From 8b8fddf1e469195156ac8ed83708ba8af7448d7e Mon Sep 17 00:00:00 2001
From: Moritz
Date: Wed, 22 Mar 2023 17:29:34 +0100
Subject: [PATCH] nextcloud sso blueprint

---
 .env.sample | 5 ++++
 abra.sh | 2 ++
 compose.nextcloud.yml | 26 ++++++++++++++++++++
 nextcloud.yaml.tmpl | 56 +++++++++++++++++++++++++++++++++++++++++++
 release/next | 15 ++++++++++++
 5 files changed, 104 insertions(+)
 create mode 100644 compose.nextcloud.yml
 create mode 100644 nextcloud.yaml.tmpl

diff --git a/.env.sample b/.env.sample
index 1a810dd..7e83ab0 100644
--- a/.env.sample
+++ b/.env.sample
@@ -2,6 +2,7 @@ TYPE=authentik
 LETS_ENCRYPT_ENV=production
 DOMAIN=authentik.example.com
+COMPOSE_FILE="compose.yml"
 AUTHENTIK_ERROR_REPORTING__ENABLED=true
 AUTHENTIK_LOG_LEVEL=info
 # AUTHENTIK_IMPERSONATION=true
@@ -38,3 +39,7 @@ COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud.yml"
+# NEXTCLOUD_DOMAIN=nextcloud.example.com
+# SECRET_NEXTCLOUD_ID_VERSION=v1
+# SECRET_NEXTCLOUD_SECRET_VERSION=v1
diff --git a/abra.sh b/abra.sh
index 8ff4ebd..14b1bf3 100644
--- a/abra.sh
+++ b/abra.sh
@@ -5,6 +5,7 @@ export FLOW_INVALIDATION_VERSION=v1
 export FLOW_RECOVERY_VERSION=v1
 export FLOW_TRANSLATION_VERSION=v1
 export SYSTEM_TENANT_VERSION=v1
+export NEXTCLOUD_CONFIG_VERSION=v1
 customize() {
   if [ -z "$1" ]
@@ -102,6 +103,7 @@ delete_flows = ['default-recovery-flow' , 'custom-authentication-flow' , 'invita
 Flow.objects.filter(slug__in=delete_flows).delete()
 Stage.objects.filter(flow=None).delete()
 Prompt.objects.filter(promptstage=None).delete()
+Tenant.objects.filter(default=True).delete()
 """
 apply_blueprints
 }
diff --git a/compose.nextcloud.yml b/compose.nextcloud.yml
new file mode 100644
index 0000000..965b6c0
--- /dev/null
+++ b/compose.nextcloud.yml
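Review bot: `Tenant.objects.filter(default=True).delete()` in the blueprint_cleanup heredoc removes every tenant flagged as default, not only authentik's built-in one; if the recipe's own system tenant (SYSTEM_TENANT_VERSION is exported in the earlier hunk) is also created with `default: true`, it is deleted as well and the instance runs on an unconfigured fallback tenant until `apply_blueprints` has recreated it. Scoping the cleanup to the built-in tenant's identifier, `Tenant.objects.filter(domain="authentik-default").delete()`, limits the deletion to what the commit intends. Whether `Tenant` is in scope the same way `Flow`, `Stage` and `Prompt` are depends on the shell the heredoc is fed to, which is outside the hunk, as is the start of the enclosing function.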
@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - nextcloud_id
+      - nextcloud_secret
+    environment:
+      - NEXTCLOUD_DOMAIN
+    configs:
+      - source: nextcloud
+        target: /blueprints/nextcloud.yaml
+
+secrets:
+  nextcloud_id:
+    external: true
+    name: ${STACK_NAME}_nextcloud_id_${SECRET_NEXTCLOUD_ID_VERSION}
+  nextcloud_secret:
+    external: true
+    name: ${STACK_NAME}_nextcloud_secret_${SECRET_NEXTCLOUD_SECRET_VERSION}
+
+
+configs:
+  nextcloud:
+    name: ${STACK_NAME}_nextcloud_${NEXTCLOUD_CONFIG_VERSION}
+    file: nextcloud.yaml.tmpl
+    template_driver: golang
diff --git a/nextcloud.yaml.tmpl b/nextcloud.yaml.tmpl
new file mode 100644
index 0000000..dfb764f
--- /dev/null
+++ b/nextcloud.yaml.tmpl
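Review bot: The worker's `configs:` entry renders `nextcloud.yaml.tmpl` with `template_driver: golang`, and that template reads `nextcloud_secret`, so the rendered `/blueprints/nextcloud.yaml` carries the OAuth client secret as an ordinary config file on the container's filesystem rather than in the tmpfs-backed `/run/secrets` mount the `secrets:` block provides. That is a reasonable trade-off for a blueprint authentik has to read from disk, but it should be stated next to the mount so nobody later copies the file out for debugging or widens where it is mounted: `# rendered at task start; contains the OAuth client secret, so it lives in the container fs, not /run/secrets`. As far as Docker's config templating goes the config object itself holds the template rather than the rendered value, but that is worth confirming for the swarm version in use.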
@@ -0,0 +1,56 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: Nextcloud
+
+entries:
+- attrs:
+    description: nextcloud
+    expression: 'return { "nextcloud_groups": [{"gid": group.name, "displayName":
+      group.name} for group in request.user.ak_groups.all()], }'
+    managed: null
+    scope_name: nextcloud
+  conditions: []
+  id: nextcloud_group_mapping
+  identifiers:
+    name: nextcloud
+  model: authentik_providers_oauth2.scopemapping
+  state: present
+
+- attrs:
+    access_code_validity: minutes=1
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: {{ secret "nextcloud_id" }}
+    client_secret: {{ secret "nextcloud_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Nextcloud
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    - !KeyOf nextcloud_group_mapping
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: user_username
+    token_validity: days=30
+  conditions: []
+  id: nextcloud_provider
+  identifiers:
+    pk: 9999
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env "NEXTCLOUD_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf nextcloud_provider
+    slug: nextcloud
+  conditions: []
+  id: nextcloud_application
+  identifiers:
+    name: Nextcloud
+  model: authentik_core.application
+  state: present
diff --git a/release/next b/release/next
index d48cd21..b434fdf 100644
--- a/release/next
+++ b/release/next
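Review bot: The `nextcloud_provider` entry sets no `redirect_uris`, so the OAuth2 provider is created with an empty allow-list; authentik's documented behaviour for an empty field is to accept and persist the first redirect URI a client presents, which leaves the callback target trust-on-first-use instead of pinned to the Nextcloud host the blueprint already knows through `NEXTCLOUD_DOMAIN`. Adding `redirect_uris: https://{{ env "NEXTCLOUD_DOMAIN" }}/<nextcloud-oidc-callback-path>` to the provider's attrs (the path depends on which Nextcloud OIDC app is in use) closes that gap. Separately, `client_id` and `client_secret` are templated in as unquoted plain scalars, so a generated value containing YAML-significant characters such as `#` or `: ` would break or silently truncate the blueprint; either quote them or note in a comment that the generated secrets must stay plain alphanumerics. `sub_mode: user_username` also ties the Nextcloud account to the mutable username, so a renamed or re-created authentik user maps onto the existing Nextcloud account; if that is intended to match existing Nextcloud user ids, a one-line comment saying so would stop a later "fix".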
@@ -1 +1,16 @@
 Run `abra app cmd worker blueprint_cleanup` to apply the new blueprint configuration and delete the old configuration.
+
+If the nextcloud provider should be managed by abra add the following to the env:
+
+    COMPOSE_FILE="compose.yml:compose.nextcloud.yml"
+    NEXTCLOUD_DOMAIN=nextcloud.example.com
+    SECRET_NEXTCLOUD_ID_VERSION=v1
+    SECRET_NEXTCLOUD_SECRET_VERSION=v1
+
+and generate the secrets:
+
+    abra app secret generate -a
+
+Eventuelly you need to manually remove the old nextcloud provider and application
+
+Don't forget to update the nextcloud config for authentik as well.