From 889430e8573bd78040153afa789ee2246528aa9e Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 12 Sep 2024 16:39:44 +0000
Subject: [PATCH] Added SSO for espocrm

---
 lib/espocrm.sh | 110 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 107 insertions(+), 3 deletions(-)

diff --git a/lib/espocrm.sh b/lib/espocrm.sh
index 5ca282a..2f92067 100644
--- a/lib/espocrm.sh
+++ b/lib/espocrm.sh
@@ -43,7 +43,7 @@ EOF ESPOCRM_SECRET=$(create_password); cat > /federated/apps/espocrm/.env < /dev/null docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD -e 'drop user espocrm;'" &> /dev/null + # Delete the app directory + rm -rf /federated/apps/espocrm + + # Delete the image + docker image rm espocrm/espocrm:${IMAGE_VERSION} &> /dev/null + + # Delete the DNS record + docker exec pdns pdnsutil delete-rrset $DOMAIN espocrm A + # Remove cronjob crontab -l | grep -v 'espocrm /usr/local/bin/php -f /var/www/html/cron.php' | crontab - - # Delete the app directory - rm -rf /federated/apps/espocrm + # Uninstall the SSO configuration if it exists in authelia (authelia must exist too) + if [[ $(grep "### Espocrm" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]]; then + sed -i '/### Espocrm/,/### /{/### PowerDNS/!{/### /!d}}' /federated/apps/authelia/data/config/idproviders.yml + sed -i '/### Espocrm/d' /federated/apps/authelia/data/config/idproviders.yml + /federated/bin/stop authelia + /federated/bin/start authelia + fi kill -9 $SPINPID &> /dev/null echo -ne "done.\n" } +configsso_espocrm() { + [ ! -d "/federated/apps/authelia" ] && failcheck "Authelia is not installed. You need this first before continuing." + [ ! -f "/federated/apps/authelia/data/config/idproviders.yml" ] && failcheck "Authelia idproviders.yml is missing." + [[ $(grep "### Espocrm" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]] && failcheck "Authelia already has a Espocrm configuration." 
+ + ESPOCRM_CLIENT_SECRET=$(create_password); + ESPOCRM_CLIENT_SECRET_HASH=$(docker run -it --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $ESPOCRM_CLIENT_SECRET | awk '{ print $2 }') + +cat >> /federated/apps/authelia/data/config/idproviders.yml <> /federated/apps/espocrm/.env < [\n\ 0 => 'profile',\n\ 1 => 'email',\n\ 2 => 'openid'\n\ ]," /federated/apps/espocrm/data/var/www/html/data/config.php + +# Add in extra_hosts to docker-compose +[[ ! $(grep extra_hosts /federated/apps/espocrm/docker-compose.yml 2>/dev/null) ]] && sed -i "/restart: always/a \ extra_hosts:\n\ - \"authelia.$DOMAIN:$EXTERNALIP\"" /federated/apps/espocrm/docker-compose.yml + +# Set auth method to Oidc only +sed -i "s/ESPOCRM_CONFIG_AUTHENTICATION_METHOD=LDAP/#ESPOCRM_CONFIG_AUTHENTICATION_METHOD=LDAP/g" /federated/apps/espocrm/.env + +: ' + 'authenticationMethod' => 'Oidc', + 'oidcJwtSignatureAlgorithmList' => [ + 0 => 'RS256' + ], + 'oidcUsernameClaim' => 'preferred_username', + 'oidcFallback' => true, + 'oidcScopes' => [ + 0 => 'profile', + 1 => 'email', + 2 => 'openid' + ], + 'oidcClientId' => 'espocrm', + 'oidcAuthorizationEndpoint' => 'https://authelia.f11957a1.fedcom.net/api/oidc/authorization', + 'oidcTokenEndpoint' => 'https://authelia.f11957a1.fedcom.net/api/oidc/token', + 'oidcJwksEndpoint' => 'https://authelia.f11957a1.fedcom.net/jwks.json', + 'oidcCreateUser' => true, + 'oidcAllowAdminUser' => true, + 'oidcLogoutUrl' => 'https://authelia.f11957a1.fedcom.net/logout', + 'oidcSync' => false, + 'oidcGroupClaim' => NULL, + 'oidcSyncTeams' => false, + 'oidcAllowRegularUserFallback' => false, + 'oidcTeamsIds' => [], + 'oidcTeamsNames' => (object) [], + 'oidcTeamsColumns' => (object) [], + 'oidcAuthorizationPrompt' => 'consent', +' + /federated/bin/stop espocrm + /federated/bin/start espocrm +}
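Review bot: The new client secret is handed to the hashing container on the command line, `--password $ESPOCRM_CLIENT_SECRET`, unquoted, so it is visible in `ps` and `docker inspect` for the life of that container and would word-split if `create_password` ever emitted whitespace; at minimum quote it, `--password "$ESPOCRM_CLIENT_SECRET"`, and if the authelia CLI offers a non-argv way to supply the password, prefer that. The same line runs `docker run -it --rm authelia/authelia:latest`: `-t` allocates a pty, which fails when the script is run without a TTY and can leave a trailing `\r` on the captured hash that then lands in idproviders.yml, so `-i --rm` is sufficient, and the unpinned `:latest` should be the same tag the Authelia install uses, e.g. `authelia/authelia:<PINNED_TAG>` (placeholder). The trailing `: '…'` block is not a comment but a single long word built from alternating quoted and unquoted pieces — every embedded `'authenticationMethod'`-style quote toggles shell quoting — and it also hard-codes an environment-specific host `authelia.f11957a1.fedcom.net`; turn it into `#` lines or drop it. Several here-doc bodies in this hunk are not visible on the page, and the `[[ $(grep … ) ]]` presence checks here and in the uninstall path read more simply as `grep -q …`.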