,4 +9,4 @@ d /srv/lemonldap-ng/psessions/lock 750 www-data www-data - -
d /srv/lemonldap-ng/sessions 750 www-data www-data - -
d /srv/lemonldap-ng/sessions/lock 750 www-data www-data - -
d /srv/lemonldap-ng/cache 750 www-data www-data - -
d /var/www/html/.well-known 755 root root - -
d /var/www/html/.well-known/openid-configuration 755 root root - -

View file

@ -0,0 +1,10 @@
%echo "#!/usr/bin/env perl"
use HTTP::Tiny;
use JSON qw(from_json to_json);
my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration');
die "Failed!\n" unless $response->{success};
printf $response->{content} . "\n";

View file

@ -0,0 +1,54 @@
from yaml import load, SafeLoader
from os import environ
import warnings
import socket
from json import loads
from requests import get
from execute import run
def req(url, ip, verify=True):
# Monkey patch to force IPv4 resolution
old_getaddrinfo = socket.getaddrinfo
def new_getaddrinfo(*args, **kwargs):
ret = old_getaddrinfo(*args, **kwargs)
dns = list(ret[0])
dns[-1] = (ip, dns[-1][1])
return [dns]
socket.getaddrinfo = new_getaddrinfo
ret = get(url, verify=verify)
ret_code = ret.status_code
content = ret.content
socket.getaddrinfo = old_getaddrinfo
return ret_code, content.decode()
def test_well_known_outside():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/lemonldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
url = f'https://{data["address"]}/.well-known/openid-configuration'
with warnings.catch_warnings():
warnings.simplefilter("ignore")
ret_code, content = req(url, data['ip'], verify=False)
assert ret_code == 200
json = loads(content)
assert data['internal_address'] not in json['token_endpoint']
assert data['internal_address'] not in json['userinfo_endpoint']
assert data['internal_address'] not in json['jwks_uri']
def test_well_known_inside():
conf_file = f'{environ["MACHINE_TEST_DIR"]}/lemonldap.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
result = run(data['internal_address'],
['/usr/local/lib/sbin/wget.pl'],
)
json = loads(list(result)[-2])
assert data['internal_address'] in json['token_endpoint']
assert data['internal_address'] in json['userinfo_endpoint']
assert data['internal_address'] in json['jwks_uri']

View file

@ -34,3 +34,23 @@ php /usr/share/nextcloud/occ ldap:check-user gnunux@gnunux.info
su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ app:disable oidc_login"
Password : password/nextcloud.in.gnunux.info/nextcloud/admin_password
## The provider authorization_endpoint could not be fetched. Make sure your provider has a well known configuration available.
Vérification :
```
su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:list"|grep know
```
Suppression de cache nextcloud :
```
su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:app:set --value 0 oidc_login last_updated_well_known"
```
Sur lemonldap, le script de création du fichier .well-known :
```
/usr/local/lib/sbin/interne_well_known.pl
```