Support passing oidc credentials with env vars

cli/setup/setup.go

@@ -49,7 +49,7 @@ func InteractiveSetup(conf *util.ConfigType) {
  askValue("Playbook path", defaultPlaybookPath, &conf.TmpPath)
  conf.TmpPath = filepath.Clean(conf.TmpPath)
 
- askValue("Public URL (optional, example: https://example.com/semaphore)", "", &conf.WebHost)
+ askValue("Public URL (required for OIDC authentication, example: https://example.com/semaphore)", "", &conf.WebHost)
 
  askConfirmation("Enable email alerts?", false, &conf.EmailAlert)
  if conf.EmailAlert {
@@ -72,7 +72,7 @@ func InteractiveSetup(conf *util.ConfigType) {
  askConfirmation("Enable Rocket.Chat alerts?", false, &conf.RocketChatAlert)
  if conf.RocketChatAlert {
  askValue("Rocket.Chat Webhook URL", "", &conf.RocketChatUrl)
- } 
+ }
 
  askConfirmation("Enable Microsoft Team Channel alerts?", false, &conf.MicrosoftTeamsAlert)
  if conf.MicrosoftTeamsAlert {
@@ -92,6 +92,7 @@ func InteractiveSetup(conf *util.ConfigType) {
  askValue("LDAP mapping for full name field", "cn", &conf.LdapMappings.CN)
  askValue("LDAP mapping for email field", "mail", &conf.LdapMappings.Mail)
  }
+ scanOidcProviders(conf)
 }
 
 func scanBoltDb(conf *util.ConfigType) {
@@ -123,6 +124,51 @@ func scanPostgres(conf *util.ConfigType) {
  }
 }
 
+func scanOidcProviders(conf *util.ConfigType) {
+ conf.OidcProviders = map[string]util.OidcProvider{}
+ for {
+ var addOidcProvider bool
+ askConfirmation("Add another OIDC provider?", false, &addOidcProvider)
+ if !addOidcProvider {
+ break
+ }
+ providerId := ""
+ for providerId == "" {
+ askValue("Provider configuration id (used in redirect url)", "", &providerId)
+ }
+ provider := util.OidcProvider{}
+
+ askValue("Display Name", "", &provider.DisplayName)
+ askValue("Client id", "", &provider.ClientID)
+ askValue("Client secret", "", &provider.ClientSecret)
+ askValue("Autodiscovery url", "", &provider.AutoDiscovery)
+ askValue("Issuer url", "", &provider.Endpoint.IssuerURL)
+ askValue("Auth url", "", &provider.Endpoint.AuthURL)
+ askValue("Token url", "", &provider.Endpoint.TokenURL)
+ askValue("User info url", "", &provider.Endpoint.UserInfoURL)
+
+ defaultRedirectUrl := conf.WebHost + "/api/auth/oidc/" + providerId + "/redirect/"
+ askValue("Redirect url", defaultRedirectUrl, &provider.RedirectURL)
+
+ rawScopes := ""
+ askValue("Scopes (comma separated)", "openid,profile,email", &rawScopes)
+ for _, scope := range strings.Split(rawScopes, ",") {
+ scope := strings.TrimSpace(scope)
+ provider.Scopes = append(provider.Scopes, scope)
+ }
+
+ askValue("Color", "", &provider.Color)
+ askValue("Icon", "", &provider.Icon)
+
+ askValue("Username claim", "", &provider.UsernameClaim)
+ askValue("Name claim", "", &provider.NameClaim)
+ askValue("Email claim", "", &provider.EmailClaim)
+ askValue("Order", "", &provider.Order)
+
+ conf.OidcProviders[providerId] = provider
+ }
+}
+
 func scanErrorChecker(n int, err error) {
  if err != nil && err.Error() != "unexpected newline" {
  log.Warn("An input error occurred: " + err.Error())

deployment/docker/server/server-wrapper

@@ -164,6 +164,54 @@ ${SEMAPHORE_LDAP_MAPPING_EMAIL}
 EOF
  fi;
 
+ oidcProviderNum=0
+ while :
+ do
+ oidcProviderNum=$((oidcProviderNum+1))
+ providerIdVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_ID"
+ providerDisplayNameVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_DISPLAY_NAME"
+ providerClientIdVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_CLIENT_ID"
+ providerClientSecretVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_CLIENT_SECRET"
+ providerAutodiscoveryUrlVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_AUTODISCOVERY_URL"
+ providerIssuerUrlVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_ISSUER_URL"
+ providerAuthUrlVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_AUTH_URL"
+ providerTokenUrlVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_TOKEN_URL"
+ providerUserInfoUrlVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_USER_INFO_URL"
+ providerRedirectUrlVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_REDIRECT_URL"
+ providerScopesVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_SCOPES"
+ providerColorVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_COLOR"
+ providerIconVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_ICON"
+ providerUsernameClaimVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_USERNAME_CLAIM"
+ providerNameClaimVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_NAME_CLAIM"
+ providerEmailClaimVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_EMAIL_CLAIM"
+ providerOrderVar="SEMAPHORE_OIDC_PROVIDER_${oidcProviderNum}_ORDER"
+
+ if [ -z "$(eval echo \$$providerIdVar)" ]; then
+ echo "no" >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ break
+ fi
+
+ echo "yes" >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerIdVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerDisplayNameVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerClientIdVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerClientSecretVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerAutodiscoveryUrlVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerIssuerUrlVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerAuthUrlVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerTokenUrlVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerUserInfoUrlVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerRedirectUrlVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerScopesVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerColorVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerIconVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerUsernameClaimVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerNameClaimVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$providerEmailClaimVar >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ eval echo \$$oidcProviderNum >> "${SEMAPHORE_TMP_PATH}/config.stdin"
+ done
+
+
  cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin"
 ${SEMAPHORE_CONFIG_PATH}
 ${SEMAPHORE_ADMIN}