nextcloud · nickvergessen · Jul 4, 2024 · Jul 4, 2024 · Jul 8, 2024
diff --git a/.github/workflows/smb-kerberos.yml b/.github/workflows/smb-kerberos.yml
@@ -6,20 +6,24 @@ on:
       - stable*
     paths:
       - 'apps/files_external/**'
+      - '.github/workflows/smb-kerberos.yml'
   pull_request:
     paths:
       - 'apps/files_external/**'
+      - '.github/workflows/smb-kerberos.yml'
 
 jobs:
   smb-kerberos-tests:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
+
+    if: ${{ github.repository_owner != 'nextcloud-gmbh' }}
 
     strategy:
       fail-fast: false
       matrix:
         php-versions: ['7.4', '8.0']
 
-    name: php${{ matrix.php-versions }}-${{ matrix.ftpd }}
+    name: php${{ matrix.php-versions }}-smb-kerberos
 
     steps:
       - name: Checkout server
@@ -29,44 +33,52 @@ jobs:
       - name: Pull images
         run: |
           docker pull icewind1991/samba-krb-test-dc
-          docker pull icewind1991/samba-krb-test-apache
+          docker pull icewind1991/samba-krb-test-apache:${{ matrix.php-versions }}
           docker pull icewind1991/samba-krb-test-client
       - name: Setup AD-DC
         run: |
+          cp apps/files_external/tests/*.sh .
           mkdir data
           sudo chown -R 33 data apps config
-          apps/files_external/tests/setup-krb.sh
+          DC_IP=$(./start-dc.sh)
+          ./start-apache.sh $DC_IP $PWD ${{ matrix.php-versions }}
+          echo "DC_IP=$DC_IP" >> $GITHUB_ENV
+
       - name: Set up Nextcloud
         run: |
           docker exec --user 33 apache ./occ maintenance:install --verbose --database=sqlite --database-name=nextcloud --database-host=127.0.0.1 --database-user=root --database-pass=rootpassword --admin-user admin --admin-pass password
           docker exec --user 33 apache ./occ config:system:set trusted_domains 1 --value 'httpd.domain.test'
 
-          # setup user_saml
+      - name: Set up user_saml
+        run: |
+          # Avoid DNS issue inside the image
+          docker exec --user 33 apache ./occ config:system:set allow_local_remote_servers --value true --type bool
           docker exec --user 33 apache ./occ app:enable user_saml --force
+          docker exec --user 33 apache ./occ config:system:delete allow_local_remote_servers
           docker exec --user 33 apache ./occ config:app:set user_saml type --value 'environment-variable'
-          docker exec --user 33 apache ./occ config:app:set user_saml general-uid_mapping --value REMOTE_USER
+          docker exec --user 33 apache ./occ saml:config:create
+          docker exec --user 33 apache ./occ saml:config:set 1 --general-uid_mapping=REMOTE_USER
 
-          # setup external storage
+      - name: Set up files_external
+        run: |
           docker exec --user 33 apache ./occ app:enable files_external --force
           docker exec --user 33 apache ./occ files_external:create smb smb smb::kerberosapache
           docker exec --user 33 apache ./occ files_external:config 1 host krb.domain.test
           docker exec --user 33 apache ./occ files_external:config 1 share netlogon
           docker exec --user 33 apache ./occ files_external:list
+
       - name: Test SSO
         run: |
-          mkdir cookies
-          chmod 0777 cookies
+          mkdir /tmp/shared/cookies
+          chmod 0777 /tmp/shared/cookies
 
-          DC_IP=$(docker inspect dc --format '{{.NetworkSettings.IPAddress}}')
-          docker run --rm --name client -v $PWD/cookies:/cookies -v /tmp/shared:/shared --dns $DC_IP --hostname client.domain.test icewind1991/samba-krb-test-client \
-            curl -c /cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/index.php/apps/user_saml/saml/login
-          CONTENT=$(docker run --rm --name client -v $PWD/cookies:/cookies -v /tmp/shared:/shared --dns $DC_IP --hostname client.domain.test icewind1991/samba-krb-test-client \
-            curl -b /cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/remote.php/webdav/smb/test.txt)
-          echo $CONTENT
-          CONTENT=$(echo $CONTENT | tr -d '[:space:]')
+          echo 'SAML login'
+          ./client-cmd.sh ${{ env.DC_IP }} curl -c /shared/cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/index.php/apps/user_saml/saml/login
+          echo 'Check we are logged in'
+          CONTENT=$(./client-cmd.sh ${{ env.DC_IP }} curl -b /shared/cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/remote.php/webdav/smb/test.txt)
+          CONTENT=$(echo $CONTENT | head -n 1 | tr -d '[:space:]')
           [[ $CONTENT == "testfile" ]]
 
-
   smb-kerberos-summary:
     runs-on: ubuntu-latest
     needs: smb-kerberos-tests

diff --git a/apps/files_external/tests/client-cmd.sh b/apps/files_external/tests/client-cmd.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+DC_IP=$1
+shift
+
+docker run --rm --name client -v /tmp/shared:/shared --dns $DC_IP --hostname client.domain.test icewind1991/samba-krb-test-client $@
diff --git a/apps/files_external/tests/setup-krb.sh b/apps/files_external/tests/setup-krb.sh
diff --git a/apps/files_external/tests/start-apache.sh b/apps/files_external/tests/start-apache.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+docker rm -f apache 2>/dev/null > /dev/null
+
+docker run -d --name apache -v $2:/var/www/html -v /tmp/shared:/shared --dns $1 --hostname httpd.domain.test icewind1991/samba-krb-test-apache:$3 1>&2
+APACHE_IP=$(docker inspect apache --format '{{.NetworkSettings.IPAddress}}')
+
+# add the dns record for apache
+docker exec dc samba-tool dns add krb.domain.test domain.test httpd A $APACHE_IP -U administrator --password=passwOrd1 1>&2
+
+echo $APACHE_IP
diff --git a/apps/files_external/tests/start-dc.sh b/apps/files_external/tests/start-dc.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+function getContainerHealth {
+  docker inspect --format "{{.State.Health.Status}}" $1
+}
+
+function waitContainer {
+  while STATUS=$(getContainerHealth $1); [ $STATUS != "healthy" ]; do
+    if [ $STATUS == "unhealthy" ]; then
+      echo "Failed!" 1>&2
+      exit -1
+    fi
+    printf . 1>&2
+    lf=$'\n'
+    sleep 1
+  done
+  printf "$lf" 1>&2
+}
+
+docker rm -f dc 2>/dev/null > /dev/null
+
+mkdir -p /tmp/shared
+
+# start the dc
+docker run -dit --name dc -v /tmp/shared:/shared --hostname krb.domain.test --cap-add SYS_ADMIN icewind1991/samba-krb-test-dc 1>&2
+
+waitContainer dc
+
+docker inspect dc --format '{{.NetworkSettings.IPAddress}}'