OIDC auth implemented, tests amended
This commit is contained in:
parent
8b6fbb5aab
commit
f8e08f1c51
|
@ -12,6 +12,7 @@
|
||||||
"addons": {
|
"addons": {
|
||||||
"localstorage": {},
|
"localstorage": {},
|
||||||
"mysql": {},
|
"mysql": {},
|
||||||
|
"oidc": { "loginRedirectUri": "/i/oidc/" },
|
||||||
"scheduler": {
|
"scheduler": {
|
||||||
"update_feeds": {
|
"update_feeds": {
|
||||||
"schedule": "*/1 * * * *",
|
"schedule": "*/1 * * * *",
|
||||||
|
@ -28,7 +29,8 @@
|
||||||
"https://screenshots.cloudron.io/org.freshrss.cloudronapp/1.png"
|
"https://screenshots.cloudron.io/org.freshrss.cloudronapp/1.png"
|
||||||
],
|
],
|
||||||
"postInstallMessage": "file://POSTINSTALL.md",
|
"postInstallMessage": "file://POSTINSTALL.md",
|
||||||
"minBoxVersion": "7.1.0",
|
"minBoxVersion": "7.5.1",
|
||||||
"forumUrl": "https://forum.cloudron.io/category/27/freshrss",
|
"forumUrl": "https://forum.cloudron.io/category/27/freshrss",
|
||||||
"documentationUrl": "https://cloudron.io/documentation/apps/freshrss/"
|
"documentationUrl": "https://cloudron.io/documentation/apps/freshrss/",
|
||||||
|
"optionalSso": true
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,10 @@
|
||||||
FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768ba473078319a47f4
|
FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768ba473078319a47f4
|
||||||
|
|
||||||
|
|
||||||
|
RUN apt-get update && \
|
||||||
|
apt-get install --no-install-recommends -y \
|
||||||
|
libapache2-mod-auth-openidc
|
||||||
|
|
||||||
RUN mkdir -p /app/code
|
RUN mkdir -p /app/code
|
||||||
WORKDIR /app/code
|
WORKDIR /app/code
|
||||||
|
|
||||||
|
@ -21,7 +26,7 @@ RUN a2disconf other-vhosts-access-log
|
||||||
ADD apache/freshrss.conf /etc/apache2/sites-enabled/freshrss.conf
|
ADD apache/freshrss.conf /etc/apache2/sites-enabled/freshrss.conf
|
||||||
RUN echo "Listen 8000" > /etc/apache2/ports.conf
|
RUN echo "Listen 8000" > /etc/apache2/ports.conf
|
||||||
|
|
||||||
RUN a2enmod headers expires deflate mime dir rewrite setenvif
|
RUN a2enmod headers expires deflate mime dir rewrite setenvif auth_openidc
|
||||||
|
|
||||||
RUN rm -rf /var/lib/php && ln -s /run/php /var/lib/php
|
RUN rm -rf /var/lib/php && ln -s /run/php /var/lib/php
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,16 @@
|
||||||
|
<sso>
|
||||||
|
On first visit, sign in using the built-in Cloudron authentication and then make the user administrator
|
||||||
|
by running:
|
||||||
|
```
|
||||||
|
php cli/reconfigure.php --default_user YOUR_USERNAME
|
||||||
|
```
|
||||||
|
</sso>
|
||||||
|
|
||||||
|
<nosso>
|
||||||
This app is pre-setup with an admin account. The initial credentials are:
|
This app is pre-setup with an admin account. The initial credentials are:
|
||||||
|
|
||||||
**Username**: admin<br/>
|
**Username**: admin<br/>
|
||||||
**Password**: changeme<br/>
|
**Password**: changeme<br/>
|
||||||
|
|
||||||
Please change the admin password immediately.
|
Please change the admin password immediately.
|
||||||
|
</nosso>
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
ServerName %{HTTP_HOST}
|
ServerName %{HTTP_HOST}
|
||||||
|
|
||||||
<VirtualHost *:8000>
|
<VirtualHost *:8000>
|
||||||
|
@ -13,4 +14,41 @@ ServerName %{HTTP_HOST}
|
||||||
AllowOverride All
|
AllowOverride All
|
||||||
Require all granted
|
Require all granted
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<Directory /app/code/p/api>
|
||||||
|
Include /app/code/p/api/.htaccess
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
<Directory /app/code/p/i>
|
||||||
|
ExpiresActive Off
|
||||||
|
|
||||||
|
<IfDefine OIDC_ENABLED>
|
||||||
|
AuthType openid-connect
|
||||||
|
Require valid-user
|
||||||
|
</IfDefine>
|
||||||
|
IncludeOptional /app/code/p/i/.htaccess
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
<Directory /app/code/p/themes>
|
||||||
|
Include /app/code/p/themes/.htaccess
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
|
||||||
|
<IfDefine OIDC_ENABLED>
|
||||||
|
OIDCProviderMetadataURL ${CLOUDRON_OIDC_DISCOVERY_URL}
|
||||||
|
OIDCClientID ${CLOUDRON_OIDC_CLIENT_ID}
|
||||||
|
OIDCClientSecret ${CLOUDRON_OIDC_CLIENT_SECRET}
|
||||||
|
|
||||||
|
OIDCRedirectURI /i/oidc/
|
||||||
|
|
||||||
|
OIDCCryptoPassphrase ${OIDC_CRYPTO_PASSPHRASE}
|
||||||
|
|
||||||
|
OIDCRemoteUserClaim sub
|
||||||
|
|
||||||
|
OIDCScope "openid profile email"
|
||||||
|
|
||||||
|
OIDCRefreshAccessTokenBeforeExpiry 30
|
||||||
|
OIDCPassClaimsAs headers
|
||||||
|
OIDCXForwardedHeaders X-Forwarded-Proto
|
||||||
|
</IfDefine>
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
18
start.sh
18
start.sh
|
@ -13,11 +13,21 @@ if ! [ -f /app/data/.installed ]; then
|
||||||
--db-user "${CLOUDRON_MYSQL_USERNAME}" --db-password "${CLOUDRON_MYSQL_PASSWORD}" \
|
--db-user "${CLOUDRON_MYSQL_USERNAME}" --db-password "${CLOUDRON_MYSQL_PASSWORD}" \
|
||||||
--db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \
|
--db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \
|
||||||
--disable_update
|
--disable_update
|
||||||
|
|
||||||
|
if [ -z "${CLOUDRON_OIDC_ISSUER:-}" ]; then
|
||||||
php cli/create-user.php --user admin --password changeme --language en
|
php cli/create-user.php --user admin --password changeme --language en
|
||||||
|
fi
|
||||||
|
|
||||||
touch /app/data/.installed
|
touch /app/data/.installed
|
||||||
echo "==> Done."
|
echo "==> Done."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
echo "==> Get OAUTH Crypto Passphrase"
|
||||||
|
if [[ ! -f /app/data/.oauth_crypto_passphrase ]]; then
|
||||||
|
openssl rand -base64 42 > /app/data/.oauth_crypto_passphrase
|
||||||
|
fi
|
||||||
|
export OIDC_CRYPTO_PASSPHRASE=$(</app/data/.oauth_crypto_passphrase)
|
||||||
|
|
||||||
if [[ ! -f /app/data/php.ini ]]; then
|
if [[ ! -f /app/data/php.ini ]]; then
|
||||||
echo -e "; Add custom PHP configuration in this file\n; Settings here are merged with the package's built-in php.ini\n\n" > /app/data/php.ini
|
echo -e "; Add custom PHP configuration in this file\n; Settings here are merged with the package's built-in php.ini\n\n" > /app/data/php.ini
|
||||||
fi
|
fi
|
||||||
|
@ -41,10 +51,16 @@ php cli/reconfigure.php --default_user admin --base_url "https://${CLOUDRON_APP_
|
||||||
--db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \
|
--db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \
|
||||||
--disable_update
|
--disable_update
|
||||||
|
|
||||||
|
if [[ -z "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
|
||||||
|
php cli/reconfigure.php --default_user admin
|
||||||
|
else
|
||||||
|
php cli/reconfigure.php --auth_type "http_auth"
|
||||||
|
fi
|
||||||
|
|
||||||
echo "==> Setting permissions"
|
echo "==> Setting permissions"
|
||||||
chown -R www-data.www-data /run/php /app/data /tmp/log_api.txt
|
chown -R www-data.www-data /run/php /app/data /tmp/log_api.txt
|
||||||
|
|
||||||
echo "==> Starting apache"
|
echo "==> Starting apache"
|
||||||
APACHE_CONFDIR="" source /etc/apache2/envvars
|
APACHE_CONFDIR="" source /etc/apache2/envvars
|
||||||
rm -f "${APACHE_PID_FILE}"
|
rm -f "${APACHE_PID_FILE}"
|
||||||
exec /usr/sbin/apache2 -DFOREGROUND
|
exec /usr/sbin/apache2 -D FOREGROUND $([ -n "$CLOUDRON_OIDC_ISSUER" ] && echo '-D OIDC_ENABLED')
|
||||||
|
|
72
test/test.js
72
test/test.js
|
@ -18,7 +18,12 @@ const execSync = require('child_process').execSync,
|
||||||
{ Builder, By, Key, until } = require('selenium-webdriver'),
|
{ Builder, By, Key, until } = require('selenium-webdriver'),
|
||||||
{ Options } = require('selenium-webdriver/chrome');
|
{ Options } = require('selenium-webdriver/chrome');
|
||||||
|
|
||||||
const username = 'admin', password = 'changeme';
|
const admin_username = 'admin', admin_password = 'changeme';
|
||||||
|
|
||||||
|
if (!process.env.USERNAME || !process.env.PASSWORD) {
|
||||||
|
console.log('USERNAME and PASSWORD env vars need to be set');
|
||||||
|
process.exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
describe('Application life cycle test', function () {
|
describe('Application life cycle test', function () {
|
||||||
this.timeout(0);
|
this.timeout(0);
|
||||||
|
@ -27,7 +32,11 @@ describe('Application life cycle test', function () {
|
||||||
const TEST_TIMEOUT = 10000;
|
const TEST_TIMEOUT = 10000;
|
||||||
const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
|
const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
|
||||||
|
|
||||||
|
const USERNAME = process.env.USERNAME;
|
||||||
|
const PASSWORD = process.env.PASSWORD;
|
||||||
|
|
||||||
let browser, app;
|
let browser, app;
|
||||||
|
let athenticated_by_oidc = false;
|
||||||
|
|
||||||
before(function () {
|
before(function () {
|
||||||
const options = new Options().windowSize({ width: 1280, height: 1024 });
|
const options = new Options().windowSize({ width: 1280, height: 1024 });
|
||||||
|
@ -56,7 +65,7 @@ describe('Application life cycle test', function () {
|
||||||
await browser.wait(until.elementIsVisible(browser.findElement(elem)), TEST_TIMEOUT);
|
await browser.wait(until.elementIsVisible(browser.findElement(elem)), TEST_TIMEOUT);
|
||||||
}
|
}
|
||||||
|
|
||||||
async function login(password) {
|
async function login(username, password) {
|
||||||
await browser.get('https://' + app.fqdn);
|
await browser.get('https://' + app.fqdn);
|
||||||
await waitForElement(By.id('loginButton'));
|
await waitForElement(By.id('loginButton'));
|
||||||
await browser.findElement(By.id('username')).sendKeys(username);
|
await browser.findElement(By.id('username')).sendKeys(username);
|
||||||
|
@ -65,6 +74,25 @@ describe('Application life cycle test', function () {
|
||||||
await waitForElement(By.id('btn-subscription'));
|
await waitForElement(By.id('btn-subscription'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
async function loginOIDC(username, password) {
|
||||||
|
browser.manage().deleteAllCookies();
|
||||||
|
await browser.get(`https://${app.fqdn}/i/`);
|
||||||
|
await browser.sleep(6000);
|
||||||
|
|
||||||
|
if (!athenticated_by_oidc) {
|
||||||
|
await waitForElement(By.xpath('//input[@name="username"]'));
|
||||||
|
await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username);
|
||||||
|
await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
|
||||||
|
await browser.sleep(2000);
|
||||||
|
await browser.findElement(By.xpath('//button[@type="submit" and contains(text(), "Sign in")]')).click();
|
||||||
|
await browser.sleep(2000);
|
||||||
|
|
||||||
|
athenticated_by_oidc = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
await waitForElement(By.id('btn-subscription'));
|
||||||
|
}
|
||||||
|
|
||||||
async function logout() {
|
async function logout() {
|
||||||
var logout_btn = By.xpath('//li/a[@class="signout"]');
|
var logout_btn = By.xpath('//li/a[@class="signout"]');
|
||||||
|
|
||||||
|
@ -87,12 +115,10 @@ describe('Application life cycle test', function () {
|
||||||
await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]'));
|
await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]'));
|
||||||
}
|
}
|
||||||
|
|
||||||
async function addUser(password) {
|
async function addUser(username, password) {
|
||||||
var test_username = 'test';
|
|
||||||
|
|
||||||
await browser.get(`${baseUrl()}/i/?c=user&a=manage`);
|
await browser.get(`${baseUrl()}/i/?c=user&a=manage`);
|
||||||
await waitForElement(By.id('new_user_name'));
|
await waitForElement(By.id('new_user_name'));
|
||||||
await browser.findElement(By.id('new_user_name')).sendKeys(test_username);
|
await browser.findElement(By.id('new_user_name')).sendKeys(username);
|
||||||
await browser.findElement(By.id('new_user_passwordPlain')).sendKeys(password);
|
await browser.findElement(By.id('new_user_passwordPlain')).sendKeys(password);
|
||||||
await browser.findElement(By.xpath('//button[text()="Create"]')).click();
|
await browser.findElement(By.xpath('//button[text()="Create"]')).click();
|
||||||
await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]'));
|
await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]'));
|
||||||
|
@ -128,18 +154,33 @@ describe('Application life cycle test', function () {
|
||||||
}
|
}
|
||||||
|
|
||||||
xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
|
xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
|
||||||
it('install app', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); });
|
// No SSO
|
||||||
|
it('install app', function () { execSync('cloudron install --no-sso --location ' + LOCATION, EXEC_ARGS); });
|
||||||
|
|
||||||
it('can get app information', getAppInfo);
|
it('can get app information', getAppInfo);
|
||||||
|
|
||||||
it('can login', login.bind(null, password));
|
it('can login', login.bind(null, admin_username, admin_password));
|
||||||
it('can subscribe', addSubscription);
|
it('can subscribe', addSubscription);
|
||||||
it('can add users', addUser.bind(null, password));
|
it('can add users', addUser.bind(null, 'test', admin_password));
|
||||||
it('can enable API', enableApi);
|
it('can enable API', enableApi);
|
||||||
it('can check configuration', checkApiConfiguration);
|
it('can check configuration', checkApiConfiguration);
|
||||||
it('subscription exists', subscriptionExists);
|
it('subscription exists', subscriptionExists);
|
||||||
it('can get static extension file', getStaticExtensionFile);
|
it('can get static extension file', getStaticExtensionFile);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
|
it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
|
||||||
|
|
||||||
|
// SSO
|
||||||
|
it('install app', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); });
|
||||||
|
|
||||||
|
it('can get app information', getAppInfo);
|
||||||
|
|
||||||
|
it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
|
||||||
|
it('can make user Administrator', function () { execSync(`cloudron exec --app ${app.id} -- bash -c "php cli/reconfigure.php --default_user ${USERNAME}"`); });
|
||||||
|
it('can subscribe', addSubscription);
|
||||||
|
it('can enable API', enableApi);
|
||||||
|
it('can check configuration', checkApiConfiguration);
|
||||||
|
it('subscription exists', subscriptionExists);
|
||||||
|
it('can get static extension file', getStaticExtensionFile);
|
||||||
|
|
||||||
it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); });
|
it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); });
|
||||||
|
|
||||||
|
@ -151,11 +192,10 @@ describe('Application life cycle test', function () {
|
||||||
execSync(`cloudron restore --backup ${backups[0].id} --app ${app.id}`, EXEC_ARGS);
|
execSync(`cloudron restore --backup ${backups[0].id} --app ${app.id}`, EXEC_ARGS);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('can login', login.bind(null, password));
|
it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
|
||||||
it('can check configuration', checkApiConfiguration);
|
it('can check configuration', checkApiConfiguration);
|
||||||
it('subscription exists', subscriptionExists);
|
it('subscription exists', subscriptionExists);
|
||||||
it('can get static extension file', getStaticExtensionFile);
|
it('can get static extension file', getStaticExtensionFile);
|
||||||
it('can logout', logout);
|
|
||||||
|
|
||||||
it('move to different location', function () {
|
it('move to different location', function () {
|
||||||
browser.manage().deleteAllCookies();
|
browser.manage().deleteAllCookies();
|
||||||
|
@ -165,11 +205,10 @@ describe('Application life cycle test', function () {
|
||||||
expect(app).to.be.an('object');
|
expect(app).to.be.an('object');
|
||||||
});
|
});
|
||||||
|
|
||||||
it('can login', login.bind(null, password));
|
it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
|
||||||
it('can check configuration', checkApiConfiguration);
|
it('can check configuration', checkApiConfiguration);
|
||||||
it('subscription exists', subscriptionExists);
|
it('subscription exists', subscriptionExists);
|
||||||
it('can get static extension file', getStaticExtensionFile);
|
it('can get static extension file', getStaticExtensionFile);
|
||||||
it('can logout', logout);
|
|
||||||
|
|
||||||
it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
|
it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
|
||||||
|
|
||||||
|
@ -177,9 +216,10 @@ describe('Application life cycle test', function () {
|
||||||
it('can install app', function () { execSync('cloudron install --appstore-id org.freshrss.cloudronapp --location ' + LOCATION, EXEC_ARGS); });
|
it('can install app', function () { execSync('cloudron install --appstore-id org.freshrss.cloudronapp --location ' + LOCATION, EXEC_ARGS); });
|
||||||
|
|
||||||
it('can get app information', getAppInfo);
|
it('can get app information', getAppInfo);
|
||||||
it('can login', login.bind(null, password));
|
// it can be changed to loginOIDC in the nextrelease
|
||||||
|
it('can login', login.bind(null, admin_username, admin_password));
|
||||||
it('can subscribe', addSubscription);
|
it('can subscribe', addSubscription);
|
||||||
it('can add users', addUser.bind(null, password));
|
it('can add users', addUser.bind(null, 'test', admin_password));
|
||||||
|
|
||||||
it('can update', function () {
|
it('can update', function () {
|
||||||
execSync('cloudron update --app ' + app.id, EXEC_ARGS);
|
execSync('cloudron update --app ' + app.id, EXEC_ARGS);
|
||||||
|
@ -188,7 +228,7 @@ describe('Application life cycle test', function () {
|
||||||
expect(app).to.be.an('object');
|
expect(app).to.be.an('object');
|
||||||
});
|
});
|
||||||
|
|
||||||
it('can login', login.bind(null, password));
|
it('can login', login.bind(null, admin_username, admin_password));
|
||||||
it('subscription exists', subscriptionExists);
|
it('subscription exists', subscriptionExists);
|
||||||
it('can get static extension file', getStaticExtensionFile);
|
it('can get static extension file', getStaticExtensionFile);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue