add OCIS_OIDC_ISSUER config env

.drone.star

@@ -1663,16 +1663,14 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
     else:
         user = "33:33"
         environment = {
+            # Keycloak IDP specific configuration
+            "OCIS_OIDC_ISSUER": "https://keycloak/auth/realms/owncloud",
+            "WEB_OIDC_METADATA_URL": "https://keycloak/auth/realms/owncloud/.well-known/openid-configuration",
+            "WEB_OIDC_CLIENT_ID": "ocis-web",
+            "WEB_OIDC_SCOPE": "openid profile email owncloud",
+            # external  ldap is supposed to be read only
             "GRAPH_IDENTITY_BACKEND": "cs3",
             "GRAPH_LDAP_SERVER_WRITE_ENABLED": "false",
-            # Keycloak IDP specific configuration
-            "PROXY_OIDC_ISSUER": "https://keycloak/auth/realms/owncloud",
-            "LDAP_IDP": "https://keycloak/auth/realms/owncloud",
-            "WEB_OIDC_AUTHORITY": "https://keycloak/auth/realms/owncloud",
-            "WEB_OIDC_CLIENT_ID": "ocis-web",
-            "WEB_OIDC_METADATA_URL": "https://keycloak/auth/realms/owncloud/.well-known/openid-configuration",
-            "AUTH_BEARER_OIDC_ISSUER": "https://keycloak",
-            "WEB_OIDC_SCOPE": "openid profile email owncloud",
             # LDAP bind
             "LDAP_URI": "ldaps://openldap",
             "LDAP_INSECURE": "true",
@@ -1685,19 +1683,19 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
             "PROXY_USER_CS3_CLAIM": "userid",  # equals STORAGE_LDAP_USER_SCHEMA_UID
             "LDAP_GROUP_BASE_DN": "ou=testgroups,dc=owncloud,dc=com",
             "LDAP_GROUP_OBJECTCLASS": "groupOfUniqueNames",
-            "LDAP_GROUPFILTER": "(objectclass=owncloud)",
             "LDAP_GROUP_SCHEMA_DISPLAYNAME": "cn",
             "LDAP_GROUP_SCHEMA_ID": "cn",
             "LDAP_GROUP_SCHEMA_MAIL": "mail",
             "LDAP_GROUP_SCHEMA_MEMBER": "cn",
+            "LDAP_GROUPFILTER": "(objectclass=owncloud)",
+            "LDAP_LOGIN_ATTRIBUTES": "uid,mail",
             "LDAP_USER_BASE_DN": "ou=testusers,dc=owncloud,dc=com",
             "LDAP_USER_OBJECTCLASS": "posixAccount",
-            "LDAP_USERFILTER": "(objectclass=owncloud)",
-            "LDAP_USER_SCHEMA_USERNAME": "cn",
             "LDAP_USER_SCHEMA_DISPLAYNAME": "displayname",
-            "LDAP_USER_SCHEMA_MAIL": "mail",
             "LDAP_USER_SCHEMA_ID": "ownclouduuid",
-            "LDAP_LOGIN_ATTRIBUTES": "uid,mail",
+            "LDAP_USER_SCHEMA_MAIL": "mail",
+            "LDAP_USER_SCHEMA_USERNAME": "cn",
+            "LDAP_USERFILTER": "(objectclass=owncloud)",
             # ownCloudSQL storage driver
             "STORAGE_USERS_DRIVER": "owncloudsql",
             "STORAGE_USERS_OWNCLOUDSQL_DATADIR": "/mnt/data/files",

deployments/examples/oc10_ocis_parallel/config/ocis/entrypoint-override.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+ocis init || true # will only initialize once
+
+#chmod 744 -R /etc/ocis
+#setpriv --reuid=33 --regid=33 --clear-groups
+ocis server

deployments/examples/oc10_ocis_parallel/docker-compose.yml

@@ -50,60 +50,55 @@ services:
     user: "33:33" # equals the user "www-data" for oC10
     environment:
       # Keycloak IDP specific configuration
-      PROXY_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
-      WEB_OIDC_AUTHORITY: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
-      WEB_OIDC_CLIENT_ID: ocis-web
+      OCIS_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
       WEB_OIDC_METADATA_URL: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}/.well-known/openid-configuration
-      STORAGE_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
-      STORAGE_LDAP_IDP: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
+      WEB_OIDC_CLIENT_ID: ocis-web
       WEB_OIDC_SCOPE: openid profile email owncloud
+      # external ldap is supposed to be read only
+      GRAPH_IDENTITY_BACKEND: cs3
+      GRAPH_LDAP_SERVER_WRITE_ENABLED: "false"
       # LDAP bind
-      STORAGE_LDAP_URI: "ldaps://openldap"
-      STORAGE_LDAP_INSECURE: "true"
-      STORAGE_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
-      STORAGE_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      LDAP_URI: "ldaps://openldap"
+      LDAP_INSECURE: "true"
+      LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
+      LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
       # LDAP user settings
       PROXY_AUTOPROVISION_ACCOUNTS: "true" # automatically create users when they login
       PROXY_ACCOUNT_BACKEND_TYPE: cs3 # proxy should get users from CS3APIS (which gets it from LDAP)
       PROXY_USER_OIDC_CLAIM: ocis.user.uuid # claim was added in Keycloak
       PROXY_USER_CS3_CLAIM: userid # equals STORAGE_LDAP_USER_SCHEMA_UID
-      STORAGE_LDAP_GROUP_BASE_DN: "dc=owncloud,dc=com"
-      STORAGE_LDAP_GROUP_SCHEMA_DISPLAYNAME: "cn"
-      STORAGE_LDAP_GROUP_SCHEMA_GID_NUMBER: "gidnumber"
-      STORAGE_LDAP_GROUP_SCHEMA_ID: "cn"
-      STORAGE_LDAP_GROUP_SCHEMA_MAIL: "mail"
-      STORAGE_LDAP_GROUP_SCHEMA_MEMBER: "cn"
-      STORAGE_LDAP_GROUP_OBJECTCLASS: "groupOfUniqueNames"
-      STORAGE_LDAP_GROUPFILTER: "(objectclass=owncloud)"
-      STORAGE_LDAP_USER_BASE_DN: "dc=owncloud,dc=com"
-      STORAGE_LDAP_USER_SCHEMA_USERNAME: "cn"
-      STORAGE_LDAP_USER_SCHEMA_DISPLAYNAME: "displayname"
-      STORAGE_LDAP_USER_SCHEMA_GID_NUMBER: "gidnumber"
-      STORAGE_LDAP_USER_SCHEMA_MAIL: "mail"
-      STORAGE_LDAP_USER_SCHEMA_UID_NUMBER: "uidnumber"
-      STORAGE_LDAP_USER_SCHEMA_ID: "ownclouduuid"
-      STORAGE_LDAP_LOGIN_ATTRIBUTES: "uid,mail"
+      LDAP_GROUP_BASE_DN: "dc=owncloud,dc=com"
+      LDAP_GROUP_OBJECTCLASS: "groupOfUniqueNames"
+      LDAP_GROUP_SCHEMA_DISPLAYNAME: "cn"
+      LDAP_GROUP_SCHEMA_ID: "cn"
+      LDAP_GROUP_SCHEMA_MAIL: "mail"
+      LDAP_GROUP_SCHEMA_MEMBER: "cn"
+      LDAP_GROUPFILTER: "(objectclass=owncloud)"
+      LDAP_LOGIN_ATTRIBUTES: "uid,mail"
+      LDAP_USER_BASE_DN: "dc=owncloud,dc=com"
+      LDAP_USER_OBJECTCLASS: "posixAccount"
+      LDAP_USER_SCHEMA_DISPLAYNAME: "displayname"
+      LDAP_USER_SCHEMA_ID: "ownclouduuid"
+      LDAP_USER_SCHEMA_MAIL: "mail"
+      LDAP_USER_SCHEMA_USERNAME: "cn"
+      LDAP_USERFILTER: "(objectclass=owncloud)"
       # ownCloudSQL storage driver
-      STORAGE_USERS_DRIVER: owncloudsql
-      STORAGE_SYSTEM_DRIVER: ocis # keep system data on ocis storage since this are only small files atm
-      STORAGE_USERS_DRIVER_OWNCLOUDSQL_DATADIR: /mnt/data/files
-      STORAGE_USERS_DRIVER_OWNCLOUDSQL_UPLOADINFO_DIR: /tmp
-      STORAGE_USERS_DRIVER_OWNCLOUDSQL_SHARE_FOLDER: "/Shares"
-      STORAGE_USERS_DRIVER_OWNCLOUDSQL_LAYOUT: "{{.Username}}"
-      STORAGE_USERS_DRIVER_OWNCLOUDSQL_DBUSERNAME: owncloud
-      STORAGE_USERS_DRIVER_OWNCLOUDSQL_DBPASSWORD: owncloud
-      STORAGE_USERS_DRIVER_OWNCLOUDSQL_DBHOST: oc10-db
-      STORAGE_USERS_DRIVER_OWNCLOUDSQL_DBPORT: 3306
-      STORAGE_USERS_DRIVER_OWNCLOUDSQL_DBNAME: owncloud
-      STORAGE_USERS_DRIVER_OWNCLOUDSQL_REDIS_ADDR: redis:6379 # TODO: redis is not yet supported
+      STORAGE_USERS_DRIVER: "owncloudsql"
+      STORAGE_USERS_OWNCLOUDSQL_DATADIR: "/mnt/data/files"
+      STORAGE_USERS_OWNCLOUDSQL_SHARE_FOLDER: "/Shares"
+      STORAGE_USERS_OWNCLOUDSQL_LAYOUT: "{{.Username}}"
+      STORAGE_USERS_OWNCLOUDSQL_DB_USERNAME: "owncloud"
+      STORAGE_USERS_OWNCLOUDSQL_DB_PASSWORD: "owncloud"
+      STORAGE_USERS_OWNCLOUDSQL_DB_HOST: "oc10-db"
+      STORAGE_USERS_OWNCLOUDSQL_DB_PORT: 3306
+      STORAGE_USERS_OWNCLOUDSQL_DB_NAME: "owncloud"
       # ownCloudSQL sharing driver
-      STORAGE_SHARING_USER_DRIVER: owncloudsql
-      STORAGE_SHARING_USER_SQL_USERNAME: owncloud
-      STORAGE_SHARING_USER_SQL_PASSWORD: owncloud
-      STORAGE_SHARING_USER_SQL_HOST: oc10-db
-      STORAGE_SHARING_USER_SQL_PORT: 3306
-      STORAGE_SHARING_USER_SQL_NAME: owncloud
-
+      SHARING_USER_DRIVER: "owncloudsql"
+      SHARING_USER_OWNCLOUDSQL_DB_USERNAME: "owncloud"
+      SHARING_USER_OWNCLOUDSQL_DB_PASSWORD: "owncloud"
+      SHARING_USER_OWNCLOUDSQL_DB_HOST: "oc10-db"
+      SHARING_USER_OWNCLOUDSQL_DB_PORT: 330
+      SHARING_USER_OWNCLOUDSQL_DB_NAME: "owncloud"
       # ownCloud storage readonly
       OCIS_STORAGE_READ_ONLY: "false" # TODO: conflict with OWNCLOUDSQL -> https://github.com/owncloud/ocis/issues/2303
       # General oCIS config

extensions/auth-basic/pkg/config/config.go

@@ -81,7 +81,7 @@ type LDAPProvider struct {
 	UserObjectClass  string          `yaml:"user_object_filter" env:"LDAP_USER_OBJECTCLASS;AUTH_BASIC_LDAP_USER_OBJECTCLASS"`
 	GroupObjectClass string          `yaml:"group_object_class" env:"LDAP_GROUP_OBJECTCLASS;AUTH_BASIC_LDAP_GROUP_OBJECTCLASS"`
 	LoginAttributes  []string        `yaml:"login_attributes" env:"LDAP_LOGIN_ATTRIBUTES;AUTH_BASIC_LDAP_LOGIN_ATTRIBUTES"`
-	IDP              string          `yaml:"idp" env:"OCIS_URL;AUTH_BASIC_IDP_URL"`
+	IDP              string          `yaml:"idp" env:"OCIS_URL;OCIS_OIDC_ISSUER;AUTH_BASIC_IDP_URL"`
 	UserSchema       LDAPUserSchema  `yaml:"user_schema"`
 	GroupSchema      LDAPGroupSchema `yaml:"group_schema"`
 }

extensions/auth-bearer/pkg/config/config.go

@@ -57,7 +57,7 @@ type GRPCConfig struct {
 }
 
 type OIDC struct {
-	Issuer   string `yaml:"issuer" env:"OCIS_URL;AUTH_BEARER_OIDC_ISSUER"`
+	Issuer   string `yaml:"issuer" env:"OCIS_URL;OCIS_OIDC_ISSUER;AUTH_BEARER_OIDC_ISSUER"`
 	Insecure bool   `yaml:"insecure" env:"OCIS_INSECURE;AUTH_BEARER_OIDC_INSECURE"`
 	IDClaim  string `yaml:"id_claim" env:"AUTH_BEARER_OIDC_ID_CLAIM"`
 	UIDClaim string `yaml:"uid_claim" env:"AUTH_BEARER_OIDC_UID_CLAIM"`

extensions/graph-explorer/pkg/config/config.go

@@ -26,7 +26,7 @@ type Config struct {
 // GraphExplorer defines the available graph-explorer configuration.
 type GraphExplorer struct {
 	ClientID     string `yaml:"client_id" env:"GRAPH_EXPLORER_CLIENT_ID"`
-	Issuer       string `yaml:"issuer" env:"OCIS_URL;GRAPH_EXPLORER_ISSUER"`
+	Issuer       string `yaml:"issuer" env:"OCIS_URL;OCIS_OIDC_ISSUER;GRAPH_EXPLORER_ISSUER"`
 	GraphURLBase string `yaml:"graph_url_base" env:"OCIS_URL;GRAPH_EXPLORER_GRAPH_URL_BASE"`
 	GraphURLPath string `yaml:"graph_url_path" env:"GRAPH_EXPLORER_GRAPH_URL_PATH"`
 }

extensions/groups/pkg/config/config.go

@@ -80,7 +80,7 @@ type LDAPDriver struct {
 	UserObjectClass  string          `yaml:"user_object_class" env:"LDAP_USER_OBJECTCLASS;GROUPS_LDAP_USER_OBJECTCLASS"`
 	GroupObjectClass string          `yaml:"group_object_class" env:"LDAP_GROUP_OBJECTCLASS;GROUPS_LDAP_GROUP_OBJECTCLASS"`
 	LoginAttributes  []string        `yaml:"login_attributes" env:"LDAP_LOGIN_ATTRIBUTES;GROUPS_LDAP_LOGIN_ATTRIBUTES"`
-	IDP              string          `yaml:"idp" env:"OCIS_URL;GROUPS_IDP_URL"`
+	IDP              string          `yaml:"idp" env:"OCIS_URL;OCIS_OIDC_ISSUER;GROUPS_IDP_URL"`
 	UserSchema       LDAPUserSchema  `yaml:"user_schema"`
 	GroupSchema      LDAPGroupSchema `yaml:"group_schema"`
 }

extensions/idp/pkg/config/config.go

@@ -55,7 +55,7 @@ type Settings struct {
 	// don't change the order of elements in this struct
 	// it needs to match github.com/libregraph/lico/bootstrap.Settings
 
-	Iss string `yaml:"iss" env:"OCIS_URL;IDP_ISS"`
+	Iss string `yaml:"iss" env:"OCIS_URL;OCIS_OIDC_ISSUER;IDP_ISS"`
 
 	IdentityManager string `yaml:"identity_manager" env:"IDP_IDENTITY_MANAGER"`
 

extensions/ocs/pkg/config/config.go

@@ -34,5 +34,5 @@ type Config struct {
 // is based in the combination of IDP hostname + UserID. For more information see:
 // https://github.com/cs3org/reva/blob/4fd0229f13fae5bc9684556a82dbbd0eced65ef9/pkg/storage/utils/decomposedfs/node/node.go#L856-L865
 type IdentityManagement struct {
-	Address string `yaml:"address" env:"OCIS_URL;OCS_IDM_ADDRESS"`
+	Address string `yaml:"address" env:"OCIS_URL;OCIS_OIDC_ISSUER;OCS_IDM_ADDRESS"`
 }

extensions/proxy/pkg/config/config.go

@@ -83,7 +83,7 @@ type AuthMiddleware struct {
 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request
 // with the configured oidc-provider
 type OIDC struct {
-	Issuer        string        `yaml:"issuer" env:"OCIS_URL;PROXY_OIDC_ISSUER"`
+	Issuer        string        `yaml:"issuer" env:"OCIS_URL;OCIS_OIDC_ISSUER;PROXY_OIDC_ISSUER"`
 	Insecure      bool          `yaml:"insecure" env:"OCIS_INSECURE;PROXY_OIDC_INSECURE"`
 	UserinfoCache UserinfoCache `yaml:"user_info_cache"`
 }

extensions/users/pkg/config/config.go

@@ -84,7 +84,7 @@ type LDAPDriver struct {
 	UserObjectClass  string          `yaml:"user_object_class" env:"LDAP_USER_OBJECTCLASS;USERS_LDAP_USER_OBJECTCLASS"`
 	GroupObjectClass string          `yaml:"group_object_class" env:"LDAP_GROUP_OBJECTCLASS;USERS_LDAP_GROUP_OBJECTCLASS"`
 	LoginAttributes  []string        `yaml:"login_attributes" env:"LDAP_LOGIN_ATTRIBUTES;USERS_LDAP_LOGIN_ATTRIBUTES"`
-	IDP              string          `yaml:"idp" env:"OCIS_URL;USERS_IDP_URL"`
+	IDP              string          `yaml:"idp" env:"OCIS_URL;OCIS_OIDC_ISSUER;USERS_IDP_URL"`
 	UserSchema       LDAPUserSchema  `yaml:"user_schema"`
 	GroupSchema      LDAPGroupSchema `yaml:"group_schema"`
 }

extensions/web/pkg/config/config.go

@@ -44,7 +44,7 @@ type WebConfig struct {
 // OIDC defines the available oidc configuration
 type OIDC struct {
 	MetadataURL  string `json:"metadata_url,omitempty" yaml:"metadata_url" env:"WEB_OIDC_METADATA_URL"`
-	Authority    string `json:"authority,omitempty" yaml:"authority" env:"OCIS_URL;WEB_OIDC_AUTHORITY"`
+	Authority    string `json:"authority,omitempty" yaml:"authority" env:"OCIS_URL;OCIS_OIDC_ISSUER;WEB_OIDC_AUTHORITY"`
 	ClientID     string `json:"client_id,omitempty" yaml:"client_id" env:"WEB_OIDC_CLIENT_ID"`
 	ResponseType string `json:"response_type,omitempty" yaml:"response_type" env:"WEB_OIDC_RESPONSE_TYPE"`
 	Scope        string `json:"scope,omitempty" yaml:"scope" env:"WEB_OIDC_SCOPE"`