Allow reva to use safer TLS defaults for LDAP

Reva is moving away from the hardcoded "insecure" setting for LDAP connections. For this to happend ocis needs some adjustments. In order to avoid an "insecure" by default config in ocis this commit adds the new parameters "insecure" and "cacert" to the LDAP configuration for the auth-, user- and groups-provider. To make the out of the box experience as smooth as possible the default setting for "cacert" points to the certificate that is generated for glauth on startup.
owncloud · Sep 13, 2021 · 6a54b6d · 6a54b6d
1 parent 47c2c3a
commit 6a54b6d
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 0 deletions.
diff --git a/storage/pkg/command/authbasic.go b/storage/pkg/command/authbasic.go
@@ -114,6 +114,8 @@ func authBasicConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]in
 						"ldap": map[string]interface{}{
 							"hostname":      cfg.Reva.LDAP.Hostname,
 							"port":          cfg.Reva.LDAP.Port,
+							"cacert":        cfg.Reva.LDAP.CACert,
+							"insecure":      cfg.Reva.LDAP.Insecure,
 							"base_dn":       cfg.Reva.LDAP.BaseDN,
 							"loginfilter":   cfg.Reva.LDAP.LoginFilter,
 							"bind_username": cfg.Reva.LDAP.BindDN,

diff --git a/storage/pkg/command/groups.go b/storage/pkg/command/groups.go
@@ -118,6 +118,8 @@ func groupsConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]inter
 						"ldap": map[string]interface{}{
 							"hostname":        cfg.Reva.LDAP.Hostname,
 							"port":            cfg.Reva.LDAP.Port,
+							"cacert":          cfg.Reva.LDAP.CACert,
+							"insecure":        cfg.Reva.LDAP.Insecure,
 							"base_dn":         cfg.Reva.LDAP.BaseDN,
 							"groupfilter":     cfg.Reva.LDAP.GroupFilter,
 							"attributefilter": cfg.Reva.LDAP.GroupAttributeFilter,

diff --git a/storage/pkg/command/users.go b/storage/pkg/command/users.go
@@ -121,6 +121,8 @@ func usersConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]interf
 						"ldap": map[string]interface{}{
 							"hostname":        cfg.Reva.LDAP.Hostname,
 							"port":            cfg.Reva.LDAP.Port,
+							"cacert":          cfg.Reva.LDAP.CACert,
+							"insecure":        cfg.Reva.LDAP.Insecure,
 							"base_dn":         cfg.Reva.LDAP.BaseDN,
 							"userfilter":      cfg.Reva.LDAP.UserFilter,
 							"attributefilter": cfg.Reva.LDAP.UserAttributeFilter,

diff --git a/storage/pkg/config/config.go b/storage/pkg/config/config.go
@@ -332,6 +332,8 @@ type OIDC struct {
 type LDAP struct {
 	Hostname             string
 	Port                 int
+	CACert               string
+	Insecure             bool
 	BaseDN               string
 	LoginFilter          string
 	UserFilter           string

diff --git a/storage/pkg/flagset/ldap.go b/storage/pkg/flagset/ldap.go
@@ -1,8 +1,11 @@
 package flagset
 
 import (
+	"path"
+
 	"github.com/micro/cli/v2"
 	"github.com/owncloud/ocis/ocis-pkg/flags"
+	pkgos "github.com/owncloud/ocis/ocis-pkg/os"
 	"github.com/owncloud/ocis/storage/pkg/config"
 )
 
@@ -23,6 +26,20 @@ func LDAPWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_LDAP_PORT"},
 			Destination: &cfg.Reva.LDAP.Port,
 		},
+		&cli.StringFlag{
+			Name:        "ldap-cacert",
+			Value:       flags.OverrideDefaultString(cfg.Reva.LDAP.CACert, path.Join(pkgos.MustUserConfigDir("ocis", "ldap"), "ldap.crt")),
+			Usage:       "Path to a trusted Certificate file (in PEM format) for the LDAP Connection",
+			EnvVars:     []string{"STORAGE_LDAP_CACERT"},
+			Destination: &cfg.Reva.LDAP.CACert,
+		},
+		&cli.BoolFlag{
+			Name:        "ldap-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.LDAP.Insecure, false),
+			Usage:       "Disable TLS certificate and hostname validation",
+			EnvVars:     []string{"STORAGE_LDAP_INSECURE"},
+			Destination: &cfg.Reva.LDAP.Insecure,
+		},
 		&cli.StringFlag{
 			Name:        "ldap-base-dn",
 			Value:       flags.OverrideDefaultString(cfg.Reva.LDAP.BaseDN, "dc=example,dc=org"),