diff --git a/dd-apps/docker/nextcloud/saml.sh b/dd-apps/docker/nextcloud/saml.sh
index f4484ad..e2c643c 100755
--- a/dd-apps/docker/nextcloud/saml.sh
+++ b/dd-apps/docker/nextcloud/saml.sh
@@ -7,10 +7,11 @@ if [ "${current_nc_saml}" = "{}" ] || [ "${current_nc_saml}" = "[]" ]; then
 fi
 
 # Gather variables
 ## When keycloak gets updated, /auth disappears
+idp_entityid_port="https://sso.${DOMAIN}:8443/auth/realms/master"
 idp_entityid="https://sso.${DOMAIN}/auth/realms/master"
-idp_sso_url="${idp_entityid}/protocol/saml"
+idp_sso_url="https://sso.${DOMAIN}/auth/realms/master/protocol/saml"
 ## This one has no PEM headers or newlines
-idp_x509cert="$(curl -s "${idp_entityid}/protocol/openid-connect/certs" | sed -E 's!.*RS256[^}]*x5c":\["([^"]+)".*!\1!')"
+idp_x509cert="$(curl -s -k "${idp_entityid_port}/protocol/openid-connect/certs" | sed -E 's!.*RS256[^}]*x5c":\["([^"]+)".*!\1!')"
 ## PEM format
 sp_x509cert="$(cat /saml/public.crt)"
diff --git a/dd-ctl b/dd-ctl
index d37f512..4ec7b57 100755
--- a/dd-ctl
+++ b/dd-ctl
@@ -546,6 +546,8 @@ setup_keycloak(){
 export PYTHONWARNINGS='ignore:Unverified HTTPS request'
 cd /admin/saml_scripts/ && python3 keycloak_config.py
 EOF
+
+#./kc.sh import --file ../import/realm.json --override true
 }
 
 saml_generate_certificates(){
diff --git a/dd-sso/docker-compose-parts/keycloak.yml b/dd-sso/docker-compose-parts/keycloak.yml
index 3b53ff3..385beec 100644
--- a/dd-sso/docker-compose-parts/keycloak.yml
+++ b/dd-sso/docker-compose-parts/keycloak.yml
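Review bot: The new `curl -s -k` on the `idp_x509cert` line fetches the IdP's SAML signing certificate with TLS verification disabled, and that certificate is what Nextcloud will later trust to validate assertions, so anyone able to answer for `sso.${DOMAIN}:8443` on the path between the two containers could supply their own key and forge logins. Presumably `-k` was added because the :8443 listener uses the self-signed keystore generated in the Keycloak image; the safer fix is to keep fetching through the verified public endpoint (`"${idp_entityid}/protocol/openid-connect/certs"`) or pass the internal CA with `--cacert` instead of `-k`. Independently, add `-f` and fail closed when the sed match is empty, e.g. `[ -n "${idp_x509cert}" ] || { echo "could not fetch IdP signing cert" >&2; exit 1; }`, otherwise a fetch failure silently configures SAML with an empty certificate. Parsing the JWKS with sed is fragile; `jq -r '.keys[] | select(.alg=="RS256") | .x5c[0]'` would be more robust if jq is available in the container.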
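Review bot: The added `#./kc.sh import --file ../import/realm.json --override true` is a commented-out command with no explanation inside `setup_keycloak()`, placed after the heredoc's `EOF` terminator (so it is a shell comment, not part of the heredoc). Either drop it or turn it into a why-comment a maintainer can act on, e.g. `# Keycloak >=20: the realm is imported at startup via the compose "--import-realm" flag; for a manual re-import run: ./kc.sh import --file ../import/realm.json --override true`. The context line `export PYTHONWARNINGS='ignore:Unverified HTTPS request'` suggests the config script talks to Keycloak without certificate verification; that is pre-existing, but worth revisiting as part of this migration. `setup_keycloak()` begins before this hunk.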
@@ -26,31 +26,39 @@ services:
       args:
         - IMG=${KEYCLOAK_IMG}
     container_name: dd-sso-keycloak
+    hostname: sso.${DOMAIN}
     volumes:
       - /etc/localtime:/etc/localtime:ro
-      - ${BUILD_SSO_ROOT_PATH}/init/keycloak/jsons:/opt/jboss/keycloak/imports
-      - ${BUILD_SSO_ROOT_PATH}/init/keycloak/scripts/:/opt/jboss/startup-scripts/
-      - ${CUSTOM_PATH}/custom/img:/opt/jboss/keycloak/themes/dd/login/resources/custom-img
-      - ${BUILD_SSO_ROOT_PATH}/docker/keycloak/themes/dd-custom:/opt/jboss/keycloak/themes/dd-custom
-      - ${BUILD_SSO_ROOT_PATH}/docker/keycloak/extensions/avatar-minio-extension-bundle-1.0.1.0-SNAPSHOT.ear:/opt/jboss/keycloak/standalone/deployments/avatar-minio-extension-bundle-1.0.1.0-SNAPSHOT.ear
+      # - ${BUILD_SSO_ROOT_PATH}/init/keycloak/jsons/realm:/opt/keycloak/data/import/
+      # - ${BUILD_SSO_ROOT_PATH}/init/keycloak/scripts/:/opt/keycloak/startup-scripts/
+      - ${CUSTOM_PATH}/custom/img:/opt/keycloak/themes/dd/login/resources/custom-img
+      - ${BUILD_SSO_ROOT_PATH}/docker/keycloak/themes/dd-custom:/opt/keycloak/themes/dd-custom
+      # - ${BUILD_SSO_ROOT_PATH}/docker/keycloak/extensions/avatar-minio-extension-bundle-1.0.1.0-SNAPSHOT.ear:/opt/keycloak/standalone/deployments/avatar-minio-extension-bundle-1.0.1.0-SNAPSHOT.ear
     environment:
       - AVATARS_SERVER_URL=http://dd-sso-avatars:9000
       - AVATARS_ACCESS_KEY=${AVATARS_ACCESS_KEY:-AKIAIOSFODNN7EXAMPLE}
       - AVATARS_SECRET_KEY=${AVATARS_SECRET_KEY:-wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY}
-      - KEYCLOAK_IMPORT=/opt/jboss/keycloak/imports/realm.json
-      - DB_VENDOR=POSTGRES
-      - DB_ADDR=${KEYCLOAK_DB_ADDR}
-      - DB_DATABASE=${KEYCLOAK_DB_DATABASE}
-      - DB_USER=${KEYCLOAK_DB_USER}
-      - DB_SCHEMA=public
-      - DB_PASSWORD=${KEYCLOAK_DB_PASSWORD}
-      - KEYCLOAK_USER=${KEYCLOAK_USER}
-      - KEYCLOAK_PASSWORD=${KEYCLOAK_PASSWORD}
-      - PROXY_ADDRESS_FORWARDING=true
-      - KEYCLOAK_FRONTEND_URL=https://sso.${DOMAIN}/auth/
+      - KEYCLOAK_IMPORT=/opt/keycloak/data/import/realm.json
+      - KC_DB=postgres
+      - KC_DB_URL=jdbc:postgresql://${KEYCLOAK_DB_ADDR}:5432/${KEYCLOAK_DB_DATABASE}
+      - KC_DB_USERNAME=${KEYCLOAK_DB_USER}
+      - KC_DB_PASSWORD=${KEYCLOAK_DB_PASSWORD}
+      - KC_TRANSACTION_XA_ENABLED=false
+      - KC_HOSTNAME_STRICT=false
+      - KC_HTTP_ENABLED=true
+      - KC_HTTP_PORT=8080
+      - KC_HOSTNAME_STRICT_HTTPS=false
+      - KEYCLOAK_ADMIN=${KEYCLOAK_USER}
+      - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_PASSWORD}
+      # - PROXY_ADDRESS_FORWARDING=true
+      - KC_HOSTNAME_URL=https://sso.${DOMAIN}/auth/
+      - KC_HOSTNAME_ADMIN_URL=https://sso.${DOMAIN}/auth/
       - DDADMIN_USER=${DDADMIN_USER}
       - DDADMIN_PASSWORD=${DDADMIN_PASSWORD}
       - DDDOMAIN=${DOMAIN}
+      # - JAVA_OPTS_APPEND=-Dkeycloak.migration.strategy=OVERWRITE_EXISTING
+    command:
+      - start --proxy edge --hostname-strict=false --import-realm --http-relative-path=/auth
     depends_on:
       - ${KEYCLOAK_DB_ADDR}
     restart: unless-stopped
diff --git a/dd-sso/docker/keycloak/Dockerfile b/dd-sso/docker/keycloak/Dockerfile
index f61d85d..7acc24a 100644
--- a/dd-sso/docker/keycloak/Dockerfile
+++ b/dd-sso/docker/keycloak/Dockerfile
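Review bot: `--import-realm` in the new `command:` will import nothing unless a realm file is present under `/opt/keycloak/data/import/`, but the only mount that would put one there (`.../init/keycloak/jsons/realm:/opt/keycloak/data/import/`) is commented out, and `KEYCLOAK_IMPORT=/opt/keycloak/data/import/realm.json` is a legacy WildFly-era variable that Keycloak 20 ignores — so the realm with its clients and policies may never be created unless the image bakes the file in, which the Dockerfile in this commit does not appear to do. Uncomment the realm mount and drop the `KEYCLOAK_IMPORT` line. Separately, `KC_HTTP_ENABLED=true` with `--proxy edge` is acceptable behind a TLS-terminating proxy, but in edge mode Keycloak trusts `X-Forwarded-*` headers from anything that can reach port 8080, so the port must never be published outside the compose network (no `ports:` is visible in this hunk, so this is a caveat rather than a defect). With `KC_HOSTNAME_URL` fixed, `KC_HOSTNAME_STRICT=false`, `--hostname-strict=false` and `KC_HOSTNAME_STRICT_HTTPS=false` add nothing and only widen what Keycloak accepts if that URL is ever removed; and `KC_HOSTNAME_ADMIN_URL` set to the public URL means the admin console is served on the public hostname, so restrict `/auth/admin/` at the proxy if that is not intended.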
@@ -1,4 +1,33 @@
 ARG IMG=${KEYCLOAK_IMG}
-FROM ${IMG}
+FROM ${IMG} as builder
+
+# Enable health and metrics support
+ENV KC_HEALTH_ENABLED=true
+ENV KC_METRICS_ENABLED=true
+ENV KC_HTTP_RELATIVE_PATH=/auth
+ENV KC_PROXY=edge
+# Configure a database vendor
+#ENV KC_DB=postgres
+
+WORKDIR /opt/keycloak
+# for demonstration purposes only, please make sure to use proper certificates in production instead
+RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
+
+COPY themes/dd themes/dd
+
+RUN /opt/keycloak/bin/kc.sh build
+
+FROM ${IMG}
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
+
+
+# change these values to point to a running postgres instance
+#ENV KC_DB_URL=
+#ENV KC_DB_USERNAME=
+#ENV KC_DB_PASSWORD=
+#ENV KC_HOSTNAME=localhost
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
+
+
+
 
-COPY themes/dd /opt/jboss/keycloak/themes/dd
diff --git a/dd.conf.sample b/dd.conf.sample
index 407b43e..ee0298f 100644
--- a/dd.conf.sample
+++ b/dd.conf.sample
@@ -174,7 +174,7 @@ WORDPRESS_IMG=wordpress:5.7.2-php7.4-apache
 WORDPRESS_CLI_IMG=wordpress:cli-2.5.0-php7.4
 
 ## KEYCLOAK
-KEYCLOAK_IMG=quay.io/keycloak/keycloak:16.1.1
+KEYCLOAK_IMG=quay.io/keycloak/keycloak:20.0.3
 
 ## ETHERPAD
 #ETHERPAD_IMG=node:16.13.2
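Review bot: The `RUN keytool -genkeypair -storepass password ... -dname "CN=server"` step bakes a self-signed certificate protected by the literal password `password` into every image, and `COPY --from=builder /opt/keycloak/ /opt/keycloak/` carries that keystore into the final stage; the line's own comment says it is for demonstration only. Since TLS is terminated at the proxy (`ENV KC_PROXY=edge`), the HTTPS listener is not needed and the keytool line should be removed; if an internal HTTPS listener really is required, mount a real certificate at runtime via `KC_HTTPS_CERTIFICATE_FILE`/`KC_HTTPS_CERTIFICATE_KEY_FILE` rather than generating one at build time. Keeping it also pushes callers into disabling verification — the saml.sh change in this same commit adds `curl -k` against :8443 for exactly this reason. `KC_HEALTH_ENABLED=true` and `KC_METRICS_ENABLED=true` expose the health and metrics endpoints under the `/auth` relative path, so make sure the proxy does not forward the metrics endpoint publicly. Consider pinning `FROM ${IMG}` by digest rather than the `20.0.3` tag set in dd.conf.sample so the build is reproducible and not subject to tag re-pushes.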