From 067747942e131d933e65d86d1caca7282d495ea5 Mon Sep 17 00:00:00 2001
From: Emmanuel Garette
Date: Tue, 5 Jul 2022 22:07:23 +0200
Subject: [PATCH] manage well-known file (from internal or external)

---
 .../dictionaries/70_lemonldap_ng.xml | 2 +
 .../lemonldap/templates/interne_well_known.pl | 11 ++--
 .../lemonldap-ng-fastcgi-server.service | 3 +-
 seed/lemonldap/templates/lemonldap.yml | 3 ++
 seed/lemonldap/templates/portal-nginx.conf | 45 +++++++++-------
 .../templates/tmpfile-lemonldap.conf | 2 +-
 seed/lemonldap/templates/wget.pl | 10 ++++
 seed/lemonldap/tests/test_lemonldap.py | 54 +++++++++++++++++++
 seed/nextcloud/DEBUG.md | 20 +++++++
 9 files changed, 127 insertions(+), 23 deletions(-)
 create mode 100644 seed/lemonldap/templates/lemonldap.yml
 create mode 100644 seed/lemonldap/templates/wget.pl
 create mode 100644 seed/lemonldap/tests/test_lemonldap.py

diff --git a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml b/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
index 9532c81..bf229ac 100644
--- a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
+++ b/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
@@ -18,7 +18,9 @@
 /etc/lemonldap-ng/nginx-lmlog.conf
 /etc/default/lemonldap-ng-fastcgi-server
 /sbin/interne_well_known.pl
+ /sbin/wget.pl
 /tmpfiles.d/0lemonldap.conf
+ /tests/lemonldap.yml
diff --git a/seed/lemonldap/templates/interne_well_known.pl b/seed/lemonldap/templates/interne_well_known.pl
index 5137895..586d053 100644
--- a/seed/lemonldap/templates/interne_well_known.pl
+++ b/seed/lemonldap/templates/interne_well_known.pl
@@ -1,4 +1,5 @@
 %echo "#!/usr/bin/env perl"
+# retrieve and modify (if no argument) well-known file
 use HTTP::Tiny;
 use JSON qw(from_json to_json);
@@ -10,7 +11,11 @@ my $response = HTTP::Tiny->new->get('http://localhost/.well-known/openid-configu
 die "Failed!\n" unless $response->{success};
 my $json = from_json($response->{content});
-$json->{token_endpoint} = $baseUrl . 'oauth2/token';
-$json->{userinfo_endpoint} = $baseUrl . 'oauth2/userinfo';
-$json->{jwks_uri} = $baseUrl . 'oauth2/jwks';
+%echo "$num_args = $#ARGV + 1;"
+
+if ($num_args == 0) {
+ $json->{token_endpoint} = $baseUrl . 'oauth2/token';
+ $json->{userinfo_endpoint} = $baseUrl . 'oauth2/userinfo';
+ $json->{jwks_uri} = $baseUrl . 'oauth2/jwks';
+}
 printf to_json($json) . "\n";
diff --git a/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service b/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service
index 2b1add6..984b4f0 100644
--- a/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service
+++ b/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service
@@ -3,4 +3,5 @@ After=nginx.service
 [Service]
 ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
-ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration; do sleep 5; done'
+ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration/int; do sleep 5; done'
+ExecStartPost=-/bin/bash -c '/usr/local/lib/sbin/interne_well_known.pl no > /var/www/html/.well-known/openid-configuration/ext'
diff --git a/seed/lemonldap/templates/lemonldap.yml b/seed/lemonldap/templates/lemonldap.yml
new file mode 100644
index 0000000..73fcfdb
--- /dev/null
+++ b/seed/lemonldap/templates/lemonldap.yml
@@ -0,0 +1,3 @@
+address: %%revprox_client_external_domainname
+internal_address: %%domain_name_eth0
+ip: %%ip_eth0
diff --git a/seed/lemonldap/templates/portal-nginx.conf b/seed/lemonldap/templates/portal-nginx.conf
index 1ec0e3a..54087f9 100644
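Review bot: The added `+%echo "$num_args = $#ARGV + 1;"` line assigns `$num_args` without a `my` declaration, and the file header in the previous hunk shows only the two `use` lines with no `use strict; use warnings;`, so a mistyped variable name anywhere in this script is silently a fresh global rather than a compile error. If the `%echo` wrapper exists only to keep the `#` of `$#ARGV` from being read as a template comment, as the shebang line suggests, then `my $num_args = scalar @ARGV;` needs no wrapper and no global. The test `$num_args == 0` also means any argument at all, not just the `no` the service unit passes, selects the unmodified document; naming that explicitly, e.g. `my $external = @ARGV && $ARGV[0] eq 'no';`, documents the contract the unit file relies on. The context line `printf to_json($json) . "\n";` treats the JSON as a printf format string, so any `%` in the upstream document is interpreted; `print to_json($json) . "\n";` emits it verbatim.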
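Review bot: The new `ext` line redirects the script's stdout straight into `/var/www/html/.well-known/openid-configuration/ext`, so the shell truncates the file before `interne_well_known.pl no` runs; if the portal is not answering yet (the reason the `int` line loops under a 10 s timeout) the script dies, the `-` prefix hides the failure, and nginx serves an empty document to external clients until the next restart. Writing to a temporary name and renaming only on success keeps the previous document in place, e.g. `ExecStartPost=-/bin/bash -c '/usr/local/lib/sbin/interne_well_known.pl no > /var/www/html/.well-known/openid-configuration/ext.tmp && mv /var/www/html/.well-known/openid-configuration/ext.tmp /var/www/html/.well-known/openid-configuration/ext'`; the `int` line has the same truncate-then-fail window on every loop iteration. Giving the `ext` line the same timeout/retry loop as `int` would also be consistent. Whether the service's `User=` (outside this hunk) can write into the root-owned 755 directory declared in tmpfile-lemonldap.conf should be confirmed.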
--- a/seed/lemonldap/templates/portal-nginx.conf
+++ b/seed/lemonldap/templates/portal-nginx.conf
@@ -15,24 +15,32 @@ upstream llng_portal_upstream {
 server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
 }
-# GNUNUX server {
-# GNUNUX listen 127.0.0.1:80;
-# GNUNUX server_name localhost;
-# GNUNUX root /usr/share/lemonldap-ng/portal/htdocs/;
-# GNUNUX if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
-# GNUNUX rewrite ^/(.*)$ /index.psgi/$1 break;
-# GNUNUX }
-# GNUNUX location ~ ^(?/.*\.psgi)(?:$|/) {
-# GNUNUX include /etc/nginx/fastcgi_params;
-# GNUNUX fastcgi_pass llng_portal_upstream;
-# GNUNUX fastcgi_param REQUEST_URI /.well-known/openid-configuration;
-# GNUNUX fastcgi_param HTTP_HOST %%domain_name_eth0;
-# GNUNUX fastcgi_param LLTYPE psgi;
-# GNUNUX fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-# GNUNUX fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
-# GNUNUX fastcgi_param PATH_INFO $fastcgi_path_info;
-# GNUNUX }
-# GNUNUX }
+server {
+ listen 127.0.0.1:80;
+ server_name localhost;
+ root /usr/share/lemonldap-ng/portal/htdocs/;
+ if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
+ rewrite ^/(.*)$ /index.psgi/$1 break;
+ }
+ location ~ ^(?/.*\.psgi)(?:$|/) {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass llng_portal_upstream;
+ fastcgi_param REQUEST_URI /.well-known/openid-configuration;
+ fastcgi_param HTTP_HOST %%domain_name_eth0;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ }
+}
+
+#>GNUNUX
+geo $zone_name {
+ default ext;
+ %%gateway_eth0 ext;
+ %%network_eth0 int;
+}
+#GNUNUX
 # rewrite well-known
+ rewrite ^/.well-known/openid-configuration /.well-known/openid-configuration/$zone_name break;
 location /.well-known/openid-configuration {
 root /var/www/html;
 }
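Review bot: The added `rewrite ... /$zone_name break;` only maps the exact URI `/.well-known/openid-configuration`, while the context `location /.well-known/openid-configuration { root /var/www/html; }` serves the whole directory, so a client classified as `ext` can request `/.well-known/openid-configuration/int` directly and obtain the internal variant with the `%%domain_name_eth0` endpoints this split is meant to keep off the external side. Selecting the file inside an exact-match location and never exposing the directory closes that path; the `rewrite` sits at server level and the enclosing `server` block starts outside the hunk, so placement has to be checked against the rest of the file. The `geo` block keys on the connecting address, so if external traffic arrives through the reverse proxy named in lemonldap.yml it is the proxy's address that decides the zone, which is presumably why `%%gateway_eth0` is mapped to `ext`; a one-line comment on that entry would save the next reader the deduction.
```nginx
# … unchanged: server { … } and geo $zone_name { … } …
location = /.well-known/openid-configuration {
    root /var/www/html;
    # pick the int/ext document by zone without exposing the directory
    try_files /.well-known/openid-configuration/$zone_name =404;
}
```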
diff --git a/seed/lemonldap/templates/tmpfile-lemonldap.conf b/seed/lemonldap/templates/tmpfile-lemonldap.conf
index dd4d8af..d3e9d98 100644
--- a/seed/lemonldap/templates/tmpfile-lemonldap.conf
+++ b/seed/lemonldap/templates/tmpfile-lemonldap.conf
@@ -9,4 +9,4 @@ d /srv/lemonldap-ng/psessions/lock 750 www-data www-data - -
 d /srv/lemonldap-ng/sessions 750 www-data www-data - -
 d /srv/lemonldap-ng/sessions/lock 750 www-data www-data - -
 d /srv/lemonldap-ng/cache 750 www-data www-data - -
-d /var/www/html/.well-known 755 root root - -
+d /var/www/html/.well-known/openid-configuration 755 root root - -
diff --git a/seed/lemonldap/templates/wget.pl b/seed/lemonldap/templates/wget.pl
new file mode 100644
index 0000000..b46dc4b
--- /dev/null
+++ b/seed/lemonldap/templates/wget.pl
@@ -0,0 +1,10 @@
+%echo "#!/usr/bin/env perl"
+
+use HTTP::Tiny;
+use JSON qw(from_json to_json);
+
+my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration');
+
+die "Failed!\n" unless $response->{success};
+
+printf $response->{content} . "\n";
diff --git a/seed/lemonldap/tests/test_lemonldap.py b/seed/lemonldap/tests/test_lemonldap.py
new file mode 100644
index 0000000..77a96da
--- /dev/null
+++ b/seed/lemonldap/tests/test_lemonldap.py
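Review bot: `printf $response->{content} . "\n";` in the new wget.pl uses the fetched document as the printf format string, so any `%` sequence in the JSON (a percent-encoded URL, for instance) is consumed as a conversion and the output the test parses is mangled; `print $response->{content} . "\n";` writes it verbatim, and the last line of interne_well_known.pl has the same pattern. `use JSON qw(from_json to_json);` is never used in this script and can go. `die "Failed!\n"` drops the one detail needed when the test fails, the HTTP status; `die "Failed: $response->{status} $response->{reason}\n";` costs nothing. Whether `HTTP::Tiny->new` verifies the server certificate depends on the installed version's `verify_SSL` default, so passing `verify_SSL => 1` explicitly states what the internal-zone fetch is expected to check.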
@@ -0,0 +1,54 @@
+from yaml import load, SafeLoader
+from os import environ
+import warnings
+import socket
+from json import loads
+from requests import get
+
+from execute import run
+
+
+def req(url, ip, verify=True):
+ # Monkey patch to force IPv4 resolution
+ old_getaddrinfo = socket.getaddrinfo
+ def new_getaddrinfo(*args, **kwargs):
+ ret = old_getaddrinfo(*args, **kwargs)
+ dns = list(ret[0])
+ dns[-1] = (ip, dns[-1][1])
+ return [dns]
+ socket.getaddrinfo = new_getaddrinfo
+ ret = get(url, verify=verify)
+ ret_code = ret.status_code
+ content = ret.content
+ socket.getaddrinfo = old_getaddrinfo
+ return ret_code, content.decode()
+
+
+def test_well_known_outside():
+ conf_file = f'{environ["MACHINE_TEST_DIR"]}/lemonldap.yml'
+ with open(conf_file) as yaml:
+ data = load(yaml, Loader=SafeLoader)
+ url = f'https://{data["address"]}/.well-known/openid-configuration'
+ with warnings.catch_warnings():
+ warnings.simplefilter("ignore")
+ ret_code, content = req(url, data['ip'], verify=False)
+ assert ret_code == 200
+ json = loads(content)
+
+ assert data['internal_address'] not in json['token_endpoint']
+ assert data['internal_address'] not in json['userinfo_endpoint']
+ assert data['internal_address'] not in json['jwks_uri']
+
+
+def test_well_known_inside():
+ conf_file = f'{environ["MACHINE_TEST_DIR"]}/lemonldap.yml'
+ with open(conf_file) as yaml:
+ data = load(yaml, Loader=SafeLoader)
+ result = run(data['internal_address'],
+ ['/usr/local/lib/sbin/wget.pl'],
+ )
+ json = loads(list(result)[-2])
+
+ assert data['internal_address'] in json['token_endpoint']
+ assert data['internal_address'] in json['userinfo_endpoint']
+ assert data['internal_address'] in json['jwks_uri']
diff --git a/seed/nextcloud/DEBUG.md b/seed/nextcloud/DEBUG.md
index d85ac5b..2168b85 100644
--- a/seed/nextcloud/DEBUG.md
+++ b/seed/nextcloud/DEBUG.md
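Review bot: `req()` replaces `socket.getaddrinfo` process-wide and restores it only after `get()` returns, so a connection error or timeout inside `get()` leaves the patch installed for every later test in the session, with all subsequent lookups silently redirected to `ip`; restoring in a `finally` bounds the patch to the one request. `new_getaddrinfo` rewrites only `ret[0]` and keeps that entry's address family, so if the resolver lists an IPv6 entry first the IPv4 `ip` is paired with an `AF_INET6` family and a two-element sockaddr, which contradicts the "force IPv4" comment; building the returned entry with `socket.AF_INET` explicitly, or picking the first `AF_INET` result, makes it hold. `verify=False` in `test_well_known_outside` is reasonable for a self-signed test target but deserves a comment saying that is why it is there.
```python
def req(url, ip, verify=True):
    # … unchanged: new_getaddrinfo definition …
    socket.getaddrinfo = new_getaddrinfo
    try:
        ret = get(url, verify=verify)
    finally:
        # restore even when get() raises, so later tests resolve normally
        socket.getaddrinfo = old_getaddrinfo
    return ret.status_code, ret.content.decode()
```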
@@ -34,3 +34,23 @@ php /usr/share/nextcloud/occ ldap:check-user gnunux@gnunux.info
 su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ app:disable oidc_login"
 Password : password/nextcloud.in.gnunux.info/nextcloud/admin_password
+
+## The provider authorization_endpoint could not be fetched. Make sure your provider has a well known configuration available.
+
+Vérification :
+
+```
+su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:list"|grep know
+```
+
+Suppression de cache nextcloud :
+
+```
+su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:app:set --value 0 oidc_login last_updated_well_known"
+```
+
+Sur lemonldap, le script de création du fichier .well-known :
+
+```
+/usr/local/lib/sbin/interne_well_known.pl
+```