* feat: add CSP and other security related headers in the oCIS proxy service
* fix: consolidate security related headers - drop middleware.Secure
* fix: use github.com/DeepDiver1975/secure
* fix: acceptance tests
* feat: support env var replacements in csp.yaml
To enhance the security of our application and prevent Cross-Site Request Forgery (CSRF) attacks, we have updated the
SameSite attribute of the build in Identity Provider (IDP) cookies to Strict.
* enhancement: allow ocis to provide custom web applications
* enhancement: add an option to disable web apps
* test: add default logger tests
* test: add app loading tests
* test: add asset server tests
* enhancement: make use of dedicated app conf file and app asset paths
* enhancement: adjust asset locations and deprecate WEB_ASSET_PATH
* enhancement: get rid of default logger and use the service level logger instead
* Apply suggestions from code review
Co-authored-by: Benedikt Kulmann <benedikt@kulmann.biz>
Co-authored-by: kobergj <juliankoberg@googlemail.com>
* enhancement: use basename as app id
* Apply suggestions from code review
Co-authored-by: Martin <github@diemattels.at>
* enhancement: use afero as fs abstraction
* enhancement: simplify logo upload
* enhancement: make use of introductionVersion field annotations
---------
Co-authored-by: Benedikt Kulmann <benedikt@kulmann.biz>
Co-authored-by: kobergj <juliankoberg@googlemail.com>
Co-authored-by: Martin <github@diemattels.at>
This revision introduces a new environment variable
`IDP_LOGIN_BACKGROUND_URL` that overrides the default background image
of the IDP login page when present.
For some reason LDAP_BIND_PASSWORD was forgotten when all the other global LDAP_
variables got renamed.
Also marks LDAP_BIND_PASSWORD and LDAP_USER_SCHEMA_ID_IS_OCTETSTRING for removal with 5.0.0
Partial: #7176
This reverts commit 52951b42b0.
The change broke authentication for at least the desktop client when
using the builtin idp. There seem to be issues in the IDP (lico) which
result in the implicit scoped not being added correctly in some case.
When that scope is missing the `lg.uuid` claim will not be present in
the userinfo and we can correctly match users by id.
This reverts back to the old behaviour of matching users by name. Which
also brings some aspects of https://github.com/owncloud/ocis/issues/904Fixes#6415
Reconfigure the oidc clients for lico, so that lico adds the "lg.uuid" to
tokens and userinfo by default. That claim will contain the userid. So
we can now use the userid for matching users when using the default
idm/idp configuration. This fixes further problems so that users being
recreated with the same name are correctly treated as differnt users.
Fixes: #904
Fixes: 5906
After clarification and renaming th envvar and post a discussion with @rhafer, we should align the yaml name to the envvar name. Note that the backend name (`Insecure`) is not changed.
* In the deployment examples, we use ennvars and no yaml
* ocis init does not use it
This adds support for configuring an LDAP Attribute that can be used as a flag
to disallow users to login. We currently default to 'ownCloudUserEnabled' as
used in the default configuration of the graph service.
* walk and log chi routes, ocs cleanup
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* make linter happy
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
