Google Git
Sign in
apache / guacamole-client / 0c033feea72c671edf88acc1e7924878cb2920de / . / guacamole-docker / bin / start.sh
blob: a86cce0cff5c50b4453f7e7458e60ec1750dfde4 [file] [log] [blame]
#!/bin/bash -e
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
##
## @fn start.sh
##
## Automatically configures and starts Guacamole under Tomcat. Guacamole's
## guacamole.properties file will be automatically generated based on the
## linked database container (either MySQL, PostgreSQL or SQLServer) and the linked guacd
## container. The Tomcat process will ultimately replace the process of this
## script, running in the foreground until terminated.
##
GUACAMOLE_HOME_TEMPLATE="$GUACAMOLE_HOME"
GUACAMOLE_HOME="$HOME/.guacamole"
GUACAMOLE_EXT="$GUACAMOLE_HOME/extensions"
GUACAMOLE_LIB="$GUACAMOLE_HOME/lib"
GUACAMOLE_PROPERTIES="$GUACAMOLE_HOME/guacamole.properties"
##
## Sets the given property to the given value within guacamole.properties,
## creating guacamole.properties first if necessary.
##
## @param NAME
## The name of the property to set.
##
## @param VALUE
## The value to set the property to.
##
set_property() {
NAME="$1"
VALUE="$2"
# Ensure guacamole.properties exists
if [ ! -e "$GUACAMOLE_PROPERTIES" ]; then
mkdir -p "$GUACAMOLE_HOME"
echo "# guacamole.properties - generated `date`" > "$GUACAMOLE_PROPERTIES"
fi
# Set property
echo "$NAME: $VALUE" >> "$GUACAMOLE_PROPERTIES"
}
##
## Sets the given property to the given value within guacamole.properties only
## if a value is provided, creating guacamole.properties first if necessary.
##
## @param NAME
## The name of the property to set.
##
## @param VALUE
## The value to set the property to, if any. If omitted or empty, the
## property will not be set.
##
set_optional_property() {
NAME="$1"
VALUE="$2"
# Set the property only if a value is provided
if [ -n "$VALUE" ]; then
set_property "$NAME" "$VALUE"
fi
}
# Print error message regarding missing required variables for MySQL authentication
mysql_missing_vars() {
cat <<END
FATAL: Missing required environment variables
-------------------------------------------------------------------------------
If using a MySQL database, you must provide each of the following
environment variables or their corresponding Docker secrets by appending _FILE
to the environment variable, and setting the value to the path of the
corresponding secret:
MYSQL_USER The user to authenticate as when connecting to
MySQL.
MYSQL_PASSWORD The password to use when authenticating with MySQL as
MYSQL_USER.
MYSQL_DATABASE The name of the MySQL database to use for Guacamole
authentication.
END
exit 1;
}
##
## Adds properties to guacamole.properties which select the MySQL
## authentication provider, and configure it to connect to the linked MySQL
## container. If a MySQL database is explicitly specified using the
## MYSQL_HOSTNAME and MYSQL_PORT environment variables, that will be used
## instead of a linked container.
##
associate_mysql() {
# Use linked container if specified
if [ -n "$MYSQL_NAME" ]; then
MYSQL_HOSTNAME="$MYSQL_PORT_3306_TCP_ADDR"
MYSQL_PORT="$MYSQL_PORT_3306_TCP_PORT"
fi
# Use default port if none specified
MYSQL_PORT="${MYSQL_PORT-3306}"
# Verify required connection information is present
if [ -z "$MYSQL_HOSTNAME" -o -z "$MYSQL_PORT" ]; then
cat <<END
FATAL: Missing MYSQL_HOSTNAME or "mysql" link.
-------------------------------------------------------------------------------
If using a MySQL database, you must either:
(a) Explicitly link that container with the link named "mysql".
(b) If not using a Docker container for MySQL, explicitly specify the TCP
connection to your database using the following environment variables:
MYSQL_HOSTNAME The hostname or IP address of the MySQL server. If not
using a MySQL Docker container and corresponding link,
this environment variable is *REQUIRED*.
MYSQL_PORT The port on which the MySQL server is listening for TCP
connections. This environment variable is option. If
omitted, the standard MySQL port of 3306 will be used.
END
exit 1;
fi
# Verify that the required Docker secrets are present, else, default to their normal environment variables
if [ -n "$MYSQL_USER_FILE" ]; then
set_property "mysql-username" "`cat "$MYSQL_USER_FILE"`"
elif [ -n "$MYSQL_USER" ]; then
set_property "mysql-username" "$MYSQL_USER"
else
mysql_missing_vars
exit 1;
fi
if [ -n "$MYSQL_PASSWORD_FILE" ]; then
set_property "mysql-password" "`cat "$MYSQL_PASSWORD_FILE"`"
elif [ -n "$MYSQL_PASSWORD" ]; then
set_property "mysql-password" "$MYSQL_PASSWORD"
else
mysql_missing_vars
exit 1;
fi
if [ -n "$MYSQL_DATABASE_FILE" ]; then
set_property "mysql-database" "`cat "$MYSQL_DATABASE_FILE"`"
elif [ -n "$MYSQL_DATABASE" ]; then
set_property "mysql-database" "$MYSQL_DATABASE"
else
mysql_missing_vars
exit 1;
fi
# Update config file
set_property "mysql-hostname" "$MYSQL_HOSTNAME"
set_property "mysql-port" "$MYSQL_PORT"
set_optional_property \
"mysql-absolute-max-connections" \
"$MYSQL_ABSOLUTE_MAX_CONNECTIONS"
set_optional_property \
"mysql-default-max-connections" \
"$MYSQL_DEFAULT_MAX_CONNECTIONS"
set_optional_property \
"mysql-default-max-group-connections" \
"$MYSQL_DEFAULT_MAX_GROUP_CONNECTIONS"
set_optional_property \
"mysql-default-max-connections-per-user" \
"$MYSQL_DEFAULT_MAX_CONNECTIONS_PER_USER"
set_optional_property \
"mysql-default-max-group-connections-per-user" \
"$MYSQL_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER"
set_optional_property \
"mysql-user-required" \
"$MYSQL_USER_REQUIRED"
set_optional_property \
"mysql-ssl-mode" \
"$MYSQL_SSL_MODE"
set_optional_property \
"mysql-ssl-trust-store" \
"$MYSQL_SSL_TRUST_STORE"
# For SSL trust store password, check secrets, first, then standard env variable
if [ -n "$MYSQL_SSL_TRUST_PASSWORD_FILE" ]; then
set_property "mysql-ssl-trust-password" "`cat "$MYSQL_SSL_TRUST_PASSWORD_FILE"`"
elif [ -n "$MYSQL_SSL_TRUST_PASSWORD" ]; then
set_property "mysql-ssl-trust-password" "$MYSQL_SSL_TRUST_PASSWORD"
fi
set_optional_property \
"mysql-ssl-client-store" \
"$MYSQL_SSL_CLIENT_STORE"
# For SSL trust store password, check secrets, first, then standard env variable
if [ -n "$MYSQL_SSL_CLIENT_PASSWORD_FILE" ]; then
set_property "mysql-ssl-client-password" "`cat "$MYSQL_SSL_CLIENT_PASSWORD_FILE"`"
elif [ -n "$MYSQL_SSL_CLIENT_PASSWORD" ]; then
set_property "mysql-ssl-client-password" "$MYSQL_SSL_CLIENT_PASSWORD"
fi
set_optional_property \
"mysql-auto-create-accounts" \
"$MYSQL_AUTO_CREATE_ACCOUNTS"
# Add required .jar files to GUACAMOLE_LIB and GUACAMOLE_EXT
ln -s /opt/guacamole/mysql/mysql-connector-*.jar "$GUACAMOLE_LIB"
ln -s /opt/guacamole/mysql/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
# Print error message regarding missing required variables for PostgreSQL authentication
postgresql_missing_vars() {
cat <<END
FATAL: Missing required environment variables
-------------------------------------------------------------------------------
If using a PostgreSQL database, you must provide each of the following
environment variables or their corresponding Docker secrets by appending _FILE
to the environment variable, and setting the value to the path of the
corresponding secret:
POSTGRESQL_USER The user to authenticate as when connecting to
PostgreSQL.
POSTGRESQL_PASSWORD The password to use when authenticating with PostgreSQL
as POSTGRESQL_USER.
POSTGRESQL_DATABASE The name of the PostgreSQL database to use for Guacamole
authentication.
END
exit 1;
}
## Provide backward compatibility on POSTGRES_* environment variables
## In case of new deployment, please use POSTGRESQL_* equivalent variables.
for VAR_BASE in \
HOSTNAME PORT \
DATABASE USER PASSWORD \
DATABASE_FILE USER_FILE PASSWORD_FILE \
ABSOLUTE_MAX_CONNECTIONS DEFAULT_MAX_CONNECTIONS \
DEFAULT_MAX_GROUP_CONNECTIONS DEFAULT_MAX_CONNECTIONS_PER_USER \
DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER \
DEFAULT_STATEMENT_TIMEOUT SOCKET_TIMEOUT \
USER_REQUIRED \
SSL_KEY_PASSWORD_FILE SSL_KEY_PASSWORD; do
OLD_VAR="POSTGRES_$VAR_BASE"
NEW_VAR="POSTGRESQL_$VAR_BASE"
if [ -n "${!OLD_VAR}" ]; then
printf -v "$NEW_VAR" "%s" "${!OLD_VAR}"
echo "WARNING: ${OLD_VAR} detected, please use ${NEW_VAR} for further deployments."
fi
done
##
## Adds properties to guacamole.properties which select the PostgreSQL
## authentication provider, and configure it to connect to the linked
## PostgreSQL container. If a PostgreSQL database is explicitly specified using
## the POSTGRESQL_HOSTNAME and POSTGRESQL_PORT environment variables, that will be
## used instead of a linked container.
##
associate_postgresql() {
# Use linked container if specified
if [ -n "$POSTGRES_NAME" ]; then
POSTGRESQL_HOSTNAME="$POSTGRES_PORT_5432_TCP_ADDR"
POSTGRESQL_PORT="$POSTGRES_PORT_5432_TCP_PORT"
fi
# Use default port if none specified
POSTGRESQL_PORT="${POSTGRESQL_PORT-5432}"
# Verify required connection information is present
if [ -z "$POSTGRESQL_HOSTNAME" -o -z "$POSTGRESQL_PORT" ]; then
cat <<END
FATAL: Missing POSTGRESQL_HOSTNAME or "postgres" link.
-------------------------------------------------------------------------------
If using a PostgreSQL database, you must either:
(a) Explicitly link that container with the link named "postgres".
(b) If not using a Docker container for PostgreSQL, explicitly specify the TCP
connection to your database using the following environment variables:
POSTGRESQL_HOSTNAME The hostname or IP address of the PostgreSQL server. If
not using a PostgreSQL Docker container and
corresponding link, this environment variable is
*REQUIRED*.
POSTGRESQL_PORT The port on which the PostgreSQL server is listening for
TCP connections. This environment variable is option. If
omitted, the standard PostgreSQL port of 5432 will be
used.
END
exit 1;
fi
# Verify that the required Docker secrets are present, else, default to their normal environment variables
if [ -n "$POSTGRESQL_USER_FILE" ]; then
set_property "postgresql-username" "`cat "$POSTGRESQL_USER_FILE"`"
elif [ -n "$POSTGRESQL_USER" ]; then
set_property "postgresql-username" "$POSTGRESQL_USER"
else
postgresql_missing_vars
exit 1;
fi
if [ -n "$POSTGRESQL_PASSWORD_FILE" ]; then
set_property "postgresql-password" "`cat "$POSTGRESQL_PASSWORD_FILE"`"
elif [ -n "$POSTGRESQL_PASSWORD" ]; then
set_property "postgresql-password" "$POSTGRESQL_PASSWORD"
else
postgresql_missing_vars
exit 1;
fi
if [ -n "$POSTGRESQL_DATABASE_FILE" ]; then
set_property "postgresql-database" "`cat "$POSTGRESQL_DATABASE_FILE"`"
elif [ -n "$POSTGRESQL_DATABASE" ]; then
set_property "postgresql-database" "$POSTGRESQL_DATABASE"
else
postgresql_missing_vars
exit 1;
fi
# Update config file
set_property "postgresql-hostname" "$POSTGRESQL_HOSTNAME"
set_property "postgresql-port" "$POSTGRESQL_PORT"
set_optional_property \
"postgresql-absolute-max-connections" \
"$POSTGRESQL_ABSOLUTE_MAX_CONNECTIONS"
set_optional_property \
"postgresql-default-max-connections" \
"$POSTGRESQL_DEFAULT_MAX_CONNECTIONS"
set_optional_property \
"postgresql-default-max-group-connections" \
"$POSTGRESQL_DEFAULT_MAX_GROUP_CONNECTIONS"
set_optional_property \
"postgresql-default-max-connections-per-user" \
"$POSTGRESQL_DEFAULT_MAX_CONNECTIONS_PER_USER"
set_optional_property \
"postgresql-default-max-group-connections-per-user" \
"$POSTGRESQL_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER"
set_optional_property \
"postgresql-default-statement-timeout" \
"$POSTGRESQL_DEFAULT_STATEMENT_TIMEOUT"
set_optional_property \
"postgresql-user-required" \
"$POSTGRESQL_USER_REQUIRED"
set_optional_property \
"postgresql-socket-timeout" \
"$POSTGRESQL_SOCKET_TIMEOUT"
set_optional_property \
"postgresql-ssl-mode" \
"$POSTGRESQL_SSL_MODE"
set_optional_property \
"postgresql-ssl-cert-file" \
"$POSTGRESQL_SSL_CERT_FILE"
set_optional_property \
"postgresql-ssl-key-file" \
"$POSTGRESQL_SSL_KEY_FILE"
set_optional_property \
"postgresql-ssl-root-cert-file" \
"$POSTGRESQL_SSL_ROOT_CERT_FILE"
# For SSL key password, check secrets, first, then standard env variable
if [ -n "$POSTGRESQL_SSL_KEY_PASSWORD_FILE" ]; then
set_property "postgresql-ssl-key-password" "`cat "$POSTGRESQL_SSL_KEY_PASSWORD_FILE"`"
elif [ -n "$POSTGRESQL_SSL_KEY_PASSWORD" ]; then
set_property "postgresql-ssl-key-password" "$POSTGRESQL_SSL_KEY_PASSWORD"
fi
set_optional_property \
"postgresql-auto-create-accounts" \
"$POSTGRESQL_AUTO_CREATE_ACCOUNTS"
# Add required .jar files to GUACAMOLE_LIB and GUACAMOLE_EXT
ln -s /opt/guacamole/postgresql/postgresql-*.jar "$GUACAMOLE_LIB"
ln -s /opt/guacamole/postgresql/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
# Print error message regarding missing required variables for SQLServer authentication
sqlserver_missing_vars() {
cat <<END
FATAL: Missing required environment variables
-------------------------------------------------------------------------------
If using a SQLServer database, you must provide each of the following
environment variables:
SQLSERVER_USER The user to authenticate as when connecting to
SQLServer.
SQLSERVER_PASSWORD The password to use when authenticating with SQLServer
as SQLSERVER_USER.
SQLSERVER_DATABASE The name of the SQLServer database to use for Guacamole
authentication.
Alternatively, if you want to store database credentials using Docker secrets,
set the path of the corresponding secrets in the following three variables:
SQLSERVER_DATABASE_FILE The path of the docker secret containing the name
of database to use for Guacamole authentication.
SQLSERVER_USER_FILE The path of the docker secret containing the name of
the user that Guacamole will use to connect to SQLServer.
SQLSERVER_PASSWORD_FILE The path of the docker secret containing the
password that Guacamole will provide when connecting to
SQLServer as SQLSERVER_USER.
END
exit 1;
}
##
## Adds properties to guacamole.properties which select the SQLServer
## authentication provider, and configure it to connect to the linked
## SQLServer container. If a SQLServer database is explicitly specified using
## the SQLSERVER_HOSTNAME and SQLSERVER_PORT environment variables, that will
## be used instead of a linked container.
##
associate_sqlserver() {
# Use linked container if specified
if [ -n "$SQLSERVER_NAME" ]; then
SQLSERVER_HOSTNAME="$SQLSERVER_PORT_1433_TCP_ADDR"
SQLSERVER_PORT="$SQLSERVER_PORT_1433_TCP_PORT"
fi
# Use default port if none specified
SQLSERVER_PORT="${SQLSERVER_PORT-1433}"
# Verify required connection information is present
if [ -z "$SQLSERVER_HOSTNAME" -o -z "$SQLSERVER_PORT" ]; then
cat <<END
FATAL: Missing SQLSERVER_HOSTNAME or "sqlserver" link.
-------------------------------------------------------------------------------
If using a SQLServer database, you must either:
(a) Explicitly link that container with the link named "sqlserver".
(b) If not using a Docker container for SQLServer, explicitly specify the TCP
connection to your database using the following environment variables:
SQLSERVER_HOSTNAME The hostname or IP address of the SQLServer server. If
not using a SQLServer Docker container and
corresponding link, this environment variable is
*REQUIRED*.
SQLSERVER_PORT The port on which the SQLServer server is listening for
TCP connections. This environment variable is option. If
omitted, the standard SQLServer port of 1433 will be
used.
END
exit 1;
fi
# Verify that the required Docker secrets are present, else, default to their normal environment variables
if [ -n "$SQLSERVER_USER_FILE" ]; then
set_property "sqlserver-username" "`cat "$SQLSERVER_USER_FILE"`"
elif [ -n "$SQLSERVER_USER" ]; then
set_property "sqlserver-username" "$SQLSERVER_USER"
else
sqlserver_missing_vars
exit 1;
fi
if [ -n "$SQLSERVER_PASSWORD_FILE" ]; then
set_property "sqlserver-password" "`cat "$SQLSERVER_PASSWORD_FILE"`"
elif [ -n "$SQLSERVER_PASSWORD" ]; then
set_property "sqlserver-password" "$SQLSERVER_PASSWORD"
else
sqlserver_missing_vars
exit 1;
fi
if [ -n "$SQLSERVER_DATABASE_FILE" ]; then
set_property "sqlserver-database" "`cat "$SQLSERVER_DATABASE_FILE"`"
elif [ -n "$SQLSERVER_DATABASE" ]; then
set_property "sqlserver-database" "$SQLSERVER_DATABASE"
else
sqlserver_missing_vars
exit 1;
fi
# Update config file
set_property "sqlserver-hostname" "$SQLSERVER_HOSTNAME"
set_property "sqlserver-port" "$SQLSERVER_PORT"
set_property "sqlserver-driver" "microsoft2005"
set_optional_property \
"sqlserver-absolute-max-connections" \
"$SQLSERVER_ABSOLUTE_MAX_CONNECTIONS"
set_optional_property \
"sqlserver-default-max-connections" \
"$SQLSERVER_DEFAULT_MAX_CONNECTIONS"
set_optional_property \
"sqlserver-default-max-group-connections" \
"$SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS"
set_optional_property \
"sqlserver-default-max-connections-per-user" \
"$SQLSERVER_DEFAULT_MAX_CONNECTIONS_PER_USER"
set_optional_property \
"sqlserver-default-max-group-connections-per-user" \
"$SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER"
set_optional_property \
"sqlserver-user-required" \
"$SQLSERVER_USER_REQUIRED"
set_optional_property \
"sqlserver-auto-create-accounts" \
"$SQLSERVERQL_AUTO_CREATE_ACCOUNTS"
set_optional_property \
"sqlserver-instance" \
"$SQLSERVERQL_INSTANCE"
# Add required .jar files to GUACAMOLE_LIB and GUACAMOLE_EXT
ln -s /opt/guacamole/sqlserver/mssql-jdbc-*.jar "$GUACAMOLE_LIB"
ln -s /opt/guacamole/sqlserver/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
##
## Adds properties to guacamole.properties which select the LDAP
## authentication provider, and configure it to connect to the specified LDAP
## directory.
##
associate_ldap() {
# Verify required parameters are present
if [ -z "$LDAP_HOSTNAME" -o -z "$LDAP_USER_BASE_DN" ]; then
cat <<END
FATAL: Missing required environment variables
-------------------------------------------------------------------------------
If using an LDAP directory, you must provide each of the following environment
variables:
LDAP_HOSTNAME The hostname or IP address of your LDAP server.
LDAP_USER_BASE_DN The base DN under which all Guacamole users will be
located. Absolutely all Guacamole users that will
authenticate via LDAP must exist within the subtree of
this DN.
END
exit 1;
fi
# Update config file
set_property "ldap-hostname" "$LDAP_HOSTNAME"
set_property "ldap-user-base-dn" "$LDAP_USER_BASE_DN"
set_optional_property "ldap-port" "$LDAP_PORT"
set_optional_property "ldap-encryption-method" "$LDAP_ENCRYPTION_METHOD"
set_optional_property "ldap-max-search-results" "$LDAP_MAX_SEARCH_RESULTS"
set_optional_property "ldap-search-bind-dn" "$LDAP_SEARCH_BIND_DN"
set_optional_property "ldap-user-attributes" "$LDAP_USER_ATTRIBUTES"
set_optional_property "ldap-search-bind-password" "$LDAP_SEARCH_BIND_PASSWORD"
set_optional_property "ldap-username-attribute" "$LDAP_USERNAME_ATTRIBUTE"
set_optional_property "ldap-member-attribute" "$LDAP_MEMBER_ATTRIBUTE"
set_optional_property "ldap-user-search-filter" "$LDAP_USER_SEARCH_FILTER"
set_optional_property "ldap-config-base-dn" "$LDAP_CONFIG_BASE_DN"
set_optional_property "ldap-group-base-dn" "$LDAP_GROUP_BASE_DN"
set_optional_property "ldap-group-search-filter" "$LDAP_GROUP_SEARCH_FILTER"
set_optional_property "ldap-member-attribute-type" "$LDAP_MEMBER_ATTRIBUTE_TYPE"
set_optional_property "ldap-group-name-attribute" "$LDAP_GROUP_NAME_ATTRIBUTE"
set_optional_property "ldap-dereference-aliases" "$LDAP_DEREFERENCE_ALIASES"
set_optional_property "ldap-follow-referrals" "$LDAP_FOLLOW_REFERRALS"
set_optional_property "ldap-max-referral-hops" "$LDAP_MAX_REFERRAL_HOPS"
set_optional_property "ldap-operation-timeout" "$LDAP_OPERATION_TIMEOUT"
# Add required .jar files to GUACAMOLE_EXT
ln -s /opt/guacamole/ldap/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
##
## Adds properties to guacamole.properties which select the LDAP
## authentication provider, and configure it to connect to the specified LDAP
## directory.
##
associate_radius() {
# Verify required parameters are present
if [ -z "$RADIUS_SHARED_SECRET" -o -z "$RADIUS_AUTH_PROTOCOL" ]; then
cat <<END
FATAL: Missing required environment variables
-------------------------------------------------------------------------------
If using RADIUS server, you must provide each of the following environment
variables:
RADIUS_SHARED_SECRET The shared secret to use when talking to the
RADIUS server.
RADIUS_AUTH_PROTOCOL The authentication protocol to use when talking
to the RADIUS server.
Supported values are:
pap, chap, mschapv1, mschapv2, eap-md5,
eap-tls and eap-ttls.
END
exit 1;
fi
# Verify provided files do exist and are readable
if [ -n "$RADIUS_KEY_FILE" -a ! -r "$RADIUS_KEY_FILE" ]; then
cat <<END
FATAL: Provided file RADIUS_KEY_FILE=$RADIUS_KEY_FILE does not exist
or is not readable!
-------------------------------------------------------------------------------
If you provide key or CA files you need to mount those into the container and
make sure they are readable for the user in the container.
END
exit 1;
fi
if [ -n "$RADIUS_CA_FILE" -a ! -r "$RADIUS_CA_FILE" ]; then
cat <<END
FATAL: Provided file RADIUS_CA_FILE=$RADIUS_CA_FILE does not exist
or is not readable!
-------------------------------------------------------------------------------
If you provide key or CA files you need to mount those into the container and
make sure they are readable for the user in the container.
END
exit 1;
fi
if [ "$RADIUS_AUTH_PROTOCOL" = "eap-ttls" -a -z "$RADIUS_EAP_TTLS_INNER_PROTOCOL" ]; then
cat <<END
FATAL: Authentication protocol "eap-ttls" specified but
RADIUS_EAP_TTLS_INNER_PROTOCOL is not set!
-------------------------------------------------------------------------------
When EAP-TTLS is used, this parameter specifies the inner (tunneled)
protocol to use talking to the RADIUS server.
END
exit 1;
fi
# Update config file
set_optional_property "radius-hostname" "$RADIUS_HOSTNAME"
set_optional_property "radius-auth-port" "$RADIUS_AUTH_PORT"
set_property "radius-shared-secret" "$RADIUS_SHARED_SECRET"
set_property "radius-auth-protocol" "$RADIUS_AUTH_PROTOCOL"
set_optional_property "radius-key-file" "$RADIUS_KEY_FILE"
set_optional_property "radius-key-type" "$RADIUS_KEY_TYPE"
set_optional_property "radius-key-password" "$RADIUS_KEY_PASSWORD"
set_optional_property "radius-ca-file" "$RADIUS_CA_FILE"
set_optional_property "radius-ca-type" "$RADIUS_CA_TYPE"
set_optional_property "radius-ca-password" "$RADIUS_CA_PASSWORD"
set_optional_property "radius-trust-all" "$RADIUS_TRUST_ALL"
set_optional_property "radius-retries" "$RADIUS_RETRIES"
set_optional_property "radius-timeout" "$RADIUS_TIMEOUT"
set_optional_property "radius-eap-ttls-inner-protocol" "$RADIUS_EAP_TTLS_INNER_PROTOCOL"
set_optional_property "radius-nas-ip" "$RADIUS_NAS_IP"
set_optional_property \
"radius-eap-ttls-inner-protocol" \
"$RADIUS_EAP_TTLS_INNER_PROTOCOL"
# Add required .jar files to GUACAMOLE_EXT
ln -s /opt/guacamole/radius/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
## Adds properties to guacamole.properties which select the OPENID
## authentication provider, and configure it to connect to the specified OPENID
## provider.
##
associate_openid() {
# Verify required parameters are present
if [ -z "$OPENID_AUTHORIZATION_ENDPOINT" ] || \
[ -z "$OPENID_JWKS_ENDPOINT" ] || \
[ -z "$OPENID_ISSUER" ] || \
[ -z "$OPENID_CLIENT_ID" ] || \
[ -z "$OPENID_REDIRECT_URI" ]
then
cat <<END
FATAL: Missing required environment variables
-------------------------------------------------------------------------------
If using an openid authentication, you must provide each of the following
environment variables:
OPENID_AUTHORIZATION_ENDPOINT The authorization endpoint (URI) of the OpenID service.
OPENID_JWKS_ENDPOINT The endpoint (URI) of the JWKS service which defines
how received ID tokens (JSON Web Tokens or JWTs)
shall be validated.
OPENID_ISSUER The issuer to expect for all received ID tokens.
OPENID_CLIENT_ID The OpenID client ID which should be submitted
to the OpenID service when necessary.
This value is typically provided to you by the OpenID
service when OpenID credentials are generated for your application.
OPENID_REDIRECT_URI The URI that should be submitted to the OpenID service such that
they can redirect the authenticated user back to Guacamole after
the authentication process is complete. This must be the full URL
that a user would enter into their browser to access Guacamole.
END
exit 1;
fi
# Update config file
set_property "openid-authorization-endpoint" "$OPENID_AUTHORIZATION_ENDPOINT"
set_property "openid-jwks-endpoint" "$OPENID_JWKS_ENDPOINT"
set_property "openid-issuer" "$OPENID_ISSUER"
set_property "openid-client-id" "$OPENID_CLIENT_ID"
set_property "openid-redirect-uri" "$OPENID_REDIRECT_URI"
set_optional_property "openid-username-claim-type" "$OPENID_USERNAME_CLAIM_TYPE"
set_optional_property "openid-groups-claim-type" "$OPENID_GROUPS_CLAIM_TYPE"
set_optional_property "openid-scope" "$OPENID_SCOPE"
set_optional_property "openid-allowed-clock-skew" "$OPENID_ALLOWED_CLOCK_SKEW"
set_optional_property "openid-max-token-validity" "$OPENID_MAX_TOKEN_VALIDITY"
set_optional_property "openid-max-nonce-validity" "$OPENID_MAX_NONCE_VALIDITY"
# Add required .jar files to GUACAMOLE_EXT
# "1-{}" make it sorted as a first provider (only authentication)
# so it can work together with the database providers (authorization)
find /opt/guacamole/openid/ -name "*.jar" | awk -F/ '{print $NF}' | \
xargs -I '{}' ln -s "/opt/guacamole/openid/{}" "${GUACAMOLE_EXT}/1-{}"
}
##
## Adds properties to guacamole.properties which select the SAML
## authentication provider, and configure it to connect to the specified SAML
## provider.
##
associate_saml() {
# Verify required parameters are present
if [ -z "$SAML_IDP_METADATA_URL" ] && \
[ -z "$SAML_ENTITY_ID" -o -z "$SAML_CALLBACK_URL" -o -z "$SAML_IDP_URL" ]
then
cat <<END
FATAL: Missing required environment variables
-------------------------------------------------------------------------------
If using a SAML authentication, you must provide either SAML_IDP_METADATA_URL
or SAML_IDP_URL, SAML_ENTITY_ID and SAML_CALLBACK_URL environment variables:
SAML_IDP_METADATA_URL The URI of the XML metadata file that from the SAML Identity
Provider that contains all of the information the SAML
extension needs in order to know how to authenticate with
the IdP. This URI can either be a remote server (e.g. https://)
or a local file on the filesystem (e.g. file://).
SAML_IDP_URL The URL of the Identity Provider (IdP), which the user
will be redirected to in order to authenticate.
SAML_ENTITY_ID The entity ID of the Guacamole SAML client, which is
generally the URL of the Guacamole server.
SAML_CALLBACK_URL The URL that the IdP will use once authentication has
succeeded to return to the Guacamole web application and
provide the authentication details to the SAML extension.
END
exit 1;
fi
# Update config file
set_optional_property "saml-idp-metadata-url" "$SAML_IDP_METADATA_URL"
set_optional_property "saml-idp-url" "$SAML_IDP_URL"
set_optional_property "saml-entity-id" "$SAML_ENTITY_ID"
set_optional_property "saml-callback-url" "$SAML_CALLBACK_URL"
set_optional_property "saml-strict" "$SAML_STRICT"
set_optional_property "saml-debug" "$SAML_DEBUG"
set_optional_property "saml-compress-request" "$SAML_COMPRESS_REQUEST"
set_optional_property "saml-compress-response" "$SAML_COMPRESS_RESPONSE"
set_optional_property "saml-group-attribute" "$SAML_GROUP_ATTRIBUTE"
# Add required .jar files to GUACAMOLE_EXT
# "1-{}" make it sorted as a first provider (only authentication)
# so it can work together with the database providers (authorization)
find /opt/guacamole/saml/ -name "*.jar" | awk -F/ '{print $NF}' | \
xargs -I '{}' ln -s "/opt/guacamole/saml/{}" "${GUACAMOLE_EXT}/1-{}"
}
##
## Adds properties to guacamole.properties which configure the TOTP two-factor
## authentication mechanism.
##
associate_totp() {
# Update config file
set_optional_property "totp-issuer" "$TOTP_ISSUER"
set_optional_property "totp-digits" "$TOTP_DIGITS"
set_optional_property "totp-period" "$TOTP_PERIOD"
set_optional_property "totp-mode" "$TOTP_MODE"
# Add required .jar files to GUACAMOLE_EXT
ln -s /opt/guacamole/totp/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
##
## Adds properties to guacamole.properties which configure the Duo two-factor
## authentication service. Checks to see if all variables are defined and makes sure
## DUO_APPLICATION_KEY is >= 40 characters.
##
associate_duo() {
# Verify required parameters are present
if [ -z "$DUO_INTEGRATION_KEY" ] || \
[ -z "$DUO_SECRET_KEY" ] || \
[ ${#DUO_APPLICATION_KEY} -lt 40 ]
then
cat <<END
FATAL: Missing required environment variables
-------------------------------------------------------------------------------
If using the Duo authentication extension, you must provide each of the
following environment variables:
DUO_API_HOSTNAME The hostname of the Duo API endpoint.
DUO_INTEGRATION_KEY The integration key provided for Guacamole by Duo.
DUO_SECRET_KEY The secret key provided for Guacamole by Duo.
DUO_APPLICATION_KEY An arbitrary, random key.
This value must be at least 40 characters.
END
exit 1;
fi
# Update config file
set_property "duo-api-hostname" "$DUO_API_HOSTNAME"
set_property "duo-integration-key" "$DUO_INTEGRATION_KEY"
set_property "duo-secret-key" "$DUO_SECRET_KEY"
set_property "duo-application-key" "$DUO_APPLICATION_KEY"
# Add required .jar files to GUACAMOLE_EXT
ln -s /opt/guacamole/duo/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
##
## Adds properties to guacamole.properties which configure the header
## authentication provider.
##
associate_header() {
# Update config file
set_optional_property "http-auth-header" "$HTTP_AUTH_HEADER"
# Add required .jar files to GUACAMOLE_EXT
ln -s /opt/guacamole/header/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
##
## Adds properties to guacamole.properties witch configure the CAS
## authentication service.
##
associate_cas() {
# Verify required parameters are present
if [ -z "$CAS_AUTHORIZATION_ENDPOINT" ] || \
[ -z "$CAS_REDIRECT_URI" ]
then
cat <<END
FATAL: Missing required environment variables
-----------------------------------------------------------------------------------
If using the CAS authentication extension, you must provide each of the
following environment variables:
CAS_AUTHORIZATION_ENDPOINT The URL of the CAS authentication server.
CAS_REDIRECT_URI The URI to redirect back to upon successful authentication.
END
exit 1;
fi
# Update config file
set_property "cas-authorization-endpoint" "$CAS_AUTHORIZATION_ENDPOINT"
set_property "cas-redirect-uri" "$CAS_REDIRECT_URI"
set_optional_property "cas-clearpass-key" "$CAS_CLEARPASS_KEY"
set_optional_property "cas-group-attribute" "$CAS_GROUP_ATTRIBUTE"
set_optional_property "cas-group-format" "$CAS_GROUP_FORMAT"
set_optional_property "cas-group-ldap-base-dn" "$CAS_GROUP_LDAP_BASE_DN"
set_optional_property "cas-group-ldap-attribute" "$CAS_GROUP_LDAP_ATTRIBUTE"
# Add required .jar files to GUACAMOLE_EXT
ln -s /opt/guacamole/cas/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
##
## Adds properties to guacamole.properties which configure the json
## authentication provider.
##
associate_json() {
# Update config file
set_property "json-secret-key" "$JSON_SECRET_KEY"
set_optional_property "json-trusted-networks" "$JSON_TRUSTED_NETWORKS"
# Add required .jar files to GUACAMOLE_EXT
ln -s /opt/guacamole/json/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
##
## Sets up Tomcat's remote IP valve that allows gathering the remote IP
## from headers set by a remote proxy
## Upstream documentation: https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
##
enable_remote_ip_valve() {
# Add <Valve> element
xmlstarlet edit --inplace \
--insert '/Server/Service/Engine/Host/*' --type elem -n Valve \
--insert '/Server/Service/Engine/Host/Valve[not(@className)]' --type attr -n className -v org.apache.catalina.valves.RemoteIpValve \
$CATALINA_BASE/conf/server.xml
# Allowed IPs
if [ -z "$PROXY_ALLOWED_IPS_REGEX" ]; then
echo "Using default Tomcat allowed IPs regex"
else
xmlstarlet edit --inplace \
--insert '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.RemoteIpValve"]' \
--type attr -n internalProxies -v "$PROXY_ALLOWED_IPS_REGEX" \
$CATALINA_BASE/conf/server.xml
fi
# X-Forwarded-For
if [ -z "$PROXY_IP_HEADER" ]; then
echo "Using default Tomcat proxy IP header"
else
xmlstarlet edit --inplace \
--insert "/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']" \
--type attr -n remoteIpHeader -v "$PROXY_IP_HEADER" \
$CATALINA_BASE/conf/server.xml
fi
# X-Forwarded-Proto
if [ -z "$PROXY_PROTOCOL_HEADER" ]; then
echo "Using default Tomcat proxy protocol header"
else
xmlstarlet edit --inplace \
--insert "/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']" \
--type attr -n protocolHeader -v "$PROXY_PROTOCOL_HEADER" \
$CATALINA_BASE/conf/server.xml
fi
# X-Forwarded-By
if [ -z "$PROXY_BY_HEADER" ]; then
echo "Using default Tomcat proxy forwarded by header"
else
xmlstarlet edit --inplace \
--insert "/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']" \
--type attr -n remoteIpProxiesHeader -v "$PROXY_BY_HEADER" \
$CATALINA_BASE/conf/server.xml
fi
}
##
## Adds api-session-timeout to guacamole.properties
##
associate_apisessiontimeout() {
set_optional_property "api-session-timeout" "$API_SESSION_TIMEOUT"
}
##
## Starts Guacamole under Tomcat, replacing the current process with the
## Tomcat process. As the current process will be replaced, this MUST be the
## last function run within the script.
##
start_guacamole() {
# User-only writable CATALINA_BASE
export CATALINA_BASE=$HOME/tomcat
for dir in logs temp webapps work; do
mkdir -p $CATALINA_BASE/$dir
done
cp -R /usr/local/tomcat/conf $CATALINA_BASE
# Set up Tomcat RemoteIPValve
if [ "$REMOTE_IP_VALVE_ENABLED" = "true" ]; then
enable_remote_ip_valve
fi
# Install webapp
ln -sf /opt/guacamole/guacamole.war $CATALINA_BASE/webapps/${WEBAPP_CONTEXT:-guacamole}.war
# Start tomcat
cd /usr/local/tomcat
exec catalina.sh run
}
#
# Start with a fresh GUACAMOLE_HOME
#
rm -Rf "$GUACAMOLE_HOME"
#
# Copy contents of provided GUACAMOLE_HOME template, if any
#
if [ -n "$GUACAMOLE_HOME_TEMPLATE" ]; then
cp -a "$GUACAMOLE_HOME_TEMPLATE/." "$GUACAMOLE_HOME/"
fi
#
# Create and define Guacamole lib and extensions directories
#
mkdir -p "$GUACAMOLE_EXT"
mkdir -p "$GUACAMOLE_LIB"
#
# Point to associated guacd
#
# Use linked container for guacd if specified
if [ -n "$GUACD_NAME" ]; then
GUACD_HOSTNAME="$GUACD_PORT_4822_TCP_ADDR"
GUACD_PORT="$GUACD_PORT_4822_TCP_PORT"
fi
# Use default guacd port if none specified
GUACD_PORT="${GUACD_PORT-4822}"
# Verify required guacd connection information is present
if [ -z "$GUACD_HOSTNAME" -o -z "$GUACD_PORT" ]; then
cat <<END
FATAL: Missing GUACD_HOSTNAME or "guacd" link.
-------------------------------------------------------------------------------
Every Guacamole instance needs a corresponding copy of guacd running. To
provide this, you must either:
(a) Explicitly link that container with the link named "guacd".
(b) If not using a Docker container for guacd, explicitly specify the TCP
connection information using the following environment variables:
GUACD_HOSTNAME The hostname or IP address of guacd. If not using a guacd
Docker container and corresponding link, this environment
variable is *REQUIRED*.
GUACD_PORT The port on which guacd is listening for TCP connections.
This environment variable is optional. If omitted, the
standard guacd port of 4822 will be used.
END
exit 1;
fi
# Update config file
set_property "guacd-hostname" "$GUACD_HOSTNAME"
set_property "guacd-port" "$GUACD_PORT"
# A comma-separated list of the identifiers of authentication providers that
# should be allowed to fail internally without aborting the authentication process
set_optional_property "skip-if-unavailable" "$SKIP_IF_UNAVAILABLE"
#
# Track which authentication backends are installed
#
INSTALLED_AUTH=""
# Use MySQL if database specified
if [ -n "$MYSQL_DATABASE" -o -n "$MYSQL_DATABASE_FILE" ]; then
associate_mysql
INSTALLED_AUTH="$INSTALLED_AUTH mysql"
fi
# Use PostgreSQL if database specified
if [ -n "$POSTGRESQL_DATABASE" -o -n "$POSTGRESQL_DATABASE_FILE" ]; then
associate_postgresql
INSTALLED_AUTH="$INSTALLED_AUTH postgresql"
fi
# Use SQLServer if database specified
if [ -n "$SQLSERVER_DATABASE" -o -n "$SQLSERVER_DATABASE_FILE" ]; then
associate_sqlserver
INSTALLED_AUTH="$INSTALLED_AUTH sqlserver"
fi
# Use LDAP directory if specified
if [ -n "$LDAP_HOSTNAME" ]; then
associate_ldap
INSTALLED_AUTH="$INSTALLED_AUTH ldap"
fi
# Use RADIUS server if specified
if [ -n "$RADIUS_SHARED_SECRET" ]; then
associate_radius
INSTALLED_AUTH="$INSTALLED_AUTH radius"
fi
# Use OPENID if specified
if [ -n "$OPENID_AUTHORIZATION_ENDPOINT" ]; then
associate_openid
INSTALLED_AUTH="$INSTALLED_AUTH openid"
fi
# Use SAML if specified
if [ -n "$SAML_IDP_METADATA_URL" ] || [ -n "$SAML_ENTITY_ID" -a -n "$SAML_CALLBACK_URL" ]; then
associate_saml
INSTALLED_AUTH="$INSTALLED_AUTH saml"
fi
# Use TOTP if specified.
if [ "$TOTP_ENABLED" = "true" ]; then
associate_totp
fi
# Use Duo if specified.
if [ -n "$DUO_API_HOSTNAME" ]; then
associate_duo
fi
# Use header if specified.
if [ "$HEADER_ENABLED" = "true" ]; then
associate_header
fi
# Use CAS if specified.
if [ -n "$CAS_AUTHORIZATION_ENDPOINT" ]; then
associate_cas
fi
# Use json-auth if specified.
if [ -n "$JSON_SECRET_KEY" ]; then
associate_json
INSTALLED_AUTH="$INSTALLED_AUTH json"
fi
#
# Validate that at least one authentication backend is installed
#
if [ -z "$INSTALLED_AUTH" -a -z "$GUACAMOLE_HOME_TEMPLATE" ]; then
cat <<END
FATAL: No authentication configured
-------------------------------------------------------------------------------
The Guacamole Docker container needs at least one authentication mechanism in
order to function, such as a MySQL database, PostgreSQL database, SQLServer
database, LDAP directory or RADIUS server. Please specify at least the
MYSQL_DATABASE or POSTGRESQL_DATABASE or SQLSERVER_DATABASE environment variables,
or check Guacamole's Docker documentation regarding configuring LDAP and/or
custom extensions.
END
exit 1;
fi
# Set extension priority if specified
set_optional_property "extension-priority" "$EXTENSION_PRIORITY"
# Use api-session-timeout if specified.
if [ -n "$API_SESSION_TIMEOUT" ]; then
associate_apisessiontimeout
fi
# Maximum number of bytes to accept within the entity body of any particular HTTP request
set_optional_property "api-max-request-size" "$API_MAX_REQUEST_SIZE"
# A comma-separated list of language keys to allow as display language
# choices within the Guacamole interface
set_optional_property "allowed-languages" "$ALLOWED_LANGUAGES"
# If set to “true”, Guacamole will first evaluate its environment to obtain the value
# for any given configuration property, before using a value specified in
# guacamole.properties or falling back to a default value
set_optional_property "enable-environment-properties" "$ENABLE_ENVIRONMENT_PROPERTIES"
# Apply any overrides for default address ban behavior
set_optional_property "ban-address-duration" "$BAN_ADDRESS_DURATION"
set_optional_property "ban-max-addresses" "$BAN_MAX_ADDRESSES"
set_optional_property "ban-max-invalid-attempts" "$BAN_MAX_INVALID_ATTEMPTS"
# Always load guacamole-auth-ban extension (automatic banning can be disabled
# through seting BAN_ADDRESS_DURATION to 0). As guacamole-auth-ban performs
# its banning by handling a pre-authentication event, it is guaranteed to
# perform its checks before all other auth processing and load order does not
# matter.
ln -s /opt/guacamole/ban/guacamole-auth-*.jar "$GUACAMOLE_EXT"
# Set logback level if specified
if [ -n "$LOGBACK_LEVEL" ]; then
unzip -o -j /opt/guacamole/guacamole.war WEB-INF/classes/logback.xml -d $GUACAMOLE_HOME
sed -i "s/level=\"info\"/level=\"$LOGBACK_LEVEL\"/" $GUACAMOLE_HOME/logback.xml
fi
#
# Finally start Guacamole (under Tomcat)
#
start_guacamole