Commit 046ea6b2 authored by Dominik Pilár's avatar Dominik Pilár Committed by Tomáš Sapák

Resolve "Integrate Apache Guacamole"

parent 9c5724d9
......@@ -18,6 +18,7 @@ kypo2-trainings/
*.ear
*.nar
hs_err_pid*
!guacamole-auth-quickconnect-1.3.0.jar
##############################
## Maven
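Review bot: The added negation `!guacamole-auth-quickconnect-1.3.0.jar` un-ignores a binary so it can be committed (presumably against a `*.jar` rule above the hunk), and the compose template in this commit mounts that jar into the guacamole container, yet nothing records where the file came from or what hash it should have. A checked-in jar cannot be reviewed, so either fetch the official Apache Guacamole release artifact at provisioning time with `get_url` and its `checksum:` option, or commit a sha256 beside it and name the download source in the README. The version in the filename should stay aligned with the `image_tag: 1.3.0` used for the guacamole image in the role defaults.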
......@@ -71,14 +71,31 @@ bcrypt | `pip3 install bcrypt` | 3.2+
4. Insert the content of the public part of the key to `~/.ssh/authorized_keys` file of the user, specified in the previous step on the VM (i.e. `kypo-proxy-jump`).
3. Configure DNS servers accessible from kypo-proxy-jump in [local-demo-extra-vars.yml](local-demo-extra-vars.yml)
3. Configure access to sandbox machines using Apache Guacamole remote desktop gateway.
1. Configure and run [Apache Guacamole](https://github.com/boschkundendienst/guacamole-docker-compose) on the VM that has direct access to the virtual network dedicated to sandboxes (i.e. VM configured in the previous step).
2. Create new dummy Guacamole user without no permissions.
3. Edit an [local-demo-extra-vars.yml](local-demo-extra-vars.yml) file, uncomment and set the following variables.
```yaml
# The URL of Apache Guacamole client with context path.
kypo_crp_guacamole_url:
# Name of the user without no permissions
kypo_crp_guacamole_user:
# Password for the `kypo_crp_guacamole_user`
#kypo_crp_guacamole_user_password:
```
4. Configure DNS servers accessible from kypo-proxy-jump in [local-demo-extra-vars.yml](local-demo-extra-vars.yml)
```yaml
# The list of IP addresses to custom DNS servers.
kypo_crp_dns:
```
4. Create and connect to the virtual machine.
5. Create and connect to the virtual machine.
Set the `EXTRA_VARS` environment variable as the comma-separated list of paths to the Ansible extra vars files, e.g. [local-demo-extra-vars.yml](local-demo-extra-vars.yml) and [local-demo-secrets.yml](local-demo-secrets.yml).
......@@ -5,9 +5,11 @@ EXTRA_VARS=ENV['EXTRA_VARS'].to_s.strip.split(',')
raw_arguments=EXTRA_VARS.map{|file| "--extra-vars=@#{File.expand_path(file)}"}
DOCKER_ANSIBLE='provisioning/docker.yml'
OIDC_ANSIBLE='provisioning-oidc/oidc.yml'
GUACAMOLE_ANSIBLE='provisioning-guacamole/playbook-guacamole.yml'
PLAYBOOK_ANSIBLE='provisioning/playbook.yml'
OIDC_LOCAL_PROVIDER_EXTRA_VARS="oidc-local-provider.yml"
GUACAMOLE_EXTRA_VARS="guacamole-remote-desktop.yml"
def ansible_provision(config, playbook, raw_arguments)
config.vm.provision :ansible do |provisioner|
......@@ -130,7 +130,16 @@ kypo_crp_users:
# # The boolean value that represents whether the user is admin or not.
# admin: True
#-------------------------------------------------------------------------------
# Guacamole Settings (optional)
#-------------------------------------------------------------------------------
# The URL of Apache Guacamole client with context path.
#kypo_crp_guacamole_url:
# Name of the user without no permissions
#kypo_crp_guacamole_user:
# Password for the `kypo_crp_guacamole_user`
#kypo_crp_guacamole_user_password:
#-------------------------------------------------------------------------------
# Git Settings (optional)
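Review bot: The new comment `# Name of the user without no permissions` is a double negative; `# Name of the Guacamole user that has no permissions` says what is meant, and the same wording is repeated in the README snippet of this commit. `kypo_crp_guacamole_user_password` is a secret, so the comment above it should send users to the secrets file the README already mentions rather than invite them to uncomment it in the extra-vars file, e.g. `# Password for the kypo_crp_guacamole_user (set it in local-demo-secrets.yml, not here)`. The surrounding settings sections extend beyond the hunk.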
......@@ -51,7 +51,7 @@ kypo_crp_docker_services:
frontend:
restart_policy: unless-stopped
image: registry.gitlab.ics.muni.cz:443/muni-kypo-crp/kypo-crp-artifact-repository/kypo-frontend
image_tag: 'v12.0.7'
image_tag: 'v12.0.9'
elasticsearch:
container_name: kypo-elasticsearch
restart_policy: unless-stopped
......@@ -8,4 +8,6 @@
- name: syslog-ng
syslog_ng_docker_network_name: '{{ kypo_crp_docker_network_name }}'
- name: kypo-crp-elk
- name: kypo-crp-guacamole
when: kypo_crp_guacamole_url is not defined
- name: kypo-crp-head
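Review bot: The guard `when: kypo_crp_guacamole_url is not defined` on the new `kypo-crp-guacamole` entry skips the local Guacamole deployment as soon as the variable exists, including when a user uncomments `kypo_crp_guacamole_url:` from the extra-vars template without assigning a value, which leaves it defined but null and no Guacamole at all. Testing for emptiness as well, `when: kypo_crp_guacamole_url is not defined or not kypo_crp_guacamole_url`, matches the check the role itself applies to required variables (`item not in vars or not vars[item]`). The roles list continues outside the hunk.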
---
kypo_crp_required_vars:
- kypo_crp_url
kypo_crp_guacamole_context_path: /guacamole/
kypo_crp_guacamole_port: 8080
kypo_crp_guacamole_compose_template: docker-compose-guacamole
kypo_crp_guacamole_templates_dir: '{{ role_path }}/templates'
kypo_crp_guacamole_files_dir: '{{ role_path }}/files'
kypo_crp_guacamole_config_dest: /opt/kypo
kypo_crp_guacamole_admin: guac-admin
kypo_crp_guacamole_admin_password: guac-admin
kypo_crp_guacamole_user: guac-user
kypo_crp_guacamole_user_password: guac-user
kypo_crp_guacamole_postgres_db: kypo_guacamole_db
kypo_crp_guacamole_postgres_user: kypo_guacamole_user
kypo_crp_guacamole_postgres_password: kypo_password
kypo_crp_guacamole_create_user_request_body:
username: "{{ kypo_crp_guacamole_user }}"
password: "{{ kypo_crp_guacamole_user_password }}"
attributes: {}
kypo_crp_guacamole_create_admin_request_body:
username: "{{ kypo_crp_guacamole_admin }}"
password: "{{ kypo_crp_guacamole_admin_password }}"
attributes: {}
kypo_crp_guacamole_permissions_request_body:
- op: "add"
path: "/userPermissions/{{ kypo_crp_guacamole_admin }}"
value: "UPDATE"
- op: "add"
path: "/systemPermissions"
value: "CREATE_USER"
- op: "add"
path: "/systemPermissions"
value: "CREATE_USER_GROUP"
- op: "add"
path: "/systemPermissions"
value: "CREATE_CONNECTION"
- op: "add"
path: "/systemPermissions"
value: "CREATE_CONNECTION_GROUP"
- op: "add"
path: "/systemPermissions"
value: "CREATE_SHARING_PROFILE"
- op: "add"
path: "/systemPermissions"
value: "ADMINISTER"
kypo_crp_guacamole_docker_services:
postgres:
container_name: kypo-guacamole-postgres
restart_policy: unless-stopped
image: postgres
image_tag: '13'
guacd:
container_name: kypo-guacd
restart_policy: unless-stopped
image: guacamole/guacd
image_tag: 1.3.0
guacamole:
container_name: kypo-guacamole
restart_policy: unless-stopped
image: guacamole/guacamole
image_tag: 1.3.0
nginx:
container_name: kypo-guacamole-nginx
restart_policy: unless-stopped
image: nginx
image_tag: latest
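Review bot: `kypo_crp_guacamole_admin_password`, `kypo_crp_guacamole_user_password` and `kypo_crp_guacamole_postgres_password` ship as well-known literals (`guac-admin`, `guac-user`, `kypo_password`) in role defaults, and only the user password is surfaced in the extra-vars template, so a deployment that never overrides them runs a remote-desktop gateway with guessable credentials. Role defaults have the lowest variable precedence, so the safer pattern is to add these three to `kypo_crp_required_vars` (the role already fails when a required variable is missing or empty) or to derive them with `lookup('password', ...)` into a persisted file, and to keep no real value here. `image_tag: latest` for nginx is the only unpinned image in this table, and the nginx entry is not referenced by the compose template in this commit. The `ADMINISTER` entry in `kypo_crp_guacamole_permissions_request_body` is Guacamole's system-wide administrative permission, which the bootstrap needs, but a comment saying so would stop the body being reused for ordinary users.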
#!/bin/sh
#
echo "Preparing folder init and creating ./init/initdb.sql"
mkdir ./init >/dev/null 2>&1
mkdir -p ./nginx/ssl >/dev/null 2>&1
chmod -R +x ./init
docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > ./init/initdb.sql
echo "done"
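Review bot: `docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres` pulls whatever `latest` resolves to, while the compose file runs `guacamole/guacamole:1.3.0`, so the generated schema can belong to a different Guacamole version than the web app that will use it; pin the same tag (`guacamole/guacamole:1.3.0`, or the role's `image_tag` if this script is templated). Because stdout is redirected with `>` before the image is known to run, a failed pull or run leaves an empty `./init/initdb.sql` that postgres then initialises without a schema; `set -eu` at the top and `mkdir -p ./init` (so an existing directory is not an error) avoid that. `chmod -R +x ./init` marks SQL files executable, which the postgres entrypoint does not need; if the intent was a traversable directory, `chmod +x ./init` is enough.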
#!/bin/bash
echo "This will delete your existing database (./data/)"
echo " delete your recordings (./record/)"
echo " delete your drive files (./drive/)"
echo " delete your certs files (./nginx/ssl/)"
echo ""
read -p "Are you sure? " -n 1 -r
echo "" # (optional) move to a new line
if [[ $REPLY =~ ^[Yy]$ ]]; then # do dangerous stuff
chmod -R +x -- ./init
sudo rm -r -f ./data/ ./drive/ ./record/ ./nginx/ssl/
fi
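Review bot: `sudo rm -r -f ./data/ ./drive/ ./record/ ./nginx/ssl/` acts on paths relative to the caller's working directory, so the script deletes or misses the wrong directories when run from anywhere but the compose directory (the role runs its sibling as `scripts/prepare.sh` from `kypo_crp_guacamole_config_dest`, so that appears to be the intended cwd). A guard such as `cd "$(dirname "$0")/.." || exit 1` before the prompt pins the paths to the script's location, assuming the script lives in a `scripts/` subdirectory of the compose directory. `chmod -R +x -- ./init` inside the confirmation branch is unrelated to the deletions and looks carried over from prepare.sh.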
---
- name: Set source paths to templates
set_fact:
kypo_crp_guacamole_templates: '{{ lookup("filetree", kypo_crp_guacamole_templates_dir, wantlist=True) | selectattr("state", "eq", "file") | map(attribute="path") | list }}'
kypo_crp_guacamole_files: '{{ lookup("filetree", kypo_crp_guacamole_files_dir, wantlist=True) | selectattr("state", "eq", "file") | map(attribute="path") | list }}'
- name: Ensure the existence of necessary directories
file:
path: '{{ kypo_crp_guacamole_config_dest }}/{{ item }}'
state: directory
recurse: yes
when: item | length > 0
loop: '{{ (kypo_crp_guacamole_templates + kypo_crp_guacamole_files) | map("dirname") | unique | list }}'
- name: Ensure templates
template:
src: '{{ item }}'
dest: '{{ kypo_crp_guacamole_config_dest }}/{{ item }}'
loop: '{{ kypo_crp_guacamole_templates }}'
- name: Copy necessary files
copy:
src: '{{ item }}'
dest: '{{ kypo_crp_guacamole_config_dest }}/{{ item }}'
mode: preserve
loop: '{{ kypo_crp_guacamole_files }}'
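Review bot: The `Ensure templates` task has no `mode:`, so the rendered `docker-compose-guacamole.yml`, which carries `POSTGRES_PASSWORD` and the database user in clear text, is created under `kypo_crp_guacamole_config_dest` with the remote user's default umask (typically world-readable); add `mode: '0640'` (or `'0600'`) to the `template:` task. The copy task already states `mode: preserve`, so both tasks would then set permissions explicitly. `recurse: yes` is a YAML 1.1 truthy; `recurse: true` is the canonical form.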
---
- name: check existence of required variables
fail:
msg: the variable '{{ item }}' is either not defined or specified
loop: '{{ kypo_crp_required_vars }}'
when: item not in vars or not vars[item]
- include_tasks: configure.yml
- include_tasks: run.yml
- include_tasks: setup-users.yml
- set_fact:
kypo_crp_guacamole_url: "http://guacamole:{{kypo_crp_guacamole_port }}{{ kypo_crp_guacamole_context_path }}"
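Review bot: The final `set_fact` builds the URL with `{{kypo_crp_guacamole_port }}`, missing the space after the opening braces; Jinja accepts it, but it breaks the role's otherwise consistent `{{ var }}` spacing, and `"http://guacamole:{{ kypo_crp_guacamole_port }}{{ kypo_crp_guacamole_context_path }}"` reads like the rest of the file. The three `include_tasks` entries and the `set_fact` are unnamed, which makes play output hard to follow; a name such as `Expose internal Guacamole URL to the other roles` on the fact would also document why it is set here unconditionally. The host `guacamole` is the compose service name while the template's `GUACD_HOSTNAME` uses the container name `kypo-guacd`; both presumably resolve on the shared network, but one convention would be clearer.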
---
- name: Ensure existence of user
user:
name: vagrant
shell: /bin/bash
- name: Execute script prepare.sh
command:
cmd: scripts/prepare.sh
chdir: '{{ kypo_crp_guacamole_config_dest }}'
changed_when: False
- name: Run docker compose
docker_compose:
project_name: "{{ kypo_crp_guacamole_compose_template }}"
project_src: "{{ kypo_crp_guacamole_config_dest }}"
files:
- "{{ kypo_crp_guacamole_compose_template }}.yml"
- include_tasks: wait-for-guacamole.yml
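Review bot: `Ensure existence of user` creates a `vagrant` account with a login shell unconditionally, and nothing visible in this commit uses it, so a comment explaining why a Guacamole role needs that account, or a variable for its name, is warranted before the role runs on a non-Vagrant host. `changed_when: False` should be `changed_when: false` for consistent YAML booleans. `prepare.sh` regenerates `init/initdb.sql` on every run, which is harmless after the first database initialisation but is the reason the task never reports a change; a one-line comment on the `command` task would save the next reader that deduction.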
---
- set_fact:
kypo_crp_guacamole_internal_url: 'http://{{ kypo_crp_guacamole_container_info.container.NetworkSettings.Networks[kypo_crp_docker_network_name].IPAddress }}:{{ kypo_crp_guacamole_port }}{{ kypo_crp_guacamole_context_path }}'
- name: Obtain token - default admin
uri:
url: "{{ kypo_crp_guacamole_internal_url }}api/tokens"
method: POST
body:
username: guacadmin
password: guacadmin
body_format: form-urlencoded
validate_certs: no
status_code:
- 200
- 403
register: token_response
- include_tasks: users/create-user.yml
when: token_response.status == 200
- include_tasks: users/create-admin.yml
when: token_response.status == 200
- include_tasks: users/delete-default-admin.yml
when: token_response.status == 200
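Review bot: `Obtain token - default admin` registers the whole response, including `authToken`, and its body carries a password, but no task in this commit sets `no_log: true`, so with `-v` or on failure the token and credentials end up in the Ansible output and any log collector. Add `no_log: true` to this task and to the equivalent ones in users/create-user.yml, users/create-admin.yml and users/delete-default-admin.yml, which send passwords or put the token in the request URL. `validate_certs: no` is a YAML 1.1 truthy and the URL is plain http here, so the key can be dropped or written `validate_certs: false`. The 403 branch treats a rejected default login as "already bootstrapped", which is reasonable, but a short comment on the `status_code` list would keep a future reader from widening it.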
---
- name: Create new admin
uri:
url: "{{ kypo_crp_guacamole_internal_url }}api/session/data/postgresql/users?token={{ token_response.json.authToken }}"
method: POST
body:
username: "{{ kypo_crp_guacamole_admin }}"
password: "{{ kypo_crp_guacamole_admin_password }}"
attributes: {}
body_format: json
validate_certs: no
headers:
Content-Type: "application/json"
status_code:
- 400
- 200
register: result
failed_when: result.status != 200 and result.status == 400 and result.json.message != 'User \"' + kypo_crp_guacamole_admin + '\" already exists.'
- name: Add permissions to new admin
uri:
url: "{{ kypo_crp_guacamole_internal_url }}api/session/data/postgresql/users/{{ kypo_crp_guacamole_admin }}/permissions?token={{ token_response.json.authToken }}"
method: PATCH
body: "{{ kypo_crp_guacamole_permissions_request_body | to_json }}"
body_format: json
validate_certs: no
headers:
Content-Type: "application/json"
status_code:
- 204
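Review bot: The `failed_when` on `Create new admin` reads `result.status != 200 and result.status == 400 and ...`; the first clause is implied by the second, so `failed_when: result.status == 400 and result.json.message != 'User \"' + kypo_crp_guacamole_admin + '\" already exists.'` is the same condition without the noise. The same expression appears in users/create-user.yml, which however omits the `status_code` list with `400`, so there the module's own failure fires first and the task depends on `failed_when` overriding it; listing `status_code: [200, 400]` in both keeps them consistent. Matching the server's English message text is fragile across Guacamole versions, so a comment noting that this string is tied to 1.3.0 would help whoever bumps the image.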
---
- name: Create new user
uri:
url: "{{ kypo_crp_guacamole_internal_url }}api/session/data/postgresql/users?token={{ token_response.json.authToken }}"
method: POST
body:
username: "{{ kypo_crp_guacamole_user }}"
password: "{{ kypo_crp_guacamole_user_password }}"
attributes: {}
validate_certs: no
body_format: json
headers:
Content-Type: "application/json"
register: result
failed_when: result.status != 200 and result.status == 400 and result.json.message != 'User \"' + kypo_crp_guacamole_user + '\" already exists.'
---
- name: Obtain token - new admin
uri:
url: "{{ kypo_crp_guacamole_internal_url }}api/tokens"
method: POST
body:
username: "{{ kypo_crp_guacamole_admin }}"
password: "{{ kypo_crp_guacamole_admin_password }}"
validate_certs: no
body_format: form-urlencoded
register: token_response
- name: Delete default admin
uri:
url: "{{ kypo_crp_guacamole_internal_url }}api/session/data/postgresql/users/guacadmin?token={{ token_response.json.authToken }}"
method: DELETE
status_code:
- 204
---
- name: Get docker container info
docker_container_info:
name: '{{ kypo_crp_guacamole_docker_services.guacamole.container_name }}'
register: kypo_crp_guacamole_container_info
- name: Wait for docker guacamole container to start
wait_for:
host: '{{ kypo_crp_guacamole_container_info.container.NetworkSettings.Networks[kypo_crp_docker_network_name].IPAddress }}'
port: 8080
delay: 5
timeout: 20
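Review bot: `port: 8080` on the `wait_for` task hard-codes the value that `kypo_crp_guacamole_port` already holds in the role defaults, so changing the default would leave this task waiting on the wrong port; use `port: '{{ kypo_crp_guacamole_port }}'`. A listening TCP port only shows that Tomcat is up, not that the Guacamole webapp and its database connection are ready, and `timeout: 20` is tight for a first start that also initialises postgres; the first `uri` call in setup-users.yml is the real readiness check, so consider giving it `retries`/`delay` with `until: token_response.status in [200, 403]` instead of, or in addition to, this task.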
version: '2.0'
services:
guacd:
image: {{ kypo_crp_guacamole_docker_services.guacd.image + ":" + kypo_crp_guacamole_docker_services.guacd.image_tag }}
container_name: {{ kypo_crp_guacamole_docker_services.guacd.container_name }}
restart: {{ kypo_crp_guacamole_docker_services.guacd.restart_policy }}
volumes:
- ./drive:/drive:rw
- ./record:/record:rw
postgres:
image: {{ kypo_crp_guacamole_docker_services.postgres.image + ":" + kypo_crp_guacamole_docker_services.postgres.image_tag }}
container_name: {{ kypo_crp_guacamole_docker_services.postgres.container_name }}
restart: {{ kypo_crp_guacamole_docker_services.postgres.restart_policy }}
environment:
PGDATA: /var/lib/postgresql/data/guacamole
POSTGRES_DB: {{ kypo_crp_guacamole_postgres_db }}
POSTGRES_USER: {{ kypo_crp_guacamole_postgres_user }}
POSTGRES_PASSWORD: {{ kypo_crp_guacamole_postgres_password }}
volumes:
- ./init:/docker-entrypoint-initdb.d:ro
- ./data:/var/lib/postgresql/data:rw
guacamole:
image: {{ kypo_crp_guacamole_docker_services.guacamole.image + ":" + kypo_crp_guacamole_docker_services.guacamole.image_tag }}
container_name: {{ kypo_crp_guacamole_docker_services.guacamole.container_name }}
restart: {{ kypo_crp_guacamole_docker_services.guacamole.restart_policy }}
depends_on:
- guacd
- postgres
environment:
GUACD_HOSTNAME: kypo-guacd
POSTGRES_DATABASE: {{ kypo_crp_guacamole_postgres_db }}
POSTGRES_HOSTNAME: postgres
POSTGRES_USER: {{ kypo_crp_guacamole_postgres_user }}
POSTGRES_PASSWORD: {{ kypo_crp_guacamole_postgres_password }}
LOGBACK_LEVEL: DEBUG
ports:
## enable next line if not using nginx
## - 8080:8080/tcp # Guacamole is on :8080/guacamole, not /.
## enable next line when using nginx
- 8080/tcp
volumes:
- ./extensions/guacamole-auth-quickconnect-1.3.0.jar:/opt/guacamole/postgresql/guacamole-auth-quickconnect-1.3.0.jar
networks:
default:
external:
name: '{{ kypo_crp_docker_network_name }}'
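Review bot: `ports:` with `- 8080/tcp` publishes the container's port 8080 on an ephemeral host port, so Guacamole becomes reachable on every host interface even though the role only talks to it over the docker network (`http://guacamole:8080...` in main.yml and the container IP in wait-for-guacamole.yml); if no host publish is intended, replace the `ports:` block with `expose:` and `- "8080"`, or drop it. The templated scalars are unquoted, so `POSTGRES_PASSWORD: {{ kypo_crp_guacamole_postgres_password }}` breaks or is retyped for a password containing `: ` or ` #`, or one that looks like a number or boolean; write `POSTGRES_PASSWORD: "{{ kypo_crp_guacamole_postgres_password }}"` and quote the other `{{ }}` values the same way. `LOGBACK_LEVEL: DEBUG` is a verbose setting for a gateway that handles credentials; making it a variable that defaults to `INFO` keeps it available for troubleshooting. The role defaults declare an nginx service and the comments here mention "when using nginx", but no nginx service exists in this template, so either the service or the defaults entry is dead.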