We installed Perforce Helix Authentication Service and Extension following this guide.
We installed everything on the same box that runs p4d, Swarm and Jenkins.
We created and populated background and corp-sso groups in p4admin to control which users are prompted to authenticate against our IdP.
curl -sL https://deb.nodesource.com/setup_14.x | sudo -E bash
sudo apt-get install nodejs
We installed the HAS service with apt-get.
sudo apt-get install helix-auth-svc
This software won't currently function behind a reverse proxy, so we simply created and host a welcome page so that certbot can create and refresh the certificate.
Create a vhost apache config at /etc/apache2/sites-available/has-site.conf
<VirtualHost *:80>
ServerName has.domain.com
DocumentRoot /var/www/html
DirectoryIndex welcome.html
ErrorLog "/var/log/apache2/has.error_log"
CustomLog "/var/log/apache2/has.access_log" common
</VirtualHost>
Don't forget to make a sites-enabled symlink and reload Apache.
cd /etc/apache2/sites-enabled
ln -s ../sites-available/has-site.conf .
sudo systemctl reload apache2
We've already installed Let's Encrypt's certbot, so now run it for the new vhost.
sudo certbot --apache -d has.domain.com
We configured the OAuth consent screen and created credentials in a project on GCP.
Take note of the Client ID and Client secret, and add these Authorized redirect URIs.
https://has.domain.com:3000/
https://has.domain.com:3000/oidc/callback
This NodeJS service runs as root (which is a bit sketch), but this allows us to point directly to the real certificate and private key maintained by certbot.
sudo /opt/perforce/helix-auth-svc/bin/configure-auth-service.sh
cat /opt/perforce/helix-auth-svc/.env
> A_CERT_FILE='certs/ca.crt'
> SP_CERT_FILE='/etc/letsencrypt/live/has.domain.com/fullchain.pem'
> SP_KEY_FILE='/etc/letsencrypt/live/has.domain.com/privkey.pem'
> LOGGING=/opt/perforce/helix-auth-svc/logging.config.js
> DEFAULT_PROTOCOL=oidc
> SVC_BASE_URI=https://has.domain.com:3000/
> OIDC_ISSUER_URI=https://accounts.google.com
> OIDC_CLIENT_ID=123456789012-abcdefghijklmnopqrstuvwxyz123456.apps.googleusercontent.com
> OIDC_CLIENT_SECRET_FILE=client-secret.txt
If the service won't start, restart it and tail the syslog to see why.
sudo systemctl restart helix-auth
tail -f /var/log/syslog
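Most "won't start" cases we hit at this point come from the .env file: a path that certbot's renewal moved, a secret file the service can't read, or an SVC_BASE_URI that doesn't match what the IdP has on its redirect list. The script below is an added pre-flight check, not part of the original post and not Perforce's code. It only knows the variable names visible in the .env dump above (SVC_BASE_URI, SP_CERT_FILE, SP_KEY_FILE, DEFAULT_PROTOCOL, OIDC_*); taking the install directory as an argument to resolve relative paths such as 'certs/ca.crt' and 'client-secret.txt' is this script's own assumption, not documented HAS behaviour.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Perforce): sanity-check the
# HAS .env before "systemctl restart helix-auth". Assumes the variable names in
# the post's .env dump; relative paths are resolved against INSTALL_DIR (assumption).

# Print the value of KEY from FILE, stripping surrounding quotes; exit 1 if absent.
# Usage: has_env_get FILE KEY
has_env_get() {
    local line
    line=$(grep -E "^$2=" "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    line=${line#*=}
    line=${line#\'}; line=${line%\'}
    line=${line#\"}; line=${line%\"}
    printf '%s\n' "$line"
}

# Resolve PATH against INSTALL_DIR unless it is already absolute.
# Usage: has_resolve INSTALL_DIR PATH
has_resolve() {
    case $2 in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s\n' "$1/$2" ;;
    esac
}

# True if FILE has the "other read" mode bit set. Mode bits only, so the answer
# is the same whether the check runs as root or as an unprivileged user.
has_world_readable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -o+r 2>/dev/null)" ]
}

# Check one .env file. Prints INFO/FAIL lines and returns the number of FAILs,
# so a zero exit status means nothing was found.
# Usage: check_has_env INSTALL_DIR ENV_FILE
check_has_env() {
    local dir=$1 env=$2 fails=0 key v f
    _fail() { printf 'FAIL: %s\n' "$1"; fails=$((fails + 1)); }

    # 1. Service URL: https, trailing '/', and it fixes the callback the IdP must allow.
    v=$(has_env_get "$env" SVC_BASE_URI) || v=
    case $v in
        https://*/) printf 'INFO: IdP redirect URI must include %soidc/callback\n' "$v" ;;
        https://*)  _fail "SVC_BASE_URI should end with '/': $v" ;;
        *)          _fail "SVC_BASE_URI must be an https:// URL (got '${v:-unset}')" ;;
    esac

    # 2. TLS material the service presents; the key must exist and stay private.
    for key in SP_CERT_FILE SP_KEY_FILE; do
        if f=$(has_env_get "$env" "$key"); then
            f=$(has_resolve "$dir" "$f")
            [ -r "$f" ] || _fail "$key is not readable: $f"
        else
            _fail "$key is not set"
        fi
    done
    if f=$(has_env_get "$env" SP_KEY_FILE) && has_world_readable "$(has_resolve "$dir" "$f")"; then
        _fail "SP_KEY_FILE is world-readable: $f"
    fi

    # 3. OIDC settings, only when that is the protocol in use.
    if [ "$(has_env_get "$env" DEFAULT_PROTOCOL)" = oidc ]; then
        v=$(has_env_get "$env" OIDC_ISSUER_URI) || v=
        case $v in https://*) ;; *) _fail "OIDC_ISSUER_URI must be https:// (got '${v:-unset}')" ;; esac
        has_env_get "$env" OIDC_CLIENT_ID >/dev/null || _fail "OIDC_CLIENT_ID is not set"
        if f=$(has_env_get "$env" OIDC_CLIENT_SECRET_FILE); then
            f=$(has_resolve "$dir" "$f")
            [ -r "$f" ] || _fail "OIDC_CLIENT_SECRET_FILE is not readable: $f"
            ! has_world_readable "$f" || _fail "OIDC_CLIENT_SECRET_FILE is world-readable: $f"
        else
            _fail "OIDC_CLIENT_SECRET_FILE is not set"
        fi
    fi
    return "$fails"
}

# Run only when given an install directory, e.g.
#   sudo bash has-preflight.sh /opt/perforce/helix-auth-svc
if [ "$#" -gt 0 ]; then
    check_has_env "$1" "${2:-$1/.env}"
fi
```

Run it as root (the key and secret are only readable by root on our box) and fix every FAIL before restarting the service; the INFO line is the exact callback that has to be on the GCP redirect-URI list, which is where a trailing-slash mismatch usually shows up.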
Download and extract HAE using the following commands:
wget https://github.com/perforce/helix-authentication-extension/archive/2020.2.zip
sudo apt-get install -y unzip
unzip 2020.2.zip
To install the extension:
cd helix-authentication-extension-2020.2/
p4 extension --package loginhook
p4 configure set server.extensions.allow.unsigned=1
p4 extension --install loginhook.p4-extension -y
To configure the extension, use tabs as described here:
p4 extension --configure Auth::loginhook
> ExtP4USER: admin
> Auth-Protocol: oidc
> Service-URL: https://has.domain.com:3000/
To configure the instance, use tabs as described here:
p4 extension --configure Auth::loginhook --name Auth::loginhook-all
> enable-logging: true
> name-identifier: email
> non-sso-groups: background
> non-sso-users:
> sso-groups: corp-sso
> sso-users:
> user-identifier: email
Finally, restart Helix Core:
sudo -u perforce p4dctl restart -a
If things go badly, you can remove the extension.
p4 extension --list --type=extensions
p4 extension --delete Auth::loginhook --yes
sudo -u perforce p4dctl restart -a