In Active Directories UUID attributes such as "objectGUID" use a binary
syntax (oposed to the standard UUID syntax defined in RFC4530). This
introduces a flag to enable support for binary UUIDs as the id for users
and groups (similar to what the "users" and "groups" services already
support)
Fixes: #5815
* Streamline the store implementation with and into reva
* Adapt to the cache/store refactoring in reva
* Streamline config options and their env vars
* Apply suggestions from code review
Co-authored-by: Martin <github@diemattels.at>
* Use the same database for all stores
* Bump reva
* Configure stat and filemetadata cache separately
* Fix default config
---------
Co-authored-by: Martin <github@diemattels.at>
By setting GRAPH_LDAP_GROUP_CREATE_BASE_DN a distinct subtree can be
configured where new LDAP groups are created. That subtree needs to be
subordinate to GRAPH_LDAP_GROUP_BASE_DN. All groups outside for
GRAPH_LDAP_GROUP_CREATE_BASE_DN are considered read-only and only groups
below that DN can be updated and deleted.
This is introduced for a pretty specific usecase where most groups are managed
in an external source (e.g. a read-only replica of an LDAP tree). But we still
want to allow the local administrator to create groups in a writeable subtree
attached to that replica.
* refactor middleware options
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use ocmemstore micro store implementaiton for token cache
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* refactor ocis store options, support redis sentinel
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* align cache configuration
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* database and tabe are used to build prefixes for inmemory stores
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add global persistent store options to userlog config
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* log cache errors but continue
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* drup unnecessary type conversion
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* Better description for the default userinfo ttl
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use global cache options for even more caches
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* don't log userinfo cache misses
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* default to stock memory store
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use correct mem store typo string
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* split cache options, doc cleanup
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* mint and write userinfo to cache async
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use hashed token as key
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* go mod tidy
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update docs
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update cache store naming
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* bring back depreceted ocis-pkg/store package for backwards compatability
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update changelog
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* Apply suggestions from code review
Co-authored-by: kobergj <jkoberg@owncloud.com>
* revert ocis-pkg/cache to store rename
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add waiting for each step 50 milliseconds
* starlack check
---------
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: kobergj <jkoberg@owncloud.com>
Co-authored-by: Viktor Scharf <scharf.vi@gmail.com>
Introduces a switch ('GRAPH_ASSIGN_DEFAULT_USER_ROLE') to allow to disable the assignment of the default role "User" to newly created users.
This will be used for setups where the role-assignments are populated either manually or during first login (e.g. from OIDC claims)
Fixes 5603
- Calling POST /graph/v1.0/users with userType not set will create a user as "Member"
- Calling POST /graph/v1.0/users with userType set as "Member" or "Guest" will create a user as "Member" or "Guest"
- Calling POST /graph/v1.0/users with userType set as anything but "Member" or "Guest" returns error
- Calling POST /graph/v1.0/education/users with userType not set will create a user as "Member"
- Calling POST /graph/v1.0/education/users with userType set as "Member" will create a user as "Member" and primary role as parameter specifies
- Calling POST /graph/v1.0/education/users with userType set as "Guest" will create a user as "Guest" and primary role as parameter specifies
- Calling POST /graph/v1.0/education/users with userType not set as anything but "Member" or "Guest" returns error
- Calling PATCH on /users or /education/users will update attribute in the same way as for POST
* A new config option for disabling users with the options "none", "attribute" and "group".
* When set to "none", there will be no enabledAttribute returned in user info and trying to change enabledAttribute will return an error
* Disable/enable group name DN as config parameter
* Adding/removing users to specified group on user update
* Changing log level for service initialization failure to error
* Adding helper methods to check if user is enabled/disabled + tests
Fixes#5554
When refint is enabled on an LDAP server, it will rename all references
to an entity if its DN is modified. If this happens, the member
renames will not be needed, and will also return an error.
This PR does the following:
* Detects the attribute error, and don't return an error.
* Log that the server has been misconfigured.
* Add config value that skips renaming if set.
* bump libregraph-go lib
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add appRoleAssignment stubs
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add get application stub
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fetch appRoles for application from settings service
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* initial list appRoleAssignments implementation
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* initial create appRoleAssignment implementation, extract assignmentToAppRoleAssignment, configurable app id and displayname
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* initial delete appRoleAssignment implementation, changed error handling and logging
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* initial expand appRoleAssignment on users
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* test user expand appRoleAssignment
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* test appRoleAssignment
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix education test by actually using the mocked roleManager
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* test getapplication
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* list assignments
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use common not exists error handling
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* default to just 'ownCloud Infinite Scale' as application name
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix store_test
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* roll application uuid on init
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix tests
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* extract method
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* Apply suggestions from code review
Co-authored-by: Michael Barz <mbarz@owncloud.com>
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: Michael Barz <mbarz@owncloud.com>
This PR changes the following:
* Create an API config section for API configurables.
* Add a setting `UserPatchLimit` that controls how many users can be changed in a PATCH request.
* Use this setting in the API to limit the amount of users that can be changed.
* standalone graph service with LDAP
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* no panic on PATCH and DELETE
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix apitoken yaml key
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update user, fix response codes
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix group creation return code
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* remove unknown user property
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix create return code checks in graph feature context
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* updating uses 200 OK when returning a body
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* revert user statusCreated change for now
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* revert return code changes
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
TLS for the services can be configure by setting the "OCIS_HTTP_TLS_ENABLED",
"OCIS_HTTP_TLS_CERTIFICATE" and "OCIS_HTTP_TLS_KEY" environment variables.
Currently the ocis proxy is this only service that directly accesses backend
services. It determines whether to use TLS or not by looking a the new registry
metadata "use_tls". As specific CA Cert for certificate verification
can be set with the "PROXY_HTTPS_CACERT" environment variable.
* Introduce TLS Settings for go-micro based grpc services and clients
TLS for the services can be configure by setting the OCIS_MICRO_GRPC_TLS_ENABLED"
"OCIS_MICRO_GRPC_TLS_CERTIFICATE" and "OCIS_MICRO_GRPC_TLS_KEY"
enviroment variables.
TLS for the clients can configured by setting the "OCIS_MICRO_GRPC_CLIENT_TLS_MODE"
and "OCIS_MICRO_GRPC_CLIENT_TLS_CACERT" variables.
By default TLS is disabled.
Co-authored-by: Martin <github@diemattels.at>
* Unify TLS configuration for all grpc services
All grpc service (whether they're based on reva) or go-micro use the
same set of config vars now.
TLS for the services can be configure by setting the OCIS_GRPC_TLS_ENABLED,
OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY enviroment variables.
TLS for the clients can configured by setting the OCIS_GRPC_CLIENT_TLS_MODE
and OCIS_MICRO_GRPC_CLIENT_TLS_CACERT variables.
There are no individual per service config vars currently. If really
needed, per service tls configurations can be specified via config file.
Co-authored-by: Martin <github@diemattels.at>
Co-authored-by: Martin <github@diemattels.at>
Consolidate all services to use the Reva config struct for the shared package.
This works because all services (except 'notifications', 'thumbnails' and
'webdav') where using the same config keys and environment variables for
setting the reva gateway.
* use tls for nats connections
* add config options for nats client tls config
* add nats tls config to CI
* add function to create a certpool
* add option to provide a rootCA to validate the server's TLS certificate
* add option to provide a rootCA to validate the server's TLS certificate
* add option to provide a rootCA to validate the server's TLS certificate
* add option to provide a rootCA to validate the server's TLS certificate
* configure nats clients in reva to use tls
* bring back CORS env vars
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update CORS descriptions
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* align writing of 'A comma-separated ...'
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix some desc quotes
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* Apply suggestions from code review
Co-authored-by: Martin <github@diemattels.at>
* Apply more suggestions from code review
Co-authored-by: Martin <github@diemattels.at>
* Apply final suggestions from code review
Co-authored-by: Martin <github@diemattels.at>
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: Martin <github@diemattels.at>
* Use go-micro store to cache the roles
Add custom in-memory implementation
* replace redis with custom etcd implementation
* adjust table name for the cache in the roles manager
* Fix tests
* Fix sonarcloud issues
* Refactor for sonarcloud
* Allow configuration of cache per service
* Reuse parent context in etcd implementation
