OIDC auth implemented, tests updated

2024-02-19 17:13:57 +04:00 · 2024-02-19 17:13:57 +04:00 · 7417ce44e5
parent 88918c602a
commit 7417ce44e5
6 changed files with 113 additions and 16 deletions
--- a/CloudronManifest.json
+++ b/CloudronManifest.json
@ -19,7 +19,8 @@
    }
  },
  "addons": {
-    "localstorage": {}
+    "localstorage": {},
+    "oidc": { "loginRedirectUri": "/oauth_callback" }
  },
  "manifestVersion": 2,
  "website": "http://www.minio.io",
--- a/POSTINSTALL.md
+++ b/POSTINSTALL.md
@ -5,3 +5,15 @@ Please use the following credentials to login:

 Please change the credentials immediately by following this [guide](https://cloudron.io/documentation/apps/minio/#admin-credentials).

+By default, Cloudron users have `readwrite` access policy.
+If you'd like to change it, you should create a respective policy by following [Minio documentation](https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html)
+
+After that you should add the variable MINIO_IDENTITY_OPENID_ROLE_POLICY in /app/data/env.sh, e.g.
+
+```
+export MINIO_IDENTITY_OPENID_ROLE_POLICY="new-policy-name"
+```
+
+Where `new-policy-name` is the policy you have created.
+
+Be sure to restart the app after making changes.
--- a/start.sh
+++ b/start.sh
@ -17,6 +17,19 @@ if [[ ! -d /app/data/mc_config ]]; then
    /app/code/mc --config-dir /app/data/mc_config &> /dev/null || true
 fi

+if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+    export MINIO_IDENTITY_OPENID_DISPLAY_NAME="Cloudron"
+    export MINIO_IDENTITY_OPENID_CONFIG_URL="${CLOUDRON_OIDC_DISCOVERY_URL}"
+    export MINIO_IDENTITY_OPENID_CLIENT_ID="${CLOUDRON_OIDC_CLIENT_ID}"
+    export MINIO_IDENTITY_OPENID_CLIENT_SECRET="${CLOUDRON_OIDC_CLIENT_SECRET}"
+    export MINIO_IDENTITY_OPENID_SCOPES="openid profile email"
+    if [[ -z "${MINIO_IDENTITY_OPENID_ROLE_POLICY:-}" ]]; then
+        export MINIO_IDENTITY_OPENID_ROLE_POLICY="readwrite"
+    fi
+
+    export MINIO_IDENTITY_OPENID_COMMENT="Cloudron OIDC"
+fi
+
 # minio is used for backups at times and has a large number of files. optimize by checking if files are actually in correct chown state
 echo "==> Changing ownership"
 [[ $(stat --format '%U' /app/data/data) != "cloudron" ]] && chown -R cloudron:cloudron /app/data
--- a/test/package-lock.json
+++ b/test/package-lock.json
@ -9,7 +9,7 @@
      "version": "1.0.0",
      "license": "ISC",
      "dependencies": {
-        "chromedriver": "^121.0.1",
+        "chromedriver": "^121.0.2",
        "expect.js": "^0.3.1",
        "mocha": "^10.3.0",
        "selenium-webdriver": "^4.17.0",
@ -228,9 +228,9 @@
      }
    },
    "node_modules/chromedriver": {
-      "version": "121.0.1",
-      "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-121.0.1.tgz",
-      "integrity": "sha512-7y/RLV3tKNpNf/Ye74eOF7gyrCA78qq3i6JjrMJ4xovc2XZaw4a3cZA6+2PflGX/0HttYiKJV2WO611JROGNaw==",
+      "version": "121.0.2",
+      "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-121.0.2.tgz",
+      "integrity": "sha512-58MUSCEE3oB3G3Y/Jo3URJ2Oa1VLHcVBufyYt7vNfGrABSJm7ienQLF9IQ8LPDlPVgLUXt2OBfggK3p2/SlEBg==",
      "hasInstallScript": true,
      "dependencies": {
        "@testim/chrome-version": "^1.1.4",
@ -1710,9 +1710,9 @@
      }
    },
    "chromedriver": {
-      "version": "121.0.1",
-      "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-121.0.1.tgz",
-      "integrity": "sha512-7y/RLV3tKNpNf/Ye74eOF7gyrCA78qq3i6JjrMJ4xovc2XZaw4a3cZA6+2PflGX/0HttYiKJV2WO611JROGNaw==",
+      "version": "121.0.2",
+      "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-121.0.2.tgz",
+      "integrity": "sha512-58MUSCEE3oB3G3Y/Jo3URJ2Oa1VLHcVBufyYt7vNfGrABSJm7ienQLF9IQ8LPDlPVgLUXt2OBfggK3p2/SlEBg==",
      "requires": {
        "@testim/chrome-version": "^1.1.4",
        "axios": "^1.6.5",
--- a/test/package.json
+++ b/test/package.json
@ -9,7 +9,7 @@
  "author": "",
  "license": "ISC",
  "dependencies": {
-    "chromedriver": "^121.0.1",
+    "chromedriver": "^121.0.2",
    "expect.js": "^0.3.1",
    "mocha": "^10.3.0",
    "selenium-webdriver": "^4.17.0",
--- a/test/test.js
+++ b/test/test.js
@ -20,6 +20,11 @@ const execSync = require('child_process').execSync,
    { Builder, By, until } = require('selenium-webdriver'),
    { Options } = require('selenium-webdriver/chrome');

+if (!process.env.USERNAME || !process.env.PASSWORD) {
+    console.log('USERNAME and PASSWORD env vars need to be set');
+    process.exit(1);
+}
+
 describe('Application life cycle test', function () {
    this.timeout(0);

@ -29,6 +34,9 @@ describe('Application life cycle test', function () {
    const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };

    let browser, app;
+    var athenticated_by_oidc = false;
+    let username = process.env.USERNAME;
+    let password = process.env.PASSWORD;

    before(function () {
        browser = new Builder().forBrowser('chrome').setChromeOptions(new Options().windowSize({ width: 1280, height: 1024 })).build();
@ -51,6 +59,14 @@ describe('Application life cycle test', function () {

    async function login(accessKey='minioadmin', secretKey='minioadmin') {
        await browser.get(`https://${app.fqdn}/login`);
+        await browser.sleep(2000);
+
+        if (await browser.findElements(By.id('accessKey')).then(found => !found.length) && await browser.findElements(By.id('alternativeMethods-select')).then(found => !!found.length)) {
+            await browser.findElement(By.xpath('//div[@id="alternativeMethods-select"]/div[contains(., "Other Authentication Methods")]')).click();
+            await browser.sleep(2000);
+            await browser.findElement(By.xpath('//li[contains(., "Use Credentials")] | //div[@label="Use Credentials"]')).click();
+            await browser.sleep(2000);
+        }
        await waitForElement(By.id('accessKey'));
        await browser.findElement(By.id('accessKey')).sendKeys(accessKey);
        await browser.findElement(By.id('secretKey')).sendKeys(secretKey);
@ -59,13 +75,35 @@ describe('Application life cycle test', function () {
        await timers.setTimeout(5000);
    }

+    async function loginOIDC(username, password) {
+        browser.manage().deleteAllCookies();
+        await browser.get(`https://${app.fqdn}/login`);
+        await browser.sleep(4000);
+
+        await browser.findElement(By.xpath('//button[contains(., "Cloudron")]')).click();
+        await browser.sleep(4000);
+
+        if (!athenticated_by_oidc) {
+            await waitForElement(By.xpath('//input[@name="username"]'));
+            await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username);
+            await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
+            await browser.sleep(2000);
+            await browser.findElement(By.id('loginSubmitButton')).click();
+            await browser.sleep(2000);
+
+            athenticated_by_oidc = true;
+        }
+
+        await waitForElement(By.xpath('//span[contains(text(), "Buckets")]'));
+    }
+
    async function logout() {
        await browser.get(`https://${app.fqdn}/`);
        await waitForElement(By.xpath('//span[contains(text(), "Buckets")]'));
        const button = await browser.findElement(By.xpath('//button[@id="sign-out"]'));
        await browser.executeScript('arguments[0].scrollIntoView(false)', button);
        await button.click();
-        await waitForElement(By.id('accessKey'));
+        await waitForElement(By.xpath('//*[@id="accessKey"] | //button[contains(., "Cloudron")]'));
    }

    async function addBucket() {
@ -104,13 +142,17 @@ describe('Application life cycle test', function () {

    it('can get app information', getAppInfo);

-    it('can login', login.bind(null, 'minioadmin', 'minioadmin'));
+    it('can Admin login', login.bind(null, 'minioadmin', 'minioadmin'));
    it('can add bucket', addBucket);
    it('can logout', logout);
    it('does redirect', checkRedirect);
    it('check api', checkApi);

-    it('can change credentials', async function () {
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('has bucket', checkBucket);
+    it('can logout', logout);
+
+    it('can change Admin credentials', async function () {
        let data = fs.readFileSync(path.join(__dirname, '../env.sh'), 'utf8');
        data = data
            .replace(/MINIO_ROOT_USER=.*/, 'MINIO_ROOT_USER=minioakey')
@ -123,12 +165,16 @@ describe('Application life cycle test', function () {

    it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); });

-    it('can login', login.bind(null, 'minioakey', 'minioskey'));
+    it('can Admin login', login.bind(null, 'minioakey', 'minioskey'));
    it('has bucket', checkBucket);
    it('can logout', logout);
    it('does redirect', checkRedirect);
    it('check api', checkApi);

+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('has bucket', checkBucket);
+    it('can logout', logout);
+
    it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); });
    it('restore app', async function () {
        const backups = JSON.parse(execSync(`cloudron backup list --raw --app ${app.id}`));
@ -139,9 +185,15 @@ describe('Application life cycle test', function () {
        await timers.setTimeout(10000);
    });

-    it('can login', login.bind(null, 'minioakey', 'minioskey'));
+    it('can get app information', getAppInfo);
+    it('can Admin login', login.bind(null, 'minioakey', 'minioskey'));
    it('has bucket', checkBucket);
    it('can logout', logout);
+
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('has bucket', checkBucket);
+    it('can logout', logout);
+
    it('does redirect', checkRedirect);
    it('check api', checkApi);

@ -152,9 +204,14 @@ describe('Application life cycle test', function () {
    });
    it('can get app information', getAppInfo);

-    it('can login', login.bind(null, 'minioakey', 'minioskey'));
+    it('can Admin login', login.bind(null, 'minioakey', 'minioskey'));
    it('has bucket', checkBucket);
    it('can logout', logout);
+
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('has bucket', checkBucket);
+    it('can logout', logout);
+
    it('does redirect', checkRedirect);
    it('check api', checkApi);

@ -167,13 +224,27 @@ describe('Application life cycle test', function () {
    it('can login', login.bind(null, 'minioadmin', 'minioadmin'));
    it('can add buckets', addBucket);
    it('can logout', logout);
+
+    /* should be added on the next release
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('has bucket', checkBucket);
+    it('can logout', logout);
+    */
+
    it('can update', function () { execSync(`cloudron update --app ${LOCATION}`, EXEC_ARGS); });
    it('can configure', function () { execSync(`cloudron configure --app ${LOCATION} --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS); });
    it('can get app information', getAppInfo);

-    it('can login', login.bind(null, 'minioadmin', 'minioadmin'));
+    it('can Admin login', login.bind(null, 'minioadmin', 'minioadmin'));
    it('has bucket', checkBucket);
    it('can logout', logout);
+
+    /* should be added on the next release
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('has bucket', checkBucket);
+    it('can logout', logout);
+    */
+
    it('does redirect', checkRedirect);
    it('check api', checkApi);