opencloud/services/graph/pkg/config/parser/parse.go

package parser

import (
	"errors"
	"fmt"

	"github.com/go-ldap/ldap/v3"

	occfg "github.com/opencloud-eu/opencloud/pkg/config"
	defaults2 "github.com/opencloud-eu/opencloud/pkg/config/defaults"
	"github.com/opencloud-eu/opencloud/pkg/config/envdecode"
	"github.com/opencloud-eu/opencloud/pkg/shared"
	"github.com/opencloud-eu/opencloud/services/graph/pkg/config"
	"github.com/opencloud-eu/opencloud/services/graph/pkg/config/defaults"
	"github.com/opencloud-eu/opencloud/services/graph/pkg/unifiedrole"
)

// ParseConfig loads configuration from known paths.
func ParseConfig(cfg *config.Config) error {
	err := occfg.BindSourcesToStructs(cfg.Service.Name, cfg)
	if err != nil {
		return err
	}

	defaults.EnsureDefaults(cfg)

	// load all env variables relevant to the config in the current context.
	if err := envdecode.Decode(cfg); err != nil {
		// no environment variable set for this config is an expected "error"
		if !errors.Is(err, envdecode.ErrNoTargetFieldsAreSet) {
			return err
		}
	}

	defaults.Sanitize(cfg)

	return Validate(cfg)
}

func Validate(cfg *config.Config) error {
	if cfg.TokenManager.JWTSecret == "" {
		return shared.MissingJWTTokenError(cfg.Service.Name)
	}

	// ensure that the "cs3" identity backend is used in multi-tenant setups
	if cfg.Commons.MultiTenantEnabled && cfg.Identity.Backend != "cs3" {
		return fmt.Errorf("Multi-tenant support is enabled. The identity backend must be set to 'cs3' for the 'graph' service.")
	}
	if cfg.Identity.Backend == "ldap" {
		if err := validateLDAPSettings(cfg); err != nil {
			return err
		}
	}

	if cfg.Application.ID == "" {
		return fmt.Errorf("The application ID has not been configured for %s. "+
			"Make sure your %s config contains the proper values "+
			"(e.g. by running opencloud init or setting it manually in "+
			"the config/corresponding environment variable).",
			"graph", defaults2.BaseConfigPath())
	}

	switch cfg.API.UsernameMatch {
	case "default", "none":
	default:
		return fmt.Errorf("The username match validator is invalid for %s. "+
			"Make sure your %s config contains the proper values "+
			"(e.g. by running opencloud init or setting it manually in "+
			"the config/corresponding environment variable).",
			"graph", defaults2.BaseConfigPath())
	}

	if cfg.ServiceAccount.ServiceAccountID == "" {
		return shared.MissingServiceAccountID(cfg.Service.Name)
	}
	if cfg.ServiceAccount.ServiceAccountSecret == "" {
		return shared.MissingServiceAccountSecret(cfg.Service.Name)
	}

	// validate unified roles
	{
		var err error

		for _, uid := range cfg.UnifiedRoles.AvailableRoles {
			// check if the role is known
			if len(unifiedrole.GetRoles(unifiedrole.RoleFilterIDs(uid))) == 0 {
				// collect all possible errors to return them all at once
				err = errors.Join(err, fmt.Errorf("%w: %s", unifiedrole.ErrUnknownRole, uid))
			}
		}

		if err != nil {
			return err
		}
	}

	return nil
}

func validateLDAPSettings(cfg *config.Config) error {
	if cfg.Identity.LDAP.BindPassword == "" {
		return shared.MissingLDAPBindPassword(cfg.Service.Name)
	}

	// ensure that "GroupBaseDN" is below "GroupBaseDN"
	if cfg.Identity.LDAP.WriteEnabled && cfg.Identity.LDAP.GroupCreateBaseDN != cfg.Identity.LDAP.GroupBaseDN {
		baseDN, err := ldap.ParseDN(cfg.Identity.LDAP.GroupBaseDN)
		if err != nil {
			return fmt.Errorf("Unable to parse the LDAP Group Base DN '%s': %w ", cfg.Identity.LDAP.GroupBaseDN, err)
		}
		createBaseDN, err := ldap.ParseDN(cfg.Identity.LDAP.GroupCreateBaseDN)
		if err != nil {
			return fmt.Errorf("Unable to parse the LDAP Group Create Base DN '%s': %w ", cfg.Identity.LDAP.GroupCreateBaseDN, err)
		}

		if !baseDN.AncestorOfFold(createBaseDN) {
			return fmt.Errorf("The LDAP Group Create Base DN (%s) must be subordinate to the LDAP Group Base DN (%s)", cfg.Identity.LDAP.GroupCreateBaseDN, cfg.Identity.LDAP.GroupBaseDN)
		}
	}
	return nil
}