From d2de2a775de7ad1d67ba91a92edaa289ececda85 Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Wed, 4 May 2022 08:34:36 +0200 Subject: [PATCH] add OCIS_OIDC_ISSUER config env
---
 .drone.star | 24 +++--- .../config/ocis/entrypoint-override.sh | 8 ++ .../oc10_ocis_parallel/docker-compose.yml | 83 +++++++++---------- extensions/auth-basic/pkg/config/config.go | 2 +- extensions/auth-bearer/pkg/config/config.go | 2 +- .../graph-explorer/pkg/config/config.go | 2 +- extensions/groups/pkg/config/config.go | 2 +- extensions/idp/pkg/config/config.go | 2 +- extensions/ocs/pkg/config/config.go | 2 +- extensions/proxy/pkg/config/config.go | 2 +- extensions/users/pkg/config/config.go | 2 +- extensions/web/pkg/config/config.go | 2 +- 12 files changed, 67 insertions(+), 66 deletions(-) create mode 100644 deployments/examples/oc10_ocis_parallel/config/ocis/entrypoint-override.sh
diff --git a/.drone.star b/.drone.star
index 8a9acb8db..7c19e3a1a 100644
--- a/.drone.star
+++ b/.drone.star
@@ -1663,16 +1663,14 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
 else:
 user = "33:33"
 environment = {
+ # Keycloak IDP specific configuration
+ "OCIS_OIDC_ISSUER": "https://keycloak/auth/realms/owncloud",
+ "WEB_OIDC_METADATA_URL": "https://keycloak/auth/realms/owncloud/.well-known/openid-configuration",
+ "WEB_OIDC_CLIENT_ID": "ocis-web",
+ "WEB_OIDC_SCOPE": "openid profile email owncloud",
+ # external ldap is supposed to be read only
 "GRAPH_IDENTITY_BACKEND": "cs3",
 "GRAPH_LDAP_SERVER_WRITE_ENABLED": "false",
- # Keycloak IDP specific configuration
- "PROXY_OIDC_ISSUER": "https://keycloak/auth/realms/owncloud",
- "LDAP_IDP": "https://keycloak/auth/realms/owncloud",
- "WEB_OIDC_AUTHORITY": "https://keycloak/auth/realms/owncloud",
- "WEB_OIDC_CLIENT_ID": "ocis-web",
- "WEB_OIDC_METADATA_URL": "https://keycloak/auth/realms/owncloud/.well-known/openid-configuration",
- "AUTH_BEARER_OIDC_ISSUER": "https://keycloak",
- "WEB_OIDC_SCOPE": "openid profile email owncloud",
 # LDAP bind
 "LDAP_URI": "ldaps://openldap",
 "LDAP_INSECURE": "true",
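Review bot: The issuer used by the auth-bearer service in this CI setup silently changes here: the removed `"AUTH_BEARER_OIDC_ISSUER": "https://keycloak"` (bare host) is replaced by the fallback to `"OCIS_OIDC_ISSUER": "https://keycloak/auth/realms/owncloud"`, which is the realm URL Keycloak places in the `iss` claim, so it is presumably the intended correction — but it is a behavioural change the commit message does not state. Because OIDC discovery requires the configured issuer to match the provider's advertised issuer byte-for-byte (scheme, host, path, no trailing slash), I would make that expectation visible next to the new variable: `# Keycloak IDP specific configuration (OCIS_OIDC_ISSUER must equal the realm's iss claim exactly)`. The `environment` dict and `ocisServer` continue outside the hunk.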
@@ -1685,19 +1683,19 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
 "PROXY_USER_CS3_CLAIM": "userid", # equals STORAGE_LDAP_USER_SCHEMA_UID
 "LDAP_GROUP_BASE_DN": "ou=testgroups,dc=owncloud,dc=com",
 "LDAP_GROUP_OBJECTCLASS": "groupOfUniqueNames",
- "LDAP_GROUPFILTER": "(objectclass=owncloud)",
 "LDAP_GROUP_SCHEMA_DISPLAYNAME": "cn",
 "LDAP_GROUP_SCHEMA_ID": "cn",
 "LDAP_GROUP_SCHEMA_MAIL": "mail",
 "LDAP_GROUP_SCHEMA_MEMBER": "cn",
+ "LDAP_GROUPFILTER": "(objectclass=owncloud)",
+ "LDAP_LOGIN_ATTRIBUTES": "uid,mail",
 "LDAP_USER_BASE_DN": "ou=testusers,dc=owncloud,dc=com",
 "LDAP_USER_OBJECTCLASS": "posixAccount",
- "LDAP_USERFILTER": "(objectclass=owncloud)",
- "LDAP_USER_SCHEMA_USERNAME": "cn",
 "LDAP_USER_SCHEMA_DISPLAYNAME": "displayname",
- "LDAP_USER_SCHEMA_MAIL": "mail",
 "LDAP_USER_SCHEMA_ID": "ownclouduuid",
- "LDAP_LOGIN_ATTRIBUTES": "uid,mail",
+ "LDAP_USER_SCHEMA_MAIL": "mail",
+ "LDAP_USER_SCHEMA_USERNAME": "cn",
+ "LDAP_USERFILTER": "(objectclass=owncloud)",
 # ownCloudSQL storage driver
 "STORAGE_USERS_DRIVER": "owncloudsql",
 "STORAGE_USERS_OWNCLOUDSQL_DATADIR": "/mnt/data/files",
diff --git a/deployments/examples/oc10_ocis_parallel/config/ocis/entrypoint-override.sh b/deployments/examples/oc10_ocis_parallel/config/ocis/entrypoint-override.sh
new file mode 100644
index 000000000..dcbef6736
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/config/ocis/entrypoint-override.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+ocis init || true # will only initialize once
+
+#chmod 744 -R /etc/ocis
+#setpriv --reuid=33 --regid=33 --clear-groups
+ocis server
diff --git a/deployments/examples/oc10_ocis_parallel/docker-compose.yml b/deployments/examples/oc10_ocis_parallel/docker-compose.yml
index 56886b6d2..053eeebfc 100644
--- a/deployments/examples/oc10_ocis_parallel/docker-compose.yml
+++ b/deployments/examples/oc10_ocis_parallel/docker-compose.yml
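Review bot: `ocis init || true` discards every failure of `ocis init`, not only the already-initialised case the trailing comment describes, so a container whose init failed for another reason (unwritable config directory, failed secret generation) still proceeds to `ocis server` on whatever partial state exists, and `set -e` gives no protection because the error is swallowed. I would test the condition rather than the exit code, e.g. `if [ ! -f "${OCIS_CONFIG_DIR:-/etc/ocis}/ocis.yaml" ]; then ocis init; fi` — the exact config path and variable name need confirming against what `ocis init` writes. The commented-out `#chmod 744 -R /etc/ocis` and `#setpriv --reuid=33 --regid=33 --clear-groups` lines are dead code that hints at an intended privilege drop; either delete them or add `# privileges are dropped by the compose file's user: "33:33", not here` so the next reader does not re-enable them blindly.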
@@ -50,60 +50,55 @@ services:
 user: "33:33" # equals the user "www-data" for oC10
 environment:
 # Keycloak IDP specific configuration
- PROXY_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
- WEB_OIDC_AUTHORITY: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
- WEB_OIDC_CLIENT_ID: ocis-web
+ OCIS_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
 WEB_OIDC_METADATA_URL: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}/.well-known/openid-configuration
- STORAGE_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
- STORAGE_LDAP_IDP: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}
+ WEB_OIDC_CLIENT_ID: ocis-web
 WEB_OIDC_SCOPE: openid profile email owncloud
+ # external ldap is supposed to be read only
+ GRAPH_IDENTITY_BACKEND: cs3
+ GRAPH_LDAP_SERVER_WRITE_ENABLED: "false"
 # LDAP bind
- STORAGE_LDAP_URI: "ldaps://openldap"
- STORAGE_LDAP_INSECURE: "true"
- STORAGE_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
- STORAGE_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+ LDAP_URI: "ldaps://openldap"
+ LDAP_INSECURE: "true"
+ LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
+ LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
 # LDAP user settings
 PROXY_AUTOPROVISION_ACCOUNTS: "true" # automatically create users when they login
 PROXY_ACCOUNT_BACKEND_TYPE: cs3 # proxy should get users from CS3APIS (which gets it from LDAP)
 PROXY_USER_OIDC_CLAIM: ocis.user.uuid # claim was added in Keycloak
 PROXY_USER_CS3_CLAIM: userid # equals STORAGE_LDAP_USER_SCHEMA_UID
- STORAGE_LDAP_GROUP_BASE_DN: "dc=owncloud,dc=com"
- STORAGE_LDAP_GROUP_SCHEMA_DISPLAYNAME: "cn"
- STORAGE_LDAP_GROUP_SCHEMA_GID_NUMBER: "gidnumber"
- STORAGE_LDAP_GROUP_SCHEMA_ID: "cn"
- STORAGE_LDAP_GROUP_SCHEMA_MAIL: "mail"
- STORAGE_LDAP_GROUP_SCHEMA_MEMBER: "cn"
- STORAGE_LDAP_GROUP_OBJECTCLASS: "groupOfUniqueNames"
- STORAGE_LDAP_GROUPFILTER: "(objectclass=owncloud)"
- STORAGE_LDAP_USER_BASE_DN: "dc=owncloud,dc=com"
- STORAGE_LDAP_USER_SCHEMA_USERNAME: "cn"
- STORAGE_LDAP_USER_SCHEMA_DISPLAYNAME: "displayname"
- STORAGE_LDAP_USER_SCHEMA_GID_NUMBER: "gidnumber"
- STORAGE_LDAP_USER_SCHEMA_MAIL: "mail"
- STORAGE_LDAP_USER_SCHEMA_UID_NUMBER: "uidnumber"
- STORAGE_LDAP_USER_SCHEMA_ID: "ownclouduuid"
- STORAGE_LDAP_LOGIN_ATTRIBUTES: "uid,mail"
+ LDAP_GROUP_BASE_DN: "dc=owncloud,dc=com"
+ LDAP_GROUP_OBJECTCLASS: "groupOfUniqueNames"
+ LDAP_GROUP_SCHEMA_DISPLAYNAME: "cn"
+ LDAP_GROUP_SCHEMA_ID: "cn"
+ LDAP_GROUP_SCHEMA_MAIL: "mail"
+ LDAP_GROUP_SCHEMA_MEMBER: "cn"
+ LDAP_GROUPFILTER: "(objectclass=owncloud)"
+ LDAP_LOGIN_ATTRIBUTES: "uid,mail"
+ LDAP_USER_BASE_DN: "dc=owncloud,dc=com"
+ LDAP_USER_OBJECTCLASS: "posixAccount"
+ LDAP_USER_SCHEMA_DISPLAYNAME: "displayname"
+ LDAP_USER_SCHEMA_ID: "ownclouduuid"
+ LDAP_USER_SCHEMA_MAIL: "mail"
+ LDAP_USER_SCHEMA_USERNAME: "cn"
+ LDAP_USERFILTER: "(objectclass=owncloud)"
 # ownCloudSQL storage driver
- STORAGE_USERS_DRIVER: owncloudsql
- STORAGE_SYSTEM_DRIVER: ocis # keep system data on ocis storage since this are only small files atm
- STORAGE_USERS_DRIVER_OWNCLOUDSQL_DATADIR: /mnt/data/files
- STORAGE_USERS_DRIVER_OWNCLOUDSQL_UPLOADINFO_DIR: /tmp
- STORAGE_USERS_DRIVER_OWNCLOUDSQL_SHARE_FOLDER: "/Shares"
- STORAGE_USERS_DRIVER_OWNCLOUDSQL_LAYOUT: "{{.Username}}"
- STORAGE_USERS_DRIVER_OWNCLOUDSQL_DBUSERNAME: owncloud
- STORAGE_USERS_DRIVER_OWNCLOUDSQL_DBPASSWORD: owncloud
- STORAGE_USERS_DRIVER_OWNCLOUDSQL_DBHOST: oc10-db
- STORAGE_USERS_DRIVER_OWNCLOUDSQL_DBPORT: 3306
- STORAGE_USERS_DRIVER_OWNCLOUDSQL_DBNAME: owncloud
- STORAGE_USERS_DRIVER_OWNCLOUDSQL_REDIS_ADDR: redis:6379 # TODO: redis is not yet supported
+ STORAGE_USERS_DRIVER: "owncloudsql"
+ STORAGE_USERS_OWNCLOUDSQL_DATADIR: "/mnt/data/files"
+ STORAGE_USERS_OWNCLOUDSQL_SHARE_FOLDER: "/Shares"
+ STORAGE_USERS_OWNCLOUDSQL_LAYOUT: "{{.Username}}"
+ STORAGE_USERS_OWNCLOUDSQL_DB_USERNAME: "owncloud"
+ STORAGE_USERS_OWNCLOUDSQL_DB_PASSWORD: "owncloud"
+ STORAGE_USERS_OWNCLOUDSQL_DB_HOST: "oc10-db"
+ STORAGE_USERS_OWNCLOUDSQL_DB_PORT: 3306
+ STORAGE_USERS_OWNCLOUDSQL_DB_NAME: "owncloud"
 # ownCloudSQL sharing driver
- STORAGE_SHARING_USER_DRIVER: owncloudsql
- STORAGE_SHARING_USER_SQL_USERNAME: owncloud
- STORAGE_SHARING_USER_SQL_PASSWORD: owncloud
- STORAGE_SHARING_USER_SQL_HOST: oc10-db
- STORAGE_SHARING_USER_SQL_PORT: 3306
- STORAGE_SHARING_USER_SQL_NAME: owncloud
-
+ SHARING_USER_DRIVER: "owncloudsql"
+ SHARING_USER_OWNCLOUDSQL_DB_USERNAME: "owncloud"
+ SHARING_USER_OWNCLOUDSQL_DB_PASSWORD: "owncloud"
+ SHARING_USER_OWNCLOUDSQL_DB_HOST: "oc10-db"
+ SHARING_USER_OWNCLOUDSQL_DB_PORT: 330
+ SHARING_USER_OWNCLOUDSQL_DB_NAME: "owncloud"
 # ownCloud storage readonly
 OCIS_STORAGE_READ_ONLY: "false" # TODO: conflict with OWNCLOUDSQL -> https://github.com/owncloud/ocis/issues/2303
 # General oCIS config
diff --git a/extensions/auth-basic/pkg/config/config.go b/extensions/auth-basic/pkg/config/config.go
index 69b5fba14..ef4392f84 100644
--- a/extensions/auth-basic/pkg/config/config.go
+++ b/extensions/auth-basic/pkg/config/config.go
@@ -81,7 +81,7 @@ type LDAPProvider struct {
 UserObjectClass string `yaml:"user_object_filter" env:"LDAP_USER_OBJECTCLASS;AUTH_BASIC_LDAP_USER_OBJECTCLASS"`
 GroupObjectClass string `yaml:"group_object_class" env:"LDAP_GROUP_OBJECTCLASS;AUTH_BASIC_LDAP_GROUP_OBJECTCLASS"`
 LoginAttributes []string `yaml:"login_attributes" env:"LDAP_LOGIN_ATTRIBUTES;AUTH_BASIC_LDAP_LOGIN_ATTRIBUTES"`
- IDP string `yaml:"idp" env:"OCIS_URL;AUTH_BASIC_IDP_URL"`
+ IDP string `yaml:"idp" env:"OCIS_URL;OCIS_OIDC_ISSUER;AUTH_BASIC_IDP_URL"`
 UserSchema LDAPUserSchema `yaml:"user_schema"`
 GroupSchema LDAPGroupSchema `yaml:"group_schema"`
 }
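Review bot: `SHARING_USER_OWNCLOUDSQL_DB_PORT: 330` is a typo: the line it replaces had `3306`, and the storage-driver block just above still sets `STORAGE_USERS_OWNCLOUDSQL_DB_PORT: 3306` for the same `oc10-db` host, so the sharing driver would try the wrong port; change it to `SHARING_USER_OWNCLOUDSQL_DB_PORT: 3306`. Two settings carried over to the new names deserve a caveat because this is an example people copy: `LDAP_INSECURE: "true"` disables certificate verification on the `ldaps://openldap` connection, and `LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"` binds as the directory administrator even though the new comment declares the LDAP read-only — a dedicated read-only bind account would match the stated intent. A comment such as `# LDAP_INSECURE only for the self-signed test certificate; use "false" with a trusted CA` next to the bind block would make the trade-off explicit.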
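Review bot: The precedence of the three names in `env:"OCIS_URL;OCIS_OIDC_ISSUER;AUTH_BASIC_IDP_URL"` is not documented on the field; the existing two-name tags suggest the decoder applies names left to right with the last set variable winning, which would make `OCIS_OIDC_ISSUER` override `OCIS_URL` yet yield to the service-specific name — if that is the semantics, a comment like `// IDP is the identity-provider identifier stored with user IDs; of the listed env vars the last one set wins` spares the next reader a trip into the decoder. Adjacent and pre-existing, but worth a follow-up: this struct tags UserObjectClass as `yaml:"user_object_filter"` while the users and groups services use `yaml:"user_object_class"` for the same setting, so one shared YAML snippet cannot configure all three. The `LDAPProvider` struct starts outside the hunk.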
diff --git a/extensions/auth-bearer/pkg/config/config.go b/extensions/auth-bearer/pkg/config/config.go
index 7c1390e2a..962fb06d8 100644
--- a/extensions/auth-bearer/pkg/config/config.go
+++ b/extensions/auth-bearer/pkg/config/config.go
@@ -57,7 +57,7 @@ type GRPCConfig struct {
 }
 
 type OIDC struct {
- Issuer string `yaml:"issuer" env:"OCIS_URL;AUTH_BEARER_OIDC_ISSUER"`
+ Issuer string `yaml:"issuer" env:"OCIS_URL;OCIS_OIDC_ISSUER;AUTH_BEARER_OIDC_ISSUER"`
 Insecure bool `yaml:"insecure" env:"OCIS_INSECURE;AUTH_BEARER_OIDC_INSECURE"`
 IDClaim string `yaml:"id_claim" env:"AUTH_BEARER_OIDC_ID_CLAIM"`
 UIDClaim string `yaml:"uid_claim" env:"AUTH_BEARER_OIDC_UID_CLAIM"`
diff --git a/extensions/graph-explorer/pkg/config/config.go b/extensions/graph-explorer/pkg/config/config.go
index 4301472d4..afe223005 100644
--- a/extensions/graph-explorer/pkg/config/config.go
+++ b/extensions/graph-explorer/pkg/config/config.go
@@ -26,7 +26,7 @@ type Config struct {
 // GraphExplorer defines the available graph-explorer configuration.
 type GraphExplorer struct {
 ClientID string `yaml:"client_id" env:"GRAPH_EXPLORER_CLIENT_ID"`
- Issuer string `yaml:"issuer" env:"OCIS_URL;GRAPH_EXPLORER_ISSUER"`
+ Issuer string `yaml:"issuer" env:"OCIS_URL;OCIS_OIDC_ISSUER;GRAPH_EXPLORER_ISSUER"`
 GraphURLBase string `yaml:"graph_url_base" env:"OCIS_URL;GRAPH_EXPLORER_GRAPH_URL_BASE"`
 GraphURLPath string `yaml:"graph_url_path" env:"GRAPH_EXPLORER_GRAPH_URL_PATH"`
 }
diff --git a/extensions/groups/pkg/config/config.go b/extensions/groups/pkg/config/config.go
index e0ff9c1ce..ac7859ef3 100644
--- a/extensions/groups/pkg/config/config.go
+++ b/extensions/groups/pkg/config/config.go
@@ -80,7 +80,7 @@ type LDAPDriver struct {
 UserObjectClass string `yaml:"user_object_class" env:"LDAP_USER_OBJECTCLASS;GROUPS_LDAP_USER_OBJECTCLASS"`
 GroupObjectClass string `yaml:"group_object_class" env:"LDAP_GROUP_OBJECTCLASS;GROUPS_LDAP_GROUP_OBJECTCLASS"`
 LoginAttributes []string `yaml:"login_attributes" env:"LDAP_LOGIN_ATTRIBUTES;GROUPS_LDAP_LOGIN_ATTRIBUTES"`
- IDP string `yaml:"idp" env:"OCIS_URL;GROUPS_IDP_URL"`
+ IDP string `yaml:"idp" env:"OCIS_URL;OCIS_OIDC_ISSUER;GROUPS_IDP_URL"`
 UserSchema LDAPUserSchema `yaml:"user_schema"`
 GroupSchema LDAPGroupSchema `yaml:"group_schema"`
 }
diff --git a/extensions/idp/pkg/config/config.go b/extensions/idp/pkg/config/config.go
index ab6a90c1a..b239e1be4 100644
--- a/extensions/idp/pkg/config/config.go
+++ b/extensions/idp/pkg/config/config.go
@@ -55,7 +55,7 @@ type Settings struct {
 // don't change the order of elements in this struct
 // it needs to match github.com/libregraph/lico/bootstrap.Settings
- Iss string `yaml:"iss" env:"OCIS_URL;IDP_ISS"`
+ Iss string `yaml:"iss" env:"OCIS_URL;OCIS_OIDC_ISSUER;IDP_ISS"`
 IdentityManager string `yaml:"identity_manager" env:"IDP_IDENTITY_MANAGER"`
diff --git a/extensions/ocs/pkg/config/config.go b/extensions/ocs/pkg/config/config.go
index 53ba58276..a105abf45 100644
--- a/extensions/ocs/pkg/config/config.go
+++ b/extensions/ocs/pkg/config/config.go
@@ -34,5 +34,5 @@ type Config struct {
 // is based in the combination of IDP hostname + UserID. For more information see:
 // https://github.com/cs3org/reva/blob/4fd0229f13fae5bc9684556a82dbbd0eced65ef9/pkg/storage/utils/decomposedfs/node/node.go#L856-L865
 type IdentityManagement struct {
- Address string `yaml:"address" env:"OCIS_URL;OCS_IDM_ADDRESS"`
+ Address string `yaml:"address" env:"OCIS_URL;OCIS_OIDC_ISSUER;OCS_IDM_ADDRESS"`
 }
diff --git a/extensions/proxy/pkg/config/config.go b/extensions/proxy/pkg/config/config.go
index a8c394f36..f71e00066 100644
--- a/extensions/proxy/pkg/config/config.go
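Review bot: Letting the built-in IDP's `Iss` fall back to `OCIS_OIDC_ISSUER` means that if this service is started in a deployment where the variable names an external provider — as both deployment files in this patch do — the embedded IDP will mint tokens whose `iss` claims to be Keycloak; whether the bearer middleware would then accept them depends on key discovery, which is outside this hunk, but at minimum it produces tokens that misidentify their origin. I would either keep this field on `env:"OCIS_URL;IDP_ISS"` only, or state the contract on the field: `// Iss also honours OCIS_OIDC_ISSUER; do not run this service when that variable points at an external IDP`. The `Settings` struct continues outside the hunk.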
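Review bot: The comment above `IdentityManagement` (its first sentence lies outside the hunk) says the value takes part in identifiers built from IDP hostname + UserID, so the new `OCIS_OIDC_ISSUER` fallback silently changes those identifiers on any existing deployment that sets the variable without also pinning `OCS_IDM_ADDRESS` — a migration hazard the commit message does not mention. A note on the field would flag it, e.g. `// Address must stay stable once users and shares exist; setting OCIS_OIDC_ISSUER changes it unless OCS_IDM_ADDRESS is set explicitly`, and the changelog entry for this variable should say the same.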
+++ b/extensions/proxy/pkg/config/config.go
@@ -83,7 +83,7 @@ type AuthMiddleware struct {
 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request
 // with the configured oidc-provider
 type OIDC struct {
- Issuer string `yaml:"issuer" env:"OCIS_URL;PROXY_OIDC_ISSUER"`
+ Issuer string `yaml:"issuer" env:"OCIS_URL;OCIS_OIDC_ISSUER;PROXY_OIDC_ISSUER"`
 Insecure bool `yaml:"insecure" env:"OCIS_INSECURE;PROXY_OIDC_INSECURE"`
 UserinfoCache UserinfoCache `yaml:"user_info_cache"`
 }
diff --git a/extensions/users/pkg/config/config.go b/extensions/users/pkg/config/config.go
index 81f27896e..57b3f95c1 100644
--- a/extensions/users/pkg/config/config.go
+++ b/extensions/users/pkg/config/config.go
@@ -84,7 +84,7 @@ type LDAPDriver struct {
 UserObjectClass string `yaml:"user_object_class" env:"LDAP_USER_OBJECTCLASS;USERS_LDAP_USER_OBJECTCLASS"`
 GroupObjectClass string `yaml:"group_object_class" env:"LDAP_GROUP_OBJECTCLASS;USERS_LDAP_GROUP_OBJECTCLASS"`
 LoginAttributes []string `yaml:"login_attributes" env:"LDAP_LOGIN_ATTRIBUTES;USERS_LDAP_LOGIN_ATTRIBUTES"`
- IDP string `yaml:"idp" env:"OCIS_URL;USERS_IDP_URL"`
+ IDP string `yaml:"idp" env:"OCIS_URL;OCIS_OIDC_ISSUER;USERS_IDP_URL"`
 UserSchema LDAPUserSchema `yaml:"user_schema"`
 GroupSchema LDAPGroupSchema `yaml:"group_schema"`
 }
diff --git a/extensions/web/pkg/config/config.go b/extensions/web/pkg/config/config.go
index a01b8f82b..e289109b1 100644
--- a/extensions/web/pkg/config/config.go
+++ b/extensions/web/pkg/config/config.go
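Review bot: The users, groups and auth-basic services now derive `IDP` from the same `OCIS_URL;OCIS_OIDC_ISSUER;…` chain, but each keeps its own override (`USERS_IDP_URL`, `GROUPS_IDP_URL`, `AUTH_BASIC_IDP_URL`), so setting just one of them presumably leaves the same LDAP user namespaced under different IDP values in different services, and nothing in this config layer detects the disagreement. Since the CI change in this patch drops the explicit `LDAP_IDP` and relies on the fallback, I would document the invariant on the field: `// IDP must be identical across the users, groups and auth-basic services; prefer OCIS_OIDC_ISSUER over the per-service override`. The `LDAPDriver` struct starts outside the hunk.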
@@ -44,7 +44,7 @@ type WebConfig struct {
 // OIDC defines the available oidc configuration
 type OIDC struct {
 MetadataURL string `json:"metadata_url,omitempty" yaml:"metadata_url" env:"WEB_OIDC_METADATA_URL"`
- Authority string `json:"authority,omitempty" yaml:"authority" env:"OCIS_URL;WEB_OIDC_AUTHORITY"`
+ Authority string `json:"authority,omitempty" yaml:"authority" env:"OCIS_URL;OCIS_OIDC_ISSUER;WEB_OIDC_AUTHORITY"`
 ClientID string `json:"client_id,omitempty" yaml:"client_id" env:"WEB_OIDC_CLIENT_ID"`
 ResponseType string `json:"response_type,omitempty" yaml:"response_type" env:"WEB_OIDC_RESPONSE_TYPE"`
 Scope string `json:"scope,omitempty" yaml:"scope" env:"WEB_OIDC_SCOPE"`
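Review bot: `Authority` now follows `OCIS_OIDC_ISSUER` but `MetadataURL` does not, so a deployment that sets only the new variable gets a web client whose authority is the external IDP while its metadata URL is still whatever default applies — which is why both deployment files in this patch must set `WEB_OIDC_METADATA_URL` by hand to keep the two in step. If the `MetadataURL` default is computed elsewhere from `OCIS_URL`, consider deriving it from `Authority` (`<authority>/.well-known/openid-configuration`) when unset; otherwise document the coupling: `// MetadataURL must point at the same provider as Authority; it is not derived from OCIS_OIDC_ISSUER`. The `json` tags suggest these values are shipped to the browser, so a mismatch would surface as a failed login rather than a startup error. The struct closes outside the hunk.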