mirror of
https://github.com/opencloud-eu/opencloud.git
synced 2026-01-04 12:10:21 -05:00
137 lines
4.6 KiB
Go
137 lines
4.6 KiB
Go
/*
|
|
* Copyright 2021 Kopano and its licensors
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*
|
|
*/
|
|
|
|
package bootstrap
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
|
|
"github.com/libregraph/lico/bootstrap"
|
|
"github.com/libregraph/lico/identifier"
|
|
"github.com/libregraph/lico/identity"
|
|
"github.com/libregraph/lico/identity/managers"
|
|
|
|
cs3 "github.com/opencloud-eu/opencloud/services/idp/pkg/backends/cs3/identifier"
|
|
)
|
|
|
|
// Identity managers.
|
|
const (
|
|
identityManagerName = "cs3"
|
|
)
|
|
|
|
// Register adds the CS3 identity manager to the lico bootstrap
|
|
func Register() error {
|
|
return bootstrap.RegisterIdentityManager(identityManagerName, NewIdentityManager)
|
|
}
|
|
|
|
// MustRegister adds the CS3 identity manager to the lico bootstrap or panics
|
|
func MustRegister() {
|
|
if err := Register(); err != nil {
|
|
panic(err)
|
|
}
|
|
}
|
|
|
|
// NewIdentityManager produces a CS3 backed identity manager instance for the idp
|
|
func NewIdentityManager(bs bootstrap.Bootstrap) (identity.Manager, error) {
|
|
config := bs.Config()
|
|
|
|
logger := config.Config.Logger
|
|
|
|
if config.AuthorizationEndpointURI.String() != "" {
|
|
return nil, fmt.Errorf("cs3 backend is incompatible with authorization-endpoint-uri parameter")
|
|
}
|
|
config.AuthorizationEndpointURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/identifier/_/authorize")
|
|
|
|
if config.EndSessionEndpointURI.String() != "" {
|
|
return nil, fmt.Errorf("cs3 backend is incompatible with endsession-endpoint-uri parameter")
|
|
}
|
|
config.EndSessionEndpointURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/identifier/_/endsession")
|
|
|
|
if config.SignInFormURI.EscapedPath() == "" {
|
|
config.SignInFormURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/identifier")
|
|
}
|
|
|
|
if config.SignedOutURI.EscapedPath() == "" {
|
|
config.SignedOutURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/goodbye")
|
|
}
|
|
|
|
identifierBackend, identifierErr := cs3.NewCS3Backend(
|
|
config.Config,
|
|
config.TLSClientConfig,
|
|
// FIXME add a map[string]interface{} property to the lico config.Config so backends can pass custom config parameters through the bootstrap process
|
|
os.Getenv("CS3_GATEWAY"),
|
|
os.Getenv("CS3_MACHINE_AUTH_API_KEY"),
|
|
config.Settings.Insecure,
|
|
)
|
|
if identifierErr != nil {
|
|
return nil, fmt.Errorf("failed to create identifier backend: %v", identifierErr)
|
|
}
|
|
|
|
fullAuthorizationEndpointURL := bootstrap.WithSchemeAndHost(config.AuthorizationEndpointURI, config.IssuerIdentifierURI)
|
|
fullSignInFormURL := bootstrap.WithSchemeAndHost(config.SignInFormURI, config.IssuerIdentifierURI)
|
|
fullSignedOutEndpointURL := bootstrap.WithSchemeAndHost(config.SignedOutURI, config.IssuerIdentifierURI)
|
|
|
|
activeIdentifier, err := identifier.NewIdentifier(&identifier.Config{
|
|
Config: config.Config,
|
|
|
|
BaseURI: config.IssuerIdentifierURI,
|
|
PathPrefix: bs.MakeURIPath(bootstrap.APITypeSignin, ""),
|
|
StaticFolder: config.IdentifierClientPath,
|
|
ScopesConf: config.IdentifierScopesConf,
|
|
WebAppDisabled: config.IdentifierClientDisabled,
|
|
|
|
LogonCookieName: "__Secure-KKT", // Kopano-Konnect-Token
|
|
LogonCookieSameSite: config.CookieSameSite,
|
|
|
|
ConsentCookieSameSite: config.CookieSameSite,
|
|
|
|
StateCookieSameSite: config.CookieSameSite,
|
|
|
|
AuthorizationEndpointURI: fullAuthorizationEndpointURL,
|
|
SignedOutEndpointURI: fullSignedOutEndpointURL,
|
|
|
|
DefaultBannerLogo: config.IdentifierDefaultBannerLogo,
|
|
DefaultSignInPageText: config.IdentifierDefaultSignInPageText,
|
|
DefaultUsernameHintText: config.IdentifierDefaultUsernameHintText,
|
|
UILocales: config.IdentifierUILocales,
|
|
|
|
Backend: identifierBackend,
|
|
})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create identifier: %v", err)
|
|
}
|
|
err = activeIdentifier.SetKey(config.EncryptionSecret)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("invalid --encryption-secret parameter value for identifier: %v", err)
|
|
}
|
|
|
|
identityManagerConfig := &identity.Config{
|
|
SignInFormURI: fullSignInFormURL,
|
|
SignedOutURI: fullSignedOutEndpointURL,
|
|
|
|
Logger: logger,
|
|
|
|
ScopesSupported: config.Config.AllowedScopes,
|
|
}
|
|
|
|
identifierIdentityManager := managers.NewIdentifierIdentityManager(identityManagerConfig, activeIdentifier)
|
|
logger.Infoln("using identifier backed identity manager")
|
|
|
|
return identifierIdentityManager, nil
|
|
}
|