OIDC auth implemented, tests amended

CloudronManifest.json

@@ -12,6 +12,7 @@
   "addons": {
     "localstorage": {},
     "mysql": {},
+    "oidc": { "loginRedirectUri": "/i/oidc/" },
     "scheduler": {
       "update_feeds": {
         "schedule": "*/1 * * * *",
@@ -28,7 +29,8 @@
     "https://screenshots.cloudron.io/org.freshrss.cloudronapp/1.png"
   ],
   "postInstallMessage": "file://POSTINSTALL.md",
-  "minBoxVersion": "7.1.0",
+  "minBoxVersion": "7.5.1",
   "forumUrl": "https://forum.cloudron.io/category/27/freshrss",
-  "documentationUrl": "https://cloudron.io/documentation/apps/freshrss/"
+  "documentationUrl": "https://cloudron.io/documentation/apps/freshrss/",
+  "optionalSso": true
 }

Dockerfile

@@ -1,5 +1,10 @@
 FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768ba473078319a47f4
 
+
+RUN apt-get update && \
+    apt-get install --no-install-recommends -y \
+    libapache2-mod-auth-openidc
+
 RUN mkdir -p /app/code
 WORKDIR /app/code
 
@@ -21,7 +26,7 @@ RUN a2disconf other-vhosts-access-log
 ADD apache/freshrss.conf /etc/apache2/sites-enabled/freshrss.conf
 RUN echo "Listen 8000" > /etc/apache2/ports.conf
 
-RUN a2enmod headers expires deflate mime dir rewrite setenvif
+RUN a2enmod headers expires deflate mime dir rewrite setenvif auth_openidc
 
 RUN rm -rf /var/lib/php && ln -s /run/php /var/lib/php
 

POSTINSTALL.md

@@ -1,7 +1,16 @@
+<sso>
+On first visit, sign in using the built-in Cloudron authentication and then make the user administrator
+by running:
+```
+php cli/reconfigure.php --default_user YOUR_USERNAME
+```
+</sso>
+
+<nosso>
 This app is pre-setup with an admin account. The initial credentials are:
   
 **Username**: admin<br/>
 **Password**: changeme<br/>
 
 Please change the admin password immediately.
-
+</nosso>

apache/freshrss.conf

@@ -1,3 +1,4 @@
+
 ServerName %{HTTP_HOST}
 
 <VirtualHost *:8000>
@@ -13,4 +14,41 @@ ServerName %{HTTP_HOST}
         AllowOverride All
         Require all granted
     </Directory>
+
+	<Directory /app/code/p/api>
+		Include /app/code/p/api/.htaccess
+	</Directory>
+
+	<Directory /app/code/p/i>
+		ExpiresActive Off
+
+		<IfDefine OIDC_ENABLED>
+			AuthType openid-connect
+			Require valid-user
+		</IfDefine>
+		IncludeOptional /app/code/p/i/.htaccess
+	</Directory>
+
+	<Directory /app/code/p/themes>
+		Include /app/code/p/themes/.htaccess
+	</Directory>
+
+
+	<IfDefine OIDC_ENABLED>
+		OIDCProviderMetadataURL ${CLOUDRON_OIDC_DISCOVERY_URL}
+		OIDCClientID ${CLOUDRON_OIDC_CLIENT_ID}
+		OIDCClientSecret ${CLOUDRON_OIDC_CLIENT_SECRET}
+
+		OIDCRedirectURI /i/oidc/
+
+		OIDCCryptoPassphrase ${OIDC_CRYPTO_PASSPHRASE}
+
+		OIDCRemoteUserClaim sub
+
+		OIDCScope "openid profile email"
+
+		OIDCRefreshAccessTokenBeforeExpiry 30
+		OIDCPassClaimsAs headers
+		OIDCXForwardedHeaders X-Forwarded-Proto
+    </IfDefine>
 </VirtualHost>

start.sh

@@ -13,11 +13,21 @@ if ! [ -f /app/data/.installed ]; then
       --db-user "${CLOUDRON_MYSQL_USERNAME}" --db-password "${CLOUDRON_MYSQL_PASSWORD}" \
       --db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \
       --disable_update
-    php cli/create-user.php --user admin --password changeme --language en
+
+    if [ -z "${CLOUDRON_OIDC_ISSUER:-}" ]; then
+        php cli/create-user.php --user admin --password changeme --language en
+    fi
+
     touch /app/data/.installed
     echo "==> Done."
 fi
 
+echo "==> Get OAUTH Crypto Passphrase"
+if [[ ! -f /app/data/.oauth_crypto_passphrase ]]; then
+    openssl rand -base64 42 > /app/data/.oauth_crypto_passphrase
+fi
+export OIDC_CRYPTO_PASSPHRASE=$(</app/data/.oauth_crypto_passphrase)
+
 if [[ ! -f /app/data/php.ini ]]; then
     echo -e "; Add custom PHP configuration in this file\n; Settings here are merged with the package's built-in php.ini\n\n" > /app/data/php.ini
 fi
@@ -41,10 +51,16 @@ php cli/reconfigure.php --default_user admin --base_url "https://${CLOUDRON_APP_
     --db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \
     --disable_update
 
+if [[ -z "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+    php cli/reconfigure.php --default_user admin
+else
+    php cli/reconfigure.php --auth_type "http_auth"
+fi
+
 echo "==> Setting permissions"
 chown -R www-data.www-data /run/php /app/data /tmp/log_api.txt
 
 echo "==> Starting apache"
 APACHE_CONFDIR="" source /etc/apache2/envvars
 rm -f "${APACHE_PID_FILE}"
-exec /usr/sbin/apache2 -DFOREGROUND
+exec /usr/sbin/apache2 -D FOREGROUND $([ -n "$CLOUDRON_OIDC_ISSUER" ] && echo '-D OIDC_ENABLED')

test/test.js

@@ -18,7 +18,12 @@ const execSync = require('child_process').execSync,
     { Builder, By, Key, until } = require('selenium-webdriver'),
     { Options } = require('selenium-webdriver/chrome');
 
-const username = 'admin', password = 'changeme';
+const admin_username = 'admin', admin_password = 'changeme';
+
+if (!process.env.USERNAME || !process.env.PASSWORD) {
+    console.log('USERNAME and PASSWORD env vars need to be set');
+    process.exit(1);
+}
 
 describe('Application life cycle test', function () {
     this.timeout(0);
@@ -27,7 +32,11 @@ describe('Application life cycle test', function () {
     const TEST_TIMEOUT = 10000;
     const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
 
+    const USERNAME = process.env.USERNAME;
+    const PASSWORD = process.env.PASSWORD;
+
     let browser, app;
+    let athenticated_by_oidc = false;
 
     before(function () {
         const options = new Options().windowSize({ width: 1280, height: 1024 });
@@ -56,7 +65,7 @@ describe('Application life cycle test', function () {
         await browser.wait(until.elementIsVisible(browser.findElement(elem)), TEST_TIMEOUT);
     }
 
-    async function login(password) {
+    async function login(username, password) {
         await browser.get('https://' + app.fqdn);
         await waitForElement(By.id('loginButton'));
         await browser.findElement(By.id('username')).sendKeys(username);
@@ -65,6 +74,25 @@ describe('Application life cycle test', function () {
         await waitForElement(By.id('btn-subscription'));
     }
 
+    async function loginOIDC(username, password) {
+        browser.manage().deleteAllCookies();
+        await browser.get(`https://${app.fqdn}/i/`);
+        await browser.sleep(6000);
+
+        if (!athenticated_by_oidc) {
+            await waitForElement(By.xpath('//input[@name="username"]'));
+            await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username);
+            await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
+            await browser.sleep(2000);
+            await browser.findElement(By.xpath('//button[@type="submit" and contains(text(), "Sign in")]')).click();
+            await browser.sleep(2000);
+
+            athenticated_by_oidc = true;
+        }
+
+        await waitForElement(By.id('btn-subscription'));
+    }
+
     async function logout() {
         var logout_btn = By.xpath('//li/a[@class="signout"]');
 
@@ -87,12 +115,10 @@ describe('Application life cycle test', function () {
         await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]'));
     }
 
-    async function addUser(password) {
-        var test_username = 'test';
-
+    async function addUser(username, password) {
         await browser.get(`${baseUrl()}/i/?c=user&a=manage`);
         await waitForElement(By.id('new_user_name'));
-        await browser.findElement(By.id('new_user_name')).sendKeys(test_username);
+        await browser.findElement(By.id('new_user_name')).sendKeys(username);
         await browser.findElement(By.id('new_user_passwordPlain')).sendKeys(password);
         await browser.findElement(By.xpath('//button[text()="Create"]')).click();
         await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]'));
@@ -128,18 +154,33 @@ describe('Application life cycle test', function () {
     }
 
     xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
-    it('install app', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); });
+    // No SSO
+    it('install app', function () { execSync('cloudron install --no-sso --location ' + LOCATION, EXEC_ARGS); });
 
     it('can get app information', getAppInfo);
 
-    it('can login', login.bind(null, password));
+    it('can login', login.bind(null, admin_username, admin_password));
     it('can subscribe', addSubscription);
-    it('can add users', addUser.bind(null, password));
+    it('can add users', addUser.bind(null, 'test', admin_password));
     it('can enable API', enableApi);
     it('can check configuration', checkApiConfiguration);
     it('subscription exists', subscriptionExists);
     it('can get static extension file', getStaticExtensionFile);
     it('can logout', logout);
+    it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
+
+    // SSO
+    it('install app', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); });
+
+    it('can get app information', getAppInfo);
+
+    it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
+    it('can make user Administrator', function () { execSync(`cloudron exec --app ${app.id} -- bash -c "php cli/reconfigure.php --default_user ${USERNAME}"`); });
+    it('can subscribe', addSubscription);
+    it('can enable API', enableApi);
+    it('can check configuration', checkApiConfiguration);
+    it('subscription exists', subscriptionExists);
+    it('can get static extension file', getStaticExtensionFile);
 
     it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); });
 
@@ -151,11 +192,10 @@ describe('Application life cycle test', function () {
         execSync(`cloudron restore --backup ${backups[0].id} --app ${app.id}`, EXEC_ARGS);
     });
 
-    it('can login', login.bind(null, password));
+    it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
     it('can check configuration', checkApiConfiguration);
     it('subscription exists', subscriptionExists);
     it('can get static extension file', getStaticExtensionFile);
-    it('can logout', logout);
 
     it('move to different location', function () {
         browser.manage().deleteAllCookies();
@@ -165,11 +205,10 @@ describe('Application life cycle test', function () {
         expect(app).to.be.an('object');
     });
 
-    it('can login', login.bind(null, password));
+    it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
     it('can check configuration', checkApiConfiguration);
     it('subscription exists', subscriptionExists);
     it('can get static extension file', getStaticExtensionFile);
-    it('can logout', logout);
 
     it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
 
@@ -177,9 +216,10 @@ describe('Application life cycle test', function () {
     it('can install app', function () { execSync('cloudron install --appstore-id org.freshrss.cloudronapp --location ' + LOCATION, EXEC_ARGS); });
 
     it('can get app information', getAppInfo);
-    it('can login', login.bind(null, password));
+    // it can be changed to loginOIDC in the nextrelease
+    it('can login', login.bind(null, admin_username, admin_password));
     it('can subscribe', addSubscription);
-    it('can add users', addUser.bind(null, password));
+    it('can add users', addUser.bind(null, 'test', admin_password));
 
     it('can update', function () {
         execSync('cloudron update --app ' + app.id, EXEC_ARGS);
@@ -188,7 +228,7 @@ describe('Application life cycle test', function () {
         expect(app).to.be.an('object');
     });
 
-    it('can login', login.bind(null, password));
+    it('can login', login.bind(null, admin_username, admin_password));
     it('subscription exists', subscriptionExists);
     it('can get static extension file', getStaticExtensionFile);