Version 1.11.0

CHANGELOG.md

@@ -110,3 +110,7 @@
 * Terms and privacy policy option
 * Engine hours are now calculated after computed attributes
 * Default configuration file is now removed to avoid confusion and misconfiguration
+
+[1.11.0]
+* Migrate to OIDC login
+

CloudronManifest.json

@@ -5,7 +5,7 @@
   "description": "file://DESCRIPTION.md",
   "changelog": "file://CHANGELOG.md",
   "tagline": "Modern GPS Tracking Platform",
-  "version": "1.10.0",
+  "version": "1.11.0",
   "upstreamVersion": "6.2",
   "minBoxVersion": "7.1.0",
   "memoryLimit": 1073741824,
@@ -20,10 +20,10 @@
     }
   },
   "addons": {
-    "ldap": {},
     "sendmail": { "supportsDisplayName": false },
     "localstorage": {},
-    "mysql": {}
+    "mysql": {},
+    "oidc": { "loginRedirectUri": "/api/session/openid/callback" }
   },
   "optionalSso": true,
   "manifestVersion": 2,

POSTINSTALL.md

@@ -4,3 +4,7 @@ This app is pre-setup with an admin account. The initial credentials are:
 **Password**: admin<br/>
 
 Please change the admin email and password credentials immediately.
+
+<sso>
+By default, Cloudron users have regular users permissions. Permissions can be updated on the user profile page in the admin back-end.
+</sso>

start.sh

@@ -52,20 +52,29 @@ xmlstarlet ed --inplace \
 # origin
 xmlstarlet ed --inplace --update '//properties/entry[@key="web.url"]' -v "${CLOUDRON_APP_ORIGIN}" /app/data/traccar.xml
 
-# ldap
-if [[ -n "${CLOUDRON_LDAP_URL:-}" ]]; then
-    echo "=> Ensure LDAP settings"
+# get rid of ldap, can be removed in the next release
+sed -e 's/ldap.url/openid.clientId/g' \
+    -e 's/ldap.base/openid.clientSecret/g' \
+    -e 's/ldap.idAttribute/openid.issuerUrl/g' \
+    -e 's/ldap.searchFilter/openid.authUrl/g' \
+    -e 's/ldap.user/openid.tokenUrl/g' \
+    -e 's/ldap.password/openid.userInfoUrl/g' \
+    -e 's/^.*ldap\..*$//g' \
+    -i /app/data/traccar.xml
+
+# OIDC
+if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+    echo "=> Ensure OIDC settings"
     xmlstarlet ed --inplace \
-        --update '//properties/entry[@key="ldap.enable"]' -v "true" \
-        --update '//properties/entry[@key="ldap.url"]' -v "${CLOUDRON_LDAP_URL}" \
-        --update '//properties/entry[@key="ldap.base"]' -v "${CLOUDRON_LDAP_USERS_BASE_DN}" \
-        --update '//properties/entry[@key="ldap.idAttribute"]' -v "username" \
-        --update '//properties/entry[@key="ldap.searchFilter"]' -v '(|(username=:login)(mail=:login))' \
-        --update '//properties/entry[@key="ldap.user"]' -v "${CLOUDRON_LDAP_BIND_DN}" \
-        --update '//properties/entry[@key="ldap.password"]' -v "${CLOUDRON_LDAP_BIND_PASSWORD}" \
+        --update '//properties/entry[@key="openid.clientId"]' -v "${CLOUDRON_OIDC_CLIENT_ID}" \
+        --update '//properties/entry[@key="openid.clientSecret"]' -v "${CLOUDRON_OIDC_CLIENT_SECRET}" \
+        --update '//properties/entry[@key="openid.issuerUrl"]' -v "${CLOUDRON_OIDC_ISSUER}" \
+        --update '//properties/entry[@key="openid.authUrl"]' -v "${CLOUDRON_OIDC_AUTH_ENDPOINT}" \
+        --update '//properties/entry[@key="openid.tokenUrl"]' -v "${CLOUDRON_OIDC_TOKEN_ENDPOINT}" \
+        --update '//properties/entry[@key="openid.userInfoUrl"]' -v "${CLOUDRON_OIDC_PROFILE_ENDPOINT}" \
         /app/data/traccar.xml
 else
-    xmlstarlet ed --inplace --update '//properties/entry[@key="ldap.enable"]' -v "false" /app/data/traccar.xml
+    sed -e 's/^.*openid\..*$//g' -i /app/data/traccar.xml
 fi
 
 # email

test/test.js

@@ -16,8 +16,8 @@ const execSync = require('child_process').execSync,
     { Builder, By, Key, until } = require('selenium-webdriver'),
     { Options } = require('selenium-webdriver/chrome');
 
-if (!process.env.EMAIL || !process.env.PASSWORD) {
-    console.log('EMAIL and PASSWORD env vars need to be set');
+if (!process.env.USERNAME || !process.env.EMAIL || !process.env.PASSWORD) {
+    console.log('USERNAME, EMAIL and PASSWORD env vars need to be set');
     process.exit(1);
 }
 
@@ -25,16 +25,18 @@ describe('Application life cycle test', function () {
     this.timeout(0);
 
     const LOCATION = 'test';
-    const TEST_TIMEOUT = 10000;
+    const TEST_TIMEOUT = 20000;
     const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
     const DEVICE_NAME = 'FancyDevice';
     const DEVICE_IDENTIFIER = 'device1';
     const ADMIN_USERNAME = 'admin@cloudron.local';
     const ADMIN_PASSWORD = 'admin';
+    const USERNAME = process.env.USERNAME;
     const EMAIL = process.env.EMAIL;
     const PASSWORD = process.env.PASSWORD;
 
     let browser, app;
+    let athenticated_by_oidc = false;
 
     before(function () {
         const options = new Options().windowSize({ width: 1280, height: 1024 });
@@ -61,10 +63,35 @@ describe('Application life cycle test', function () {
     async function login(emailOrUsername, password) {
         await browser.get(`https://${app.fqdn}/login`);
         await waitForElement(By.xpath('//input[@name="email"]'));
-        await browser.findElement(By.xpath('//input[@name="email"]')).sendKeys(Key.CONTROL + 'a');
+        await browser.findElement(By.xpath('//input[@name="email"]')).sendKeys(Key.CONTROL + 'a' + Key.BACK_SPACE + Key.COMMAND + 'a' + Key.BACK_SPACE);
         await browser.findElement(By.xpath('//input[@name="email"]')).sendKeys(emailOrUsername);
         await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
         await browser.findElement(By.xpath('//button[text()="Login"]')).click();
+        await browser.sleep(3000);
+        await waitForElement(By.xpath('//span[text()="Account"]'));
+    }
+
+    async function loginOIDC(username, password) {
+        browser.manage().deleteAllCookies();
+        await browser.get(`https://${app.fqdn}/login`);
+        await browser.sleep(2000);
+
+        await waitForElement(By.xpath('//button[contains(., "Login with OpenID")]'));
+        await browser.findElement(By.xpath('//button[contains(., "Login with OpenID")]')).click();
+        await browser.sleep(2000);
+
+        if (!athenticated_by_oidc) {
+            await waitForElement(By.xpath('//input[@name="username"]'));
+            await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username);
+            await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
+            await browser.sleep(2000);
+            await browser.findElement(By.xpath('//button[@type="submit" and contains(text(), "Sign in")]')).click();
+            await browser.sleep(2000);
+
+            athenticated_by_oidc = true;
+        }
+
+        await browser.sleep(3000);
         await waitForElement(By.xpath('//span[text()="Account"]'));
     }
 
@@ -93,7 +120,8 @@ describe('Application life cycle test', function () {
     }
 
     xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
-    it('install app', function () { execSync(`cloudron install --location ${LOCATION}`, EXEC_ARGS); });
+    // no sso
+    it('install app (no sso)', function () { execSync(`cloudron install --no-sso --location ${LOCATION}`, EXEC_ARGS); });
 
     it('can get app information', getAppInfo);
     it('can login as admin', login.bind(null, ADMIN_USERNAME, ADMIN_PASSWORD));
@@ -101,10 +129,22 @@ describe('Application life cycle test', function () {
     it('device exists', deviceExists);
     it('can logout', logout);
 
-    it('can login as normal user with email', login.bind(null, process.env.EMAIL, process.env.PASSWORD));
+    it('uninstall app', async function () {
+        // ensure we don't hit NXDOMAIN in the mean time
+        await browser.get('about:blank');
+        execSync(`cloudron uninstall --app ${app.id}`, EXEC_ARGS);
+    });
+
+    // sso
+    it('install app (sso)', function () { execSync(`cloudron install --location ${LOCATION}`, EXEC_ARGS); });
+
+    it('can get app information', getAppInfo);
+    it('can login as admin', login.bind(null, ADMIN_USERNAME, ADMIN_PASSWORD));
+    it('can add device', addDevice);
+    it('device exists', deviceExists);
     it('can logout', logout);
 
-    it('can login as normal user with username', login.bind(null, process.env.USERNAME, process.env.PASSWORD));
+    it('can login as normal user via OIDC', loginOIDC.bind(null, process.env.USERNAME, process.env.PASSWORD));
     it('can logout', logout);
 
     it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`); });
@@ -126,6 +166,9 @@ describe('Application life cycle test', function () {
     it('device exists', deviceExists);
     it('can logout', logout);
 
+    it('can login as normal user via OIDC', loginOIDC.bind(null, process.env.USERNAME, process.env.PASSWORD));
+    it('can logout', logout);
+
     it('move to different location', async function () {
         // ensure we don't hit NXDOMAIN in the mean time
         await browser.get('about:blank');
@@ -137,6 +180,9 @@ describe('Application life cycle test', function () {
     it('device exists', deviceExists);
     it('can logout', logout);
 
+    it('can login as normal user via OIDC', loginOIDC.bind(null, process.env.USERNAME, process.env.PASSWORD));
+    it('can logout', logout);
+
     it('uninstall app', async function () {
         // ensure we don't hit NXDOMAIN in the mean time
         await browser.get('about:blank');
@@ -145,19 +191,25 @@ describe('Application life cycle test', function () {
 
     // test update
     it('can install app for update', function () { execSync(`cloudron install --appstore-id org.traccar.cloudronapp --location ${LOCATION}`, EXEC_ARGS); });
+
     it('can get app information', getAppInfo);
     it('can login', login.bind(null, ADMIN_USERNAME, ADMIN_PASSWORD));
     it('can add device', addDevice);
     it('device exists', deviceExists);
     it('can logout', logout);
 
+    // LDAP login
+    it('can login as normal user with email', login.bind(null, process.env.EMAIL, process.env.PASSWORD));
+    it('can logout', logout);
+
     it('can update', function () { execSync(`cloudron update --app ${app.id}`, EXEC_ARGS); });
 
     it('can login', login.bind(null, ADMIN_USERNAME, ADMIN_PASSWORD));
     it('device exists', deviceExists);
     it('can logout', logout);
 
-    it('can login as normal user with username', login.bind(null, process.env.USERNAME, process.env.PASSWORD));
+    // OIDC login
+    it('can login as normal user via OIDC', loginOIDC.bind(null, process.env.USERNAME, process.env.PASSWORD));
     it('can logout', logout);
 
     it('uninstall app', async function () {

traccar.xml.template

@@ -25,13 +25,12 @@
 
     <entry key='web.url'>##CLOUDRON_APP_ORIGIN##</entry>
 
-    <entry key='ldap.enable'>true</entry>
-    <entry key='ldap.url'>##CLOUDRON_LDAP_URL##</entry>
-    <entry key='ldap.base'>##CLOUDRON_LDAP_USERS_BASE_DN##</entry>
-    <entry key='ldap.idAttribute'>username</entry>
-    <entry key='ldap.searchFilter'>username=:login</entry>
-    <entry key='ldap.user'>##CLOUDRON_LDAP_BIND_DN##</entry>
-    <entry key='ldap.password'>##CLOUDRON_LDAP_BIND_PASSWORD##</entry>
+    <entry key='openid.clientId'>##CLOUDRON_OIDC_CLIENT_ID##</entry>
+    <entry key='openid.clientSecret'>##CLOUDRON_OIDC_CLIENT_SECRET##</entry>
+    <entry key='openid.issuerUrl'>##CLOUDRON_OIDC_ISSUER##</entry>
+    <entry key='openid.authUrl'>##CLOUDRON_OIDC_AUTH_ENDPOINT##</entry>
+    <entry key='openid.tokenUrl'>##CLOUDRON_OIDC_TOKEN_ENDPOINT##</entry>
+    <entry key='openid.userInfoUrl'>##CLOUDRON_OIDC_PROFILE_ENDPOINT##</entry>
 
     <entry key='mail.smtp.host'>smtp.gmail.com</entry>
     <entry key='mail.smtp.port'>587</entry>