Skip to content

Commit

Permalink
Allow to configure OIDC providers from environment variables
Browse files Browse the repository at this point in the history
  • Loading branch information
subuk committed Sep 1, 2024
1 parent 53f125a commit afa120d
Show file tree
Hide file tree
Showing 3 changed files with 100 additions and 2 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/dev.yml
Original file line number Diff line number Diff line change
Expand Up @@ -271,6 +271,7 @@ jobs:
no
no
no
no
$(pwd)/.dredd
admin
admin@localhost
Expand Down Expand Up @@ -352,6 +353,7 @@ jobs:
no
no
no
no
$(pwd)/.dredd
admin
admin@localhost
Expand Down Expand Up @@ -433,6 +435,7 @@ jobs:
no
no
no
no
$(pwd)/.dredd
admin
admin@localhost
Expand Down Expand Up @@ -513,6 +516,7 @@ jobs:
no
no
no
no
$(pwd)/.dredd
admin
admin@localhost
Expand Down
50 changes: 48 additions & 2 deletions cli/setup/setup.go
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ func InteractiveSetup(conf *util.ConfigType) {
askValue("Playbook path", defaultPlaybookPath, &conf.TmpPath)
conf.TmpPath = filepath.Clean(conf.TmpPath)

askValue("Public URL (optional, example: https://example.com/semaphore)", "", &conf.WebHost)
askValue("Public URL (required for OIDC authentication, example: https://example.com/semaphore)", "", &conf.WebHost)

askConfirmation("Enable email alerts?", false, &conf.EmailAlert)
if conf.EmailAlert {
Expand All @@ -72,7 +72,7 @@ func InteractiveSetup(conf *util.ConfigType) {
askConfirmation("Enable Rocket.Chat alerts?", false, &conf.RocketChatAlert)
if conf.RocketChatAlert {
askValue("Rocket.Chat Webhook URL", "", &conf.RocketChatUrl)
}
}

askConfirmation("Enable Microsoft Team Channel alerts?", false, &conf.MicrosoftTeamsAlert)
if conf.MicrosoftTeamsAlert {
Expand All @@ -92,6 +92,7 @@ func InteractiveSetup(conf *util.ConfigType) {
askValue("LDAP mapping for full name field", "cn", &conf.LdapMappings.CN)
askValue("LDAP mapping for email field", "mail", &conf.LdapMappings.Mail)
}
scanOidcProviders(conf)
}

func scanBoltDb(conf *util.ConfigType) {
Expand Down Expand Up @@ -123,6 +124,51 @@ func scanPostgres(conf *util.ConfigType) {
}
}

func scanOidcProviders(conf *util.ConfigType) {
conf.OidcProviders = map[string]util.OidcProvider{}
for {
var addOidcProvider bool
askConfirmation("Add another OIDC provider?", false, &addOidcProvider)
if !addOidcProvider {
break
}
providerId := ""
for providerId == "" {
askValue("Provider configuration id (used in redirect url)", "", &providerId)
}
provider := util.OidcProvider{}

askValue("Display Name", "", &provider.DisplayName)
askValue("Client id", "", &provider.ClientID)
askValue("Client secret", "", &provider.ClientSecret)
askValue("Autodiscovery url", "", &provider.AutoDiscovery)
askValue("Issuer url", "", &provider.Endpoint.IssuerURL)
askValue("Auth url", "", &provider.Endpoint.AuthURL)
askValue("Token url", "", &provider.Endpoint.TokenURL)
askValue("User info url", "", &provider.Endpoint.UserInfoURL)

defaultRedirectUrl := conf.WebHost + "/api/auth/oidc/" + providerId + "/redirect/"
askValue("Redirect url", defaultRedirectUrl, &provider.RedirectURL)

rawScopes := ""
askValue("Scopes (comma separated)", "openid,profile,email", &rawScopes)
for _, scope := range strings.Split(rawScopes, ",") {
scope := strings.TrimSpace(scope)
provider.Scopes = append(provider.Scopes, scope)
}

askValue("Color", "", &provider.Color)
askValue("Icon", "", &provider.Icon)

askValue("Username claim", "", &provider.UsernameClaim)
askValue("Name claim", "", &provider.NameClaim)
askValue("Email claim", "", &provider.EmailClaim)
askValue("Order", "", &provider.Order)

conf.OidcProviders[providerId] = provider
}
}

func scanErrorChecker(n int, err error) {
if err != nil && err.Error() != "unexpected newline" {
log.Warn("An input error occurred: " + err.Error())
Expand Down
48 changes: 48 additions & 0 deletions deployment/docker/server/server-wrapper
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,54 @@ ${SEMAPHORE_LDAP_MAPPING_EMAIL}
EOF
fi;

oidcProviderNum=0
while :
do
oidcProviderNum=$((oidcProviderNum+1))
providerIdVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_ID"
providerDisplayNameVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_DISPLAY_NAME"
providerClientIdVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_CLIENT_ID"
providerClientSecretVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_CLIENT_SECRET"
providerAutodiscoveryUrlVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_AUTODISCOVERY_URL"
providerIssuerUrlVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_ISSUER_URL"
providerAuthUrlVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_AUTH_URL"
providerTokenUrlVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_TOKEN_URL"
providerUserInfoUrlVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_USER_INFO_URL"
providerRedirectUrlVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_REDIRECT_URL"
providerScopesVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_SCOPES"
providerColorVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_COLOR"
providerIconVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_ICON"
providerUsernameClaimVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_USERNAME_CLAIM"
providerNameClaimVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_NAME_CLAIM"
providerEmailClaimVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_EMAIL_CLAIM"
providerOrderVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_ORDER"

if [ -z "$(eval echo \$$providerIdVar)" ]; then
echo "no" >> "${SEMAPHORE_TMP_PATH}/config.stdin"
break
fi

echo "yes" >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerIdVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerDisplayNameVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerClientIdVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerClientSecretVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerAutodiscoveryUrlVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerIssuerUrlVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerAuthUrlVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerTokenUrlVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerUserInfoUrlVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerRedirectUrlVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerScopesVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerColorVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerIconVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerUsernameClaimVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerNameClaimVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$providerEmailClaimVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
eval echo \$$oidcProviderNum >> "${SEMAPHORE_TMP_PATH}/config.stdin"
done


cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin"
${SEMAPHORE_CONFIG_PATH}
${SEMAPHORE_ADMIN}
Expand Down

0 comments on commit afa120d

Please sign in to comment.