Commit Graph

23323 Commits

Author SHA1 Message Date
Pascal Bleser
7367f5bd6a add an OIDC Directory to Stalwart, requires exposing Keycloak port 8080 directly to access the userinfo endpoint using HTTP since the certificates in traefik are self-signed and end up being rejected by Stalwart with no option to bypass the certificate check 2026-07-09 14:15:48 +02:00
Pascal Bleser
e4f415652d rename Stalwart fallback admin username from 'admin' to 'mailadmin' since 'admin' exists as a regular user in LDAP and thus won't have access to the administration 2026-07-09 14:15:48 +02:00
Pascal Bleser
77af5d6e5e add missing routing for /groupware (currently unprotected for testing) 2026-07-09 14:15:48 +02:00
Pascal Bleser
11f45fc83b WIP: initial implementation of the groupware service 2026-07-09 14:15:48 +02:00
Pascal Bleser
6f03eae368 Add Stalwart container to the opencloud_full deployment, using the OpenLDAP container as a directory for user authentication 2026-07-09 14:15:48 +02:00
Alex
e4faa179b6 feat: add disableSponsorLink web config option (#3093) 2026-07-09 13:33:07 +02:00
Viktor Scharf
9efc71d42e [decomposed] more cli command tests (#3087)
* more cli command tests

* add tests to expected failures file
2026-07-09 07:51:43 +02:00
Jörn Friedrich Dreyer
415900ab01 chore(idp): update axios
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2026-07-08 17:09:05 +02:00
Thomas Schweiger
50be30e5db fix: fix typo in proxy service documentation 2026-07-08 10:25:47 +02:00
opencloudeu
95f29d0440 [tx] updated from transifex 2026-07-07 23:16:19 +00:00
dependabot[bot]
ee478ed6a5 build(deps): bump golang.org/x/text from 0.38.0 to 0.39.0
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.38.0 to 0.39.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.38.0...v0.39.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 17:08:57 +02:00
dependabot[bot]
e53c77e2be build(deps): bump github.com/go-chi/chi/v5 from 5.3.0 to 5.3.1
Bumps [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) from 5.3.0 to 5.3.1.
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](https://github.com/go-chi/chi/compare/v5.3.0...v5.3.1)

---
updated-dependencies:
- dependency-name: github.com/go-chi/chi/v5
  dependency-version: 5.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 14:08:35 +02:00
dependabot[bot]
6f838a2131 build(deps): bump github.com/nats-io/nats-server/v2
Bumps [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server) from 2.14.2 to 2.14.3.
- [Release notes](https://github.com/nats-io/nats-server/releases)
- [Changelog](https://github.com/nats-io/nats-server/blob/main/RELEASES.md)
- [Commits](https://github.com/nats-io/nats-server/compare/v2.14.2...v2.14.3)

---
updated-dependencies:
- dependency-name: github.com/nats-io/nats-server/v2
  dependency-version: 2.14.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 12:32:16 +02:00
dependabot[bot]
e4dfada264 build(deps): bump github.com/gookit/config/v2 from 2.2.8 to 2.2.9
Bumps [github.com/gookit/config/v2](https://github.com/gookit/config) from 2.2.8 to 2.2.9.
- [Release notes](https://github.com/gookit/config/releases)
- [Commits](https://github.com/gookit/config/compare/v2.2.8...v2.2.9)

---
updated-dependencies:
- dependency-name: github.com/gookit/config/v2
  dependency-version: 2.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-06 17:48:24 +02:00
dependabot[bot]
bce52eec38 build(deps): bump github.com/open-policy-agent/opa from 1.18.1 to 1.18.2
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.18.1 to 1.18.2.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.18.1...v1.18.2)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.18.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-06 15:06:27 +02:00
dependabot[bot]
2683b2db6f build(deps): bump github.com/kovidgoyal/imaging from 1.8.21 to 1.8.22
Bumps [github.com/kovidgoyal/imaging](https://github.com/kovidgoyal/imaging) from 1.8.21 to 1.8.22.
- [Release notes](https://github.com/kovidgoyal/imaging/releases)
- [Commits](https://github.com/kovidgoyal/imaging/compare/v1.8.21...v1.8.22)

---
updated-dependencies:
- dependency-name: github.com/kovidgoyal/imaging
  dependency-version: 1.8.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-06 15:05:54 +02:00
Benedikt Kulmann
08bb6fe003 chore: add github funding 2026-07-06 11:56:29 +02:00
opencloudeu
7de9ade8aa [tx] updated from transifex 2026-07-05 23:16:18 +00:00
opencloudeu
f714b22dc4 [tx] updated from transifex 2026-07-03 23:16:24 +00:00
opencloudeu
0fd05d3f5c [tx] updated from transifex 2026-07-02 23:16:19 +00:00
dependabot[bot]
85be8e726b build(deps): bump github.com/libregraph/lico from 0.66.0 to 0.67.0
Bumps [github.com/libregraph/lico](https://github.com/libregraph/lico) from 0.66.0 to 0.67.0.
- [Changelog](https://github.com/libregraph/lico/blob/master/CHANGELOG.md)
- [Commits](https://github.com/libregraph/lico/compare/v0.66.0...v0.67.0)

---
updated-dependencies:
- dependency-name: github.com/libregraph/lico
  dependency-version: 0.67.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-02 09:15:58 +02:00
Benedikt Kulmann
eee040d066 chore: trigger settings bot 2026-07-02 08:51:29 +02:00
dependabot[bot]
364d090667 build(deps): bump google.golang.org/grpc from 1.81.1 to 1.82.0
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.81.1 to 1.82.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.81.1...v1.82.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.82.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-02 08:12:25 +02:00
dependabot[bot]
04a924f716 build(deps): bump github.com/open-policy-agent/opa from 1.17.1 to 1.18.1
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.17.1 to 1.18.1.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.17.1...v1.18.1)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-02 08:11:54 +02:00
opencloudeu
c2ceb923e4 [tx] updated from transifex 2026-07-01 23:16:28 +00:00
Dominik Schmidt
11449b5943 docs(graph): frame colon paths as "encode segments" instead of a raw-colon edge case
Per review discussion: don't document accidental behavior. The contract is
simply "percent-encode each path segment, as MS Graph requires; encode ':'
as %3A" - OpenCloud allows ':' in names (OneDrive forbids it), so it's one
more character in the mandatory encode set, not a special case.

The parser is unchanged (split on ":/", decode once). This only rewrites the
docs (code comment, acceptance feature, PR description) to state the encode
contract, and drops the tests that relied on a raw, unencoded ':' in a file
name - keeping the "%3A" test that reflects the actual contract.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
b6a4a66aef refactor(graph): split colon paths on ":/" so colons in names work
Review feedback: split the anchor/path and path/suffix on the structural
delimiter ":/" instead of a bare ":". Since the path and suffix always
start with "/", ":/" is the real delimiter, and a ":" *inside* a file or
directory name (which OpenCloud allows but MS Graph/OneDrive forbid) is
kept as part of the path instead of being mistaken for a separator.

A ":" sitting at a segment boundary (e.g. a name ending in ":") stays
ambiguous and must be percent-encoded as "%3A": the split works on the
literal ":/", so "%3A" is never a delimiter and decodes back to ":". This
is now documented in the code and the acceptance feature.

Tests: colon inside a name (with and without a suffix), the Stat path
carrying the colon, and the "%3A" boundary escape.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
95544b65ef docs(graph): drop stale regex references from colon-path comments
The colon-syntax parsing is plain string operations now, but a few
comments still referred to "the previous regex" / "captures". Update them
to match: parseColonPath extracts the itemID from the path (driveID comes
from the route param), and the shape checks stand on their own.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
407bb2bc70 refactor(graph): clearer colon-path anchor parsing, pin second-colon rule
parseColonPath split the anchor asymmetrically (root trimmed the delimiter
colon as part of a literal "/root:" prefix, item cut on it), and the root
branch's comment talked about the driveID which isn't this function's
concern. Split once at the first colon into anchor + rest, then classify
the anchor (exactly "/root", or "/items/{id}" with a single-segment id).
Same behavior, easier to follow.

Also add explicit coverage for the rule that a suffix requires a second
colon: "/root:/Documents/children" (no second colon) is the path
"/Documents/children", not the path "/Documents" with a "/children"
suffix. Two tests pin it end-to-end - it must route to the bare item (not
/items/{id}/children) and Stat must receive the full path.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
4b98022688 refactor(graph): parse colon paths with string ops instead of regexes
Review feedback: the two colon-syntax regexes were hard to read. Since the
middleware is scoped to /drives/{driveID}, the RoutePath it inspects is just
the sub-path (/root:/... or /items/{id}:/...), so a regex buys nothing.

Replace rootColonRe/itemColonRe (and the matchInto/extract helpers) with a
single parseColonPath that uses plain string operations
(HasPrefix/TrimPrefix/TrimSuffix/Cut), one commented step at a time.
Behavior is unchanged; the existing table tests (trailing colon, no suffix,
deep paths, multi-segment suffixes, item-anchored, encoded paths) still pass
and pin it.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
1f51bad9d1 refactor(graph): scope colon-path middleware to /drives/{driveID}
Addresses review feedback: a sub-router middleware can re-route after all,
as long as it rewrites chi.RouteContext().RoutePath instead of r.URL.Path.
Once chi has descended into a sub-router its routeHTTP matches against
rctx.RoutePath and ignores r.URL.Path, which is why the earlier top-level
registration was thought to be required.

Move ResolveGraphPath off the top-level mux.Use and attach it to the
/drives/{driveID} sub-routers (v1.0 + v1beta1). It now reads driveID from
chi.URLParam and matches against RoutePath (the part below the drive), so
the regexes drop the version + drive prefix entirely.

RoutePath carries the percent-encoded wire form (Graph.ServeHTTP sets
RawPath), so the captured driveID/itemID/path are PathUnescape'd exactly
once - reproducing the decoded r.URL.Path a normal handler would see,
without the previous RawPath/EscapedPath workaround. r.URL.Path is now
left untouched; only chi's internal RoutePath is rewritten.

Tests are reworked to drive requests through a chi router mirroring the
production nesting (including the Graph.ServeHTTP RawPath behavior), so
chi's sub-router middleware ordering, RoutePath encoding and param
round-trip are all covered indirectly: a chi upgrade that changes any of
them fails these tests instead of silently breaking colon-path lookups.
Adds explicit coverage for percent-decoding (%20, %252F) and the `$`/`!`
sub-delimiter id round-trip.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
8f51a4318a test(graph): pin chi URLParam round-trip for IDs with ! sub-delim
Codacy flagged the colon-path middleware comment claiming both `$`
and `!` need percent-encoding for chi's tree match, while the
implementation only calls r.URL.RawPath = r.URL.EscapedPath() which
does not encode either character per the suggestion's reading.

In practice EscapedPath does encode `!` as `%21` (only `?` is the
hardcoded escape, `!` is escaped because Go's net/url treats it as
needing encoding outside specific contexts). It leaves `$` literal,
which chi handles fine. chi.URLParam returns the encoded segment
verbatim, and downstream OpenCloud handlers (parseIDParam,
GetDriveAndItemIDParam) already PathUnescape before parsing IDs, so
the round-trip works end-to-end. The acceptance tests on this
branch already exercise this with real `$`/`!`-containing IDs.

Add a focused unit test that mounts the middleware behind chi,
sends a colon URL, and asserts the actual contract:
  - driveID (only `$`): chi.URLParam returns it literal
  - itemID (with `!`):  PathUnescape(chi.URLParam(...)) == original

Update the misleading comment so future readers (and reviewers) see
what the encoding actually does and which downstream contract it
relies on.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
3b42c6250d test(graph): acceptance tests for MS Graph colon-syntax path lookup
Cover the rewrite shapes the middleware handles end-to-end against a
real OpenCloud server: root-anchored, item-anchored, deep paths,
trailing colon, and the "/<path>:/<suffix>" sub-route form. Also
assert that NOT_FOUND and PERMISSION_DENIED both collapse to 404.

The /permissions sub-route is registered only at /v1beta1, and the
v1beta1 GetDriveItem handler is share-jail-only, so the v1beta1
mount of the middleware is exercised through the permissions
scenario, since there is no other v1beta1 endpoint that works for
regular personal-drive items.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
6343f7e861 refactor(graph): drop MS Graph framing from colon-path middleware logs 2026-07-01 17:44:31 +02:00
Dominik Schmidt
7498e8f848 fix(graph): map UNAUTHENTICATED to 401, validate drive/item id pair
Three more Copilot review nits on the colon-syntax middleware:

- CS3 Stat returning UNAUTHENTICATED now surfaces as HTTP 401 (was 500
  via the default-case fallback). Distinct sentinel + handler branch.
- Item-anchored form (/drives/{driveID}/items/{itemID}:/...) now
  validates that driveID's storage/space prefix matches the itemID's,
  short-circuiting to 400 InvalidRequest on mismatch instead of doing
  a CS3 Stat that would only fail at the handler layer.
- ParseID failures on the anchor id now surface as 400 (was 404). In
  practice this branch is defensive — storagespace.ParseID is lenient
  and only errors on empty input, which the regex already filters out
  — but the right semantic for malformed client input is 400, not 404.

Tests: added two new cases (UNAUTHENTICATED → 401, drive/item id
mismatch → 400). The "malformed drive id" case Copilot suggested
isn't reachable in practice given ParseID's leniency, so it's not
covered.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
e49959b833 fix(graph): preserve RawPath workaround + use NopLogger in tests
Two follow-up Copilot review nits on the colon-syntax middleware:

- Don't blank r.URL.RawPath after the rewrite. Graph.ServeHTTP sets
  RawPath = EscapedPath() as a workaround for chi's parameter-binding
  quirks with `$`/`!` in IDs (see go-chi/chi#641). Clearing RawPath
  for rewritten requests negates that workaround. Re-establish the
  same invariant after the rewrite.

- Tests previously used log.NewLogger(), which mutates global zerolog
  state. Switch to log.NopLogger() — order-independent, no global
  side effects.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
f31e50381f fix(graph): address Copilot review feedback on path lookup middleware
- Drop double-decoding of URL path components. r.URL.Path is already
  decoded by net/http; calling url.PathUnescape again would let crafted
  inputs like "%252F" become "/", changing path semantics. Path and
  anchor-id strings now go straight to utils.MakeRelativePath /
  storagespace.ParseID.
- Distinguish operational errors from "not found". Gateway selection
  failure, RPC transport errors, and unexpected CS3 status codes now
  surface as 500 (don't mask outages); only NOT_FOUND and PERMISSION_DENIED
  collapse to 404 (no existence disclosure). Implemented via a sentinel
  errPathNotFound + a 500 fall-through.
- Refactor the two regex-handling branches in rewriteColonPath to share a
  resolution path via a small colonMatch struct + matchInto/extract helpers.
  Removes the SonarCloud duplication finding without changing behavior.
- Update the docstring on ResolveGraphPath to reflect that the rewrite
  preserves the requested API version (/{version}/...) rather than
  hard-coding /v1beta1/...
- Test cleanup: register t.Cleanup to remove the per-subtest selector
  entry from pool's global selectors map after the subtest, and update
  the "unexpected status" case to expect 500 (matches the new error
  semantics).
2026-07-01 17:44:31 +02:00
Dominik Schmidt
0b373817a8 feat(graph): add MS Graph colon-syntax path lookup middleware
Adds a chi middleware that detects MS Graph colon-syntax URLs and rewrites
them to the canonical /items/{itemID}/... form before chi performs route
matching. Existing handlers, routes, and GetDriveAndItemIDParam stay
unchanged.

Two URL shapes are recognized at both /v1.0 and /v1beta1:

  /drives/{driveID}/root:/<path>[:/<suffix>][:]
  /drives/{driveID}/items/{itemID}:/<relativePath>[:/<suffix>][:]

Path resolution runs as the request user via CS3 Stat. Both NOT_FOUND and
PERMISSION_DENIED collapse to a 404 response so existence isn't disclosed
to unauthorized callers. URLs without colon syntax fast-path through with
a single substring check. The original URL is stashed in request context
under OriginalPathContextKey for downstream tracing/logging.

The middleware is registered as a top-level mux.Use so it runs before any
route matching: chi middleware on a sub-router runs after the prefix is
matched but cannot redirect to a different leaf route. Top-level
middleware lets URL rewriting actually re-route the request.

Tests cover regex matching across versions, all rewrite variants
(root/items anchored, with/without suffix, with/without trailing colon,
deep paths), NOT_FOUND -> 404, PERMISSION_DENIED -> 404 (security: no
existence disclosure), and original-URL preservation in request context.
2026-07-01 17:44:31 +02:00
Alex
93fb9cbf6c feat: adjust theme chrome colors and logos (#2599) 2026-07-01 13:20:39 +02:00
dependabot[bot]
e599fa57aa build(deps): bump github.com/jellydator/ttlcache/v3 from 3.4.0 to 3.4.1
Bumps [github.com/jellydator/ttlcache/v3](https://github.com/jellydator/ttlcache) from 3.4.0 to 3.4.1.
- [Release notes](https://github.com/jellydator/ttlcache/releases)
- [Commits](https://github.com/jellydator/ttlcache/compare/v3.4.0...v3.4.1)

---
updated-dependencies:
- dependency-name: github.com/jellydator/ttlcache/v3
  dependency-version: 3.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-01 09:57:45 +02:00
dependabot[bot]
00ec9a8898 build(deps): bump go.etcd.io/bbolt from 1.4.3 to 1.5.0
Bumps [go.etcd.io/bbolt](https://github.com/etcd-io/bbolt) from 1.4.3 to 1.5.0.
- [Release notes](https://github.com/etcd-io/bbolt/releases)
- [Commits](https://github.com/etcd-io/bbolt/compare/v1.4.3...v1.5.0)

---
updated-dependencies:
- dependency-name: go.etcd.io/bbolt
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-01 09:56:17 +02:00
Ralf Haferkamp
22485957fe chore: bump version in license-checker clarifications 2026-06-30 18:10:16 +02:00
dependabot[bot]
06c7d6d7af build(deps-dev): bump i18next-conv in /services/idp
Bumps [i18next-conv](https://github.com/i18next/i18next-gettext-converter) from 15.1.2 to 17.0.0.
- [Release notes](https://github.com/i18next/i18next-gettext-converter/releases)
- [Changelog](https://github.com/i18next/i18next-gettext-converter/blob/master/CHANGELOG.md)
- [Commits](https://github.com/i18next/i18next-gettext-converter/compare/v15.1.2...v17.0.0)

---
updated-dependencies:
- dependency-name: i18next-conv
  dependency-version: 17.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-30 18:10:16 +02:00
opencloudeu
858f03fde4 [tx] updated from transifex 2026-06-29 23:16:21 +00:00
Michael Stingl
ea29a5d1a4 test(apiSpaces): a space admin can delete a space with no manager (#3040)
#1877 reordered the api-test teardown to delete spaces before users, so the
state where a project space's manager has been deleted is no longer exercised.
This adds explicit coverage for it: the only manager of a project space is
deleted, and a space admin can still list and delete (disable + purge) the space.

Related: #1878
2026-06-29 10:00:44 +02:00
Jannik Stehle
012d817288 Merge pull request #3019 from opencloud-eu/chore/bump-web-skill
chore(skills): add skill for bumping web
2026-06-29 09:52:36 +02:00
Ralf Haferkamp
ab7cf4655a Merge pull request #3023 from opencloud-eu/dependabot/go_modules/github.com/testcontainers/testcontainers-go/modules/opensearch-0.43.0
build(deps): bump github.com/testcontainers/testcontainers-go/modules/opensearch from 0.42.0 to 0.43.0
2026-06-26 12:53:53 +02:00
Ralf Haferkamp
9318001dcc Merge pull request #3024 from opencloud-eu/dependabot/go_modules/go.opentelemetry.io/contrib/zpages-0.69.0
build(deps): bump go.opentelemetry.io/contrib/zpages from 0.68.0 to 0.69.0
2026-06-26 11:37:38 +02:00
Ralf Haferkamp
a7b57ccfc2 Merge pull request #3022 from opencloud-eu/dependabot/go_modules/github.com/onsi/ginkgo/v2-2.32.0
build(deps): bump github.com/onsi/ginkgo/v2 from 2.31.0 to 2.32.0
2026-06-26 09:19:09 +02:00
Ralf Haferkamp
6300c99924 Merge pull request #3025 from rhafer/bump-reva
chore: switch reva back from fork
2026-06-26 09:17:42 +02:00