Use the new PROXY_ROLE_ASSIGNMENT_DRIVER "oidc". This also means we can
now run with OCIS_ADMIN_USER_ID being empty. So that no admin user will
be created on startup and no default role assignment will happen.
By setting GRAPH_ASSIGN_DEFAULT_USER_ROLE to "false", we make sure to
not create the default "user" role assignment when auto provisioning a
user.
* add policies service
add policies proxy middleware
add policies event service
add policies grpc service
prepare ci and git environments (ci, make, readme, doc)
* add webfinger to the drone conf
* fix docs
remove not used virus scan postprocessing step
* relocate example rego file
implicitly enable and disable proxy and postprocessing policy checking by setting the query.
update configuration descriptions
* move policies
update readme
* use converter func to convert pp environment to actual environment
expose and test custom rego functions
add engine unit tests
add opa unit tests
update policies readme
Co-authored-by: Martin <github@diemattels.at>
* relocate sample policies to the deployments folder
change and document policies service port
* update index.md and small fix
* add health command
add version command
add debug server
---------
Co-authored-by: Martin <github@diemattels.at>
* ocis_keycloak: Add ocis roles as realm roles
This adds the roles ocisAdmin, ocisSpaceAdmin, ocisUser and ocisGuest as realm roles
to the the oCIS realm. It also assigns those roles to the demo users.
Additionally the missing demo user "Katherine Johnson" is added with the role of
"ocisSpaceAdmin".
* Expose realm_roles in "roles" claim of id tokens and userinfo
Switch away from the unmaintained osixia image to the more uptodate
bitnami image.
Also update the owncloud schema to include the latest changes
Fixes#5636
Fix for
`ERROR: The Compose file './docker-compose.yml' is invalid because:
services.ocis.environment.NOTIFICATIONS_SMTP_INSECURE contains true, which is an invalid type, it should be a string, number, or a null`
When refint is enabled on an LDAP server, it will rename all references
to an entity if its DN is modified. If this happens, the member
renames will not be needed, and will also return an error.
This PR does the following:
* Detects the attribute error, and don't return an error.
* Log that the server has been misconfigured.
* Add config value that skips renaming if set.
ownCloud Web recently transitioned to Vue3. The settings ui is still
written in Vue2. Since it's pretty much unused we won't take the efforts
of upgrading it to Vue3.
Allow to adjust the docker socket path used by traefik and the logging driver
so that this example can be more easily used with podman based setups.
With a running podman service ("podman system service --time 0"), this should
basically work:
export DOCKER_SOCKET_PATH="/run/user/1000/podman/podman.sock"
export LOG_DRIVER=journald
docker-compose -H unix:///run/user/1000/podman/podman.sock up
The setup was configured to use a mix of the 'groupOfNames' and
'groupOfUniqueNames' objectclasses/attributetypes for groups. This
aligns the configuration and sample data to use just'groupOfNames'.
Closes: #5085
The auth-bearer service is currently not needed by ocis. Reva tookens
for oidc authenticated clients are currently minted via the auth-machine
service. This commit does not completely remove the service as we shoud
consider to rework the proxy's oidc middleware to use the auth-bearer
service in the future (see #4701)
Fixes: #4692
