diff --git a/accounts/pkg/flagset/flagset.go b/accounts/pkg/flagset/flagset.go index b58bcce54..e4f90896a 100644 --- a/accounts/pkg/flagset/flagset.go +++ b/accounts/pkg/flagset/flagset.go @@ -137,7 +137,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { Name: "jwt-secret", Value: "Pive-Fumkiu4", Usage: "Used to create JWT to talk to reva, should equal reva's jwt-secret", - EnvVars: []string{"ACCOUNTS_JWT_SECRET"}, + EnvVars: []string{"ACCOUNTS_JWT_SECRET", "OCIS_JWT_SECRET"}, Destination: &cfg.TokenManager.JWTSecret, }, &cli.StringFlag{ @@ -172,7 +172,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { Name: "storage-cs3-jwt-secret", Value: "Pive-Fumkiu4", Usage: "Used to create JWT to talk to reva, should equal reva's jwt-secret", - EnvVars: []string{"ACCOUNTS_STORAGE_CS3_JWT_SECRET"}, + EnvVars: []string{"ACCOUNTS_STORAGE_CS3_JWT_SECRET", "OCIS_JWT_SECRET"}, Destination: &cfg.Repo.CS3.JWTSecret, }, &cli.StringFlag{ diff --git a/accounts/pkg/service/v0/service.go b/accounts/pkg/service/v0/service.go index cb74008c5..a0d882dc1 100644 --- a/accounts/pkg/service/v0/service.go +++ b/accounts/pkg/service/v0/service.go @@ -268,6 +268,12 @@ func (s Service) createDefaultAccounts() (err error) { }, } for i := range accounts { + a := &proto.Account{} + err := s.repo.LoadAccount(context.Background(), accounts[i].Id, a) + if !storage.IsNotFoundErr(err) { + continue // account already exists -> do not overwrite + } + if err := s.repo.WriteAccount(context.Background(), &accounts[i]); err != nil { return err } @@ -360,6 +366,12 @@ func (s Service) createDefaultGroups() (err error) { }}, } for i := range groups { + g := &proto.Group{} + err := s.repo.LoadGroup(context.Background(), groups[i].Id, g) + if !storage.IsNotFoundErr(err) { + continue // group already exists -> do not overwrite + } + if err := s.repo.WriteGroup(context.Background(), &groups[i]); err != nil { return err } 
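Review bot: Every `jwt-secret` flag touched by this commit keeps the hard-coded default `Pive-Fumkiu4`, so a deployment that sets neither `ACCOUNTS_JWT_SECRET` nor the new `OCIS_JWT_SECRET` signs and verifies tokens with a publicly known key; the same applies to the `storage-cs3-jwt-secret` hunk below and to the ocs, proxy, settings and storage flagset hunks later in the diff. Consider leaving `Value` empty and refusing to start when `cfg.TokenManager.JWTSecret` is empty, or at least emitting a startup warning while the default is in use. The `EnvVars` order also means the service-specific variable wins over `OCIS_JWT_SECRET` when both are set (the library uses the first variable that is set), which is worth stating in the help text, e.g. `Usage: "Used to create JWT to talk to reva, should equal reva's jwt-secret (ACCOUNTS_JWT_SECRET takes precedence over OCIS_JWT_SECRET)"`. `ServerWithConfig` starts and ends outside the hunk.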
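Review bot: The new existence check in `createDefaultAccounts` treats every non-NotFound error from `LoadAccount` as "already exists", so a backend read failure (permissions, unreadable record, unreachable store) silently skips creating the default account instead of surfacing the error; the `createDefaultGroups` hunk has the same shape. Split the two cases: `if err == nil { continue } // account already exists -> do not overwrite` followed by `if !storage.IsNotFoundErr(err) { return err }`. The `err :=` inside the loop also shadows the named result `err`; plain `err = ...` keeps a single variable. Both function bodies start before their hunks.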
diff --git a/deployments/examples/cs3_users_ocis/.env b/deployments/examples/cs3_users_ocis/.env index 016f879e4..b1ceeece4 100644 --- a/deployments/examples/cs3_users_ocis/.env +++ b/deployments/examples/cs3_users_ocis/.env @@ -17,6 +17,8 @@ TRAEFIK_ACME_MAIL= OCIS_DOCKER_TAG= # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test" OCIS_DOMAIN= +# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" +OCIS_JWT_SECRET= ### LDAP server settings ### diff --git a/deployments/examples/cs3_users_ocis/docker-compose.yml b/deployments/examples/cs3_users_ocis/docker-compose.yml index 5513f2745..af468f5f6 100644 --- a/deployments/examples/cs3_users_ocis/docker-compose.yml +++ b/deployments/examples/cs3_users_ocis/docker-compose.yml @@ -51,14 +51,14 @@ services: environment: # CS3 users from ldap specific configuration PROXY_CONFIG_FILE: "/config/proxy-config.json" - LDAP_FILTER: "(&(objectclass=inetOrgPerson)(objectClass=owncloud))" - LDAP_URI: ldap://ldap-server:389 - LDAP_BINDDN: "cn=admin,dc=owncloud,dc=com" - LDAP_BINDPW: ${LDAP_ADMIN_PASSWORD:-admin} - LDAP_BASEDN: "dc=owncloud,dc=com" - LDAP_LOGIN_ATTRIBUTE: uid - LDAP_UUID_ATTRIBUTE: "ownclouduuid" - LDAP_UUID_ATTRIBUTE_TYPE: binary + IDP_LDAP_FILTER: "(&(objectclass=inetOrgPerson)(objectClass=owncloud))" + IDP_LDAP_URI: ldap://ldap-server:389 + IDP_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com" + IDP_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} + IDP_LDAP_BASE_DN: "dc=owncloud,dc=com" + IDP_LDAP_LOGIN_ATTRIBUTE: uid + IDP_LDAP_UUID_ATTRIBUTE: "ownclouduuid" + IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary PROXY_ACCOUNT_BACKEND_TYPE: cs3 STORAGE_LDAP_HOSTNAME: ldap-server STORAGE_LDAP_PORT: 636 
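Review bot: The IDP is still bound to the directory as the LDAP administrator (`IDP_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"` with `LDAP_ADMIN_PASSWORD`), so a compromise of the IDP container yields full write access to the directory although the IDP only needs to search and read user entries. A dedicated read-only bind account with its own password variable would be the least-privilege setup for this example; the `STORAGE_LDAP_*` settings a few lines down presumably bind the same way, but that is outside the hunk. The `admin` fallback is acceptable for an example only if the `.env` comment for `LDAP_ADMIN_PASSWORD` says it must be changed, which I cannot see from this diff.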
@@ -74,6 +74,8 @@ services: OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates + # change default secrets + OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4} volumes: - ./config/ocis/proxy-config.json:/config/proxy-config.json - ocis-data:/var/tmp/ocis diff --git a/deployments/examples/ocis_keycloak/.env b/deployments/examples/ocis_keycloak/.env index e21b3d4d5..4ca629463 100644 --- a/deployments/examples/ocis_keycloak/.env +++ b/deployments/examples/ocis_keycloak/.env @@ -19,6 +19,12 @@ OCIS_DOCKER_TAG= OCIS_DOMAIN= # owncloud Web openid connect client id. Defaults to "web" OCIS_OIDC_CLIENT_ID= +# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp". +IDP_LDAP_BIND_PASSWORD= +# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva". +STORAGE_LDAP_BIND_PASSWORD= +# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" +OCIS_JWT_SECRET= ### Keycloak ### # Domain of Keycloak, where you can find the managment and authentication frontend. Defaults to "keycloak.owncloud.test" diff --git a/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh new file mode 100644 index 000000000..65a1ed475 --- /dev/null +++ b/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh 
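Review bot: `OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}` interpolates a variable the `.env` file never defines, while the `.env` hunk just above documents `OCIS_JWT_SECRET=` as the knob to set, so a user who follows that comment still runs the container with the default secret. The line should read `OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}`; the ocis_keycloak and ocis_traefik docker-compose hunks later in the diff have the same mismatch. Nothing fails as written, and the only symptom is that the published default keeps working, which is hard to notice.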
@@ -0,0 +1,25 @@ +#!/bin/sh + +set -evx + +ocis server& +sleep 10 + +echo "##################################################" +echo "change default secrets:" + +# IDP +IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o) +echo " IDP user UUID: $IDP_USER_UUID" +ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID + +# REVA +REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o) +echo " Reva user UUID: $REVA_USER_UUID" +ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID + +killall ocis +echo "default serets changed" +echo "##################################################" + +ocis server diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml index 97aacea28..55c7d20f5 100644 --- a/deployments/examples/ocis_keycloak/docker-compose.yml +++ b/deployments/examples/ocis_keycloak/docker-compose.yml @@ -47,6 +47,9 @@ services: image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest} networks: ocis-net: + entrypoint: + - /bin/sh + - /entrypoint-override.sh environment: # Keycloak IDP specific configuration PROXY_AUTOPROVISION_ACCOUNTS: "true" @@ -60,7 +63,12 @@ services: OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates + # change default secrets + IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp} + STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva} + OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4} volumes: + - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ocis-data:/var/tmp/ocis labels: - "traefik.enable=true" diff --git a/deployments/examples/ocis_traefik/.env b/deployments/examples/ocis_traefik/.env index 132b2c6b7..94906757f 100644 
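Review bot: `set -evx` echoes every command of the entrypoint, so the two `ocis accounts update --password ...` lines print `IDP_LDAP_BIND_PASSWORD` and `STORAGE_LDAP_BIND_PASSWORD` in clear text to the container log and to anything that ships those logs; the identical script under ocis_traefik has the same problem. Keep `set -e` and either drop `-vx` or bracket the two update calls with `set +x` / `set -x`. The variables should also be quoted (`"$IDP_LDAP_BIND_PASSWORD"`, `"$IDP_USER_UUID"`) so a password containing spaces or glob characters is passed as one argument, and the fixed `sleep 10` is a race against the server becoming ready; polling `ocis accounts list` until it succeeds would be more robust. Minor: the final echo says "serets".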
--- a/deployments/examples/ocis_traefik/.env +++ b/deployments/examples/ocis_traefik/.env @@ -17,7 +17,12 @@ TRAEFIK_ACME_MAIL= OCIS_DOCKER_TAG= # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test" OCIS_DOMAIN= - +# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp". +IDP_LDAP_BIND_PASSWORD= +# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva". +STORAGE_LDAP_BIND_PASSWORD= +# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" +OCIS_JWT_SECRET= # If you want to use debugging and tracing with this stack, # you need uncomment following line. Please see documentation at diff --git a/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh new file mode 100644 index 000000000..65a1ed475 --- /dev/null +++ b/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +set -evx + +ocis server& +sleep 10 + +echo "##################################################" +echo "change default secrets:" + +# IDP +IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o) +echo " IDP user UUID: $IDP_USER_UUID" +ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID + +# REVA +REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o) +echo " Reva user UUID: $REVA_USER_UUID" +ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID + +killall ocis +echo "default serets changed" +echo "##################################################" + +ocis server diff --git a/deployments/examples/ocis_traefik/docker-compose.yml b/deployments/examples/ocis_traefik/docker-compose.yml index 2419b62c8..284d33efa 100644 
--- a/deployments/examples/ocis_traefik/docker-compose.yml +++ b/deployments/examples/ocis_traefik/docker-compose.yml @@ -46,11 +46,19 @@ services: image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest} networks: ocis-net: + entrypoint: + - /bin/sh + - /entrypoint-override.sh environment: OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates + # change default secrets + IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp} + STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva} + OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4} volumes: + - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ocis-data:/var/tmp/ocis labels: - "traefik.enable=true" diff --git a/idp/pkg/config/config.go b/idp/pkg/config/config.go index 617fda130..9e051be63 100644 --- a/idp/pkg/config/config.go +++ b/idp/pkg/config/config.go @@ -28,6 +28,21 @@ type HTTP struct { TLS bool } +// Ldap defines the available LDAP configuration. +type Ldap struct { + URI string + BindDN string + BindPassword string + BaseDN string + Scope string + LoginAttribute string + EmailAttribute string + NameAttribute string + UUIDAttribute string + UUIDAttributeType string + Filter string +} + // Service defines the available service configuration. type Service struct { Name string @@ -51,14 +66,15 @@ type Asset struct { // Config combines all available configuration parts. type Config struct { - File string - Log Log - Debug Debug - HTTP HTTP - Tracing Tracing - Asset Asset - IDP bootstrap.Config - Service Service + File string + Log Log + Debug Debug + HTTP HTTP + Tracing Tracing + Asset Asset + IDP bootstrap.Config + Ldap Ldap + Service Service } // New initializes a new configuration with or without defaults. diff --git a/idp/pkg/flagset/flagset.go b/idp/pkg/flagset/flagset.go index ed348e2c0..68b2561a8 100644 
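Review bot: The new `Ldap` struct has a type comment but no field documentation, and `UUIDAttributeType` in particular appears to accept a small set of values a reader cannot infer from the type: the cs3_users_ocis compose file in this diff sets it to `binary` and the flag default is `text`. Add per-field comments, e.g. `// UUIDAttributeType is the encoding of UUIDAttribute, "text" or "binary".` and `// BindPassword is a credential; keep it out of logs and config dumps.`. Per Go initialism conventions the type and the `Config` field would be `LDAP`, but that is a style choice to apply consistently across the other services' config packages rather than here alone.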
--- a/idp/pkg/flagset/flagset.go
+++ b/idp/pkg/flagset/flagset.go
@@ -150,6 +150,83 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"IDP_IDENTITY_MANAGER"}, Destination: &cfg.IDP.IdentityManager, }, + &cli.StringFlag{ + Name: "ldap-uri", + Value: "ldap://localhost:9125", + Usage: "URI of the LDAP server (glauth)", + EnvVars: []string{"IDP_LDAP_URI"}, + Destination: &cfg.Ldap.URI, + }, + &cli.StringFlag{ + Name: "ldap-bind-dn", + Value: "cn=idp,ou=sysusers,dc=example,dc=org", + Usage: "Bind DN for the LDAP server (glauth)", + EnvVars: []string{"IDP_LDAP_BIND_DN"}, + Destination: &cfg.Ldap.BindDN, + }, + &cli.StringFlag{ + Name: "ldap-bind-password", + Value: "idp", + Usage: "Password for the Bind DN of the LDAP server (glauth)", + EnvVars: []string{"IDP_LDAP_BIND_PASSWORD"}, + Destination: &cfg.Ldap.BindPassword, + }, + &cli.StringFlag{ + Name: "ldap-base-dn", + Value: "ou=users,dc=example,dc=org", + Usage: "LDAP base DN of the oCIS users", + EnvVars: []string{"IDP_LDAP_BASE_DN"}, + Destination: &cfg.Ldap.BaseDN, + }, + &cli.StringFlag{ + Name: "ldap-scope", + Value: "sub", + Usage: "LDAP scope of the oCIS users", + EnvVars: []string{"IDP_LDAP_SCOPE"}, + Destination: &cfg.Ldap.Scope, + }, + &cli.StringFlag{ + Name: "ldap-login-attribute", + Value: "cn", + Usage: "LDAP login attribute of the oCIS users", + EnvVars: []string{"IDP_LDAP_LOGIN_ATTRIBUTE"}, + Destination: &cfg.Ldap.LoginAttribute, + }, + &cli.StringFlag{ + Name: "ldap-email-attribute", + Value: "mail", + Usage: "LDAP email attribute of the oCIS users", + EnvVars: []string{"IDP_LDAP_EMAIL_ATTRIBUTE"}, + Destination: &cfg.Ldap.EmailAttribute, + }, + &cli.StringFlag{ + Name: "ldap-name-attribute", + Value: "sn", + Usage: "LDAP name attribute of the oCIS users", + EnvVars: []string{"IDP_LDAP_NAME_ATTRIBUTE"}, + Destination: &cfg.Ldap.NameAttribute, + }, + &cli.StringFlag{ + Name: "ldap-uuid-attribute", + Value: "uid", + Usage: "LDAP UUID attribute of the oCIS users", + EnvVars: []string{"IDP_LDAP_UUID_ATTRIBUTE"}, + Destination: 
&cfg.Ldap.UUIDAttribute, + }, + &cli.StringFlag{ + Name: "ldap-uuid-attribute-type", + Value: "text", + Usage: "LDAP UUID attribute type of the oCIS users", + EnvVars: []string{"IDP_LDAP_UUID_ATTRIBUTE_TYPE"}, + Destination: &cfg.Ldap.UUIDAttributeType, + }, + &cli.StringFlag{ + Name: "ldap-filter", + Value: "(objectClass=posixaccount)", + Usage: "LDAP filter of the oCIS users", + EnvVars: []string{"IDP_LDAP_FILTER"}, + Destination: &cfg.Ldap.Filter, + }, &cli.StringFlag{ Name: "transport-tls-cert", Value: "", diff --git a/idp/pkg/service/v0/service.go b/idp/pkg/service/v0/service.go index 419726212..c3a8be678 100644 --- a/idp/pkg/service/v0/service.go +++ b/idp/pkg/service/v0/service.go @@ -38,7 +38,7 @@ func NewService(opts ...Option) Service { assets.Config(options.Config), ) - if err := initKonnectInternalEnvVars(); err != nil { + if err := initKonnectInternalEnvVars(&options.Config.Ldap); err != nil { logger.Fatal().Err(err).Msg("could not initialize env vars") } 
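Review bot: The `Usage` strings for `ldap-scope` and `ldap-uuid-attribute-type` do not say which values are accepted, although the diff itself uses two different ones for the latter (`text` as the default here, `binary` in the cs3_users_ocis compose file); e.g. `Usage: "LDAP UUID attribute type of the oCIS users (text or binary)"`. `ldap-bind-password` ships with the published default `idp`, so a deployment that forgets `IDP_LDAP_BIND_PASSWORD` authenticates to glauth with a known credential, the same concern as the jwt-secret defaults elsewhere in this commit. `ServerWithConfig` starts and ends outside the hunk.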
@@ -110,26 +110,24 @@ func createConfigsIfNotExist(assets http.FileSystem, ocisURL string) error { } // Init vars which are currently not accessible via idp api -func initKonnectInternalEnvVars() error { +func initKonnectInternalEnvVars(ldap *config.Ldap) error { var defaults = map[string]string{ - "LDAP_URI": "ldap://localhost:9125", - "LDAP_BINDDN": "cn=idp,ou=sysusers,dc=example,dc=org", - "LDAP_BINDPW": "idp", - "LDAP_BASEDN": "ou=users,dc=example,dc=org", - "LDAP_SCOPE": "sub", - "LDAP_LOGIN_ATTRIBUTE": "cn", - "LDAP_EMAIL_ATTRIBUTE": "mail", - "LDAP_NAME_ATTRIBUTE": "sn", - "LDAP_UUID_ATTRIBUTE": "uid", - "LDAP_UUID_ATTRIBUTE_TYPE": "text", - "LDAP_FILTER": "(objectClass=posixaccount)", + "LDAP_URI": ldap.URI, + "LDAP_BINDDN": ldap.BindDN, + "LDAP_BINDPW": ldap.BindPassword, + "LDAP_BASEDN": ldap.BaseDN, + "LDAP_SCOPE": ldap.Scope, + "LDAP_LOGIN_ATTRIBUTE": ldap.LoginAttribute, + "LDAP_EMAIL_ATTRIBUTE": ldap.EmailAttribute, + "LDAP_NAME_ATTRIBUTE": ldap.NameAttribute, + "LDAP_UUID_ATTRIBUTE": ldap.UUIDAttribute, + "LDAP_UUID_ATTRIBUTE_TYPE": ldap.UUIDAttributeType, + "LDAP_FILTER": ldap.Filter, } for k, v := range defaults { - if _, exists := os.LookupEnv(k); !exists { - if err := os.Setenv(k, v); err != nil { - return fmt.Errorf("could not set env var %s=%s", k, v) - } + if err := os.Setenv(k, v); err != nil { + return fmt.Errorf("could not set env var %s=%s", k, v) } } diff --git a/ocis/pkg/config/config.go b/ocis/pkg/config/config.go index 4c9bce375..ca7d907ae 100644 --- a/ocis/pkg/config/config.go +++ b/ocis/pkg/config/config.go @@ -75,7 +75,7 @@ type Config struct { Graph *graph.Config GraphExplorer *graphExplorer.Config Hello *hello.Config - IDP *idp.Config + IDP *idp.Config OCS *ocs.Config Onlyoffice *onlyoffice.Config Web *web.Config @@ -96,7 +96,7 @@ func New() *Config { Graph: graph.New(), GraphExplorer: graphExplorer.New(), Hello: hello.New(), - IDP: idp.New(), + IDP: idp.New(), OCS: ocs.New(), Onlyoffice: onlyoffice.New(), Web: web.New(), 
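Review bot: The error path `fmt.Errorf("could not set env var %s=%s", k, v)` puts the value into the message, and for `LDAP_BINDPW` that value is the bind password, which then reaches the log through `logger.Fatal().Err(err)` in `NewService`; use `fmt.Errorf("could not set env var %s: %w", k, err)` and leave the value out. Removing the `os.LookupEnv` guard also means a `LDAP_*` variable set directly in the environment is now silently overwritten by the `IDP_LDAP_*` configuration, a breaking change for existing deployments (the cs3_users_ocis compose file in this diff was migrated for that reason); a one-line comment above the loop stating that `IDP_LDAP_*` is the only supported way to configure these values would save the next person a debugging session. The end of the function is outside the hunk.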
diff --git a/ocis/pkg/flagset/flagset.go b/ocis/pkg/flagset/flagset.go index 8daa92c78..00ba85897 100644 --- a/ocis/pkg/flagset/flagset.go +++ b/ocis/pkg/flagset/flagset.go @@ -74,7 +74,7 @@ func RootWithConfig(cfg *config.Config) []cli.Flag { Name: "jwt-secret", Value: "Pive-Fumkiu4", Usage: "Used to dismantle the access token, should equal reva's jwt-secret", - EnvVars: []string{"OCIS_JWT_SECRET"}, + EnvVars: []string{"OCIS_JWT_SECRET", "OCIS_JWT_SECRET"}, Destination: &cfg.TokenManager.JWTSecret, }, } diff --git a/ocs/pkg/flagset/flagset.go b/ocs/pkg/flagset/flagset.go index 21665d9aa..909840335 100644 --- a/ocs/pkg/flagset/flagset.go +++ b/ocs/pkg/flagset/flagset.go @@ -149,7 +149,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { Name: "jwt-secret", Value: "Pive-Fumkiu4", Usage: "Used to dismantle the access token, should equal reva's jwt-secret", - EnvVars: []string{"OCS_JWT_SECRET"}, + EnvVars: []string{"OCS_JWT_SECRET", "OCIS_JWT_SECRET"}, Destination: &cfg.TokenManager.JWTSecret, }, } diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go index 81af13c7a..83f73fdda 100644 --- a/proxy/pkg/flagset/flagset.go +++ b/proxy/pkg/flagset/flagset.go @@ -175,7 +175,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { Name: "jwt-secret", Value: "Pive-Fumkiu4", Usage: "Used to create JWT to talk to reva, should equal reva's jwt-secret", - EnvVars: []string{"PROXY_JWT_SECRET"}, + EnvVars: []string{"PROXY_JWT_SECRET", "OCIS_JWT_SECRET"}, Destination: &cfg.TokenManager.JWTSecret, }, &cli.StringFlag{ diff --git a/settings/pkg/flagset/flagset.go b/settings/pkg/flagset/flagset.go index f4d04aba4..a84964c89 100644 --- a/settings/pkg/flagset/flagset.go +++ b/settings/pkg/flagset/flagset.go 
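Review bot: `EnvVars: []string{"OCIS_JWT_SECRET", "OCIS_JWT_SECRET"}` lists the same variable twice; the commit adds a global fallback to each per-service variable, and for the root ocis flag the two coincide, so the line should simply stay `EnvVars: []string{"OCIS_JWT_SECRET"},`. It is harmless at runtime but reads as a copy-paste slip and the duplicate may surface in generated help text. `RootWithConfig` starts and ends outside the hunk.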
@@ -182,7 +182,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { Name: "jwt-secret", Value: "Pive-Fumkiu4", Usage: "Used to create JWT to talk to reva, should equal reva's jwt-secret", - EnvVars: []string{"SETTINGS_JWT_SECRET"}, + EnvVars: []string{"SETTINGS_JWT_SECRET", "OCIS_JWT_SECRET"}, Destination: &cfg.TokenManager.JWTSecret, }, } diff --git a/storage/pkg/flagset/secret.go b/storage/pkg/flagset/secret.go index e51b7acd7..d7004e481 100644 --- a/storage/pkg/flagset/secret.go +++ b/storage/pkg/flagset/secret.go @@ -12,7 +12,7 @@ func SecretWithConfig(cfg *config.Config) []cli.Flag { Name: "jwt-secret", Value: "Pive-Fumkiu4", Usage: "Shared jwt secret for reva service communication", - EnvVars: []string{"STORAGE_JWT_SECRET"}, + EnvVars: []string{"STORAGE_JWT_SECRET", "OCIS_JWT_SECRET"}, Destination: &cfg.Reva.JWTSecret, }, }