mirror of
https://github.com/opencloud-eu/opencloud.git
synced 2026-01-04 03:09:33 -06:00
120887abcc
By setting GRAPH_LDAP_GROUP_CREATE_BASE_DN a distinct subtree can be configured where new LDAP groups are created. That subtree needs to be subordinate to GRAPH_LDAP_GROUP_BASE_DN. All groups outside for GRAPH_LDAP_GROUP_CREATE_BASE_DN are considered read-only and only groups below that DN can be updated and deleted. This is introduced for a pretty specific usecase where most groups are managed in an external source (e.g. a read-only replica of an LDAP tree). But we still want to allow the local administrator to create groups in a writeable subtree attached to that replica.
93 lines
2.8 KiB
Go
93 lines
2.8 KiB
Go
package parser
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
|
|
"github.com/go-ldap/ldap/v3"
|
|
ociscfg "github.com/owncloud/ocis/v2/ocis-pkg/config"
|
|
defaults2 "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults"
|
|
"github.com/owncloud/ocis/v2/ocis-pkg/shared"
|
|
"github.com/owncloud/ocis/v2/services/graph/pkg/config"
|
|
"github.com/owncloud/ocis/v2/services/graph/pkg/config/defaults"
|
|
|
|
"github.com/owncloud/ocis/v2/ocis-pkg/config/envdecode"
|
|
)
|
|
|
|
// ParseConfig loads configuration from known paths.
|
|
func ParseConfig(cfg *config.Config) error {
|
|
_, err := ociscfg.BindSourcesToStructs(cfg.Service.Name, cfg)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
defaults.EnsureDefaults(cfg)
|
|
|
|
// load all env variables relevant to the config in the current context.
|
|
if err := envdecode.Decode(cfg); err != nil {
|
|
// no environment variable set for this config is an expected "error"
|
|
if !errors.Is(err, envdecode.ErrNoTargetFieldsAreSet) {
|
|
return err
|
|
}
|
|
}
|
|
|
|
defaults.Sanitize(cfg)
|
|
|
|
return Validate(cfg)
|
|
}
|
|
|
|
func Validate(cfg *config.Config) error {
|
|
if cfg.TokenManager.JWTSecret == "" {
|
|
return shared.MissingJWTTokenError(cfg.Service.Name)
|
|
}
|
|
|
|
if cfg.Identity.Backend == "ldap" {
|
|
if err := validateLDAPSettings(cfg); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
if cfg.Application.ID == "" {
|
|
return fmt.Errorf("The application ID has not been configured for %s. "+
|
|
"Make sure your %s config contains the proper values "+
|
|
"(e.g. by running ocis init or setting it manually in "+
|
|
"the config/corresponding environment variable).",
|
|
"graph", defaults2.BaseConfigPath())
|
|
}
|
|
|
|
switch cfg.API.UsernameMatch {
|
|
case "default", "none":
|
|
default:
|
|
return fmt.Errorf("The username match validator is invalid for %s. "+
|
|
"Make sure your %s config contains the proper values "+
|
|
"(e.g. by running ocis init or setting it manually in "+
|
|
"the config/corresponding environment variable).",
|
|
"graph", defaults2.BaseConfigPath())
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func validateLDAPSettings(cfg *config.Config) error {
|
|
if cfg.Identity.LDAP.BindPassword == "" {
|
|
return shared.MissingLDAPBindPassword(cfg.Service.Name)
|
|
}
|
|
|
|
// ensure that "GroupBaseDN" is below "GroupBaseDN"
|
|
if cfg.Identity.LDAP.WriteEnabled && cfg.Identity.LDAP.GroupCreateBaseDN != cfg.Identity.LDAP.GroupBaseDN {
|
|
baseDN, err := ldap.ParseDN(cfg.Identity.LDAP.GroupBaseDN)
|
|
if err != nil {
|
|
return fmt.Errorf("Unable to parse the LDAP Group Base DN '%s': %w ", cfg.Identity.LDAP.GroupBaseDN, err)
|
|
}
|
|
createBaseDN, err := ldap.ParseDN(cfg.Identity.LDAP.GroupCreateBaseDN)
|
|
if err != nil {
|
|
return fmt.Errorf("Unable to parse the LDAP Group Create Base DN '%s': %w ", cfg.Identity.LDAP.GroupCreateBaseDN, err)
|
|
}
|
|
|
|
if !baseDN.AncestorOfFold(createBaseDN) {
|
|
return fmt.Errorf("The LDAP Group Create Base DN (%s) must be subordinate to the LDAP Group Base DN (%s)", cfg.Identity.LDAP.GroupCreateBaseDN, cfg.Identity.LDAP.GroupBaseDN)
|
|
}
|
|
}
|
|
return nil
|
|
}
|