mike-jumper closed pull request #351: GUACAMOLE-683: Add OpenID support in
Docker Build Scripts
URL: https://github.com/apache/guacamole-client/pull/351
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/guacamole-docker/bin/build-guacamole.sh
b/guacamole-docker/bin/build-guacamole.sh
index f72fb673d..c5ff255d4 100755
--- a/guacamole-docker/bin/build-guacamole.sh
+++ b/guacamole-docker/bin/build-guacamole.sh
@@ -126,3 +126,11 @@ if [ -f
extensions/guacamole-auth-radius/target/guacamole-auth-radius*.jar ]; th
mkdir -p "$DESTINATION/radius"
cp extensions/guacamole-auth-radius/target/guacamole-auth-radius*.jar
"$DESTINATION/radius"
fi
+
+# Copy OPENID auth extension and schema modifications
+#
+
+if [ -f extensions/guacamole-auth-openid/target/guacamole-auth-openid*.jar ];
then
+ mkdir -p "$DESTINATION/openid"
+ cp extensions/guacamole-auth-openid/target/guacamole-auth-openid*.jar
"$DESTINATION/openid"
+fi
diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh
index 0732283a7..2ed50a929 100755
--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
@@ -404,6 +404,62 @@ END
ln -s /opt/guacamole/radius/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
+## Adds properties to guacamole.properties which select the OPENID
+## authentication provider, and configure it to connect to the specified OPENID
+## provider.
+##
+associate_openid() {
+
+ # Verify required parameters are present
+ if [ -z "$OPENID_AUTHORIZATION_ENDPOINT" ] || \
+ [ -z "$OPENID_JWKS_ENDPOINT" ] || \
+ [ -z "$OPENID_ISSUER" ] || \
+ [ -z "$OPENID_CLIENT_ID" ] || \
+ [ -z "$OPENID_REDIRECT_URI" ]
+ then
+ cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using an openid authentication, you must provide each of the following
+environment variables:
+
+ OPENID_AUTHORIZATION_ENDPOINT The authorization endpoint (URI) of the
OpenID service.
+
+ OPENID_JWKS_ENDPOINT The endpoint (URI) of the JWKS service
which defines
+ how received ID tokens (JSON Web Tokens or
JWTs)
+ shall be validated.
+
+ OPENID_ISSUER The issuer to expect for all received ID
tokens.
+
+ OPENID_CLIENT_ID The OpenID client ID which should be
submitted
+ to the OpenID service when necessary.
+ This value is typically provided to you by
the OpenID
+ service when OpenID credentials are
generated for your application.
+
+ OPENID_REDIRECT_URI The URI that should be submitted to the
OpenID service such that
+ they can redirect the authenticated user
back to Guacamole after
+ the authentication process is complete.
This must be the full URL
+ that a user would enter into their browser
to access Guacamole.
+END
+ exit 1;
+ fi
+
+ # Update config file
+ set_property "openid-authorization-endpoint"
"$OPENID_AUTHORIZATION_ENDPOINT"
+ set_property "openid-jwks-endpoint"
"$OPENID_JWKS_ENDPOINT"
+ set_property "openid-issuer" "$OPENID_ISSUER"
+ set_property "openid-client-id"
"$OPENID_CLIENT_ID"
+ set_property "openid-redirect-uri"
"$OPENID_REDIRECT_URI"
+ set_optional_property "openid-username-claim-type"
"$OPENID_USERNAME_CLAIM_TYPE"
+
+ # Add required .jar files to GUACAMOLE_EXT
+ # "1-{}" make it sorted as a first provider (only authentication)
+ # so it can work together with the database providers (authorization)
+ find /opt/guacamole/openid/ -name "*.jar" | awk -F/ '{print $NF}' | \
+ xargs -I '{}' ln -s "/opt/guacamole/openid/{}" "${GUACAMOLE_EXT}/1-{}"
+
+}
+
##
## Starts Guacamole under Tomcat, replacing the current process with the
## Tomcat process. As the current process will be replaced, this MUST be the
@@ -512,6 +568,12 @@ if [ -n "$RADIUS_SHARED_SECRET" ]; then
INSTALLED_AUTH="$INSTALLED_AUTH radius"
fi
+# Use OPENID if specified
+if [ -n "$OPENID_AUTHORIZATION_ENDPOINT" ]; then
+ associate_openid
+ INSTALLED_AUTH="$INSTALLED_AUTH openid"
+fi
+
#
# Validate that at least one authentication backend is installed
#
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
