From 40074c3700e52e239f2b3267d6d75b811bed787c Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Wed, 16 Mar 2022 12:40:57 +0100
Subject: [PATCH] Turn of "insecure" of built-in IDP

Setup idp to verify the LDAP server certificate. As this certificate might be generated on startup, this also moved the IDP to the "delayed" set of services. So it starts after "idm".
---
 idp/pkg/config/config.go | 3 ++-
 idp/pkg/config/defaults/defaultconfig.go | 3 ++-
 idp/pkg/service/v0/service.go | 4 ++++
 ocis/pkg/runtime/service/service.go | 2 +-
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/idp/pkg/config/config.go b/idp/pkg/config/config.go
index c6e4b5b15a8..61de02b6e92 100644
--- a/idp/pkg/config/config.go
+++ b/idp/pkg/config/config.go
@@ -27,7 +27,8 @@ type Config struct {
 // Ldap defines the available LDAP configuration.
 type Ldap struct {
- URI string `ocisConfig:"uri" env:"IDP_LDAP_URI"`
+ URI string `ocisConfig:"uri" env:"IDP_LDAP_URI"`
+ TLSCACert string `ocisConfig:"uri" env:"IDP_LDAP_TLS_CACERT"`
 BindDN string `ocisConfig:"bind_dn" env:"IDP_LDAP_BIND_DN"`
 BindPassword string `ocisConfig:"bind_password" env:"IDP_LDAP_BIND_PASSWORD"`
diff --git a/idp/pkg/config/defaults/defaultconfig.go b/idp/pkg/config/defaults/defaultconfig.go
index 00675f0cafe..2350dfe4063 100644
--- a/idp/pkg/config/defaults/defaultconfig.go
+++ b/idp/pkg/config/defaults/defaultconfig.go
@@ -42,7 +42,7 @@ func DefaultConfig() *config.Config {
 SignedOutURI: "",
 AuthorizationEndpointURI: "",
 EndsessionEndpointURI: "",
- Insecure: true,
+ Insecure: false,
 TrustedProxy: nil,
 AllowScope: nil,
 AllowClientGuests: false,
@@ -69,6 +69,7 @@ func DefaultConfig() *config.Config {
 },
 Ldap: config.Ldap{
 URI: "ldaps://localhost:9235",
+ TLSCACert: path.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
 BindDN: "uid=idp,ou=sysusers,o=libregraph-idm",
 BindPassword: "idp",
 BaseDN: "ou=users,o=libregraph-idm",
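Review bot: The added `TLSCACert` field carries the tag `ocisConfig:"uri"`, the same config-file key as the `URI` field directly above it, which looks like a copy-paste slip: two fields now claim the `uri` key, and the CA certificate path presumably cannot be set under a key of its own in the config file (only via the env var). The tag should follow the field's own name like its siblings, `TLSCACert string \`ocisConfig:"tls_cacert" env:"IDP_LDAP_TLS_CACERT"\``. Since this path is what makes server-certificate verification possible once `Insecure` is off, a doc comment would help too: `// TLSCACert is the path to the CA certificate used to verify the LDAP server's TLS certificate.` The `Ldap` struct continues past the end of the hunk.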
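Review bot: Flipping the default of `Insecure` to `false` is the right direction, but it is a behaviour change for existing deployments: an LDAP server whose certificate does not chain to whatever CA the new default points at will start failing TLS verification after an upgrade unless the operator sets the CA path or explicitly re-enables the insecure mode. That deserves an upgrade note or changelog entry alongside the commit, and ideally a comment on the line itself, e.g. `// verify the LDAP server certificate by default; set the CA cert path when not using the built-in idm.` `DefaultConfig` starts before and ends after this hunk.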
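Review bot: The default CA path on the added line is built with `path.Join`, which is meant for slash-separated URL paths; a filesystem path should use `filepath.Join(defaults.BaseDataPath(), "idm", "ldap.crt")` (whether `filepath` is already imported in this file is outside the hunk). This default also only makes sense together with the default `URI` pointing at the built-in idm: an operator who overrides `IDP_LDAP_URI` to an external LDAP server silently inherits the CA path of idm's generated certificate and verification will fail until they override the CA path as well, so a comment next to the line would save debugging time, e.g. `// CA cert generated by the built-in idm service; override together with URI when using an external LDAP server.` `DefaultConfig` continues outside this hunk.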
diff --git a/idp/pkg/service/v0/service.go b/idp/pkg/service/v0/service.go
index cf486f16214..c2434f179b1 100644
--- a/idp/pkg/service/v0/service.go
+++ b/idp/pkg/service/v0/service.go
@@ -138,6 +138,10 @@ func initLicoInternalEnvVars(ldap *config.Ldap) error {
 "LDAP_FILTER": ldap.Filter,
 }
 
+ if ldap.TLSCACert != "" {
+ defaults["LDAP_TLS_CACERT"] = ldap.TLSCACert
+ }
+
 for k, v := range defaults {
 if err := os.Setenv(k, v); err != nil {
 return fmt.Errorf("could not set env var %s=%s", k, v)
diff --git a/ocis/pkg/runtime/service/service.go b/ocis/pkg/runtime/service/service.go
index 44e46eae9a9..d543898826b 100644
--- a/ocis/pkg/runtime/service/service.go
+++ b/ocis/pkg/runtime/service/service.go
@@ -97,7 +97,6 @@ func NewService(options ...Option) (*Service, error) {
 s.ServicesRegistry["storage-metadata"] = storage.NewStorageMetadata
 s.ServicesRegistry["graph"] = graph.NewSutureService
 s.ServicesRegistry["graph-explorer"] = graphExplorer.NewSutureService
- s.ServicesRegistry["idp"] = idp.NewSutureService
 s.ServicesRegistry["idm"] = idm.NewSutureService
 s.ServicesRegistry["ocs"] = ocs.NewSutureService
 s.ServicesRegistry["store"] = store.NewSutureService
@@ -120,6 +119,7 @@ func NewService(options ...Option) (*Service, error) {
 // populate delayed services
 s.Delayed["storage-sharing"] = storage.NewSharing
 s.Delayed["proxy"] = proxy.NewSutureService
+ s.Delayed["idp"] = idp.NewSutureService
 
 return s, nil
 }
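Review bot: The new branch passes `ldap.TLSCACert` straight into the environment without checking that the file exists or is readable, so a missing or not-yet-generated certificate (the commit relies on idm producing it at startup) only surfaces later as an opaque LDAP connection failure inside the embedded IDP rather than at the point where the misconfiguration is obvious. A fail-fast check inside the branch, `if _, err := os.Stat(ldap.TLSCACert); err != nil { return fmt.Errorf("ldap tls ca cert %q: %w", ldap.TLSCACert, err) }`, gives the operator a clear message; `os` and `fmt` are already used a few lines below. A comment noting that `LDAP_TLS_CACERT` is consumed by the embedded lico server would also help, though I cannot confirm from the hunk that this is the variable name it expects. `initLicoInternalEnvVars` continues past the end of the hunk.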
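Review bot: The reason `idp` moves into the `Delayed` set is not recorded at the registration site, so a reader of `NewService` sees only an unexplained reordering next to `proxy` and `storage-sharing`. A comment on the added line would preserve the intent: `// idp is delayed so it starts after idm, which generates the LDAP server certificate idp now verifies.` Note that starting later only orders the services; whether the certificate file has actually been written by the time idp reads it depends on how idm generates it, which is not visible here. `NewService` starts before this hunk.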