Added SSO for espocrm

2024-09-12 16:39:44 +00:00 · 2024-09-12 16:39:44 +00:00 · 889430e857
commit 889430e857
parent f6b7291921
1 changed files with 107 additions and 3 deletions
--- a/lib/espocrm.sh
+++ b/lib/espocrm.sh
@ -43,7 +43,7 @@ EOF
 ESPOCRM_SECRET=$(create_password);

 cat > /federated/apps/espocrm/.env <<EOF
-IMAGE_VERSION="8.0.5-apache"
+IMAGE_VERSION="8.4.0-apache"
 ESPOCRM_DATABASE_HOST=pdnsmysql.$DOMAIN
 ESPOCRM_DATABASE_NAME=espocrm
 ESPOCRM_DATABASE_USER=espocrm
@ -190,12 +190,116 @@ uninstall_espocrm() {
  docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD -e 'drop database espocrm;'" &> /dev/null
  docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD -e 'drop user espocrm;'" &> /dev/null

+  # Delete the app directory
+  rm -rf /federated/apps/espocrm
+
+  # Delete the image
+  docker image rm espocrm/espocrm:${IMAGE_VERSION} &> /dev/null
+
+  # Delete the DNS record
+  docker exec pdns pdnsutil delete-rrset $DOMAIN espocrm A
+
  # Remove cronjob
  crontab -l | grep -v 'espocrm /usr/local/bin/php -f /var/www/html/cron.php'  | crontab -

-  # Delete the app directory
-  rm -rf /federated/apps/espocrm
+  # Uninstall the SSO configuration if it exists in authelia (authelia must exist too)
+  if [[ $(grep "### Espocrm" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]]; then
+    sed -i '/### Espocrm/,/### /{/### PowerDNS/!{/### /!d}}' /federated/apps/authelia/data/config/idproviders.yml
+    sed -i '/### Espocrm/d' /federated/apps/authelia/data/config/idproviders.yml
+    /federated/bin/stop authelia
+    /federated/bin/start authelia
+  fi

  kill -9 $SPINPID &> /dev/null
  echo -ne "done.\n"
 }
+configsso_espocrm() {
+  [ ! -d "/federated/apps/authelia" ] && failcheck "Authelia is not installed. You need this first before continuing."
+  [ ! -f "/federated/apps/authelia/data/config/idproviders.yml" ] && failcheck "Authelia idproviders.yml is missing."
+  [[ $(grep "### Espocrm" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]] && failcheck "Authelia already has a Espocrm configuration."
+
+  ESPOCRM_CLIENT_SECRET=$(create_password);
+  ESPOCRM_CLIENT_SECRET_HASH=$(docker run -it --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $ESPOCRM_CLIENT_SECRET | awk '{ print $2 }')
+
+cat >> /federated/apps/authelia/data/config/idproviders.yml <<EOF
+     ### Espocrm
+      - client_id: 'espocrm'
+        client_name: 'Espocrm'
+        client_secret: $ESPOCRM_CLIENT_SECRET_HASH
+        consent_mode: 'implicit'
+        public: false
+        authorization_policy: 'one_factor'
+        redirect_uris:
+          - 'https://espocrm.$DOMAIN/oauth-callback.php'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'
+EOF
+
+  # Restart Authelia for changes to take the above configuration
+  /federated/bin/stop authelia
+  /federated/bin/start authelia
+
+cat >> /federated/apps/espocrm/.env <<EOF
+ESPOCRM_CONFIG_AUTHENTICATION_METHOD=Oidc
+ESPOCRM_CONFIG_OIDC_USERNAME_CLAIM=preferred_username
+ESPOCRM_CONFIG_OIDC_FALLBACK=true
+ESPOCRM_CONFIG_OIDC_CLIENT_ID=espocrm
+ESPOCRM_CONFIG_OIDC_CLIENT_SECRET=$ESPOCRM_CLIENT_SECRET
+ESPOCRM_CONFIG_OIDC_AUTHORIZATION_ENDPOINT=https://authelia.$DOMAIN/api/oidc/authorization
+ESPOCRM_CONFIG_OIDC_TOKEN_ENDPOINT=https://authelia.$DOMAIN/api/oidc/token
+ESPOCRM_CONFIG_OIDC_JWKS_ENDPOINT=https://authelia.$DOMAIN/jwks.json
+ESPOCRM_CONFIG_OIDC_LOGOUT_URL=https://authelia.$DOMAIN/logout
+ESPOCRM_CONFIG_OIDC_CREATE_USER=true
+ESPOCRM_CONFIG_OIDC_ALLOW_ADMIN_USER=true
+ESPOCRM_CONFIG_OIDC_SYNC=false
+ESPOCRM_CONFIG_OIDC_SYNC_TEAMS=false
+ESPOCRM_CONFIG_OIDC_ALLOW_REGULAR_USER_FALLBACK=false
+ESPOCRM_CONFIG_OIDC_AUTHORIZATION_PROMPT=consent
+EOF
+
+# Add in Scopes after authenticationMethod
+sed -i "/oidcScopes/{n;N;N;N;d}" /federated/apps/espocrm/data/var/www/html/data/config.php
+sed -i "/oidcScopes/d" /federated/apps/espocrm/data/var/www/html/data/config.php
+sed -i "/authenticationMethod/a  \  'oidcScopes' => [\n\    0 => 'profile',\n\    1 => 'email',\n\    2 => 'openid'\n\  ]," /federated/apps/espocrm/data/var/www/html/data/config.php
+
+# Add in extra_hosts to docker-compose
+[[ ! $(grep extra_hosts /federated/apps/espocrm/docker-compose.yml 2>/dev/null) ]] && sed -i "/restart: always/a  \    extra_hosts:\n\      - \"authelia.$DOMAIN:$EXTERNALIP\"" /federated/apps/espocrm/docker-compose.yml
+
+# Set auth method to Oidc only
+sed -i "s/ESPOCRM_CONFIG_AUTHENTICATION_METHOD=LDAP/#ESPOCRM_CONFIG_AUTHENTICATION_METHOD=LDAP/g" /federated/apps/espocrm/.env
+
+: '
+ 'authenticationMethod' => 'Oidc',
+  'oidcJwtSignatureAlgorithmList' => [
+    0 => 'RS256'
+  ],
+  'oidcUsernameClaim' => 'preferred_username',
+  'oidcFallback' => true,
+  'oidcScopes' => [
+    0 => 'profile',
+    1 => 'email',
+    2 => 'openid'
+  ],
+    'oidcClientId' => 'espocrm',
+  'oidcAuthorizationEndpoint' => 'https://authelia.f11957a1.fedcom.net/api/oidc/authorization',
+  'oidcTokenEndpoint' => 'https://authelia.f11957a1.fedcom.net/api/oidc/token',
+  'oidcJwksEndpoint' => 'https://authelia.f11957a1.fedcom.net/jwks.json',
+  'oidcCreateUser' => true,
+  'oidcAllowAdminUser' => true,
+  'oidcLogoutUrl' => 'https://authelia.f11957a1.fedcom.net/logout',
+    'oidcSync' => false,
+  'oidcGroupClaim' => NULL,
+  'oidcSyncTeams' => false,
+  'oidcAllowRegularUserFallback' => false,
+  'oidcTeamsIds' => [],
+  'oidcTeamsNames' => (object) [],
+  'oidcTeamsColumns' => (object) [],
+    'oidcAuthorizationPrompt' => 'consent',
+'
+  /federated/bin/stop espocrm
+  /federated/bin/start espocrm
+}