diff --git a/accounts/pkg/flagset/flagset.go b/accounts/pkg/flagset/flagset.go
index b58bcce547..e4f90896ab 100644
--- a/accounts/pkg/flagset/flagset.go
+++ b/accounts/pkg/flagset/flagset.go
@@ -137,7 +137,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Used to create JWT to talk to reva, should equal reva's jwt-secret",
- EnvVars: []string{"ACCOUNTS_JWT_SECRET"},
+ EnvVars: []string{"ACCOUNTS_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.TokenManager.JWTSecret,
 },
 &cli.StringFlag{
@@ -172,7 +172,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "storage-cs3-jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Used to create JWT to talk to reva, should equal reva's jwt-secret",
- EnvVars: []string{"ACCOUNTS_STORAGE_CS3_JWT_SECRET"},
+ EnvVars: []string{"ACCOUNTS_STORAGE_CS3_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.Repo.CS3.JWTSecret,
 },
 &cli.StringFlag{
diff --git a/accounts/pkg/service/v0/service.go b/accounts/pkg/service/v0/service.go
index cb74008c52..a0d882dc18 100644
--- a/accounts/pkg/service/v0/service.go
+++ b/accounts/pkg/service/v0/service.go
@@ -268,6 +268,12 @@ func (s Service) createDefaultAccounts() (err error) {
 },
 }
 for i := range accounts {
+ a := &proto.Account{}
+ err := s.repo.LoadAccount(context.Background(), accounts[i].Id, a)
+ if !storage.IsNotFoundErr(err) {
+ continue // account already exists -> do not overwrite
+ }
+
 if err := s.repo.WriteAccount(context.Background(), &accounts[i]); err != nil {
 return err
 }
@@ -360,6 +366,12 @@ func (s Service) createDefaultGroups() (err error) {
 }},
 }
 for i := range groups {
+ g := &proto.Group{}
+ err := s.repo.LoadGroup(context.Background(), groups[i].Id, g)
+ if !storage.IsNotFoundErr(err) {
+ continue // group already exists -> do not overwrite
+ }
+
 if err := s.repo.WriteGroup(context.Background(), &groups[i]); err != nil {
 return err
 }
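Review bot: Nothing records which variable wins when both `ACCOUNTS_JWT_SECRET` and the new `OCIS_JWT_SECRET` are set, and the hard-coded `Value: "Pive-Fumkiu4"` still applies when neither is. The cli library consults EnvVars in order, so a stale service-specific variable silently overrides the shared one and the services then sign and verify JWTs with different secrets, which surfaces only as authorization failures between services. A one-line comment above the flag would make the precedence explicit: `// OCIS_JWT_SECRET is the shared fallback; the service-specific variable wins when both are set`. The same applies to the `storage-cs3-jwt-secret` hunk in this file and to the ocs, proxy, settings and storage flagset hunks further down.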
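Review bot: The new `if !storage.IsNotFoundErr(err) { continue }` in createDefaultAccounts treats every non-NotFound outcome, including a real storage failure from `LoadAccount`, as "account already exists" and skips the write silently, so a broken repository leaves the default accounts missing without any error being reported. Assuming `LoadAccount` returns nil when the account exists, the three cases should be separated: `if err == nil { continue // already exists }` followed by `if !storage.IsNotFoundErr(err) { return err }`. The `err :=` in the loop also shadows the named result `err`, which is easy to misread; naming it `loadErr` or using the guard above avoids that. createDefaultGroups further down in this file has the identical pattern; both function bodies continue outside their hunks.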
diff --git a/deployments/examples/cs3_users_ocis/.env b/deployments/examples/cs3_users_ocis/.env index 016f879e48..b1ceeece47 100644 --- a/deployments/examples/cs3_users_ocis/.env +++ b/deployments/examples/cs3_users_ocis/.env @@ -17,6 +17,8 @@ TRAEFIK_ACME_MAIL= OCIS_DOCKER_TAG= # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test" OCIS_DOMAIN= +# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" +OCIS_JWT_SECRET= ### LDAP server settings ### diff --git a/deployments/examples/cs3_users_ocis/docker-compose.yml b/deployments/examples/cs3_users_ocis/docker-compose.yml index 2bcadb0ab2..0b31dbca78 100644 --- a/deployments/examples/cs3_users_ocis/docker-compose.yml +++ b/deployments/examples/cs3_users_ocis/docker-compose.yml @@ -51,14 +51,14 @@ services: environment: # CS3 users from ldap specific configuration PROXY_CONFIG_FILE: "/config/proxy-config.json" - LDAP_FILTER: "(&(objectclass=inetOrgPerson)(objectClass=owncloud))" - LDAP_URI: ldap://ldap-server:389 - LDAP_BINDDN: "cn=admin,dc=owncloud,dc=com" - LDAP_BINDPW: ${LDAP_ADMIN_PASSWORD:-admin} - LDAP_BASEDN: "dc=owncloud,dc=com" - LDAP_LOGIN_ATTRIBUTE: uid - LDAP_UUID_ATTRIBUTE: "ownclouduuid" - LDAP_UUID_ATTRIBUTE_TYPE: binary + IDP_LDAP_FILTER: "(&(objectclass=inetOrgPerson)(objectClass=owncloud))" + IDP_LDAP_URI: ldap://ldap-server:389 + IDP_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com" + IDP_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} + IDP_LDAP_BASE_DN: "dc=owncloud,dc=com" + IDP_LDAP_LOGIN_ATTRIBUTE: uid + IDP_LDAP_UUID_ATTRIBUTE: "ownclouduuid" + IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary PROXY_ACCOUNT_BACKEND_TYPE: cs3 STORAGE_LDAP_HOSTNAME: ldap-server STORAGE_LDAP_PORT: 636 
@@ -74,6 +74,8 @@ services: OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates + # change default secrets + OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4} volumes: - ./config/ocis/proxy-config.json:/config/proxy-config.json - ocis-data:/var/tmp/ocis diff --git a/deployments/examples/ocis_keycloak/.env b/deployments/examples/ocis_keycloak/.env index e21b3d4d57..4ca629463b 100644 --- a/deployments/examples/ocis_keycloak/.env +++ b/deployments/examples/ocis_keycloak/.env @@ -19,6 +19,12 @@ OCIS_DOCKER_TAG= OCIS_DOMAIN= # owncloud Web openid connect client id. Defaults to "web" OCIS_OIDC_CLIENT_ID= +# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp". +IDP_LDAP_BIND_PASSWORD= +# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva". +STORAGE_LDAP_BIND_PASSWORD= +# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" +OCIS_JWT_SECRET= ### Keycloak ### # Domain of Keycloak, where you can find the managment and authentication frontend. Defaults to "keycloak.owncloud.test" diff --git a/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh new file mode 100644 index 0000000000..9e0a524ac1 --- /dev/null +++ b/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh 
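Review bot: `OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}` reads a host variable the accompanying `.env` file never defines — that file adds `OCIS_JWT_SECRET=` — so a value the operator sets there is never passed into the container and the deployment keeps running on the published default secret. The substitution should use the name the `.env` file documents: `OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}`. The ocis_keycloak and ocis_traefik docker-compose hunks below carry the same line.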
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -evx
+
+ocis server&
+sleep 10
+
+echo "##################################################"
+echo "change default secrets:"
+
+# IDP
+IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo " IDP user UUID: $IDP_USER_UUID"
+ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID
+
+# REVA
+REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo " Reva user UUID: $REVA_USER_UUID"
+ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID
+
+killall ocis
+echo "default secrets changed"
+echo "##################################################"
+
+ocis server
diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml
index 86babb4848..634c81d9ec 100644
--- a/deployments/examples/ocis_keycloak/docker-compose.yml
+++ b/deployments/examples/ocis_keycloak/docker-compose.yml
@@ -47,6 +47,9 @@ services:
 image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
 networks:
 ocis-net:
+ entrypoint:
+ - /bin/sh
+ - /entrypoint-override.sh
 environment:
 # Keycloak IDP specific configuration
 PROXY_AUTOPROVISION_ACCOUNTS: "true"
@@ -60,7 +63,12 @@ services:
 OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
 PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
+ # change default secrets
+ IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
+ STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
+ OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
 volumes:
+ - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ocis-data:/var/tmp/ocis
 labels:
 - "traefik.enable=true"
diff --git a/deployments/examples/ocis_traefik/.env b/deployments/examples/ocis_traefik/.env
index 132b2c6b7c..a93b12e07c 100644
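Review bot: `set -evx` makes the shell echo every command before running it, so the two `ocis accounts update --password ...` lines write `$IDP_LDAP_BIND_PASSWORD` and `$STORAGE_LDAP_BIND_PASSWORD` to the container's stdout and from there into the docker log stream; passing them as arguments also exposes them in the process list for the duration of the call. Dropping the trace flags, `set -e`, keeps the fail-fast behaviour without echoing the secrets. The expansions should be quoted, `ocis accounts update --password "$IDP_LDAP_BIND_PASSWORD" "$IDP_USER_UUID"`, so an empty or space-containing value cannot be reinterpreted as further arguments; if `ocis accounts list` does not answer yet after the fixed `sleep 10`, `IDP_USER_UUID` is empty and the update runs with no target. The copy of this script under deployments/examples/ocis_traefik in the hunk below has the same issues.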
--- a/deployments/examples/ocis_traefik/.env +++ b/deployments/examples/ocis_traefik/.env @@ -17,7 +17,12 @@ TRAEFIK_ACME_MAIL= OCIS_DOCKER_TAG= # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test" OCIS_DOMAIN= - +# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp". +IDP_LDAP_BIND_PASSWORD=foo +# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva". +STORAGE_LDAP_BIND_PASSWORD=foo +# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" +OCIS_JWT_SECRET=foo # If you want to use debugging and tracing with this stack, # you need uncomment following line. Please see documentation at diff --git a/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh new file mode 100644 index 0000000000..9e0a524ac1 --- /dev/null +++ b/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +set -evx + +ocis server& +sleep 10 + +echo "##################################################" +echo "change default secrets:" + +# IDP +IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o) +echo " IDP user UUID: $IDP_USER_UUID" +ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID + +# REVA +REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o) +echo " Reva user UUID: $REVA_USER_UUID" +ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID + +killall ocis +echo "default secrets changed" +echo "##################################################" + +ocis server diff --git a/deployments/examples/ocis_traefik/docker-compose.yml b/deployments/examples/ocis_traefik/docker-compose.yml index 17f9240509..7861af16e4 100644 
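Review bot: This `.env` sets `IDP_LDAP_BIND_PASSWORD=foo`, `STORAGE_LDAP_BIND_PASSWORD=foo` and `OCIS_JWT_SECRET=foo`, while the comment above each says the value must be changed and the ocis_keycloak `.env` in this commit leaves the same keys empty. Because the compose file substitutes `${IDP_LDAP_BIND_PASSWORD:-idp}`, a non-empty `foo` is used as-is, so anyone who copies the example without editing it runs with a trivially guessable credential instead of the documented default. Leave the three values empty to match the other example: `IDP_LDAP_BIND_PASSWORD=`, `STORAGE_LDAP_BIND_PASSWORD=`, `OCIS_JWT_SECRET=`.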
--- a/deployments/examples/ocis_traefik/docker-compose.yml +++ b/deployments/examples/ocis_traefik/docker-compose.yml @@ -46,11 +46,19 @@ services: image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest} networks: ocis-net: + entrypoint: + - /bin/sh + - /entrypoint-override.sh environment: OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates + # change default secrets + IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp} + STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva} + OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4} volumes: + - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ocis-data:/var/tmp/ocis labels: - "traefik.enable=true" diff --git a/docs/ocis/deployment/_index.md b/docs/ocis/deployment/_index.md index ab101b652e..694c6dc2cf 100644 --- a/docs/ocis/deployment/_index.md +++ b/docs/ocis/deployment/_index.md 
@@ -26,3 +26,34 @@ You can run ownCloud 10 and oCIS together. This allows you to use new parts of o - [ownCloud 10 setup with oCIS serving ownCloud Web and acting as OIDC provider]({{< ref "owncloud10_with_oc_web.md" >}}) - This allows you to switch between the traditional ownCloud 10 frontend and the new ownCloud Web frontend - Run ownCloud 10 and oCIS in parallel - together - Migrate users from ownCloud 10 to oCIS + + +## Secure an oCIS instance + +### Change default secrets +oCIS uses two system users which are needed for being operational: +- Reva Inter Operability Platform (bc596f3c-c955-4328-80a0-60d018b4ad57) +- Kopano IDP (820ba2a1-3f54-4538-80a4-2d73007e30bf) + +Both have simple default passwords which need to be changed. Currently, changing a password is only possible on the command line. You need to run `ocis accounts update --password ` for both users. + +The new password for the Reva Inter Operability Platform user must be made available to oCIS by using the environment variable `STORAGE_LDAP_BIND_PASSWORD`. The same applies to the new Kopano IDP user password, which needs do be made available to oCIS in `IDP_LDAP_BIND_PASSWORD`. + +Furthermore, oCIS uses a shared secret to sign JWT tokens for inter service authorization, which also needs to be changed by the user. +You can change it by setting the `OCIS_JWT_SECRET` environment variable for oCIS to a random string. + +### Delete demo users + +{{< hint info >}} +Before deleting the demo users mentioned below, you must create a new account for yourself and assign it to the administrator role. 
+{{< /hint >}} + +oCIS ships with a few demo users besides the system users: +- Admin (ddc2004c-0977-11eb-9d3f-a793888cd0f8) +- Albert Einstein (4c510ada-c86b-4815-8820-42cdf82c3d51) +- Richard Feynman (932b4540-8d16-481e-8ef4-588e4b6b151c) +- Maurice Moss (058bff95-6708-4fe5-91e4-9ea3d377588b) +- Marie Curie (f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c) + +You can view them in ownCloud Web if you log in as Admin user or list them by running `ocis accounts list`. +After adding your own user it is safe to delete the demo users in the web UI or with the command `ocis accounts remove `. Please do not delete the system users (see [change default secrets]({{< ref "_index.md#change-default-secrets" >}})) or oCIS will not function properly anymore. diff --git a/docs/ocis/deployment/basic-remote-setup.md b/docs/ocis/deployment/basic-remote-setup.md index b28d30f7c2..48a828206a 100644 --- a/docs/ocis/deployment/basic-remote-setup.md +++ b/docs/ocis/deployment/basic-remote-setup.md @@ -21,6 +21,10 @@ Upon first start of the oCIS fullstack server with `./bin/ocis server` it will g The `identifier-registration.yml` file will only be generated if does not exist. If you want to change certain environment variables like `OCIS_URL`, please delete this file first before doing so. Otherwise your changes will not be applied correctly and you will run into errors. {{< /hint >}} +{{< hint warning >}} +oCIS is currently in a Tech Preview state and is shipped with demo users. In order to secure your oCIS instances please follow following guide: [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}}) +{{< /hint >}} + For the following examples you need to have the oCIS binary in your current working directory, we assume it is named `ocis` and it needs to be marked as executable. See [Getting Started]({{< ref "../getting-started/#binaries" >}}) for where to get the binary from. ### Using automatically generated certificates 
diff --git a/docs/ocis/deployment/ocis_keycloak.md b/docs/ocis/deployment/ocis_keycloak.md index ea85f9fcd2..9f901d0233 100644 --- a/docs/ocis/deployment/ocis_keycloak.md +++ b/docs/ocis/deployment/ocis_keycloak.md @@ -70,6 +70,12 @@ See also [example server setup]({{< ref "preparing_server.md" >}}) OCIS_DOMAIN= # ownCloud Web openid connect client id. Defaults to "ocis-web" OCIS_OIDC_CLIENT_ID= + # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp". + IDP_LDAP_BIND_PASSWORD= + # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva". + STORAGE_LDAP_BIND_PASSWORD= + # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" + OCIS_JWT_SECRET= ### Keycloak ### # Domain of Keycloak, where you can find the management and authentication frontend. Defaults to "keycloak.owncloud.test" @@ -97,6 +103,8 @@ See also [example server setup]({{< ref "preparing_server.md" >}}) If you want to change the OIDC client id of th ownCloud Web frontend, you can do this by setting the name to `OCIS_OIDC_CLIENT_ID=`. + You also must override three default secrets in `IDP_LDAP_BIND_PASSWORD`, `STORAGE_LDAP_BIND_PASSWORD` and `OCIS_JWT_SECRET` in order to secure your oCIS instance. Choose some random strings eg. from the output of `openssl rand -base64 32`. For more information see [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}}). + Set your domain for the Keycloak administration panel and authentication endpoints to `KEYCLOAK_DOMAIN=` eg. `KEYCLOAK_DOMAIN=keycloak.owncloud.test`. Changing the used Keycloak realm can be done by setting `KEYCLOAK_REALM=`. This defaults to the oCIS realm `KEYCLOAK_REALM=oCIS`. The oCIS realm will be automatically imported on startup and includes our demo users. diff --git a/docs/ocis/deployment/ocis_traefik.md b/docs/ocis/deployment/ocis_traefik.md index 0e96a35ff9..34ccc422bf 100644 
--- a/docs/ocis/deployment/ocis_traefik.md +++ b/docs/ocis/deployment/ocis_traefik.md @@ -64,6 +64,12 @@ See also [example server setup]({{< ref "preparing_server.md" >}}) OCIS_DOCKER_TAG= # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test" OCIS_DOMAIN= + # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp". + IDP_LDAP_BIND_PASSWORD= + # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva". + STORAGE_LDAP_BIND_PASSWORD= + # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" + OCIS_JWT_SECRET= ``` You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`. @@ -78,6 +84,8 @@ See also [example server setup]({{< ref "preparing_server.md" >}}) Set your domain for the oCIS frontend in `OCIS_DOMAIN=`, eg. `OCIS_DOMAIN=ocis.owncloud.test`. + You also must override three default secrets in `IDP_LDAP_BIND_PASSWORD`, `STORAGE_LDAP_BIND_PASSWORD` and `OCIS_JWT_SECRET` in order to secure your oCIS instance. Choose some random strings eg. from the output of `openssl rand -base64 32`. For more information see [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}}). + Now you have configured everything and can save the file. * Start the docker stack diff --git a/docs/ocis/deployment/preparing_server.md b/docs/ocis/deployment/preparing_server.md index 5e6bba68e4..8bd1724c9d 100644 --- a/docs/ocis/deployment/preparing_server.md +++ b/docs/ocis/deployment/preparing_server.md @@ -1,7 +1,7 @@ --- title: "Preparing a server" date: 2020-10-12T14:04:00+01:00 -weight: 10 +weight: 100 geekdocRepo: https://github.com/owncloud/ocis geekdocEditPath: edit/master/docs/ocis/deployment geekdocFilePath: preparing_server.md 
diff --git a/idp/pkg/config/config.go b/idp/pkg/config/config.go
index 617fda130c..9e051be630 100644
--- a/idp/pkg/config/config.go
+++ b/idp/pkg/config/config.go
@@ -28,6 +28,21 @@ type HTTP struct {
 TLS bool
 }
 
+// Ldap defines the available LDAP configuration.
+type Ldap struct {
+ URI string
+ BindDN string
+ BindPassword string
+ BaseDN string
+ Scope string
+ LoginAttribute string
+ EmailAttribute string
+ NameAttribute string
+ UUIDAttribute string
+ UUIDAttributeType string
+ Filter string
+}
+
 // Service defines the available service configuration.
 type Service struct {
 Name string
@@ -51,14 +66,15 @@ type Asset struct {
 
 // Config combines all available configuration parts.
 type Config struct {
- File string
- Log Log
- Debug Debug
- HTTP HTTP
- Tracing Tracing
- Asset Asset
- IDP bootstrap.Config
- Service Service
+ File string
+ Log Log
+ Debug Debug
+ HTTP HTTP
+ Tracing Tracing
+ Asset Asset
+ IDP bootstrap.Config
+ Ldap Ldap
+ Service Service
 }
 
 // New initializes a new configuration with or without defaults.
diff --git a/idp/pkg/flagset/flagset.go b/idp/pkg/flagset/flagset.go
index ed348e2c06..68b2561a8a 100644
--- a/idp/pkg/flagset/flagset.go
+++ b/idp/pkg/flagset/flagset.go
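Review bot: The new type is named `Ldap` and the Config field `Ldap Ldap`, while the rest of this file writes initialisms in upper case (`HTTP`, `IDP`); since the type is introduced here, `type LDAP struct` and `LDAP LDAP` would match the file's convention before any caller depends on the name. `BindPassword` holds a credential and nothing marks it as such; a field comment like `// BindPassword is a secret; keep it out of logs and config dumps` tells the next maintainer that printing the Config struct is not harmless. The same naming point applies to the Config hunk in this file that adds the field.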
@@ -150,6 +150,83 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"IDP_IDENTITY_MANAGER"},
 Destination: &cfg.IDP.IdentityManager,
 },
+ &cli.StringFlag{
+ Name: "ldap-uri",
+ Value: "ldap://localhost:9125",
+ Usage: "URI of the LDAP server (glauth)",
+ EnvVars: []string{"IDP_LDAP_URI"},
+ Destination: &cfg.Ldap.URI,
+ },
+ &cli.StringFlag{
+ Name: "ldap-bind-dn",
+ Value: "cn=idp,ou=sysusers,dc=example,dc=org",
+ Usage: "Bind DN for the LDAP server (glauth)",
+ EnvVars: []string{"IDP_LDAP_BIND_DN"},
+ Destination: &cfg.Ldap.BindDN,
+ },
+ &cli.StringFlag{
+ Name: "ldap-bind-password",
+ Value: "idp",
+ Usage: "Password for the Bind DN of the LDAP server (glauth)",
+ EnvVars: []string{"IDP_LDAP_BIND_PASSWORD"},
+ Destination: &cfg.Ldap.BindPassword,
+ },
+ &cli.StringFlag{
+ Name: "ldap-base-dn",
+ Value: "ou=users,dc=example,dc=org",
+ Usage: "LDAP base DN of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_BASE_DN"},
+ Destination: &cfg.Ldap.BaseDN,
+ },
+ &cli.StringFlag{
+ Name: "ldap-scope",
+ Value: "sub",
+ Usage: "LDAP scope of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_SCOPE"},
+ Destination: &cfg.Ldap.Scope,
+ },
+ &cli.StringFlag{
+ Name: "ldap-login-attribute",
+ Value: "cn",
+ Usage: "LDAP login attribute of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_LOGIN_ATTRIBUTE"},
+ Destination: &cfg.Ldap.LoginAttribute,
+ },
+ &cli.StringFlag{
+ Name: "ldap-email-attribute",
+ Value: "mail",
+ Usage: "LDAP email attribute of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_EMAIL_ATTRIBUTE"},
+ Destination: &cfg.Ldap.EmailAttribute,
+ },
+ &cli.StringFlag{
+ Name: "ldap-name-attribute",
+ Value: "sn",
+ Usage: "LDAP name attribute of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_NAME_ATTRIBUTE"},
+ Destination: &cfg.Ldap.NameAttribute,
+ },
+ &cli.StringFlag{
+ Name: "ldap-uuid-attribute",
+ Value: "uid",
+ Usage: "LDAP UUID attribute of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_UUID_ATTRIBUTE"},
+ Destination: &cfg.Ldap.UUIDAttribute,
+ },
+ &cli.StringFlag{
+ Name: "ldap-uuid-attribute-type",
+ Value: "text",
+ Usage: "LDAP UUID attribute type of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_UUID_ATTRIBUTE_TYPE"},
+ Destination: &cfg.Ldap.UUIDAttributeType,
+ },
+ &cli.StringFlag{
+ Name: "ldap-filter",
+ Value: "(objectClass=posixaccount)",
+ Usage: "LDAP filter of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_FILTER"},
+ Destination: &cfg.Ldap.Filter,
+ },
 &cli.StringFlag{
 Name: "transport-tls-cert",
 Value: "",
diff --git a/idp/pkg/service/v0/service.go b/idp/pkg/service/v0/service.go
index 419726212b..c3a8be6780 100644
--- a/idp/pkg/service/v0/service.go
+++ b/idp/pkg/service/v0/service.go
@@ -38,7 +38,7 @@ func NewService(opts ...Option) Service {
 assets.Config(options.Config),
 )
 
- if err := initKonnectInternalEnvVars(); err != nil {
+ if err := initKonnectInternalEnvVars(&options.Config.Ldap); err != nil {
 logger.Fatal().Err(err).Msg("could not initialize env vars")
 }
 
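Review bot: `ldap-bind-password` ships `Value: "idp"` as its default, so the IDP binds to the directory with a publicly known credential unless `IDP_LDAP_BIND_PASSWORD` is set, and nothing in the flag text tells an operator reading `--help` that this is the case. Extend the usage string so the warning travels with the flag: `Usage: "Password for the Bind DN of the LDAP server (glauth); the default is a well-known development credential and must be changed"`. The enclosing ServerWithConfig function starts and ends outside the hunk.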
@@ -110,26 +110,24 @@ func createConfigsIfNotExist(assets http.FileSystem, ocisURL string) error { } // Init vars which are currently not accessible via idp api -func initKonnectInternalEnvVars() error { +func initKonnectInternalEnvVars(ldap *config.Ldap) error { var defaults = map[string]string{ - "LDAP_URI": "ldap://localhost:9125", - "LDAP_BINDDN": "cn=idp,ou=sysusers,dc=example,dc=org", - "LDAP_BINDPW": "idp", - "LDAP_BASEDN": "ou=users,dc=example,dc=org", - "LDAP_SCOPE": "sub", - "LDAP_LOGIN_ATTRIBUTE": "cn", - "LDAP_EMAIL_ATTRIBUTE": "mail", - "LDAP_NAME_ATTRIBUTE": "sn", - "LDAP_UUID_ATTRIBUTE": "uid", - "LDAP_UUID_ATTRIBUTE_TYPE": "text", - "LDAP_FILTER": "(objectClass=posixaccount)", + "LDAP_URI": ldap.URI, + "LDAP_BINDDN": ldap.BindDN, + "LDAP_BINDPW": ldap.BindPassword, + "LDAP_BASEDN": ldap.BaseDN, + "LDAP_SCOPE": ldap.Scope, + "LDAP_LOGIN_ATTRIBUTE": ldap.LoginAttribute, + "LDAP_EMAIL_ATTRIBUTE": ldap.EmailAttribute, + "LDAP_NAME_ATTRIBUTE": ldap.NameAttribute, + "LDAP_UUID_ATTRIBUTE": ldap.UUIDAttribute, + "LDAP_UUID_ATTRIBUTE_TYPE": ldap.UUIDAttributeType, + "LDAP_FILTER": ldap.Filter, } for k, v := range defaults { - if _, exists := os.LookupEnv(k); !exists { - if err := os.Setenv(k, v); err != nil { - return fmt.Errorf("could not set env var %s=%s", k, v) - } + if err := os.Setenv(k, v); err != nil { + return fmt.Errorf("could not set env var %s=%s", k, v) } } diff --git a/ocis/pkg/config/config.go b/ocis/pkg/config/config.go index 4c9bce3751..ca7d907ae9 100644 --- a/ocis/pkg/config/config.go +++ b/ocis/pkg/config/config.go @@ -75,7 +75,7 @@ type Config struct { Graph *graph.Config GraphExplorer *graphExplorer.Config Hello *hello.Config - IDP *idp.Config + IDP *idp.Config OCS *ocs.Config Onlyoffice *onlyoffice.Config Web *web.Config @@ -96,7 +96,7 @@ func New() *Config { Graph: graph.New(), GraphExplorer: graphExplorer.New(), Hello: hello.New(), - IDP: idp.New(), + IDP: idp.New(), OCS: ocs.New(), Onlyoffice: onlyoffice.New(), Web: web.New(), 
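Review bot: `return fmt.Errorf("could not set env var %s=%s", k, v)` now formats `ldap.BindPassword` into the error for the `LDAP_BINDPW` key, and NewService logs that error through `logger.Fatal().Err(err)`, so a failed Setenv writes the bind password into the log. Report only the key and wrap the cause instead: `return fmt.Errorf("could not set env var %s: %w", k, err)`. Replacing the `os.LookupEnv` check with an unconditional `os.Setenv` also means an operator who exported `LDAP_BINDPW` directly is now silently overridden by the flag default `idp`; a sentence on the function comment saying that the `IDP_LDAP_*` variables are the only supported way to configure these values would make that deliberate break visible. The function body may continue past the hunk.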
diff --git a/ocs/pkg/flagset/flagset.go b/ocs/pkg/flagset/flagset.go
index 21665d9aa5..909840335a 100644
--- a/ocs/pkg/flagset/flagset.go
+++ b/ocs/pkg/flagset/flagset.go
@@ -149,7 +149,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Used to dismantle the access token, should equal reva's jwt-secret",
- EnvVars: []string{"OCS_JWT_SECRET"},
+ EnvVars: []string{"OCS_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.TokenManager.JWTSecret,
 },
 }
diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go
index 81af13c7a3..83f73fdda4 100644
--- a/proxy/pkg/flagset/flagset.go
+++ b/proxy/pkg/flagset/flagset.go
@@ -175,7 +175,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Used to create JWT to talk to reva, should equal reva's jwt-secret",
- EnvVars: []string{"PROXY_JWT_SECRET"},
+ EnvVars: []string{"PROXY_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.TokenManager.JWTSecret,
 },
 &cli.StringFlag{
diff --git a/settings/pkg/flagset/flagset.go b/settings/pkg/flagset/flagset.go
index f4d04aba48..a84964c896 100644
--- a/settings/pkg/flagset/flagset.go
+++ b/settings/pkg/flagset/flagset.go
@@ -182,7 +182,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Used to create JWT to talk to reva, should equal reva's jwt-secret",
- EnvVars: []string{"SETTINGS_JWT_SECRET"},
+ EnvVars: []string{"SETTINGS_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.TokenManager.JWTSecret,
 },
 }
diff --git a/storage/pkg/flagset/secret.go b/storage/pkg/flagset/secret.go
index e51b7acd73..d7004e4812 100644
--- a/storage/pkg/flagset/secret.go
+++ b/storage/pkg/flagset/secret.go
@@ -12,7 +12,7 @@ func SecretWithConfig(cfg *config.Config) []cli.Flag {
 Name: "jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Shared jwt secret for reva service communication",
- EnvVars: []string{"STORAGE_JWT_SECRET"},
+ EnvVars: []string{"STORAGE_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.Reva.JWTSecret,
 },
 }