diff --git a/.env.sample b/.env.sample
index 682ce02..e7edec9 100644
--- a/.env.sample
+++ b/.env.sample
@@ -1,6 +1,6 @@
 TYPE=civicrm-wordpress
-DOMAIN=civicrm.example.com
+DOMAIN=civicrm-wordpress.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.civicrm.example.com`'
@@ -37,3 +37,20 @@ SECRET_CIVICRM_SITE_KEY_VERSION=v1 # length=16
 SECRET_CIVICRM_CRED_KEY_VERSION=v1 # length=43
 SECRET_CIVICRM_SIGN_KEY_VERSION=v1 # length=43
 SECRET_WORDPRESS_ADMIN_PASSWORD_VERSION=v1
+
+## -- OpenId Connect --
+
+#COMPOSE_FILE="compose.yml:compose.openidconnect.yml"
+#OPEN_ID_CLIENT_ID=
+#SECRET_OPEN_ID_CLIENT_SECRET_VERSION=v1
+
+# If you are using authentik, just set this
+#AUTHENTIK_DOMAIN=authentik.company
+
+# Otherwise, you must set all of these
+#OPEN_ID_PROVIDER_LOGIN_URL=https://authentik.company/application/o/authorize/
+#OPEN_ID_USERINFO_URL=https://authentik.company/application/o/userinfo/
+#OPEN_ID_TOKEN_ENDPOINT_URL=https://authentik.company/application/o/token/
+#OPEN_ID_END_SESSION_URL=https://authentik.company/application/o/wordpress/end-session/
+
+## -- OpenId Connect --
diff --git a/abra.sh b/abra.sh
index 03a1ae3..af8f31e 100644
--- a/abra.sh
+++ b/abra.sh
@@ -31,6 +31,7 @@ file_env "SMTP_PASSWORD"
 export APACHE_SITES_AVAILABLE_CONF_VERSION=v1
 export CIVICRM_SETTINGS_PHP_VERSION=v1
 export ENTRYPOINT_VERSION=v1
+export OPENID_SETTINGS_VERSION=v1
 change_password(){
 echo "Changing password for $1"
diff --git a/compose.openidconnect.yml b/compose.openidconnect.yml
new file mode 100644
index 0000000..fe2eb3b
--- /dev/null
+++ b/compose.openidconnect.yml
@@ -0,0 +1,14 @@
+---
+version: "3.8"
+
+services:
+ app:
+ environment:
+ - OPEN_ID_CLIENT_SECRET_FILE=/run/secrets/openid_client_secret
+ secrets:
+ - openid_client_secret
+
+secrets:
+ openid_client_secret:
+ external: true
+ name: ${STACK_NAME}_openid_client_secret_${SECRET_OPEN_ID_CLIENT_SECRET_VERSION}
\ No newline at end of file
diff --git a/compose.yml b/compose.yml
index 06753ce..de2f433 100644
--- a/compose.yml
+++ b/compose.yml
@@ -45,6 +45,8 @@ services:
 mode: 555
 - source: civicrm-settings-php
 target: /usr/local/etc/civicrm/civicrm.settings.php
+ - source: openid-settings
+ target: /usr/local/etc/civicrm/openid_settings.json
 entrypoint: /usr/local/bin/entrypoint.sh
 deploy:
 restart_policy:
@@ -139,6 +141,10 @@ configs:
 name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
 file: entrypoint.sh
 template_driver: golang
+ openid-settings:
+ name: ${STACK_NAME}_openid_settings_${OPENID_SETTINGS_VERSION}
+ file: openid_settings.json
+ template_driver: golang
 secrets:
 db_root_password:
diff --git a/entrypoint.sh b/entrypoint.sh
index 3f7bd4d..78b88cc 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -29,6 +29,7 @@ file_env "CIVICRM_SITE_KEY"
 file_env "CIVICRM_CRED_KEYS"
 file_env "SMTP_PASSWORD"
 file_env "WORDPRESS_ADMIN_PASSWORD"
+file_env "OPEN_ID_CLIENT_SECRET"
 if [[ "${1-default}" == "cron" ]]; then
 echo "============ Running cron job ============"
@@ -88,6 +89,35 @@ pushd /var/www/html/wp-content/uploads/civicrm/
 fi
 popd
+if [[ -n "${OPEN_ID_CLIENT_ID}" ]]; then
+ # install OpenID Connect Generic plugin
+ if ! su civicrm -c "wp plugin is-installed daggerhart-openid-connect-generic"; then
+ echo "============ Running OpenId Connect Install ============"
+ su civicrm -c "wp plugin install daggerhart-openid-connect-generic --activate"
+ fi
+
+ # if openid connect hasn't been configured, insert default settings
+ if ! su civicrm -c "wp option get openid_connect_generic_settings"; then
+ su civicrm -c "wp option add openid_connect_generic_settings --format=json < /usr/local/etc/civicrm/openid_settings.json"
+ fi
+
+ echo "============ Configuring OpenId Connect ============"
+ su civicrm -c "wp option patch update openid_connect_generic_settings client_id $OPEN_ID_CLIENT_ID"
+ su civicrm -c "wp option patch update openid_connect_generic_settings client_secret $OPEN_ID_CLIENT_SECRET"
+
+ if [[ -n "${AUTHENTIK_DOMAIN}" ]]; then
+ su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_login https://$AUTHENTIK_DOMAIN/application/o/authorize/"
+ su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_userinfo https://$AUTHENTIK_DOMAIN/application/o/userinfo/"
+ su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_token https://$AUTHENTIK_DOMAIN/application/o/token/"
+ su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_end_session https://$AUTHENTIK_DOMAIN/application/o/wordpress/end-session/"
+ else
+ su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_login $OPEN_ID_PROVIDER_LOGIN_URL"
+ su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_userinfo $OPEN_ID_USERINFO_URL"
+ su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_token $OPEN_ID_TOKEN_ENDPOINT_URL"
+ su civicrm -c "wp option patch update openid_connect_generic_settings endpoint_end_session $OPEN_ID_END_SESSION_URL"
+ fi
+fi
+
 echo "============ Setting up cron ============"
 printenv > /etc/environment
 apt update && apt install -y cron
diff --git a/openid_settings.json b/openid_settings.json
new file mode 100644
index 0000000..9740478
--- /dev/null
+++ b/openid_settings.json
@@ -0,0 +1,29 @@
+
+{
+ "login_type":"button",
+ "client_id":"",
+ "client_secret":"",
+ "scope":"email profile openid offline_access",
+ "endpoint_login":"",
+ "endpoint_userinfo":"",
+ "endpoint_token":"",
+ "endpoint_end_session":"",
+ "acr_values":"",
+ "identity_key":"preferred_username",
+ "no_sslverify":"0",
+ "http_request_timeout":"5",
+ "enforce_privacy":"0",
+ "alternate_redirect_uri":"0",
+ "nickname_key":"preferred_username",
+ "email_format":"{email}",
+ "displayname_format":"",
+ "identify_with_username":"0",
+ "state_time_limit":"180",
+ "token_refresh_enable":"1",
+ "link_existing_users":"0",
+ "create_if_does_not_exist":"1",
+ "redirect_user_back":"0",
+ "redirect_on_logout":"1",
+ "enable_logging":"0",
+ "log_limit":"1000"
+}
\ No newline at end of file
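Review bot: The existence check `if ! su civicrm -c "wp option get openid_connect_generic_settings"; then` prints the whole stored option, client_secret included, to stdout on every start where it already exists, so the secret lands in the container log; redirect it: `if ! su civicrm -c "wp option get openid_connect_generic_settings" >/dev/null 2>&1; then`. The patch lines also splice `$OPEN_ID_CLIENT_SECRET`, `$OPEN_ID_CLIENT_ID` and the URL variables unquoted into a string the inner shell re-parses, so a secret containing a space, `$` or a quote is split or expanded before wp sees it, and every value is visible in the su argv; `client_secret $(printf '%q' "$OPEN_ID_CLIENT_SECRET")"` keeps the value intact (the argv exposure remains and deserves a comment). In the non-authentik branch an unset `OPEN_ID_*_URL` yields a patch call with no value at all; a `: "${OPEN_ID_PROVIDER_LOGIN_URL:?}"`-style check ahead of the `else` branch would fail early with a clear message instead. The context line `printenv > /etc/environment` below the block is pre-existing, but with this hunk it now also persists OPEN_ID_CLIENT_SECRET to that file.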
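Review bot: These defaults are applied only once, because entrypoint.sh runs `wp option add` only when the option does not yet exist, so a later edit here combined with a bump of OPENID_SETTINGS_VERSION replaces the mounted file but leaves an already-deployed site's settings untouched; JSON cannot carry that comment, so it belongs next to the OpenID block in .env.sample. The combination `"create_if_does_not_exist":"1"`, `"link_existing_users":"0"` and `"identify_with_username":"0"` appears to mean every identity the provider asserts is given a fresh WordPress account keyed on preferred_username rather than matched to an existing one — a deliberate trust decision if so, and one the sample env should name so operators can revisit it.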