From 6927e29796a19b309a74b48ff2cf769cb19fc6aa Mon Sep 17 00:00:00 2001
From: Philipp Rothmann
Date: Thu, 30 Jun 2022 20:02:47 +0200
Subject: [PATCH] add sso saml config
---
 .env.sample | 6 +++++
 README.md | 6 +++++
 abra.sh | 1 +
 compose.yml | 12 +++++++++
 local.yaml.tmpl | 66 +++++++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 91 insertions(+)
 create mode 100644 local.yaml.tmpl
diff --git a/.env.sample b/.env.sample
index 71a9f93..703815d 100644
--- a/.env.sample
+++ b/.env.sample
@@ -8,3 +8,9 @@ LETS_ENCRYPT_ENV=production
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
+
+# SSO_ENABLED=0
+# SSO_PROVIDER_URL=https://sso.example.org/
+# SSO_SAML_URL=https://sso.example.org/application/saml//sso/binding/redirect/
+# SSO_LOGOUT_URL=https://sso.example.org/if/session-end//
+# SSO_CERT="muchmuchbase64certificatefoobar=="
diff --git a/README.md b/README.md
index 85c384a..51d9730 100644
--- a/README.md
+++ b/README.md
@@ -28,3 +28,9 @@ Based on the recommended [`tobybatch/kimai2`] compose file.
 [`tobybatch/kimai2`]: https://tobybatch.github.io/kimai2/docker-compose.html#docker-compose
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
 [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
+
+
+run from within container:
+
+export DATABASE_URL="$DATABASE_TYPE://$DATABASE_USER:$(cat /run/secrets/db_password)@$DATABASE_HOST/$DATABASE_NAME"
+/opt/kimai/bin/console kimai:create-user admin admin@example.com ROLE_SUPER_ADMIN
diff --git a/abra.sh b/abra.sh
index 5c54e9d..13741a6 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1 +1,2 @@
 export ENTRYPOINT_CONF_VERSION=v1
+export LOCAL_CONF_VERSION=v1
diff --git a/compose.yml b/compose.yml
index 266fb71..70cfc5e 100644
--- a/compose.yml
+++ b/compose.yml
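Review bot: The sample `SSO_SAML_URL` and `SSO_LOGOUT_URL` values contain an empty path segment (`saml//sso/` and `session-end//`) where, as far as I can tell, the identity provider's application slug is meant to go, so someone copying the sample cannot see that a value is missing there. A labelled placeholder makes the intent explicit, e.g. `# SSO_SAML_URL=https://sso.example.org/application/saml/<app-slug>/sso/binding/redirect/` and `# SSO_LOGOUT_URL=https://sso.example.org/if/session-end/<app-slug>/`. A one-line comment above the block, `# SAML single sign-on (optional): set SSO_ENABLED=1 and fill in the provider values`, would also tell readers that all five keys belong together.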
@@ -13,6 +13,12 @@ services:
 - DATABASE_NAME=kimai
 - DATABASE_USER=kimai
 - DATABASE_PASSWORD_FILE=/run/secrets/db_password
+ - DOMAIN
+ - SSO_ENABLED
+ - SSO_PROVIDER_URL
+ - SSO_SAML_URL
+ - SSO_LOGOUT_URL
+ - SSO_CERT
 volumes:
 - kimai_public:/opt/kimai/public
 - kimai_var:/opt/kimai/var
@@ -23,6 +29,8 @@ services:
 - source: entrypoint_conf
 target: /docker-entrypoint.sh
 mode: 0555
+ - source: local_conf
+ target: /opt/kimai/config/packages/local.yaml
 secrets:
 - db_password
 - admin_password
@@ -98,3 +106,7 @@ configs:
 name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
 file: entrypoint.sh.tmpl
 template_driver: golang
+ local_conf:
+ name: ${STACK_NAME}_local_config_${LOCAL_CONF_VERSION}
+ file: local.yaml.tmpl
+ template_driver: golang
diff --git a/local.yaml.tmpl b/local.yaml.tmpl
new file mode 100644
index 0000000..011d289
--- /dev/null
+++ b/local.yaml.tmpl
@@ -0,0 +1,66 @@
+kimai:
+{{ if eq (env "SSO_ENABLED") "1" }}
+ saml:
+ activate: true
+ title: Login with SAML
+ mapping:
+ - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
+ - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias }
+ roles:
+ attribute: http://schemas.xmlsoap.org/claims/Group
+ mapping:
+ # Insert your roles here (ROLE_USER is added automatically)
+ - { saml: admin.group, kimai: ROLE_ADMIN }
+ connection:
+ # You SAML provider
+ # Your Authentik instance, replace https://authentik.company with your authentik URL
+ idp:
+ entityId: "{{ env "SSO_PROVIDER_URL" }}"
+ singleSignOnService:
+ url: "{{ env "SSO_SAML_URL" }}"
+ binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ # the "single logout" feature was not yet tested, if you want to help, please let me know!
+ singleLogoutService:
+ url: "{{ env "SSO_LOGOUT_URL" }}"
+ binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ # Signing certificate from *Advanced protocol settings*
+ x509cert: "{{ env "SSO_CERT" }}"
+ # Service Provider Data that we are deploying.
+ # Your Kimai instance, replace https://kimai.dev.local-it.cloud with your Kimai URL
+ sp:
+ entityId: "https://{{ env "DOMAIN" }}"
+ assertionConsumerService:
+ url: "https://{{ env "DOMAIN" }}/auth/saml/acs"
+ binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ singleLogoutService:
+ url: "https://{{ env "DOMAIN" }}/auth/saml/logout"
+ binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ #privateKey: ''
+ # only set baseurl, if auto-detection doesn't work
+ baseurl: "https://{{ env "DOMAIN" }}/auth/saml/"
+ strict: false
+ debug: true
+ security:
+ nameIdEncrypted: false
+ authnRequestsSigned: false
+ logoutRequestSigned: false
+ logoutResponseSigned: false
+ wantMessagesSigned: false
+ wantAssertionsSigned: false
+ wantNameIdEncrypted: false
+ requestedAuthnContext: true
+ signMetadata: false
+ wantXMLValidation: true
+ signatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+ digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256"
+ contactPerson:
+ technical:
+ givenName: "Kimai Admin"
+ emailAddress: "admin@example.com"
+ organization:
+ en:
+ name: "Kimai"
+ displayname: "Kimai"
+ url: "https://{{ env "DOMAIN" }}"
+{{ end }}
+
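Review bot: The `security:` block in this template turns off every check that would let the service reject a tampered or unsigned SAML response — `strict: false` together with `wantMessagesSigned: false` and `wantAssertionsSigned: false` — and `debug: true` on top exposes toolkit error detail to the browser; as far as I can tell from the php-saml settings these keys map to, a response with no valid signature would then be accepted, which makes the IdP `x509cert` configured above pointless. Because this file is a deployable default and not a local test fixture, I would ship it as `strict: true`, `debug: false`, `wantAssertionsSigned: true` (with `wantMessagesSigned` enabled as well if the provider signs the whole response), and document in a comment why these must stay on. The comments `# You SAML provider`, `# Your Authentik instance, replace https://authentik.company with your authentik URL` and `# Your Kimai instance, replace https://kimai.dev.local-it.cloud with your Kimai URL` are copied from an example and no longer apply, since the values now come from `SSO_*` and `DOMAIN`; I would replace them with something like `# IdP settings, filled from the SSO_* environment variables` and `# SP settings, derived from DOMAIN`. `baseurl` is also set unconditionally although the comment directly above it says to set it only when auto-detection fails, so either the comment or the line should go.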