From 17a52f8f9cc19e014d2b10a7cab3edc525c5f05d Mon Sep 17 00:00:00 2001 From: Bence Date: Tue, 10 Dec 2024 12:57:30 +0100 Subject: [PATCH] feat: sso setup (#1026) * feat: sso setup * feat: refactor script --- web/kratos/Dockerfile | 1 + web/kratos/entrypoint.sh | 2 + web/kratos/kratos.template.yaml | 48 ---------------------- web/kratos/oidc-setup.sh | 71 +++++++++++++++++++++++++++++++++ 4 files changed, 74 insertions(+), 48 deletions(-) create mode 100644 web/kratos/oidc-setup.sh diff --git a/web/kratos/Dockerfile b/web/kratos/Dockerfile index 3ee0281aa..745cddaa1 100644 --- a/web/kratos/Dockerfile +++ b/web/kratos/Dockerfile @@ -7,6 +7,7 @@ RUN apk add gettext COPY . /usr/bin/app/kratos RUN mkdir -p /etc/config/kratos && chmod a+x /usr/bin/app/kratos/entrypoint.sh && \ + chmod a+x /usr/bin/app/kratos/oidc-setup.sh && \ chown -R 10000:10000 /etc/config/kratos && \ chmod -R 700 /etc/config/kratos diff --git a/web/kratos/entrypoint.sh b/web/kratos/entrypoint.sh index d98795f01..af2f71208 100644 --- a/web/kratos/entrypoint.sh +++ b/web/kratos/entrypoint.sh @@ -15,6 +15,8 @@ export OIDC_GOOGLE_SCHEMA_MAPPER OIDC_AZURE_SCHEMA_MAPPER=$(base64 -w 0 /usr/bin/app/kratos/oidc/azure.schema.jsonnet) export OIDC_AZURE_SCHEMA_MAPPER +source "/usr/bin/app/kratos/oidc-setup.sh" || exit 1 + envsubst '${KRATOS_URL}, ${KRATOS_ADMIN_URL}, ${CRUX_UI_URL}, ${FROM_EMAIL}, ${FROM_NAME}, ${OIDC_GITLABHUB_SCHEMA_MAPPER}, ${OIDC_GOOGLE_SCHEMA_MAPPER}, ${OIDC_AZURE_SCHEMA_MAPPER}' < /usr/bin/app/kratos/kratos.template.yaml > /etc/config/kratos/kratos.yaml exec kratos $@ diff --git a/web/kratos/kratos.template.yaml b/web/kratos/kratos.template.yaml index d5d054dca..cdef7b0f1 100644 --- a/web/kratos/kratos.template.yaml +++ b/web/kratos/kratos.template.yaml 
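Review bot: `source "/usr/bin/app/kratos/oidc-setup.sh" || exit 1` uses the bash-only `source` spelling; if entrypoint.sh runs under `/bin/sh` (its shebang is outside this hunk) the portable form is `. /usr/bin/app/kratos/oidc-setup.sh || exit 1`. The sourced script calls `exit 1` on its own validation failures, which ends the sourcing shell directly, so the `|| exit 1` here only covers the file failing to load; a one-line comment such as `# oidc-setup.sh exits on its own when a provider is half-configured` would keep the next reader from expecting it to catch validation errors. The sourced script also toggles `set +eu`/`set -eu` inside checkProvider and leaves `set -eu` enabled when it returns, so from this commit on the remaining `envsubst` and `exec kratos $@` lines run under those options regardless of what entrypoint.sh set itself.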
@@ -15,54 +15,6 @@ selfservice: enabled: false config: base_redirect_uri: ${KRATOS_URL} - providers: - - id: gitlab - provider: gitlab - mapper_url: "base64://${OIDC_GITLABHUB_SCHEMA_MAPPER}" - auth_url: https://gitlab.com/oauth/authorize - token_url: https://gitlab.com/oauth/token - issuer_url: https://gitlab.com - client_id: "" - client_secret: "" - scope: - - read_user - - openid - - email - - profile - - id: github - provider: github - mapper_url: "base64://${OIDC_GITLABHUB_SCHEMA_MAPPER}" - auth_url: https://github.com/login/oauth/authorize - token_url: https://github.com/login/oauth/access_token - issuer_url: https://github.com - client_id: "" - client_secret: "" - scope: - - read:user - - user:email - - id: google - provider: google - mapper_url: "base64://${OIDC_GOOGLE_SCHEMA_MAPPER}" - auth_url: https://accounts.google.com/o/oauth2/v2/auth - token_url: https://www.googleapis.com/oauth2/v4/token - issuer_url: https://accounts.google.com - client_id: "" - client_secret: "" - scope: - - openid - - email - - profile - - id: azure - provider: microsoft - mapper_url: "base64://${OIDC_AZURE_SCHEMA_MAPPER}" - client_id: "" - client_secret: "" - microsoft_tenant: common - subject_source: userinfo - scope: - - openid - - email - - profile code: enabled: true flows: diff --git a/web/kratos/oidc-setup.sh b/web/kratos/oidc-setup.sh new file mode 100644 index 000000000..725954c01 --- /dev/null +++ b/web/kratos/oidc-setup.sh 
@@ -0,0 +1,71 @@
+#!/usr/bin/env sh
+set +eu
+
+# Define templates for each provider, make sure to not resolve envs here as not all of them might be needed
+TEMPLATES_GITLAB="{\"id\":\"gitlab\",\"provider\":\"gitlab\",\"mapper_url\":\"base64://\${OIDC_GITLABHUB_SCHEMA_MAPPER}\",\"client_id\":\"\${TEMPLATE_CLIENT_ID}\",\"client_secret\":\"\${TEMPLATE_CLIENT_SECRET}\",\"scope\":[\"read_user\",\"openid\",\"email\",\"profile\"],\"auth_url\":\"https://gitlab.com/oauth/authorize\",\"token_url\":\"https://gitlab.com/oauth/token\",\"issuer_url\":\"https://gitlab.com\"}"
+TEMPLATES_GITHUB="{\"id\":\"github\",\"provider\":\"github\",\"mapper_url\":\"base64://\${OIDC_GITLABHUB_SCHEMA_MAPPER}\",\"client_id\":\"\${TEMPLATE_CLIENT_ID}\",\"client_secret\":\"\${TEMPLATE_CLIENT_SECRET}\",\"scope\":[\"read:user\",\"user:email\"],\"auth_url\":\"https://github.com/login/oauth/authorize\",\"token_url\":\"https://github.com/login/oauth/access_token\",\"issuer_url\":\"https://github.com\"}"
+TEMPLATES_GOOGLE="{\"id\":\"google\",\"provider\":\"google\",\"mapper_url\":\"base64://\${OIDC_GOOGLE_SCHEMA_MAPPER}\",\"client_id\":\"\${TEMPLATE_CLIENT_ID}\",\"client_secret\":\"\${TEMPLATE_CLIENT_SECRET}\",\"scope\":[\"openid\",\"email\",\"profile\"],\"auth_url\":\"https://accounts.google.com/o/oauth2/v2/auth\",\"token_url\":\"https://www.googleapis.com/oauth2/v4/token\",\"issuer_url\":\"https://accounts.google.com\"}"
+TEMPLATES_AZURE="{\"id\":\"azure\",\"provider\":\"microsoft\",\"mapper_url\":\"base64://\${OIDC_AZURE_SCHEMA_MAPPER}\",\"client_id\":\"\${TEMPLATE_CLIENT_ID}\",\"client_secret\":\"\${TEMPLATE_CLIENT_SECRET}\",\"scope\":[\"openid\",\"email\",\"profile\"],\"microsoft_tenant\":\"common\",\"subject_source\":\"userinfo\"}"
+
+# Checks the given provider environment variables and appends the JSON object to the PROVIDERS variable
+# based on the template defined above.
+# Arguments: $1 = upper case provider name, $2 = mapper environment variable name
+# ClientID env is "OIDC_[provider]_CLIENT_ID", secret env is "OIDC_[provider]_CLIENT_SECRET"
+checkProvider() {
+ envClientId="OIDC_$1_CLIENT_ID"
+ envClientSecret="OIDC_$1_CLIENT_SECRET"
+
+ set +eu # Disable unset variables check as client ID and secret might be unset
+ [ -z "$(eval echo \$$envClientId)" ]
+ clientIdSet=$?
+
+ [ -z "$(eval echo \$$envClientSecret)" ]
+ clientSecretSet=$?
+ set -eu
+
+ if [ "$clientIdSet" -ne "$clientSecretSet" ]; then
+ echo "$envClientId or $envClientSecret not set"
+ exit 1
+ fi
+
+ if [ "$clientIdSet" = 1 ] && [ "$clientSecretSet" = 1 ]; then
+ set +eu
+ mapperValue=$(eval echo \$$2)
+
+ if [ -z "$mapperValue" ]; then
+ echo "$2 missing"
+ exit 1
+ fi
+ set -eu
+
+ clientId="$(eval echo \$$envClientId)"
+ clientSecret="$(eval echo \$$envClientSecret)"
+
+ templateString=$(eval echo \$TEMPLATES_$1)
+
+ newTemplateString=$(echo $templateString | sed -e "s/\${TEMPLATE_CLIENT_ID}/$clientId/g")
+ newTemplateString=$(echo $newTemplateString | sed -e "s/\${TEMPLATE_CLIENT_SECRET}/$clientSecret/g")
+ newTemplateString=$(echo $newTemplateString | sed -e "s/\${$2}/$mapperValue/g")
+
+ PROVIDERS="${PROVIDERS}$newTemplateString,"
+
+ echo "$1 OIDC client setup"
+ fi
+}
+
+PROVIDERS="["
+
+checkProvider "GITLAB" "OIDC_GITLABHUB_SCHEMA_MAPPER"
+checkProvider "GITHUB" "OIDC_GITLABHUB_SCHEMA_MAPPER"
+checkProvider "GOOGLE" "OIDC_GOOGLE_SCHEMA_MAPPER"
+checkProvider "AZURE" "OIDC_AZURE_SCHEMA_MAPPER"
+
+# Strip ',' at the end of PROVIDERS
+if [ "${#PROVIDERS}" -gt 1 ]; then
+ PROVIDERS="${PROVIDERS::-1}"
+ export SELFSERVICE_METHODS_OIDC_ENABLED=true
+else
+ unset SELFSERVICE_METHODS_OIDC_ENABLED
+fi
+
+export SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS="${PROVIDERS}]"
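Review bot: The three `sed -e "s/…/…/g"` lines in checkProvider use `/` as the delimiter, yet the mapper value they inject is produced by `base64 -w 0` in entrypoint.sh (visible in that file's hunk context), whose output alphabet includes `/`, so a mapper value containing a `/` makes sed reject the expression and the provider is never emitted; a client secret containing `/`, `&` or `\` is broken or rewritten the same way, and `echo $templateString` is unquoted on top of that. A placeholder replacement written with POSIX parameter expansion around the literal placeholder text has no delimiter and no replacement-side escapes, so the values pass through byte-for-byte; they are still not JSON-escaped, so a `"` or `\` in a secret would yield an invalid `SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS`, and that limit belongs in the function's header comment. Separately, `${PROVIDERS::-1}` near the end of the file is a bash substring expansion that a `#!/usr/bin/env sh` interpreter such as dash rejects as a bad substitution; `PROVIDERS="${PROVIDERS%,}"` is POSIX and is a no-op when nothing was appended, so the `${#PROVIDERS}` test can remain purely to drive the enabled flag.
```shell
# … unchanged: TEMPLATES_* definitions …

# Replace the first occurrence of placeholder $2 in string $1 with the literal value $3.
# Pure parameter expansion: no sed delimiter to collide with '/', no '&' or '\'
# special-casing, so base64 mapper values and client secrets pass through verbatim.
# The value is NOT JSON-escaped; a '"' or '\' in it still produces invalid JSON.
replacePlaceholder() {
  case "$1" in
    *"$2"*) printf '%s%s%s' "${1%%"$2"*}" "$3" "${1#*"$2"}" ;;
    *) printf '%s' "$1" ;;
  esac
}

checkProvider() {
  # … unchanged: presence checks and the clientId/clientSecret/mapperValue/templateString reads …

  newTemplateString=$(replacePlaceholder "$templateString" '${TEMPLATE_CLIENT_ID}' "$clientId")
  newTemplateString=$(replacePlaceholder "$newTemplateString" '${TEMPLATE_CLIENT_SECRET}' "$clientSecret")
  newTemplateString=$(replacePlaceholder "$newTemplateString" "\${$2}" "$mapperValue")

  # … unchanged: PROVIDERS append and "$1 OIDC client setup" log line …
}
```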