Commit Graph

23340 Commits

Author SHA1 Message Date
Pascal Bleser
4a138b8082 Groupware and jmap: cleanup and API documentation 2026-07-09 14:15:49 +02:00
Pascal Bleser
181dd14335 groupware: remove unneeded messages.go that was a remainder from an earlier implementation attempt, which also fixes compilation issues due to changes in main 2026-07-09 14:15:49 +02:00
Pascal Bleser
f5573a53f3 opencloud_full: upgrade Stalwart to 0.12.5, and use the ghcr.io container repository to avoid Hub limits 2026-07-09 14:15:49 +02:00
Pascal Bleser
aaf4be4546 Groupware improvements: refactoring, k6 tests
* refactored the models to be strongly typed with structs and mapstruct
   to decompose the dynamic parts of the JMAP payloads

 * externalized large JSON strings for tests into .json files under
   testdata/

 * added a couple of fantasy Graph groupware APIs to explore further
   options

 * added k6 scripts to test those graph/me/messages APIs, with a setup
   program to set up users in LDAP, fill their IMAP inbox, activate them
   in Stalwart, cleaning things up, etc...
2026-07-09 14:15:49 +02:00
Pascal Bleser
8cc8da45bf fix Stalwart LDAP configuration 2026-07-09 14:15:49 +02:00
Pascal Bleser
f79ba9a35b Use password policy overlay in LDAP and configure Stalwart to use it 2026-07-09 14:15:49 +02:00
Pascal Bleser
0dee74399d upgrade Stalwart to 0.12.4 2026-07-09 14:15:49 +02:00
Pascal Bleser
3b43f51592 groupware: removed debugging logs 2026-07-09 14:15:49 +02:00
Pascal Bleser
04d1af5041 jwkset: remove debugging printlns 2026-07-09 14:15:49 +02:00
Pascal Bleser
68eaafece8 auth-api: fix: was missing newly introduced metrics 2026-07-09 14:15:49 +02:00
Pascal Bleser
8cf5aa3e4c groupware and jmap improvements and refactoring 2026-07-09 14:15:48 +02:00
Pascal Bleser
7307e0143a upgrade Stalwart to 0.12 2026-07-09 14:15:48 +02:00
Pascal Bleser
6101791c24 minor corrections to the Stalwart configuration 2026-07-09 14:15:48 +02:00
Pascal Bleser
521d2a0820 Introduce a the auth-api service
* primitive implementation to demonstrate how it could work, still to
   be considered WIP at best

 * add new dependency: MicahParks/jwkset and MicahParks/keyfunc to
   retrieve the JWK set from KeyCloak to verify the signature of the
   JWTs sent as part of Bearer authentication in the /auth API

 * (minor) opencloud/.../service.go: clean up a logging statement that
   was introduced earlier to hunt down why the auth-api service was not
   being started
2026-07-09 14:15:48 +02:00
Pascal Bleser
9076c8449f add an auth-api service to make an exemplary implementation of an external authentication API for third party services such as Stalwart 2026-07-09 14:15:48 +02:00
Pascal Bleser
d4cf02b17d move services/groupware/pkg/jmap to pkg/jmap 2026-07-09 14:15:48 +02:00
Pascal Bleser
b8b1b02564 WIP: restructure the Jmap client, and implement the /me/messages Graph API endpoint with it 2026-07-09 14:15:48 +02:00
Pascal Bleser
7367f5bd6a add an OIDC Directory to Stalwart, requires exposing Keycloak port 8080 directly to access the userinfo endpoint using HTTP since the certificates in traefik are self-signed and end up being rejected by Stalwart with no option to bypass the certificate check 2026-07-09 14:15:48 +02:00
Pascal Bleser
e4f415652d rename Stalwart fallback admin username from 'admin' to 'mailadmin' since 'admin' exists as a regular user in LDAP and thus won't have access to the administration 2026-07-09 14:15:48 +02:00
Pascal Bleser
77af5d6e5e add missing routing for /groupware (currently unprotected for testing) 2026-07-09 14:15:48 +02:00
Pascal Bleser
11f45fc83b WIP: initial implementation of the groupware service 2026-07-09 14:15:48 +02:00
Pascal Bleser
6f03eae368 Add Stalwart container to the opencloud_full deployment, using the OpenLDAP container as a directory for user authentication 2026-07-09 14:15:48 +02:00
Alex
e4faa179b6 feat: add disableSponsorLink web config option (#3093) 2026-07-09 13:33:07 +02:00
Viktor Scharf
9efc71d42e [decomposed] more cli command tests (#3087)
* more cli command tests

* add tests to expected failures file
2026-07-09 07:51:43 +02:00
Jörn Friedrich Dreyer
415900ab01 chore(idp): update axios
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2026-07-08 17:09:05 +02:00
Thomas Schweiger
50be30e5db fix: fix typo in proxy service documentation 2026-07-08 10:25:47 +02:00
opencloudeu
95f29d0440 [tx] updated from transifex 2026-07-07 23:16:19 +00:00
dependabot[bot]
ee478ed6a5 build(deps): bump golang.org/x/text from 0.38.0 to 0.39.0
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.38.0 to 0.39.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.38.0...v0.39.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 17:08:57 +02:00
dependabot[bot]
e53c77e2be build(deps): bump github.com/go-chi/chi/v5 from 5.3.0 to 5.3.1
Bumps [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) from 5.3.0 to 5.3.1.
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](https://github.com/go-chi/chi/compare/v5.3.0...v5.3.1)

---
updated-dependencies:
- dependency-name: github.com/go-chi/chi/v5
  dependency-version: 5.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 14:08:35 +02:00
dependabot[bot]
6f838a2131 build(deps): bump github.com/nats-io/nats-server/v2
Bumps [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server) from 2.14.2 to 2.14.3.
- [Release notes](https://github.com/nats-io/nats-server/releases)
- [Changelog](https://github.com/nats-io/nats-server/blob/main/RELEASES.md)
- [Commits](https://github.com/nats-io/nats-server/compare/v2.14.2...v2.14.3)

---
updated-dependencies:
- dependency-name: github.com/nats-io/nats-server/v2
  dependency-version: 2.14.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 12:32:16 +02:00
dependabot[bot]
e4dfada264 build(deps): bump github.com/gookit/config/v2 from 2.2.8 to 2.2.9
Bumps [github.com/gookit/config/v2](https://github.com/gookit/config) from 2.2.8 to 2.2.9.
- [Release notes](https://github.com/gookit/config/releases)
- [Commits](https://github.com/gookit/config/compare/v2.2.8...v2.2.9)

---
updated-dependencies:
- dependency-name: github.com/gookit/config/v2
  dependency-version: 2.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-06 17:48:24 +02:00
dependabot[bot]
bce52eec38 build(deps): bump github.com/open-policy-agent/opa from 1.18.1 to 1.18.2
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.18.1 to 1.18.2.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.18.1...v1.18.2)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.18.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-06 15:06:27 +02:00
dependabot[bot]
2683b2db6f build(deps): bump github.com/kovidgoyal/imaging from 1.8.21 to 1.8.22
Bumps [github.com/kovidgoyal/imaging](https://github.com/kovidgoyal/imaging) from 1.8.21 to 1.8.22.
- [Release notes](https://github.com/kovidgoyal/imaging/releases)
- [Commits](https://github.com/kovidgoyal/imaging/compare/v1.8.21...v1.8.22)

---
updated-dependencies:
- dependency-name: github.com/kovidgoyal/imaging
  dependency-version: 1.8.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-06 15:05:54 +02:00
Benedikt Kulmann
08bb6fe003 chore: add github funding 2026-07-06 11:56:29 +02:00
opencloudeu
7de9ade8aa [tx] updated from transifex 2026-07-05 23:16:18 +00:00
opencloudeu
f714b22dc4 [tx] updated from transifex 2026-07-03 23:16:24 +00:00
opencloudeu
0fd05d3f5c [tx] updated from transifex 2026-07-02 23:16:19 +00:00
dependabot[bot]
85be8e726b build(deps): bump github.com/libregraph/lico from 0.66.0 to 0.67.0
Bumps [github.com/libregraph/lico](https://github.com/libregraph/lico) from 0.66.0 to 0.67.0.
- [Changelog](https://github.com/libregraph/lico/blob/master/CHANGELOG.md)
- [Commits](https://github.com/libregraph/lico/compare/v0.66.0...v0.67.0)

---
updated-dependencies:
- dependency-name: github.com/libregraph/lico
  dependency-version: 0.67.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-02 09:15:58 +02:00
Benedikt Kulmann
eee040d066 chore: trigger settings bot 2026-07-02 08:51:29 +02:00
dependabot[bot]
364d090667 build(deps): bump google.golang.org/grpc from 1.81.1 to 1.82.0
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.81.1 to 1.82.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.81.1...v1.82.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.82.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-02 08:12:25 +02:00
dependabot[bot]
04a924f716 build(deps): bump github.com/open-policy-agent/opa from 1.17.1 to 1.18.1
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.17.1 to 1.18.1.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.17.1...v1.18.1)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-02 08:11:54 +02:00
opencloudeu
c2ceb923e4 [tx] updated from transifex 2026-07-01 23:16:28 +00:00
Dominik Schmidt
11449b5943 docs(graph): frame colon paths as "encode segments" instead of a raw-colon edge case
Per review discussion: don't document accidental behavior. The contract is
simply "percent-encode each path segment, as MS Graph requires; encode ':'
as %3A" - OpenCloud allows ':' in names (OneDrive forbids it), so it's one
more character in the mandatory encode set, not a special case.

The parser is unchanged (split on ":/", decode once). This only rewrites the
docs (code comment, acceptance feature, PR description) to state the encode
contract, and drops the tests that relied on a raw, unencoded ':' in a file
name - keeping the "%3A" test that reflects the actual contract.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
b6a4a66aef refactor(graph): split colon paths on ":/" so colons in names work
Review feedback: split the anchor/path and path/suffix on the structural
delimiter ":/" instead of a bare ":". Since the path and suffix always
start with "/", ":/" is the real delimiter, and a ":" *inside* a file or
directory name (which OpenCloud allows but MS Graph/OneDrive forbid) is
kept as part of the path instead of being mistaken for a separator.

A ":" sitting at a segment boundary (e.g. a name ending in ":") stays
ambiguous and must be percent-encoded as "%3A": the split works on the
literal ":/", so "%3A" is never a delimiter and decodes back to ":". This
is now documented in the code and the acceptance feature.

Tests: colon inside a name (with and without a suffix), the Stat path
carrying the colon, and the "%3A" boundary escape.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
95544b65ef docs(graph): drop stale regex references from colon-path comments
The colon-syntax parsing is plain string operations now, but a few
comments still referred to "the previous regex" / "captures". Update them
to match: parseColonPath extracts the itemID from the path (driveID comes
from the route param), and the shape checks stand on their own.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
407bb2bc70 refactor(graph): clearer colon-path anchor parsing, pin second-colon rule
parseColonPath split the anchor asymmetrically (root trimmed the delimiter
colon as part of a literal "/root:" prefix, item cut on it), and the root
branch's comment talked about the driveID which isn't this function's
concern. Split once at the first colon into anchor + rest, then classify
the anchor (exactly "/root", or "/items/{id}" with a single-segment id).
Same behavior, easier to follow.

Also add explicit coverage for the rule that a suffix requires a second
colon: "/root:/Documents/children" (no second colon) is the path
"/Documents/children", not the path "/Documents" with a "/children"
suffix. Two tests pin it end-to-end - it must route to the bare item (not
/items/{id}/children) and Stat must receive the full path.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
4b98022688 refactor(graph): parse colon paths with string ops instead of regexes
Review feedback: the two colon-syntax regexes were hard to read. Since the
middleware is scoped to /drives/{driveID}, the RoutePath it inspects is just
the sub-path (/root:/... or /items/{id}:/...), so a regex buys nothing.

Replace rootColonRe/itemColonRe (and the matchInto/extract helpers) with a
single parseColonPath that uses plain string operations
(HasPrefix/TrimPrefix/TrimSuffix/Cut), one commented step at a time.
Behavior is unchanged; the existing table tests (trailing colon, no suffix,
deep paths, multi-segment suffixes, item-anchored, encoded paths) still pass
and pin it.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
1f51bad9d1 refactor(graph): scope colon-path middleware to /drives/{driveID}
Addresses review feedback: a sub-router middleware can re-route after all,
as long as it rewrites chi.RouteContext().RoutePath instead of r.URL.Path.
Once chi has descended into a sub-router its routeHTTP matches against
rctx.RoutePath and ignores r.URL.Path, which is why the earlier top-level
registration was thought to be required.

Move ResolveGraphPath off the top-level mux.Use and attach it to the
/drives/{driveID} sub-routers (v1.0 + v1beta1). It now reads driveID from
chi.URLParam and matches against RoutePath (the part below the drive), so
the regexes drop the version + drive prefix entirely.

RoutePath carries the percent-encoded wire form (Graph.ServeHTTP sets
RawPath), so the captured driveID/itemID/path are PathUnescape'd exactly
once - reproducing the decoded r.URL.Path a normal handler would see,
without the previous RawPath/EscapedPath workaround. r.URL.Path is now
left untouched; only chi's internal RoutePath is rewritten.

Tests are reworked to drive requests through a chi router mirroring the
production nesting (including the Graph.ServeHTTP RawPath behavior), so
chi's sub-router middleware ordering, RoutePath encoding and param
round-trip are all covered indirectly: a chi upgrade that changes any of
them fails these tests instead of silently breaking colon-path lookups.
Adds explicit coverage for percent-decoding (%20, %252F) and the `$`/`!`
sub-delimiter id round-trip.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
8f51a4318a test(graph): pin chi URLParam round-trip for IDs with ! sub-delim
Codacy flagged the colon-path middleware comment claiming both `$`
and `!` need percent-encoding for chi's tree match, while the
implementation only calls r.URL.RawPath = r.URL.EscapedPath() which
does not encode either character per the suggestion's reading.

In practice EscapedPath does encode `!` as `%21` (only `?` is the
hardcoded escape, `!` is escaped because Go's net/url treats it as
needing encoding outside specific contexts). It leaves `$` literal,
which chi handles fine. chi.URLParam returns the encoded segment
verbatim, and downstream OpenCloud handlers (parseIDParam,
GetDriveAndItemIDParam) already PathUnescape before parsing IDs, so
the round-trip works end-to-end. The acceptance tests on this
branch already exercise this with real `$`/`!`-containing IDs.

Add a focused unit test that mounts the middleware behind chi,
sends a colon URL, and asserts the actual contract:
  - driveID (only `$`): chi.URLParam returns it literal
  - itemID (with `!`):  PathUnescape(chi.URLParam(...)) == original

Update the misleading comment so future readers (and reviewers) see
what the encoding actually does and which downstream contract it
relies on.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
3b42c6250d test(graph): acceptance tests for MS Graph colon-syntax path lookup
Cover the rewrite shapes the middleware handles end-to-end against a
real OpenCloud server: root-anchored, item-anchored, deep paths,
trailing colon, and the "/<path>:/<suffix>" sub-route form. Also
assert that NOT_FOUND and PERMISSION_DENIED both collapse to 404.

The /permissions sub-route is registered only at /v1beta1, and the
v1beta1 GetDriveItem handler is share-jail-only, so the v1beta1
mount of the middleware is exercised through the permissions
scenario, since there is no other v1beta1 endpoint that works for
regular personal-drive items.
2026-07-01 17:44:31 +02:00