ag-admin/OpenSlides
0
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Docker: Add SAML configuration

Browse Source 
To configure SAML, ENABLE_SAML must be set to True in .env.
Additionally, the following files must be provided in ./secrets/saml/:

  - sp.crt
  - sp.key
  - saml_settings.json

The files will be added as Docker secrets.

Even though saml_settings.json does not contain secret information
per se it is nonetheless added as a secret for simplicity.  Technically,
the file is equally suited to be configured as a "Docker config".

Please note:

  - This patch has not been tested yet.
  - python3-saml's version should probably be pinned.
This commit is contained in:
Gernot Schulz 2020-08-17 14:19:51 +02:00 committed by Finn Stutzenstein
parent 3cb3ef2974
commit 9a2d3a3760
No known key found for this signature in database
GPG Key ID: 9042F605C6324654
7 changed files with 49 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
docker/docker-compose.yml.m4
View File

@ -99,6 +99,9 @@ services:
<< : *default-osserver-env << : *default-osserver-env
secrets: secrets:
- django - django
ifelse(read_env(`ENABLE_SAML'), `True',- saml_cert
- saml_key
- saml_config)
ifelse(read_env(`OPENSLIDES_BACKEND_SERVICE_REPLICAS'),,,deploy: ifelse(read_env(`OPENSLIDES_BACKEND_SERVICE_REPLICAS'),,,deploy:
replicas: ifenvelse(`OPENSLIDES_BACKEND_SERVICE_REPLICAS', 1)) replicas: ifenvelse(`OPENSLIDES_BACKEND_SERVICE_REPLICAS', 1))
@ -111,6 +114,9 @@ services:
- django - django
ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin) ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
ifelse(USER_SECRET_AVAILABLE, 0,- os_user) ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
ifelse(read_env(`ENABLE_SAML'), `True',- saml_cert
- saml_key
- saml_config)
depends_on: depends_on:
- pgbouncer - pgbouncer
- redis - redis
@ -226,5 +232,11 @@ secrets:
file: ./secrets/adminsecret.env) file: ./secrets/adminsecret.env)
ifelse(USER_SECRET_AVAILABLE, 0,os_user: ifelse(USER_SECRET_AVAILABLE, 0,os_user:
file: ./secrets/usersecret.env) file: ./secrets/usersecret.env)
ifelse(read_env(`ENABLE_SAML'), `True', saml_cert:
file: ./secrets/saml/sp.crt
saml_key:
file: ./secrets/saml/sp.key
saml_config:
file: ./secrets/saml/saml_settings.json)
# vim: set sw=2 et: # vim: set sw=2 et:

12
docker/docker-stack.yml.m4
View File

@ -97,6 +97,9 @@ services:
<< : *default-osserver-env << : *default-osserver-env
secrets: secrets:
- django - django
ifelse(read_env(`ENABLE_SAML'), `True',- saml_cert
- saml_key
- saml_config)
deploy: deploy:
restart_policy: restart_policy:
condition: on-failure condition: on-failure
@ -112,6 +115,9 @@ services:
- django - django
ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin) ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
ifelse(USER_SECRET_AVAILABLE, 0,- os_user) ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
ifelse(read_env(`ENABLE_SAML'), `True',- saml_cert
- saml_key
- saml_config)
client: client:
image: FRONTEND_IMAGE image: FRONTEND_IMAGE
@ -260,5 +266,11 @@ secrets:
file: ./secrets/adminsecret.env) file: ./secrets/adminsecret.env)
ifelse(USER_SECRET_AVAILABLE, 0,os_user: ifelse(USER_SECRET_AVAILABLE, 0,os_user:
file: ./secrets/usersecret.env) file: ./secrets/usersecret.env)
ifelse(read_env(`ENABLE_SAML'), `True', saml_cert:
file: ./secrets/saml/sp.crt
saml_key:
file: ./secrets/saml/sp.key
saml_config:
file: ./secrets/saml/saml_settings.json)
# vim: set sw=2 et: # vim: set sw=2 et:

10
server/docker/Dockerfile
View File

@ -50,8 +50,14 @@ RUN apt-get install --no-install-recommends -y \
RUN rm -rf /var/lib/apt/lists/* RUN rm -rf /var/lib/apt/lists/*
COPY requirements /app/requirements COPY requirements /app/requirements
RUN pip install -r requirements/production.txt -r requirements/big_mode.txt && \ RUN pip install -r requirements/production.txt -r requirements/big_mode.txt \
rm -rf /root/.cache/pip -r requirements/saml.txt && \
rm -rf /root/.cache/pip
# SAML
COPY docker/saml-setup.sh /usr/local/lib/
RUN mkdir -p /app/personal_data/var/certs/ && \
chown -R openslides:openslides /app/personal_data/var/
USER openslides USER openslides
# the `empty` folder is used for the dummy http server für the migrate entrypoint to serve no files. # the `empty` folder is used for the dummy http server für the migrate entrypoint to serve no files.

3
server/docker/entrypoint
View File

@ -11,6 +11,9 @@ source /run/secrets/django
} }
export SECRET_KEY="$DJANGO_SECRET_KEY" export SECRET_KEY="$DJANGO_SECRET_KEY"
# SAML setup
. /usr/local/lib/saml-setup.sh
# TODO: env variable for this host # TODO: env variable for this host
wait-for-it -t 0 "server-setup:8000" wait-for-it -t 0 "server-setup:8000"

3
server/docker/entrypoint-db-setup
View File

@ -82,5 +82,8 @@ if [[ -f /run/secrets/os_user ]]; then
fi fi
fi fi
# SAML setup
. /usr/local/lib/saml-setup.sh
echo "Done migrating and setting up user accounts..." echo "Done migrating and setting up user accounts..."
python -m http.server --directory /app/empty --bind 0.0.0.0 8000 python -m http.server --directory /app/empty --bind 0.0.0.0 8000

10
server/docker/saml-setup.sh Normal file
View File

@ -0,0 +1,10 @@
# SAML setup
if [[ "$ENABLE_SAML" = True ]]; then
echo "Setting up SAML"
for i in /run/secrets/saml_{cert,key,config}; do
[[ -f "$i" ]] || { echo "ERROR: $i not found!"; exit 3; }
done
ln -s /run/secrets/saml_cert /app/personal_data/var/certs/sp.crt
ln -s /run/secrets/saml_key /app/personal_data/var/certs/sp.key
ln -s /run/secrets/saml_config /app/personal_data/var/saml_settings.json
fi

1
server/requirements/saml.txt Normal file
View File

@ -0,0 +1 @@
python3-saml