From 45f0940071bd0208f6afdbf35a8449e9cd8bb658 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Wed, 16 Mar 2022 12:40:57 +0100
Subject: [PATCH] Turn of "insecure" of built-in IDP

Setup idp to verify the LDAP server certificate. As this certificate might be generated on startup, this also moved the IDP to the "delayed" set of services. So it starts after "idm".
---
 extensions/idp/pkg/config/config.go | 3 ++-
 extensions/idp/pkg/config/defaults/defaultconfig.go | 3 ++-
 extensions/idp/pkg/service/v0/service.go | 4 ++++
 ocis/pkg/runtime/service/service.go | 2 +-
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/extensions/idp/pkg/config/config.go b/extensions/idp/pkg/config/config.go
index 83bd84554..4979fb0f3 100644
--- a/extensions/idp/pkg/config/config.go
+++ b/extensions/idp/pkg/config/config.go
@@ -27,7 +27,8 @@ type Config struct {
 // Ldap defines the available LDAP configuration.
 type Ldap struct {
- URI string `yaml:"uri" env:"LDAP_URI;IDP_LDAP_URI"`
+ URI string `yaml:"uri" env:"LDAP_URI;IDP_LDAP_URI"`
+ TLSCACert string `yaml:"cacert" env:"LDAP_CACERT;IDP_LDAP_TLS_CACERT"`
 BindDN string `yaml:"bind_dn" env:"LDAP_BIND_DN;IDP_LDAP_BIND_DN"`
 BindPassword string `yaml:"bind_password" env:"LDAP_BIND_PASSWORD;IDP_LDAP_BIND_PASSWORD"`
diff --git a/extensions/idp/pkg/config/defaults/defaultconfig.go b/extensions/idp/pkg/config/defaults/defaultconfig.go
index fe328b2bb..d9b68fb50 100644
--- a/extensions/idp/pkg/config/defaults/defaultconfig.go
+++ b/extensions/idp/pkg/config/defaults/defaultconfig.go
@@ -42,7 +42,7 @@ func DefaultConfig() *config.Config {
 SignedOutURI: "",
 AuthorizationEndpointURI: "",
 EndsessionEndpointURI: "",
- Insecure: true,
+ Insecure: false,
 TrustedProxy: nil,
 AllowScope: nil,
 AllowClientGuests: false,
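Review bot: The new `TLSCACert` field carries no doc comment, and its three spellings do not line up — the yaml key is `cacert`, the first env alias is `LDAP_CACERT` and the second is `IDP_LDAP_TLS_CACERT` — so a reader of the struct cannot tell which of them maps onto the `LDAP_TLS_CACERT` variable that service.go exports to lico. A field comment such as `// TLSCACert is the path of the CA certificate used to verify the LDAP server certificate.` would fix the first half; aligning the aliases (`LDAP_TLS_CACERT;IDP_LDAP_TLS_CACERT`) would fix the second, if no deployment already relies on `LDAP_CACERT`. Whether the field is mandatory once `Insecure` is false is something I infer from the description, not from this hunk, so I would confirm that before stating it in the comment. The Ldap struct continues beyond the hunk.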
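Review bot: `Insecure: false` makes the CA path load-bearing, and the default given to it in the @@ -69 hunk, `path.Join(defaults.BaseDataPath(), "idm", "ldap.crt")`, is only valid while the built-in idm service is the LDAP backend. A deployment that points `IDP_LDAP_URI` at another server without also setting `IDP_LDAP_TLS_CACERT` will presumably verify against a certificate that does not match, or a file that does not exist, and fail to bind where it previously skipped verification; that is the right direction, but the coupling is invisible at the default. A comment on the new default line, such as `// matches the certificate idm generates on first start; override together with URI when an external LDAP server is used`, would make it explicit. The DefaultConfig literal starts before and continues after both hunks.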
@@ -69,6 +69,7 @@ func DefaultConfig() *config.Config {
 },
 Ldap: config.Ldap{
 URI: "ldaps://localhost:9235",
+ TLSCACert: path.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
 BindDN: "uid=idp,ou=sysusers,o=libregraph-idm",
 BindPassword: "idp",
 BaseDN: "ou=users,o=libregraph-idm",
diff --git a/extensions/idp/pkg/service/v0/service.go b/extensions/idp/pkg/service/v0/service.go
index 71270f0c4..1b1a8bf1d 100644
--- a/extensions/idp/pkg/service/v0/service.go
+++ b/extensions/idp/pkg/service/v0/service.go
@@ -142,6 +142,10 @@ func initLicoInternalEnvVars(ldap *config.Ldap) error {
 "LDAP_FILTER": filter,
 }
+ if ldap.TLSCACert != "" {
+ defaults["LDAP_TLS_CACERT"] = ldap.TLSCACert
+ }
+
 for k, v := range defaults {
 if err := os.Setenv(k, v); err != nil {
 return fmt.Errorf("could not set env var %s=%s", k, v)
diff --git a/ocis/pkg/runtime/service/service.go b/ocis/pkg/runtime/service/service.go
index 7215d8098..f791543a4 100644
--- a/ocis/pkg/runtime/service/service.go
+++ b/ocis/pkg/runtime/service/service.go
@@ -112,7 +112,6 @@ func NewService(options ...Option) (*Service, error) {
 s.ServicesRegistry["glauth"] = glauth.NewSutureService
 s.ServicesRegistry["graph"] = graph.NewSutureService
 s.ServicesRegistry["graph-explorer"] = graphExplorer.NewSutureService
- s.ServicesRegistry["idp"] = idp.NewSutureService
 s.ServicesRegistry["idm"] = idm.NewSutureService
 s.ServicesRegistry["ocs"] = ocs.NewSutureService
 s.ServicesRegistry["store"] = store.NewSutureService
@@ -137,6 +136,7 @@ func NewService(options ...Option) (*Service, error) {
 s.Delayed["accounts"] = accounts.NewSutureService
 s.Delayed["proxy"] = proxy.NewSutureService
 s.Delayed["ocdav"] = ocdav.NewOCDav
+ s.Delayed["idp"] = idp.NewSutureService
 return s, nil
 }
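Review bot: The new branch exports `ldap.TLSCACert` without checking that the file exists or is readable, so a wrong path, or a race with idm still writing `ldap.crt`, is only discovered later inside lico, and the error it produces may not name the configured path. Since `os` and `fmt` are already used in this function, a guard before the assignment — `if _, err := os.Stat(ldap.TLSCACert); err != nil {` / `return fmt.Errorf("ldap tls ca cert %q: %w", ldap.TLSCACert, err)` / `}` — turns that into an explicit startup error that names the path. Whether lico's own failure message is already clear enough I cannot tell from this hunk; if it is, a one-line comment on the branch saying the path is validated downstream is the lighter alternative. initLicoInternalEnvVars starts before and ends after this hunk.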
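Review bot: The new `s.Delayed["idp"]` line has no comment explaining why idp left the main registry in the @@ -112 hunk above, so the next reordering of these maps is likely to move it back. I would put `// idp verifies the LDAP server certificate that idm generates on startup, so it must start after idm.` above the line. From the two maps alone I cannot tell whether Delayed waits for idm to be ready or merely starts later; if it is a plain delay, the comment should say so, since idp can then still race the certificate generation. NewService starts before the first hunk and closes with this one.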