* upgrade to go1.19 and set go mem limit
* create ocis-pkg memlimit package
* use std automemlimit import
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* import automemlimit in every ocis service, drop ocis-pkg/memlimit package
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* bump go to 1.20
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* drop unused config options and env vars
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update all version numbers, add doc
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix lint
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update bingo and mockery
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* bump golangci-lint
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix selector test
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* Update changelog/unreleased/enhancement-memlimit.md
Co-authored-by: kobergj <juliankoberg@googlemail.com>
---------
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: Willy Kloucek <wkloucek@owncloud.com>
Co-authored-by: kobergj <juliankoberg@googlemail.com>
Avoid torturing the settings service with "ListRoles" request for
every incoming request to the proxy.
The role Mapping is refreshed if cached data is older than 5 minutes.
Add a UserRoleAssigner implementation that extract role names from the
users' claims and creates role assignments in the settings service based
on a configured mapping of claim values to ocis role names.
Closes: #5669
This moves the lookup and the creation of the users' role assignemt out
of the user backend into its own interface. This makes the user backend
a bit simpler and allows to provide different implemenation for the user
role assignment more easily.
This removes the "withRoles" flag from the GetUserByClaims lookup and move the
functionality into a separate method. This should make the code a bit more readable
in preparation for maintaining the RoleAssignments from OIDC claims.
For certain setups we don't need the ADMIN_USER_ID to be set. It is
mainly needed for bootstrapping the internal idm and the initial role
assignment. If roles are assigned by other means (e.g. OIDC claims
in the future) we don't need it.
This makes the ADMIN_USER_ID optional, also if ADMIN_USER_ID is unset
we don't need to configure a password for the admin user. We will still
generated the admin_id and password when running 'ocis init', but it is
ok to run manual setups without those settings.
Introduces a switch ('GRAPH_ASSIGN_DEFAULT_USER_ROLE') to allow to disable the assignment of the default role "User" to newly created users.
This will be used for setups where the role-assignments are populated either manually or during first login (e.g. from OIDC claims)
Fixes 5603
- Calling POST /graph/v1.0/users with userType not set will create a user as "Member"
- Calling POST /graph/v1.0/users with userType set as "Member" or "Guest" will create a user as "Member" or "Guest"
- Calling POST /graph/v1.0/users with userType set as anything but "Member" or "Guest" returns error
- Calling POST /graph/v1.0/education/users with userType not set will create a user as "Member"
- Calling POST /graph/v1.0/education/users with userType set as "Member" will create a user as "Member" and primary role as parameter specifies
- Calling POST /graph/v1.0/education/users with userType set as "Guest" will create a user as "Guest" and primary role as parameter specifies
- Calling POST /graph/v1.0/education/users with userType not set as anything but "Member" or "Guest" returns error
- Calling PATCH on /users or /education/users will update attribute in the same way as for POST
When using metadata backend the default role assignments for the demo users
where create independed of whether the demo users are were actually requested
to be created. This also fixes the name of the env var for enabling the demo
users. This was missed when moving from the accounts service to graph/idm for
user management.
When using the metadata storage (the current default) the default role
assignments were recreated at every start of the settings service. Leading to
duplicated role assignments
Fixes: #3432
* add policies service
add policies proxy middleware
add policies event service
add policies grpc service
prepare ci and git environments (ci, make, readme, doc)
* add webfinger to the drone conf
* fix docs
remove not used virus scan postprocessing step
* relocate example rego file
implicitly enable and disable proxy and postprocessing policy checking by setting the query.
update configuration descriptions
* move policies
update readme
* use converter func to convert pp environment to actual environment
expose and test custom rego functions
add engine unit tests
add opa unit tests
update policies readme
Co-authored-by: Martin <github@diemattels.at>
* relocate sample policies to the deployments folder
change and document policies service port
* update index.md and small fix
* add health command
add version command
add debug server
---------
Co-authored-by: Martin <github@diemattels.at>
