From b742ffd4767ab292702519b7ef3d3380dc41c051 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Sun, 26 Jan 2025 20:57:34 +0100
Subject: [PATCH] Implemented OAuth2-Proxy and other security measures for phpmyadmin

---
 group_vars/all | 17 +++++++----
 playbook.servers.yml | 3 +-
 .../templates/docker-compose.yml.j2 | 2 ++
 roles/docker-mailu/README.md | 1 +
 .../templates/oauth2-proxy-keycloak.cfg.j2 | 30 +++++++++++--------
 .../templates/docker-compose.yml.j2 | 5 ++++
 roles/docker-phpmyadmin/vars/main.yml | 8 ++++-
 7 files changed, 45 insertions(+), 21 deletions(-)

diff --git a/group_vars/all b/group_vars/all
index 1731210a..fae14fd9 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -297,21 +297,26 @@ nextcloud_version: "production" # @see https://nextcloud.com/blog/next #### OAuth2 Proxy oauth2_configuration_file: "oauth2-proxy-keycloak.cfg" -oauth2_proxy_active: false # Needs to be set true in the roles which use it +oauth2_proxy_active: false # Needs to be set true in the roles which use it oauth2_version: "latest" oauth2_proxy_redirect_url: "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak. -# oauth2_proxy_port: >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy. -# oauth2_proxy_upstream_application_and_port: # The name of the application which the server redirects to. Needs to be defined in role vars. +# oauth2_proxy_port: >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy. +# oauth2_proxy_upstream_application_and_port: # The name of the application which the server redirects to. Needs to be defined in role vars. +oauth2_proxy_allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups #### Open Project # openproject_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application. -# openproject_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application. 
+# openproject_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application: 0dc07dc3b323921acbd96656f33dc55a + #### Peertube -peertube_version: "bookworm" +peertube_version: "bookworm" #### PHPMyAdmin -phpmyadmin_version: "latest" +phpmyadmin_version: "latest" +phpmyadmin_autologin: false # This is a high security risk. Just activate this option if you know what you're doing +# phpmyadmin_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application. +# phpmyadmin_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application. #### Pixelfed pixelfed_app_name: "Pictures on {{primary_domain}}" diff --git a/playbook.servers.yml b/playbook.servers.yml index de661077..83b02a02 100644 --- a/playbook.servers.yml +++ b/playbook.servers.yml @@ -323,7 +323,8 @@ - role: docker-phpmyadmin vars: domain: "{{domain_phpmyadmin}}" - http_port: 8034 + http_port: 8034 + oauth2_proxy_port: 4181 # Native Webserver Roles - name: setup nginx-static-repositorys diff --git a/roles/docker-ldap/templates/docker-compose.yml.j2 b/roles/docker-ldap/templates/docker-compose.yml.j2 index 69c25cef..028b7256 100644 --- a/roles/docker-ldap/templates/docker-compose.yml.j2 +++ b/roles/docker-ldap/templates/docker-compose.yml.j2 @@ -24,6 +24,7 @@ services: LDAP_ADMIN_PASSWORD: {{ldap_administrator_database_password}} # LDAP admin password {% elif ldap_webinterface == 'phpldapadmin' %} phpldapadmin: + name: phpldapadmin image: leenooks/phpldapadmin:{{ldap_phpldapadmin_version}} logging: driver: journald @@ -37,6 +38,7 @@ services: {% endif %} openldap: image: bitnami/openldap:{{ldap_openldap_version}} + name: openldap logging: driver: journald restart: {{docker_restart_policy}} diff --git a/roles/docker-mailu/README.md b/roles/docker-mailu/README.md index 1ca37df0..adf9bdd0 100644 --- a/roles/docker-mailu/README.md 
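Review bot: The rewritten comment for `openproject_oauth2_proxy_cookie_secret` now ends with a 32-hex-character value that has the shape of a real cookie secret, so a secret-looking value is committed to group_vars/all in VCS even though the same line says it must come from the inventory; drop the value and keep the comment generic, e.g. `# openproject_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The oauth2-proxy cookie encryption secret.`, and if it was ever used as a live secret, replace it. The same copy-paste text is reused for the new `phpmyadmin_oauth2_proxy_cookie_secret` line, which describes the cookie secret as "the client secret configured in Keycloak" and the client secret as "the client ID": the cookie secret is oauth2-proxy's own cookie signing/encryption key and is never configured in Keycloak, so the two comments should say so, e.g. `# phpmyadmin_oauth2_proxy_client_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application.`. The comment on `oauth2_proxy_allowed_roles: admin` promises that roles can be opened per role in vars/main.yml; it would help to state in that comment that the value only takes effect when the oauth2-proxy provider actually evaluates roles.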
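Review bot: `name: phpldapadmin` and `name: openldap` are added as service-level keys in both hunks of roles/docker-ldap/templates/docker-compose.yml.j2, but in the Compose specification `name` is a top-level (project) attribute only; the service-level equivalent is `container_name`, and current Compose validates service properties, so the rendered file is likely to be rejected with an unknown-property error rather than silently ignored. If a fixed container name is intended, use `container_name: openldap` (and `container_name: phpldapadmin` in the first hunk); if the key is meant for some other consumer, a comment naming that tool would stop the next reader from "fixing" it. Both hunks sit inside the `services:` block whose start and end are outside the diff.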
+++ b/roles/docker-mailu/README.md @@ -177,6 +177,7 @@ If your IP or domain is flagged by Cloudmark, you can submit a **reset request** - [Mailu GitHub repository](https://github.com/Mailu/Mailu) - [Plesk support article on RoundCube connection issue](https://support.plesk.com/hc/en-us/articles/115001264814-Unable-to-log-into-RoundCube-Connection-to-storage-server-failed) - [Gist by marienfressinaud](https://gist.github.com/marienfressinaud/f284a59b18aad395eb0de2d22836ae6b) +- [Implementing OpenID with Mailu](https://github.com/heviat/Mailu-OIDC) For more information about this role, visit the [GitHub repository](https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/docker-mailu). diff --git a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 index d35289da..cc9e075a 100644 --- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 +++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 
@@ -1,15 +1,19 @@
-http_address="0.0.0.0:4180"
-cookie_secret="{{oauth2_proxy_cookie_secret}}"
-email_domains="{{primary_domain}}"
-cookie_secure="false"
-upstreams="http://{{oauth2_proxy_upstream_application_and_port}}"
-cookie_domains=["{{domain}}", "{{domain_keycloak}}"] # Required so cookie can be read on all subdomains.
-whitelist_domains=[".{{primary_domain}}"] # Required to allow redirection back to original requested target.
+http_address = "0.0.0.0:4180"
+cookie_secret = "{{oauth2_proxy_cookie_secret}}"
+email_domains = "{{primary_domain}}"
+cookie_secure = "false"
+upstreams = "http://{{oauth2_proxy_upstream_application_and_port}}"
+cookie_domains = ["{{domain}}", "{{domain_keycloak}}"] # Required so cookie can be read on all subdomains.
+whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target.
 
 # keycloak provider
-client_secret="{{oauth2_proxy_client_secret}}"
-client_id="{{domain}}"
-redirect_url="https://{{domain}}/oauth2/callback"
-oidc_issuer_url="https://{{domain_keycloak}}/realms/{{primary_domain}}"
-provider="oidc"
-provider_display_name="Keycloak"
\ No newline at end of file
+client_secret = "{{oauth2_proxy_client_secret}}"
+client_id = "{{domain}}"
+redirect_url = "https://{{domain}}/oauth2/callback"
+oidc_issuer_url = "https://{{domain_keycloak}}/realms/{{primary_domain}}"
+provider = "oidc"
+provider_display_name = "Keycloak"
+
+# role restrictions
+cookie_roles = "realm_access.roles"
+allowed_roles = "{{oauth2_proxy_allowed_roles}}"
\ No newline at end of file
diff --git a/roles/docker-phpmyadmin/templates/docker-compose.yml.j2 b/roles/docker-phpmyadmin/templates/docker-compose.yml.j2
index 0103a44f..c2904920 100644
--- a/roles/docker-phpmyadmin/templates/docker-compose.yml.j2
+++ b/roles/docker-phpmyadmin/templates/docker-compose.yml.j2
@@ -1,4 +1,7 @@
 services:
+
+{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
+
 application:
 logging:
 driver: journald
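Review bot: The new `allowed_roles` restriction is paired with `provider = "oidc"`, but oauth2-proxy documents `allowed_roles` (`--allowed-role`) as honoured by the keycloak-oidc provider only, so with the generic oidc provider the role check is skipped and any realm account whose e-mail matches `email_domains` reaches the upstream. Use `provider = "keycloak-oidc"` and pass the option as a list, `allowed_roles = ["{{oauth2_proxy_allowed_roles}}"]`, then verify that an account without the admin role is denied; that provider already reads realm roles from the token's `realm_access.roles`, which appears to be what `cookie_roles` was meant to set up. I cannot find `cookie_roles` among oauth2-proxy's documented options, so confirm it against the image version that is actually deployed (oauth2_version is "latest"), since an unknown key is either ignored or rejected at startup depending on the release. `cookie_secure = "false"` is carried over unchanged although `redirect_url` is https; unless there is a plain-HTTP hop in front of the proxy, `cookie_secure = "true"` keeps the session cookie off cleartext connections.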
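Review bot: The `{% include %}` is written at column 0 directly under `services:`, and Jinja inserts the included text verbatim, so roles/docker-oauth2-proxy/templates/container.yml.j2 (not part of this diff) must itself carry the two-space service indentation or the proxy service will not nest under `services:` in the rendered file. A one-line Jinja comment next to the include, such as `{# container.yml.j2 is written with service-level (2-space) indentation #}`, records that contract for the next maintainer. The `services:` mapping continues past the end of this hunk.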
@@ -6,8 +9,10 @@ services:
 container_name: phpmyadmin
 environment:
 PMA_HOST: central-mariadb
+{% if phpmyadmin_autologin | bool %}
 PMA_USER: root
 PMA_PASSWORD: "{{central_mariadb_root_password}}"
+{% endif %}
 restart: {{docker_restart_policy}}
 ports:
 - "127.0.0.1:{{http_port}}:80"
diff --git a/roles/docker-phpmyadmin/vars/main.yml b/roles/docker-phpmyadmin/vars/main.yml
index eddd4d00..b9ec4d1c 100644
--- a/roles/docker-phpmyadmin/vars/main.yml
+++ b/roles/docker-phpmyadmin/vars/main.yml
@@ -1,2 +1,8 @@
 docker_compose_project_name: "phpmyadmin"
-database_type: "mariadb"
\ No newline at end of file
+database_type: "mariadb"
+database_host: "{{ 'central-' + database_type if enable_central_database}}"
+# OAuth2 Proxy Configuration
+oauth2_proxy_client_secret: "{{phpmyadmin_oauth2_proxy_client_secret}}"
+oauth2_proxy_cookie_secret: "{{phpmyadmin_oauth2_proxy_cookie_secret}}"
+oauth2_proxy_upstream_application_and_port: "application:80"
+oauth2_proxy_active: true
\ No newline at end of file
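Review bot: The `application` container still publishes `127.0.0.1:{{http_port}}:80` to the host while the proxy reaches it over the compose network as `application:80` (per the new vars/main.yml), so nothing in this change forces traffic through the OAuth2 gate: if the nginx vhost, which is outside this diff, keeps forwarding to `http_port`, the login is bypassed, and with `phpmyadmin_autologin` enabled that is an unauthenticated root database session. Either drop the `ports:` mapping for `application` now that the proxy is the upstream, or confirm the vhost is switched to `oauth2_proxy_port` and leave a comment on the `ports:` line saying why the direct mapping must stay. The `{% if %}` gate around `PMA_USER`/`PMA_PASSWORD` is the right shape; it would read more clearly with a comment such as `{# autologin injects the root credentials into the container environment; off by default #}`. The `environment:` and `ports:` blocks belong to the `application` service whose start is outside this hunk.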
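Review bot: `database_host: "{{ 'central-' + database_type if enable_central_database}}"` has no `else`, so when `enable_central_database` is false the inline if yields an undefined value and the variable renders empty or fails with an undefined-variable error depending on Ansible's undefined handling; add a fallback, e.g. `database_host: "{{ 'central-' + database_type if enable_central_database else database_type }}"` (the fallback value here is a placeholder, use whatever the non-central case actually connects to). Nothing in this commit reads `database_host`: the compose template still hard-codes `PMA_HOST: central-mariadb`, so either wire it in (`PMA_HOST: {{database_host}}`) or drop the variable until it is used. `oauth2_proxy_active: true` deliberately overrides the group_vars default; a short comment on that line, e.g. `# enables the oauth2-proxy container included in docker-compose.yml.j2`, would make the override intent explicit. The file is still written without a trailing newline.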