The "aud" claim of the logout token is supposed to contain the client-id
of the client for which the token was issued. Our current implementation of
validating that claim is somewhat broken. We only allow to configure a single
value for the allowed client id. But we have different client-ids
accessing oCIS.
This completely removes the current validation of the `aud` claim until
we come up with a working solution. As we currently require a session id
to be present in the logout token the risk not validating the `aud`
claim is pretty low.
Related: #6149
* Streamline the store implementation with and into reva
* Adapt to the cache/store refactoring in reva
* Streamline config options and their env vars
* Apply suggestions from code review
Co-authored-by: Martin <github@diemattels.at>
* Use the same database for all stores
* Bump reva
* Configure stat and filemetadata cache separately
* Fix default config
---------
Co-authored-by: Martin <github@diemattels.at>
Use access token to lookup session id. The userinfo endpoint does
not return the session id. Also add some debug logging.
Co-authored-by: Christian Richter <crichter@owncloud.com>
Co-authored-by: Michael Barz <mbarz@owncloud.com>
when uploading files via uppy (tus), the path does not give any information about the file, PUT contains the filename in the path, tus POST not.
this pr extracts the HeaderUploadMetadata from that POST request and enhances the policies grpc environment request with that information.
Therefore, the policies service is now able to evaluate proxy requests for tus uploads too.
* refactor middleware options
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use ocmemstore micro store implementaiton for token cache
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* refactor ocis store options, support redis sentinel
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* align cache configuration
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* database and tabe are used to build prefixes for inmemory stores
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add global persistent store options to userlog config
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* log cache errors but continue
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* drup unnecessary type conversion
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* Better description for the default userinfo ttl
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use global cache options for even more caches
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* don't log userinfo cache misses
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* default to stock memory store
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use correct mem store typo string
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* split cache options, doc cleanup
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* mint and write userinfo to cache async
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use hashed token as key
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* go mod tidy
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update docs
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update cache store naming
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* bring back depreceted ocis-pkg/store package for backwards compatability
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update changelog
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* Apply suggestions from code review
Co-authored-by: kobergj <jkoberg@owncloud.com>
* revert ocis-pkg/cache to store rename
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add waiting for each step 50 milliseconds
* starlack check
---------
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: kobergj <jkoberg@owncloud.com>
Co-authored-by: Viktor Scharf <scharf.vi@gmail.com>
* upgrade to go1.19 and set go mem limit
* create ocis-pkg memlimit package
* use std automemlimit import
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* import automemlimit in every ocis service, drop ocis-pkg/memlimit package
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* bump go to 1.20
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* drop unused config options and env vars
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update all version numbers, add doc
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix lint
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update bingo and mockery
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* bump golangci-lint
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix selector test
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* Update changelog/unreleased/enhancement-memlimit.md
Co-authored-by: kobergj <juliankoberg@googlemail.com>
---------
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: Willy Kloucek <wkloucek@owncloud.com>
Co-authored-by: kobergj <juliankoberg@googlemail.com>
Avoid torturing the settings service with "ListRoles" request for
every incoming request to the proxy.
The role Mapping is refreshed if cached data is older than 5 minutes.
Add a UserRoleAssigner implementation that extract role names from the
users' claims and creates role assignments in the settings service based
on a configured mapping of claim values to ocis role names.
Closes: #5669
This moves the lookup and the creation of the users' role assignemt out
of the user backend into its own interface. This makes the user backend
a bit simpler and allows to provide different implemenation for the user
role assignment more easily.
This removes the "withRoles" flag from the GetUserByClaims lookup and move the
functionality into a separate method. This should make the code a bit more readable
in preparation for maintaining the RoleAssignments from OIDC claims.
* add policies service
add policies proxy middleware
add policies event service
add policies grpc service
prepare ci and git environments (ci, make, readme, doc)
* add webfinger to the drone conf
* fix docs
remove not used virus scan postprocessing step
* relocate example rego file
implicitly enable and disable proxy and postprocessing policy checking by setting the query.
update configuration descriptions
* move policies
update readme
* use converter func to convert pp environment to actual environment
expose and test custom rego functions
add engine unit tests
add opa unit tests
update policies readme
Co-authored-by: Martin <github@diemattels.at>
* relocate sample policies to the deployments folder
change and document policies service port
* update index.md and small fix
* add health command
add version command
add debug server
---------
Co-authored-by: Martin <github@diemattels.at>
* Remove unused code from oidc module
* Use already existing Metadata type for jwks discovery
ocis-pkg/oidc already provides a type for the oidc metadata. Switch to
that instead of defining yet another custom type.
* oidc: Add helper to get IDP metadata
