Posted to dev@guacamole.apache.org by GitBox <gi...@apache.org> on 2019/01/13 10:14:57 UTC

[GitHub] mike-jumper closed pull request #351: GUACAMOLE-683: Add OpenID support in Docker Build Scripts

mike-jumper closed pull request #351: GUACAMOLE-683: Add OpenID support in Docker Build Scripts
URL: https://github.com/apache/guacamole-client/pull/351
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/guacamole-docker/bin/build-guacamole.sh b/guacamole-docker/bin/build-guacamole.sh
index f72fb673d..c5ff255d4 100755
--- a/guacamole-docker/bin/build-guacamole.sh
+++ b/guacamole-docker/bin/build-guacamole.sh
@@ -126,3 +126,11 @@ if [ -f extensions/guacamole-auth-radius/target/guacamole-auth-radius*.jar ]; th
     mkdir -p "$DESTINATION/radius"
     cp extensions/guacamole-auth-radius/target/guacamole-auth-radius*.jar "$DESTINATION/radius"
 fi
+
+# Copy OPENID auth extension and schema modifications
+#
+
+if [ -f extensions/guacamole-auth-openid/target/guacamole-auth-openid*.jar ]; then
+    mkdir -p "$DESTINATION/openid"
+    cp extensions/guacamole-auth-openid/target/guacamole-auth-openid*.jar "$DESTINATION/openid"
+fi
diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh
index 0732283a7..2ed50a929 100755
--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
@@ -404,6 +404,62 @@ END
     ln -s /opt/guacamole/radius/guacamole-auth-*.jar "$GUACAMOLE_EXT"
 }
 
+## Adds properties to guacamole.properties which select the OPENID
+## authentication provider, and configure it to connect to the specified OPENID
+## provider.
+##
+associate_openid() {
+
+    # Verify required parameters are present
+    if [ -z "$OPENID_AUTHORIZATION_ENDPOINT" ] || \
+       [ -z "$OPENID_JWKS_ENDPOINT" ]          || \
+       [ -z "$OPENID_ISSUER" ]                 || \
+       [ -z "$OPENID_CLIENT_ID" ]              || \          
+       [ -z "$OPENID_REDIRECT_URI" ]
+    then
+        cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using an openid authentication, you must provide each of the following
+environment variables:
+
+    OPENID_AUTHORIZATION_ENDPOINT   The authorization endpoint (URI) of the OpenID service.
+
+    OPENID_JWKS_ENDPOINT            The endpoint (URI) of the JWKS service which defines
+                                    how received ID tokens (JSON Web Tokens or JWTs) 
+                                    shall be validated.
+
+    OPENID_ISSUER                   The issuer to expect for all received ID tokens.
+
+    OPENID_CLIENT_ID                The OpenID client ID which should be submitted 
+                                    to the OpenID service when necessary. 
+                                    This value is typically provided to you by the OpenID 
+                                    service when OpenID credentials are generated for your application.
+
+    OPENID_REDIRECT_URI             The URI that should be submitted to the OpenID service such that 
+                                    they can redirect the authenticated user back to Guacamole after 
+                                    the authentication process is complete. This must be the full URL 
+                                    that a user would enter into their browser to access Guacamole.
+END
+        exit 1;
+    fi
+
+    # Update config file
+    set_property          "openid-authorization-endpoint"    "$OPENID_AUTHORIZATION_ENDPOINT"
+    set_property          "openid-jwks-endpoint"             "$OPENID_JWKS_ENDPOINT"
+    set_property          "openid-issuer"                    "$OPENID_ISSUER"
+    set_property          "openid-client-id"                 "$OPENID_CLIENT_ID"
+    set_property          "openid-redirect-uri"              "$OPENID_REDIRECT_URI"
+    set_optional_property "openid-username-claim-type"       "$OPENID_USERNAME_CLAIM_TYPE"
+
+    # Add required .jar files to GUACAMOLE_EXT
+    # "1-{}" make it sorted as a first provider (only authentication)
+    # so it can work together with the database providers (authorization)
+    find /opt/guacamole/openid/ -name "*.jar" | awk -F/ '{print $NF}' | \
+    xargs -I '{}' ln -s "/opt/guacamole/openid/{}" "${GUACAMOLE_EXT}/1-{}"
+
+}
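Review bot: The required-variable check in associate_openid is defeated by the trailing whitespace after the backslash on the `OPENID_CLIENT_ID` line: a backslash followed by spaces escapes a space rather than the newline, so the `||` chain ends in a command named ` ` (command not found, status ignored because it is not the last command of the `if` list) and only the following `[ -z "$OPENID_REDIRECT_URI" ]` decides whether the FATAL block runs, leaving the endpoint, JWKS, issuer and client-id variables effectively unchecked. This assumes the trailing spaces are in the committed file rather than an artifact of the mail rendering; `git show` or `shellcheck` on start.sh will confirm it. The fix is to strip the trailing whitespace so the line ends exactly in `[ -z "$OPENID_CLIENT_ID" ]              || \`, and a loop over the variable names would avoid fragile continuations altogether. Since the issuer and JWKS endpoint are the trust anchors for ID-token validation, it would also be worth emitting a warning when OPENID_JWKS_ENDPOINT or OPENID_AUTHORIZATION_ENDPOINT is not an `https://` URL, as a plain-http JWKS fetch lets a network attacker substitute signing keys.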
+
 ##
 ## Starts Guacamole under Tomcat, replacing the current process with the
 ## Tomcat process. As the current process will be replaced, this MUST be the
@@ -512,6 +568,12 @@ if [ -n "$RADIUS_SHARED_SECRET" ]; then
     INSTALLED_AUTH="$INSTALLED_AUTH radius"
 fi
 
+# Use OPENID if specified
+if [ -n "$OPENID_AUTHORIZATION_ENDPOINT" ]; then
+    associate_openid
+    INSTALLED_AUTH="$INSTALLED_AUTH openid"
+fi
+
 #
 # Validate that at least one authentication backend is installed
 #


 
