Merge pull request #3699 from wkloucek/idp-config-fix

idp: configure clients in the idp configuration instead of the templated file
2026-01-05 03:40:01 -06:00 · 2022-05-05 16:36:12 +02:00
parent bfc978c400 5581558869
commit 6e4dc0a9eb
5 changed files with 107 additions and 74 deletions
--- a/extensions/idp/assets/.keep
+++ b/extensions/idp/assets/.keep
--- a/extensions/idp/assets/identifier-registration.yaml
+++ b/extensions/idp/assets/identifier-registration.yaml
@@ -1,44 +0,0 @@
---
-# OpenID Connect client registry.
-clients:
-  - id: web
-    name: ownCloud web app
-    trusted: yes
-    redirect_uris:
-      - {{OCIS_URL}}/
-      - {{OCIS_URL}}/oidc-callback.html
-      - {{OCIS_URL}}/oidc-silent-redirect.html
-    origins:
-      - {{OCIS_URL}}
-
-  - id: ocis-explorer.js
-    name: oCIS Graph Explorer
-    trusted: yes
-    redirect_uris:
-      - {{OCIS_URL}}/graph-explorer/
-    origins:
-      - {{OCIS_URL}}
-      
-
-  - id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
-    secret: UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
-    name: ownCloud desktop app
-    application_type: native
-    redirect_uris:
-      - http://127.0.0.1
-      - http://localhost
-
-  - id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
-    secret: dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD
-    name: ownCloud Android app
-    application_type: native
-    redirect_uris:
-      - oc://android.owncloud.com
-
-  - id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
-    secret: KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx
-    name: ownCloud iOS app
-    application_type: native
-    redirect_uris:
-      - oc://ios.owncloud.com
-      - oc.ios://ios.owncloud.com
--- a/extensions/idp/pkg/config/config.go
+++ b/extensions/idp/pkg/config/config.go
@@ -18,9 +18,10 @@ type Config struct {

 	HTTP HTTP `yaml:"http"`

-	Asset Asset    `yaml:"asset"`
-	IDP   Settings `yaml:"idp"`
-	Ldap  Ldap     `yaml:"ldap"`
+	Asset   Asset    `yaml:"asset"`
+	IDP     Settings `yaml:"idp"`
+	Clients []Client `yaml:"clients"`
+	Ldap    Ldap     `yaml:"ldap"`

 	Context context.Context `yaml:"-"`
 }
@@ -51,6 +52,16 @@ type Asset struct {
 	Path string `yaml:"asset" env:"IDP_ASSET_PATH"`
 }

+type Client struct {
+	ID              string   `yaml:"id"`
+	Name            string   `yaml:"name"`
+	Trusted         bool     `yaml:"trusted"`
+	Secret          string   `yaml:"secret"`
+	RedirectURIs    []string `yaml:"redirect_uris"`
+	Origins         []string `yaml:"origins"`
+	ApplicationType string   `yaml:"application_type"`
+}
+
 type Settings struct {
 	// don't change the order of elements in this struct
 	// it needs to match github.com/libregraph/lico/bootstrap.Settings
@@ -80,8 +91,8 @@ type Settings struct {
 	Listen string

 	IdentifierClientDisabled          bool   `yaml:"identifier_client_disabled" env:"IDP_DISABLE_IDENTIFIER_WEBAPP"`
-	IdentifierClientPath              string `yaml:"identifier_client_path" env:"IDP_IDENTIFIER_CLIENT_PATH"`
-	IdentifierRegistrationConf        string `yaml:"identifier_registration_conf" env:"IDP_IDENTIFIER_REGISTRATION_CONF"`
+	IdentifierClientPath              string `yaml:"-"`
+	IdentifierRegistrationConf        string `yaml:"-"`
 	IdentifierScopesConf              string `yaml:"identifier_scopes_conf" env:"IDP_IDENTIFIER_SCOPES_CONF"`
 	IdentifierDefaultBannerLogo       string
 	IdentifierDefaultSignInPageText   string
--- a/extensions/idp/pkg/config/defaults/defaultconfig.go
+++ b/extensions/idp/pkg/config/defaults/defaultconfig.go
@@ -31,7 +31,6 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "idp",
 		},
-		Asset: config.Asset{},
 		IDP: config.Settings{
 			Iss:                               "https://localhost:9200",
 			IdentityManager:                   "ldap",
@@ -49,7 +48,7 @@ func DefaultConfig() *config.Config {
 			Listen:                            "",
 			IdentifierClientDisabled:          true,
 			IdentifierClientPath:              path.Join(defaults.BaseDataPath(), "idp"),
-			IdentifierRegistrationConf:        path.Join(defaults.BaseDataPath(), "idp", "identifier-registration.yaml"),
+			IdentifierRegistrationConf:        path.Join(defaults.BaseDataPath(), "idp", "tmp", "identifier-registration.yaml"),
 			IdentifierScopesConf:              "",
 			IdentifierDefaultBannerLogo:       "",
 			IdentifierDefaultSignInPageText:   "",
@@ -65,6 +64,61 @@ func DefaultConfig() *config.Config {
 			RefreshTokenDurationSeconds:       60 * 60 * 24 * 365 * 3, // 1 year
 			DyamicClientSecretDurationSeconds: 0,
 		},
+		Clients: []config.Client{
+			{
+				ID:      "web",
+				Name:    "ownCloud Web app",
+				Trusted: true,
+				RedirectURIs: []string{
+					"{{OCIS_URL}}/",
+					"{{OCIS_URL}}/oidc-callback.html",
+					"{{OCIS_URL}}/oidc-silent-redirect.html",
+				},
+				Origins: []string{
+					"{{OCIS_URL}}",
+				},
+			},
+			{
+				ID:      "ocis-explorer.js",
+				Name:    "oCIS Graph Explorer",
+				Trusted: true,
+				RedirectURIs: []string{
+					"{{OCIS_URL}}/graph-explorer/",
+				},
+				Origins: []string{
+					"{{OCIS_URL}}",
+				},
+			},
+			{
+				ID:              "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
+				Secret:          "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
+				Name:            "ownCloud desktop app",
+				ApplicationType: "native",
+				RedirectURIs: []string{
+					"http://127.0.0.1",
+					"http://localhost",
+				},
+			},
+			{
+				ID:              "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
+				Secret:          "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD",
+				Name:            "ownCloud Android app",
+				ApplicationType: "native",
+				RedirectURIs: []string{
+					"oc://android.owncloud.com",
+				},
+			},
+			{
+				ID:              "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
+				Secret:          "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx",
+				Name:            "ownCloud iOS app",
+				ApplicationType: "native",
+				RedirectURIs: []string{
+					"oc://ios.owncloud.com",
+					"oc.ios://ios.owncloud.com",
+				},
+			},
+		},
 		Ldap: config.Ldap{
 			URI:               "ldaps://localhost:9235",
 			TLSCACert:         path.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
--- a/extensions/idp/pkg/service/v0/service.go
+++ b/extensions/idp/pkg/service/v0/service.go
@@ -24,6 +24,7 @@ import (
 	"github.com/owncloud/ocis/v2/extensions/idp/pkg/middleware"
 	"github.com/owncloud/ocis/v2/ocis-pkg/ldap"
 	"github.com/owncloud/ocis/v2/ocis-pkg/log"
+	"gopkg.in/yaml.v2"
 	"stash.kopano.io/kgol/rndm"
 )

@@ -54,7 +55,11 @@ func NewService(opts ...Option) Service {
 		logger.Fatal().Err(err).Msg("could not initialize env vars")
 	}

-	if err := createConfigsIfNotExist(assetVFS, options.Config.IDP.IdentifierRegistrationConf, options.Config.IDP.Iss); err != nil {
+	if err := createTemporaryClientsConfig(
+		options.Config.IDP.IdentifierRegistrationConf,
+		options.Config.IDP.Iss,
+		options.Config.Clients,
+	); err != nil {
 		logger.Fatal().Err(err).Msg("could not create default config")
 	}

@@ -88,7 +93,11 @@ func NewService(opts ...Option) Service {
 	return svc
 }

-func createConfigsIfNotExist(assets http.FileSystem, filePath, ocisURL string) error {
+type temporaryClientConfig struct {
+	Clients []config.Client `yaml:"clients"`
+}
+
+func createTemporaryClientsConfig(filePath, ocisURL string, clients []config.Client) error {

 	folder := path.Dir(filePath)
 	if _, err := os.Stat(folder); os.IsNotExist(err) {
@@ -97,33 +106,36 @@ func createConfigsIfNotExist(assets http.FileSystem, filePath, ocisURL string) e
 		}
 	}

-	if _, err := os.Stat(filePath); os.IsNotExist(err) {
-		defaultConf, err := assets.Open("/identifier-registration.yaml")
-		if err != nil {
-			return err
+	for i, client := range clients {
+
+		for i, entry := range client.RedirectURIs {
+			client.RedirectURIs[i] = strings.ReplaceAll(entry, "{{OCIS_URL}}", strings.TrimRight(ocisURL, "/"))
 		}
-
-		defer defaultConf.Close()
-
-		confOnDisk, err := os.Create(filePath)
-		if err != nil {
-			return err
+		for i, entry := range client.Origins {
+			client.Origins[i] = strings.ReplaceAll(entry, "{{OCIS_URL}}", strings.TrimRight(ocisURL, "/"))
 		}
+		clients[i] = client
+	}

-		defer confOnDisk.Close()
+	c := temporaryClientConfig{
+		Clients: clients,
+	}

-		conf, err := ioutil.ReadAll(defaultConf)
-		if err != nil {
-			return err
-		}
+	conf, err := yaml.Marshal(c)
+	if err != nil {
+		return err
+	}

-		// replace placeholder {{OCIS_URL}} with https://localhost:9200 / correct host
-		conf = []byte(strings.ReplaceAll(string(conf), "{{OCIS_URL}}", strings.TrimRight(ocisURL, "/")))
+	confOnDisk, err := os.Create(filePath)
+	if err != nil {
+		return err
+	}

-		err = ioutil.WriteFile(filePath, conf, 0600)
-		if err != nil {
-			return err
-		}
+	defer confOnDisk.Close()
+
+	err = ioutil.WriteFile(filePath, conf, 0600)
+	if err != nil {
+		return err
 	}

 	return nil