feat: add keycloak support

2021-09-21 12:50:40 +02:00 · 2021-09-21 12:50:40 +02:00 · c285ec4d95
parent 58389e11fd
commit c285ec4d95
6 changed files with 67 additions and 1 deletions
--- a/.env.sample
+++ b/.env.sample
@ -14,3 +14,10 @@ COMPOSE_FILE="compose.yml:compose.mssql.yml"
 # OIDC_CLIENT_ID=
 # OIDC_ISSUER_URL=
 # SECRET_OIDC_CLIENT_SECRET=v1
+
+# Keycloak integration
+# COMPOSE_FILE="compose.yml:compose.keycloak.yml"
+# KEYCLOAK_ENABLED=1
+# KEYCLOAK_CLIENT_ID=
+# KEYCLOAK_CLIENT_TOKEN_URL=
+# SECRET_KEYCLOAK_CLIENT_SECRET=v1
--- a/abra.sh
+++ b/abra.sh
@ -1,2 +1,4 @@
-export CUSTOM_ENTRYPOINT_VERSION=v1
+export CUSTOM_ENTRYPOINT_VERSION=v2
 export OIDC_CONF_VERSION=v1
+export PAM_EXEC_OAUTH2_YAML_VERSION=v1
+export PAM_SCRIPT_AUTH_VERSION=v1
--- a/compose.keycloak.yml
+++ b/compose.keycloak.yml
@ -0,0 +1,36 @@
+---
+version: "3.8"
+
+# WARNING: Requires your own Keycloak and is a work-around for the server pro
+#          restrictions for SSO integration. This is experimental. Please speak
+#          to washnote.com folks if you need support, it is being used there.
+
+services:
+  app:
+    configs:
+      - source: pam_exec_oauth2_yaml
+        target: /opt/pam-exec-oauth2/pam-exec-oauth2.yaml
+        mode: 0600
+      - source: pam_script_auth_sh
+        target: /usr/share/libpam-script/pam_script_auth
+        mode: 0555
+    environment:
+      - KEYCLOAK_ENABLED
+      - KEYCLOAK_CLIENT_ID
+      - KEYCLOAK_TOKEN_URL
+    secrets:
+      - keycloak_client_secret
+
+configs:
+  pam_exec_oauth2_yaml:
+    name: ${STACK_NAME}_pam_exec_oauth2_yaml_${PAM_EXEC_OAUTH2_YAML_VERSION}
+    file: pam-exec-oauth2.yaml.tmpl
+    template_driver: golang
+  pam_script_auth_sh:
+    name: ${STACK_NAME}_pam_script_auth_sh_${PAM_SCRIPT_AUTH_VERSION}
+    file: pam_script_auth.sh
+
+secrets:
+  keycloak_client_secret:
+    name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET}
+    external: true
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -29,4 +29,13 @@ echo 'auth-openid-issuer={{ env "OIDC_ISSUER_URL"}}' >> /etc/rstudio/rserver.con
 echo 'auth-openid-base-uri=https://{{ env "DOMAIN" }}' >> /etc/rstudio/rserver.conf
 {{ end }}

+{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
+apt install -y libpam-script
+echo 'auth sufficient pam_exec.so expose_authtok /opt/pam-exec-oauth2/pam-exec-oauth2' >> /etc/pam.d/common-auth
+echo 'auth optional pam_script.so' >> /etc/pam.d/common-auth
+mkdir -p /opt/pam-exec-oauth2/
+wget https://github.com/WASHNote/pam-exec-oauth2/releases/download/v0.0.1/pam-exec-oauth2 -O /opt/pam-exec-oauth2/pam-exec-oauth2
+chmod +x /opt/pam-exec-oauth2/pam-exec-oauth2
+{{ end }}
+
 exec "$@"
--- a/pam-exec-oauth2.yaml.tmpl
+++ b/pam-exec-oauth2.yaml.tmpl
@ -0,0 +1,8 @@
+{
+   client-id: "{{ env "KEYCLOAK_CLIENT_ID" }}",
+   client-secret: "{{ secret "keycloak_client_secret" }}",
+   scopes: ["profile"],
+   endpoint-token-url: "{{ env "KEYCLOAK_TOKEN_URL" }}",
+   extra-parameters: {
+   },
+}
--- a/pam_script_auth.sh
+++ b/pam_script_auth.sh
@ -0,0 +1,4 @@
+#!/bin/bash
+if ! id "$PAM_USER" &>/dev/null; then
+	adduser $PAM_USER --disabled-password --quiet --gecos ""
+fi