Christian Richter
97ee9b36a5
incorporate requested changes
Signed-off-by: Christian Richter <c.richter@opencloud.eu>
2025-11-19 09:38:16 +01:00
Christian Richter
f9807f9f3a
actually load overrideyaml
Signed-off-by: Christian Richter <c.richter@opencloud.eu>
2025-11-19 09:38:16 +01:00
Christian Richter
8007e8a269
add ability to completely override csp config
Signed-off-by: Christian Richter <c.richter@opencloud.eu>
2025-11-19 09:38:16 +01:00
Christian Richter
63603679a5
remove obsolete comment
Signed-off-by: Christian Richter <c.richter@opencloud.eu>
2025-11-19 09:38:16 +01:00
Christian Richter
16f9667fe8
adapt tests & deepmerge
Signed-off-by: Christian Richter <c.richter@opencloud.eu>
2025-11-19 09:38:16 +01:00
Christian Richter
d16524510a
adapt tests
Signed-off-by: Christian Richter <c.richter@opencloud.eu>
2025-11-19 09:38:16 +01:00
Christian Richter
20b903b32d
load two yaml configs
Signed-off-by: Christian Richter <c.richter@opencloud.eu>
2025-11-19 09:38:16 +01:00
Ralf Haferkamp
8cea8c8cfd
feat(proxy): account_resolver multi-tenancy
Make the account resolve reject users without a tenantid, when
multi-tenancy is enabled.
2025-10-06 11:21:57 +02:00
Ralf Haferkamp
86db525cec
feat(tracing): Improve tracing for proxy middlewares
Each middleware adds a new span with a useful name now.
2025-09-02 17:02:04 +02:00
Ralf Haferkamp
51c32c5e15
fix(tracing): Don't start separate span for request-id attr
Just add the request id as an attribute to the span created by the
'otelhttp' middleware.
2025-09-02 12:13:11 +02:00
Ralf Haferkamp
3a8b370a08
fix(proxy): First login fails in auto provision setups
Redeclaring the `err` variable inside the if statement made the
later error check fail even when the user was successfully created.
Fixes: #1277
2025-08-14 15:36:23 +02:00
Ralf Haferkamp
4bdb3bf70f
proxy(sign_url_auth): Allow to verify server signed URLs
With the ocdav service being able to provide signed download URLs we
need the proxy to be able to verify the signatures.
This should also be a first step towards phasing out the weird ocs based
client side signed urls.
Related Tickets: #1104
2025-07-17 12:01:59 +02:00
Ralf Haferkamp
601bb4c955
cleanup(proxy): Remove misleading comment
The signedurl middleware is already adding the user to the context.
2025-07-17 12:01:59 +02:00
Ralf Haferkamp
8dd8943854
fix(proxy): Prevent panic when autoprovisioning user
After autoprovisioning a user, we need to get a reva token via
`auth-machine`. If that fails the code would panic because the logger
tried to access the `user` object returned from the GetUserByClaims
call, which is `nil` in case of failure.
Fixes #936
2025-06-12 11:54:23 +02:00
André Duffeck
cbac5f1555
Switch to a different msgpack lib
The current one has a problem handling time.Time{} structs
2025-05-16 10:24:43 +02:00
Ralf Haferkamp
dcf78f7f3d
proxy(router): Allow to set some outgoing headers
This introduces the "additional_headers", "remote_user_header" and
"skip_x_access_token" config keys to allow configuring routes to
external services that require additional headers to be set.
"remote_user_header": defines the name of a Header that will carry the
userid of the authenticated user on the outgoing request.
"additional_headers": defines a list of header names and values that will
be added to outgoing requests on matching routes.
"skip_x_access_token": when set to true the reva access token will not
be added to the outgoing request.
Needed for #206
2025-04-30 10:17:58 +02:00
Ralf Haferkamp
102e92fd73
appauth: Add token and user (with roles) to context
When successfully authenticating a user via apptoken, resolve the user's
roles and add the user and the token returned by the auth service to the
request context. Rely on the account_resolve middleware to add the reva
token to the outgoing request as the other auth middlewares do.
2025-04-30 10:17:58 +02:00
Ralf Haferkamp
95f28baa52
Use constant instead of repeating the "x-access-token" string over and over
2025-04-30 10:17:58 +02:00
Ralf Haferkamp
0716b40fa0
Adjust LDAP Schema for new name
2025-01-29 11:58:57 +01:00
André Duffeck
e8d35e1280
Use the opencloud reva from now on
2025-01-21 11:16:38 +01:00
Jörn Friedrich Dreyer
747b2879d7
proxy
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2025-01-16 17:31:51 +01:00
Ralf Haferkamp
213e9663a9
Rename go-micro services
2025-01-16 09:45:46 +01:00
André Duffeck
8c8cdd9310
Adapt protobuf naming
2025-01-15 11:04:32 +01:00
Jörn Friedrich Dreyer
b07b5a1149
use plain pkg module
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2025-01-13 16:42:19 +01:00
Jörn Friedrich Dreyer
8e028f17e9
change module name
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2025-01-13 09:58:18 +01:00
Juan Pablo Villafáñez
69864b8ab9
feat: improve logs when a context is canceled in the proxy
2024-11-19 11:25:40 +01:00
Roman Perekhod
3a060331f7
fixed an idp guest role default assignment
2024-11-07 17:57:01 +01:00
Jörn Friedrich Dreyer
7fd8284daf
mark header to not show up as a potential password leak G101
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2024-10-22 10:57:01 +02:00
André Duffeck
bea1deebba
Work around a problem with reverse proxies changing URLs being signed
Fixes https://github.com/owncloud/ocis/issues/10180
2024-10-04 09:50:58 +02:00
Ralf Haferkamp
cb8934081f
proxy(oidc): Emit a UserSignedIn event on new session
Every time the OIDC middleware sees a new access token (i.e. when it needs
to update the userinfo cache) we consider that as a new login. In this case
the middleware adds a new flag to the context, which is then used by the
accountresolver middleware to publish a UserSignedIn event.
The event needs to be sent by the accountresolver middleware, because only
at that point we know the user id of the user that just logged in.
(It would probably make sense to merge the auth and account middleware into a
single component to avoid passing flags around via context)
2024-09-17 16:02:47 +02:00
Ralf Haferkamp
109b23966c
bump some jwt related go modules to current version
go-jwt/jwt to v5.2.1
MicahParks/keyfunc to v2.1.0
2024-08-26 15:35:15 +02:00
Juan Pablo Villafañez
faf162704e
Merge pull request #9684 from owncloud/collaboration_improved_tracing
feat: include additional metadata for tracing the collaboration service
2024-08-13 11:35:52 +02:00
jkoberg
e7fd04bbe3
feat(tusd): bump tusd pkg to v2.4.0
Signed-off-by: jkoberg <jkoberg@owncloud.com>
2024-08-07 09:13:50 +02:00
Juan Pablo Villafáñez
a5d27b2f98
feat: include additional metadata for tracing the collaboration service
2024-08-05 13:15:12 +02:00
jkoberg
3b3d30159d
fix(proxy): fix build after rebase
Signed-off-by: jkoberg <jkoberg@owncloud.com>
2024-07-23 08:58:07 +02:00
Thomas Müller
7005cbc0fc
feat: add unit test for app auth middleware
2024-07-23 08:58:07 +02:00
Thomas Müller
4fa7ea0b20
feat: add cli command to generate app token for user
2024-07-23 08:58:07 +02:00
Thomas Müller
43403edfb8
feat: reva app auth
2024-07-23 08:58:07 +02:00
Jörn Friedrich Dreyer
b2255bb3d5
Log user agent and remote addr on auth errors
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2024-07-16 12:41:04 +02:00
Ralf Haferkamp
ff6674f97b
Fix fallout of reva bump
reva tries to avoid copying proto messages now. This changed some calls
to take pointers now (mainly e.g. FormatResourceId())
2024-07-11 15:21:56 +02:00
Ralf Haferkamp
0d65908e82
autoprovisioning: sync group memberships
Add support for autoprovisioning group memberships from OIDC claims.
Users are added to and removed from groups based on the value of an OIDC
claim. If a group does not exist, it is created.
Closes: #5538
2024-07-08 09:32:23 +02:00
Michael Barz
ccb8228edd
fix: bump upstream sec middleware
2024-06-10 17:20:38 +02:00
Roman Perekhod
c7281599d4
replacement for TokenInfo endpoint
2024-05-28 09:29:08 +02:00
Ralf Haferkamp
7ca8391ce2
feat(proxy): Update selected attributes of autoprovisioned users
When autoprovisioning is enabled, we now update autoprovisioned users when their
display name or email address claims change.
Closes: #8955
2024-05-15 13:30:45 +02:00
Thomas Müller
4f7480d322
feat: drop github.com/a8m/envsubst in favor of gookit/config (#9028)
2024-04-30 18:05:58 +02:00
Thomas Müller
bdbba929d0
feat: add CSP and other security related headers in the oCIS proxy service (#8777)
* feat: add CSP and other security related headers in the oCIS proxy service
* fix: consolidate security related headers - drop middleware.Secure
* fix: use github.com/DeepDiver1975/secure
* fix: acceptance tests
* feat: support env var replacements in csp.yaml
2024-04-26 09:10:35 +02:00
Ralf Haferkamp
8d5a0c6dd8
fix(public-share-auth): allow to create new documents in public share folder
The public share authentication middleware only allowed opening existing documents;
the /app/new route was missing.
Fixes #8691
2024-04-15 16:35:13 +02:00
Christian Richter
29549fade7
kill oidc well known middleware and move it to static route
Signed-off-by: Christian Richter <crichter@owncloud.com>
2024-03-18 16:56:10 +01:00
Jörn Friedrich Dreyer
26136f8f81
drop store service in favor of a micro store implementation (#8419)
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2024-02-26 16:08:03 +01:00
Thomas Müller
b12cff1016
fix: properly check expiry and verify signature of signed urls (#8385)
fix: signed url expiry validation only checks for expiry and not for used before
2024-02-07 15:44:33 +01:00