From 0f31028565a539c25a9a67d72b4901db024506e1 Mon Sep 17 00:00:00 2001
From: Joern Lentes <joern.lentes@web.de>
Date: Fri, 21 Dec 2018 11:15:25 +0100
Subject: [PATCH 1/5] GUACAMOLE-682: add option to include RADIUS
 authentication in docker

To include library for RADIUS authentication in the docker image the
build needs to activate the maven profile "lgpl-extentions" and copy
the library into the image.
The docker start script needs to pass through settings and link the
library to GUACAMOLE_HOME.
---
 guacamole-docker/bin/build-guacamole.sh | 15 +++-
 guacamole-docker/bin/start.sh           | 96 +++++++++++++++++++++++--
 2 files changed, 106 insertions(+), 5 deletions(-)

diff --git a/guacamole-docker/bin/build-guacamole.sh b/guacamole-docker/bin/build-guacamole.sh
index 79115df41..1f4ab7798 100755
--- a/guacamole-docker/bin/build-guacamole.sh
+++ b/guacamole-docker/bin/build-guacamole.sh
@@ -53,7 +53,12 @@ mkdir -p "$DESTINATION"
 #
 
 cd "$BUILD_DIR"
-mvn package
+
+if [ -z "$BUILD_PROFILE" ]; then
+  mvn package
+else
+  mvn -P "$BUILD_PROFILE" package
+fi
 
 #
 # Copy guacamole.war to destination
@@ -107,3 +112,11 @@ tar -xzf extensions/guacamole-auth-ldap/target/*.tar.gz \
     "*.jar"                                             \
     "*.ldif"
 
+#
+# Copy Radius auth extension if it was build
+#
+
+if [[ "$BUILD_PROFILE ~= "lgpl-extentions" ]]; then
+  mkdir -p "$DESTINATION/radius"
+  cp extensions/guacamole-auth-radius/target/guacamole-auth-radius*.jar "$DESTINATION/radius"
+fi
diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh
index 1fbcc8581..8fb3bc108 100755
--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
@@ -322,6 +322,88 @@ END
 
 }
 
+##
+## Adds properties to guacamole.properties which select the LDAP
+## authentication provider, and configure it to connect to the specified LDAP
+## directory.
+##
+associate_radius() {
+
+    # Verify required parameters are present
+    if [ -z "$RADIUS_SHARED_SECRET" -o -z "$RADIUS_AUTH_PROTOCOL" ]; then
+        cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using RADIUS server, you must provide each of the following environment
+variables:
+
+    RADIUS_SHARED_SECRET   The shared secret to use when talking to the 
+                           RADIUS server.
+
+    RADIUS_AUTH_PROTOCOL   The authentication protocol to use when talking 
+                           to the RADIUS server.
+                           Supported values are: 
+                             pap, chap, mschapv1, mschapv2, eap-md5, 
+                             eap-tls and eap-ttls.
+END
+        exit 1;
+    fi
+
+    # Verify provided files do exist and are readable
+    if [ -n "$RADIUS_KEY_FILE" -a ! -r "$RADIUS_KEY_FILE" ]; then
+       cat <<END
+FATAL: Provided file RADIUS_KEY_FILE=$RADIUS_KEY_FILE does not exist 
+       or is not readable!
+-------------------------------------------------------------------------------
+If you provide key or CA files you need to mount those into the container and
+make sure they are readable for the user in the container.
+END
+        exit 1;
+    fi
+    if [ -n "$RADIUS_CA_FILE" -a ! -r "$RADIUS_CA_FILE" ]; then
+       cat <<END
+FATAL: Provided file RADIUS_CA_FILE=$RADIUS_CA_FILE does not exist 
+       or is not readable!
+-------------------------------------------------------------------------------
+If you provide key or CA files you need to mount those into the container and
+make sure they are readable for the user in the container.
+END
+        exit 1;
+    fi
+    if [ $RADIUS_AUTH_PROTOCOL == "eap-ttls" -a -z "$RADIUS_EAP_TTLS_INNER_PROTOCOL" ]; then
+       cat <<END
+FATAL: Authentication protocol "eap-ttls" specified but
+       RADIUS_EAP_TTLS_INNER_PROTOCOL is not set!
+-------------------------------------------------------------------------------
+When EAP-TTLS is used, this parameter specifies the inner (tunneled)
+protocol to use talking to the RADIUS server.
+END
+        exit 1;
+    fi
+
+    # Update config file
+    set_optional_property "radius-hostname"         "$RADIUS_HOSTNAME"
+    set_optional_property "radius-auth-port"        "$RADIUS_AUTH_PORT"
+    set_property          "radius-shared-secret"    "$RADIUS_SHARED_SECRET"
+    set_property          "radius-auth-protocol"    "$RADIUS_AUTH_PROTOCOL"
+    set_optional_property "radius-key-file"         "$RADIUS_KEY_FILE"
+    set_optional_property "radius-key-type"         "$RADIUS_KEY_TYPE"
+    set_optional_property "radius-key-password"     "$RADIUS_KEY_PASSWORD"
+    set_optional_property "radius-ca-file"          "$RADIUS_CA_FILE"
+    set_optional_property "radius-ca-type"          "$RADIUS_CA_TYPE"
+    set_optional_property "radius-ca-password"      "$RADIUS_CA_PASSWORD"
+    set_optional_property "radius-trust-all"        "$RADIUS_TRUST_ALL"
+    set_optional_property "radius-retries"          "$RADIUS_RETRIES"
+    set_optional_property "radius-timeout"          "$RADIUS_TIMEOUT"
+
+    set_optional_property \
+       "radius-eap-ttls-inner-protocol" \
+       "$RADIUS_EAP_TTLS_INNER_PROTOCOL"
+
+    # Add required .jar files to GUACAMOLE_EXT
+    ln -s /opt/guacamole/radius/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+}
+
 ##
 ## Starts Guacamole under Tomcat, replacing the current process with the
 ## Tomcat process. As the current process will be replaced, this MUST be the
@@ -424,6 +506,12 @@ if [ -n "$LDAP_HOSTNAME" ]; then
     INSTALLED_AUTH="$INSTALLED_AUTH ldap"
 fi
 
+# Use RADIUS server if specified
+if [ -n "$RADIUS_SHARED_SECRET" ]; then
+    associate_radius
+    INSTALLED_AUTH="$INSTALLED_AUTH radius"
+fi
+
 #
 # Validate that at least one authentication backend is installed
 #
@@ -433,10 +521,10 @@ if [ -z "$INSTALLED_AUTH" -a -z "$GUACAMOLE_HOME_TEMPLATE" ]; then
 FATAL: No authentication configured
 -------------------------------------------------------------------------------
 The Guacamole Docker container needs at least one authentication mechanism in
-order to function, such as a MySQL database, PostgreSQL database, or LDAP
-directory.  Please specify at least the MYSQL_DATABASE or POSTGRES_DATABASE
-environment variables, or check Guacamole's Docker documentation regarding
-configuring LDAP and/or custom extensions.
+order to function, such as a MySQL database, PostgreSQL database, LDAP
+directory or RADIUS server. Please specify at least the MYSQL_DATABASE or 
+POSTGRES_DATABASE environment variables, or check Guacamole's Docker 
+documentation regarding configuring LDAP and/or custom extensions.
 END
     exit 1;
 fi

From 95611f2d936e2434829209ad6caa5f9b4a586efa Mon Sep 17 00:00:00 2001
From: Joern Lentes <joern.lentes@web.de>
Date: Fri, 21 Dec 2018 14:50:46 +0100
Subject: [PATCH 2/5] GUACAMOLE-682: fix env variable passing

---
 Dockerfile                              | 4 +++-
 guacamole-docker/bin/build-guacamole.sh | 3 ++-
 guacamole-docker/bin/start.sh           | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 7eefcc809..8c12c750b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,6 +30,8 @@ ARG TOMCAT_JRE=jre8
 # Use official maven image for the build
 FROM maven:3-jdk-8 AS builder
 
+ARG BUILD_PROFILE
+
 # Build environment variables
 ENV \
     BUILD_DIR=/tmp/guacamole-docker-BUILD
@@ -41,7 +43,7 @@ COPY guacamole-docker/bin/ /opt/guacamole/bin/
 COPY . "$BUILD_DIR"
 
 # Run the build itself
-RUN /opt/guacamole/bin/build-guacamole.sh "$BUILD_DIR" /opt/guacamole
+RUN /opt/guacamole/bin/build-guacamole.sh "$BUILD_DIR" /opt/guacamole "$BUILD_PROFILE"
 
 # For the runtime image, we start with the official Tomcat distribution
 FROM tomcat:${TOMCAT_VERSION}-${TOMCAT_JRE}
diff --git a/guacamole-docker/bin/build-guacamole.sh b/guacamole-docker/bin/build-guacamole.sh
index 1f4ab7798..acb1d3f21 100755
--- a/guacamole-docker/bin/build-guacamole.sh
+++ b/guacamole-docker/bin/build-guacamole.sh
@@ -41,6 +41,7 @@
 
 BUILD_DIR="$1"
 DESTINATION="$2"
+BUILD_PROFILE="$3"
 
 #
 # Create destination, if it does not yet exist
@@ -116,7 +117,7 @@ tar -xzf extensions/guacamole-auth-ldap/target/*.tar.gz \
 # Copy Radius auth extension if it was build
 #
 
-if [[ "$BUILD_PROFILE ~= "lgpl-extentions" ]]; then
+if [ -f extensions/guacamole-auth-radius/target/guacamole-auth-radius*.jar ]; then
   mkdir -p "$DESTINATION/radius"
   cp extensions/guacamole-auth-radius/target/guacamole-auth-radius*.jar "$DESTINATION/radius"
 fi
diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh
index 8fb3bc108..0732283a7 100755
--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
@@ -370,7 +370,7 @@ make sure they are readable for the user in the container.
 END
         exit 1;
     fi
-    if [ $RADIUS_AUTH_PROTOCOL == "eap-ttls" -a -z "$RADIUS_EAP_TTLS_INNER_PROTOCOL" ]; then
+    if [ "$RADIUS_AUTH_PROTOCOL" == "eap-ttls" -a -z "$RADIUS_EAP_TTLS_INNER_PROTOCOL" ]; then
        cat <<END
 FATAL: Authentication protocol "eap-ttls" specified but
        RADIUS_EAP_TTLS_INNER_PROTOCOL is not set!

From 2e98f6f8a0153d8a3c9f24c8dbb0658acd085b6d Mon Sep 17 00:00:00 2001
From: Joern Lentes <joern.lentes@web.de>
Date: Fri, 21 Dec 2018 15:04:28 +0100
Subject: [PATCH 3/5] GUACAMOLE-682: added comment with example to build with
 RADIUS

---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 8c12c750b..0943dc3bc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,6 +30,8 @@ ARG TOMCAT_JRE=jre8
 # Use official maven image for the build
 FROM maven:3-jdk-8 AS builder
 
+# Use args to build radius auth extension such as
+# `--build-arg BUILD_PROFILE=lgpl-extensions`
 ARG BUILD_PROFILE
 
 # Build environment variables

From 516dbfd5c7f8eca91c93f63b81bb5773d4a21d08 Mon Sep 17 00:00:00 2001
From: Joern Lentes <joern.lentes@web.de>
Date: Sat, 22 Dec 2018 09:58:27 +0100
Subject: [PATCH 4/5] GUACAMOLE-682: adapted indent to be consistent

---
 guacamole-docker/bin/build-guacamole.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/guacamole-docker/bin/build-guacamole.sh b/guacamole-docker/bin/build-guacamole.sh
index acb1d3f21..c0c75974a 100755
--- a/guacamole-docker/bin/build-guacamole.sh
+++ b/guacamole-docker/bin/build-guacamole.sh
@@ -56,9 +56,9 @@ mkdir -p "$DESTINATION"
 cd "$BUILD_DIR"
 
 if [ -z "$BUILD_PROFILE" ]; then
-  mvn package
+    mvn package
 else
-  mvn -P "$BUILD_PROFILE" package
+    mvn -P "$BUILD_PROFILE" package
 fi
 
 #
@@ -118,6 +118,6 @@ tar -xzf extensions/guacamole-auth-ldap/target/*.tar.gz \
 #
 
 if [ -f extensions/guacamole-auth-radius/target/guacamole-auth-radius*.jar ]; then
-  mkdir -p "$DESTINATION/radius"
-  cp extensions/guacamole-auth-radius/target/guacamole-auth-radius*.jar "$DESTINATION/radius"
+    mkdir -p "$DESTINATION/radius"
+    cp extensions/guacamole-auth-radius/target/guacamole-auth-radius*.jar "$DESTINATION/radius"
 fi

From 5fb537b707a3797113ed8233155e12bde4dbd64c Mon Sep 17 00:00:00 2001
From: Joern Lentes <joern.lentes@web.de>
Date: Sun, 23 Dec 2018 22:09:55 +0100
Subject: [PATCH 5/5] GUACAMOLE-682: added parameter documentation

---
 guacamole-docker/bin/build-guacamole.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/guacamole-docker/bin/build-guacamole.sh b/guacamole-docker/bin/build-guacamole.sh
index c0c75974a..f72fb673d 100755
--- a/guacamole-docker/bin/build-guacamole.sh
+++ b/guacamole-docker/bin/build-guacamole.sh
@@ -38,6 +38,11 @@
 ##     subdirectories within this directory, and files will thus be grouped by
 ##     extension type.
 ##
+## @param BUILD_PROFILE
+##     The build profile that will be passed to Maven build process. Defaults
+##     to empty string. Can be set to "lgpl-extensions" to e.g. include
+##     RADIUS authentication extension.
+##
 
 BUILD_DIR="$1"
 DESTINATION="$2"