Docker: Add SAML configuration

To configure SAML, ENABLE_SAML must be set to True in .env. Additionally, the following files must be provided in ./secrets/saml/: - sp.crt - sp.key - saml_settings.json The files will be added as Docker secrets. Even though saml_settings.json does not contain secret information per se it is nonetheless added as a secret for simplicity. Technically, the file is equally suited to be configured as a "Docker config". Please note: - This patch has not been tested yet. - python3-saml's version should probably be pinned.
2020-08-17 14:19:51 +02:00 · 2020-08-17 14:19:51 +02:00 · 9a2d3a3760
commit 9a2d3a3760
parent 3cb3ef2974
7 changed files with 49 additions and 2 deletions
--- a/docker/docker-compose.yml.m4
+++ b/docker/docker-compose.yml.m4
@ -99,6 +99,9 @@ services:
      << : *default-osserver-env
    secrets:
      - django
+      ifelse(read_env(`ENABLE_SAML'), `True',- saml_cert
+      - saml_key
+      - saml_config)
    ifelse(read_env(`OPENSLIDES_BACKEND_SERVICE_REPLICAS'),,,deploy:
      replicas: ifenvelse(`OPENSLIDES_BACKEND_SERVICE_REPLICAS', 1))

@ -111,6 +114,9 @@ services:
      - django
      ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
      ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
+      ifelse(read_env(`ENABLE_SAML'), `True',- saml_cert
+      - saml_key
+      - saml_config)
    depends_on:
      - pgbouncer
      - redis
@ -226,5 +232,11 @@ secrets:
    file: ./secrets/adminsecret.env)
  ifelse(USER_SECRET_AVAILABLE, 0,os_user:
    file: ./secrets/usersecret.env)
+  ifelse(read_env(`ENABLE_SAML'), `True', saml_cert:
+    file: ./secrets/saml/sp.crt
+  saml_key:
+    file: ./secrets/saml/sp.key
+  saml_config:
+    file: ./secrets/saml/saml_settings.json)

 # vim: set sw=2 et:
--- a/docker/docker-stack.yml.m4
+++ b/docker/docker-stack.yml.m4
@ -97,6 +97,9 @@ services:
      << : *default-osserver-env
    secrets:
      - django
+      ifelse(read_env(`ENABLE_SAML'), `True',- saml_cert
+      - saml_key
+      - saml_config)
    deploy:
      restart_policy:
        condition: on-failure
@ -112,6 +115,9 @@ services:
      - django
      ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
      ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
+      ifelse(read_env(`ENABLE_SAML'), `True',- saml_cert
+      - saml_key
+      - saml_config)

  client:
    image: FRONTEND_IMAGE
@ -260,5 +266,11 @@ secrets:
    file: ./secrets/adminsecret.env)
  ifelse(USER_SECRET_AVAILABLE, 0,os_user:
    file: ./secrets/usersecret.env)
+  ifelse(read_env(`ENABLE_SAML'), `True', saml_cert:
+    file: ./secrets/saml/sp.crt
+  saml_key:
+    file: ./secrets/saml/sp.key
+  saml_config:
+    file: ./secrets/saml/saml_settings.json)

 # vim: set sw=2 et:
--- a/server/docker/Dockerfile
+++ b/server/docker/Dockerfile
@ -50,8 +50,14 @@ RUN apt-get install --no-install-recommends -y \
 RUN rm -rf /var/lib/apt/lists/*

 COPY requirements /app/requirements
-RUN pip install -r requirements/production.txt -r requirements/big_mode.txt && \
-      rm -rf /root/.cache/pip
+RUN pip install -r requirements/production.txt -r requirements/big_mode.txt \
+    -r requirements/saml.txt && \
+    rm -rf /root/.cache/pip
+
+# SAML
+COPY docker/saml-setup.sh /usr/local/lib/
+RUN mkdir -p /app/personal_data/var/certs/ && \
+      chown -R openslides:openslides /app/personal_data/var/

 USER openslides
 # the `empty` folder is used for the dummy http server für the migrate entrypoint to serve no files.
--- a/server/docker/entrypoint
+++ b/server/docker/entrypoint
@ -11,6 +11,9 @@ source /run/secrets/django
 }
 export SECRET_KEY="$DJANGO_SECRET_KEY"

+# SAML setup
+. /usr/local/lib/saml-setup.sh
+
 # TODO: env variable for this host
 wait-for-it -t 0 "server-setup:8000"

--- a/server/docker/entrypoint-db-setup
+++ b/server/docker/entrypoint-db-setup
@ -82,5 +82,8 @@ if [[ -f /run/secrets/os_user ]]; then
  fi
 fi

+# SAML setup
+. /usr/local/lib/saml-setup.sh
+
 echo "Done migrating and setting up user accounts..."
 python -m http.server --directory /app/empty --bind 0.0.0.0 8000
--- a/server/docker/saml-setup.sh
+++ b/server/docker/saml-setup.sh
@ -0,0 +1,10 @@
+# SAML setup
+if [[ "$ENABLE_SAML" = True ]]; then
+  echo "Setting up SAML"
+  for i in /run/secrets/saml_{cert,key,config}; do
+    [[ -f "$i" ]] || { echo "ERROR: $i not found!"; exit 3; }
+  done
+  ln -s /run/secrets/saml_cert   /app/personal_data/var/certs/sp.crt
+  ln -s /run/secrets/saml_key    /app/personal_data/var/certs/sp.key
+  ln -s /run/secrets/saml_config /app/personal_data/var/saml_settings.json
+fi
--- a/server/requirements/saml.txt
+++ b/server/requirements/saml.txt
@ -0,0 +1 @@
+python3-saml