commit 078698f
Author: Jörn Friedrich Dreyer <[email protected]>
Date:   Thu Jan 12 16:09:34 2023 +0100

    graph: add appRoleAssignments and minimal application resource (#5318)

    * bump libregraph-go lib

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * add appRoleAssignment stubs

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * add get application stub

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * fetch appRoles for application from settings service

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * initial list appRoleAssignments implementation

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * initial create appRoleAssignment implementation, extract assignmentToAppRoleAssignment, configurable app id and displayname

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * initial delete appRoleAssignment implementation, changed error handling and logging

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * initial expand appRoleAssignment on users

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * test user expand appRoleAssignment

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * test appRoleAssignment

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * fix education test by actually using the mocked roleManager

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * test getapplication

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * list assignments

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * use common not exists error handling

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * default to just 'ownCloud Infinite Scale' as application name

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * fix store_test

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * roll application uuid on init

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * fix tests

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * extract method

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

    * Apply suggestions from code review

    Co-authored-by: Michael Barz <[email protected]>

    Signed-off-by: Jörn Friedrich Dreyer <[email protected]>
    Co-authored-by: Michael Barz <[email protected]>
butonic committed Jan 12, 2023
1 parent fac8d37 commit 558d49a
Showing 4 changed files with 32 additions and 9 deletions.
18 changes: 9 additions & 9 deletions services/_includes/adoc/global_configvars.adoc
Expand Up @@ -26,7 +26,7 @@ a| [subs=-attributes]
++false ++

a| [subs=-attributes]
Flag to enable or disable the creation of the demo users.
The default role assignments the demo users should be setup.

a| `LDAP_BIND_DN`
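
Review bot: the replacement description in this hunk ("The default role assignments the demo users should be setup.") does not fit the `false` default shown in the cell just above it. A boolean default implies a flag, while the new text describes role assignments and is not a complete sentence. Keep the flag wording ("Flag to enable or disable the creation of the demo users.") or, if the variable really changed meaning, update the default cell together with the description.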

Expand Down Expand Up @@ -535,7 +535,7 @@ a| [subs=-attributes]
++[]string ++

a| [subs=-attributes]
++[Authorization Origin Content-Type Accept X-Requested-With] ++
++[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override] ++

a| [subs=-attributes]
A comma-separated list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers.
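
Review bot: the default cell for the allowed CORS headers grows from five entries to 22, including `X-HTTP-Method-Override`, `Destination` and `Overwrite`, and nothing in this global table says which service that default belongs to. Name the service the value is taken from, or note that the default differs per service, so an operator does not assume the broad list applies everywhere. The unchanged description line also links *Access-Control-Request-Headers*, while the setting lists the headers the server allows (`Access-Control-Allow-Headers`); worth fixing while this row is being regenerated.
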
Expand All @@ -552,7 +552,7 @@ a| [subs=-attributes]
++[]string ++

a| [subs=-attributes]
++[GET POST PUT PATCH DELETE OPTIONS] ++
++[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH] ++

a| [subs=-attributes]
A comma-separated list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method
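
Review bot: `PATCH` is in the previous default list of allowed CORS methods and missing from the new one, which otherwise only adds methods (`HEAD` and the WebDAV verbs `MKCOL`, `PROPFIND`, `PROPPATCH`, `MOVE`, `COPY`, `REPORT`, `SEARCH`). Confirm that dropping `PATCH` is intended for every service that reads this global variable, and if the default differs per service, state which service the documented value comes from.
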
Expand Down Expand Up @@ -853,7 +853,7 @@ a| [subs=-attributes]
++false ++

a| [subs=-attributes]
Whether the ocis server should skip the client certificate verification during the TLS handshake.
Allow insecure connections to the frontend.

a| `OCIS_JWT_SECRET`
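
Review bot: the new description "Allow insecure connections to the frontend." no longer says what is being relaxed, whereas the line it replaces named certificate verification during the TLS handshake. For a setting that weakens transport security, the text should state which check is skipped (certificate verification, plain HTTP, or both) and that the `false` default keeps the check on.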

Expand Down Expand Up @@ -1078,7 +1078,7 @@ a| [subs=-attributes]
++ ++

a| [subs=-attributes]
Machine auth API key used to validate internal requests necessary for the access to resources from other services.
The machine auth API key used to validate internal requests necessary to access resources from other services.

a| `OCIS_OIDC_ISSUER`

Expand All @@ -1099,7 +1099,7 @@ a| [subs=-attributes]
++https://localhost:9200 ++

a| [subs=-attributes]
The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.
URL of the OIDC issuer. It defaults to URL of the builtin IDP.

a| `OCIS_SYSTEM_USER_API_KEY`

Expand Down Expand Up @@ -1137,7 +1137,7 @@ a| [subs=-attributes]
++ ++

a| [subs=-attributes]
ID of the oCIS storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.
ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.

a| `OCIS_SYSTEM_USER_IDP`
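
Review bot: the rewritten description line keeps two grammar slips, "Any reasonable long string" and "an UUIDv4 format". Since the line is touched anyway for the STORAGE-SYSTEM casing, change them to "Any reasonably long string" and "a UUIDv4".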

Expand Down Expand Up @@ -1341,7 +1341,7 @@ a| [subs=-attributes]
++https://localhost:9200 ++

a| [subs=-attributes]
The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.
The public facing URL of the oCIS frontend.

a| `REVA_GATEWAY`

Expand Down Expand Up @@ -1392,7 +1392,7 @@ a| [subs=-attributes]
++ ++

a| [subs=-attributes]
The storage transfer secret.
Transfer secret for signing file up- and download requests.

a| `STORAGE_USERS_OCIS_ASYNC_UPLOADS`
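
Review bot: the default cell above the new transfer-secret description is empty, and the text does not say what happens when the value is left unset. As the secret signs file upload and download requests, add whether the service refuses to start or generates a value when it is missing, and that it should be a long random string.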

18 changes: 18 additions & 0 deletions services/_includes/adoc/graph_configvars.adoc
Expand Up @@ -289,6 +289,24 @@ a| [subs=-attributes]
a| [subs=-attributes]
Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.

a|`GRAPH_APPLICATION_ID` +

a| [subs=-attributes]
++string ++
a| [subs=-attributes]
++ ++
a| [subs=-attributes]
The ocis application id shown in the graph. All app roles are tied to this.

a|`GRAPH_APPLICATION_DISPLAYNAME` +

a| [subs=-attributes]
++string ++
a| [subs=-attributes]
++ownCloud Infinite Scale ++
a| [subs=-attributes]
The oCIS application name

a|`OCIS_URL` +
`GRAPH_SPACES_WEBDAV_BASE` +
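
Review bot: `GRAPH_APPLICATION_ID` is documented with an empty default and "All app roles are tied to this", but the description does not say where the id comes from when it is unset or what happens to existing role assignments if it changes. Add a sentence covering both, since this value anchors authorization data. Also align "ocis" with "oCIS" and end the `GRAPH_APPLICATION_DISPLAYNAME` description with a period, as in the other rows.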

3 changes: 3 additions & 0 deletions services/_includes/graph-config-example.yaml
Expand Up @@ -40,6 +40,9 @@ token_manager:
grpc_client_tls:
mode: ""
cacert: ""
application:
id: ""
displayname: ownCloud Infinite Scale
spaces:
webdav_base: https://localhost:9200
webdav_path: /dav/spaces/
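
Review bot: `id: ""` under `application:` gives no hint of what a valid value looks like. A YAML comment on that line stating the expected format, and whether the empty string is accepted at startup, would help operators who copy this example file.
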
2 changes: 2 additions & 0 deletions services/_includes/graph_configvars.md
Expand Up @@ -30,6 +30,8 @@
| OCIS_JWT_SECRET<br/>GRAPH_JWT_SECRET | string | | The secret to mint and validate jwt tokens.|
| OCIS_GRPC_CLIENT_TLS_MODE | string | | TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server ceritificate verification.|
| OCIS_GRPC_CLIENT_TLS_CACERT | string | | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|
| GRAPH_APPLICATION_ID | string | | The ocis application id shown in the graph. All app roles are tied to this.|
| GRAPH_APPLICATION_DISPLAYNAME | string | ownCloud Infinite Scale | The oCIS application name|
| OCIS_URL<br/>GRAPH_SPACES_WEBDAV_BASE | string | https://localhost:9200 | The public facing URL of WebDAV.|
| GRAPH_SPACES_WEBDAV_PATH | string | /dav/spaces/ | The WebDAV subpath for spaces.|
| GRAPH_SPACES_DEFAULT_QUOTA | string | 1000000000 | The default quota in bytes.|