From 99b8524c16cc99ceeaf1ebf588f2fc0f2c0fbe0a Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Sat, 12 Oct 2024 08:14:59 -0400
Subject: add a bunch of hostclasses

---
 .../davical/config/administration.yml.dav_server   |   4 +
 .../local/www/davical/config/config.php.dav_server |  49 ++++++
 files/usr/local/www/tt-rss/config.php.ttrss_server |  28 ++++
 .../plugins.local/auth_idm/init.php.ttrss_server   | 177 +++++++++++++++++++++
 4 files changed, 258 insertions(+)
 create mode 100644 files/usr/local/www/davical/config/administration.yml.dav_server
 create mode 100644 files/usr/local/www/davical/config/config.php.dav_server
 create mode 100644 files/usr/local/www/tt-rss/config.php.ttrss_server
 create mode 100644 files/usr/local/www/tt-rss/plugins.local/auth_idm/init.php.ttrss_server

(limited to 'files/usr/local/www')

diff --git a/files/usr/local/www/davical/config/administration.yml.dav_server b/files/usr/local/www/davical/config/administration.yml.dav_server
new file mode 100644
index 0000000..fdd5da2
--- /dev/null
+++ b/files/usr/local/www/davical/config/administration.yml.dav_server
@@ -0,0 +1,4 @@
+admin_db_user: ${boxconf_username}
+admin_db_host: ${davical_dbhost}
+admin_db_name: ${davical_dbname}
+app_db_user: '"${davical_username}"'
diff --git a/files/usr/local/www/davical/config/config.php.dav_server b/files/usr/local/www/davical/config/config.php.dav_server
new file mode 100644
index 0000000..ec2cb26
--- /dev/null
+++ b/files/usr/local/www/davical/config/config.php.dav_server
@@ -0,0 +1,49 @@
+<?php
+\$c->pg_connect[] = 'dbname=${davical_dbname} user=${davical_username} host=${davical_dbhost}';
+\$c->admin_email = '${davical_admin_email}';
+
+\$c->restrict_setup_to_admin = true;
+
+\$c->home_calendar_name = 'calendar';
+\$c->home_addressbook_name = 'addressbook';
+\$c->default_privileges = array('read-free-busy', 'schedule-deliver');
+\$c->external_refresh = 60;
+\$c->default_locale = 'en';
+\$c->allow_get_email_visibility = true;
+
+\$c->trust_x_forwarded = true;
+
+\$c->authenticate_hook['call'] = 'LDAP_check';
+\$c->authenticate_hook['config'] = array(
+  'uri'             => '${ldap_uri}',
+  'host'            => '${ldap_hosts}',
+  'port'            => '389',
+  'sasl'            => 'yes',
+  'sasl_mech'       => 'GSSAPI',
+  'baseDNUsers'     => '${users_basedn}',
+  'baseDNGroups'    => '${groups_basedn}',
+  'scope'           => 'onelevel',
+  'protocolVersion' => 3,
+  'optReferrals'    => 0,
+  'filterUsers'     => '(memberOf=cn=${davical_access_role},${roles_basedn})',
+  'filterGroups'    => '(objectclass=groupOfMembers)',
+  'mapping_field' => array('username' => 'uid',
+                           'modified' => 'modifyTimestamp',
+                           'fullname' => 'cn',
+                           'email'    => 'mailAddress'),
+  'group_mapping_field' => array('name'     => 'cn',
+                                 'fullname' => 'cn',
+                                 'modified' => 'modifyTimestamp',
+                                 'email'    => 'mailAddress',
+                                 'members'  => 'member'),
+  'group_member_dnfix' => true,
+  'default_value' => array('date_format_type' => 'I','locale' => 'en'),
+  'format_updated' => array('Y' => array(0,4),
+                            'm' => array(4,2),
+                            'd' => array(6,2),
+                            'H' => array(8,2),
+                            'M' => array(10,2),
+                            'S' => array(12,2)),
+  'i_use_mode_kerberos' => 'i_know_what_i_am_doing',
+);
+include_once('drivers_ldap.php');
diff --git a/files/usr/local/www/tt-rss/config.php.ttrss_server b/files/usr/local/www/tt-rss/config.php.ttrss_server
new file mode 100644
index 0000000..3598ef2
--- /dev/null
+++ b/files/usr/local/www/tt-rss/config.php.ttrss_server
@@ -0,0 +1,28 @@
+<?php
+putenv('TTRSS_DB_TYPE=pgsql');
+putenv('TTRSS_DB_HOST=${ttrss_dbhost}');
+putenv('TTRSS_DB_USER=${ttrss_username}');
+putenv('TTRSS_DB_NAME=${ttrss_dbname}');
+
+putenv('TTRSS_SELF_URL_PATH=https://${ttrss_fqdn}/');
+putenv('TTRSS_PHP_EXECUTABLE=/usr/local/bin/php');
+
+putenv('TTRSS_SESSION_COOKIE_LIFETIME=604800');
+
+putenv('TTRSS_SMTP_FROM_NAME=Tiny Tiny RSS');
+putenv('TTRSS_SMTP_FROM_ADDRESS=${ttrss_mail_from}');
+
+putenv('TTRSS_CHECK_FOR_UPDATES=false');
+putenv('TTRSS_CHECK_FOR_PLUGIN_UPDATES=false');
+putenv('TTRSS_ENABLE_PLUGIN_INSTALLER=false');
+putenv('TTRSS_ENABLE_GZIP_OUTPUT=false');
+putenv('TTRSS_PLUGINS=auth_idm');
+
+putenv('TTRSS_LOG_DESTINATION=syslog');
+
+putenv('TTRSS_AUTH_IDM_URI=${ldap_uri}');
+putenv('TTRSS_AUTH_IDM_STARTTLS=false');
+putenv('TTRSS_AUTH_IDM_BASEDN=${users_basedn}');
+putenv('TTRSS_AUTH_IDM_SCOPE=sub');
+putenv('TTRSS_AUTH_IDM_FILTER=(memberOf=cn=${ttrss_access_role},${roles_basedn})');
+putenv('TTRSS_AUTH_IDM_ADMIN_FILTER=(memberOf=cn=${ttrss_admin_role},${roles_basedn})');
diff --git a/files/usr/local/www/tt-rss/plugins.local/auth_idm/init.php.ttrss_server b/files/usr/local/www/tt-rss/plugins.local/auth_idm/init.php.ttrss_server
new file mode 100644
index 0000000..c025026
--- /dev/null
+++ b/files/usr/local/www/tt-rss/plugins.local/auth_idm/init.php.ttrss_server
@@ -0,0 +1,177 @@
+<?php
+/**
+ * The following options may be specified in config.php:
+ *
+ *   putenv('TTRSS_AUTH_IDM_URI=ldap://ldap.idm.example.com');
+ *   putenv('TTRSS_AUTH_IDM_BASEDN=ou=users,dc=idm,dc=example,dc=com');
+ *   putenv('TTRSS_AUTH_IDM_FILTER=(memberOf=cn=ttrss-users,ou=groups,dc=idm,dc=example,dc=com)');
+ *   putenv('TTRSS_AUTH_IDM_ADMIN_FILTER=(memberOf=cn=ttrss-admins,ou=groups,dc=idm,dc=example,dc=com)');
+ *   putenv('TTRSS_AUTH_IDM_FULLNAME_ATTRIBUTE=cn');
+ *   putenv('TTRSS_AUTH_IDM_EMAIL_ATTRIBUTE=mail');
+ */
+
+class Auth_Idm extends Auth_Base {
+
+  const AUTH_IDM_URI           = 'AUTH_IDM_URI';
+  const AUTH_IDM_STARTTLS      = 'AUTH_IDM_STARTTLS';
+  const AUTH_IDM_BASEDN        = 'AUTH_IDM_BASEDN';
+  const AUTH_IDM_SCOPE         = 'AUTH_IDM_SCOPE';
+  const AUTH_IDM_FILTER        = 'AUTH_IDM_FILTER';
+  const AUTH_IDM_ADMIN_FILTER  = 'AUTH_IDM_ADMIN_FILTER';
+  const AUTH_IDM_USERNAME_ATTR = 'AUTH_IDM_USERNAME_ATTRIBUTE';
+  const AUTH_IDM_FULLNAME_ATTR = 'AUTH_IDM_FULLNAME_ATTRIBUTE';
+  const AUTH_IDM_EMAIL_ATTR    = 'AUTH_IDM_EMAIL_ATTRIBUTE';
+
+  function about() {
+    return array(null,
+      'Authenticates against REMOTE_USER variable and LDAP server',
+      'cullum@sacredheartsc.com',
+      true);
+  }
+
+  function init($host) {
+    $host->add_hook($host::HOOK_AUTH_USER, $this);
+
+    Config::add(self::AUTH_IDM_URI,           '',            Config::T_STRING);
+    Config::add(self::AUTH_IDM_STARTTLS,      false,         Config::T_BOOL);
+    Config::add(self::AUTH_IDM_BASEDN,        '',            Config::T_STRING);
+    Config::add(self::AUTH_IDM_SCOPE,         'sub',         Config::T_STRING);
+    Config::add(self::AUTH_IDM_FILTER,        '',            Config::T_STRING);
+    Config::add(self::AUTH_IDM_ADMIN_FILTER,  '',            Config::T_STRING);
+    Config::add(self::AUTH_IDM_USERNAME_ATTR, 'uid',         Config::T_STRING);
+    Config::add(self::AUTH_IDM_FULLNAME_ATTR, 'cn',          Config::T_STRING);
+    Config::add(self::AUTH_IDM_EMAIL_ATTR,    'mail',        Config::T_STRING);
+  }
+
+  private function ldap_get_user($username, $filter = null) {
+    switch ($this->scope) {
+    case 'sub':
+      $searchfunc = 'ldap_search'; break;
+    case 'one':
+      $searchfunc = 'ldap_list'; break;
+    case 'base':
+      $searchfunc = 'ldap_read'; break;
+    default:
+      Logger::log(E_USER_ERROR, "auth_idm: invalid search scope: $scope");
+      return null;
+    }
+
+    $uid_filter = '('
+      . ldap_escape($this->username_attr, '', LDAP_ESCAPE_FILTER)
+      . '='
+      . ldap_escape($username, '', LDAP_ESCAPE_FILTER)
+      . ')';
+
+    if (empty($filter)) {
+      $filter = $uid_filter;
+    } else {
+      $filter = "(&$filter$uid_filter)";
+    }
+
+    $results = $searchfunc($this->conn, $this->basedn, $filter, [$this->fullname_attr, $this->email_attr]);
+    if ($results && ldap_count_entries($this->conn, $results) == 1) {
+      if ($entry = ldap_first_entry($this->conn, $results)) {
+        if ($dn = ldap_get_dn($this->conn, $entry)) {
+          if ($attrs = ldap_get_attributes($this->conn, $entry)) {
+            return array(
+              'dn'       => $dn,
+              'email'    => $attrs[$this->email_attr][0],
+              'fullname' => $attrs[$this->fullname_attr][0]
+            );
+          }
+        }
+      }
+    }
+    return null;
+  }
+
+  function authenticate($username = null, $password = null, $service = '') {
+    $this->basedn        = Config::get(self::AUTH_IDM_BASEDN);
+    $this->scope         = Config::get(self::AUTH_IDM_SCOPE);
+    $this->username_attr = Config::get(self::AUTH_IDM_USERNAME_ATTR);
+    $this->fullname_attr = Config::get(self::AUTH_IDM_FULLNAME_ATTR);
+    $this->email_attr    = Config::get(self::AUTH_IDM_EMAIL_ATTR);
+    $uri                 = Config::get(self::AUTH_IDM_URI);
+    $starttls            = Config::get(self::AUTH_IDM_STARTTLS);
+    $filter              = Config::get(self::AUTH_IDM_FILTER);
+    $admin_filter        = Config::get(self::AUTH_IDM_ADMIN_FILTER);
+
+    // Get ldap connection handle.
+    if (!$this->conn = ldap_connect($uri)) {
+      return false;
+    }
+
+    // Set protocol version 3.
+    if (!ldap_set_option($this->conn, LDAP_OPT_PROTOCOL_VERSION, 3)) {
+      return false;
+    }
+
+    // Bind using kerberos credentials from the environment.
+    if (!ldap_sasl_bind($this->conn, null, null, 'GSSAPI')) {
+      return false;
+    }
+
+    // Initiate STARTTLS (if requested)
+    if ($starttls and !ldap_start_tls($this->conn)) {
+      return false;
+    }
+
+    // If REMOTE_USER was set by the webserver, use that.
+    if (!empty($_SERVER['REMOTE_USER'])) {
+      $username = $_SERVER['REMOTE_USER'];
+    } elseif (empty($username)) {
+      return false;
+    }
+
+    $is_admin = false;
+    $user = null;
+
+    // First, check if the ADIN_FILTER matches (if set).
+    if (!empty($admin_filter)) {
+      $user = $this->ldap_get_user($username, $admin_filter);
+      isset($user) && $is_admin = true;
+    }
+
+    // If ADMIN_FILTER didn't match, try FILTER.
+    if (!isset($user)) {
+      $user = $this->ldap_get_user($username, $filter);
+    }
+
+    // If no matching user from LDAP, reject.
+    if (!isset($user)) {
+      return false;
+    }
+
+    // If webserver didn't validate the password, try an LDAP bind with the provided creds.
+    if (empty($_SERVER['REMOTE_USER']) and !ldap_bind($this->conn, $user['dn'], $password)) {
+      return false;
+    }
+
+    // Get the TTRSS internal user ID.
+    if (!($userid = $this->auto_create_user($username))) {
+      return false;
+    }
+
+    // Populate user details using the LDAP attributes.
+    if (Config::get(Config::AUTH_AUTO_CREATE)) {
+      if (!empty($user['fullname'])) {
+        $sth = $this->pdo->prepare('UPDATE ttrss_users SET full_name = ? WHERE id = ?');
+        $sth->execute([$user['fullname'], $userid]);
+      }
+
+      if (!empty($user['email'])) {
+        $sth = $this->pdo->prepare('UPDATE ttrss_users SET email = ? WHERE id = ?');
+        $sth->execute([$user['email'], $userid]);
+      }
+
+      $sth = $this->pdo->prepare('UPDATE ttrss_users SET access_level = ? WHERE id = ?');
+      $sth->execute([$is_admin ? 10 : 0, $userid]);
+    }
+
+    return $userid;
+  }
+
+  function api_version() {
+    return 2;
+  }
+}
-- 
cgit v1.2.3