90 changes: 90 additions & 0 deletions multi-ingress-idp-provisioning/README.md
@@ -0,0 +1,90 @@
Provisioning IdP for teams in Mobtown deployment

# Prerequisites

## Wire server

- Multi-ingress SSO configuration
- Teams credentials

## Dependencies

- jq
- curl
- domains
- idp metadata files

# How to run the scripts

## idp-provisioner.sh

This script provides two subcommands:

- get: List the IdPs configured for a team
- set: Add an IdP to a team.

This script require NGINZ_HOST env. In a multi-ingress deployment, you can use any available domain as the value of NGINZ_HOST to get or configure IdP for a team

### get

The subcommand accepts team credentials as parameters and send api request to NGINZ_HOST.

### set

The set subcommand accepts the team credentials and two additional parameters:

- domain: the domain associated with the IdP
- The IdP metadata file

Example:

```
./idp-provisioner get team-a team-a-password
./idp-provisioner set team-a team-a-password blueberry.domain.com blueberry.domain.com.xml

```

## Authentication

Before making any api call, this script authenticates using provided team credentials. The successful authentication response is sotored in temporary file. The script reuses the access_token for subsequent requests or and automatically obtains a new one when the existing token expires.

## Tmp folder

By default, this script stores temporairy files in the system's `/tmp`. You can override this location by setting the TMP_DIR env.

## domain-wrapper.sh

This script wraps idp-provisioner.sh and allows you to config multiple IdPs for a single team.

It requires the team credentials and the directory containing the IdP metadata files.

The script assumes that each metadata file is named after its corresponding domain. For instance:

- Domain: blueberry.domain.com
- Idp metadata file: blueberry.domain.com.xml


Example:

```
./domain-wrapper.sh set team-a team-a-password ./idps

```

## team-wrapper.sh

This script wraps domain-wrapper.sh and iterates over a list of team to provision all available IdPs for each team.

This script requires:

- A teams.json file containing the team credentials
- The directory containing the IdP metadata files.

Team credentials are stored in a JSON file to avoid issues with special characters in team passwords.

Example:

```
./team-wrapper.sh set ./teams/teams.json ./idps

```
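Review bot: the "Authentication" section says the successful authentication response (including the access_token) is stored in a temporary file under `/tmp` and reused across runs, but nothing says how that file is protected or when it is removed; on a shared host `/tmp` is readable by every local user, so the README should state that the file is created with owner-only permissions (for example via `mktemp`) and cleaned up on exit, or the provisioner should be changed to do so. Two smaller points: the examples invoke `./idp-provisioner get ...` and `./idp-provisioner set ...` while the heading and `domain-wrapper.sh` refer to `idp-provisioner.sh`, and "sotored" / "temporairy" are typos. It is also worth a sentence that passing `team-a-password` as a command-line argument exposes it in shell history and in `ps` output on the host, which is the same concern the `teams.json` file in team-wrapper.sh is meant to address for special characters.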
80 changes: 80 additions & 0 deletions multi-ingress-idp-provisioning/domain-wrapper.sh
@@ -0,0 +1,80 @@
#!/usr/bin/env bash

set -o pipefail

PROVISIONER_SCRIPT="idp-provisioner.sh"

check_dependencies() {
if [[ ! -f "$PROVISIONER_SCRIPT" ]]; then
echo "Error: Provisioner script '$PROVISIONER_SCRIPT' not found."
exit 1
fi

# check if file is readable
if [[ ! -r "$PROVISIONER_SCRIPT" ]]; then
echo "Error: Provisioner script '$PROVISIONER_SCRIPT' is not readable."
exit 1
fi
}

set_idps() {
local team_admin="$1"
local team_password="$2"
local idp_domains_location=$3

if [[ -z "$team_admin" || -z "$team_password" || -z "$idp_domains_location" ]]; then
echo "Error: Missing required arguments for 'set' command."
usage
exit $ERR_INVALID_ARGS
fi

# iterate over all files in the directory and call the provisioner script for each file
for idp_domain_file in "$idp_domains_location"/*.xml; do
if [[ -f "$idp_domain_file" ]]; then
local domain=$(basename "$idp_domain_file" .xml)
echo "Info: Setting IDP file '$idp_domain_file' for domain '$domain'" >&2
bash "$PROVISIONER_SCRIPT" set "$team_admin" "$team_password" "$domain" "$idp_domain_file"

echo "" >&2
# slow down the requests to avoid rate-limiting
sleep 0.5
else
echo "Warning: 'idp_domain_file' is not a file. Skipping." >&2
fi
done
}

usage() {
echo "Usage:
$0 set <team_admin> <team_password> <idp_domains_location>

<idp_domains_location> is the directory containing the IDP metadata files for each domain. Each file should be named as '<domain>.xml'.
For example, if your SSO login URL is 'https://nginz-https.example.com/sso', then the file should be named 'example.com.xml'.
Examples:
$0 set"
}

main() {
# check dependencies
check_dependencies

if (("$# < 1")); then
usage
exit $ERR_INVALID_ARGS
fi

local command="$1"
shift

case "$command" in
set)
set_idps "$@"
;;
*)
echo "Error: Unknown command '$command'. Use 'set'."
exit $ERR_INVALID_ARGS
;;
esac
}

main "$@"
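Review bot: `ERR_INVALID_ARGS` is used in `set_idps`, `usage` handling and `main` (`exit $ERR_INVALID_ARGS`) but is never defined in this file, so those paths expand to a bare `exit` and return the status of the preceding `echo`, i.e. 0; define it near `PROVISIONER_SCRIPT` (e.g. `ERR_INVALID_ARGS=2`) so callers such as team-wrapper.sh can detect bad arguments. Related: the loop in `set_idps` ignores the exit status of `bash "$PROVISIONER_SCRIPT" set ...`, and with only `set -o pipefail` (no `set -e`) a failed provisioning for one domain is silently skipped; check `$?` after the call and either abort or collect the failed domains and exit non-zero at the end. Smaller items: `PROVISIONER_SCRIPT="idp-provisioner.sh"` is relative to the current working directory, so `check_dependencies` fails when the wrapper is run from elsewhere (use `"$(dirname "$0")/idp-provisioner.sh"`); the warning `echo "Warning: 'idp_domain_file' is not a file. Skipping."` prints the literal variable name instead of `"$idp_domain_file"`; and the `Examples:` line in `usage` ends with an incomplete `$0 set`.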