Repository: guacamole-client Updated Branches: refs/heads/master fd2198d62 -> 78f1ae1b4
GUACAMOLE-682: add option to include RADIUS authentication in docker
To include library for RADIUS authentication in the docker image the build needs to activate the maven profile "lgpl-extentions" and copy the library into the image. The docker start script needs to pass through settings and link the library to GUACAMOLE_HOME.
Project: http://git-wip-us.apache.org/repos/asf/guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-client/commit/0f310285
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-client/tree/0f310285
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-client/diff/0f310285
Branch: refs/heads/master
Commit: 0f31028565a539c25a9a67d72b4901db024506e1
Parents: fd2198d
Author: Joern Lentes <joern.len...@web.de>
Authored: Fri Dec 21 11:15:25 2018 +0100
Committer: Joern Lentes <joern.len...@web.de>
Committed: Fri Dec 21 11:15:25 2018 +0100
----------------------------------------------------------------------
guacamole-docker/bin/build-guacamole.sh | 15 ++++-
guacamole-docker/bin/start.sh | 96 ++++++++++++++++++++++++++--
2 files changed, 106 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0f310285/guacamole-docker/bin/build-guacamole.sh
----------------------------------------------------------------------
diff --git a/guacamole-docker/bin/build-guacamole.sh b/guacamole-docker/bin/build-guacamole.sh
index 79115df..1f4ab77 100755
--- a/guacamole-docker/bin/build-guacamole.sh
+++ b/guacamole-docker/bin/build-guacamole.sh
@@ -53,7 +53,12 @@ mkdir -p "$DESTINATION"
 #
 cd "$BUILD_DIR"
-mvn package
+
+if [ -z "$BUILD_PROFILE" ]; then
+ mvn package
+else
+ mvn -P "$BUILD_PROFILE" package
+fi
 #
 # Copy guacamole.war to destination
@@ -107,3 +112,11 @@ tar -xzf extensions/guacamole-auth-ldap/target/*.tar.gz \
 "*.jar" \
 "*.ldif"
+#
+# Copy Radius auth extension if it was build
+#
+
+if [[ "$BUILD_PROFILE ~= "lgpl-extentions" ]]; then
+ mkdir -p "$DESTINATION/radius"
+ cp extensions/guacamole-auth-radius/target/guacamole-auth-radius*.jar "$DESTINATION/radius"
+fi
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0f310285/guacamole-docker/bin/start.sh
----------------------------------------------------------------------
diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh
index 1fbcc85..8fb3bc1 100755
--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
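Review bot: The test `if [[ "$BUILD_PROFILE ~= "lgpl-extentions" ]]; then` cannot parse: the closing quote after `$BUILD_PROFILE` is missing, so the quoted string runs on into the `mkdir`/`cp` lines, and `~=` is not a shell operator (`=~` is the bash regex match, `=`/`==` the string comparison), so build-guacamole.sh aborts with a syntax error when it reaches this block. Since `mvn -P` accepts a comma-separated list, a pattern match that also catches `foo,lgpl-extentions` is more useful than an exact compare: `if [[ "$BUILD_PROFILE" == *lgpl-extentions* ]]; then`; the earlier hunk in this file uses `[`, so if the script runs under `#!/bin/sh` the portable form is `case "$BUILD_PROFILE" in *lgpl-extentions*) ... ;; esac`. The header comment should read `# Copy RADIUS auth extension if it was built`. If the profile was requested but no jar was produced, the `cp` glob stays literal and `cp` fails; checking that the target exists before copying would give a clearer message than the cp error.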
@@ -323,6 +323,88 @@ END
 }
 ##
+## Adds properties to guacamole.properties which select the LDAP
+## authentication provider, and configure it to connect to the specified LDAP
+## directory.
+##
+associate_radius() {
+
+ # Verify required parameters are present
+ if [ -z "$RADIUS_SHARED_SECRET" -o -z "$RADIUS_AUTH_PROTOCOL" ]; then
+ cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using RADIUS server, you must provide each of the following environment
+variables:
+
+ RADIUS_SHARED_SECRET The shared secret to use when talking to the
+ RADIUS server.
+
+ RADIUS_AUTH_PROTOCOL The authentication protocol to use when talking
+ to the RADIUS server.
+ Supported values are:
+ pap, chap, mschapv1, mschapv2, eap-md5,
+ eap-tls and eap-ttls.
+END
+ exit 1;
+ fi
+
+ # Verify provided files do exist and are readable
+ if [ -n "$RADIUS_KEY_FILE" -a ! -r "$RADIUS_KEY_FILE" ]; then
+ cat <<END
+FATAL: Provided file RADIUS_KEY_FILE=$RADIUS_KEY_FILE does not exist
+ or is not readable!
+-------------------------------------------------------------------------------
+If you provide key or CA files you need to mount those into the container and
+make sure they are readable for the user in the container.
+END
+ exit 1;
+ fi
+ if [ -n "$RADIUS_CA_FILE" -a ! -r "$RADIUS_CA_FILE" ]; then
+ cat <<END
+FATAL: Provided file RADIUS_CA_FILE=$RADIUS_CA_FILE does not exist
+ or is not readable!
+-------------------------------------------------------------------------------
+If you provide key or CA files you need to mount those into the container and
+make sure they are readable for the user in the container.
+END
+ exit 1;
+ fi
+ if [ $RADIUS_AUTH_PROTOCOL == "eap-ttls" -a -z "$RADIUS_EAP_TTLS_INNER_PROTOCOL" ]; then
+ cat <<END
+FATAL: Authentication protocol "eap-ttls" specified but
+ RADIUS_EAP_TTLS_INNER_PROTOCOL is not set!
+-------------------------------------------------------------------------------
+When EAP-TTLS is used, this parameter specifies the inner (tunneled)
+protocol to use talking to the RADIUS server.
+END
+ exit 1;
+ fi
+
+ # Update config file
+ set_optional_property "radius-hostname" "$RADIUS_HOSTNAME"
+ set_optional_property "radius-auth-port" "$RADIUS_AUTH_PORT"
+ set_property "radius-shared-secret" "$RADIUS_SHARED_SECRET"
+ set_property "radius-auth-protocol" "$RADIUS_AUTH_PROTOCOL"
+ set_optional_property "radius-key-file" "$RADIUS_KEY_FILE"
+ set_optional_property "radius-key-type" "$RADIUS_KEY_TYPE"
+ set_optional_property "radius-key-password" "$RADIUS_KEY_PASSWORD"
+ set_optional_property "radius-ca-file" "$RADIUS_CA_FILE"
+ set_optional_property "radius-ca-type" "$RADIUS_CA_TYPE"
+ set_optional_property "radius-ca-password" "$RADIUS_CA_PASSWORD"
+ set_optional_property "radius-trust-all" "$RADIUS_TRUST_ALL"
+ set_optional_property "radius-retries" "$RADIUS_RETRIES"
+ set_optional_property "radius-timeout" "$RADIUS_TIMEOUT"
+
+ set_optional_property \
+ "radius-eap-ttls-inner-protocol" \
+ "$RADIUS_EAP_TTLS_INNER_PROTOCOL"
+
+ # Add required .jar files to GUACAMOLE_EXT
+ ln -s /opt/guacamole/radius/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+}
+
+##
 ## Starts Guacamole under Tomcat, replacing the current process with the
 ## Tomcat process. As the current process will be replaced, this MUST be the
 ## last function run within the script.
@@ -424,6 +506,12 @@ if [ -n "$LDAP_HOSTNAME" ]; then
 INSTALLED_AUTH="$INSTALLED_AUTH ldap"
 fi
+# Use RADIUS server if specified
+if [ -n "$RADIUS_SHARED_SECRET" ]; then
+ associate_radius
+ INSTALLED_AUTH="$INSTALLED_AUTH radius"
+fi
+
 #
 # Validate that at least one authentication backend is installed
 #
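Review bot: The header comment on `associate_radius` was copied from the LDAP function and still says it selects the LDAP provider and connects to an LDAP directory; it should read `## Adds properties to guacamole.properties which select the RADIUS` / `## authentication provider, and configure it to connect to the specified RADIUS` / `## server.`. In the eap-ttls check, `$RADIUS_AUTH_PROTOCOL` is unquoted and `==` inside `[` is a bash extension; the other tests in this function quote their operands and use POSIX operators, so `if [ "$RADIUS_AUTH_PROTOCOL" = "eap-ttls" -a -z "$RADIUS_EAP_TTLS_INNER_PROTOCOL" ]; then` is the consistent form. The first FATAL message enumerates the supported protocols, but nothing compares the supplied value against that list, so a mistyped protocol is only discovered after the properties are written and Tomcat starts; a `case "$RADIUS_AUTH_PROTOCOL" in pap|chap|mschapv1|mschapv2|eap-md5|eap-tls|eap-ttls) ;; *) ...exit 1 ;; esac` before the `set_property` calls would fail fast with the same message. The function begins on L4 and is complete within this hunk.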
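Review bot: Gating on `RADIUS_SHARED_SECRET` makes the `-z "$RADIUS_SHARED_SECRET"` half of the first check inside `associate_radius` unreachable, and an operator who sets `RADIUS_HOSTNAME` and `RADIUS_AUTH_PROTOCOL` but forgets the secret gets the generic "No authentication configured" message instead of the RADIUS-specific one that lists the required variables. The LDAP block just above keys on `LDAP_HOSTNAME`; triggering on either variable, `if [ -n "$RADIUS_HOSTNAME" -o -n "$RADIUS_SHARED_SECRET" ]; then`, lets the function's own validation report exactly which variable is missing. The comment `# Use RADIUS server if specified` should then name the variables that count as "specified".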
@@ -433,10 +521,10 @@ if [ -z "$INSTALLED_AUTH" -a -z "$GUACAMOLE_HOME_TEMPLATE" ]; then
 FATAL: No authentication configured
 -------------------------------------------------------------------------------
 The Guacamole Docker container needs at least one authentication mechanism in
-order to function, such as a MySQL database, PostgreSQL database, or LDAP
-directory. Please specify at least the MYSQL_DATABASE or POSTGRES_DATABASE
-environment variables, or check Guacamole's Docker documentation regarding
-configuring LDAP and/or custom extensions.
+order to function, such as a MySQL database, PostgreSQL database, LDAP
+directory or RADIUS server. Please specify at least the MYSQL_DATABASE or
+POSTGRES_DATABASE environment variables, or check Guacamole's Docker
+documentation regarding configuring LDAP and/or custom extensions.
 END
 exit 1;
 fi
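Review bot: The closing sentence of the FATAL message still reads `documentation regarding configuring LDAP and/or custom extensions.` while the first sentence now lists a RADIUS server as an option; `documentation regarding configuring LDAP, RADIUS and/or custom extensions.` keeps the two halves consistent. The `if` that owns this heredoc is the hunk's header context line, so only its body and `fi` are visible here.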