diff --git a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml b/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
index 9532c81..bf229ac 100644
--- a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
+++ b/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
@@ -18,7 +18,9 @@
/etc/lemonldap-ng/nginx-lmlog.conf
/etc/default/lemonldap-ng-fastcgi-server
/sbin/interne_well_known.pl
+ /sbin/wget.pl
/tmpfiles.d/0lemonldap.conf
+ /tests/lemonldap.yml
diff --git a/seed/lemonldap/templates/interne_well_known.pl b/seed/lemonldap/templates/interne_well_known.pl
index 5137895..586d053 100644
--- a/seed/lemonldap/templates/interne_well_known.pl
+++ b/seed/lemonldap/templates/interne_well_known.pl
@@ -1,4 +1,5 @@
%echo "#!/usr/bin/env perl"
+# retrieve and modify (if no argument) well-known file
use HTTP::Tiny;
use JSON qw(from_json to_json);
@@ -10,7 +11,11 @@ my $response = HTTP::Tiny->new->get('http://localhost/.well-known/openid-configu
die "Failed!\n" unless $response->{success};
my $json = from_json($response->{content});
-$json->{token_endpoint} = $baseUrl . 'oauth2/token';
-$json->{userinfo_endpoint} = $baseUrl . 'oauth2/userinfo';
-$json->{jwks_uri} = $baseUrl . 'oauth2/jwks';
+%echo "$num_args = $#ARGV + 1;"
+
+if ($num_args == 0) {
+ $json->{token_endpoint} = $baseUrl . 'oauth2/token';
+ $json->{userinfo_endpoint} = $baseUrl . 'oauth2/userinfo';
+ $json->{jwks_uri} = $baseUrl . 'oauth2/jwks';
+}
printf to_json($json) . "\n";
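Review bot: `$num_args` is introduced via `%echo` without a `my` declaration, so the generated script relies on the absence of `use strict` (no strictures are visible in the first hunk), and the test `$num_args == 0` means any argument at all — not specifically the `no` the service unit passes — switches the endpoints to the unmodified upstream values. A plain `if (!@ARGV) {` replaces both the `%echo` line and the condition and avoids the template escape for `$#ARGV` altogether; alternatively, declare it: `%echo "my $num_args = $#ARGV + 1;"`. The header comment added in the first hunk should also say what the argument means, e.g. `# with no argument the endpoints are rewritten to the internal base URL; any argument keeps the upstream (external) values`. `$baseUrl` is defined before this hunk, so its value cannot be checked here.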
diff --git a/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service b/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service
index 2b1add6..984b4f0 100644
--- a/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service
+++ b/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service
@@ -3,4 +3,5 @@ After=nginx.service
[Service]
ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
-ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration; do sleep 5; done'
+ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration/int; do sleep 5; done'
+ExecStartPost=-/bin/bash -c '/usr/local/lib/sbin/interne_well_known.pl no > /var/www/html/.well-known/openid-configuration/ext'
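Review bot: The second ExecStartPost has no retry loop, and because the shell redirection truncates `openid-configuration/ext` before `interne_well_known.pl no` runs, a fetch that fails while the FastCGI backend is still starting leaves an empty file that nginx then serves to every external client until the unit is restarted; the leading `-` hides that failure. Give it the same loop as the `int` line, `ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl no > /var/www/html/.well-known/openid-configuration/ext; do sleep 5; done'`, or better, write to a temporary file and rename it into place only on success so a failed attempt never replaces a good document. With `timeout 10` and `sleep 5` the loop appears to allow only about two attempts, which seems short next to the 90 s the ExecStartPre waits for LDAP.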
diff --git a/seed/lemonldap/templates/lemonldap.yml b/seed/lemonldap/templates/lemonldap.yml
new file mode 100644
index 0000000..73fcfdb
--- /dev/null
+++ b/seed/lemonldap/templates/lemonldap.yml
@@ -0,0 +1,3 @@
+address: %%revprox_client_external_domainname
+internal_address: %%domain_name_eth0
+ip: %%ip_eth0
diff --git a/seed/lemonldap/templates/portal-nginx.conf b/seed/lemonldap/templates/portal-nginx.conf
index 1ec0e3a..54087f9 100644
--- a/seed/lemonldap/templates/portal-nginx.conf
+++ b/seed/lemonldap/templates/portal-nginx.conf
@@ -15,24 +15,32 @@ upstream llng_portal_upstream {
server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
}
-# GNUNUX server {
-# GNUNUX listen 127.0.0.1:80;
-# GNUNUX server_name localhost;
-# GNUNUX root /usr/share/lemonldap-ng/portal/htdocs/;
-# GNUNUX if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
-# GNUNUX rewrite ^/(.*)$ /index.psgi/$1 break;
-# GNUNUX }
-# GNUNUX location ~ ^(?/.*\.psgi)(?:$|/) {
-# GNUNUX include /etc/nginx/fastcgi_params;
-# GNUNUX fastcgi_pass llng_portal_upstream;
-# GNUNUX fastcgi_param REQUEST_URI /.well-known/openid-configuration;
-# GNUNUX fastcgi_param HTTP_HOST %%domain_name_eth0;
-# GNUNUX fastcgi_param LLTYPE psgi;
-# GNUNUX fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-# GNUNUX fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
-# GNUNUX fastcgi_param PATH_INFO $fastcgi_path_info;
-# GNUNUX }
-# GNUNUX }
+server {
+ listen 127.0.0.1:80;
+ server_name localhost;
+ root /usr/share/lemonldap-ng/portal/htdocs/;
+ if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
+ rewrite ^/(.*)$ /index.psgi/$1 break;
+ }
+ location ~ ^(?/.*\.psgi)(?:$|/) {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass llng_portal_upstream;
+ fastcgi_param REQUEST_URI /.well-known/openid-configuration;
+ fastcgi_param HTTP_HOST %%domain_name_eth0;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ }
+}
+
+#>GNUNUX
+geo $zone_name {
+ default ext;
+ %%gateway_eth0 ext;
+ %%network_eth0 int;
+}
+#GNUNUX
# rewrite well-known
+ rewrite ^/.well-known/openid-configuration /.well-known/openid-configuration/$zone_name break;
location /.well-known/openid-configuration {
root /var/www/html;
}
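Review bot: The added `rewrite ^/.well-known/openid-configuration ... $zone_name break;` has no end anchor and an unescaped dot, so it matches every URI under that prefix — including `/.well-known/openid-configuration/int` itself — and maps it to the requester's zone. That is the property that keeps the internal endpoint names away from external clients, so it should be stated rather than left to look accidental, e.g. `# every URI under this prefix (including /int and /ext themselves) is re-mapped by zone, so an external client can never read the internal variant`, and the dot escaped: `rewrite ^/\.well-known/openid-configuration /.well-known/openid-configuration/$zone_name break;`. Note that `geo` classifies by `$remote_addr`, so requests arriving through the reverse proxy are judged by the proxy's address — presumably the reason for the `%%gateway_eth0 ext;` entry; that assumption is worth a comment on the `geo` block. The `(?/.*\.psgi)` group in the un-commented `location` looks syntactically incomplete and may be an extraction artefact; it should be checked against the deployed file.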
diff --git a/seed/lemonldap/templates/tmpfile-lemonldap.conf b/seed/lemonldap/templates/tmpfile-lemonldap.conf
index dd4d8af..d3e9d98 100644
--- a/seed/lemonldap/templates/tmpfile-lemonldap.conf
+++ b/seed/lemonldap/templates/tmpfile-lemonldap.conf
@@ -9,4 +9,4 @@ d /srv/lemonldap-ng/psessions/lock 750 www-data www-data - -
d /srv/lemonldap-ng/sessions 750 www-data www-data - -
d /srv/lemonldap-ng/sessions/lock 750 www-data www-data - -
d /srv/lemonldap-ng/cache 750 www-data www-data - -
-d /var/www/html/.well-known 755 root root - -
+d /var/www/html/.well-known/openid-configuration 755 root root - -
diff --git a/seed/lemonldap/templates/wget.pl b/seed/lemonldap/templates/wget.pl
new file mode 100644
index 0000000..b46dc4b
--- /dev/null
+++ b/seed/lemonldap/templates/wget.pl
@@ -0,0 +1,10 @@
+%echo "#!/usr/bin/env perl"
+
+use HTTP::Tiny;
+use JSON qw(from_json to_json);
+
+my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration');
+
+die "Failed!\n" unless $response->{success};
+
+printf $response->{content} . "\n";
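Review bot: `printf $response->{content} . "\n";` passes the fetched body as the printf format string, so any `%` in the JSON (percent-encoded URLs are plausible in endpoint values) is interpreted as a conversion and corrupts the output that `test_well_known_inside` later parses with `loads`; use `print $response->{content}, "\n";`. The script also lacks `use strict; use warnings;`. HTTP::Tiny only validates the server certificate when constructed with `verify_SSL => 1` (older releases default to no verification), which is tolerable for a helper that reads its own host's published document but deserves a comment so it is not copied into anything that trusts the response. The final line of interne_well_known.pl has the same printf-with-data pattern.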
diff --git a/seed/lemonldap/tests/test_lemonldap.py b/seed/lemonldap/tests/test_lemonldap.py
new file mode 100644
index 0000000..77a96da
--- /dev/null
+++ b/seed/lemonldap/tests/test_lemonldap.py
@@ -0,0 +1,54 @@
+from yaml import load, SafeLoader
+from os import environ
+import warnings
+import socket
+from json import loads
+from requests import get
+
+from execute import run
+
+
+def req(url, ip, verify=True):
+ # Monkey patch to force IPv4 resolution
+ old_getaddrinfo = socket.getaddrinfo
+ def new_getaddrinfo(*args, **kwargs):
+ ret = old_getaddrinfo(*args, **kwargs)
+ dns = list(ret[0])
+ dns[-1] = (ip, dns[-1][1])
+ return [dns]
+ socket.getaddrinfo = new_getaddrinfo
+ ret = get(url, verify=verify)
+ ret_code = ret.status_code
+ content = ret.content
+ socket.getaddrinfo = old_getaddrinfo
+ return ret_code, content.decode()
+
+
+def test_well_known_outside():
+ conf_file = f'{environ["MACHINE_TEST_DIR"]}/lemonldap.yml'
+ with open(conf_file) as yaml:
+ data = load(yaml, Loader=SafeLoader)
+ url = f'https://{data["address"]}/.well-known/openid-configuration'
+ with warnings.catch_warnings():
+ warnings.simplefilter("ignore")
+ ret_code, content = req(url, data['ip'], verify=False)
+ assert ret_code == 200
+ json = loads(content)
+
+ assert data['internal_address'] not in json['token_endpoint']
+ assert data['internal_address'] not in json['userinfo_endpoint']
+ assert data['internal_address'] not in json['jwks_uri']
+
+
+def test_well_known_inside():
+ conf_file = f'{environ["MACHINE_TEST_DIR"]}/lemonldap.yml'
+ with open(conf_file) as yaml:
+ data = load(yaml, Loader=SafeLoader)
+ result = run(data['internal_address'],
+ ['/usr/local/lib/sbin/wget.pl'],
+ )
+ json = loads(list(result)[-2])
+
+ assert data['internal_address'] in json['token_endpoint']
+ assert data['internal_address'] in json['userinfo_endpoint']
+ assert data['internal_address'] in json['jwks_uri']
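Review bot: In `req`, the global `socket.getaddrinfo` patch is only undone on the success path; if `get` raises (connection refused, timeout, TLS error) the process keeps resolving every hostname to `ip` for the rest of the test session, so later tests fail in confusing ways. Restore it in a `finally`, as below. `ret[0]` also assumes `getaddrinfo` returned at least one entry. `verify=False` in `test_well_known_outside` is understandable for a freshly deployed host, but passing the deployment's CA bundle via `verify=` would let the test also catch a broken certificate chain; and `list(result)[-2]` in `test_well_known_inside` depends on the exact line layout emitted by `run`, which is worth a comment.
```python
    socket.getaddrinfo = new_getaddrinfo
    try:
        ret = get(url, verify=verify)
        ret_code = ret.status_code
        content = ret.content
    finally:
        # always undo the global patch, even when the request raises
        socket.getaddrinfo = old_getaddrinfo
    return ret_code, content.decode()
```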
diff --git a/seed/nextcloud/DEBUG.md b/seed/nextcloud/DEBUG.md
index d85ac5b..2168b85 100644
--- a/seed/nextcloud/DEBUG.md
+++ b/seed/nextcloud/DEBUG.md
@@ -34,3 +34,23 @@ php /usr/share/nextcloud/occ ldap:check-user gnunux@gnunux.info
su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ app:disable oidc_login"
Password : password/nextcloud.in.gnunux.info/nextcloud/admin_password
+
+## The provider authorization_endpoint could not be fetched. Make sure your provider has a well known configuration available.
+
+VĂ©rification :
+
+```
+su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:list"|grep know
+```
+
+Suppression de cache nextcloud :
+
+```
+su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:app:set --value 0 oidc_login last_updated_well_known"
+```
+
+Sur lemonldap, le script de création du fichier .well-known :
+
+```
+/usr/local/lib/sbin/interne_well_known.pl
+```