From c8c4cfd939a5c4fd91cbe0c892a9cc9614314f0e Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Sat, 30 Nov 2024 14:37:07 +0100
Subject: [PATCH] [Web] add ignore ssl option for keycloak and generic-oidc
provider
---
data/web/inc/functions.inc.php | 23 +++++++++++++++----
.../admin/tab-config-identity-provider.twig | 20 ++++++++++++++++
2 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 6ae49e7bc..dfe3a15ad 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2222,6 +2222,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
return false;
}
+ $_data['ignore_ssl_error'] = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false;
switch ($_data['authsource']) {
case "keycloak":
$_data['server_url'] = (!empty($_data['server_url'])) ? rtrim($_data['server_url'], '/') : null;
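Review bot: The new top-level line normalises ignore_ssl_error with boolval(), and boolval("false") is true in PHP, so if the admin form or the API ever submits the flag as a string instead of 0/1, certificate verification would be silently disabled for the provider; `$_data['ignore_ssl_error'] = filter_var($_data['ignore_ssl_error'] ?? false, FILTER_VALIDATE_BOOLEAN);` treats "false", "off" and "0" as false. I cannot see what the template posts, so this is a hardening suggestion rather than a confirmed defect. Since the line now runs before the switch, the flag is stored for every authsource including ones that do not use it, which is harmless but deserves a comment such as `// TLS verification stays on unless the admin explicitly disables it`. identity_provider() starts before this hunk.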
@@ -2230,14 +2231,14 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
$_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
$_data['sync_interval'] = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
$_data['sync_interval'] = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
- $required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval');
+ $required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval', 'ignore_ssl_error');
break;
case "generic-oidc":
$_data['authorize_url'] = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null;
$_data['token_url'] = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
$_data['userinfo_url'] = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
$_data['client_scopes'] = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email";
- $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes');
+ $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes', 'ignore_ssl_error');
break;
case "ldap":
$_data['host'] = (!empty($_data['host'])) ? str_replace(" ", "", $_data['host']) : "";
@@ -2249,7 +2250,6 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
$_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
$_data['use_ssl'] = isset($_data['use_ssl']) ? boolval($_data['use_ssl']) : false;
$_data['use_tls'] = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false;
- $_data['ignore_ssl_error'] = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false;
$_data['sync_interval'] = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
$_data['sync_interval'] = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
$required_settings = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval', 'use_ssl', 'use_tls', 'ignore_ssl_error');
@@ -2416,6 +2416,13 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
case "keycloak":
if ($settings['server_url'] && $settings['realm'] && $settings['client_id'] &&
$settings['client_secret'] && $settings['redirect_url'] && $settings['version']){
+ $guzzyClient = new GuzzleHttp\Client([
+ 'defaults' => [
+ \GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5,
+ \GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true],
+ \GuzzleHttp\RequestOptions::VERIFY => !$settings['ignore_ssl_error'],
+ ]
+ );
$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
'authServerUrl' => $settings['server_url'],
'realm' => $settings['realm'],
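Review bot: The connect timeout and redirect options are nested under a 'defaults' key, which Guzzle 6 and 7 do not read (that was the Guzzle 5 layout), so of the three settings only VERIFY, which sits at the top level, takes effect and the token/userinfo requests run without a connect timeout. Flatten the array so all three are top-level request options: `\GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5, \GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true, \GuzzleHttp\RequestOptions::VERIFY => !$settings['ignore_ssl_error'],`. Because this client performs the authorization-code exchange that carries client_secret and the userinfo lookup that decides who logs in, verify=false lets an on-path attacker capture the secret and forge identities; a comment next to the VERIFY line such as `// ignore_ssl_error disables certificate checks for the token and userinfo endpoints -- lab/test use only` would make that cost explicit. The keycloak if-block continues past the hunk.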
@@ -2427,11 +2434,19 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
// 'encryptionKeyPath' => '../key.pem' // optional
// 'encryptionKey' => 'contents_of_key_or_certificate' // optional
]);
+ $provider->setHttpClient($guzzyClient);
}
break;
case "generic-oidc":
if ($settings['client_id'] && $settings['client_secret'] && $settings['redirect_url'] &&
$settings['authorize_url'] && $settings['token_url'] && $settings['userinfo_url']){
+ $guzzyClient = new GuzzleHttp\Client([
+ 'defaults' => [
+ \GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5,
+ \GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true],
+ \GuzzleHttp\RequestOptions::VERIFY => !$settings['ignore_ssl_error'],
+ ]
+ );
$provider = new \League\OAuth2\Client\Provider\GenericProvider([
'clientId' => $settings['client_id'],
'clientSecret' => $settings['client_secret'],
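Review bot: The Guzzle client built here is a verbatim copy of the keycloak one above, including the same 'defaults' nesting that Guzzle 6+ ignores, so a correction to one branch is easy to miss in the other. I would move the construction into a small helper that both branches call, with the options at the top level and a log line when verification is switched off, since the disabled check covers the token endpoint that carries client_secret. The GenericProvider constructor call continues past the hunk.
```php
// Shared HTTP client for the OAuth2 providers. verify=false is a deliberate,
// logged weakening: it exposes client_secret and tokens to an on-path attacker.
function identity_provider_http_client(bool $ignore_ssl_error): GuzzleHttp\Client {
  if ($ignore_ssl_error) {
    error_log('identity_provider: TLS certificate verification disabled for OIDC requests');
  }
  return new GuzzleHttp\Client([
    \GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5,
    \GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true,
    \GuzzleHttp\RequestOptions::VERIFY => !$ignore_ssl_error,
  ]);
}
// … unchanged: generic-oidc required-settings check …
$guzzyClient = identity_provider_http_client((bool)$settings['ignore_ssl_error']);
// … unchanged: GenericProvider construction …
```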
@@ -2441,6 +2456,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
'urlResourceOwnerDetails' => $settings['userinfo_url'],
'scopes' => $settings['client_scopes']
]);
+ $provider->setHttpClient($guzzyClient);
}
break;
case "ldap":
@@ -2468,7 +2484,6 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
}
break;
}
-
return $provider;
break;
case "verify-sso":
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index e2cc56838..e2cea7fa2 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -157,6 +157,16 @@
+
+
+
+
+
+
@@ -316,6 +326,16 @@
{% endif %}
+
+
+
+
+
+
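Review bot: The template lines were not captured in this view, so I cannot confirm the wording, but whatever label the new checkbox carries should state plainly that it turns off certificate verification for the connection to the identity provider and is meant for test setups only, not merely "ignore SSL errors". Pairing the control with a short help text such as `Disables TLS certificate validation for the token and userinfo requests; an attacker on the network path can then read the client secret and impersonate users.` gives the admin the information needed to make that trade-off.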