From 0f23ce6bed09cea3cb1db6556236468ec43f926a Mon Sep 17 00:00:00 2001
From: David Christofas
Date: Mon, 30 May 2022 11:49:04 +0200
Subject: [PATCH] add config option to provide TLS certificate

---
 changelog/unreleased/graph-cacert.md | 6 +++++
 extensions/graph/pkg/config/config.go | 1 +
 .../pkg/config/defaults/defaultconfig.go | 3 +++
 extensions/graph/pkg/service/v0/service.go | 24 +++++++++++++++++++
 4 files changed, 34 insertions(+)
 create mode 100644 changelog/unreleased/graph-cacert.md

diff --git a/changelog/unreleased/graph-cacert.md b/changelog/unreleased/graph-cacert.md
new file mode 100644
index 00000000000..a8adb211487
--- /dev/null
+++ b/changelog/unreleased/graph-cacert.md
@@ -0,0 +1,6 @@
+Enhancement: Add config option to provide TLS certificate
+
+Added a config option to the graph service to provide a TLS certificate to be used to verify the LDAP server certificate.
+
+https://github.com/owncloud/ocis/issues/3818
+https://github.com/owncloud/ocis/pull/3888
diff --git a/extensions/graph/pkg/config/config.go b/extensions/graph/pkg/config/config.go
index 57c1df58af6..e772929e15d 100644
--- a/extensions/graph/pkg/config/config.go
+++ b/extensions/graph/pkg/config/config.go
@@ -38,6 +38,7 @@ type Spaces struct {
 
 type LDAP struct {
     URI string `yaml:"uri" env:"LDAP_URI;GRAPH_LDAP_URI"`
+    CACert string `yaml:"cacert" env:"LDAP_CACERT;GRAPH_LDAP_CACERT" desc:"The certificate to verify TLS connections"`
     Insecure bool `yaml:"insecure" env:"OCIS_INSECURE;GRAPH_LDAP_INSECURE"`
     BindDN string `yaml:"bind_dn" env:"LDAP_BIND_DN;GRAPH_LDAP_BIND_DN"`
     BindPassword string `yaml:"bind_password" env:"LDAP_BIND_PASSWORD;GRAPH_LDAP_BIND_PASSWORD"`
diff --git a/extensions/graph/pkg/config/defaults/defaultconfig.go b/extensions/graph/pkg/config/defaults/defaultconfig.go
index e2f2da4b996..581e833eb5b 100644
--- a/extensions/graph/pkg/config/defaults/defaultconfig.go
+++ b/extensions/graph/pkg/config/defaults/defaultconfig.go
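Review bot: The `desc` tag on the new `CACert` field, "The certificate to verify TLS connections", understates what the value is and when it applies: in the service hunk of this patch the string is passed to `ReadFile` and loaded into a `RootCAs` pool, and it is blanked whenever `Insecure` is true. Operators reading the generated config docs need to know it is a filesystem path to a PEM file of CA certificates, not an inline certificate, and that it is ignored in insecure mode. I would change the tag to `desc:"Path to a PEM file containing the CA certificate(s) used to verify the LDAP server's TLS certificate. Ignored when insecure is true."`. Since the same `LDAP_CACERT` variable is presumably read by other services that talk to IDM, it may also be worth stating that the shared name sets this value for all of them.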
@@ -1,9 +1,11 @@
 package defaults
 
 import (
+    "path"
     "strings"
 
     "github.com/owncloud/ocis/v2/extensions/graph/pkg/config"
+    "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults"
 )
 
 func FullDefaultConfig() *config.Config {
@@ -41,6 +43,7 @@ func DefaultConfig() *config.Config {
         LDAP: config.LDAP{
             URI: "ldaps://localhost:9235",
             Insecure: true,
+            CACert: path.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
             BindDN: "uid=libregraph,ou=sysusers,o=libregraph-idm",
             UseServerUUID: false,
             WriteEnabled: true,
diff --git a/extensions/graph/pkg/service/v0/service.go b/extensions/graph/pkg/service/v0/service.go
index ca880b1bb62..2386a21c647 100644
--- a/extensions/graph/pkg/service/v0/service.go
+++ b/extensions/graph/pkg/service/v0/service.go
@@ -2,6 +2,8 @@ package svc
 
 import (
     "crypto/tls"
+    "crypto/x509"
+    "io/ioutil"
     "net/http"
     "strconv"
     "time"
@@ -14,6 +16,7 @@ import (
     "github.com/owncloud/ocis/v2/extensions/graph/pkg/identity"
     "github.com/owncloud/ocis/v2/extensions/graph/pkg/identity/ldap"
     graphm "github.com/owncloud/ocis/v2/extensions/graph/pkg/middleware"
+    ocisldap "github.com/owncloud/ocis/v2/ocis-pkg/ldap"
     "github.com/owncloud/ocis/v2/ocis-pkg/roles"
     "github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
     settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
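Review bot: The new `CACert` default sits next to the unchanged `Insecure: true`, and in the service hunk of this same patch the CA path is discarded whenever `Insecure` is set, so the shipped default certificate is never consulted: a stock deployment keeps running with `InsecureSkipVerify` against the LDAP server until an operator also sets `GRAPH_LDAP_INSECURE=false`. If the bundled IDM does write its certificate to `<data>/idm/ldap.crt` (I cannot confirm that from this diff), the intent of the change is better served by flipping the default to `Insecure: false,` here so verification is on by default; otherwise the precedence should at least be spelled out in a comment on this line, e.g. `// CACert is only honoured when Insecure is false.`. Separately, this is an OS filesystem path, so it should be built with `filepath.Join(defaults.BaseDataPath(), "idm", "ldap.crt")` rather than `path.Join`, which is for slash-separated URL paths; that also replaces the `"path"` import added in the hunk above.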
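Review bot: The added `"io/ioutil"` import brings in a package that has been deprecated since Go 1.16; `ioutil.ReadFile` is a plain alias for `os.ReadFile`, so if this module's `go` directive is 1.16 or later (it is not visible here) the import should be `"os"` and the later call in `NewService` should read `pemData, err := os.ReadFile(options.Config.Identity.LDAP.CACert)`. At that same call site, which is in the last hunk of this patch and runs past what I can see, the `bool` returned by `certs.AppendCertsFromPEM(pemData)` is discarded, so a file that contains no parseable certificate silently yields an empty `RootCAs` pool and every LDAP connection fails with an opaque verification error instead of a clear startup message; checking that result with something like `if !certs.AppendCertsFromPEM(pemData) { options.Logger.Error().Msg("no certificates found in LDAP CA file"); return nil }` would fail fast with an actionable reason.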
@@ -83,12 +86,33 @@ func NewService(opts ...Option) Service {
     var tlsConf *tls.Config
     if options.Config.Identity.LDAP.Insecure {
+        // When insecure is set to true then we don't need a certificate.
+        options.Config.Identity.LDAP.CACert = ""
         tlsConf = &tls.Config{
             //nolint:gosec // We need the ability to run with "insecure" (dev/testing)
             InsecureSkipVerify: options.Config.Identity.LDAP.Insecure,
         }
     }
 
+    if options.Config.Identity.LDAP.CACert != "" {
+        if err := ocisldap.WaitForCA(options.Logger,
+            options.Config.Identity.LDAP.Insecure,
+            options.Config.Identity.LDAP.CACert); err != nil {
+            options.Logger.Fatal().Err(err).Msg("The configured LDAP CA cert does not exist")
+        }
+        if tlsConf == nil {
+            tlsConf = &tls.Config{}
+        }
+        certs := x509.NewCertPool()
+        pemData, err := ioutil.ReadFile(options.Config.Identity.LDAP.CACert)
+        if err != nil {
+            options.Logger.Error().Msgf("Error initializing LDAP Backend: '%s'", err)
+            return nil
+        }
+        certs.AppendCertsFromPEM(pemData)
+        tlsConf.RootCAs = certs
+    }
+
     conn := ldap.NewLDAPWithReconnect(&options.Logger, ldap.Config{
         URI: options.Config.Identity.LDAP.URI,