Merge branch 'master' into nightly_full_ci

A.Unger
2021-09-29 14:26:35 +02:00
17 changed files with 250 additions and 144 deletions

View File

@@ -38,10 +38,10 @@ If the below defaults don't match your environment change them accordingly:
```
export STORAGE_LDAP_HOSTNAME=localhost
export STORAGE_LDAP_PORT=9126
export STORAGE_LDAP_BASE_DN='dc=example,dc=org'
export STORAGE_LDAP_BASE_DN='dc=ocis,dc=test'
export STORAGE_LDAP_USERFILTER='(&(objectclass=posixAccount)(cn=%s))'
export STORAGE_LDAP_GROUPFILTER='(&(objectclass=posixGroup)(cn=%s))'
export STORAGE_LDAP_BIND_DN='cn=reva,ou=sysusers,dc=example,dc=org'
export STORAGE_LDAP_BIND_DN='cn=reva,ou=sysusers,dc=ocis,dc=test'
export STORAGE_LDAP_BIND_PASSWORD=reva
export STORAGE_LDAP_USER_SCHEMA_UID=uid
export STORAGE_LDAP_USER_SCHEMA_MAIL=mail
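Review bot: the block around the changed `STORAGE_LDAP_BIND_DN` line still presents `STORAGE_LDAP_BIND_PASSWORD=reva` as a default to copy, with nothing in the visible text marking it as a development-only credential. While the DN lines are being rewritten, add a sentence saying the `cn=reva,ou=sysusers,dc=ocis,dc=test` account and its `reva` password are test defaults that have to be replaced in any real environment.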

View File

@@ -15,7 +15,7 @@ This document is a work in progress of the current setup.
## Current status
Using ocis and the ownCloud 10 openidconnect and graphapi plugins it is possible today to introduce openid connect based authentication to existing instances. That is a prerequisite for migrating to ocis.
Using ocis and the ownCloud 10 [graphapi app](https://github.com/owncloud/graphapi/) it is possible today to use an existing owncloud 10 instance as a userbackend and storage backend for ocis.
## How to do it
@@ -36,11 +36,8 @@ occ a:e graphapi
No configuration necessary. You can test with `curl`:
```console
$ curl https://cloud.example.com/index.php/apps/graphapi/v1.0/users -u admin | jq
$ curl https://cloud.ocis.test/index.php/apps/graphapi/v1.0/users -u admin -s | jq
Enter host password for user 'admin':
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 694 100 694 0 0 4283 0 --:--:-- --:--:-- --:--:-- 4283
{
"value": [
{
@@ -56,65 +53,218 @@ Enter host password for user 'admin':
...
],
"@odata.nextLink": "https://oc.butonic.de/apps/graphapi/v1.0/users?$top=10&$skip=10"
"@odata.nextLink": "https://cloud.ocis.test/apps/graphapi/v1.0/users?$top=10&$skip=10"
}
```
> Note: The MS graph api actually asks for `Bearer` auth, but in order to check users passwords during an LDAP bind we are exploiting ownClouds authentication implementation that will grant access when `Basic` auth is used. An LDAP Bind you may ask? Read on!
{{< hint >}}
The MS graph api actually asks for `Bearer` auth, but in order to check users passwords during an LDAP bind we are exploiting ownClouds authentication implementation that will grant access when `Basic` auth is used. An LDAP Bind you may ask? Read on!
{{< /hint >}}
### Start ocis-glauth
### Grab ocis!
We are going to use the above ownCloud 10 and graphapi app to turn it into the datastore for an LDAP proxy.
#### Grab it!
In an `ocis` folder
```
$ git clone git@github.com:owncloud/ocis-glauth.git
$ cd ocis-glauth
$ make
$ git clone git@github.com:owncloud/ocis.git
$ cd ocis
$ make -C ocis build
```
This should give you a `bin/ocis-glauth` binary. Try listing the help with `bin/ocis-glauth --help`.
This should give you an `ocis/bin/ocis` binary. Try listing the help with `ocis/bin/ocis --help`.
{{< hint >}}
You can check out a custom branch and build a custom binary which can then be used for the below steps.
{{< /hint >}}
### Start ocis glauth
We are going to use the built binary and ownCloud 10 graphapi app to turn ownCloud 10 into the datastore for an LDAP proxy.
#### configure it
While ocis can be configured using environment variables, eg. for a docker compose setup we are going to use a more traditional config file here.
Create a config file for ocis in either `/etc/ocis`, `$HOME/.ocis` or `./.config`. You can use `.json`, `.yaml` or `.toml`. I will use toml here, because ... reasons.
```toml
[glauth.backend]
datastore = "owncloud" # switch to the owncloud datastore
servers = ["https://cloud.ocis.test/apps/graphapi/v1.0"] # the graph api endpoint to connect to
basedn = "dc=ocis,dc=test" # base dn to construct the LDAP dn. The user `admin` will become `cn=admin,dc=ocis,dc=test`
```
{{< hint >}}
There is a bug in the config merging for environment variables, cli flags and config files causing log settings not to be picked up from the config file when specifying `--extensions`. That is why I will
* configure most of the config in a file,
* adjust logging using `OCIS_LOG_*` environment variables and
* specify which extension to run using `ocis/bin/ocis server --extensions "comma, separated, list, of, extensions"`.
{{< /hint >}}
#### Run it!
You need to point `ocis-glauth` to your owncloud domain:
For now, we only start the glauth extension:
```console
$ bin/ocis-glauth --log-level debug server --backend-datastore owncloud --backend-server https://cloud.example.com --backend-basedn dc=example,dc=com
$ OCIS_LOG_PRETTY=true OCIS_LOG_COLOR=true ocis/bin/ocis server --extensions "glauth"
```
`--log-level debug` is only used to generate more verbose output
`--backend-datastore owncloud` switches to tho owncloud datastore
`--backend-server https://cloud.example.com` is the url to an ownCloud instance with an enabled graphapi app
`--backend-basedn dc=example,dc=com` is used to construct the LDAP dn. The user `admin` will become `cn=admin,dc=example,dc=com`.
#### Check it is up and running
You should now be able to list accounts from your ownCloud 10 oc_accounts table using:
```console
$ ldapsearch -x -H ldap://localhost:9125 -b dc=example,dc=com -D "cn=admin,dc=example,dc=com" -W '(objectclass=posixaccount)'
$ ldapsearch -x -H ldap://127.0.0.1:9125 -b dc=ocis,dc=test -D "cn=admin,dc=ocis,dc=test" -W '(objectclass=posixaccount)'
```
Groups should work as well:
```console
$ ldapsearch -x -H ldap://localhost:9125 -b dc=example,dc=com -D "cn=admin,dc=example,dc=com" -W '(objectclass=posixgroup)'
$ ldapsearch -x -H ldap://127.0.0.1:9125 -b dc=ocis,dc=test -D "cn=admin,dc=ocis,dc=test" -W '(objectclass=posixgroup)'
```
> Note: This is currently a readonly implementation and minimal to the usecase of authenticating users with idp.
{{< hint >}}
This is currently a readonly implementation and minimal to the usecase of authenticating users with an IDP.
{{< /hint >}}
### Start ocis storage-gateway, storage-authbasic and storage-userprovider
We are going to set up reva to authenticate users against our glauth LDAP proxy. This allows us to log in and use the reva cli. The ocis storage-gateway starts the reva gateway which will authenticate basic auth requests using the storage-authbasic service. Furthermore, users have to be available in the storage-userprovider to retrieve displayname, email address and other user metadata.
To configure LDAP to use our glauth we add this section to the config file:
```toml
[storage.reva.ldap]
idp = "https://ocis.ocis.test"
basedn = "dc=ocis,dc=test"
binddn = "cn=admin,dc=ocis,dc=test" # an admin user in your oc10
bindpassword = "secret"
userschema = { uid = "uid", displayname = "givenname" } # TODO make glauth return an ownclouduuid and displayname attribute
```
Now we can start all necessary services.
```console
$ OCIS_LOG_PRETTY=true OCIS_LOG_COLOR=true ocis/bin/ocis server --extensions "glauth, storage-gateway, storage-authbasic, storage-userprovider"
```
{{< hint warning >}}
Here I ran out of time. I tried to verify this step with the reva cli:
`cmd/reva/reva -insecure -host localhost:9142`
`login basic`
but it tries to create the user home, which cannot be disabled in a config file: https://github.com/owncloud/ocis/issues/2416#issuecomment-901197053
starting `STORAGE_GATEWAY_DISABLE_HOME_CREATION_ON_LOGIN=true OCIS_LOG_LEVEL=debug OCIS_LOG_PRETTY=true OCIS_LOG_COLOR=true ocis/bin/ocis server --extensions "storage-gateway, storage-authbasic, storage-userprovider"` let me login:
```console
✗ cmd/reva/reva -insecure -host localhost:9142
reva-cli v1.11.0-27-g95b1f2ee (rev-95b1f2ee)
Please use `exit` or `Ctrl-D` to exit this program.
>> login basic
username: jfd
password: OK
>> whoami
id:<idp:"https://ocis.ocis.test" opaque_id:"jfd" type:USER_TYPE_PRIMARY > username:"jfd" mail:"jfd@butonic.de" display_name:"J\303\266rn" uid_number:99 gid_number:99
>> exit
```
I hope https://github.com/owncloud/ocis/pull/2024 fixes the parsing order of things.
everything below this is outdated
... gotta run
{{< /hint >}}
### Start ocis storage-userprovider
```console
ocis/bin/ocis storage-userprovider --ldap-port 19126 --ldap-user-schema-uid uid --ldap-user-schema-displayName givenName --addr :19144
```
TODO clone `git clone git@github.com:cs3org/cs3apis.git`
query users using [grpcurl](https://github.com/fullstorydev/grpcurl)
```console
grpcurl -import-path ./cs3apis/ -proto ./cs3apis/cs3/identity/user/v1beta1/user_api.proto -plaintext localhost:19144 cs3.identity.user.v1beta1.UserAPI/FindUsers
ERROR:
Code: Unauthenticated
Message: auth: core access token not found
```
### Start ocis idp
#### Set environment variables
The built in [libregraph/lico](https://github.com/libregraph/lico) needs environment variables to configure the LDAP server:
```console
export OCIS_URL=https://ocis.ocis.test
export IDP_LDAP_URI=ldap://127.0.0.1:9125
export IDP_LDAP_BASE_DN="dc=ocis,dc=test"
export IDP_LDAP_BIND_DN="cn=admin,dc=ocis,dc=test"
export IDP_LDAP_BIND_PASSWORD="its-a-secret"
export IDP_LDAP_SCOPE=sub
export IDP_LDAP_LOGIN_ATTRIBUTE=uid
export IDP_LDAP_NAME_ATTRIBUTE=givenName
```
Don't forget to use an existing user with admin permissions (only admins are allowed to list all users via the graph api) and the correct password.
{{< hint warning >}}
* TODO: change the default values in glauth & ocis to use an `ownclouduuid` attribute.
* TODO: split `OCIS_URL` and `IDP_ISS` env vars and use `OCIS_URL` to generate the clients in the `identifier-registration.yaml`.
{{< /hint >}}
### Configure clients
When the `identifier-registration.yaml` does not exist it will be generated based on the `OCIS_URL` environment variable.
#### Run it!
You can now bring up `ocis/bin/ocis idp` with:
```console
$ ocis/bin/ocis idp server --iss http://127.0.0.1:9130 --signing-kid gen1-2020-02-27
```
`ocis/bin/ocis idp` needs to know
- `--iss http://127.0.0.1:9130` the issuer, which must be a reachable http endpoint. For testing an ip works. For openid connect HTTPS is NOT optional. This URL is exposed in the `http://127.0.0.1:9130/.well-known/openid-configuration` endpoint and clients need to be able to connect to it, securely. We will change this when introducing the proxy.
- `--signing-kid gen1-2020-02-27` a signature key id, otherwise the jwks key has no name, which might cause problems with clients. a random key is ok, but it should change when the actual signing key changes.
{{< hint warning >}}
* TODO: the port in the `--iss` needs to be changed when hiding the idp behind the proxy
* TODO: the signing keys and encryption keys should be precerated so they are reused between restarts. Otherwise all client sessions will become invalid when restarting the IdP.
{{< /hint >}}
#### Check it is up and running
1. Try getting the configuration:
```console
$ curl http://127.0.0.1:9130/.well-known/openid-configuration
```
2. Check if the login works at http://127.0.0.1:9130/signin/v1/identifier
{{< hint >}}
If you later get a `Unable to find a key for (algorithm, kid):PS256, )` Error make sure you did set a `--signing-kid` when starting `ocis/bin/ocis idp` by checking it is present in http://127.0.0.1:9130/konnect/v1/jwks.json
{{< /hint >}}
### Start ocis proxy
{{< hint >}}
Everything below this hint is outdated. Next steps are roughly:
* directly after glauth start the `ocis storage-userporvider`?
- how to verify that works?
- https://github.com/fullstorydev/grpcurl
* start proxy
- the ocis ipd url can be changed to https
- when do we hide oc10 behind ocis? -> advanced bridge at the end? for now run it without touching the existing oc10 instance
* start web
- verify the login works, but how?
- TODO the login works, but then the capabilities requests will fail ... unless we make the proxy answer them by talking to oc10?
Other ideas:
* the owncloud backend in glauth also works with the user provisioning api ... no changes to a running production instance? db access could be done with a read only account as well...
{{< /hint >}}
### Start ocis-web
#### Get it!
In an `ocis` folder
```
$ git clone git@github.com:owncloud/ocis.git
$ cd web
$ make
```
This should give you a `bin/web` binary. Try listing the help with `bin/web --help`.
#### Run it!
Point `ocis-web` to your owncloud domain and tell it where to find the openid connect issuing authority:
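Review bot: the new `[storage.reva.ldap]` block and the `IDP_LDAP_BIND_DN` / `IDP_LDAP_BIND_PASSWORD` exports both bind as `cn=admin,dc=ocis,dc=test`, which the text itself describes as an ownCloud 10 user with admin permissions, and the password sits in a plain config file or environment variable. The doc should say so explicitly and recommend a dedicated account plus restricted permissions on the config file, instead of leaving `bindpassword = "secret"` as the only guidance. Separately, the rewritten idp section starts with `--iss http://127.0.0.1:9130` while the bullet under it states that for OpenID Connect HTTPS is NOT optional; either keep an https issuer in the example or mark the http one as local testing only. Typos in the added lines: `precerated`, `storage-userporvider`, `ocis ipd url`; the sample `whoami` output also still contains a `butonic.de` mail address although the other hostnames were switched to `ocis.test`.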
@@ -128,80 +278,6 @@ $ bin/web server --web-config-server https://cloud.example.com --oidc-authority
- `--oidc-metadata-url https://192.168.1.100:9130/.well-known/openid-configuration` the openid connect configuration endpoint, typically the issuer host with `.well-known/openid-configuration`, but there are cases when another endpoint is used, eg. ping identity provides multiple endpoints to separate domains
- `--oidc-client-id ocis` the client id we will register later with `ocis-idp` in the `identifier-registration.yaml`
### Start ocis-idp
#### Get it!
In an `ocis` folder
```
$ git clone git@github.com:owncloud/ocis-idp.git
$ cd ocis-idp
$ make
```
This should give you a `bin/ocis-idp` binary. Try listing the help with `bin/ocis-idp --help`.
#### Set environment variables
Konnectd needs environment variables to configure the LDAP server:
```console
export LDAP_URI=ldap://192.168.1.100:9125
export LDAP_BINDDN="cn=admin,dc=example,dc=com"
export LDAP_BINDPW="its-a-secret"
export LDAP_BASEDN="dc=example,dc=com"
export LDAP_SCOPE=sub
export LDAP_LOGIN_ATTRIBUTE=uid
export LDAP_EMAIL_ATTRIBUTE=mail
export LDAP_NAME_ATTRIBUTE=givenName
export LDAP_UUID_ATTRIBUTE=uid
export LDAP_UUID_ATTRIBUTE_TYPE=text
export LDAP_FILTER="(objectClass=posixaccount)"
```
Don't forget to use an existing user and the correct password.
### Configure clients
Now we need to configure a client we can later use to configure the ownCloud 10 openidconnect app. In the `assets/identifier-registration.yaml` have:
```yaml
---
# OpenID Connect client registry.
clients:
- id: ocis
name: ownCloud Infinite Scale
application_type: web
redirect_uris:
- https://cloud.example.com/apps/openidconnect/redirect
- http://localhost:9100/oidc-callback.html
- http://localhost:9100
- http://localhost:9100/
```
Replace `cloud.example.com` in the redirect URI with your ownCloud 10 host and port.
Replace `localhost:9100` in the redirect URIs with your `ocis-web` host and port.
#### Run it!
You can now bring up `ocis-idp` with:
```console
$ bin/ocis-idp server --iss https://192.168.1.100:9130 --identifier-registration-conf assets/identifier-registration.yaml --signing-kid gen1-2020-02-27
```
`ocis-idp` needs to know
- `--iss https://192.168.1.100:9130` the issuer, which must be a reachable https endpoint. For testing an ip works. HTTPS is NOT optional. This url is exposed in the `https://192.168.1.100:9130/.well-known/openid-configuration` endpoint and clients need to be able to connect to it
- `--identifier-registration-conf assets/identifier-registration.yaml` the identifier-registration.yaml you created
- `--signing-kid gen1-2020-02-27` a signature key id, otherwise the jwks key has no name, which might cause problems with clients. a random key is ok, but it should change when the actual signing key changes.
#### Check it is up and running
1. Try getting the configuration:
```console
$ curl https://192.168.1.100:9130/.well-known/openid-configuration
```
2. Check if the login works at https://192.168.1.100:9130/signin/v1/identifier
> Note: If you later get a `Unable to find a key for (algorithm, kid):PS256, )` Error make sure you did set a `--signing-kid` when starting `ocis-idp` by checking it is present in https://192.168.1.100:9130/konnect/v1/jwks.json
### Patch owncloud
While the UserSession in ownCloud 10 is currently used to test all available IAuthModule implementations, it immediately logs out the user when an exception occurs. However, existing owncloud 10 instances use the oauth2 app to create Bearer tokens for mobile and desktop clients.
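Review bot: removing the old `Configure clients` block drops the only sample `identifier-registration.yaml` on the page, including the `redirect_uris` entries, and the replacement text only says the file is generated from `OCIS_URL`. Redirect URIs are the part of client registration that readers most need to verify, so please either keep a trimmed sample or add a sentence stating which redirect URIs the generated file contains and how to add the ownCloud 10 `apps/openidconnect/redirect` one. The removed `LDAP_FILTER`, `LDAP_EMAIL_ATTRIBUTE` and `LDAP_UUID_ATTRIBUTE` settings also have no `IDP_LDAP_*` counterpart in the new export block; say whether they are no longer needed.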

View File

@@ -30,12 +30,18 @@ func Server(cfg *config.Config) *cli.Command {
if cfg.HTTP.Root != "/" {
cfg.HTTP.Root = strings.TrimSuffix(cfg.HTTP.Root, "/")
}
cfg.Backend.Servers = ctx.StringSlice("backend-server")
cfg.Fallback.Servers = ctx.StringSlice("fallback-server")
// StringSliceFlag doesn't support Destination
// UPDATE Destination on string flags supported. Wait for https://github.com/urfave/cli/pull/1078 to get to micro/cli
if len(ctx.StringSlice("backend-server")) > 0 {
cfg.Backend.Servers = ctx.StringSlice("backend-server")
}
if len(ctx.StringSlice("fallback-server")) > 0 {
cfg.Fallback.Servers = ctx.StringSlice("fallback-server")
}
if !cfg.Supervised {
return ParseConfig(ctx, cfg)
}
logger.Debug().Str("service", "glauth").Msg("ignoring config file parsing when running supervised")
logger.Debug().Strs("backend-server", ctx.StringSlice("backend-server")).Str("service", "glauth").Msg("ignoring config file parsing when running supervised")
return nil
},
Action: func(c *cli.Context) error {
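Review bot: the new supervised-mode debug line logs `ctx.StringSlice("backend-server")`, which is the flag value and not the effective setting, so when the servers come from a config file the log shows an empty list even though `cfg.Backend.Servers` is populated. Log `cfg.Backend.Servers` instead. The two `len(ctx.StringSlice(...)) > 0` guards also read each flag twice; assigning the slice to a local variable first would make the intent clearer.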
@@ -62,11 +68,11 @@ func Server(cfg *config.Config) *cli.Command {
lcfg := glauthcfg.LDAP{
Enabled: cfg.Ldap.Enabled,
Listen: cfg.Ldap.Address,
Listen: cfg.Ldap.Addr,
}
lscfg := glauthcfg.LDAPS{
Enabled: cfg.Ldaps.Enabled,
Listen: cfg.Ldaps.Address,
Listen: cfg.Ldaps.Addr,
Cert: cfg.Ldaps.Cert,
Key: cfg.Ldaps.Key,
}

View File

@@ -36,15 +36,16 @@ type Tracing struct {
// Ldap defined the available LDAP configuration.
type Ldap struct {
Address string
Addr string
Enabled bool
}
// Ldaps defined the available LDAPS configuration.
type Ldaps struct {
Ldap
Cert string
Key string
Addr string
Enabled bool
Cert string
Key string
}
// Backend defined the available backend configuration.
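Review bot: `Ldaps` no longer embeds `Ldap` and now duplicates `Addr` and `Enabled`, which is fine, but the rename from `Address` to `Addr` changes the exported field name on both structs. If config files are mapped onto these structs by field name, an existing `address` key would stop being applied without any error, so this deserves a changelog entry or a check in the config loader. The doc comments should read `defines`, not `defined`.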

View File

@@ -132,10 +132,10 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
&cli.StringFlag{
Name: "ldap-addr",
Value: flags.OverrideDefaultString(cfg.Ldap.Address, "0.0.0.0:9125"),
Value: flags.OverrideDefaultString(cfg.Ldap.Addr, "0.0.0.0:9125"),
Usage: "Address to bind ldap server",
EnvVars: []string{"GLAUTH_LDAP_ADDR"},
Destination: &cfg.Ldap.Address,
Destination: &cfg.Ldap.Addr,
},
&cli.BoolFlag{
Name: "ldap-enabled",
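Review bot: the `ldap-addr` default on the changed `Value:` line is still `0.0.0.0:9125`, so the plaintext LDAP listener binds to every interface, while the docs updated in this same commit only ever connect to `ldap://127.0.0.1:9125`. Since the line is being touched anyway, consider defaulting to `127.0.0.1:9125` and letting deployments that need remote access opt in through `GLAUTH_LDAP_ADDR`.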
@@ -147,10 +147,10 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
&cli.StringFlag{
Name: "ldaps-addr",
Value: flags.OverrideDefaultString(cfg.Ldaps.Address, "0.0.0.0:9126"),
Value: flags.OverrideDefaultString(cfg.Ldaps.Addr, "0.0.0.0:9126"),
Usage: "Address to bind ldap server",
EnvVars: []string{"GLAUTH_LDAPS_ADDR"},
Destination: &cfg.Ldaps.Address,
Destination: &cfg.Ldaps.Addr,
},
&cli.BoolFlag{
Name: "ldaps-enabled",
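Review bot: the `ldaps-addr` flag keeps the usage text `Address to bind ldap server`, identical to the one on `ldap-addr`. With both flags edited in this commit, change it to say `ldaps server` so `--help` output distinguishes the TLS listener from the plaintext one.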
@@ -178,7 +178,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
&cli.StringFlag{
Name: "backend-basedn",
Value: flags.OverrideDefaultString(cfg.Backend.BaseDN, "dc=example,dc=org"),
Value: flags.OverrideDefaultString(cfg.Backend.BaseDN, "dc=ocis,dc=test"),
Usage: "base distinguished name to expose",
EnvVars: []string{"GLAUTH_BACKEND_BASEDN"},
Destination: &cfg.Backend.BaseDN,
@@ -221,8 +221,8 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
},
&cli.StringSliceFlag{
Name: "backend-server",
Value: cli.NewStringSlice("https://demo.owncloud.com/apps/graphapi/v1.0"),
Usage: `--backend-server http://internal1.example.com [--backend-server http://internal2.example.com]`,
Value: cli.NewStringSlice(),
Usage: `--backend-server https://demo.owncloud.com/apps/graphapi/v1.0 [--backend-server "https://demo2.owncloud.com/apps/graphapi/v1.0"]`,
EnvVars: []string{"GLAUTH_BACKEND_SERVERS"},
},
&cli.BoolFlag{
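Review bot: `backend-server` now defaults to `cli.NewStringSlice()`, so with no flag, no `GLAUTH_BACKEND_SERVERS` and no config file entry the server list ends up empty, and nothing in the visible changes rejects that. Add a check that fails startup with a clear message when the `owncloud` datastore is selected and no server is configured. The new `Usage` string also quotes only the second URL; quote both or neither.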
@@ -237,7 +237,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
&cli.StringFlag{
Name: "fallback-basedn",
Value: flags.OverrideDefaultString(cfg.Fallback.BaseDN, "dc=example,dc=org"),
Value: flags.OverrideDefaultString(cfg.Fallback.BaseDN, "dc=ocis,dc=test"),
Usage: "base distinguished name to expose",
EnvVars: []string{"GLAUTH_FALLBACK_BASEDN"},
Destination: &cfg.Fallback.BaseDN,

View File

@@ -166,7 +166,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
},
&cli.StringFlag{
Name: "ldap-bind-dn",
Value: flags.OverrideDefaultString(cfg.Ldap.BindDN, "cn=idp,ou=sysusers,dc=example,dc=org"),
Value: flags.OverrideDefaultString(cfg.Ldap.BindDN, "cn=idp,ou=sysusers,dc=ocis,dc=test"),
Usage: "Bind DN for the LDAP server (glauth)",
EnvVars: []string{"IDP_LDAP_BIND_DN"},
Destination: &cfg.Ldap.BindDN,
@@ -180,7 +180,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
},
&cli.StringFlag{
Name: "ldap-base-dn",
Value: flags.OverrideDefaultString(cfg.Ldap.BaseDN, "ou=users,dc=example,dc=org"),
Value: flags.OverrideDefaultString(cfg.Ldap.BaseDN, "ou=users,dc=ocis,dc=test"),
Usage: "LDAP base DN of the oCIS users",
EnvVars: []string{"IDP_LDAP_BASE_DN"},
Destination: &cfg.Ldap.BaseDN,

View File

@@ -47,7 +47,7 @@ services:
# the eos end xrdcopy binaries use this env var to find the eos mgm
EOS_MGM_URL: ${EOS_MGM_URL:-root://mgm-master.testnet:1094}
# TODO without this the /etc/nclcd.conf file is empty
LDAP_BINDDN: "cn=reva,ou=sysusers,dc=example,dc=org"
LDAP_BINDDN: "cn=reva,ou=sysusers,dc=ocis,dc=test"
LDAP_BINDPW: "reva"
mgm-master:
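Review bot: the compose service still hardcodes `LDAP_BINDPW: "reva"` next to the changed `LDAP_BINDDN`, unlike `EOS_MGM_URL` two lines above, which uses the `${VAR:-default}` form. Using `${LDAP_BINDPW:-reva}` here would let the password be overridden without editing the file. The TODO comment also names `/etc/nclcd.conf`, while the setup scripts write `/etc/nslcd.conf`.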

View File

@@ -1,6 +1,6 @@
#!/bin/sh
LDAP_BINDDN=${LDAP_BINDDN:-cn=reva,ou=sysusers,dc=example,dc=org}
LDAP_BINDDN=${LDAP_BINDDN:-cn=reva,ou=sysusers,dc=ocis,dc=test}
LDAP_BINDPW=${LDAP_BINDPW:-reva}
echo "Waiting for EOS MGM"
@@ -9,7 +9,7 @@ chmod +x /wait-for-mgm
/wait-for-mgm;
echo "----- [ocis] LDAP setup -----";
authconfig --enableldap --enableldapauth --ldapserver=${EOS_LDAP_HOST} --ldapbasedn="dc=example,dc=org" --update;
authconfig --enableldap --enableldapauth --ldapserver=${EOS_LDAP_HOST} --ldapbasedn="dc=ocis,dc=test" --update;
sed -i "s/#binddn cn=.*/binddn ${LDAP_BINDDN}/" /etc/nslcd.conf
sed -i "s/#bindpw .*/bindpw ${LDAP_BINDPW}/" /etc/nslcd.conf
# start in debug mode;
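Review bot: the two `sed` lines below the changed `authconfig` call splice `${LDAP_BINDDN}` and `${LDAP_BINDPW}` straight into an `s/.../.../` expression, so a value containing `/` or `&` will break or alter the substitution, and `${EOS_LDAP_HOST}` is passed to `authconfig` unquoted. Quote the host variable and either use a delimiter that cannot appear in the values or append the `binddn` and `bindpw` lines to the file directly.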

View File

@@ -3,7 +3,7 @@
set -x
echo "----- [ocis] LDAP setup -----"
authconfig --enableldap --enableldapauth --ldapserver=${EOS_LDAP_HOST} --ldapbasedn="dc=example,dc=org" --update
authconfig --enableldap --enableldapauth --ldapserver=${EOS_LDAP_HOST} --ldapbasedn="dc=ocis,dc=test" --update
sed -i "s/#binddn cn=.*/binddn ${LDAP_BINDDN}/" /etc/nslcd.conf
sed -i "s/#bindpw .*/bindpw ${LDAP_BINDPW}/" /etc/nslcd.conf
# start in debug mode
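Review bot: this script runs under `set -x`, so the `sed -i "s/#bindpw .*/bindpw ${LDAP_BINDPW}/"` line is traced with the password expanded and ends up in the container log. Wrap the two `sed` lines in `set +x` and `set -x`, or drop tracing for the LDAP setup part.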

View File

@@ -46,7 +46,11 @@ func Server(cfg *config.Config) *cli.Command {
if cfg.HTTP.Root != "/" {
cfg.HTTP.Root = strings.TrimSuffix(cfg.HTTP.Root, "/")
}
cfg.PreSignedURL.AllowedHTTPMethods = ctx.StringSlice("presignedurl-allow-method")
// StringSliceFlag doesn't support Destination
// UPDATE Destination on string flags supported. Wait for https://github.com/urfave/cli/pull/1078 to get to micro/cli
if len(ctx.StringSlice("presignedurl-allow-method")) > 0 {
cfg.PreSignedURL.AllowedHTTPMethods = ctx.StringSlice("presignedurl-allow-method")
}
if err := loadUserAgent(ctx, cfg); err != nil {
return err
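Review bot: the guard `if len(ctx.StringSlice("presignedurl-allow-method")) > 0` is the same pattern this commit adds for `backend-server`, `fallback-server`, `thumbnail-resolution` and `web-config-app`, each time with the two-line comment copied along. A small shared helper that returns the flag value only when it is non-empty would remove the duplication and the double lookup. The comment itself needs a rewrite: `UPDATE Destination on string flags supported` does not say whether the workaround is still required.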

View File

@@ -49,6 +49,10 @@ func AuthBasic(cfg *config.Config) *cli.Command {
pidFile := path.Join(os.TempDir(), "revad-"+c.Command.Name+"-"+uuid.String()+".pid")
rcfg := authBasicConfigFromStruct(c, cfg)
logger.Debug().
Str("server", "authbasic").
Interface("reva-config", rcfg).
Msg("config")
gr.Add(func() error {
runtime.RunWithOptions(rcfg, pidFile, runtime.WithLogger(&logger.Logger))
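Review bot: `Interface("reva-config", rcfg)` writes the entire generated reva configuration to the debug log, and the docs in this same commit show that configuration being fed an LDAP `bindpassword`. If `rcfg` carries that password or other shared secrets, running with `OCIS_LOG_LEVEL=debug` will put them in the log. Redact the secret fields before logging, or log only the keys needed to debug config merging.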

View File

@@ -50,6 +50,11 @@ func Gateway(cfg *config.Config) *cli.Command {
uuid := uuid.Must(uuid.NewV4())
pidFile := path.Join(os.TempDir(), "revad-"+c.Command.Name+"-"+uuid.String()+".pid")
rcfg := gatewayConfigFromStruct(c, cfg, logger)
logger.Debug().
Str("server", "gateway").
Interface("reva-config", rcfg).
Msg("config")
defer cancel()
gr.Add(func() error {
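Review bot: the added log call uses the field key `server` (`Str("server", "gateway")`), while the glauth command in this commit uses `Str("service", "glauth")`. Pick one key so log filters work across extensions. The call is also inserted between `rcfg := ...` and `defer cancel()`; moving it after the `defer` keeps setup and cleanup together.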

View File

@@ -52,6 +52,10 @@ func Users(cfg *config.Config) *cli.Command {
pidFile := path.Join(os.TempDir(), "revad-"+c.Command.Name+"-"+uuid.String()+".pid")
rcfg := usersConfigFromStruct(c, cfg)
logger.Debug().
Str("server", "users").
Interface("reva-config", rcfg).
Msg("config")
gr.Add(func() error {
runtime.RunWithOptions(

View File

@@ -42,7 +42,7 @@ func LDAPWithConfig(cfg *config.Config) []cli.Flag {
},
&cli.StringFlag{
Name: "ldap-base-dn",
Value: flags.OverrideDefaultString(cfg.Reva.LDAP.BaseDN, "dc=example,dc=org"),
Value: flags.OverrideDefaultString(cfg.Reva.LDAP.BaseDN, "dc=ocis,dc=test"),
Usage: "LDAP basedn",
EnvVars: []string{"STORAGE_LDAP_BASE_DN"},
Destination: &cfg.Reva.LDAP.BaseDN,
@@ -122,7 +122,7 @@ func LDAPWithConfig(cfg *config.Config) []cli.Flag {
},
&cli.StringFlag{
Name: "ldap-bind-dn",
Value: flags.OverrideDefaultString(cfg.Reva.LDAP.BindDN, "cn=reva,ou=sysusers,dc=example,dc=org"),
Value: flags.OverrideDefaultString(cfg.Reva.LDAP.BindDN, "cn=reva,ou=sysusers,dc=ocis,dc=test"),
Usage: "LDAP bind dn",
EnvVars: []string{"STORAGE_LDAP_BIND_DN"},
Destination: &cfg.Reva.LDAP.BindDN,

View File

@@ -20,9 +20,6 @@ Other free text and markdown formatting can be used elsewhere in the document if
- [webUIPreview/imageMediaViewer.feature:182](https://github.com/owncloud/web/blob/master/tests/acceptance/features/webUIPreview/imageMediaViewer.feature#L182)
- [webUIPreview/imageMediaViewer.feature:191](https://github.com/owncloud/web/blob/master/tests/acceptance/features/webUIPreview/imageMediaViewer.feature#L191)
### [[oCIS] Previewing video from mediaviewer pops up a sign-in dialog](https://github.com/owncloud/web/issues/5840)
- [webUIPreview/imageMediaViewer.feature:56](https://github.com/owncloud/web/blob/master/tests/acceptance/features/webUIPreview/imageMediaViewer.feature#L56)
### [Exit page re-appears in loop when logged in user is deleted](https://github.com/owncloud/web/issues/4677)
- [webUILogin/openidLogin.feature:50](https://github.com/owncloud/web/blob/master/tests/acceptance/features/webUILogin/openidLogin.feature#L50)

View File

@@ -23,7 +23,12 @@ func Server(cfg *config.Config) *cli.Command {
Flags: flagset.ServerWithConfig(cfg),
Before: func(ctx *cli.Context) error {
logger := NewLogger(cfg)
cfg.Thumbnail.Resolutions = ctx.StringSlice("thumbnail-resolution")
// StringSliceFlag doesn't support Destination
// UPDATE Destination on string flags supported. Wait for https://github.com/urfave/cli/pull/1078 to get to micro/cli
if len(ctx.StringSlice("thumbnail-resolution")) > 0 {
cfg.Thumbnail.Resolutions = ctx.StringSlice("thumbnail-resolution")
}
if !cfg.Supervised {
return ParseConfig(ctx, cfg)

View File

@@ -29,7 +29,11 @@ func Server(cfg *config.Config) *cli.Command {
cfg.HTTP.Root = strings.TrimRight(cfg.HTTP.Root, "/")
}
cfg.Web.Config.Apps = ctx.StringSlice("web-config-app")
// StringSliceFlag doesn't support Destination
// UPDATE Destination on string flags supported. Wait for https://github.com/urfave/cli/pull/1078 to get to micro/cli
if len(ctx.StringSlice("web-config-app")) > 0 {
cfg.Web.Config.Apps = ctx.StringSlice("web-config-app")
}
if !cfg.Supervised {
if err := ParseConfig(ctx, cfg); err != nil {