Version 1.11.0

when importing an external traccar with on admin, this ends up
creating an admin

CHANGELOG.md

@@ -66,3 +66,51 @@
 * Update traccar to 5.9
 * [Full changelog](https://github.com/traccar/traccar/releases/tag/v5.9)
 
+[1.6.0]
+* Update base image to 4.2.0
+
+[1.7.0]
+* Update traccar to 5.10
+* [Full changelog](https://github.com/traccar/traccar/releases/tag/v5.10)
+* [Release Announcement](https://www.traccar.org/blog/traccar-5-10/)
+* Two-factor authentication using TOTP
+* Event to notify about sent queued commands
+* Option to access last position in computed attributes
+* Unification of OBD speed units
+* Event buffer limit in the web app (should improve performance)
+* Automatic update check for the web app
+
+[1.7.1]
+* Update traccar to 5.11
+* [Full changelog](https://github.com/traccar/traccar/releases/tag/v5.11)
+* Update web submodule
+
+[1.7.2]
+* Update traccar to 5.12
+* [Full changelog](https://www.traccar.org/blog/traccar-5-12/)
+
+[1.7.3]
+* Only create admin account on fresh installation
+
+[1.8.0]
+* Update traccar to 6.0
+* [Full changelog](https://www.traccar.org/blog/traccar-6-0/)
+
+[1.9.0]
+* Update traccar to 6.1
+* [Full changelog](https://www.traccar.org/blog/traccar-6-1/)
+
+[1.10.0]
+* Update traccar to 6.2
+* [Full changelog](https://www.traccar.org/blog/traccar-6-2/)
+* Computed attributes can now be ordered using priority
+* Support token authentication for WebSocket
+* Allow regular users to edit hours and total distance
+* Support for right-to-left languages on map
+* Terms and privacy policy option
+* Engine hours are now calculated after computed attributes
+* Default configuration file is now removed to avoid confusion and misconfiguration
+
+[1.11.0]
+* Migrate to OIDC login
+

CloudronManifest.json

@@ -5,8 +5,8 @@
   "description": "file://DESCRIPTION.md",
   "changelog": "file://CHANGELOG.md",
   "tagline": "Modern GPS Tracking Platform",
-  "version": "1.5.1",
-  "upstreamVersion": "5.9",
+  "version": "1.11.0",
+  "upstreamVersion": "6.2",
   "minBoxVersion": "7.1.0",
   "memoryLimit": 1073741824,
   "healthCheckPath": "/",
@@ -20,10 +20,10 @@
     }
   },
   "addons": {
-    "ldap": {},
     "sendmail": { "supportsDisplayName": false },
     "localstorage": {},
-    "mysql": {}
+    "mysql": {},
+    "oidc": { "loginRedirectUri": "/api/session/openid/callback" }
   },
   "optionalSso": true,
   "manifestVersion": 2,

Dockerfile

@@ -1,9 +1,9 @@
-FROM cloudron/base:4.0.0@sha256:31b195ed0662bdb06a6e8a5ddbedb6f191ce92e8bee04c03fb02dd4e9d0286df
+FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768ba473078319a47f4
 
 RUN mkdir -p /app/code
 WORKDIR /app/code
 
-ARG VERSION=5.9
+ARG VERSION=6.2
 
 RUN wget https://github.com/traccar/traccar/releases/download/v${VERSION}/traccar-linux-64-${VERSION}.zip -O traccar.zip && \
     unzip traccar.zip && \

POSTINSTALL.md

@@ -4,3 +4,7 @@ This app is pre-setup with an admin account. The initial credentials are:
 **Password**: admin<br/>
 
 Please change the admin email and password credentials immediately.
+
+<sso>
+By default, Cloudron users have regular users permissions. Permissions can be updated on the user profile page in the admin back-end.
+</sso>

start.sh

@@ -28,7 +28,7 @@ ensure_admin_account() {
     wait_for_table tc_users;
 
     echo "==> Ensure admin account"
-    count=`$mysql --skip-column-names -s -e "SELECT COUNT(*) FROM tc_users WHERE name='admin';"`
+    count=`$mysql --skip-column-names -s -e "SELECT COUNT(*) FROM tc_users;"`
     if [[ "$count" = "0" ]]; then
         echo "==> Create initial admin account"
         # Values are from https://github.com/traccar/traccar/blob/master/schema/changelog-3.3.xml#L179 which is not used anymore, but we still want the admin account
@@ -52,20 +52,29 @@ xmlstarlet ed --inplace \
 # origin
 xmlstarlet ed --inplace --update '//properties/entry[@key="web.url"]' -v "${CLOUDRON_APP_ORIGIN}" /app/data/traccar.xml
 
-# ldap
-if [[ -n "${CLOUDRON_LDAP_URL:-}" ]]; then
-    echo "=> Ensure LDAP settings"
+# get rid of ldap, can be removed in the next release
+sed -e 's/ldap.url/openid.clientId/g' \
+    -e 's/ldap.base/openid.clientSecret/g' \
+    -e 's/ldap.idAttribute/openid.issuerUrl/g' \
+    -e 's/ldap.searchFilter/openid.authUrl/g' \
+    -e 's/ldap.user/openid.tokenUrl/g' \
+    -e 's/ldap.password/openid.userInfoUrl/g' \
+    -e 's/^.*ldap\..*$//g' \
+    -i /app/data/traccar.xml
+
+# OIDC
+if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+    echo "=> Ensure OIDC settings"
     xmlstarlet ed --inplace \
-        --update '//properties/entry[@key="ldap.enable"]' -v "true" \
-        --update '//properties/entry[@key="ldap.url"]' -v "${CLOUDRON_LDAP_URL}" \
-        --update '//properties/entry[@key="ldap.base"]' -v "${CLOUDRON_LDAP_USERS_BASE_DN}" \
-        --update '//properties/entry[@key="ldap.idAttribute"]' -v "username" \
-        --update '//properties/entry[@key="ldap.searchFilter"]' -v '(|(username=:login)(mail=:login))' \
-        --update '//properties/entry[@key="ldap.user"]' -v "${CLOUDRON_LDAP_BIND_DN}" \
-        --update '//properties/entry[@key="ldap.password"]' -v "${CLOUDRON_LDAP_BIND_PASSWORD}" \
+        --update '//properties/entry[@key="openid.clientId"]' -v "${CLOUDRON_OIDC_CLIENT_ID}" \
+        --update '//properties/entry[@key="openid.clientSecret"]' -v "${CLOUDRON_OIDC_CLIENT_SECRET}" \
+        --update '//properties/entry[@key="openid.issuerUrl"]' -v "${CLOUDRON_OIDC_ISSUER}" \
+        --update '//properties/entry[@key="openid.authUrl"]' -v "${CLOUDRON_OIDC_AUTH_ENDPOINT}" \
+        --update '//properties/entry[@key="openid.tokenUrl"]' -v "${CLOUDRON_OIDC_TOKEN_ENDPOINT}" \
+        --update '//properties/entry[@key="openid.userInfoUrl"]' -v "${CLOUDRON_OIDC_PROFILE_ENDPOINT}" \
         /app/data/traccar.xml
 else
-    xmlstarlet ed --inplace --update '//properties/entry[@key="ldap.enable"]' -v "false" /app/data/traccar.xml
+    sed -e 's/^.*openid\..*$//g' -i /app/data/traccar.xml
 fi
 
 # email
@@ -80,8 +89,7 @@ xmlstarlet ed --inplace \
     --update '//properties/entry[@key="mail.smtp.password"]' -v "${CLOUDRON_MAIL_SMTP_PASSWORD}" \
     /app/data/traccar.xml
 
-disable_registration &
-ensure_admin_account &
+(disable_registration; ensure_admin_account) &
 
 chown -R cloudron /run/traccar /app/data
 

test/package.json

@@ -10,10 +10,10 @@
   "license": "ISC",
   "devDependencies": {
     "expect.js": "^0.3.1",
-    "mocha": "^10.2.0",
-    "selenium-webdriver": "^4.12.0"
+    "mocha": "^10.4.0",
+    "selenium-webdriver": "^4.21.0"
   },
   "dependencies": {
-    "chromedriver": "^116.0.0"
+    "chromedriver": "^125.0.3"
   }
 }

test/test.js

@@ -10,14 +10,14 @@
 
 require('chromedriver');
 
-var execSync = require('child_process').execSync,
+const execSync = require('child_process').execSync,
     expect = require('expect.js'),
     path = require('path'),
     { Builder, By, Key, until } = require('selenium-webdriver'),
     { Options } = require('selenium-webdriver/chrome');
 
-if (!process.env.EMAIL || !process.env.PASSWORD) {
-    console.log('EMAIL and PASSWORD env vars need to be set');
+if (!process.env.USERNAME || !process.env.EMAIL || !process.env.PASSWORD) {
+    console.log('USERNAME, EMAIL and PASSWORD env vars need to be set');
     process.exit(1);
 }
 
@@ -25,16 +25,18 @@ describe('Application life cycle test', function () {
     this.timeout(0);
 
     const LOCATION = 'test';
-    const TEST_TIMEOUT = 10000;
+    const TEST_TIMEOUT = 20000;
     const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
     const DEVICE_NAME = 'FancyDevice';
     const DEVICE_IDENTIFIER = 'device1';
     const ADMIN_USERNAME = 'admin@cloudron.local';
     const ADMIN_PASSWORD = 'admin';
+    const USERNAME = process.env.USERNAME;
     const EMAIL = process.env.EMAIL;
     const PASSWORD = process.env.PASSWORD;
 
-    var browser, app;
+    let browser, app;
+    let athenticated_by_oidc = false;
 
     before(function () {
         const options = new Options().windowSize({ width: 1280, height: 1024 });
@@ -61,10 +63,35 @@ describe('Application life cycle test', function () {
     async function login(emailOrUsername, password) {
         await browser.get(`https://${app.fqdn}/login`);
         await waitForElement(By.xpath('//input[@name="email"]'));
-        await browser.findElement(By.xpath('//input[@name="email"]')).sendKeys(Key.CONTROL + 'a');
+        await browser.findElement(By.xpath('//input[@name="email"]')).sendKeys(Key.CONTROL + 'a' + Key.BACK_SPACE + Key.COMMAND + 'a' + Key.BACK_SPACE);
         await browser.findElement(By.xpath('//input[@name="email"]')).sendKeys(emailOrUsername);
         await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
         await browser.findElement(By.xpath('//button[text()="Login"]')).click();
+        await browser.sleep(3000);
+        await waitForElement(By.xpath('//span[text()="Account"]'));
+    }
+
+    async function loginOIDC(username, password) {
+        browser.manage().deleteAllCookies();
+        await browser.get(`https://${app.fqdn}/login`);
+        await browser.sleep(2000);
+
+        await waitForElement(By.xpath('//button[contains(., "Login with OpenID")]'));
+        await browser.findElement(By.xpath('//button[contains(., "Login with OpenID")]')).click();
+        await browser.sleep(2000);
+
+        if (!athenticated_by_oidc) {
+            await waitForElement(By.xpath('//input[@name="username"]'));
+            await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username);
+            await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
+            await browser.sleep(2000);
+            await browser.findElement(By.xpath('//button[@type="submit" and contains(text(), "Sign in")]')).click();
+            await browser.sleep(2000);
+
+            athenticated_by_oidc = true;
+        }
+
+        await browser.sleep(3000);
         await waitForElement(By.xpath('//span[text()="Account"]'));
     }
 
@@ -93,7 +120,8 @@ describe('Application life cycle test', function () {
     }
 
     xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
-    it('install app', function () { execSync(`cloudron install --location ${LOCATION}`, EXEC_ARGS); });
+    // no sso
+    it('install app (no sso)', function () { execSync(`cloudron install --no-sso --location ${LOCATION}`, EXEC_ARGS); });
 
     it('can get app information', getAppInfo);
     it('can login as admin', login.bind(null, ADMIN_USERNAME, ADMIN_PASSWORD));
@@ -101,10 +129,22 @@ describe('Application life cycle test', function () {
     it('device exists', deviceExists);
     it('can logout', logout);
 
-    it('can login as normal user with email', login.bind(null, process.env.EMAIL, process.env.PASSWORD));
+    it('uninstall app', async function () {
+        // ensure we don't hit NXDOMAIN in the mean time
+        await browser.get('about:blank');
+        execSync(`cloudron uninstall --app ${app.id}`, EXEC_ARGS);
+    });
+
+    // sso
+    it('install app (sso)', function () { execSync(`cloudron install --location ${LOCATION}`, EXEC_ARGS); });
+
+    it('can get app information', getAppInfo);
+    it('can login as admin', login.bind(null, ADMIN_USERNAME, ADMIN_PASSWORD));
+    it('can add device', addDevice);
+    it('device exists', deviceExists);
     it('can logout', logout);
 
-    it('can login as normal user with username', login.bind(null, process.env.USERNAME, process.env.PASSWORD));
+    it('can login as normal user via OIDC', loginOIDC.bind(null, process.env.USERNAME, process.env.PASSWORD));
     it('can logout', logout);
 
     it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`); });
@@ -126,6 +166,9 @@ describe('Application life cycle test', function () {
     it('device exists', deviceExists);
     it('can logout', logout);
 
+    it('can login as normal user via OIDC', loginOIDC.bind(null, process.env.USERNAME, process.env.PASSWORD));
+    it('can logout', logout);
+
     it('move to different location', async function () {
         // ensure we don't hit NXDOMAIN in the mean time
         await browser.get('about:blank');
@@ -137,6 +180,9 @@ describe('Application life cycle test', function () {
     it('device exists', deviceExists);
     it('can logout', logout);
 
+    it('can login as normal user via OIDC', loginOIDC.bind(null, process.env.USERNAME, process.env.PASSWORD));
+    it('can logout', logout);
+
     it('uninstall app', async function () {
         // ensure we don't hit NXDOMAIN in the mean time
         await browser.get('about:blank');
@@ -144,20 +190,26 @@ describe('Application life cycle test', function () {
     });
 
     // test update
-    it('can install app', function () { execSync(`cloudron install --appstore-id org.traccar.cloudronapp --location ${LOCATION}`, EXEC_ARGS); });
+    it('can install app for update', function () { execSync(`cloudron install --appstore-id org.traccar.cloudronapp --location ${LOCATION}`, EXEC_ARGS); });
+
     it('can get app information', getAppInfo);
     it('can login', login.bind(null, ADMIN_USERNAME, ADMIN_PASSWORD));
     it('can add device', addDevice);
     it('device exists', deviceExists);
     it('can logout', logout);
 
+    // LDAP login
+    it('can login as normal user with email', login.bind(null, process.env.EMAIL, process.env.PASSWORD));
+    it('can logout', logout);
+
     it('can update', function () { execSync(`cloudron update --app ${app.id}`, EXEC_ARGS); });
 
     it('can login', login.bind(null, ADMIN_USERNAME, ADMIN_PASSWORD));
     it('device exists', deviceExists);
     it('can logout', logout);
 
-    it('can login as normal user with username', login.bind(null, process.env.USERNAME, process.env.PASSWORD));
+    // OIDC login
+    it('can login as normal user via OIDC', loginOIDC.bind(null, process.env.USERNAME, process.env.PASSWORD));
     it('can logout', logout);
 
     it('uninstall app', async function () {

traccar.xml.template

@@ -25,13 +25,12 @@
 
     <entry key='web.url'>##CLOUDRON_APP_ORIGIN##</entry>
 
-    <entry key='ldap.enable'>true</entry>
-    <entry key='ldap.url'>##CLOUDRON_LDAP_URL##</entry>
-    <entry key='ldap.base'>##CLOUDRON_LDAP_USERS_BASE_DN##</entry>
-    <entry key='ldap.idAttribute'>username</entry>
-    <entry key='ldap.searchFilter'>username=:login</entry>
-    <entry key='ldap.user'>##CLOUDRON_LDAP_BIND_DN##</entry>
-    <entry key='ldap.password'>##CLOUDRON_LDAP_BIND_PASSWORD##</entry>
+    <entry key='openid.clientId'>##CLOUDRON_OIDC_CLIENT_ID##</entry>
+    <entry key='openid.clientSecret'>##CLOUDRON_OIDC_CLIENT_SECRET##</entry>
+    <entry key='openid.issuerUrl'>##CLOUDRON_OIDC_ISSUER##</entry>
+    <entry key='openid.authUrl'>##CLOUDRON_OIDC_AUTH_ENDPOINT##</entry>
+    <entry key='openid.tokenUrl'>##CLOUDRON_OIDC_TOKEN_ENDPOINT##</entry>
+    <entry key='openid.userInfoUrl'>##CLOUDRON_OIDC_PROFILE_ENDPOINT##</entry>
 
     <entry key='mail.smtp.host'>smtp.gmail.com</entry>
     <entry key='mail.smtp.port'>587</entry>