OIDC auth implemented, tests amended

This commit is contained in:
Vladimir D 2023-10-27 12:36:22 +04:00
parent 8b6fbb5aab
commit f8e08f1c51
6 changed files with 132 additions and 22 deletions


@ -12,6 +12,7 @@
"addons": { "addons": {
"localstorage": {}, "localstorage": {},
"mysql": {}, "mysql": {},
"oidc": { "loginRedirectUri": "/i/oidc/" },
"scheduler": { "scheduler": {
"update_feeds": { "update_feeds": {
"schedule": "*/1 * * * *", "schedule": "*/1 * * * *",
@ -28,7 +29,8 @@
"https://screenshots.cloudron.io/org.freshrss.cloudronapp/1.png" "https://screenshots.cloudron.io/org.freshrss.cloudronapp/1.png"
], ],
"postInstallMessage": "file://POSTINSTALL.md", "postInstallMessage": "file://POSTINSTALL.md",
"minBoxVersion": "7.1.0", "minBoxVersion": "7.5.1",
"forumUrl": "https://forum.cloudron.io/category/27/freshrss", "forumUrl": "https://forum.cloudron.io/category/27/freshrss",
"documentationUrl": "https://cloudron.io/documentation/apps/freshrss/" "documentationUrl": "https://cloudron.io/documentation/apps/freshrss/",
"optionalSso": true
} }


@ -1,5 +1,10 @@
FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768ba473078319a47f4 FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768ba473078319a47f4
RUN apt-get update && \
apt-get install --no-install-recommends -y \
libapache2-mod-auth-openidc
RUN mkdir -p /app/code RUN mkdir -p /app/code
WORKDIR /app/code WORKDIR /app/code
@ -21,7 +26,7 @@ RUN a2disconf other-vhosts-access-log
ADD apache/freshrss.conf /etc/apache2/sites-enabled/freshrss.conf ADD apache/freshrss.conf /etc/apache2/sites-enabled/freshrss.conf
RUN echo "Listen 8000" > /etc/apache2/ports.conf RUN echo "Listen 8000" > /etc/apache2/ports.conf
RUN a2enmod headers expires deflate mime dir rewrite setenvif RUN a2enmod headers expires deflate mime dir rewrite setenvif auth_openidc
RUN rm -rf /var/lib/php && ln -s /run/php /var/lib/php RUN rm -rf /var/lib/php && ln -s /run/php /var/lib/php
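Review bot: The new `RUN apt-get update && apt-get install --no-install-recommends -y libapache2-mod-auth-openidc` layer in the first hunk never removes the package index it downloads, so `/var/lib/apt/lists` is baked into the image; finish the command with `&& rm -rf /var/lib/apt/lists/*`. A one-line comment above it, `# mod_auth_openidc: enforces OIDC login on /i when apache is started with -D OIDC_ENABLED`, would tie the install to the `a2enmod ... auth_openidc` change in the second hunk and to the `<IfDefine OIDC_ENABLED>` blocks in the apache config. The rest of the Dockerfile is outside the visible hunks.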


@ -1,7 +1,16 @@
<sso>
On first visit, sign in using the built-in Cloudron authentication and then make the user administrator
by running:
```
php cli/reconfigure.php --default_user YOUR_USERNAME
```
</sso>
<nosso>
This app is pre-setup with an admin account. The initial credentials are: This app is pre-setup with an admin account. The initial credentials are:
**Username**: admin<br/> **Username**: admin<br/>
**Password**: changeme<br/> **Password**: changeme<br/>
Please change the admin password immediately. Please change the admin password immediately.
</nosso>


@ -1,3 +1,4 @@
ServerName %{HTTP_HOST} ServerName %{HTTP_HOST}
<VirtualHost *:8000> <VirtualHost *:8000>
@ -13,4 +14,41 @@ ServerName %{HTTP_HOST}
AllowOverride All AllowOverride All
Require all granted Require all granted
</Directory> </Directory>
<Directory /app/code/p/api>
Include /app/code/p/api/.htaccess
</Directory>
<Directory /app/code/p/i>
ExpiresActive Off
<IfDefine OIDC_ENABLED>
AuthType openid-connect
Require valid-user
</IfDefine>
IncludeOptional /app/code/p/i/.htaccess
</Directory>
<Directory /app/code/p/themes>
Include /app/code/p/themes/.htaccess
</Directory>
<IfDefine OIDC_ENABLED>
OIDCProviderMetadataURL ${CLOUDRON_OIDC_DISCOVERY_URL}
OIDCClientID ${CLOUDRON_OIDC_CLIENT_ID}
OIDCClientSecret ${CLOUDRON_OIDC_CLIENT_SECRET}
OIDCRedirectURI /i/oidc/
OIDCCryptoPassphrase ${OIDC_CRYPTO_PASSPHRASE}
OIDCRemoteUserClaim sub
OIDCScope "openid profile email"
OIDCRefreshAccessTokenBeforeExpiry 30
OIDCPassClaimsAs headers
OIDCXForwardedHeaders X-Forwarded-Proto
</IfDefine>
</VirtualHost> </VirtualHost>
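Review bot: `OIDCRemoteUserClaim sub` sets REMOTE_USER to the token's subject identifier, while the start script's `http_auth` mode and the test's `reconfigure.php --default_user ${USERNAME}` treat REMOTE_USER as the human login name; the two only line up if the provider's `sub` equals that name, which I cannot confirm from here. If it does not, `OIDCRemoteUserClaim preferred_username` is the standard claim for that purpose, and either way a comment such as `# REMOTE_USER must equal the FreshRSS username: http_auth maps accounts by it` documents the dependency. Only `/app/code/p/i` is placed behind `Require valid-user`, so `/api` stays on FreshRSS's own API credentials; a one-line comment on the `<Directory /app/code/p/api>` block would make that omission read as deliberate. `OIDCXForwardedHeaders X-Forwarded-Proto` trusts whatever the upstream proxy sends, which is presumably fine behind Cloudron's reverse proxy but is worth stating next to the directive.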


@ -13,11 +13,21 @@ if ! [ -f /app/data/.installed ]; then
--db-user "${CLOUDRON_MYSQL_USERNAME}" --db-password "${CLOUDRON_MYSQL_PASSWORD}" \ --db-user "${CLOUDRON_MYSQL_USERNAME}" --db-password "${CLOUDRON_MYSQL_PASSWORD}" \
--db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \ --db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \
--disable_update --disable_update
if [ -z "${CLOUDRON_OIDC_ISSUER:-}" ]; then
php cli/create-user.php --user admin --password changeme --language en php cli/create-user.php --user admin --password changeme --language en
fi
touch /app/data/.installed touch /app/data/.installed
echo "==> Done." echo "==> Done."
fi fi
echo "==> Get OAUTH Crypto Passphrase"
if [[ ! -f /app/data/.oauth_crypto_passphrase ]]; then
openssl rand -base64 42 > /app/data/.oauth_crypto_passphrase
fi
export OIDC_CRYPTO_PASSPHRASE=$(</app/data/.oauth_crypto_passphrase)
if [[ ! -f /app/data/php.ini ]]; then if [[ ! -f /app/data/php.ini ]]; then
echo -e "; Add custom PHP configuration in this file\n; Settings here are merged with the package's built-in php.ini\n\n" > /app/data/php.ini echo -e "; Add custom PHP configuration in this file\n; Settings here are merged with the package's built-in php.ini\n\n" > /app/data/php.ini
fi fi
@ -41,10 +51,16 @@ php cli/reconfigure.php --default_user admin --base_url "https://${CLOUDRON_APP_
--db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \ --db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \
--disable_update --disable_update
if [[ -z "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
php cli/reconfigure.php --default_user admin
else
php cli/reconfigure.php --auth_type "http_auth"
fi
echo "==> Setting permissions" echo "==> Setting permissions"
chown -R www-data.www-data /run/php /app/data /tmp/log_api.txt chown -R www-data.www-data /run/php /app/data /tmp/log_api.txt
echo "==> Starting apache" echo "==> Starting apache"
APACHE_CONFDIR="" source /etc/apache2/envvars APACHE_CONFDIR="" source /etc/apache2/envvars
rm -f "${APACHE_PID_FILE}" rm -f "${APACHE_PID_FILE}"
exec /usr/sbin/apache2 -DFOREGROUND exec /usr/sbin/apache2 -D FOREGROUND $([ -n "$CLOUDRON_OIDC_ISSUER" ] && echo '-D OIDC_ENABLED')
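Review bot: `exec /usr/sbin/apache2 -D FOREGROUND $([ -n "$CLOUDRON_OIDC_ISSUER" ] && echo '-D OIDC_ENABLED')` on the last line expands `CLOUDRON_OIDC_ISSUER` without the `:-` default that the two new checks above (`[ -z "${CLOUDRON_OIDC_ISSUER:-}" ]` and `[[ -z "${CLOUDRON_OIDC_ISSUER:-}" ]]`) use; if the script runs under `set -u`, as those defaults suggest, a no-SSO install aborts at the exec line with an unbound-variable error. Use `"${CLOUDRON_OIDC_ISSUER:-}"` there too, and consider computing the flag first so the reliance on word-splitting of the command substitution is explicit: `oidc_flag=""; if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then oidc_flag="-D OIDC_ENABLED"; fi` followed by `exec /usr/sbin/apache2 -D FOREGROUND ${oidc_flag}`. The generated `.oauth_crypto_passphrase` is written with the default umask and only later covered by the `chown -R www-data.www-data /run/php /app/data` line; a `chmod 600 /app/data/.oauth_crypto_passphrase` directly after the `openssl rand` keeps the session-encryption secret readable by the app user alone. The `[ ... ]` form on the first new check and `[[ ... ]]` on the second are a small inconsistency worth aligning.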


@ -18,7 +18,12 @@ const execSync = require('child_process').execSync,
{ Builder, By, Key, until } = require('selenium-webdriver'), { Builder, By, Key, until } = require('selenium-webdriver'),
{ Options } = require('selenium-webdriver/chrome'); { Options } = require('selenium-webdriver/chrome');
const username = 'admin', password = 'changeme'; const admin_username = 'admin', admin_password = 'changeme';
if (!process.env.USERNAME || !process.env.PASSWORD) {
console.log('USERNAME and PASSWORD env vars need to be set');
process.exit(1);
}
describe('Application life cycle test', function () { describe('Application life cycle test', function () {
this.timeout(0); this.timeout(0);
@ -27,7 +32,11 @@ describe('Application life cycle test', function () {
const TEST_TIMEOUT = 10000; const TEST_TIMEOUT = 10000;
const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' }; const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
const USERNAME = process.env.USERNAME;
const PASSWORD = process.env.PASSWORD;
let browser, app; let browser, app;
let athenticated_by_oidc = false;
before(function () { before(function () {
const options = new Options().windowSize({ width: 1280, height: 1024 }); const options = new Options().windowSize({ width: 1280, height: 1024 });
@ -56,7 +65,7 @@ describe('Application life cycle test', function () {
await browser.wait(until.elementIsVisible(browser.findElement(elem)), TEST_TIMEOUT); await browser.wait(until.elementIsVisible(browser.findElement(elem)), TEST_TIMEOUT);
} }
async function login(password) { async function login(username, password) {
await browser.get('https://' + app.fqdn); await browser.get('https://' + app.fqdn);
await waitForElement(By.id('loginButton')); await waitForElement(By.id('loginButton'));
await browser.findElement(By.id('username')).sendKeys(username); await browser.findElement(By.id('username')).sendKeys(username);
@ -65,6 +74,25 @@ describe('Application life cycle test', function () {
await waitForElement(By.id('btn-subscription')); await waitForElement(By.id('btn-subscription'));
} }
async function loginOIDC(username, password) {
browser.manage().deleteAllCookies();
await browser.get(`https://${app.fqdn}/i/`);
await browser.sleep(6000);
if (!athenticated_by_oidc) {
await waitForElement(By.xpath('//input[@name="username"]'));
await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username);
await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
await browser.sleep(2000);
await browser.findElement(By.xpath('//button[@type="submit" and contains(text(), "Sign in")]')).click();
await browser.sleep(2000);
athenticated_by_oidc = true;
}
await waitForElement(By.id('btn-subscription'));
}
async function logout() { async function logout() {
var logout_btn = By.xpath('//li/a[@class="signout"]'); var logout_btn = By.xpath('//li/a[@class="signout"]');
@ -87,12 +115,10 @@ describe('Application life cycle test', function () {
await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]')); await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]'));
} }
async function addUser(password) { async function addUser(username, password) {
var test_username = 'test';
await browser.get(`${baseUrl()}/i/?c=user&a=manage`); await browser.get(`${baseUrl()}/i/?c=user&a=manage`);
await waitForElement(By.id('new_user_name')); await waitForElement(By.id('new_user_name'));
await browser.findElement(By.id('new_user_name')).sendKeys(test_username); await browser.findElement(By.id('new_user_name')).sendKeys(username);
await browser.findElement(By.id('new_user_passwordPlain')).sendKeys(password); await browser.findElement(By.id('new_user_passwordPlain')).sendKeys(password);
await browser.findElement(By.xpath('//button[text()="Create"]')).click(); await browser.findElement(By.xpath('//button[text()="Create"]')).click();
await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]')); await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]'));
@ -128,18 +154,33 @@ describe('Application life cycle test', function () {
} }
xit('build app', function () { execSync('cloudron build', EXEC_ARGS); }); xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
it('install app', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); }); // No SSO
it('install app', function () { execSync('cloudron install --no-sso --location ' + LOCATION, EXEC_ARGS); });
it('can get app information', getAppInfo); it('can get app information', getAppInfo);
it('can login', login.bind(null, password)); it('can login', login.bind(null, admin_username, admin_password));
it('can subscribe', addSubscription); it('can subscribe', addSubscription);
it('can add users', addUser.bind(null, password)); it('can add users', addUser.bind(null, 'test', admin_password));
it('can enable API', enableApi); it('can enable API', enableApi);
it('can check configuration', checkApiConfiguration); it('can check configuration', checkApiConfiguration);
it('subscription exists', subscriptionExists); it('subscription exists', subscriptionExists);
it('can get static extension file', getStaticExtensionFile); it('can get static extension file', getStaticExtensionFile);
it('can logout', logout); it('can logout', logout);
it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
// SSO
it('install app', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); });
it('can get app information', getAppInfo);
it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
it('can make user Administrator', function () { execSync(`cloudron exec --app ${app.id} -- bash -c "php cli/reconfigure.php --default_user ${USERNAME}"`); });
it('can subscribe', addSubscription);
it('can enable API', enableApi);
it('can check configuration', checkApiConfiguration);
it('subscription exists', subscriptionExists);
it('can get static extension file', getStaticExtensionFile);
it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); }); it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); });
@ -151,11 +192,10 @@ describe('Application life cycle test', function () {
execSync(`cloudron restore --backup ${backups[0].id} --app ${app.id}`, EXEC_ARGS); execSync(`cloudron restore --backup ${backups[0].id} --app ${app.id}`, EXEC_ARGS);
}); });
it('can login', login.bind(null, password)); it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
it('can check configuration', checkApiConfiguration); it('can check configuration', checkApiConfiguration);
it('subscription exists', subscriptionExists); it('subscription exists', subscriptionExists);
it('can get static extension file', getStaticExtensionFile); it('can get static extension file', getStaticExtensionFile);
it('can logout', logout);
it('move to different location', function () { it('move to different location', function () {
browser.manage().deleteAllCookies(); browser.manage().deleteAllCookies();
@ -165,11 +205,10 @@ describe('Application life cycle test', function () {
expect(app).to.be.an('object'); expect(app).to.be.an('object');
}); });
it('can login', login.bind(null, password)); it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
it('can check configuration', checkApiConfiguration); it('can check configuration', checkApiConfiguration);
it('subscription exists', subscriptionExists); it('subscription exists', subscriptionExists);
it('can get static extension file', getStaticExtensionFile); it('can get static extension file', getStaticExtensionFile);
it('can logout', logout);
it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); }); it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
@ -177,9 +216,10 @@ describe('Application life cycle test', function () {
it('can install app', function () { execSync('cloudron install --appstore-id org.freshrss.cloudronapp --location ' + LOCATION, EXEC_ARGS); }); it('can install app', function () { execSync('cloudron install --appstore-id org.freshrss.cloudronapp --location ' + LOCATION, EXEC_ARGS); });
it('can get app information', getAppInfo); it('can get app information', getAppInfo);
it('can login', login.bind(null, password)); // it can be changed to loginOIDC in the nextrelease
it('can login', login.bind(null, admin_username, admin_password));
it('can subscribe', addSubscription); it('can subscribe', addSubscription);
it('can add users', addUser.bind(null, password)); it('can add users', addUser.bind(null, 'test', admin_password));
it('can update', function () { it('can update', function () {
execSync('cloudron update --app ' + app.id, EXEC_ARGS); execSync('cloudron update --app ' + app.id, EXEC_ARGS);
@ -188,7 +228,7 @@ describe('Application life cycle test', function () {
expect(app).to.be.an('object'); expect(app).to.be.an('object');
}); });
it('can login', login.bind(null, password)); it('can login', login.bind(null, admin_username, admin_password));
it('subscription exists', subscriptionExists); it('subscription exists', subscriptionExists);
it('can get static extension file', getStaticExtensionFile); it('can get static extension file', getStaticExtensionFile);
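Review bot: `browser.manage().deleteAllCookies();` at the top of the new `loginOIDC` is not awaited, so the `browser.get` on the next line can race the cookie deletion; it should be `await browser.manage().deleteAllCookies();`. The new `'can make user Administrator'` step interpolates `USERNAME` from the environment straight into a `bash -c "..."` string and, unlike every other `execSync` call in the file, passes no `EXEC_ARGS`, so its output is swallowed and a username containing a space or shell metacharacter breaks the command; quote it and pass the options, e.g. `execSync(\`cloudron exec --app ${app.id} -- bash -c "php cli/reconfigure.php --default_user '${USERNAME}'"\`, EXEC_ARGS);`. The flag is spelled `athenticated_by_oidc`; renaming it `authenticatedByOidc` and adding `// the IdP session lives on another origin and survives deleteAllCookies, so only the first OIDC login sees the form` would explain why it is never reset — assuming that is the intent, which the hunk does not state. The fixed `browser.sleep(6000)` and `sleep(2000)` waits make the flow timing-dependent; waiting on the username field or on `btn-subscription` with `waitForElement` instead would be sturdier. The enclosing `describe` block starts and ends outside this section.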