From 5ac87160672d974eddbf9efac00ebf7178f4bba9 Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Tue, 8 Aug 2023 23:37:39 -0400
Subject: [PATCH 01/10] Pass OIDC config from .env to Backend and Frontend

---
 .env.template                      | 6 ++++++
 docker-compose.yml                 | 5 +++++
 files/service/config.json.template | 6 ++++++
 files/service/scripts/start-odk.sh | 2 +-
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/.env.template b/.env.template
index 049afcd9..d114200b 100644
--- a/.env.template
+++ b/.env.template
@@ -29,6 +29,12 @@ HTTPS_PORT=443
 # EMAIL_USER=
 # EMAIL_PASSWORD=
 
+# Optional: configure Single Sign-on with OpenID Connect
+# OIDC_ENABLED=
+# OIDC_DISCOVERY_URL=
+# OIDC_CLIENT_ID=
+# OIDC_CLIENT_SECRET=
+
 # Optional: configure error reporting
 # SENTRY_ORG_SUBDOMAIN=
 # SENTRY_KEY=
diff --git a/docker-compose.yml b/docker-compose.yml
index 4a640b31..b6ee2917 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -64,6 +64,10 @@ services:
       - EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true}
       - EMAIL_USER=${EMAIL_USER:-''}
       - EMAIL_PASSWORD=${EMAIL_PASSWORD:-''}
+      - OIDC_ENABLED=${OIDC_ENABLED:-false}
+      - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
+      - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
+      - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
       - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
       - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
       - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
@@ -85,6 +89,7 @@ services:
       - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
       - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
       - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
+      - OIDC_ENABLED=${OIDC_ENABLED:-false}
     ports:
       - "${HTTP_PORT:-80}:80"
       - "${HTTPS_PORT:-443}:443"
diff --git a/files/service/config.json.template b/files/service/config.json.template
index 1e1f9d53..235a7a17 100644
--- a/files/service/config.json.template
+++ b/files/service/config.json.template
@@ -33,6 +33,12 @@
     "domain": "${BASE_URL}",
     "sysadminAccount": "${SYSADMIN_EMAIL}"
   },
+  "oidc": {
+    "enabled": ${OIDC_ENABLED},
+    "discoveryUrl": "${OIDC_DISCOVERY_URL}",
+    "clientId": "${OIDC_CLIENT_ID}",
+    "clientSecret": "${OIDC_CLIENT_SECRET}"
+  },
   "external": {
     "sentry": {
       "orgSubdomain": "${SENTRY_ORG_SUBDOMAIN}",
diff --git a/files/service/scripts/start-odk.sh b/files/service/scripts/start-odk.sh
index 86a6b35b..935d5486 100755
--- a/files/service/scripts/start-odk.sh
+++ b/files/service/scripts/start-odk.sh
@@ -4,7 +4,7 @@ echo "generating local service configuration.."
 
 ENKETO_API_KEY=$(cat /etc/secrets/enketo-api-key) \
 BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \
-envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
+envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_DISCOVERY_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
 < /usr/share/odk/config.json.template \
 > /usr/odk/config/local.json
 
From f666accadeedac1af01c784c3830dc7ded3cbc9b Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Wed, 9 Aug 2023 18:25:05 -0400
Subject: [PATCH 02/10] Prefix $OIDC_ENABLED with VUE_APP_ for Vue CLI

---
 docker-compose.yml               | 3 ++-
 files/prebuild/build-frontend.sh | 2 +-
 nginx.dockerfile                 | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index b6ee2917..b38b662c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
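Review bot: `"enabled": ${OIDC_ENABLED},` is substituted unquoted, so the generated local.json is valid JSON only when the variable is exactly `true` or `false`; any other spelling an operator puts in .env (`1`, `yes`, `True`) yields a file that does not parse, and the failure only shows up when the service starts. The compose default of `false` covers the unset case but not a mistyped one, so either document the accepted values next to `# OIDC_ENABLED=` in .env.template or reject bad values in start-odk.sh before envsubst runs, e.g. `case "$OIDC_ENABLED" in true|false) ;; *) echo "OIDC_ENABLED must be true or false" >&2; exit 1 ;; esac`. Patch 09 of this series re-adds the same line and has the same gap.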
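Review bot: envsubst performs no JSON escaping, so an `OIDC_CLIENT_SECRET` or URL containing `"` or `\` is copied verbatim into local.json and breaks the file; the existing EMAIL_PASSWORD substitution has the same property, but the client secret is the first value here whose characters are typically chosen by a third party (the identity provider) rather than the operator. A note in .env.template that such characters are unsupported, or a check in this script before the envsubst line, would turn a confusing startup failure into a clear one. Since /usr/odk/config/local.json now holds a credential for the backend's OIDC client, it is also worth confirming the file is not created world-readable; the mode and owner are not visible in this hunk.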
@@ -78,6 +78,8 @@ services:
   nginx:
     build:
       context: .
+      args:
+        - OIDC_ENABLED=${OIDC_ENABLED:-false}
       dockerfile: nginx.dockerfile
     depends_on:
       - service
@@ -89,7 +91,6 @@ services:
       - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
       - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
       - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
-      - OIDC_ENABLED=${OIDC_ENABLED:-false}
     ports:
       - "${HTTP_PORT:-80}:80"
       - "${HTTPS_PORT:-443}:443"
diff --git a/files/prebuild/build-frontend.sh b/files/prebuild/build-frontend.sh
index 6122c321..041cdac6 100755
--- a/files/prebuild/build-frontend.sh
+++ b/files/prebuild/build-frontend.sh
@@ -1,4 +1,4 @@
 #!/bin/bash -eu
 cd client
 npm clean-install --no-audit --fund=false --update-notifier=false
-npm run build
+VUE_APP_OIDC_ENABLED="$OIDC_ENABLED" npm run build
diff --git a/nginx.dockerfile b/nginx.dockerfile
index b07979d7..72b4ecd9 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
@@ -1,8 +1,9 @@
+ARG OIDC_ENABLED
 FROM node:18.17 as intermediate
 
 COPY ./ ./
 RUN files/prebuild/write-version.sh
-RUN files/prebuild/build-frontend.sh
+RUN OIDC_ENABLED="$OIDC_ENABLED" files/prebuild/build-frontend.sh
 
 # when upgrading, look for upstream changes to redirector.conf
 # also, confirm setup-odk.sh strips out HTTP-01 ACME challenge location
From cb643b7f499968cf9bfe5a3b6b9c8cd53aa388de Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Thu, 10 Aug 2023 18:42:17 -0400
Subject: [PATCH 03/10] Remove OIDC_ENABLED config

---
 .env.template                      | 1 -
 docker-compose.yml                 | 5 +++--
 files/prebuild/build-frontend.sh   | 5 ++++-
 files/service/config.json.template | 1 -
 files/service/scripts/start-odk.sh | 2 +-
 nginx.dockerfile                   | 7 +++++--
 6 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/.env.template b/.env.template
index d114200b..a8048486 100644
--- a/.env.template
+++ b/.env.template
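Review bot: `+ARG OIDC_ENABLED` is placed before `FROM`, which makes it a global build argument that is not in scope inside the `intermediate` stage, so `$OIDC_ENABLED` on the `RUN` line expands to an empty string no matter what compose passes in `args:`; the stage needs its own `ARG OIDC_ENABLED` after the `FROM` line. Patch 03 of this series moves the declaration below `FROM`, so the end state is right, but this commit on its own builds the frontend with an empty flag and nothing reports it, since build-frontend.sh's `set -u` only catches unset variables, not empty ones. Giving the argument a default, `ARG OIDC_ENABLED=false`, would also make a build that bypasses docker-compose fail closed instead of passing an empty value through.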
@@ -30,7 +30,6 @@ HTTPS_PORT=443
 # EMAIL_PASSWORD=
 
 # Optional: configure Single Sign-on with OpenID Connect
-# OIDC_ENABLED=
 # OIDC_DISCOVERY_URL=
 # OIDC_CLIENT_ID=
 # OIDC_CLIENT_SECRET=
diff --git a/docker-compose.yml b/docker-compose.yml
index b38b662c..6d317637 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -64,7 +64,6 @@ services:
       - EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true}
       - EMAIL_USER=${EMAIL_USER:-''}
       - EMAIL_PASSWORD=${EMAIL_PASSWORD:-''}
-      - OIDC_ENABLED=${OIDC_ENABLED:-false}
       - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
       - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
       - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
@@ -79,7 +78,9 @@ services:
     build:
       context: .
       args:
-        - OIDC_ENABLED=${OIDC_ENABLED:-false}
+        - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
+        - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
+        - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
       dockerfile: nginx.dockerfile
     depends_on:
       - service
diff --git a/files/prebuild/build-frontend.sh b/files/prebuild/build-frontend.sh
index 041cdac6..799d7ebb 100755
--- a/files/prebuild/build-frontend.sh
+++ b/files/prebuild/build-frontend.sh
@@ -1,4 +1,7 @@
 #!/bin/bash -eu
 cd client
 npm clean-install --no-audit --fund=false --update-notifier=false
-VUE_APP_OIDC_ENABLED="$OIDC_ENABLED" npm run build
+if [[ -n $OIDC_DISCOVERY_URL && -n $OIDC_CLIENT_ID && -n $OIDC_CLIENT_SECRET ]]; then
+  export VUE_APP_OIDC_ENABLED=true
+fi
+npm run build
diff --git a/files/service/config.json.template b/files/service/config.json.template
index 235a7a17..423374d7 100644
--- a/files/service/config.json.template
+++ b/files/service/config.json.template
@@ -34,7 +34,6 @@
     "sysadminAccount": "${SYSADMIN_EMAIL}"
   },
   "oidc": {
-    "enabled": ${OIDC_ENABLED},
     "discoveryUrl": "${OIDC_DISCOVERY_URL}",
     "clientId": "${OIDC_CLIENT_ID}",
     "clientSecret": "${OIDC_CLIENT_SECRET}"
diff --git a/files/service/scripts/start-odk.sh b/files/service/scripts/start-odk.sh
index 935d5486..f8669fde 100755
--- a/files/service/scripts/start-odk.sh
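Review bot: `OIDC_CLIENT_SECRET` is handed to the nginx image build as a build arg, which copies the secret into the build itself: Docker records the ARG values a `RUN` step references in that layer's history metadata, keeps them in the builder's cache, and prints them in build output. The final image here is a later stage (not shown), so the secret may not ship in the published image, but it still sits on every build host and in CI logs, and the frontend build never needs it, only a yes/no flag. The secret and client id should be dropped from `args:` and from the matching `ARG`/`RUN` lines in the nginx.dockerfile hunk of this same patch. Patch 07 of this series removes both, which resolves the point.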
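Review bot: the new `[[ -n $OIDC_DISCOVERY_URL && -n $OIDC_CLIENT_ID && -n $OIDC_CLIENT_SECRET ]]` treats any non-empty string as "configured", but compose supplies these values as `${OIDC_CLIENT_SECRET:-''}`, and as far as I can tell compose interpolation inserts the two quote characters literally when the variable is unset, so the build arg arrives as `''` rather than empty and the test passes on an install with no OIDC configured at all. If that reading is right, every default build would advertise single sign-on in the frontend. Either use a genuinely empty default (`${OIDC_CLIENT_SECRET:-}`) on the compose side or keep an explicit boolean switch, which is what patch 09 of this series returns to; patch 07's reduced test `[[ -n $OIDC_DISCOVERY_URL ]]` has the same exposure.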
+++ b/files/service/scripts/start-odk.sh
@@ -4,7 +4,7 @@ echo "generating local service configuration.."
 
 ENKETO_API_KEY=$(cat /etc/secrets/enketo-api-key) \
 BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \
-envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_DISCOVERY_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
+envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_DISCOVERY_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
 < /usr/share/odk/config.json.template \
 > /usr/odk/config/local.json
 
diff --git a/nginx.dockerfile b/nginx.dockerfile
index 72b4ecd9..6ddfb91e 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
@@ -1,9 +1,12 @@
-ARG OIDC_ENABLED
 FROM node:18.17 as intermediate
+ARG OIDC_DISCOVERY_URL
+ARG OIDC_CLIENT_ID
+ARG OIDC_CLIENT_SECRET
 
 COPY ./ ./
 RUN files/prebuild/write-version.sh
-RUN OIDC_ENABLED="$OIDC_ENABLED" files/prebuild/build-frontend.sh
+RUN OIDC_DISCOVERY_URL="$OIDC_DISCOVERY_URL" OIDC_CLIENT_ID="$OIDC_CLIENT_ID" OIDC_CLIENT_SECRET="$OIDC_CLIENT_SECRET" \
+  files/prebuild/build-frontend.sh
 
 # when upgrading, look for upstream changes to redirector.conf
 # also, confirm setup-odk.sh strips out HTTP-01 ACME challenge location
From 735cbe72ad0b974f6905826c026b5733af1bbc17 Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Thu, 10 Aug 2023 22:48:00 -0400
Subject: [PATCH 04/10] Can we echo OIDC_DISCOVERY_URL if we pass it via environment?

---
 docker-compose.yml               | 7 +++----
 files/prebuild/build-frontend.sh | 7 ++++---
 nginx.dockerfile                 | 7 ++-----
 3 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 6d317637..e1e5c76e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -77,10 +77,6 @@ services:
   nginx:
     build:
       context: .
-      args:
-        - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
-        - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
-        - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
       dockerfile: nginx.dockerfile
     depends_on:
       - service
@@ -92,6 +88,9 @@ services:
       - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
       - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
       - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
+      - OIDC_DISCOVERY_URL=foobar
+      - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
+      - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
     ports:
       - "${HTTP_PORT:-80}:80"
       - "${HTTPS_PORT:-443}:443"
diff --git a/files/prebuild/build-frontend.sh b/files/prebuild/build-frontend.sh
index 799d7ebb..f5e51696 100755
--- a/files/prebuild/build-frontend.sh
+++ b/files/prebuild/build-frontend.sh
@@ -1,7 +1,8 @@
 #!/bin/bash -eu
+echo "\$OIDC_DISCOVERY_URL in build-frontend.sh: [${OIDC_DISCOVERY_URL:-blank}]"
 cd client
 npm clean-install --no-audit --fund=false --update-notifier=false
-if [[ -n $OIDC_DISCOVERY_URL && -n $OIDC_CLIENT_ID && -n $OIDC_CLIENT_SECRET ]]; then
-  export VUE_APP_OIDC_ENABLED=true
-fi
+# if [[ -n $OIDC_DISCOVERY_URL && -n $OIDC_CLIENT_ID && -n $OIDC_CLIENT_SECRET ]]; then
+#   export VUE_APP_OIDC_ENABLED=true
+# fi
 npm run build
diff --git a/nginx.dockerfile b/nginx.dockerfile
index 6ddfb91e..fd842e4a 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
@@ -1,12 +1,9 @@
 FROM node:18.17 as intermediate
-ARG OIDC_DISCOVERY_URL
-ARG OIDC_CLIENT_ID
-ARG OIDC_CLIENT_SECRET
 
 COPY ./ ./
 RUN files/prebuild/write-version.sh
-RUN OIDC_DISCOVERY_URL="$OIDC_DISCOVERY_URL" OIDC_CLIENT_ID="$OIDC_CLIENT_ID" OIDC_CLIENT_SECRET="$OIDC_CLIENT_SECRET" \
-  files/prebuild/build-frontend.sh
+RUN echo "\$OIDC_DISCOVERY_URL in the Dockerfile: [${OIDC_DISCOVERY_URL:-blank}]"
+RUN files/prebuild/build-frontend.sh
 
 # when upgrading, look for upstream changes to redirector.conf
 # also, confirm setup-odk.sh strips out HTTP-01 ACME challenge location
From 8171f6c4614f48298d96ea6378af7ad1f0529415 Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Thu, 10 Aug 2023 23:17:51 -0400
Subject: [PATCH 05/10] Can we echo OIDC_DISCOVERY_URL if we pass it via build.args?

---
 docker-compose.yml               | 7 ++++---
 files/prebuild/build-frontend.sh | 6 +++---
 nginx.dockerfile                 | 6 +++++-
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index e1e5c76e..b2309a15 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -77,6 +77,10 @@ services:
   nginx:
     build:
       context: .
+      args:
+        - OIDC_DISCOVERY_URL=foobar
+        - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
+        - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
       dockerfile: nginx.dockerfile
     depends_on:
       - service
@@ -88,9 +92,6 @@ services:
       - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
       - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
       - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
-      - OIDC_DISCOVERY_URL=foobar
-      - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
-      - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
     ports:
       - "${HTTP_PORT:-80}:80"
       - "${HTTPS_PORT:-443}:443"
diff --git a/files/prebuild/build-frontend.sh b/files/prebuild/build-frontend.sh
index f5e51696..de4bb76f 100755
--- a/files/prebuild/build-frontend.sh
+++ b/files/prebuild/build-frontend.sh
@@ -2,7 +2,7 @@
 echo "\$OIDC_DISCOVERY_URL in build-frontend.sh: [${OIDC_DISCOVERY_URL:-blank}]"
 cd client
 npm clean-install --no-audit --fund=false --update-notifier=false
-# if [[ -n $OIDC_DISCOVERY_URL && -n $OIDC_CLIENT_ID && -n $OIDC_CLIENT_SECRET ]]; then
-#   export VUE_APP_OIDC_ENABLED=true
-# fi
+if [[ -n $OIDC_DISCOVERY_URL && -n $OIDC_CLIENT_ID && -n $OIDC_CLIENT_SECRET ]]; then
+  export VUE_APP_OIDC_ENABLED=true
+fi
 npm run build
diff --git a/nginx.dockerfile b/nginx.dockerfile
index fd842e4a..b7222f79 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
@@ -1,9 +1,13 @@
 FROM node:18.17 as intermediate
+ARG OIDC_DISCOVERY_URL
+ARG OIDC_CLIENT_ID
+ARG OIDC_CLIENT_SECRET
 
 COPY ./ ./
 RUN files/prebuild/write-version.sh
 RUN echo "\$OIDC_DISCOVERY_URL in the Dockerfile: [${OIDC_DISCOVERY_URL:-blank}]"
-RUN files/prebuild/build-frontend.sh
+RUN OIDC_DISCOVERY_URL="$OIDC_DISCOVERY_URL" OIDC_CLIENT_ID="$OIDC_CLIENT_ID" OIDC_CLIENT_SECRET="$OIDC_CLIENT_SECRET" \
+  files/prebuild/build-frontend.sh
 
 # when upgrading, look for upstream changes to redirector.conf
 # also, confirm setup-odk.sh strips out HTTP-01 ACME challenge location
From e287887ab6d182cac1709781705ebfa39e2d4ff5 Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Thu, 10 Aug 2023 23:42:51 -0400
Subject: [PATCH 06/10] Revert echo experiments

---
 docker-compose.yml               | 2 +-
 files/prebuild/build-frontend.sh | 1 -
 nginx.dockerfile                 | 1 -
 3 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index b2309a15..6d317637 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -78,7 +78,7 @@ services:
     build:
       context: .
       args:
-        - OIDC_DISCOVERY_URL=foobar
+        - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
         - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
         - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
       dockerfile: nginx.dockerfile
diff --git a/files/prebuild/build-frontend.sh b/files/prebuild/build-frontend.sh
index de4bb76f..799d7ebb 100755
--- a/files/prebuild/build-frontend.sh
+++ b/files/prebuild/build-frontend.sh
@@ -1,5 +1,4 @@
 #!/bin/bash -eu
-echo "\$OIDC_DISCOVERY_URL in build-frontend.sh: [${OIDC_DISCOVERY_URL:-blank}]"
 cd client
 npm clean-install --no-audit --fund=false --update-notifier=false
 if [[ -n $OIDC_DISCOVERY_URL && -n $OIDC_CLIENT_ID && -n $OIDC_CLIENT_SECRET ]]; then
diff --git a/nginx.dockerfile b/nginx.dockerfile
index b7222f79..6ddfb91e 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
@@ -5,7 +5,6 @@ ARG OIDC_CLIENT_SECRET
 
 COPY ./ ./
 RUN files/prebuild/write-version.sh
-RUN echo "\$OIDC_DISCOVERY_URL in the Dockerfile: [${OIDC_DISCOVERY_URL:-blank}]"
 RUN OIDC_DISCOVERY_URL="$OIDC_DISCOVERY_URL" OIDC_CLIENT_ID="$OIDC_CLIENT_ID" OIDC_CLIENT_SECRET="$OIDC_CLIENT_SECRET" \
   files/prebuild/build-frontend.sh
 
From f59a7a5ff2d73fed1a4184f1df87d2d7f2ffb823 Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Tue, 15 Aug 2023 20:56:14 -0400
Subject: [PATCH 07/10] Only pass OIDC_DISCOVERY_URL to nginx.dockerfile

---
 docker-compose.yml               | 2 --
 files/prebuild/build-frontend.sh | 2 +-
 nginx.dockerfile                 | 5 +----
 3 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 6d317637..1d44d7ac 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -79,8 +79,6 @@ services:
       context: .
       args:
         - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
-        - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
-        - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
       dockerfile: nginx.dockerfile
     depends_on:
       - service
diff --git a/files/prebuild/build-frontend.sh b/files/prebuild/build-frontend.sh
index 799d7ebb..a4b36a59 100755
--- a/files/prebuild/build-frontend.sh
+++ b/files/prebuild/build-frontend.sh
@@ -1,7 +1,7 @@
 #!/bin/bash -eu
 cd client
 npm clean-install --no-audit --fund=false --update-notifier=false
-if [[ -n $OIDC_DISCOVERY_URL && -n $OIDC_CLIENT_ID && -n $OIDC_CLIENT_SECRET ]]; then
+if [[ -n $OIDC_DISCOVERY_URL ]]; then
   export VUE_APP_OIDC_ENABLED=true
 fi
 npm run build
diff --git a/nginx.dockerfile b/nginx.dockerfile
index 6ddfb91e..137aca11 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
@@ -1,12 +1,9 @@
 FROM node:18.17 as intermediate
 ARG OIDC_DISCOVERY_URL
-ARG OIDC_CLIENT_ID
-ARG OIDC_CLIENT_SECRET
 
 COPY ./ ./
 RUN files/prebuild/write-version.sh
-RUN OIDC_DISCOVERY_URL="$OIDC_DISCOVERY_URL" OIDC_CLIENT_ID="$OIDC_CLIENT_ID" OIDC_CLIENT_SECRET="$OIDC_CLIENT_SECRET" \
-  files/prebuild/build-frontend.sh
+RUN OIDC_DISCOVERY_URL="$OIDC_DISCOVERY_URL" files/prebuild/build-frontend.sh
 
 # when upgrading, look for upstream changes to redirector.conf
 # also, confirm setup-odk.sh strips out HTTP-01 ACME challenge location
From 6b3b2950f242616996233338510e813ca59bae7f Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Mon, 21 Aug 2023 10:57:33 -0400
Subject: [PATCH 08/10] Move ARG to immediately before use

---
 nginx.dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx.dockerfile b/nginx.dockerfile
index 137aca11..5c407f6d 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
@@ -1,8 +1,8 @@
 FROM node:18.17 as intermediate
-ARG OIDC_DISCOVERY_URL
 
 COPY ./ ./
 RUN files/prebuild/write-version.sh
+ARG OIDC_DISCOVERY_URL
 RUN OIDC_DISCOVERY_URL="$OIDC_DISCOVERY_URL" files/prebuild/build-frontend.sh
 
 # when upgrading, look for upstream changes to redirector.conf
From 44c7353a2d3b77d0990e57f6e6ab3283f71d226f Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Mon, 21 Aug 2023 16:40:19 -0400
Subject: [PATCH 09/10] Add back OIDC_ENABLED variable

---
 .env.template                      | 1 +
 docker-compose.yml                 | 3 ++-
 files/prebuild/build-frontend.sh   | 5 +----
 files/service/config.json.template | 1 +
 files/service/scripts/start-odk.sh | 2 +-
 nginx.dockerfile                   | 4 ++--
 6 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.env.template b/.env.template
index a8048486..d114200b 100644
--- a/.env.template
+++ b/.env.template
@@ -30,6 +30,7 @@ HTTPS_PORT=443
 # EMAIL_PASSWORD=
 
 # Optional: configure Single Sign-on with OpenID Connect
+# OIDC_ENABLED=
 # OIDC_DISCOVERY_URL=
 # OIDC_CLIENT_ID=
 # OIDC_CLIENT_SECRET=
diff --git a/docker-compose.yml b/docker-compose.yml
index 1d44d7ac..b38b662c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -64,6 +64,7 @@ services:
       - EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true}
       - EMAIL_USER=${EMAIL_USER:-''}
       - EMAIL_PASSWORD=${EMAIL_PASSWORD:-''}
+      - OIDC_ENABLED=${OIDC_ENABLED:-false}
       - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
       - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
       - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
@@ -78,7 +79,7 @@ services:
     build:
       context: .
       args:
-        - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
+        - OIDC_ENABLED=${OIDC_ENABLED:-false}
       dockerfile: nginx.dockerfile
     depends_on:
       - service
diff --git a/files/prebuild/build-frontend.sh b/files/prebuild/build-frontend.sh
index a4b36a59..041cdac6 100755
--- a/files/prebuild/build-frontend.sh
+++ b/files/prebuild/build-frontend.sh
@@ -1,7 +1,4 @@
 #!/bin/bash -eu
 cd client
 npm clean-install --no-audit --fund=false --update-notifier=false
-if [[ -n $OIDC_DISCOVERY_URL ]]; then
-  export VUE_APP_OIDC_ENABLED=true
-fi
-npm run build
+VUE_APP_OIDC_ENABLED="$OIDC_ENABLED" npm run build
diff --git a/files/service/config.json.template b/files/service/config.json.template
index 423374d7..235a7a17 100644
--- a/files/service/config.json.template
+++ b/files/service/config.json.template
@@ -34,6 +34,7 @@
     "sysadminAccount": "${SYSADMIN_EMAIL}"
   },
   "oidc": {
+    "enabled": ${OIDC_ENABLED},
     "discoveryUrl": "${OIDC_DISCOVERY_URL}",
     "clientId": "${OIDC_CLIENT_ID}",
     "clientSecret": "${OIDC_CLIENT_SECRET}"
diff --git a/files/service/scripts/start-odk.sh b/files/service/scripts/start-odk.sh
index f8669fde..935d5486 100755
--- a/files/service/scripts/start-odk.sh
+++ b/files/service/scripts/start-odk.sh
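Review bot: `VUE_APP_OIDC_ENABLED="$OIDC_ENABLED" npm run build` forwards whatever string is in .env without checking it, so the frontend can receive `1`, `yes` or `False` as easily as `true`; Vue CLI exposes env values as strings, and any non-empty string, including `"false"`, is truthy in JavaScript, so the client code must compare against the literal `'true'` rather than test truthiness (not visible from this hunk, so worth confirming). Normalising once in this script keeps that contract in one place, e.g. `if [[ "$OIDC_ENABLED" == true ]]; then export VUE_APP_OIDC_ENABLED=true; fi` before `npm run build`, so the frontend only ever sees `true` or an unset variable.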
@@ -4,7 +4,7 @@ echo "generating local service configuration.."
 
 ENKETO_API_KEY=$(cat /etc/secrets/enketo-api-key) \
 BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \
-envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_DISCOVERY_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
+envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_DISCOVERY_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
 < /usr/share/odk/config.json.template \
 > /usr/odk/config/local.json
 
diff --git a/nginx.dockerfile b/nginx.dockerfile
index 5c407f6d..cced9345 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
@@ -2,8 +2,8 @@ FROM node:18.17 as intermediate
 
 COPY ./ ./
 RUN files/prebuild/write-version.sh
-ARG OIDC_DISCOVERY_URL
-RUN OIDC_DISCOVERY_URL="$OIDC_DISCOVERY_URL" files/prebuild/build-frontend.sh
+ARG OIDC_ENABLED
+RUN OIDC_ENABLED="$OIDC_ENABLED" files/prebuild/build-frontend.sh
 
 # when upgrading, look for upstream changes to redirector.conf
 # also, confirm setup-odk.sh strips out HTTP-01 ACME challenge location
From 7fcfeaffeb231cf65e1bfa4ba311f6d32480e176 Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Mon, 21 Aug 2023 19:00:44 -0400
Subject: [PATCH 10/10] Rename OIDC_DISCOVERY_URL to OIDC_ISSUER_URL

---
 .env.template                      | 2 +-
 docker-compose.yml                 | 2 +-
 files/service/config.json.template | 2 +-
 files/service/scripts/start-odk.sh | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.env.template b/.env.template
index d114200b..ca710a43 100644
--- a/.env.template
+++ b/.env.template
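Review bot: `ARG OIDC_ENABLED` is declared without a default, so a build that does not go through docker-compose (a plain `docker build -f nginx.dockerfile .`) runs build-frontend.sh with `OIDC_ENABLED=""`; the script's `set -u` does not catch this because the variable is set, only empty, and the frontend is built with an empty `VUE_APP_OIDC_ENABLED`. Declaring it as `ARG OIDC_ENABLED=false` makes the Dockerfile fail closed on its own instead of depending on the `${OIDC_ENABLED:-false}` default that lives in docker-compose.yml.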
@@ -31,7 +31,7 @@ HTTPS_PORT=443
 
 # Optional: configure Single Sign-on with OpenID Connect
 # OIDC_ENABLED=
-# OIDC_DISCOVERY_URL=
+# OIDC_ISSUER_URL=
 # OIDC_CLIENT_ID=
 # OIDC_CLIENT_SECRET=
 
diff --git a/docker-compose.yml b/docker-compose.yml
index b38b662c..28755a1b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -65,7 +65,7 @@ services:
       - EMAIL_USER=${EMAIL_USER:-''}
       - EMAIL_PASSWORD=${EMAIL_PASSWORD:-''}
       - OIDC_ENABLED=${OIDC_ENABLED:-false}
-      - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
+      - OIDC_ISSUER_URL=${OIDC_ISSUER_URL:-''}
       - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
       - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
       - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
diff --git a/files/service/config.json.template b/files/service/config.json.template
index 235a7a17..c4500224 100644
--- a/files/service/config.json.template
+++ b/files/service/config.json.template
@@ -35,7 +35,7 @@
   },
   "oidc": {
     "enabled": ${OIDC_ENABLED},
-    "discoveryUrl": "${OIDC_DISCOVERY_URL}",
+    "issuerUrl": "${OIDC_ISSUER_URL}",
     "clientId": "${OIDC_CLIENT_ID}",
     "clientSecret": "${OIDC_CLIENT_SECRET}"
   },
diff --git a/files/service/scripts/start-odk.sh b/files/service/scripts/start-odk.sh
index 935d5486..dd92d804 100755
--- a/files/service/scripts/start-odk.sh
+++ b/files/service/scripts/start-odk.sh
@@ -4,7 +4,7 @@ echo "generating local service configuration.."
 
 ENKETO_API_KEY=$(cat /etc/secrets/enketo-api-key) \
 BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \
-envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_DISCOVERY_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
+envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_ISSUER_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
 < /usr/share/odk/config.json.template \
 > /usr/odk/config/local.json
 