From c2f8acfecff058eca806d6fbd6f9cebe4a5bd1fb Mon Sep 17 00:00:00 2001 From: root Date: Thu, 12 Sep 2024 18:22:11 +0000 Subject: [PATCH] Added group claims to espocrm SSO --- lib/espocrm.sh | 45 +++++++++------------------------------------ 1 file changed, 9 insertions(+), 36 deletions(-) diff --git a/lib/espocrm.sh b/lib/espocrm.sh index 2f92067..4f59b4d 100644 --- a/lib/espocrm.sh +++ b/lib/espocrm.sh 
@@ -246,6 +246,7 @@ EOF cat >> /federated/apps/espocrm/.env < [\n\ 0 => 'profile',\n\ 1 => 'email',\n\ 2 => 'openid'\n\ ]," /federated/apps/espocrm/data/var/www/html/data/config.php + # Add in Scopes after authenticationMethod + sed -i "/oidcScopes/{n;N;N;N;d}" /federated/apps/espocrm/data/var/www/html/data/config.php + sed -i "/oidcScopes/d" /federated/apps/espocrm/data/var/www/html/data/config.php + sed -i "/authenticationMethod/a \ 'oidcScopes' => [\n\ 0 => 'profile',\n\ 1 => 'email',\n\ 2 => 'groups',\n\ 3 => 'openid'\n\ ]," /federated/apps/espocrm/data/var/www/html/data/config.php -# Add in extra_hosts to docker-compose -[[ ! $(grep extra_hosts /federated/apps/espocrm/docker-compose.yml 2>/dev/null) ]] && sed -i "/restart: always/a \ extra_hosts:\n\ - \"authelia.$DOMAIN:$EXTERNALIP\"" /federated/apps/espocrm/docker-compose.yml + # Add in extra_hosts to docker-compose + [[ ! $(grep extra_hosts /federated/apps/espocrm/docker-compose.yml 2>/dev/null) ]] && sed -i "/restart: always/a \ extra_hosts:\n\ - \"authelia.$DOMAIN:$EXTERNALIP\"" /federated/apps/espocrm/docker-compose.yml -# Set auth method to Oidc only -sed -i "s/ESPOCRM_CONFIG_AUTHENTICATION_METHOD=LDAP/#ESPOCRM_CONFIG_AUTHENTICATION_METHOD=LDAP/g" /federated/apps/espocrm/.env + # Set auth method to Oidc only + sed -i "s/ESPOCRM_CONFIG_AUTHENTICATION_METHOD=LDAP/#ESPOCRM_CONFIG_AUTHENTICATION_METHOD=LDAP/g" /federated/apps/espocrm/.env -: ' - 'authenticationMethod' => 'Oidc', - 'oidcJwtSignatureAlgorithmList' => [ - 0 => 'RS256' - ], - 'oidcUsernameClaim' => 'preferred_username', - 'oidcFallback' => true, - 'oidcScopes' => [ - 0 => 'profile', - 1 => 'email', - 2 => 'openid' - ], - 'oidcClientId' => 'espocrm', - 'oidcAuthorizationEndpoint' => 'https://authelia.f11957a1.fedcom.net/api/oidc/authorization', - 'oidcTokenEndpoint' => 'https://authelia.f11957a1.fedcom.net/api/oidc/token', - 'oidcJwksEndpoint' => 'https://authelia.f11957a1.fedcom.net/jwks.json', - 'oidcCreateUser' => true, - 'oidcAllowAdminUser' 
=> true,
- 'oidcLogoutUrl' => 'https://authelia.f11957a1.fedcom.net/logout',
- 'oidcSync' => false,
- 'oidcGroupClaim' => NULL,
- 'oidcSyncTeams' => false,
- 'oidcAllowRegularUserFallback' => false,
- 'oidcTeamsIds' => [],
- 'oidcTeamsNames' => (object) [],
- 'oidcTeamsColumns' => (object) [],
- 'oidcAuthorizationPrompt' => 'consent',
-'
 /federated/bin/stop espocrm
 /federated/bin/start espocrm
 }
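Review bot: The added `sed -i "/oidcScopes/{n;N;N;N;d}"` still deletes exactly four lines following the `oidcScopes` key, but the block this same hunk now appends has five (four scope entries plus `],`), so a second run of the script leaves a stray `],` behind in config.php and the PHP config no longer parses. Replacing the two deletion commands with a range match, `sed -i "/oidcScopes/,/\]/d" /federated/apps/espocrm/data/var/www/html/data/config.php`, removes the whole array whatever its length and keeps the step idempotent. Separately, the commit requests the `groups` scope but, as far as this hunk shows, does not set `oidcGroupClaim`; if the intent is for EspoCRM to actually read group membership from the token, that key presumably needs to name the claim as well, which is worth confirming against the deployed config. The enclosing function starts outside the hunk.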