I added an unprotected flag to the proxy routes which is evaluated by the authentication middleware. This way we won't have to maintain a hardcoded list of unprotected paths and path prefixes and we will hopefully reduce the times we encounter the basic auth prompt by web browsers.
package defaults
import (
"path"
"strings"
"github.com/owncloud/ocis/v2/ocis-pkg/config/defaults"
"github.com/owncloud/ocis/v2/services/proxy/pkg/config"
)
// FullDefaultConfig returns a ready-to-use proxy configuration: the baseline
// values from DefaultConfig, with the shared defaults filled in by
// EnsureDefaults and the default routing policy / policy selector installed
// by Sanitize.
//
// The two post-processing steps write to disjoint fields (EnsureDefaults:
// Log, Tracing, TokenManager, MachineAuthAPIKey, Reva; Sanitize: Policies,
// PolicySelector, HTTP.Root); they are kept in the original order regardless.
func FullDefaultConfig() *config.Config {
	cfg := DefaultConfig()
	for _, apply := range []func(*config.Config){EnsureDefaults, Sanitize} {
		apply(cfg)
	}
	return cfg
}
// DefaultConfig returns the proxy service's baseline configuration.
//
// The result is deliberately incomplete: shared settings (Log, Tracing,
// TokenManager, Reva from Commons) are added by EnsureDefaults, and
// Policies / PolicySelector by Sanitize. Use FullDefaultConfig for a
// configuration that is ready to run.
//
// Security-relevant defaults a deployer should be aware of:
//   - HTTP listens on all interfaces ("0.0.0.0:9200") with TLS enabled, using
//     the cert/key under <base data path>/proxy/.
//   - The debug endpoint binds to loopback only and has an empty Token, so it
//     is guarded by the bind address alone.
//   - OIDC.Insecure is true. The issuer defaults to the proxy's own HTTPS
//     address, which serves the self-signed certificate above; this flag
//     presumably relaxes certificate verification towards the issuer
//     (confirm in the OIDC client setup) and must be overridden for any
//     non-development deployment.
//   - Basic auth, account autoprovisioning and insecure backends are all off.
//   - Pre-signed URLs are enabled, restricted to GET.
func DefaultConfig() *config.Config {
	debug := config.Debug{
		Addr:  "127.0.0.1:9205",
		Token: "",
	}

	httpCfg := config.HTTP{
		Addr:      "0.0.0.0:9200",
		Root:      "/",
		Namespace: "com.owncloud.web",
		TLSCert:   path.Join(defaults.BaseDataPath(), "proxy", "server.crt"),
		TLSKey:    path.Join(defaults.BaseDataPath(), "proxy", "server.key"),
		TLS:       true,
	}

	oidc := config.OIDC{
		Issuer: "https://localhost:9200",
		// Development default: the issuer above is the proxy itself with a
		// self-signed certificate. Override in production.
		Insecure:                true,
		AccessTokenVerifyMethod: config.AccessTokenVerificationJWT,
		UserinfoCache: config.UserinfoCache{
			Size: 1024,
			TTL:  10,
		},
		JWKS: config.JWKS{
			RefreshInterval:   60, // minutes
			RefreshRateLimit:  60, // seconds
			RefreshTimeout:    10, // seconds
			RefreshUnknownKID: true,
		},
	}

	presigned := config.PreSignedURL{
		AllowedHTTPMethods: []string{"GET"},
		Enabled:            true,
	}

	return &config.Config{
		Debug:                 debug,
		HTTP:                  httpCfg,
		Service:               config.Service{Name: "proxy"},
		OIDC:                  oidc,
		PolicySelector:        nil, // installed by Sanitize when left nil
		Reva:                  &config.Reva{Address: "127.0.0.1:9142"},
		PreSignedURL:          presigned,
		AccountBackend:        "cs3",
		UserOIDCClaim:         "preferred_username",
		UserCS3Claim:          "username",
		AutoprovisionAccounts: false,
		EnableBasicAuth:       false,
		InsecureBackends:      false,
	}
}
// DefaultPolicies returns the single built-in routing policy, "ocis", that
// Sanitize installs when no policies are configured. Every route maps an
// endpoint to either a fixed backend URL on localhost or a registered
// service name.
//
// Routes marked Unprotected are intended to be passed to their backend
// without the proxy's authentication middleware, so that backend must not
// rely on the proxy for access control. Keep the list of unprotected routes
// as short as possible and review each one.
//
// Route order is preserved from the original definition: the regex, query
// and method-specific routes are listed before the plain prefix routes they
// overlap with (e.g. the signing-key regex before "/ocs/", the REPORT routes
// before "/remote.php/"). Whether order is significant depends on the
// router's matching strategy — TODO confirm before reordering.
func DefaultPolicies() []config.Policy {
	const (
		backend9100 = "http://localhost:9100"
		backend9110 = "http://localhost:9110"
		backend9115 = "http://localhost:9115"
		backend9120 = "http://localhost:9120"
		backend9130 = "http://localhost:9130"
		backend9135 = "http://localhost:9135"
		backend9140 = "http://localhost:9140"
		backend9190 = "http://localhost:9190"

		ocdavService = "com.owncloud.web.ocdav"
	)

	routes := []config.Route{
		// Catch-all to the web frontend, served without proxy authentication.
		{
			Endpoint:    "/",
			Backend:     backend9100,
			Unprotected: true,
		},

		// Discovery and login flows: these have to be reachable before the
		// client holds any token, hence Unprotected.
		{
			Endpoint:    "/.well-known/",
			Backend:     backend9130,
			Unprotected: true,
		},
		{
			Endpoint:    "/konnect/",
			Backend:     backend9130,
			Unprotected: true,
		},
		{
			Endpoint:    "/signin/",
			Backend:     backend9130,
			Unprotected: true,
		},

		{
			Endpoint: "/archiver",
			Backend:  backend9140,
		},

		// Only `user/signing-key` is still served by ocis-ocs; everything
		// else under /ocs/ goes to the route below.
		{
			Type:     config.RegexRoute,
			Endpoint: "/ocs/v[12].php/cloud/user/signing-key",
			Backend:  backend9110,
		},
		{
			Endpoint: "/ocs/",
			Backend:  backend9140,
		},

		{
			Type:     config.QueryRoute,
			Endpoint: "/remote.php/?preview=1",
			Backend:  backend9115,
		},

		// WebDAV REPORT requests are sent to the search service.
		// Open questions carried over from the original definition:
		//  - the actual REPORT goes to /dav/files/{username}, which is user
		//    specific; how does that work in a spaces world?
		//  - what paths are returned? the href carries the full path, so it
		//    should be possible to return URLs from other spaces.
		//  - alternatively allow REPORT on /dav/spaces to search all spaces
		//    and /dav/space/{spaceid} for a single space.
		{
			Method:   "REPORT",
			Endpoint: "/remote.php/dav/",
			Backend:  backend9115, // TODO use registry?
		},
		{
			Method:   "REPORT",
			Endpoint: "/remote.php/webdav",
			Backend:  backend9115, // TODO use registry?
		},

		{
			Type:     config.QueryRoute,
			Endpoint: "/dav/?preview=1",
			Backend:  backend9115,
		},
		{
			Type:     config.QueryRoute,
			Endpoint: "/webdav/?preview=1",
			Backend:  backend9115,
		},

		// Everything else WebDAV-ish is resolved via the registered ocdav service.
		{
			Endpoint: "/remote.php/",
			Service:  ocdavService,
		},
		{
			Endpoint: "/dav/",
			Service:  ocdavService,
		},
		{
			Endpoint: "/webdav/",
			Service:  ocdavService,
		},
		{
			Endpoint: "/status",
			Service:  ocdavService,
		},
		{
			Endpoint: "/status.php",
			Service:  ocdavService,
		},
		{
			Endpoint: "/index.php/",
			Service:  ocdavService,
		},
		{
			Endpoint: "/apps/",
			Service:  ocdavService,
		},

		{
			Endpoint: "/data",
			Backend:  backend9140,
		},
		{
			// /app or /apps? ocdav only handles /apps.
			Endpoint: "/app/",
			Backend:  backend9140,
			// TODO(security): requests under /app/ reach the backend without
			// the proxy's authentication middleware. Confirm the backend
			// authenticates every /app/ sub-path itself before keeping this.
			Unprotected: true,
		},

		{
			Endpoint: "/graph/",
			Backend:  backend9120,
		},
		{
			Endpoint:    "/graph-explorer",
			Backend:     backend9135,
			Unprotected: true,
		},

		{
			Endpoint: "/api/v0/settings",
			Backend:  backend9190,
		},
		{
			Endpoint:    "/settings.js",
			Backend:     backend9190,
			Unprotected: true,
		},
	}

	return []config.Policy{
		{
			Name:   "ocis",
			Routes: routes,
		},
	}
}
// EnsureDefaults fills in the settings the proxy shares with other services
// (Log, Tracing, TokenManager, MachineAuthAPIKey, Reva) from cfg.Commons when
// they are not set on cfg itself. Values already present on cfg are never
// overwritten. Where neither cfg nor Commons provides a value, an empty
// struct is installed so that "envdecode" has a non-nil destination.
//
// Security note: the JWT secret and the machine auth API key are copied
// verbatim and not validated here; an empty secret passes through unchanged.
// Any "must not be empty" check has to live elsewhere (not visible in this
// file).
func EnsureDefaults(cfg *config.Config) {
	shared := cfg.Commons

	switch {
	case cfg.Log != nil:
		// explicitly configured; keep as is
	case shared != nil && shared.Log != nil:
		cfg.Log = &config.Log{
			Level:  shared.Log.Level,
			Pretty: shared.Log.Pretty,
			Color:  shared.Log.Color,
			File:   shared.Log.File,
		}
	default:
		cfg.Log = &config.Log{}
	}

	switch {
	case cfg.Tracing != nil:
		// explicitly configured; keep as is
	case shared != nil && shared.Tracing != nil:
		cfg.Tracing = &config.Tracing{
			Enabled:   shared.Tracing.Enabled,
			Type:      shared.Tracing.Type,
			Endpoint:  shared.Tracing.Endpoint,
			Collector: shared.Tracing.Collector,
		}
	default:
		cfg.Tracing = &config.Tracing{}
	}

	switch {
	case cfg.TokenManager != nil:
		// explicitly configured; keep as is
	case shared != nil && shared.TokenManager != nil:
		cfg.TokenManager = &config.TokenManager{
			JWTSecret: shared.TokenManager.JWTSecret,
		}
	default:
		cfg.TokenManager = &config.TokenManager{}
	}

	// A non-empty shared key only fills an empty local one. Assigning an
	// empty shared key to an empty local key would be a no-op, so the
	// emptiness of the shared value need not be checked separately.
	if cfg.MachineAuthAPIKey == "" && shared != nil {
		cfg.MachineAuthAPIKey = shared.MachineAuthAPIKey
	}

	switch {
	case cfg.Reva != nil:
		// explicitly configured; keep as is
	case shared != nil && shared.Reva != nil:
		cfg.Reva = &config.Reva{
			Address: shared.Reva.Address,
		}
	default:
		cfg.Reva = &config.Reva{}
	}
}
// Sanitize completes the routing configuration and normalises the HTTP root:
//   - a nil Policies slice is replaced by DefaultPolicies() (an empty,
//     non-nil slice is left alone);
//   - a nil PolicySelector becomes a static selector for the "ocis" policy;
//   - HTTP.Root loses one trailing slash unless it is exactly "/".
//
// This function does not validate the policies it installs or receives
// (for example which routes are Unprotected); a misconfigured policy file
// passes through unchanged.
func Sanitize(cfg *config.Config) {
	if cfg.Policies == nil {
		cfg.Policies = DefaultPolicies()
	}

	if cfg.PolicySelector == nil {
		static := &config.StaticSelectorConf{Policy: "ocis"}
		cfg.PolicySelector = &config.PolicySelector{Static: static}
	}

	if root := cfg.HTTP.Root; root != "/" {
		cfg.HTTP.Root = strings.TrimSuffix(root, "/")
	}
}