Merge pull request #3888 from owncloud/graph-cacert

add config option to provide TLS certificate

changelog/unreleased/graph-cacert.md

@@ -0,0 +1,6 @@
+Enhancement: Add config option to provide TLS certificate
+
+Added a config option to the graph service to provide a TLS certificate to be used to verify the LDAP server certificate.
+
+https://github.com/owncloud/ocis/issues/3818
+https://github.com/owncloud/ocis/pull/3888

extensions/graph/pkg/config/config.go

@@ -38,6 +38,7 @@ type Spaces struct {
 
 type LDAP struct {
 	URI           string `yaml:"uri" env:"LDAP_URI;GRAPH_LDAP_URI"`
+	CACert        string `yaml:"cacert" env:"LDAP_CACERT;GRAPH_LDAP_CACERT" desc:"The certificate to verify TLS connections"`
 	Insecure      bool   `yaml:"insecure" env:"OCIS_INSECURE;GRAPH_LDAP_INSECURE"`
 	BindDN        string `yaml:"bind_dn" env:"LDAP_BIND_DN;GRAPH_LDAP_BIND_DN"`
 	BindPassword  string `yaml:"bind_password" env:"LDAP_BIND_PASSWORD;GRAPH_LDAP_BIND_PASSWORD"`

extensions/graph/pkg/config/defaults/defaultconfig.go

@@ -1,9 +1,11 @@
 package defaults
 
 import (
+	"path"
 	"strings"
 
 	"github.com/owncloud/ocis/v2/extensions/graph/pkg/config"
+	"github.com/owncloud/ocis/v2/ocis-pkg/config/defaults"
 )
 
 func FullDefaultConfig() *config.Config {
@@ -41,6 +43,7 @@ func DefaultConfig() *config.Config {
 			LDAP: config.LDAP{
 				URI:                      "ldaps://localhost:9235",
 				Insecure:                 true,
+				CACert:                   path.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
 				BindDN:                   "uid=libregraph,ou=sysusers,o=libregraph-idm",
 				UseServerUUID:            false,
 				WriteEnabled:             true,

extensions/graph/pkg/service/v0/service.go

@@ -2,6 +2,8 @@ package svc
 
 import (
 	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
 	"net/http"
 	"strconv"
 	"time"
@@ -14,6 +16,7 @@ import (
 	"github.com/owncloud/ocis/v2/extensions/graph/pkg/identity"
 	"github.com/owncloud/ocis/v2/extensions/graph/pkg/identity/ldap"
 	graphm "github.com/owncloud/ocis/v2/extensions/graph/pkg/middleware"
+	ocisldap "github.com/owncloud/ocis/v2/ocis-pkg/ldap"
 	"github.com/owncloud/ocis/v2/ocis-pkg/roles"
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
 	settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
@@ -83,12 +86,33 @@ func NewService(opts ...Option) Service {
 
 			var tlsConf *tls.Config
 			if options.Config.Identity.LDAP.Insecure {
+				// When insecure is set to true then we don't need a certificate.
+				options.Config.Identity.LDAP.CACert = ""
 				tlsConf = &tls.Config{
 					//nolint:gosec // We need the ability to run with "insecure" (dev/testing)
 					InsecureSkipVerify: options.Config.Identity.LDAP.Insecure,
 				}
 			}
 
+			if options.Config.Identity.LDAP.CACert != "" {
+				if err := ocisldap.WaitForCA(options.Logger,
+					options.Config.Identity.LDAP.Insecure,
+					options.Config.Identity.LDAP.CACert); err != nil {
+					options.Logger.Fatal().Err(err).Msg("The configured LDAP CA cert does not exist")
+				}
+				if tlsConf == nil {
+					tlsConf = &tls.Config{}
+				}
+				certs := x509.NewCertPool()
+				pemData, err := ioutil.ReadFile(options.Config.Identity.LDAP.CACert)
+				if err != nil {
+					options.Logger.Error().Msgf("Error initializing LDAP Backend: '%s'", err)
+					return nil
+				}
+				certs.AppendCertsFromPEM(pemData)
+				tlsConf.RootCAs = certs
+			}
+
 			conn := ldap.NewLDAPWithReconnect(&options.Logger,
 				ldap.Config{
 					URI:          options.Config.Identity.LDAP.URI,