From f8e08f1c514a6abc3fea5eca2888491992b381bf Mon Sep 17 00:00:00 2001 From: Vladimir D Date: Fri, 27 Oct 2023 12:36:22 +0400 Subject: [PATCH] OIDC auth implemented, tests amended --- CloudronManifest.json | 6 ++-- Dockerfile | 7 ++++- POSTINSTALL.md | 11 ++++++- apache/freshrss.conf | 38 +++++++++++++++++++++++ start.sh | 20 ++++++++++-- test/test.js | 72 +++++++++++++++++++++++++++++++++---------- 6 files changed, 132 insertions(+), 22 deletions(-) diff --git a/CloudronManifest.json b/CloudronManifest.json index 4784019..899971c 100644 --- a/CloudronManifest.json +++ b/CloudronManifest.json @@ -12,6 +12,7 @@ "addons": { "localstorage": {}, "mysql": {}, + "oidc": { "loginRedirectUri": "/i/oidc/" }, "scheduler": { "update_feeds": { "schedule": "*/1 * * * *", @@ -28,7 +29,8 @@ "https://screenshots.cloudron.io/org.freshrss.cloudronapp/1.png" ], "postInstallMessage": "file://POSTINSTALL.md", - "minBoxVersion": "7.1.0", + "minBoxVersion": "7.5.1", "forumUrl": "https://forum.cloudron.io/category/27/freshrss", - "documentationUrl": "https://cloudron.io/documentation/apps/freshrss/" + "documentationUrl": "https://cloudron.io/documentation/apps/freshrss/", + "optionalSso": true } diff --git a/Dockerfile b/Dockerfile index bafcb35..eb8e132 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,10 @@ FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768ba473078319a47f4 + +RUN apt-get update && \ + apt-get install --no-install-recommends -y \ + libapache2-mod-auth-openidc + RUN mkdir -p /app/code WORKDIR /app/code @@ -21,7 +26,7 @@ RUN a2disconf other-vhosts-access-log ADD apache/freshrss.conf /etc/apache2/sites-enabled/freshrss.conf RUN echo "Listen 8000" > /etc/apache2/ports.conf -RUN a2enmod headers expires deflate mime dir rewrite setenvif +RUN a2enmod headers expires deflate mime dir rewrite setenvif auth_openidc RUN rm -rf /var/lib/php && ln -s /run/php /var/lib/php diff --git a/POSTINSTALL.md b/POSTINSTALL.md index 973c8ee..afb4afb 100644 
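Review bot: The new `RUN apt-get update && apt-get install --no-install-recommends -y libapache2-mod-auth-openidc` layer leaves the apt package index in the image; end the same RUN with `&& rm -rf /var/lib/apt/lists/*` so the lists are not baked into the layer and cannot be reused stale by a later `apt-get install`. The package is also unpinned, so which mod_auth_openidc build ends up in the image depends on when the layer is built, while the FROM line above is pinned by digest; if the image is meant to be reproducible, pin the package version the same way. Both are one-line changes in the first Dockerfile hunk.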
--- a/POSTINSTALL.md +++ b/POSTINSTALL.md @@ -1,7 +1,16 @@ + +On first visit, sign in using the built-in Cloudron authentication and then make the user administrator +by running: +``` +php cli/reconfigure.php --default_user YOUR_USERNAME +``` + + + This app is pre-setup with an admin account. The initial credentials are: **Username**: admin
**Password**: changeme
Please change the admin password immediately. - +
diff --git a/apache/freshrss.conf b/apache/freshrss.conf index 67c7f31..ab36626 100644 --- a/apache/freshrss.conf +++ b/apache/freshrss.conf @@ -1,3 +1,4 @@ + ServerName %{HTTP_HOST} @@ -13,4 +14,41 @@ ServerName %{HTTP_HOST} AllowOverride All Require all granted + + + Include /app/code/p/api/.htaccess + + + + ExpiresActive Off + + + AuthType openid-connect + Require valid-user + + IncludeOptional /app/code/p/i/.htaccess + + + + Include /app/code/p/themes/.htaccess + + + + + OIDCProviderMetadataURL ${CLOUDRON_OIDC_DISCOVERY_URL} + OIDCClientID ${CLOUDRON_OIDC_CLIENT_ID} + OIDCClientSecret ${CLOUDRON_OIDC_CLIENT_SECRET} + + OIDCRedirectURI /i/oidc/ + + OIDCCryptoPassphrase ${OIDC_CRYPTO_PASSPHRASE} + + OIDCRemoteUserClaim sub + + OIDCScope "openid profile email" + + OIDCRefreshAccessTokenBeforeExpiry 30 + OIDCPassClaimsAs headers + OIDCXForwardedHeaders X-Forwarded-Proto + diff --git a/start.sh b/start.sh index 71edaee..5a64bc1 100755 --- a/start.sh +++ b/start.sh @@ -13,11 +13,21 @@ if ! [ -f /app/data/.installed ]; then --db-user "${CLOUDRON_MYSQL_USERNAME}" --db-password "${CLOUDRON_MYSQL_PASSWORD}" \ --db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \ --disable_update - php cli/create-user.php --user admin --password changeme --language en + + if [ -z "${CLOUDRON_OIDC_ISSUER:-}" ]; then + php cli/create-user.php --user admin --password changeme --language en + fi + touch /app/data/.installed echo "==> Done." fi +echo "==> Get OAUTH Crypto Passphrase" +if [[ ! -f /app/data/.oauth_crypto_passphrase ]]; then + openssl rand -base64 42 > /app/data/.oauth_crypto_passphrase +fi +export OIDC_CRYPTO_PASSPHRASE=$( /app/data/php.ini fi 
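Review bot: With `php cli/reconfigure.php --auth_type http_auth` FreshRSS trusts the identity the web server reports, and this hunk sets `OIDCRemoteUserClaim sub` but applies `AuthType openid-connect` / `Require valid-user` only in the block that also includes `/app/code/p/i/.htaccess` (the blocks' opening tags are lost in this rendering, so the scoping is inferred); the `api` and `themes` blocks only include their `.htaccess`. Confirm that every request path that reaches FreshRSS's login/auth code is under the OIDC-protected location, and that the http_auth lookup in the packaged FreshRSS release does not fall back to client-controlled request headers — if it does, a request to an unprotected path could present its own identity. As cheap belt-and-braces, `RequestHeader unset Remote-User` and `RequestHeader unset X-WebAuth-User` at VirtualHost level (`headers` is already enabled) guarantees only mod_auth_openidc can populate the identity headers. The claim choice also deserves a comment next to `OIDCRemoteUserClaim sub`, e.g. `# assumes Cloudron issues the username as the sub claim; FreshRSS uses REMOTE_USER as the account name (cf. POSTINSTALL --default_user)`, since an opaque subject identifier would silently create accounts nobody can map back to a user.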
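Review bot: `openssl rand -base64 42 > /app/data/.oauth_crypto_passphrase` creates the mod_auth_openidc cookie/state encryption key with the script's default umask (0644 under the usual 022), and the later `chown -R www-data` only changes ownership, so the key stays readable by every account in the container; generate it as `(umask 077; openssl rand -base64 42 > /app/data/.oauth_crypto_passphrase)` or follow it with `chmod 600 /app/data/.oauth_crypto_passphrase`. The same hunk rightly skips `create-user.php` when `CLOUDRON_OIDC_ISSUER` is set, but nothing records that choice beyond `.installed`; a comment such as `# SSO install: no local admin, identity comes from mod_auth_openidc (apache/freshrss.conf)` would save the next person debugging an SSO toggle some time. The tail of this hunk (the `php.ini` block) is garbled in this rendering and was not reviewed.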
@@ -41,10 +51,16 @@ php cli/reconfigure.php --default_user admin --base_url "https://${CLOUDRON_APP_ --db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \ --disable_update +if [[ -z "${CLOUDRON_OIDC_ISSUER:-}" ]]; then + php cli/reconfigure.php --default_user admin +else + php cli/reconfigure.php --auth_type "http_auth" +fi + echo "==> Setting permissions" chown -R www-data.www-data /run/php /app/data /tmp/log_api.txt echo "==> Starting apache" APACHE_CONFDIR="" source /etc/apache2/envvars rm -f "${APACHE_PID_FILE}" -exec /usr/sbin/apache2 -DFOREGROUND +exec /usr/sbin/apache2 -D FOREGROUND $([ -n "$CLOUDRON_OIDC_ISSUER" ] && echo '-D OIDC_ENABLED') diff --git a/test/test.js b/test/test.js index 048ead1..45a8782 100644 --- a/test/test.js +++ b/test/test.js @@ -18,7 +18,12 @@ const execSync = require('child_process').execSync, { Builder, By, Key, until } = require('selenium-webdriver'), { Options } = require('selenium-webdriver/chrome'); -const username = 'admin', password = 'changeme'; +const admin_username = 'admin', admin_password = 'changeme'; + +if (!process.env.USERNAME || !process.env.PASSWORD) { + console.log('USERNAME and PASSWORD env vars need to be set'); + process.exit(1); +} describe('Application life cycle test', function () { this.timeout(0); @@ -27,7 +32,11 @@ describe('Application life cycle test', function () { const TEST_TIMEOUT = 10000; const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' }; + const USERNAME = process.env.USERNAME; + const PASSWORD = process.env.PASSWORD; + let browser, app; + let athenticated_by_oidc = false; before(function () { const options = new Options().windowSize({ width: 1280, height: 1024 }); 
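Review bot: The non-SSO branch runs `php cli/reconfigure.php --default_user admin` without touching `auth_type`, so an instance installed with SSO and later switched to password login (the manifest now declares `optionalSso`) keeps `auth_type http_auth` while Apache no longer sets REMOTE_USER; make the branch explicit with `php cli/reconfigure.php --default_user admin --auth_type form`. In the last line `"$CLOUDRON_OIDC_ISSUER"` is expanded without the `:-` default that the two checks above use; if the script runs under `set -u` (the earlier `${CLOUDRON_OIDC_ISSUER:-}` suggests it does) that substitution errors on every non-SSO start and only works because the subshell's failure is swallowed, so use `${CLOUDRON_OIDC_ISSUER:-}` there as well. Also note that after such a toggle no `admin` account exists unless it predates SSO, because the `create-user.php` call is guarded by `.installed`; that deserves at least a comment here or in POSTINSTALL.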
@@ -56,7 +65,7 @@ describe('Application life cycle test', function () { await browser.wait(until.elementIsVisible(browser.findElement(elem)), TEST_TIMEOUT); } - async function login(password) { + async function login(username, password) { await browser.get('https://' + app.fqdn); await waitForElement(By.id('loginButton')); await browser.findElement(By.id('username')).sendKeys(username); @@ -65,6 +74,25 @@ describe('Application life cycle test', function () { await waitForElement(By.id('btn-subscription')); } + async function loginOIDC(username, password) { + browser.manage().deleteAllCookies(); + await browser.get(`https://${app.fqdn}/i/`); + await browser.sleep(6000); + + if (!athenticated_by_oidc) { + await waitForElement(By.xpath('//input[@name="username"]')); + await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username); + await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password); + await browser.sleep(2000); + await browser.findElement(By.xpath('//button[@type="submit" and contains(text(), "Sign in")]')).click(); + await browser.sleep(2000); + + athenticated_by_oidc = true; + } + + await waitForElement(By.id('btn-subscription')); + } + async function logout() { var logout_btn = By.xpath('//li/a[@class="signout"]'); 
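Review bot: `athenticated_by_oidc` (misspelled) is a module-level flag that assumes the identity provider's session survives every later `loginOIDC` call; once set, any run that lands on the provider's login form again (expired IdP session, cookies cleared on the provider host, a re-run after a failure) times out in `waitForElement(By.id('btn-subscription'))` instead of logging in. Decide from the page rather than the flag: `const needsLogin = (await browser.findElements(By.xpath('//input[@name="username"]'))).length > 0;` followed by `if (needsLogin) { ... }`, and drop the flag and its assignment. The fixed `sleep(6000)` / `sleep(2000)` pauses are the only synchronisation of the redirect chain; `browser.wait(until.urlContains(...))` or waiting for either the form or the subscription button is faster and less flaky. `loginOIDC` is complete within this hunk; `logout`'s body continues past it.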
@@ -87,12 +115,10 @@ describe('Application life cycle test', function () { await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]')); } - async function addUser(password) { - var test_username = 'test'; - + async function addUser(username, password) { await browser.get(`${baseUrl()}/i/?c=user&a=manage`); await waitForElement(By.id('new_user_name')); - await browser.findElement(By.id('new_user_name')).sendKeys(test_username); + await browser.findElement(By.id('new_user_name')).sendKeys(username); await browser.findElement(By.id('new_user_passwordPlain')).sendKeys(password); await browser.findElement(By.xpath('//button[text()="Create"]')).click(); await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]')); 
@@ -128,18 +154,33 @@ describe('Application life cycle test', function () { } xit('build app', function () { execSync('cloudron build', EXEC_ARGS); }); - it('install app', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); }); + // No SSO + it('install app', function () { execSync('cloudron install --no-sso --location ' + LOCATION, EXEC_ARGS); }); it('can get app information', getAppInfo); - it('can login', login.bind(null, password)); + it('can login', login.bind(null, admin_username, admin_password)); it('can subscribe', addSubscription); - it('can add users', addUser.bind(null, password)); + it('can add users', addUser.bind(null, 'test', admin_password)); it('can enable API', enableApi); it('can check configuration', checkApiConfiguration); it('subscription exists', subscriptionExists); it('can get static extension file', getStaticExtensionFile); it('can logout', logout); + it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); }); + + // SSO + it('install app', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); }); + + it('can get app information', getAppInfo); + + it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD)); + it('can make user Administrator', function () { execSync(`cloudron exec --app ${app.id} -- bash -c "php cli/reconfigure.php --default_user ${USERNAME}"`); }); + it('can subscribe', addSubscription); + it('can enable API', enableApi); + it('can check configuration', checkApiConfiguration); + it('subscription exists', subscriptionExists); + it('can get static extension file', getStaticExtensionFile); it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); }); 
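Review bot: The new `execSync(\`cloudron exec --app ${app.id} -- bash -c "php cli/reconfigure.php --default_user ${USERNAME}"\`)` splices an environment-supplied `USERNAME` into a command string that is shell-parsed twice, and it is the only `execSync` in the file that omits `EXEC_ARGS`, so it runs with a different cwd and without inherited stdio. Use an argument array instead: `execFileSync('cloudron', ['exec', '--app', app.id, '--', 'php', 'cli/reconfigure.php', '--default_user', USERNAME], EXEC_ARGS);`, adding `execFileSync` to the existing `require('child_process')` declaration; that removes the quoting problem and keeps the call consistent with the rest of the suite. The second `it('install app', ...)` / `it('can get app information', ...)` pair reuses the names of the no-SSO steps, which makes a failing run ambiguous in mocha's output; suffix them with `(sso)` and `(no sso)`.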
@@ -151,11 +192,10 @@ describe('Application life cycle test', function () { execSync(`cloudron restore --backup ${backups[0].id} --app ${app.id}`, EXEC_ARGS); }); - it('can login', login.bind(null, password)); + it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD)); it('can check configuration', checkApiConfiguration); it('subscription exists', subscriptionExists); it('can get static extension file', getStaticExtensionFile); - it('can logout', logout); it('move to different location', function () { browser.manage().deleteAllCookies(); @@ -165,11 +205,10 @@ describe('Application life cycle test', function () { expect(app).to.be.an('object'); }); - it('can login', login.bind(null, password)); + it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD)); it('can check configuration', checkApiConfiguration); it('subscription exists', subscriptionExists); it('can get static extension file', getStaticExtensionFile); - it('can logout', logout); it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); }); @@ -177,9 +216,10 @@ describe('Application life cycle test', function () { it('can install app', function () { execSync('cloudron install --appstore-id org.freshrss.cloudronapp --location ' + LOCATION, EXEC_ARGS); }); it('can get app information', getAppInfo); - it('can login', login.bind(null, password)); + // it can be changed to loginOIDC in the nextrelease + it('can login', login.bind(null, admin_username, admin_password)); it('can subscribe', addSubscription); - it('can add users', addUser.bind(null, password)); + it('can add users', addUser.bind(null, 'test', admin_password)); it('can update', function () { execSync('cloudron update --app ' + app.id, EXEC_ARGS); 
@@ -188,7 +228,7 @@ describe('Application life cycle test', function () { expect(app).to.be.an('object'); }); - it('can login', login.bind(null, password)); + it('can login', login.bind(null, admin_username, admin_password)); it('subscription exists', subscriptionExists); it('can get static extension file', getStaticExtensionFile);