kerberos sso ci fixes

Signed-off-by: Robin Appelman <[email protected]>

Author: icewind1991

.github/workflows/smb-kerberos.yml

@@ -27,48 +27,26 @@ jobs:
           submodules: true
       - name: Pull images
         run: |
-          docker pull icewind1991/samba-krb-test-dc
-          docker pull icewind1991/samba-krb-test-apache
-          docker pull icewind1991/samba-krb-test-client
+          docker pull ghcr.io/icewind1991/samba-krb-test-dc
+          docker pull ghcr.io/icewind1991/samba-krb-test-apache
+          docker pull ghcr.io/icewind1991/samba-krb-test-client
+          docker tag ghcr.io/icewind1991/samba-krb-test-dc icewind1991/samba-krb-test-dc
+          docker tag ghcr.io/icewind1991/samba-krb-test-apache icewind1991/samba-krb-test-apache
+          docker tag ghcr.io/icewind1991/samba-krb-test-client icewind1991/samba-krb-test-client
       - name: Setup AD-DC
         run: |
-          cp apps/files_external/tests/*.sh .
-          mkdir data
-          sudo chown -R 33 data apps config
-          DC_IP=$(./start-dc.sh)
-          ./start-apache.sh $DC_IP $PWD
+          DC_IP=$(apps/files_external/tests/sso-setup/start-dc.sh)
+          apps/files_external/tests/sso-setup/start-apache.sh $DC_IP $PWD
           echo "DC_IP=$DC_IP" >> $GITHUB_ENV
       - name: Set up Nextcloud
         run: |
-          docker exec --user 33 apache ./occ maintenance:install --verbose --database=sqlite --database-name=nextcloud --database-host=127.0.0.1 --database-user=root --database-pass=rootpassword --admin-user admin --admin-pass password
-          docker exec --user 33 apache ./occ config:system:set trusted_domains 1 --value 'httpd.domain.test'
-
-          # setup user_saml
-          docker exec --user 33 apache ./occ app:enable user_saml --force
-          docker exec --user 33 apache ./occ config:app:set user_saml type --value 'environment-variable'
-          docker exec --user 33 apache ./occ saml:config:create
-          docker exec --user 33 apache ./occ saml:config:set 1 --general-uid_mapping=REMOTE_USER
-
-          # setup external storage
-          docker exec --user 33 apache ./occ app:enable files_external --force
-          docker exec --user 33 apache ./occ files_external:create smb smb smb::kerberosapache
-          docker exec --user 33 apache ./occ files_external:config 1 host krb.domain.test
-          docker exec --user 33 apache ./occ files_external:config 1 share netlogon
-          docker exec --user 33 apache ./occ files_external:list
+          apps/files_external/tests/sso-setup/setup-sso-nc.sh
       - name: Test SSO
         run: |
-          mkdir /tmp/shared/cookies
-          chmod 0777 /tmp/shared/cookies
-
-          echo "SAML login"
-          ./client-cmd.sh ${{ env.DC_IP }} curl -c /shared/cookies/jar -s --negotiate -u [email protected]: --delegation always http://httpd.domain.test/index.php/apps/user_saml/saml/login
-          echo "Check we are logged in"
-          CONTENT=$(./client-cmd.sh ${{ env.DC_IP }} curl -b /shared/cookies/jar -s --negotiate -u [email protected]: --delegation always http://httpd.domain.test/remote.php/webdav/smb/test.txt)
-          CONTENT=$(echo $CONTENT | head -n 1 | tr -d '[:space:]')
-          [[ $CONTENT == "testfile" ]]
+          apps/files_external/tests/sso-setup/test-sso-smb.sh ${{ env.DC_IP }}
       - name: Show logs
         if: failure()
         run: |
-          docker exec --user 33 apache ./occ log:file
           FILEPATH=$(docker exec --user 33 apache ./occ log:file | grep "Log file:" | cut -d' ' -f3)
+          echo "$FILEPATH:"
           docker exec --user 33 apache cat $FILEPATH

apps/files_external/tests/sso-setup/apps.config.php

@@ -0,0 +1,15 @@
+<?php
+$CONFIG = [
+	"apps_paths" => [
+		[
+			"path"     => "/var/www/html/apps",
+			"url"      => "/apps",
+			"writable" => false,
+		],
+		[
+			"path"     => "/var/www/html/extra-apps",
+			"url"      => "/extra-apps",
+			"writable" => true,
+		],
+	],
+];

apps/files_external/tests/client-cmd.sh …s_external/tests/sso-setup/client-cmd.shapps/files_external/tests/client-cmd.sh renamed to apps/files_external/tests/sso-setup/client-cmd.sh apps/files_external/tests/client-cmd.sh renamed to apps/files_external/tests/sso-setup/client-cmd.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env sh
+set -e
+
+SCRIPT_DIR="${0%/*}"
+
+DC_IP=$("$SCRIPT_DIR"/start-dc.sh)
+"$SCRIPT_DIR"/start-apache.sh "$DC_IP" "$PWD"
+"$SCRIPT_DIR"/setup-sso-nc.sh
+"$SCRIPT_DIR"/test-sso-smb.sh "$DC_IP"

apps/files_external/tests/sso-setup/run.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -e
+
+docker exec --user 33 apache ./occ maintenance:install --verbose --database=sqlite --database-name=nextcloud --database-host=127.0.0.1 --database-user=root --database-pass=rootpassword --admin-user admin --admin-pass password
+docker exec --user 33 apache ./occ config:system:set trusted_domains 1 --value 'httpd.domain.test'
+
+# setup user_saml
+docker exec --user 33 apache ./occ app:enable user_saml --force
+docker exec --user 33 apache ./occ config:app:set user_saml type --value 'environment-variable'
+docker exec --user 33 apache ./occ saml:config:create
+docker exec --user 33 apache ./occ saml:config:set 1 --general-uid_mapping=REMOTE_USER
+
+# create user
+docker exec -e OC_PASS=test --user 33 apache ./occ user:add '[email protected]' --password-from-env
+
+# setup external storage
+docker exec --user 33 apache ./occ app:enable files_external --force
+docker exec --user 33 apache ./occ files_external:create smb smb smb::kerberosapache
+docker exec --user 33 apache ./occ files_external:config 1 host krb.domain.test
+docker exec --user 33 apache ./occ files_external:config 1 share netlogon
+docker exec --user 33 apache ./occ files_external:list

apps/files_external/tests/sso-setup/setup-sso-nc.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -e
+
+SCRIPT_DIR="${0%/*}"
+
+docker rm -f apache 2>/dev/null > /dev/null
+
+docker run -d --name apache -v $2:/var/www/html -v /var/www/html/data -v /var/www/html/config -v /var/www/html/extra-apps -v /tmp/shared:/shared --dns $1 --hostname httpd.domain.test icewind1991/samba-krb-test-apache 1>&2
+APACHE_IP=$(docker inspect apache --format '{{.NetworkSettings.IPAddress}}')
+docker exec apache chown 33 /var/www/html/config /var/www/html/data /var/www/html/extra-apps
+docker cp "$SCRIPT_DIR/apps.config.php" apache:/var/www/html/config/apps.config.php
+
+# add the dns record for apache
+docker exec dc samba-tool dns add krb.domain.test domain.test httpd A $APACHE_IP -U administrator --password=passwOrd1 1>&2
+
+echo $APACHE_IP

apps/files_external/tests/sso-setup/start-apache.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -e
 
 function getContainerHealth {
   docker inspect --format "{{.State.Health.Status}}" $1

apps/files_external/tests/start-dc.sh …les_external/tests/sso-setup/start-dc.shapps/files_external/tests/start-dc.sh renamed to apps/files_external/tests/sso-setup/start-dc.sh apps/files_external/tests/start-dc.sh renamed to apps/files_external/tests/sso-setup/start-dc.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -e
+
+DC_IP="$1"
+SCRIPT_DIR="${0%/*}"
+
+echo -n "Checking that we can authenticate using kerberos: "
+LOGIN_CONTENT=$("$SCRIPT_DIR/client-cmd.sh" $DC_IP curl -i -s --negotiate -u [email protected]: --delegation always http://httpd.domain.test/index.php/apps/user_saml/saml/login?originalUrl=success)
+if [[ "$LOGIN_CONTENT" =~ "Location: success" ]]; then
+  echo "✔️"
+else
+  echo "❌"
+  exit 1
+fi
+echo -n "Getting test file: "
+CONTENT=$("$SCRIPT_DIR/client-cmd.sh" $DC_IP curl -s --negotiate -u [email protected]: --delegation always http://httpd.domain.test/remote.php/webdav/smb/test.txt)
+CONTENT=$(echo $CONTENT | head -n 1 | tr -d '[:space:]')
+
+if [[ $CONTENT == "testfile" ]]; then
+  echo "✔️"
+else
+  echo "❌"
+  exit 1
+fi