diff --git a/Docker/README.md b/Docker/README.md new file mode 100644 index 0000000..e11b3a4 --- /dev/null +++ b/Docker/README.md @@ -0,0 +1,127 @@ +Mattermost-LDAP - Docker module +=============================== + +## Summary + +This repository provides necessary ressources to build the Docker image for Mattermost-LDAP module. This Docker image is usefull to try Mattermost-LDAP in a PoC, and is production ready. + +## Description + +The Mattermost-LDAP module is divided into two Docker images. On the one hand, the PostgreSQL database and on the other hand, the httpd server. + +The PostgreSQL image installs a PostgreSQL database and then configures the Oauth user and the Oauth server database with associated tables. The Mattermost client ID, with its associated secret ID, and the Mattermost Redirect URI are added to the oauth_clients table to allow Mattermost to use the Oauth server. +The configuration of the database is done by the init.sh script whose parameters are gathered in config_init. These two files are located in the `postgres/files/` folder in this reporsitory. + +The httpd server image is based on a CentOS 7 image on which an httpd server and the necessary dependencies are installed with yum. The Oauth server is configured from the Mattermost-LDAP project available on Github. LDAP and database configuration are provided by config_db.php and config_ldap.php in the `ouath/files/` folder in this repository. + +## Architecture + +![Docker Architecture of Mattermost-LDAP and interraction with Mattermost](docker-mattermostldap.png "Docker Architecture of Mattermost-LDAP and interraction with Mattermost") + +The Oauth container exposes port 80 and Postgres container port 5432. The user interacts with the Oauth server and the tokens generated by it are stored in the database. In addition, when a user logs in, his ID is stored with a unique ID. This behavior is necessary for authentication with Mattermost. The figure above illustrates interraction between Oauth server, Postgres database and Mattermost. + +## Image Build + +Firstly, install `docker-ce` on your host server : + - For CentOS/RHEL : https://docs.docker.com/install/linux/docker-ce/centos/ + - For Fedora : https://docs.docker.com/install/linux/docker-ce/fedora/ + - For Debian : https://docs.docker.com/install/linux/docker-ce/debian/ + - For Ubuntu : https://docs.docker.com/install/linux/docker-ce/ubuntu/ + + +Then, clone this repository on your host and go in `Docker` directory : +``` +git clone +cd Mattermost-LDAP/Docker +``` + +There are two Dockerfiles, one in `postgres/` and another in `oauth/`. These Dockerfiles must be compiled to create the corresponding images. To do this, we use the docker build command as follows: +``` +docker build -t mattermostldap-postgres:latest postgres/ +docker build -t mattermostldap-oauth:latest oauth/ +``` +Once built, images are available in the Docker daemon and be used to create container with `docker run`. To view available images you can use : +``` +docker images list +``` + +## Configuration + +Some image parameters can be changed, by specifying the desired parameters in container's environment variable, when you create a container to adapt it to your configuration. To apply custom parameters, they must be added to the container execution line with the --env (or -e) option followed by the parameter name and the desired value (-e = ). For more details, refer to the examples in the Usage section. + +### LDAP +| Parameter | Description | Default value | +|-----------------------|-----------------------------------------------------------------------|--------------------------| +| ldap_host | URL or IP to connect LDAP server | ldap://ldap.company.com/ | +| ldap_port | Port used to connect LDAP server | 389 | +| ldap_version | LDAP version or protocol version used by LDAP server | 3 | +| ldap_search_attribute | Attribute used to identify a user on the LDAP | uid | +| ldap_filter | Additional filter for LDAP search | objectClass=* | +| ldap_base_dn | The base directory name of your LDAP server | ou=People,o=Company | +| ldap_bind_dn | The LDAP Directory Name of an service account to allow LDAP search | | +| ldap_bind_pass | The password associated to the service account to allow LDAP search | | + + +### Base de données +| Paramètre | Description | Défaut | +|------------|----------------------------------------------------------------------|--------------------| +| db_host | Hostname or IP address of the Postgres container (database) | 127.0.0.1 | +| db_port | The port of your database to connect | 5432 | +| db_type | Database type to adapt PDO. Should be pgsql for Postgres container | pgsql | +| db_user | User who manages oauth database | oauth | +| db_pass | User's password to manage oauth database | oauth_secure-pass | +| db_name | Database name for oauth server | oauth_db | + + +### Client +| Paramètre | Description | Valeur par défaut | +|-----------------|--------------------------------------------------------------------|------------------------------------------------------| +| client_id | Token client ID shared with mattermost | 123456789 | +| client_secret | Token client Secret shared with mattermost | 987654321 | +| redirect_uri | The callback address where oauth will send tokens to Mattermost | http://mattermost.company.com/signup/gitlab/complete | +| grant_types | The type of authentification use by Mattermost | authorization_code | +| scope | The scope of authentification use by Mattermost | api | +| user_id | The username of the user who create the Mattermost client in Oauth | | + + +## Usage + +Both containers can be run separately, but the Mattermost-LDAP module requires both containers are working and communicating to be operational. + +### Container mattermostldap-postgres + +Once built, the mattermostldap-postgres image can be used to start a container running the postgresql database for the Mattermost-LDAP module. The image contains a default configuration specified in the configuration section. To run a container from the mattermostldap-postgres image : + +``` +docker run -d mattermostldap-postgres --name database +``` + +Image settings can be customized by passing the desired values per environment variable to the container. For example, to configure the client ID and secret ID, start the container with the following command: +``` +docker run -d mattermostldap-postgres --name database -e client_id=123456789 -e client_secret=987654321 +``` + +For more information about available parameters, refer to the configuration section or the [Mattermost-LDAP documentation](https://github.com/Crivaledaz/Mattermost-LDAP/blob/master/README.md). + +In addition, the mattermostldap-postgres container stores database entries in a volume outside the container to allow persistence of data beyond the life of the container. By default, Docker automatically creates a volume and stores the data in the postgresql database. However, the volume is destroyed as soon as no object references it. To overcome this problem, it is advisable to save the container data outside Docker, specifying the path of the folder that will be used for storage. To bind the container to the folder chosen, you can use this command: +``` +docker run -d mattermostldap-postgres --name database --volume /data/mattermostldap-postgres:/var/lib/postgresql/data +``` + +## Container mattermostldap-oauth + +Once built, the mattermostldap-oauth image can be used to build a container running the oauth server of the Mattermost-LDAP module. The image contains a default configuration specified in the configuration section. To run a container from the mattermostldap-oauth image: +``` +docker run -d mattermostldap-oauth --name oauth +``` + +To adapt the parameters of the image, youjust need to specify custom parameters in environment variables of the container at its start. For example, to configure the LDAP server, use the following command: +``` +docker run -d mattermostldap-oauth --name oauth -e ldap_host="ldap.company.com" -e ldap_port=389 +``` + +## Improvement + +In order to allow a dynamic configuration of the mattermostldap-oauth and mattermostldap-postgres images, the choice has been made to pass the parameters by environmental variables to the container. However, this method exposes all user-defined settings to all processes in the container. As a result, passwords and security tokens are exposed throughout the container and can easily be recovered by any process running in the container, including a user shell. + +Unfortunately, this is the simplest method to avoid defining static parameters in the image, forcing a recompilation of the image each time a value is changed. While waiting for a more secure solution, it is highly recommended to secure access to the container. \ No newline at end of file diff --git a/Docker/mattermostldap-docker.png b/Docker/mattermostldap-docker.png new file mode 100644 index 0000000..867466c Binary files /dev/null and b/Docker/mattermostldap-docker.png differ diff --git a/Docker/oauth/Dockerfile b/Docker/oauth/Dockerfile new file mode 100644 index 0000000..9ee9cda --- /dev/null +++ b/Docker/oauth/Dockerfile @@ -0,0 +1,31 @@ +# mattermostldap-oauth +# Create and configure a Docker image to setup an Oauth Server (Mattermost-LDAP) +# For more information, please refer to the Mattermost-LDAP project. +# > https://github.com/crivaledaz/Mattermost-LDAP + +# Start from a CentOS 7 image +FROM centos:latest + +# Update packages and install dependencies +RUN yum update -y && yum -y install httpd php postgresql php-ldap php-pdo php-pgsql git + +# Retrieve Mattermost-LDAP from git repository +RUN git clone https://github.com/crivaledaz/Mattermost-LDAP.git Mattermost-LDAP/ + +# Change workdir +WORKDIR Mattermost-LDAP/ + +# Install server Oauth +RUN cp -r oauth/ /var/www/html/ + +# Get config files with custom parameters +ADD ./files . + +# Copy config files in Oauth server +RUN cp config_ldap.php /var/www/html/oauth/LDAP/ && cp config_db.php /var/www/html/oauth/ + +# Open and expose port 80 for Apache server +EXPOSE 80 + +# Start Apache server +CMD ["/usr/sbin/httpd", "-DFOREGROUND"] diff --git a/Docker/oauth/files/config_db.php b/Docker/oauth/files/config_db.php new file mode 100644 index 0000000..36a5da8 --- /dev/null +++ b/Docker/oauth/files/config_db.php @@ -0,0 +1,14 @@ + https://github.com/crivaledaz/Mattermost-LDAP + +# Start from a minimal PostgreSQL image +FROM postgres:alpine + +# Copy init script in the container +ADD ./files /docker-entrypoint-initdb.d/ + +# Prepare data for persistence +VOLUME /var/lib/postgresql/data diff --git a/Docker/postgres/files/config_init.sh b/Docker/postgres/files/config_init.sh new file mode 100644 index 0000000..c1debcb --- /dev/null +++ b/Docker/postgres/files/config_init.sh @@ -0,0 +1,16 @@ +#####################################--CONFIGURATION FILE--######################################## + +#Client configuration +client_id=$(if [ -z $client_id ]; then echo "123456789"; else echo $client_id; fi) +client_secret=$(if [ -z $client_secret ]; then echo "987654321"; else echo $client_secret; fi) +redirect_uri=$(if [ -z $redirect_uri ]; then echo "http://mattermost.company.com/signup/gitlab/complete"; else echo $redirect_uri; fi) +grant_types=$(if [ -z $grant_types ]; then echo "authorization_code"; else echo $grant_types; fi) +scope=$(if [ -z $scope ]; then echo "api"; else echo $client_id; fi) +user_id=$(if [ -z $user_id ]; then echo ""; else echo $user_id; fi) + +#Database configuration +oauth_user=$(if [ -z $oauth_user ]; then echo "oauth"; else echo $oauth_user; fi) +oauth_db_name=$(if [ -z $oauth_db_name ]; then echo "oauth_db"; else echo $oauth_db_name; fi) +oauth_pass=$(if [ -z $oauth_pass ]; then echo "oauth_secure-pass"; else echo $oauth_pass; fi) +ip=$(if [ -z $db_host ]; then echo "localhost"; else echo $ip; fi) +port=$(if [ -z $db_port ]; then echo "5432"; else echo $port; fi) diff --git a/Docker/postgres/files/init.sh b/Docker/postgres/files/init.sh new file mode 100644 index 0000000..962b876 --- /dev/null +++ b/Docker/postgres/files/init.sh @@ -0,0 +1,62 @@ +#!/bin/bash +#This script need right to become postgres user (so root) and to read/write in httpd directory + +#######################################--Fonctions--############################################### + +ok() { echo -e '\e[32m'$1'\e[m'; } +error() { echo -e '\e[31m'$1'\e[m'; } +info() { echo -e '\e[34m'$1'\e[m'; } +warn() { echo -e '\e[33m'$1'\e[m'; } + +#######################################--SQL STATEMENT--########################################### + +#Tables creation +create_table_oauth_client="CREATE TABLE oauth_clients (client_id VARCHAR(80) NOT NULL, client_secret VARCHAR(80), redirect_uri VARCHAR(2000) NOT NULL, grant_types VARCHAR(80), scope VARCHAR(100), user_id VARCHAR(80), CONSTRAINT clients_client_id_pk PRIMARY KEY (client_id));" +create_table_oauth_access_tokens="CREATE TABLE oauth_access_tokens (access_token VARCHAR(40) NOT NULL, client_id VARCHAR(80) NOT NULL, user_id VARCHAR(255), expires TIMESTAMP NOT NULL, scope VARCHAR(2000), CONSTRAINT access_token_pk PRIMARY KEY (access_token));" +create_table_oauth_authorization_codes="CREATE TABLE oauth_authorization_codes (authorization_code VARCHAR(40) NOT NULL, client_id VARCHAR(80) NOT NULL, user_id VARCHAR(255), redirect_uri VARCHAR(2000), expires TIMESTAMP NOT NULL, scope VARCHAR(2000), CONSTRAINT auth_code_pk PRIMARY KEY (authorization_code));" +create_table_oauth_refresh_tokens="CREATE TABLE oauth_refresh_tokens (refresh_token VARCHAR(40) NOT NULL, client_id VARCHAR(80) NOT NULL, user_id VARCHAR(255), expires TIMESTAMP NOT NULL, scope VARCHAR(2000), CONSTRAINT refresh_token_pk PRIMARY KEY (refresh_token));" +create_table_users="CREATE TABLE users (id SERIAL NOT NULL, username VARCHAR(255) NOT NULL, CONSTRAINT id_pk PRIMARY KEY (id));" +create_table_oauth_scopes="CREATE TABLE oauth_scopes (scope TEXT, is_default BOOLEAN);" + +#Client creation +create_client="INSERT INTO oauth_clients (client_id,client_secret,redirect_uri,grant_types,scope,user_id) VALUES ('$client_id','$client_secret','$redirect_uri','$grant_types','$scope','$user_id');" + +################################################################################################### + +#Welcome Message +info "This script will create a new Oauth role and an associated database for Mattermost-LDAP\nTo edit configuration please edit this script before running !\n" +warn "SuperUser right must be ask to create the new role and database in postgres\n" +info "Press ctrl+c to stop the script" + +sleep 5 + +#Creating Oauth role and associated database (need admin account on postgres) +info "Creation of role $oauth_user and database $oauth_db ... (need to be root)" +psql -U postgres -c "CREATE DATABASE $oauth_db_name;" +psql -U postgres -c "CREATE USER $oauth_user WITH ENCRYPTED PASSWORD '$oauth_pass';" +psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE $oauth_db_name TO $oauth_user;" + +#Creating tables for ouath database (use oauth role) +info "Creation of tables for database $oauth_db (using $oauth_user)" +psql -U $oauth_user -d $oauth_db_name -c "$create_table_oauth_client" +psql -U $oauth_user -d $oauth_db_name -c "$create_table_oauth_access_tokens" +psql -U $oauth_user -d $oauth_db_name -c "$create_table_oauth_authorization_codes" +psql -U $oauth_user -d $oauth_db_name -c "$create_table_oauth_refresh_tokens" +psql -U $oauth_user -d $oauth_db_name -c "$create_table_users" +psql -U $oauth_user -d $oauth_db_name -c "$create_table_oauth_scopes" + +#Insert new client in the database +info "Insert new client in the database" +psql -U $oauth_user -d $oauth_db_name -c "$create_client" + +#Verification +psql -U $oauth_user -d $oauth_db_name -c "SELECT * from oauth_clients WHERE client_id='$client_id';" | grep '(1' + +if [ $? ] +then ok "Client has been created ! Oauth Database is configured.\n" +info "Client ID : $client_id" +warn "Client Secret : $client_secret\n" +info "Keep id and secret, you will need them to configure Mattermost" +warn "Beware Client Secret IS PRIVATE and MUST BE KEPT SECRET" +else error "Client has not been created ! Check log below" +fi