manage well-known file (from internal or external)
This commit is contained in:
parent
4d98ec14f1
commit
067747942e
9 changed files with 127 additions and 23 deletions
|
@ -18,7 +18,9 @@
|
||||||
<file>/etc/lemonldap-ng/nginx-lmlog.conf</file>
|
<file>/etc/lemonldap-ng/nginx-lmlog.conf</file>
|
||||||
<file>/etc/default/lemonldap-ng-fastcgi-server</file>
|
<file>/etc/default/lemonldap-ng-fastcgi-server</file>
|
||||||
<file mode="750">/sbin/interne_well_known.pl</file>
|
<file mode="750">/sbin/interne_well_known.pl</file>
|
||||||
|
<file mode="750">/sbin/wget.pl</file>
|
||||||
<file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
|
<file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
|
||||||
|
<file>/tests/lemonldap.yml</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
%echo "#!/usr/bin/env perl"
|
%echo "#!/usr/bin/env perl"
|
||||||
|
# retrieve and modify (if no argument) well-known file
|
||||||
|
|
||||||
use HTTP::Tiny;
|
use HTTP::Tiny;
|
||||||
use JSON qw(from_json to_json);
|
use JSON qw(from_json to_json);
|
||||||
|
@ -10,7 +11,11 @@ my $response = HTTP::Tiny->new->get('http://localhost/.well-known/openid-configu
|
||||||
die "Failed!\n" unless $response->{success};
|
die "Failed!\n" unless $response->{success};
|
||||||
|
|
||||||
my $json = from_json($response->{content});
|
my $json = from_json($response->{content});
|
||||||
|
%echo "$num_args = $#ARGV + 1;"
|
||||||
|
|
||||||
|
if ($num_args == 0) {
|
||||||
$json->{token_endpoint} = $baseUrl . 'oauth2/token';
|
$json->{token_endpoint} = $baseUrl . 'oauth2/token';
|
||||||
$json->{userinfo_endpoint} = $baseUrl . 'oauth2/userinfo';
|
$json->{userinfo_endpoint} = $baseUrl . 'oauth2/userinfo';
|
||||||
$json->{jwks_uri} = $baseUrl . 'oauth2/jwks';
|
$json->{jwks_uri} = $baseUrl . 'oauth2/jwks';
|
||||||
|
}
|
||||||
printf to_json($json) . "\n";
|
printf to_json($json) . "\n";
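Review bot: The new `$num_args` is assigned without `my`, and the file header shown in the first hunk has no `use strict; use warnings;`, so a mistyped name in the later `if ($num_args == 0)` would silently compare an undefined global. Writing `my $num_args = scalar @ARGV;` declares it lexically and drops the `$#ARGV` expression, which is presumably what forced the `%echo` escape in the template — worth confirming against the template engine. The branch also never inspects the argument value: the unit file passes `no`, but any argument (including `yes`) skips the rewrite, so a comment such as `# any argument: keep the endpoints as served (external copy); no argument: rewrite them to $baseUrl (internal copy)` above the `if` would make the contract explicit. `$baseUrl` is defined outside the hunk.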
|
||||||
|
|
|
@ -3,4 +3,5 @@ After=nginx.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
|
ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
|
||||||
ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration; do sleep 5; done'
|
ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration/int; do sleep 5; done'
|
||||||
|
ExecStartPost=-/bin/bash -c '/usr/local/lib/sbin/interne_well_known.pl no > /var/www/html/.well-known/openid-configuration/ext'
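Review bot: Both new ExecStartPost lines redirect with `>`, which truncates the target before interne_well_known.pl runs, so a fetch failure (the script's `die "Failed!"`) leaves an empty `int` or `ext` document that nginx will serve with status 200; the `ext` line additionally has no retry and the `-` prefix hides the failure from the unit status. Writing to a temporary name and renaming only on success keeps the previous good copy in place, e.g. `ExecStartPost=-/bin/bash -c 'f=/var/www/html/.well-known/openid-configuration/ext; /usr/local/lib/sbin/interne_well_known.pl no > "$f.tmp" && mv "$f.tmp" "$f"'` and the same pattern inside the `int` loop. The `timeout 10` with `sleep 5` on the `int` line allows only about two attempts, which may be too few if the portal is still starting; that limit is inferred from the visible values.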
|
||||||
|
|
3
seed/lemonldap/templates/lemonldap.yml
Normal file
3
seed/lemonldap/templates/lemonldap.yml
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
address: %%revprox_client_external_domainname
|
||||||
|
internal_address: %%domain_name_eth0
|
||||||
|
ip: %%ip_eth0
|
|
@ -15,24 +15,32 @@ upstream llng_portal_upstream {
|
||||||
server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
|
server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
|
||||||
}
|
}
|
||||||
|
|
||||||
# GNUNUX server {
|
server {
|
||||||
# GNUNUX listen 127.0.0.1:80;
|
listen 127.0.0.1:80;
|
||||||
# GNUNUX server_name localhost;
|
server_name localhost;
|
||||||
# GNUNUX root /usr/share/lemonldap-ng/portal/htdocs/;
|
root /usr/share/lemonldap-ng/portal/htdocs/;
|
||||||
# GNUNUX if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
|
if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
|
||||||
# GNUNUX rewrite ^/(.*)$ /index.psgi/$1 break;
|
rewrite ^/(.*)$ /index.psgi/$1 break;
|
||||||
# GNUNUX }
|
}
|
||||||
# GNUNUX location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
|
location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
|
||||||
# GNUNUX include /etc/nginx/fastcgi_params;
|
include /etc/nginx/fastcgi_params;
|
||||||
# GNUNUX fastcgi_pass llng_portal_upstream;
|
fastcgi_pass llng_portal_upstream;
|
||||||
# GNUNUX fastcgi_param REQUEST_URI /.well-known/openid-configuration;
|
fastcgi_param REQUEST_URI /.well-known/openid-configuration;
|
||||||
# GNUNUX fastcgi_param HTTP_HOST %%domain_name_eth0;
|
fastcgi_param HTTP_HOST %%domain_name_eth0;
|
||||||
# GNUNUX fastcgi_param LLTYPE psgi;
|
fastcgi_param LLTYPE psgi;
|
||||||
# GNUNUX fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
# GNUNUX fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
|
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
|
||||||
# GNUNUX fastcgi_param PATH_INFO $fastcgi_path_info;
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||||
# GNUNUX }
|
}
|
||||||
# GNUNUX }
|
}
|
||||||
|
|
||||||
|
#>GNUNUX
|
||||||
|
geo $zone_name {
|
||||||
|
default ext;
|
||||||
|
%%gateway_eth0 ext;
|
||||||
|
%%network_eth0 int;
|
||||||
|
}
|
||||||
|
#<GNUNUX
|
||||||
|
|
||||||
server {
|
server {
|
||||||
# GNUNUX listen 80;
|
# GNUNUX listen 80;
|
||||||
|
@ -163,6 +171,7 @@ server {
|
||||||
}
|
}
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
# rewrite well-known
|
# rewrite well-known
|
||||||
|
rewrite ^/.well-known/openid-configuration /.well-known/openid-configuration/$zone_name break;
|
||||||
location /.well-known/openid-configuration {
|
location /.well-known/openid-configuration {
|
||||||
root /var/www/html;
|
root /var/www/html;
|
||||||
}
|
}
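Review bot: The `geo $zone_name` block in the first hunk classifies by the connection's source address, so the `int`/`ext` split only holds if external clients reach this server directly; if they arrive through a reverse proxy whose address falls inside `%%network_eth0`, every request is classed `int` and the internal-address variant is served externally. Only `%%gateway_eth0` is explicitly forced to `ext`, which suggests NAT'd traffic was considered but not an in-network proxy; if one is in the path, add `proxy <proxy-address>;` (and `proxy_recursive;` when chained) to the geo block so X-Forwarded-For is honoured, with a comment such as `# zone is decided on the peer address; list any trusted reverse proxy with 'proxy' or all its clients become int`. In the second hunk the `rewrite` is an unanchored prefix match, which incidentally turns a direct request for `/.well-known/openid-configuration/int` into a non-existent path, so the internal copy is not reachable from the `ext` zone — a comment stating that this is relied upon would keep a later "fix" from anchoring it. The enclosing `server` block of the second hunk starts and ends outside the hunk.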
|
||||||
|
|
|
@ -9,4 +9,4 @@ d /srv/lemonldap-ng/psessions/lock 750 www-data www-data - -
|
||||||
d /srv/lemonldap-ng/sessions 750 www-data www-data - -
|
d /srv/lemonldap-ng/sessions 750 www-data www-data - -
|
||||||
d /srv/lemonldap-ng/sessions/lock 750 www-data www-data - -
|
d /srv/lemonldap-ng/sessions/lock 750 www-data www-data - -
|
||||||
d /srv/lemonldap-ng/cache 750 www-data www-data - -
|
d /srv/lemonldap-ng/cache 750 www-data www-data - -
|
||||||
d /var/www/html/.well-known 755 root root - -
|
d /var/www/html/.well-known/openid-configuration 755 root root - -
|
||||||
|
|
10
seed/lemonldap/templates/wget.pl
Normal file
10
seed/lemonldap/templates/wget.pl
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
%echo "#!/usr/bin/env perl"
|
||||||
|
|
||||||
|
use HTTP::Tiny;
|
||||||
|
use JSON qw(from_json to_json);
|
||||||
|
|
||||||
|
my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration');
|
||||||
|
|
||||||
|
die "Failed!\n" unless $response->{success};
|
||||||
|
|
||||||
|
printf $response->{content} . "\n";
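Review bot: The last line uses the response body as a `printf` format string, so any `%` sequence in the JSON (percent-encoded URLs, for instance) is interpreted as a conversion and the output is corrupted or the script warns; use `print $response->{content} . "\n";` (the same `printf to_json($json) . "\n"` pattern ends interne_well_known.pl). The file has no `use strict; use warnings;`, and `from_json`/`to_json` are imported but never used. Depending on the installed HTTP::Tiny version the HTTPS fetch may not verify the server certificate by default; passing `verify_SSL => 1` to `HTTP::Tiny->new` makes that explicit, though the Python test fetches the external URL with `verify=False`, which suggests a self-signed certificate may be in use — confirm before enabling.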
|
54
seed/lemonldap/tests/test_lemonldap.py
Normal file
54
seed/lemonldap/tests/test_lemonldap.py
Normal file
|
@ -0,0 +1,54 @@
|
||||||
|
from yaml import load, SafeLoader
|
||||||
|
from os import environ
|
||||||
|
import warnings
|
||||||
|
import socket
|
||||||
|
from json import loads
|
||||||
|
from requests import get
|
||||||
|
|
||||||
|
from execute import run
|
||||||
|
|
||||||
|
|
||||||
|
def req(url, ip, verify=True):
|
||||||
|
# Monkey patch to force IPv4 resolution
|
||||||
|
old_getaddrinfo = socket.getaddrinfo
|
||||||
|
def new_getaddrinfo(*args, **kwargs):
|
||||||
|
ret = old_getaddrinfo(*args, **kwargs)
|
||||||
|
dns = list(ret[0])
|
||||||
|
dns[-1] = (ip, dns[-1][1])
|
||||||
|
return [dns]
|
||||||
|
socket.getaddrinfo = new_getaddrinfo
|
||||||
|
ret = get(url, verify=verify)
|
||||||
|
ret_code = ret.status_code
|
||||||
|
content = ret.content
|
||||||
|
socket.getaddrinfo = old_getaddrinfo
|
||||||
|
return ret_code, content.decode()
|
||||||
|
|
||||||
|
|
||||||
|
def test_well_known_outside():
|
||||||
|
conf_file = f'{environ["MACHINE_TEST_DIR"]}/lemonldap.yml'
|
||||||
|
with open(conf_file) as yaml:
|
||||||
|
data = load(yaml, Loader=SafeLoader)
|
||||||
|
url = f'https://{data["address"]}/.well-known/openid-configuration'
|
||||||
|
with warnings.catch_warnings():
|
||||||
|
warnings.simplefilter("ignore")
|
||||||
|
ret_code, content = req(url, data['ip'], verify=False)
|
||||||
|
assert ret_code == 200
|
||||||
|
json = loads(content)
|
||||||
|
|
||||||
|
assert data['internal_address'] not in json['token_endpoint']
|
||||||
|
assert data['internal_address'] not in json['userinfo_endpoint']
|
||||||
|
assert data['internal_address'] not in json['jwks_uri']
|
||||||
|
|
||||||
|
|
||||||
|
def test_well_known_inside():
|
||||||
|
conf_file = f'{environ["MACHINE_TEST_DIR"]}/lemonldap.yml'
|
||||||
|
with open(conf_file) as yaml:
|
||||||
|
data = load(yaml, Loader=SafeLoader)
|
||||||
|
result = run(data['internal_address'],
|
||||||
|
['/usr/local/lib/sbin/wget.pl'],
|
||||||
|
)
|
||||||
|
json = loads(list(result)[-2])
|
||||||
|
|
||||||
|
assert data['internal_address'] in json['token_endpoint']
|
||||||
|
assert data['internal_address'] in json['userinfo_endpoint']
|
||||||
|
assert data['internal_address'] in json['jwks_uri']
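Review bot: `req` replaces `socket.getaddrinfo` process-wide and restores it only on the success path, so if `get(url, ...)` raises (connection refused, timeout) the monkey patch stays in place for every later test in the process. Wrapping the call in `try`/`finally` restores it unconditionally; the rewritten tail of `req` is below. The patched resolver also returns `ip` for every hostname and assumes `ret[0]` exists, which is fine for this fixture but worth a comment like `# every lookup resolves to ip; only valid while req() is running`. In `test_well_known_inside`, `list(result)[-2]` depends on `run` returning the JSON on the penultimate line, which cannot be checked from here.
```python
def req(url, ip, verify=True):
    # … unchanged: new_getaddrinfo definition …
    socket.getaddrinfo = new_getaddrinfo
    try:
        ret = get(url, verify=verify)
    finally:
        # always undo the process-wide patch, even when the request fails
        socket.getaddrinfo = old_getaddrinfo
    return ret.status_code, ret.content.decode()
```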
|
|
@ -34,3 +34,23 @@ php /usr/share/nextcloud/occ ldap:check-user gnunux@gnunux.info
|
||||||
|
|
||||||
su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ app:disable oidc_login"
|
su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ app:disable oidc_login"
|
||||||
Password : password/nextcloud.in.gnunux.info/nextcloud/admin_password
|
Password : password/nextcloud.in.gnunux.info/nextcloud/admin_password
|
||||||
|
|
||||||
|
## The provider authorization_endpoint could not be fetched. Make sure your provider has a well known configuration available.
|
||||||
|
|
||||||
|
Vérification :
|
||||||
|
|
||||||
|
```
|
||||||
|
su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:list"|grep know
|
||||||
|
```
|
||||||
|
|
||||||
|
Suppression de cache nextcloud :
|
||||||
|
|
||||||
|
```
|
||||||
|
su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:app:set --value 0 oidc_login last_updated_well_known"
|
||||||
|
```
|
||||||
|
|
||||||
|
Sur lemonldap, le script de création du fichier .well-known :
|
||||||
|
|
||||||
|
```
|
||||||
|
/usr/local/lib/sbin/interne_well_known.pl
|
||||||
|
```
|
||||||
|
|