add config option to provide TLS certificate
David Christofas committed May 30, 2022
1 parent d4e0045 commit ced4bc3
Showing 6 changed files with 28 additions and 0 deletions.
1 change: 1 addition & 0 deletions .drone.star
Expand Up @@ -1583,6 +1583,7 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
"SETTINGS_DATA_PATH": "/srv/app/tmp/ocis/settings",
"IDM_CREATE_DEMO_USERS": True,
"IDM_ADMIN_PASSWORD": "admin", # override the random admin password from `ocis init`
"GRAPH_LDAP_CACERT": "",
}
wait_for_ocis = {
"name": "wait-for-ocis-server",
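Review bot: The new `"GRAPH_LDAP_CACERT": ""` entry overrides the default certificate path with an empty string, and unlike the `IDM_ADMIN_PASSWORD` line above it carries no comment saying why. From the service.go change in this commit, an unreadable certificate path makes the graph service fail to start, so the empty value presumably disables CA-cert loading because the default file is not present in CI; state that inline, e.g. `"GRAPH_LDAP_CACERT": "",  # disable CA cert loading; the default path is not present in CI`. If the pipeline is meant to exercise the new verification path, pointing it at the IDM-generated certificate instead would cover the new code rather than bypass it. `ocisServer` starts before the hunk and continues after it.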
6 changes: 6 additions & 0 deletions changelog/unreleased/graph-cacert.md
@@ -0,0 +1,6 @@
Enhancement: Add config option to provide TLS certificate

Added a config option to the graph service to provide a TLS certificate to be used to verify the LDAP server certificate.

https://github.com/owncloud/ocis/issues/3818
https://github.com/owncloud/ocis/pull/3888
1 change: 1 addition & 0 deletions extensions/graph/pkg/config/config.go
Expand Up @@ -38,6 +38,7 @@ type Spaces struct {

type LDAP struct {
URI string `yaml:"uri" env:"LDAP_URI;GRAPH_LDAP_URI"`
CACert string `yaml:"cacert" env:"LDAP_CACERT;GRAPH_LDAP_CACERT" desc:"The certificate to verify TLS connections"`
Insecure bool `yaml:"insecure" env:"OCIS_INSECURE;GRAPH_LDAP_INSECURE"`
BindDN string `yaml:"bind_dn" env:"LDAP_BIND_DN;GRAPH_LDAP_BIND_DN"`
BindPassword string `yaml:"bind_password" env:"LDAP_BIND_PASSWORD;GRAPH_LDAP_BIND_PASSWORD"`
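Review bot: The `desc` on the new `CACert` field says it is "The certificate", but service.go in this commit passes the value to `ioutil.ReadFile`, so it is a path to a PEM file, not certificate material; an operator reading the generated config docs will paste the wrong thing. Suggest `desc:"Path to a PEM-encoded CA certificate (or bundle) used to verify the LDAP server's TLS certificate"`. It is also worth stating in the description how the field interacts with `Insecure` on the next line — the name suggests an insecure connection skips verification regardless of the CA, but where `Insecure` is consumed is not in this hunk. The `LDAP` struct continues past the end of the hunk.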
3 changes: 3 additions & 0 deletions extensions/graph/pkg/config/defaults/defaultconfig.go
@@ -1,9 +1,11 @@
package defaults

import (
"path"
"strings"

"github.com/owncloud/ocis/v2/extensions/graph/pkg/config"
"github.com/owncloud/ocis/v2/ocis-pkg/config/defaults"
)

func FullDefaultConfig() *config.Config {
Expand Down Expand Up @@ -41,6 +43,7 @@ func DefaultConfig() *config.Config {
LDAP: config.LDAP{
URI: "ldaps://localhost:9235",
Insecure: true,
CACert: path.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
BindDN: "uid=libregraph,ou=sysusers,o=libregraph-idm",
UseServerUUID: false,
WriteEnabled: true,
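Review bot: `DefaultConfig` now points `CACert` at the IDM-generated `ldap.crt` but leaves `Insecure: true` on the line above, so with defaults the certificate is very likely never verified (where `Insecure` is consumed is outside this hunk, but the name suggests it disables verification); if the generated certificate is reliably present after `ocis init`, flipping the default to `Insecure: false` would make verification the out-of-the-box behaviour, otherwise the new default path is misleading. Separately, `path.Join` is for slash-separated URL-style paths; a filesystem location should use `filepath.Join(defaults.BaseDataPath(), "idm", "ldap.crt")` from `path/filepath`. `DefaultConfig` starts before the hunk and continues after it.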
1 change: 1 addition & 0 deletions extensions/graph/pkg/service/v0/graph_test.go
Expand Up @@ -37,6 +37,7 @@ var _ = Describe("Graph", func() {
JustBeforeEach(func() {
ctx = context.Background()
cfg = defaults.FullDefaultConfig()
cfg.Identity.LDAP.CACert = ""
cfg.TokenManager.JWTSecret = "loremipsum"

gatewayClient = &mocks.GatewayClient{}
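Review bot: The test now blanks `cfg.Identity.LDAP.CACert` without saying why, which reads as an arbitrary override; per the service.go change in this commit, `NewService` returns nil when the configured certificate file cannot be read, and the default path presumably does not exist in the test environment. Add that inline: `cfg.Identity.LDAP.CACert = "" // default cert path does not exist in tests; NewService would fail to read it`. The `JustBeforeEach` body continues past the hunk.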
16 changes: 16 additions & 0 deletions extensions/graph/pkg/service/v0/service.go
Expand Up @@ -2,6 +2,8 @@ package svc

import (
"crypto/tls"
"crypto/x509"
"io/ioutil"
"net/http"
"strconv"
"time"
Expand Down Expand Up @@ -89,6 +91,20 @@ func NewService(opts ...Option) Service {
}
}

if options.Config.Identity.LDAP.CACert != "" {
if tlsConf == nil {
tlsConf = &tls.Config{}
}
certs := x509.NewCertPool()
pemData, err := ioutil.ReadFile(options.Config.Identity.LDAP.CACert)
if err != nil {
options.Logger.Error().Msgf("Error initializing LDAP Backend: '%s'", err)
return nil
}
certs.AppendCertsFromPEM(pemData)
tlsConf.RootCAs = certs
}

conn := ldap.NewLDAPWithReconnect(&options.Logger,
ldap.Config{
URI: options.Config.Identity.LDAP.URI,
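Review bot: The return value of `certs.AppendCertsFromPEM(pemData)` is ignored, so a file that exists but contains no parsable certificate (wrong file, DER instead of PEM, truncated) yields an empty `RootCAs` pool with no log line; depending on how `Insecure` is handled elsewhere, that either makes every LDAP connection fail with an unhelpful verification error or, if verification is skipped, silently leaves the operator believing the CA is in effect. Treat a false result as a startup error, the same way the read failure just above it is handled. `ioutil.ReadFile` has been deprecated since Go 1.16; `os.ReadFile` is the drop-in replacement. `NewService` starts before the hunk and continues after it.
```go
	// … unchanged: tlsConf initialisation and ReadFile of CACert …
	if !certs.AppendCertsFromPEM(pemData) {
		options.Logger.Error().Msgf("Error initializing LDAP Backend: no PEM certificates found in '%s'", options.Config.Identity.LDAP.CACert)
		return nil
	}
	tlsConf.RootCAs = certs
```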
