mirror of
https://github.com/owncloud/ocis
synced 2026-04-26 01:35:25 +02:00
eb94530433
Allow to switch jwt access token verification and off. Many (most?) IDP
provide JWT encoded access tokens. If ocis is configure to assume jwt
access tokens (access_token_verify_method==jwt) we now properly verify
the tokens signature and a set of standard claims ("exp", "iat" and nbf"
by way of the jwt module's standard verification and "iss" explicitliy).
This change also allows for introduction of other access token verification
mechanism in the future (e.g. through introspection (RFC7662).
245 lines
6.1 KiB
Go
245 lines
6.1 KiB
Go
package defaults
|
|
|
|
import (
|
|
"path"
|
|
"strings"
|
|
|
|
"github.com/owncloud/ocis/v2/ocis-pkg/config/defaults"
|
|
"github.com/owncloud/ocis/v2/services/proxy/pkg/config"
|
|
)
|
|
|
|
func FullDefaultConfig() *config.Config {
|
|
cfg := DefaultConfig()
|
|
EnsureDefaults(cfg)
|
|
Sanitize(cfg)
|
|
return cfg
|
|
}
|
|
|
|
func DefaultConfig() *config.Config {
|
|
return &config.Config{
|
|
Debug: config.Debug{
|
|
Addr: "127.0.0.1:9205",
|
|
Token: "",
|
|
},
|
|
HTTP: config.HTTP{
|
|
Addr: "0.0.0.0:9200",
|
|
Root: "/",
|
|
Namespace: "com.owncloud.web",
|
|
TLSCert: path.Join(defaults.BaseDataPath(), "proxy", "server.crt"),
|
|
TLSKey: path.Join(defaults.BaseDataPath(), "proxy", "server.key"),
|
|
TLS: true,
|
|
},
|
|
Service: config.Service{
|
|
Name: "proxy",
|
|
},
|
|
OIDC: config.OIDC{
|
|
Issuer: "https://localhost:9200",
|
|
Insecure: true,
|
|
//Insecure: true,
|
|
AccessTokenVerifyMethod: config.AccessTokenVerificationJWT,
|
|
UserinfoCache: config.UserinfoCache{
|
|
Size: 1024,
|
|
TTL: 10,
|
|
},
|
|
},
|
|
PolicySelector: nil,
|
|
Reva: &config.Reva{
|
|
Address: "127.0.0.1:9142",
|
|
},
|
|
PreSignedURL: config.PreSignedURL{
|
|
AllowedHTTPMethods: []string{"GET"},
|
|
Enabled: true,
|
|
},
|
|
AccountBackend: "cs3",
|
|
UserOIDCClaim: "preferred_username",
|
|
UserCS3Claim: "username",
|
|
AutoprovisionAccounts: false,
|
|
EnableBasicAuth: false,
|
|
InsecureBackends: false,
|
|
}
|
|
}
|
|
|
|
func DefaultPolicies() []config.Policy {
|
|
return []config.Policy{
|
|
{
|
|
Name: "ocis",
|
|
Routes: []config.Route{
|
|
{
|
|
Endpoint: "/",
|
|
Backend: "http://localhost:9100",
|
|
},
|
|
{
|
|
Endpoint: "/.well-known/",
|
|
Backend: "http://localhost:9130",
|
|
},
|
|
{
|
|
Endpoint: "/konnect/",
|
|
Backend: "http://localhost:9130",
|
|
},
|
|
{
|
|
Endpoint: "/signin/",
|
|
Backend: "http://localhost:9130",
|
|
},
|
|
{
|
|
Endpoint: "/archiver",
|
|
Backend: "http://localhost:9140",
|
|
},
|
|
{
|
|
Type: config.RegexRoute,
|
|
Endpoint: "/ocs/v[12].php/cloud/user/signing-key", // only `user/signing-key` is left in ocis-ocs
|
|
Backend: "http://localhost:9110",
|
|
},
|
|
{
|
|
Endpoint: "/ocs/",
|
|
Backend: "http://localhost:9140",
|
|
},
|
|
{
|
|
Type: config.QueryRoute,
|
|
Endpoint: "/remote.php/?preview=1",
|
|
Backend: "http://localhost:9115",
|
|
},
|
|
// TODO the actual REPORT goes to /dav/files/{username}, which is user specific ... how would this work in a spaces world?
|
|
// TODO what paths are returned? the href contains the full path so it should be possible to return urls from other spaces?
|
|
// TODO or we allow a REPORT on /dav/spaces to search all spaces and /dav/space/{spaceid} to search a specific space
|
|
// send webdav REPORT requests to search service
|
|
{
|
|
Method: "REPORT",
|
|
Endpoint: "/remote.php/dav/",
|
|
Backend: "http://localhost:9115", // TODO use registry?
|
|
},
|
|
{
|
|
Method: "REPORT",
|
|
Endpoint: "/remote.php/webdav",
|
|
Backend: "http://localhost:9115", // TODO use registry?
|
|
},
|
|
{
|
|
Type: config.QueryRoute,
|
|
Endpoint: "/dav/?preview=1",
|
|
Backend: "http://localhost:9115",
|
|
},
|
|
{
|
|
Type: config.QueryRoute,
|
|
Endpoint: "/webdav/?preview=1",
|
|
Backend: "http://localhost:9115",
|
|
},
|
|
{
|
|
Endpoint: "/remote.php/",
|
|
Service: "com.owncloud.web.ocdav",
|
|
},
|
|
{
|
|
Endpoint: "/dav/",
|
|
Service: "com.owncloud.web.ocdav",
|
|
},
|
|
{
|
|
Endpoint: "/webdav/",
|
|
Service: "com.owncloud.web.ocdav",
|
|
},
|
|
{
|
|
Endpoint: "/status",
|
|
Service: "com.owncloud.web.ocdav",
|
|
},
|
|
{
|
|
Endpoint: "/status.php",
|
|
Service: "com.owncloud.web.ocdav",
|
|
},
|
|
{
|
|
Endpoint: "/index.php/",
|
|
Service: "com.owncloud.web.ocdav",
|
|
},
|
|
{
|
|
Endpoint: "/apps/",
|
|
Service: "com.owncloud.web.ocdav",
|
|
},
|
|
{
|
|
Endpoint: "/data",
|
|
Backend: "http://localhost:9140",
|
|
},
|
|
{
|
|
Endpoint: "/app/", // /app or /apps? ocdav only handles /apps
|
|
Backend: "http://localhost:9140",
|
|
},
|
|
{
|
|
Endpoint: "/graph/",
|
|
Backend: "http://localhost:9120",
|
|
},
|
|
{
|
|
Endpoint: "/graph-explorer",
|
|
Backend: "http://localhost:9135",
|
|
},
|
|
{
|
|
Endpoint: "/api/v0/settings",
|
|
Backend: "http://localhost:9190",
|
|
},
|
|
{
|
|
Endpoint: "/settings.js",
|
|
Backend: "http://localhost:9190",
|
|
},
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func EnsureDefaults(cfg *config.Config) {
|
|
// provide with defaults for shared logging, since we need a valid destination address for "envdecode".
|
|
if cfg.Log == nil && cfg.Commons != nil && cfg.Commons.Log != nil {
|
|
cfg.Log = &config.Log{
|
|
Level: cfg.Commons.Log.Level,
|
|
Pretty: cfg.Commons.Log.Pretty,
|
|
Color: cfg.Commons.Log.Color,
|
|
File: cfg.Commons.Log.File,
|
|
}
|
|
} else if cfg.Log == nil {
|
|
cfg.Log = &config.Log{}
|
|
}
|
|
// provide with defaults for shared tracing, since we need a valid destination address for "envdecode".
|
|
if cfg.Tracing == nil && cfg.Commons != nil && cfg.Commons.Tracing != nil {
|
|
cfg.Tracing = &config.Tracing{
|
|
Enabled: cfg.Commons.Tracing.Enabled,
|
|
Type: cfg.Commons.Tracing.Type,
|
|
Endpoint: cfg.Commons.Tracing.Endpoint,
|
|
Collector: cfg.Commons.Tracing.Collector,
|
|
}
|
|
} else if cfg.Tracing == nil {
|
|
cfg.Tracing = &config.Tracing{}
|
|
}
|
|
|
|
if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil {
|
|
cfg.TokenManager = &config.TokenManager{
|
|
JWTSecret: cfg.Commons.TokenManager.JWTSecret,
|
|
}
|
|
} else if cfg.TokenManager == nil {
|
|
cfg.TokenManager = &config.TokenManager{}
|
|
}
|
|
|
|
if cfg.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" {
|
|
cfg.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey
|
|
}
|
|
|
|
if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
|
|
cfg.Reva = &config.Reva{
|
|
Address: cfg.Commons.Reva.Address,
|
|
}
|
|
} else if cfg.Reva == nil {
|
|
cfg.Reva = &config.Reva{}
|
|
}
|
|
}
|
|
|
|
func Sanitize(cfg *config.Config) {
|
|
// sanitize config
|
|
if cfg.Policies == nil {
|
|
cfg.Policies = DefaultPolicies()
|
|
}
|
|
|
|
if cfg.PolicySelector == nil {
|
|
cfg.PolicySelector = &config.PolicySelector{
|
|
Static: &config.StaticSelectorConf{
|
|
Policy: "ocis",
|
|
},
|
|
}
|
|
}
|
|
|
|
if cfg.HTTP.Root != "/" {
|
|
cfg.HTTP.Root = strings.TrimSuffix(cfg.HTTP.Root, "/")
|
|
}
|
|
}
|