mirror of
https://github.com/opencloud-eu/opencloud.git
synced 2026-05-01 08:20:02 -05:00
Florian Schade
6840de574a
To enhance the security of our application and prevent Cross-Site Request Forgery (CSRF) attacks, we have updated the SameSite attribute of the build in Identity Provider (IDP) cookies to Strict.
137 lines
4.6 KiB
Go
137 lines
4.6 KiB
Go
/*
|
|
* Copyright 2021 Kopano and its licensors
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*
|
|
*/
|
|
|
|
package bootstrap
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
|
|
"github.com/libregraph/lico/bootstrap"
|
|
"github.com/libregraph/lico/identifier"
|
|
"github.com/libregraph/lico/identity"
|
|
"github.com/libregraph/lico/identity/managers"
|
|
|
|
cs3 "github.com/owncloud/ocis/v2/services/idp/pkg/backends/cs3/identifier"
|
|
)
|
|
|
|
// Identity managers.
|
|
const (
|
|
identityManagerName = "cs3"
|
|
)
|
|
|
|
// Register adds the CS3 identity manager to the lico bootstrap
|
|
func Register() error {
|
|
return bootstrap.RegisterIdentityManager(identityManagerName, NewIdentityManager)
|
|
}
|
|
|
|
// MustRegister adds the CS3 identity manager to the lico bootstrap or panics
|
|
func MustRegister() {
|
|
if err := Register(); err != nil {
|
|
panic(err)
|
|
}
|
|
}
|
|
|
|
// NewIdentityManager produces a CS3 backed identity manager instance for the idp
|
|
func NewIdentityManager(bs bootstrap.Bootstrap) (identity.Manager, error) {
|
|
config := bs.Config()
|
|
|
|
logger := config.Config.Logger
|
|
|
|
if config.AuthorizationEndpointURI.String() != "" {
|
|
return nil, fmt.Errorf("cs3 backend is incompatible with authorization-endpoint-uri parameter")
|
|
}
|
|
config.AuthorizationEndpointURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/identifier/_/authorize")
|
|
|
|
if config.EndSessionEndpointURI.String() != "" {
|
|
return nil, fmt.Errorf("cs3 backend is incompatible with endsession-endpoint-uri parameter")
|
|
}
|
|
config.EndSessionEndpointURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/identifier/_/endsession")
|
|
|
|
if config.SignInFormURI.EscapedPath() == "" {
|
|
config.SignInFormURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/identifier")
|
|
}
|
|
|
|
if config.SignedOutURI.EscapedPath() == "" {
|
|
config.SignedOutURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/goodbye")
|
|
}
|
|
|
|
identifierBackend, identifierErr := cs3.NewCS3Backend(
|
|
config.Config,
|
|
config.TLSClientConfig,
|
|
// FIXME add a map[string]interface{} property to the lico config.Config so backends can pass custom config parameters through the bootstrap process
|
|
os.Getenv("CS3_GATEWAY"),
|
|
os.Getenv("CS3_MACHINE_AUTH_API_KEY"),
|
|
config.Settings.Insecure,
|
|
)
|
|
if identifierErr != nil {
|
|
return nil, fmt.Errorf("failed to create identifier backend: %v", identifierErr)
|
|
}
|
|
|
|
fullAuthorizationEndpointURL := bootstrap.WithSchemeAndHost(config.AuthorizationEndpointURI, config.IssuerIdentifierURI)
|
|
fullSignInFormURL := bootstrap.WithSchemeAndHost(config.SignInFormURI, config.IssuerIdentifierURI)
|
|
fullSignedOutEndpointURL := bootstrap.WithSchemeAndHost(config.SignedOutURI, config.IssuerIdentifierURI)
|
|
|
|
activeIdentifier, err := identifier.NewIdentifier(&identifier.Config{
|
|
Config: config.Config,
|
|
|
|
BaseURI: config.IssuerIdentifierURI,
|
|
PathPrefix: bs.MakeURIPath(bootstrap.APITypeSignin, ""),
|
|
StaticFolder: config.IdentifierClientPath,
|
|
ScopesConf: config.IdentifierScopesConf,
|
|
WebAppDisabled: config.IdentifierClientDisabled,
|
|
|
|
LogonCookieName: "__Secure-KKT", // Kopano-Konnect-Token
|
|
LogonCookieSameSite: config.CookieSameSite,
|
|
|
|
ConsentCookieSameSite: config.CookieSameSite,
|
|
|
|
StateCookieSameSite: config.CookieSameSite,
|
|
|
|
AuthorizationEndpointURI: fullAuthorizationEndpointURL,
|
|
SignedOutEndpointURI: fullSignedOutEndpointURL,
|
|
|
|
DefaultBannerLogo: config.IdentifierDefaultBannerLogo,
|
|
DefaultSignInPageText: config.IdentifierDefaultSignInPageText,
|
|
DefaultUsernameHintText: config.IdentifierDefaultUsernameHintText,
|
|
UILocales: config.IdentifierUILocales,
|
|
|
|
Backend: identifierBackend,
|
|
})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create identifier: %v", err)
|
|
}
|
|
err = activeIdentifier.SetKey(config.EncryptionSecret)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("invalid --encryption-secret parameter value for identifier: %v", err)
|
|
}
|
|
|
|
identityManagerConfig := &identity.Config{
|
|
SignInFormURI: fullSignInFormURL,
|
|
SignedOutURI: fullSignedOutEndpointURL,
|
|
|
|
Logger: logger,
|
|
|
|
ScopesSupported: config.Config.AllowedScopes,
|
|
}
|
|
|
|
identifierIdentityManager := managers.NewIdentifierIdentityManager(identityManagerConfig, activeIdentifier)
|
|
logger.Infoln("using identifier backed identity manager")
|
|
|
|
return identifierIdentityManager, nil
|
|
}
|