Support IDP manager configuration with configure.sh (#843)

support IDP management configuration using configure.sh script Add initial Zitadel configuration script
2024-11-25 17:43:38 +01:00 · 2023-06-02 18:34:36 +03:00 · 2023-06-02 18:34:36 +03:00 · 51502af218
commit 51502af218
parent 612ae253fe
7 changed files with 231 additions and 63 deletions
--- a/.github/workflows/test-docker-compose-linux.yml
+++ b/.github/workflows/test-docker-compose-linux.yml
@ -6,6 +6,7 @@ on:
      - main
  pull_request:
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
  cancel-in-progress: true
@ -48,6 +49,9 @@ jobs:
          CI_NETBIRD_AUTH_AUDIENCE: testing.ci
          CI_NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT: https://example.eu.auth0.com/.well-known/openid-configuration
          CI_NETBIRD_USE_AUTH0: true
          CI_NETBIRD_MGMT_IDP: "none"
          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
      - name: check values
        working-directory: infrastructure_files
@ -67,6 +71,9 @@ jobs:
          CI_NETBIRD_AUTH_USER_ID_CLAIM: "email"
          CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE: "super"
          CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE: "openid email"
          CI_NETBIRD_MGMT_IDP: "none"
          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
        run: |
          grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
@ -83,6 +90,12 @@ jobs:
          grep -A 1 ProviderConfig management.json | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
          grep Scope management.json | grep "$CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE"
          grep UseIDToken management.json | grep false
          grep -A 1 IdpManagerConfig management.json | grep ManagerType | grep $CI_NETBIRD_MGMT_IDP 
          grep -A 3 IdpManagerConfig management.json | grep -A 1 ClientConfig | grep Issuer | grep $CI_NETBIRD_AUTH_AUTHORITY
          grep -A 4 IdpManagerConfig management.json | grep -A 2 ClientConfig | grep TokenEndpoint | grep $CI_NETBIRD_AUTH_TOKEN_ENDPOINT
          grep -A 5 IdpManagerConfig management.json | grep -A 3 ClientConfig | grep ClientID | grep $CI_NETBIRD_IDP_MGMT_CLIENT_ID
          grep -A 6 IdpManagerConfig management.json | grep -A 4 ClientConfig | grep ClientSecret | grep $CI_NETBIRD_IDP_MGMT_CLIENT_SECRET
          grep -A 7 IdpManagerConfig management.json | grep -A 5 ClientConfig | grep GrantType | grep client_credentials
      - name: run docker compose up
        working-directory: infrastructure_files
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@ -1,34 +1,29 @@
 #!/bin/bash
-if ! which curl > /dev/null 2>&1
+if ! which curl >/dev/null 2>&1; then
-then
+  echo "This script uses curl fetch OpenID configuration from IDP."
-    echo "This script uses curl fetch OpenID configuration from IDP."
+  echo "Please install curl and re-run the script https://curl.se/"
-    echo "Please install curl and re-run the script https://curl.se/"
+  echo ""
-    echo ""
+  exit 1
    exit 1
 fi
-if ! which jq > /dev/null 2>&1
+if ! which jq >/dev/null 2>&1; then
-then
+  echo "This script uses jq to load OpenID configuration from IDP."
-    echo "This script uses jq to load OpenID configuration from IDP."
+  echo "Please install jq and re-run the script https://stedolan.github.io/jq/"
-    echo "Please install jq and re-run the script https://stedolan.github.io/jq/"
+  echo ""
-    echo ""
+  exit 1
    exit 1
 fi
 source setup.env
 source base.setup.env
-if ! which envsubst > /dev/null 2>&1
+if ! which envsubst >/dev/null 2>&1; then
 then
  echo "envsubst is needed to run this script"
-  if [[ $(uname) == "Darwin" ]]
+  if [[ $(uname) == "Darwin" ]]; then
  then
    echo "you can install it with homebrew (https://brew.sh):"
    echo "brew install gettext"
  else
-    if which apt-get > /dev/null 2>&1
+    if which apt-get >/dev/null 2>&1; then
    then
      echo "you can install it by running"
      echo "apt-get update && apt-get install gettext-base"
    else
@ -38,8 +33,7 @@ then
  exit 1
 fi
-if [[ "x-$NETBIRD_DOMAIN" == "x-" ]]
+if [[ "x-$NETBIRD_DOMAIN" == "x-" ]]; then
 then
  echo NETBIRD_DOMAIN is not set, please update your setup.env file
  echo If you are migrating from old versions, you migh need to update your variables prefixes from
  echo WIRETRUSTEE_.. TO NETBIRD_
@ -47,8 +41,7 @@ then
 fi
 # local development or tests
-if [[ $NETBIRD_DOMAIN == "localhost" || $NETBIRD_DOMAIN == "127.0.0.1" ]]
+if [[ $NETBIRD_DOMAIN == "localhost" || $NETBIRD_DOMAIN == "127.0.0.1" ]]; then
 then
  export NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN="netbird.selfhosted"
  export NETBIRD_MGMT_API_ENDPOINT=http://$NETBIRD_DOMAIN:$NETBIRD_MGMT_API_PORT
  unset NETBIRD_MGMT_API_CERT_FILE
@ -56,9 +49,8 @@ then
 fi
 # if not provided, we generate a turn password
-if [[ "x-$TURN_PASSWORD" == "x-" ]]
+if [[ "x-$TURN_PASSWORD" == "x-" ]]; then
-then
+  export TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g')
  export TURN_PASSWORD=$(openssl rand -base64 32|sed 's/=//g')
 fi
 MGMT_VOLUMENAME="${VOLUME_PREFIX}${MGMT_VOLUMESUFFIX}"
@ -67,13 +59,13 @@ LETSENCRYPT_VOLUMENAME="${VOLUME_PREFIX}${LETSENCRYPT_VOLUMESUFFIX}"
 # if volume with wiretrustee- prefix already exists, use it, else create new with netbird-
 OLD_PREFIX='wiretrustee-'
 if docker volume ls | grep -q "${OLD_PREFIX}${MGMT_VOLUMESUFFIX}"; then
-    MGMT_VOLUMENAME="${OLD_PREFIX}${MGMT_VOLUMESUFFIX}"
+  MGMT_VOLUMENAME="${OLD_PREFIX}${MGMT_VOLUMESUFFIX}"
 fi
 if docker volume ls | grep -q "${OLD_PREFIX}${SIGNAL_VOLUMESUFFIX}"; then
-    SIGNAL_VOLUMENAME="${OLD_PREFIX}${SIGNAL_VOLUMESUFFIX}"
+  SIGNAL_VOLUMENAME="${OLD_PREFIX}${SIGNAL_VOLUMESUFFIX}"
 fi
 if docker volume ls | grep -q "${OLD_PREFIX}${LETSENCRYPT_VOLUMESUFFIX}"; then
-    LETSENCRYPT_VOLUMENAME="${OLD_PREFIX}${LETSENCRYPT_VOLUMESUFFIX}"
+  LETSENCRYPT_VOLUMENAME="${OLD_PREFIX}${LETSENCRYPT_VOLUMESUFFIX}"
 fi
 export MGMT_VOLUMENAME
@ -83,47 +75,45 @@ export LETSENCRYPT_VOLUMENAME
 #backwards compatibility after migrating to generic OIDC with Auth0
 if [[ -z "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" ]]; then
-    if [[ -z "${NETBIRD_AUTH0_DOMAIN}" ]]; then
+  if [[ -z "${NETBIRD_AUTH0_DOMAIN}" ]]; then
-       # not a backward compatible state
+    # not a backward compatible state
-       echo "NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT property must be set in the setup.env file"
+    echo "NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT property must be set in the setup.env file"
-       exit 1
+    exit 1
-    fi
+  fi
-    echo "It seems like you provided an old setup.env file."
+  echo "It seems like you provided an old setup.env file."
-    echo "Since the release of v0.8.10, we introduced a new set of properties."
+  echo "Since the release of v0.8.10, we introduced a new set of properties."
-    echo "The script is backward compatible and will continue automatically."
+  echo "The script is backward compatible and will continue automatically."
-    echo "In the future versions it will be deprecated. Please refer to the documentation to learn about the changes http://netbird.io/docs/getting-started/self-hosting"
+  echo "In the future versions it will be deprecated. Please refer to the documentation to learn about the changes http://netbird.io/docs/getting-started/self-hosting"
-    export NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://${NETBIRD_AUTH0_DOMAIN}/.well-known/openid-configuration"
+  export NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://${NETBIRD_AUTH0_DOMAIN}/.well-known/openid-configuration"
-    export NETBIRD_USE_AUTH0="true"
+  export NETBIRD_USE_AUTH0="true"
-    export NETBIRD_AUTH_AUDIENCE=${NETBIRD_AUTH0_AUDIENCE}
+  export NETBIRD_AUTH_AUDIENCE=${NETBIRD_AUTH0_AUDIENCE}
-    export NETBIRD_AUTH_CLIENT_ID=${NETBIRD_AUTH0_CLIENT_ID}
+  export NETBIRD_AUTH_CLIENT_ID=${NETBIRD_AUTH0_CLIENT_ID}
 fi
 echo "loading OpenID configuration from ${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT} to the openid-configuration.json file"
 curl "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" -q -o openid-configuration.json
-export NETBIRD_AUTH_AUTHORITY=$( jq -r  '.issuer' openid-configuration.json )
+export NETBIRD_AUTH_AUTHORITY=$(jq -r '.issuer' openid-configuration.json)
-export NETBIRD_AUTH_JWT_CERTS=$( jq -r  '.jwks_uri' openid-configuration.json )
+export NETBIRD_AUTH_JWT_CERTS=$(jq -r '.jwks_uri' openid-configuration.json)
-export NETBIRD_AUTH_SUPPORTED_SCOPES=$( jq -r '.scopes_supported | join(" ")' openid-configuration.json )
+export NETBIRD_AUTH_SUPPORTED_SCOPES=$(jq -r '.scopes_supported | join(" ")' openid-configuration.json)
-export NETBIRD_AUTH_TOKEN_ENDPOINT=$( jq -r  '.token_endpoint' openid-configuration.json )
+export NETBIRD_AUTH_TOKEN_ENDPOINT=$(jq -r '.token_endpoint' openid-configuration.json)
-export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$( jq -r  '.device_authorization_endpoint' openid-configuration.json )
+export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$(jq -r '.device_authorization_endpoint' openid-configuration.json)
-if [ $NETBIRD_USE_AUTH0 == "true" ]
+if [ "$NETBIRD_USE_AUTH0" == "true" ]; then
-then
+  export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api email_verified"
    export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api email_verified"
 else
-    export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
+  export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
 fi
 if [[ ! -z "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}" ]]; then
-    # user enabled Device Authorization Grant feature
+  # user enabled Device Authorization Grant feature
-    export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
+  export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
 fi
 # Check if letsencrypt was disabled
-if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]
+if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]; then
 then
  export NETBIRD_DASHBOARD_ENDPOINT="https://$NETBIRD_DOMAIN:443"
  export NETBIRD_SIGNAL_ENDPOINT="https://$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT"
@ -145,8 +135,31 @@ then
  unset NETBIRD_MGMT_API_CERT_KEY_FILE
 fi
 # Check if management identity provider is set
 if [ -n "$NETBIRD_MGMT_IDP" ]; then
  EXTRA_CONFIG={}
  # extract extra config from all env prefixed with NETBIRD_IDP_MGMT_EXTRA_
  for var in ${!NETBIRD_IDP_MGMT_EXTRA_*}; do
    # convert key snake case to camel case
    key=$(
      echo "${var#NETBIRD_IDP_MGMT_EXTRA_}" | awk -F "_" \
        '{for (i=1; i<=NF; i++) {output=output substr($i,1,1) tolower(substr($i,2))} print output}'
    )
    value="${!var}"
   echo "$var"
    EXTRA_CONFIG=$(jq --arg k "$key" --arg v "$value" '.[$k] = $v' <<<"$EXTRA_CONFIG")
  done
  export NETBIRD_MGMT_IDP
  export NETBIRD_IDP_MGMT_CLIENT_ID
  export NETBIRD_IDP_MGMT_CLIENT_SECRET
  export NETBIRD_IDP_MGMT_EXTRA_CONFIG=$EXTRA_CONFIG
 fi
 env | grep NETBIRD
-envsubst < docker-compose.yml.tmpl > docker-compose.yml
+envsubst <docker-compose.yml.tmpl >docker-compose.yml
-envsubst < management.json.tmpl > management.json
+envsubst <management.json.tmpl >management.json
-envsubst < turnserver.conf.tmpl > turnserver.conf
+envsubst <turnserver.conf.tmpl >turnserver.conf
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@ -38,7 +38,15 @@
        "OIDCConfigEndpoint":"$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT"
    },
    "IdpManagerConfig": {
-        "Manager": "none"
+        "ManagerType": "$NETBIRD_MGMT_IDP",
        "ClientConfig": {
            "Issuer": "$NETBIRD_AUTH_AUTHORITY",
            "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
            "ClientID": "$NETBIRD_IDP_MGMT_CLIENT_ID",
            "ClientSecret": "$NETBIRD_IDP_MGMT_CLIENT_SECRET",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": $NETBIRD_IDP_MGMT_EXTRA_CONFIG
     },
    "DeviceAuthorizationFlow": {
        "Provider": "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER",
--- a/infrastructure_files/setup.env.example
+++ b/infrastructure_files/setup.env.example
@ -22,6 +22,11 @@ NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
 NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
 NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
 NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
 eg. zitadel, auth0, azure, keycloak
 NETBIRD_MGMT_IDP="none"
 # Some IDPs requires different client id and client secret for management api
 NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
 NETBIRD_IDP_MGMT_CLIENT_SECRET=""
 # if your IDP provider doesn't support fragmented URIs, configure custom
 # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
--- a/infrastructure_files/tests/setup.env
+++ b/infrastructure_files/tests/setup.env
@ -17,3 +17,6 @@ NETBIRD_TOKEN_SOURCE="idToken"
 NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="super"
 NETBIRD_AUTH_USER_ID_CLAIM="email"
 NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid email"
 NETBIRD_MGMT_IDP=$CI_NETBIRD_MGMT_IDP
 NETBIRD_IDP_MGMT_CLIENT_ID=$CI_NETBIRD_IDP_MGMT_CLIENT_ID
 NETBIRD_IDP_MGMT_CLIENT_SECRET=$CI_NETBIRD_IDP_MGMT_CLIENT_SECRET
--- a/infrastructure_files/zitadel.sh
+++ b/infrastructure_files/zitadel.sh
@ -0,0 +1,122 @@
 #!/bin/bash
 set -e
 request_jwt_token() {
  INSTANCE_URL=$1
  BODY="grant_type=client_credentials&scope=urn:zitadel:iam:org:project:id:zitadel:aud&client_id=$ZITADEL_CLIENT_ID&client_secret=$ZITADEL_CLIENT_SECRET"
  RESPONSE=$(
    curl -X POST "$INSTANCE_URL/oauth/v2/token" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "$BODY"
  )
  echo "$RESPONSE" | jq -r '.access_token'
 }
 create_new_project() {
  INSTANCE_URL=$1
  ACCESS_TOKEN=$2
  PROJECT_NAME="NETBIRD"
  RESPONSE=$(
    curl -X POST "$INSTANCE_URL/management/v1/projects" \
      -H "Authorization: Bearer $ACCESS_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{"name": "'"$PROJECT_NAME"'"}'
  )
  echo "$RESPONSE" | jq -r '.id'
 }
 create_new_application() {
  INSTANCE_URL=$1
  ACCESS_TOKEN=$2
  APPLICATION_NAME="netbird"
  RESPONSE=$(
    curl -X POST "$INSTANCE_URL/management/v1/projects/$PROJECT_ID/apps/oidc" \
      -H "Authorization: Bearer $ACCESS_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{
    "name": "'"$APPLICATION_NAME"'",
    "redirectUris": [
      "'"$BASE_REDIRECT_URL"'/auth"
    ],
    "RESPONSETypes": [
      "OIDC_RESPONSE_TYPE_CODE"
    ],
    "grantTypes": [
      "OIDC_GRANT_TYPE_AUTHORIZATION_CODE",
      "OIDC_GRANT_TYPE_REFRESH_TOKEN"
    ],
    "appType": "OIDC_APP_TYPE_USER_AGENT",
    "authMethodType": "OIDC_AUTH_METHOD_TYPE_NONE",
    "postLogoutRedirectUris": [
      "'"$BASE_REDIRECT_URL"'/silent-auth"
    ],
    "version": "OIDC_VERSION_1_0",
    "devMode": '"$ZITADEL_DEV_MODE"',
    "accessTokenType": "OIDC_TOKEN_TYPE_JWT",
    "accessTokenRoleAssertion": true,
    "skipNativeAppSuccessPage": true
  }'
  )
  echo "$RESPONSE" | jq -r '.clientId'
 }
 configure_zitadel_instance() {
  # extract zitadel instance url
  INSTANCE_URL=$(echo "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" | sed 's/\/\.well-known\/openid-configuration//')
  DOC_URL="https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-zitadel#step-4-create-a-service-user"
  echo ""
  printf "configuring zitadel instance: $INSTANCE_URL \n \
  before proceeding, please create a new service account for authorization by following the instructions (step 4 and 5
  ) in the documentation at %s\n" "$DOC_URL"
  echo "Please ensure that the new service account has 'Org Owner' permission in order for this to work."
  echo ""
  read -n 1 -s -r -p "press any key to continue..."
  echo ""
  # prompt the user to enter service account clientID
  echo ""
  read -r -p "enter service account ClientId: " ZITADEL_CLIENT_ID
  echo ""
  # Prompt the user to enter service account clientSecret
  read -r -p "enter service account ClientSecret: " ZITADEL_CLIENT_SECRET
  echo ""
  # get an access token from zitadel
  echo "retrieving access token from zitadel"
  ACCESS_TOKEN=$(request_jwt_token "$INSTANCE_URL")
  if [ "$ACCESS_TOKEN" = "null" ]; then
    echo "failed requesting access token"
    exit 1
  fi
  #  create the zitadel project
  echo "creating new zitadel project"
  PROJECT_ID=$(create_new_project "$INSTANCE_URL" "$ACCESS_TOKEN")
  if [ "$PROJECT_ID" = "null" ]; then
    echo "failed creating new zitadel project"
    exit 1
  fi
  ZITADEL_DEV_MODE=false
  if [[ $NETBIRD_DOMAIN == *"localhost"* ]]; then
    BASE_REDIRECT_URL="http://$NETBIRD_DOMAIN"
    ZITADEL_DEV_MODE=true
  else
    BASE_REDIRECT_URL="https://$NETBIRD_DOMAIN"
  fi
  # create zitadel spa application
  echo "creating new zitadel spa application"
  APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$ACCESS_TOKEN")
  if [ "$APPLICATION_CLIENT_ID" = "null" ]; then
    echo "failed creating new zitadel spa application"
    exit 1
  fi
 }
--- a/management/server/idp/idp.go
+++ b/management/server/idp/idp.go
@ -84,6 +84,10 @@ type JWTToken struct {
 // NewManager returns a new idp manager based on the configuration that it receives
 func NewManager(config Config, appMetrics telemetry.AppMetrics) (Manager, error) {
 	if config.ClientConfig != nil {
 		config.ClientConfig.Issuer = strings.TrimSuffix(config.ClientConfig.Issuer, "/")
 	}
 	switch strings.ToLower(config.ManagerType) {
 	case "none", "":
 		return nil, nil
@ -108,8 +112,8 @@ func NewManager(config Config, appMetrics telemetry.AppMetrics) (Manager, error)
 				ClientSecret:     config.ClientConfig.ClientSecret,
 				GrantType:        config.ClientConfig.GrantType,
 				TokenEndpoint:    config.ClientConfig.TokenEndpoint,
-				ObjectID:         config.ExtraConfig["ObjectID"],
+				ObjectID:         config.ExtraConfig["ObjectId"],
-				GraphAPIEndpoint: config.ExtraConfig["GraphAPIEndpoint"],
+				GraphAPIEndpoint: config.ExtraConfig["GraphApiEndpoint"],
 			}
 		}
@ -155,7 +159,7 @@ func NewManager(config Config, appMetrics telemetry.AppMetrics) (Manager, error)
 			Issuer:        config.ClientConfig.Issuer,
 			TokenEndpoint: config.ClientConfig.TokenEndpoint,
 			GrantType:     config.ClientConfig.GrantType,
-			APIToken:      config.ExtraConfig["APIToken"],
+			APIToken:      config.ExtraConfig["ApiToken"],
 		}
 		return NewOktaManager(oktaClientConfig, appMetrics)