wordpress mit openid anbindung

b8ba1589 · Christian Elberfeld · 2cf6ef28 · b8ba1589 · b8ba1589 · b8ba1589
Commit b8ba1589 authored 1 year ago by Christian Elberfeld
--- a/site.yml
+++ b/site.yml
@@ -54,6 +54,12 @@
        basedir: "/srv/{{ servicename }}",
        domain: "verwaltung-git.test-warpzone.de"
      }
+    - { 
+        role: testserver/docker_grafana, tags: [ test_grafana, docker_services ],
+        servicename: "grafana",
+        basedir: "/srv/{{ servicename }}",
+        domain: "grafana.test-warpzone.de"
+      }
    - { 
        role: testserver/docker_nextcloud, tags: [ test_nextcloud, docker_services ],
        servicename: "nextcloud",
@@ -66,6 +72,18 @@
        basedir: "/srv/{{ servicename }}",
        domain: "tandoor.test-warpzone.de" 
      }
+    - { 
+        role: testserver/docker_vpnserver, tags: [ test_vpnserver, docker_services ],
+        servicename: "vpnserver",
+        basedir: "/srv/{{ servicename }}",
+        domain: "vpn.test-warpzone.de" 
+      }
+    - { 
+        role: testserver/docker_wordpress, tags: [ test_wordpress, docker_services ],
+        servicename: "wordpress",
+        basedir: "/srv/{{ servicename }}",
+        domain: "www.test-warpzone.de" 
+      }
 ##################################################
@@ -280,12 +298,6 @@
        basedir: /srv/matrix, 
        domain: "matrix.warpzone.ms"
      }
-    - { 
-        role: webserver/docker_vpnserver, tags: [ vpnserver, docker_services ],
-        servicename: "vpnserver",
-        basedir: /srv/vpnserver, 
-        domain: "vpn.warpzone.ms"
-      }
    - { 
        role: webserver/docker_warpapi, tags: [ warpapi, docker_services ],
        servicename: "warpapi",

--- a/testserver/docker_wordpress/Documentation.md
+++ b/testserver/docker_wordpress/Documentation.md
+# Overview 
+* Authentication to Wordpress is only possible with an account in uffd, regular authentication is disabled 
+* All users with group 'wordpress_access' can access Wordpress with 'Editor' privileges, the user in Wordpress is created on first login 
+* Users with group 'wordpress_admin' get 'Administrator' privigeges. 
+# Setup OIDC Authentication via uffd 
+Uffd Reference: https://git.cccv.de/uffd
+## Setup in Wordpress 
+Wordpress Plugin: OpenID Connect Generic Client
+https://de.wordpress.org/plugins/daggerhart-openid-connect-generic
+Pluin settings:
+* Anmeldetyp:
+* Client-ID: wordpress
+* Client Secret Key: <secret key>
+* OpenID Scope: openid profile email groups
+* Endpunkt-URL zur Anmeldung: https://uffd.test-warpzone.de/oauth2/authorize
+* Endpunkt-URL zur Benutzerinfo: https://uffd.test-warpzone.de/oauth2/userinfo
+* Endpunkt-URL zur Token-Verifizierung: https://uffd.test-warpzone.de/oauth2/token
+* Endpunkt-URL zum Sitzungsende: https://uffd.test-warpzone.de/oauth2/logout
+* Identitäts-Schlüssel: preferred_username
+* Spitznamen-Schlüssel: preferred_username
+* Email-Format: {email}
+* Anzeigename-Formatierung: {preferred_username}
+* Mit Benutzername identifizieren: Ja
+* State-Zeitbeschränkung: 180
+* Aktualisierungstoken aktivieren: Ja
+* Existierende Benutzer verknüpfen: Ja
+* Benutzer erstellen, wenn er nicht existiert: Ja
+* Zur ursprünglichen Seite zurückleiten: Nein
+* Zur Anmeldeansicht weiterleiten, wenn die Sitzung abgelaufen ist: Ja
+## Setup in uffd
+Create Groups:
+- wordpress_access: General Access to Nextcloud 
+- wordpress_admin: This Group will be Mapped to the Group admin in Wordpress 
+Create a Service / OAuth Client: 
+Only Users with goup nextcloud_access can access Nextcloud 
+Client-ID: wordpress 
+Client-Secret: from file nextcloud_oidc_secret on the server
+Redirect-URIs: 
+* https://www.test-warpzone.de/wp-admin/admin-ajax.php?action=openid-connect-authorize
+## Mapping von Rollen in Wordpress
+Wordpress Plugin: WPCode 
+https://de.wordpress.org/plugins/insert-headers-and-footers/
+Additional references: 
+https://github.com/oidc-wp/openid-connect-generic/issues/164
+Um die Wordpress Berechtigungen auf Basis der Gruppen in uffd zu steuern ist ein zusätzliches Code-Snippet erforderlich. 
+Dieses Code-Snippet kann am besten mit dem addon 'WPCode' verwaltet werden. 
+In dem Plugin muss das folgenden neues PHP-Snippet erstellt und aktiviert werden.
+Benutzer, mit der Gruppe 'wordpress_admin' in uddf erhalten Administrator-Berechtigungen. 
+Alle anderen Benutzer erhalten Editor-Berechtigungen. 
+```
+add_action('openid-connect-generic-update-user-using-current-claim', function( $user, $user_claim) {
+    // Based on some data in the user_claim, modify the user.
+	foreach($user_claim as $key => $value) {
+		error_log('Openid Role mapping: User claim: ' . $key . ", Value: " . $value);
+	}
+	if ( array_key_exists( 'groups', $user_claim ) ) {
+		error_log('Openid Role mapping: Groups: ' . implode(',',$user_claim['groups']));
+		if ( in_array('wordpress_admin', $user_claim['groups'] )) {
+			error_log('Openid Role mapping: Set role: Administrator');
+        	$user->set_role( 'administrator' );
+		}
+		else {
+			error_log('Openid Role mapping: Set role: Editor');
+			$user->set_role( 'editor' );
+		}
+    }
+}, 10, 2);
+```
--- a/testserver/docker_wordpress/tasks/main.yml
+++ b/testserver/docker_wordpress/tasks/main.yml
+---
+- include_tasks: ../functions/get_secret.yml
+  with_items:
+   - { path: "/srv/shared/noreply_email_pass", length: -1 } 
+   - { path: "{{ basedir }}/mysql_root_pass",  length: 24 }
+   - { path: "{{ basedir }}/mysql_user_pass",  length: 12 }
+   - { path: "{{ basedir }}/wordpress_admin_pass",  length: 24 }
+   - { path: "{{ basedir }}/wordpress_client_secret",  length: 32 }
+- name: create folder struct for wordpress
+  file:
+    path: "{{ item }}"
+    state: "directory"
+    owner: www-data
+    group: www-data
+  with_items:
+    - "{{ basedir }}/"
+    - "{{ basedir }}/db/"
+    - "{{ basedir }}/config"
+    - "{{ basedir }}/data/"
+    - "{{ basedir }}/data/wp-content/"
+    - "{{ basedir }}/data/wp-content/plugins/"
+    - "{{ basedir }}/data/wp-content/plugins/wz-status/"
+- name: create config file
+  template:
+    src: "{{ item }}"
+    dest: "{{ basedir }}/{{ item }}"
+  with_items:
+    - Dockerfile
+    - docker-compose.yml
+    - config/uploads.ini
+    - data/wp-content/plugins/wz-status/wz-status.php
+- name: start wordpress docker
+  community.docker.docker_compose_v2:
+    project_src: "{{ basedir }}"
+    state: present
--- a/testserver/docker_wordpress/templates/Dockerfile
+++ b/testserver/docker_wordpress/templates/Dockerfile
+FROM wordpress:6.4.2-apache
+# install the PHP extensions we need
+RUN set -x \
+	&& apt-get update \
+	&& apt-get install -y libldap2-dev \
+	&& rm -rf /var/lib/apt/lists/* \
+	&& docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu/ \
+	&& docker-php-ext-install ldap \
+	&& apt-get purge -y --auto-remove libldap2-dev
--- a/testserver/docker_wordpress/templates/config/uploads.ini
+++ b/testserver/docker_wordpress/templates/config/uploads.ini
+file_uploads = On
+memory_limit = 64M
+upload_max_filesize = 64M
+post_max_size = 64M
+max_execution_time = 600
--- a/testserver/docker_wordpress/templates/data/wp-content/plugins/wz-status/wz-status.php
+++ b/testserver/docker_wordpress/templates/data/wp-content/plugins/wz-status/wz-status.php
+<?php
+/*
+Plugin Name: WZ Status
+Plugin URI: http://www.warpzone.ms
+Description: This plugin adds a custom widget.
+Version: 1.0
+Author: Christian <void> Elberfeld
+Author URI: http://www.warpzone.ms
+License: GPL2
+Original Source: https://github.com/wpexplorer/my-widget-plugin
+*/
+// The widget class
+class WZ_Status_Widget extends WP_Widget {
+	// Main constructor
+	public function __construct() {
+		parent::__construct(
+			'wz_status_widget',
+			__( 'WZ Status Widget', 'text_domain' ),
+			array(
+				'customize_selective_refresh' => true,
+			)
+		);
+	}
+	// The widget form (for the backend )
+	public function form( $instance ) {
+		// Set widget defaults
+		$defaults = array(
+                        'title'      => '',
+			'api_url'    => '',
+		);
+		// Parse current settings with defaults
+		extract( wp_parse_args( ( array ) $instance, $defaults ) ); ?>
+		<?php // Widget Title ?>
+		<p>
+			<label for="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"><?php _e( 'Widget Title', 'text_domain' ); ?></label>
+			<input class="widefat" id="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'title' ) ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" />
+		</p>
+		<?php // Api Url ?>
+		<p>
+			<label for="<?php echo esc_attr( $this->get_field_id( 'api_url' ) ); ?>"><?php _e( 'Api Url:', 'api_url' ); ?></label>
+			<input class="widefat" id="<?php echo esc_attr( $this->get_field_id( 'api_url' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'api_url' ) ); ?>" type="text" value="<?php echo esc_attr( $text ); ?>" />
+		</p>
+	<?php }
+	// Update widget settings
+	public function update( $new_instance, $old_instance ) {
+		$instance = $old_instance;
+		$instance['title']    = isset( $new_instance['title'] ) ? wp_strip_all_tags( $new_instance['title'] ) : '';
+		$instance['api_url']  = isset( $new_instance['api_url'] ) ? wp_strip_all_tags( $new_instance['api_url'] ) : '';
+		return $instance;
+	}
+	// Display the widget
+	public function widget( $args, $instance ) {
+		extract( $args );
+		// Check the widget options
+		$title    = isset( $instance['title'] ) ? apply_filters( 'widget_title', $instance['title'] ) : '';
+		$api_url  = isset( $instance['api_url'] ) ? $instance['api_url'] : '';
+		$zone_status = "UNBEKANNT";
+        $zone_status_text = "Unbekannt";
+		$zone_status_color = "#000000";
+		// WordPress core before_widget hook (always include )
+		echo $before_widget;
+		// Display the widget
+		echo '<div class="widget-text wp_widget_plugin_box">';
+			// Display widget title if defined
+			if ( $title ) {
+				echo $before_title . $title . $after_title;
+			}
+			// Zone Status abrufen
+            $curl = curl_init();
+            curl_setopt_array($curl, array(
+                CURLOPT_URL => "https://api.warpzone.ms/statuswidget",
+				CURLOPT_RETURNTRANSFER => true,
+                CURLOPT_FOLLOWLOCATION => true,
+                CURLOPT_ENCODING => "",
+                CURLOPT_MAXREDIRS => 3,
+                CURLOPT_TIMEOUT => 5,
+                CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
+                CURLOPT_CUSTOMREQUEST => "GET"
+            ));
+			$response = curl_exec($curl);
+			$err = curl_error($curl);
+            curl_close($curl);
+			if ($err) {
+				$zone_status = $err;
+			} else {
+				$responseObj = json_decode($response,true);
+				$zone_status = $responseObj['zone_door_status'];
+				if ($zone_status == "OPEN") {
+					$zone_status_text =  "Offen";
+					$zone_status_color = "#00cc00";
+				}
+                if ($zone_status == "CLOSED") {
+                    $zone_status_text =  "Geschlossen";
+                    $zone_status_color = "#cc0000";
+                }
+			}
+			// Anzeige Status im Widget
+			echo "<span style='font-weight: bold; color:" . $zone_status_color . ";'>" . $zone_status_text . "</span>";
+			// Status mit in die Menueleiste fuer Mobilgeraete
+			echo "<script type='text/javascript'>jQuery(document).ready(function() { jQuery('#mainnav-toggle').text('MENU | Status: " . $zone_status_text . "'); });</script>";
+		echo '</div>';
+		// WordPress core after_widget hook (always include )
+		echo $after_widget;
+	}
+}
+// Register the widget
+function my_register_wz_status_widget() {
+	register_widget( 'WZ_Status_Widget' );
+}
+add_action( 'widgets_init', 'my_register_wz_status_widget' );
--- a/testserver/docker_wordpress/templates/docker-compose.yml
+++ b/testserver/docker_wordpress/templates/docker-compose.yml
+services:
+  db:
+    image: mariadb:11
+    restart: always
+    volumes:
+      - /srv/wordpress/db/:/var/lib/mysql
+    environment:
+      MYSQL_ROOT_PASSWORD: "{{ mysql_root_pass }}"
+      MYSQL_PASSWORD: "{{ mysql_user_pass }}"
+      MYSQL_DATABASE: wordpress
+      MYSQL_USER: wordpress
+    networks:
+      - default
+  app:
+    # values set in configuration: noreply_email_user - noreply_email_pass - smtp_host - smtp_port 
+    build: .
+    restart: always
+    volumes:
+      - /srv/wordpress/config/uploads.ini:/usr/local/etc/php/conf.d/uploads.ini
+      - /srv/wordpress/data:/var/www/html
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: wordpress
+      WORDPRESS_DB_PASSWORD: "{{ mysql_user_pass }}"
+    labels:
+      - com.centurylinklabs.watchtower.enable=false
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
+    networks:
+      - default
+      - web
+networks:
+  web:
+    external: true
--- a/webserver/docker_wordpress/tasks/main.yml
+++ b/webserver/docker_wordpress/tasks/main.yml
@@ -2,9 +2,9 @@
 - include_tasks: ../functions/get_secret.yml
  with_items:
-   - { path: /srv/shared/noreply_email_pass, length: -1 } 
+   - { path: "/srv/shared/noreply_email_pass", length: -1 } 
-   - { path: /srv/wordpress/mysql_root_pass,  length: 24 }
+   - { path: "{{ basedir }}/mysql_root_pass",  length: 24 }
-   - { path: /srv/wordpress/mysql_user_pass,  length: 12 }
+   - { path: "{{ basedir }}/mysql_user_pass",  length: 12 }
 - name: create folder struct for wordpress
  file:
@@ -13,15 +13,18 @@
    owner: www-data
    group: www-data
  with_items:
-    - "/srv/wordpress/"
+    - "{{ basedir }}/"
-    - "/srv/wordpress/config"
+    - "{{ basedir }}/db/"
-    - "/srv/wordpress/data/"
+    - "{{ basedir }}/config"
-    - "/srv/wordpress/db/"
+    - "{{ basedir }}/data/"
+    - "{{ basedir }}/data/wp-content/"
+    - "{{ basedir }}/data/wp-content/plugins/"
+    - "{{ basedir }}/data/wp-content/plugins/wz-status/"
 - name: create config file
  template:
    src: "{{ item }}"
-    dest: "/srv/wordpress/{{ item }}"
+    dest: "{{ basedir }}/{{ item }}"
  with_items:
    - Dockerfile
    - docker-compose.yml
@@ -30,5 +33,5 @@
 - name: start wordpress docker
  community.docker.docker_compose_v2:
-    project_src: /srv/wordpress/
+    project_src: "{{ basedir }}"
    state: present