From e932120cbcb6077f299cfa82a46a759a8c9d1c35 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Mon, 13 Sep 2021 17:46:30 +0200
Subject: [PATCH] Allow reva to use safer TLS defaults for LDAP

Reva is moving away from the hardcoded "insecure" setting for LDAP connections. For this to happend ocis needs some adjustments. In order to avoid an "insecure" by default config in ocis this commit adds the new parameters "insecure" and "cacert" to the LDAP configuration for the auth-, user- and groups-provider. To make the out of the box experience as smooth as possible the default setting for "cacert" points to the certificate that is generated for glauth on startup.
---
 changelog/unreleased/reva-ldap-tls.md | 10 ++++++++++
 storage/pkg/command/authbasic.go | 2 ++
 storage/pkg/command/groups.go | 2 ++
 storage/pkg/command/users.go | 2 ++
 storage/pkg/config/config.go | 2 ++
 storage/pkg/flagset/ldap.go | 17 +++++++++++++++++
 6 files changed, 35 insertions(+)
 create mode 100644 changelog/unreleased/reva-ldap-tls.md

diff --git a/changelog/unreleased/reva-ldap-tls.md b/changelog/unreleased/reva-ldap-tls.md
new file mode 100644
index 00000000000..8cc1846bbe5
--- /dev/null
+++ b/changelog/unreleased/reva-ldap-tls.md
@@ -0,0 +1,10 @@
+Enhancement: TLS config options for ldap in reva
+
+We added the new config options "ldap-cacert" and "ldap-insecure" to the auth-,
+users- and groups-provider services to be able to do proper TLS configuration
+for the LDAP clients. "ldap-cacert" is by default configured to add the bundled
+glauth LDAP servers certificate to the trusted set for the LDAP clients.
+"ldap-insecure" is set to "false" by default and can be used to disable
+certificate checks (only advisable for development and test enviroments).
+
+https://github.com/owncloud/ocis/pull/2492
diff --git a/storage/pkg/command/authbasic.go b/storage/pkg/command/authbasic.go
index 3e0d11db410..7b1bd96b97c 100644
--- a/storage/pkg/command/authbasic.go
+++ b/storage/pkg/command/authbasic.go
@@ -114,6 +114,8 @@ func authBasicConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]in
 "ldap": map[string]interface{}{
 "hostname": cfg.Reva.LDAP.Hostname,
 "port": cfg.Reva.LDAP.Port,
+ "cacert": cfg.Reva.LDAP.CACert,
+ "insecure": cfg.Reva.LDAP.Insecure,
 "base_dn": cfg.Reva.LDAP.BaseDN,
 "loginfilter": cfg.Reva.LDAP.LoginFilter,
 "bind_username": cfg.Reva.LDAP.BindDN,
diff --git a/storage/pkg/command/groups.go b/storage/pkg/command/groups.go
index 47f0bbb4e8d..0c11d3d18a8 100644
--- a/storage/pkg/command/groups.go
+++ b/storage/pkg/command/groups.go
@@ -118,6 +118,8 @@ func groupsConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]inter
 "ldap": map[string]interface{}{
 "hostname": cfg.Reva.LDAP.Hostname,
 "port": cfg.Reva.LDAP.Port,
+ "cacert": cfg.Reva.LDAP.CACert,
+ "insecure": cfg.Reva.LDAP.Insecure,
 "base_dn": cfg.Reva.LDAP.BaseDN,
 "groupfilter": cfg.Reva.LDAP.GroupFilter,
 "attributefilter": cfg.Reva.LDAP.GroupAttributeFilter,
diff --git a/storage/pkg/command/users.go b/storage/pkg/command/users.go
index 4836afe6d49..24ef2b57369 100644
--- a/storage/pkg/command/users.go
+++ b/storage/pkg/command/users.go
@@ -121,6 +121,8 @@ func usersConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]interf
 "ldap": map[string]interface{}{
 "hostname": cfg.Reva.LDAP.Hostname,
 "port": cfg.Reva.LDAP.Port,
+ "cacert": cfg.Reva.LDAP.CACert,
+ "insecure": cfg.Reva.LDAP.Insecure,
 "base_dn": cfg.Reva.LDAP.BaseDN,
 "userfilter": cfg.Reva.LDAP.UserFilter,
 "attributefilter": cfg.Reva.LDAP.UserAttributeFilter,
diff --git a/storage/pkg/config/config.go b/storage/pkg/config/config.go
index 4d73c02c762..e50bc34c51a 100644
--- a/storage/pkg/config/config.go
+++ b/storage/pkg/config/config.go
@@ -332,6 +332,8 @@ type OIDC struct {
 type LDAP struct {
 Hostname string
 Port int
+ CACert string
+ Insecure bool
 BaseDN string
 LoginFilter string
 UserFilter string
diff --git a/storage/pkg/flagset/ldap.go b/storage/pkg/flagset/ldap.go
index b5f069a45b4..cea3c2bddba 100644
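Review bot: The new `CACert` and `Insecure` fields in the config.go hunk carry no doc comment, and `Insecure` in particular changes the security posture of the LDAP connection, so its meaning belongs on the struct and not only in the flag's Usage string in flagset/ldap.go. Suggested lines above the fields: `// CACert is the path to a PEM file whose certificates are trusted for the LDAP connection.` and `// Insecure disables TLS certificate and hostname validation for the LDAP connection (development and test only).` The neighbouring fields are undocumented as well, but these two are the ones a reader is most likely to need explained. The LDAP struct continues past the end of the hunk.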
--- a/storage/pkg/flagset/ldap.go
+++ b/storage/pkg/flagset/ldap.go
@@ -1,8 +1,11 @@
 package flagset
 import (
+ "path"
+
 "github.com/micro/cli/v2"
 "github.com/owncloud/ocis/ocis-pkg/flags"
+ pkgos "github.com/owncloud/ocis/ocis-pkg/os"
 "github.com/owncloud/ocis/storage/pkg/config"
 )
@@ -23,6 +26,20 @@ func LDAPWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"STORAGE_LDAP_PORT"},
 Destination: &cfg.Reva.LDAP.Port,
 },
+ &cli.StringFlag{
+ Name: "ldap-cacert",
+ Value: flags.OverrideDefaultString(cfg.Reva.LDAP.CACert, path.Join(pkgos.MustUserConfigDir("ocis", "ldap"), "ldap.crt")),
+ Usage: "Path to a trusted Certificate file (in PEM format) for the LDAP Connection",
+ EnvVars: []string{"STORAGE_LDAP_CACERT"},
+ Destination: &cfg.Reva.LDAP.CACert,
+ },
+ &cli.BoolFlag{
+ Name: "ldap-insecure",
+ Value: flags.OverrideDefaultBool(cfg.Reva.LDAP.Insecure, false),
+ Usage: "Disable TLS certificate and hostname validation",
+ EnvVars: []string{"STORAGE_LDAP_INSECURE"},
+ Destination: &cfg.Reva.LDAP.Insecure,
+ },
 &cli.StringFlag{
 Name: "ldap-base-dn",
 Value: flags.OverrideDefaultString(cfg.Reva.LDAP.BaseDN, "dc=example,dc=org"),
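Review bot: The `ldap-cacert` default in the second hunk of flagset/ldap.go builds a filesystem path with `path.Join`, which always joins with forward slashes; `filepath.Join` is the OS-aware call for file paths, so the import hunk should bring in `"path/filepath"` instead of `"path"` and the Value line become `Value: flags.OverrideDefaultString(cfg.Reva.LDAP.CACert, filepath.Join(pkgos.MustUserConfigDir("ocis", "ldap"), "ldap.crt")),`. The `ldap-insecure` Usage could also state the restriction the changelog gives, e.g. `Usage: "Disable TLS certificate and hostname validation (development and test environments only)",`. What the reva LDAP client does when the default cacert file is absent, for instance against an external LDAP server whose certificate is already trusted by the system store, is not visible here and is presumably worth confirming before this default ships. LDAPWithConfig continues past the end of the hunk.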