opencloud-eu · pbleser-oc · Apr 16, 2025 · Apr 16, 2025 · Apr 16, 2025 · Apr 22, 2025
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -76,6 +76,138 @@
         "OC_SERVICE_ACCOUNT_SECRET": "service-account-secret"
       }
     },
+    {
+      "name": "OpenCloud server with Groupware",
+      "type": "go",
+      "request": "launch",
+      "mode": "debug",
+      "buildFlags": [
+        // "-tags", "enable_vips"
+      ],
+      "program": "${workspaceFolder}/opencloud/cmd/opencloud",
+      "args": ["server"],
+      "env": {
+        // log settings for human developers
+        "OC_LOG_LEVEL": "info",
+        "OC_LOG_PRETTY": "true",
+        "OC_LOG_COLOR": "true",
+        // set insecure options because we don't have valid certificates in dev environments
+        "OC_INSECURE": "true",
+        // enable basic auth for dev setup so that we can use curl for testing
+        "PROXY_ENABLE_BASIC_AUTH": "true",
+        // demo users
+        "IDM_CREATE_DEMO_USERS": "true",
+        // OC_RUN_SERVICES allows to start a subset of services even in the supervised mode
+        //"OC_RUN_SERVICES": "settings,storage-system,graph,idp,idm,ocs,store,thumbnails,web,webdav,frontend,gateway,users,groups,auth-basic,storage-authmachine,storage-users,storage-shares,storage-publiclink,storage-system,app-provider,sharing,proxy,ocdav",
+
+        /*
+         * Keep secrets and passwords in one block to allow easy uncommenting
+         */
+        // user id of "admin", for user creation and admin role assignement
+        "OC_ADMIN_USER_ID": "some-admin-user-id-0000-000000000000", // FIXME currently must have the length of a UUID, see reva/pkg/storage/utils/decomposedfs/spaces.go:228
+        // admin user default password
+        "IDM_ADMIN_PASSWORD": "admin",
+        // system user
+        "OC_SYSTEM_USER_ID": "some-system-user-id-000-000000000000", // FIXME currently must have the length of a UUID, see reva/pkg/storage/utils/decomposedfs/spaces.go:228
+        "OC_SYSTEM_USER_API_KEY": "some-system-user-machine-auth-api-key",
+        // set some hardcoded secrets
+        "OC_JWT_SECRET": "some-opencloud-jwt-secret",
+        "OC_MACHINE_AUTH_API_KEY": "some-opencloud-machine-auth-api-key",
+        "OC_TRANSFER_SECRET": "some-opencloud-transfer-secret",
+        // collaboration
+        "COLLABORATION_WOPIAPP_SECRET": "some-wopi-secret",
+        // idm ldap
+        "IDM_SVC_PASSWORD": "some-ldap-idm-password",
+        "GRAPH_LDAP_BIND_PASSWORD": "some-ldap-idm-password",
+        // reva ldap
+        "IDM_REVASVC_PASSWORD": "some-ldap-reva-password",
+        "GROUPS_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
+        "USERS_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
+        "AUTH_BASIC_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
+        // idp ldap
+        "IDM_IDPSVC_PASSWORD": "some-ldap-idp-password",
+        "IDP_LDAP_BIND_PASSWORD": "some-ldap-idp-password",
+        // storage users mount ID
+        "GATEWAY_STORAGE_USERS_MOUNT_ID": "storage-users-1",
+        "STORAGE_USERS_MOUNT_ID": "storage-users-1",
+        // graph application ID
+        "GRAPH_APPLICATION_ID": "application-1",
+
+        // service accounts
+        "OC_SERVICE_ACCOUNT_ID": "service-account-id",
+        "OC_SERVICE_ACCOUNT_SECRET": "service-account-secret",
+
+        "OC_ADD_RUN_SERVICES": "groupware",
+        "GROUPWARE_LOG_LEVEL": "trace"
+      }
+    },
+    {
+      "name": "OpenCloud server with external services",
+      "type": "go",
+      "request": "launch",
+      "mode": "debug",
+      "buildFlags": [
+        // "-tags", "enable_vips"
+      ],
+      "program": "${workspaceFolder}/opencloud/cmd/opencloud",
+      "args": ["server"],
+      "env": {
+        "OC_URL": "https://localhost:9200/",
+        "PROXY_DEBUG_ADDR": "0.0.0.0:9205",
+        "OC_BASE_DATA_PATH": "${env:HOME}/.opencloud-with-external",
+        "OC_CONFIG_DIR": "${env:HOME}/.opencloud-with-external/config",
+        "GROUPWARE_LOG_LEVEL": "trace",
+        "OC_LOG_LEVEL": "info",
+        "OC_LOG_PRETTY": "true",
+        "OC_LOG_COLOR": "true",
+        "OC_INSECURE": "true",
+        "PROXY_ENABLE_BASIC_AUTH": "false",
+        "IDM_CREATE_DEMO_USERS": "false",
+        "OC_LDAP_URI": "ldaps://localhost:636",
+        "OC_LDAP_INSECURE": "true",
+        "OC_LDAP_BIND_DN": "cn=admin,dc=opencloud,dc=eu",
+        "OC_LDAP_BIND_PASSWORD": "admin",
+        "OC_LDAP_GROUP_BASE_DN": "ou=groups,dc=opencloud,dc=eu",
+        "OC_LDAP_GROUP_SCHEMA_ID": "entryUUID",
+        "OC_LDAP_USER_BASE_DN": "ou=users,dc=opencloud,dc=eu",
+        "OC_LDAP_USER_FILTER": "(objectclass=inetOrgPerson)",
+        "OC_LDAP_USER_SCHEMA_ID": "entryUUID",
+        "OC_LDAP_DISABLE_USER_MECHANISM": "none",
+        "OC_LDAP_SERVER_WRITE_ENABLED": "false",
+        "OC_EXCLUDE_RUN_SERVICES": "idm",
+        "OC_ADD_RUN_SERVICES": "notifications,groupware",
+        "NATS_NATS_HOST": "0.0.0.0",
+        "NATS_NATS_PORT": "9233",
+        "FRONTEND_ARCHIVER_MAX_SIZE": "10000000000",
+        "MICRO_REGISTRY_ADDRESS": "127.0.0.1:9233",
+        "NOTIFICATIONS_SMTP_HOST": "localhost",
+        "NOTIFICATIONS_SMTP_PORT": "2500",
+        "NOTIFICATIONS_SMTP_SENDER": "OpenCloud notifications <notifications@cloud.opencloud.test>",
+        "NOTIFICATIONS_SMTP_USERNAME": "notifications@cloud.opencloud.test",
+        "NOTIFICATIONS_SMTP_INSECURE": "true",
+        "NOTIFICATIONS_SMTP_PASSWORD": "",
+        "NOTIFICATIONS_SMTP_AUTHENTICATION": "",
+        "NOTIFICATIONS_SMTP_ENCRYPTION": "none",
+        "PROXY_AUTOPROVISION_ACCOUNTS": "false",
+        "PROXY_ROLE_ASSIGNMENT_DRIVER": "oidc",
+        "OC_OIDC_ISSUER": "https://keycloak.opencloud.test/realms/openCloud",
+        "PROXY_OIDC_REWRITE_WELLKNOWN": "true",
+        "WEB_OIDC_CLIENT_ID": "web",
+        "PROXY_USER_OIDC_CLAIM": "uuid",
+        "PROXY_USER_CS3_CLAIM": "userid",
+        "WEB_OPTION_ACCOUNT_EDIT_LINK_HREF": "https://keycloak.opencloud.test/realms/openCloud/account",
+        "OC_ADMIN_USER_ID": "",
+        "SETTINGS_SETUP_DEFAULT_ASSIGNMENTS": "false",
+        "GRAPH_ASSIGN_DEFAULT_USER_ROLE": "false",
+        "GRAPH_USERNAME_MATCH": "none",
+        "KEYCLOAK_DOMAIN": "keycloak.opencloud.test",
+        "IDM_ADMIN_PASSWORD": "admin",
+        "GRAPH_LDAP_SERVER_UUID": "true",
+        "GRAPH_LDAP_GROUP_CREATE_BASE_DN": "ou=custom,ou=groups,dc=opencloud,dc=eu",
+        "GRAPH_LDAP_REFINT_ENABLED": "true",
+        "GATEWAY_GRPC_ADDR": "0.0.0.0:9142",
+      }
+    },
     {
       "name": "Fed OpenCloud server",
       "type": "go",

diff --git a/Makefile b/Makefile
@@ -27,6 +27,7 @@ OC_MODULES = \
 	services/app-provider \
 	services/app-registry \
 	services/audit \
+	services/auth-api \
 	services/auth-app \
 	services/auth-basic \
 	services/auth-bearer \
@@ -39,6 +40,7 @@ OC_MODULES = \
 	services/gateway \
 	services/graph \
 	services/groups \
+	services/groupware \
 	services/idm \
 	services/idp \
 	services/invitations \

diff --git a/devtools/deployments/opencloud_full/.env b/devtools/deployments/opencloud_full/.env
@@ -305,8 +305,15 @@ KEYCLOAK_ADMIN_PASSWORD=
 # Leaving it default stores data in docker internal volumes.
 #RADICALE_DATA_DIR=/your/local/radicale/data
 
+### Stalwart Settings ###
+# Note: the leading colon is required to enable the service.
+#STALWART=:stalwart.yml
+# Domain of Stalwart
+# Defaults to "stalwart.opencloud.test"
+STALWART_DOMAIN=
+
-STALWART_DOMAIN=
+STALWART_DOMAIN=
+# LDAP config to use. Can either be idmldap (the built in IdP) or ldap (when using keycloak).
+STALWART_AUTH_DIRECTORY=idmldap
-STALWART_DOMAIN=
+STALWART_DOMAIN=
+# LDAP config to use. Can either be idmldap (the built in IdP) or ldap (when using keycloak).
+STALWART_AUTH_DIRECTORY=idmldap
 ## IMPORTANT ##
 # This MUST be the last line as it assembles the supplemental compose files to be used.
 # ALL supplemental configs must be added here, whether commented or not.
 # Each var must either be empty or contain :path/file.yml
-COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${KEYCLOAK_AUTOPROVISIONING:-}${LDAP_MANAGER:-}${RADICALE:-}
+COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${KEYCLOAK_AUTOPROVISIONING:-}${LDAP_MANAGER:-}${RADICALE:-}${STALWART:-}
diff --git a/devtools/deployments/opencloud_full/config/keycloak/clients/groupware.json b/devtools/deployments/opencloud_full/config/keycloak/clients/groupware.json
@@ -0,0 +1,58 @@
+{
+  "clientId": "groupware",
+  "name": "OpenCloud Groupware",
+  "description": "Used for authenticating automated HTTP clients of the OpenCloud Groupware API",
+  "rootUrl": "",
+  "adminUrl": "",
+  "baseUrl": "",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "/*"
+  ],
+  "webOrigins": [
+    "/*"
+  ],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": true,
+  "protocol": "openid-connect",
+  "attributes": {
+    "oidc.ciba.grant.enabled": "false",
+    "backchannel.logout.session.required": "true",
+    "oauth2.device.authorization.grant.enabled": "false",
+    "backchannel.logout.revoke.offline.tokens": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "acr",
+    "profile",
+    "roles",
+    "groups",
+    "OpenCloudUnique_ID",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}
diff --git a/devtools/deployments/opencloud_full/config/ldap/ldif/11_ppolicy.ldif b/devtools/deployments/opencloud_full/config/ldap/ldif/11_ppolicy.ldif
@@ -0,0 +1,26 @@
+dn: ou=policies,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+objectClass: top
+ou: policies
+
+dn: cn=default,ou=policies,dc=opencloud,dc=eu
+cn: default
+objectClass: pwdPolicy
+objectClass: person
+objectClass: top
+pwdAllowUserChange: TRUE
+pwdAttribute: userPassword
+pwdCheckQuality: 0
+pwdExpireWarning: 600
+pwdFailureCountInterval: 30
+pwdGraceAuthNLimit: 5
+pwdInHistory: 5
+pwdLockout: FALSE
+pwdLockoutDuration: 0
+pwdMaxAge: 0
+pwdMaxFailure: 5
+pwdMinAge: 0
+pwdMinLength: 1
+pwdMustChange: FALSE
+pwdSafeModify: FALSE
+sn: default
diff --git a/devtools/deployments/opencloud_full/config/stalwart/README.md b/devtools/deployments/opencloud_full/config/stalwart/README.md
@@ -0,0 +1,21 @@
+# Stalwart Configuration
+
+The mechanics are currently to mount a different configuration file depending on the environment, as we support two scenarios that are described in [`services/groupware/DEVELOPER.md`](../../../../../services/groupware/DEVELOPER.md):
+
+ * &laquo;production&raquo; setup, with OpenLDAP and Keycloak containers
+ * &laquo;homelab&raquo; setup, with the built-in IDM (LDAP) and IDP that run as part of the `opencloud` container
+
+The Docker Compose setup (in [`stalwart.yml`](../../stalwart.yml)) mounts either [`idmldap.toml`](./idmldap.toml) or [`ldap.toml`](./ldap.toml) depending on how the variable `STALWART_AUTH_DIRECTORY` is set, which is either `idmldap` for the homelab setup, or `ldap` for the production setup.
+
+This is thus all done automatically, but whenever changes are performed to Stalwart configuration files, they must be reflected across those two files, to keep them in sync, as the only entry that should differ is this one:
+
+```ruby
+storage.directory = "ldap"
+```
+
+or this:
+
+```ruby
+storage.directory = "idmldap"
+```
+
diff --git a/devtools/deployments/opencloud_full/config/stalwart/config.toml b/devtools/deployments/opencloud_full/config/stalwart/config.toml
@@ -0,0 +1,110 @@
+authentication.fallback-admin.secret = "$6$4qPYDVhaUHkKcY7s$bB6qhcukb9oFNYRIvaDZgbwxrMa2RvF5dumCjkBFdX19lSNqrgKltf3aPrFMuQQKkZpK2YNuQ83hB1B3NiWzj."
+authentication.fallback-admin.user = "mailadmin"
+authentication.master.secret = "$6$4qPYDVhaUHkKcY7s$bB6qhcukb9oFNYRIvaDZgbwxrMa2RvF5dumCjkBFdX19lSNqrgKltf3aPrFMuQQKkZpK2YNuQ83hB1B3NiWzj."
+authentication.master.user = "master"
+directory.idmldap.attributes.class = "objectClass"
+directory.idmldap.attributes.description = "displayName"
+directory.idmldap.attributes.email = "mail"
+directory.idmldap.attributes.groups = "memberOf"
+directory.idmldap.attributes.name = "uid"
+directory.idmldap.attributes.secret = "userPassword"
+directory.idmldap.base-dn = "o=libregraph-idm"
+directory.idmldap.bind.auth.method = "default"
+directory.idmldap.bind.dn = "uid=reva,ou=sysusers,o=libregraph-idm"
+directory.idmldap.bind.secret = "admin"
+directory.idmldap.cache.size = 1048576
+directory.idmldap.cache.ttl.negative = "10m"
+directory.idmldap.cache.ttl.positive = "1h"
+directory.idmldap.filter.email = "(&(|(objectClass=person)(objectClass=groupOfNames))(mail=?))"
+directory.idmldap.filter.name = "(&(|(objectClass=person)(objectClass=groupOfNames))(uid=?))"
+directory.idmldap.timeout = "15s"
+directory.idmldap.tls.allow-invalid-certs = true
+directory.idmldap.tls.enable = true
+directory.idmldap.type = "ldap"
+directory.idmldap.url = "ldaps://opencloud:9235"
+directory.keycloak.auth.method = "user-token"
+directory.keycloak.cache.size = 1048576
+directory.keycloak.cache.ttl.negative = "10m"
+directory.keycloak.cache.ttl.positive = "1h"
+directory.keycloak.endpoint.method = "introspect"
+directory.keycloak.endpoint.url = "http://keycloak:8080/realms/openCloud/protocol/openid-connect/userinfo"
+directory.keycloak.fields.email = "email"
+directory.keycloak.fields.full-name = "name"
+directory.keycloak.fields.username = "preferred_username"
+directory.keycloak.timeout = "15s"
+directory.keycloak.type = "oidc"
+directory.ldap.attributes.class = "objectClass"
+directory.ldap.attributes.description = "displayName"
+directory.ldap.attributes.email = "mail"
+directory.ldap.attributes.email-alias = "mailAlias"
+directory.ldap.attributes.groups = "memberOf"
+directory.ldap.attributes.name = "uid"
+directory.ldap.attributes.secret = "userPassword"
+directory.ldap.attributes.secret-changed = "pwdChangedTime"
+directory.ldap.base-dn = "dc=opencloud,dc=eu"
+directory.ldap.bind.auth.dn = "cn=?,ou=users,dc=opencloud,dc=eu"
+directory.ldap.bind.auth.enable = true
+directory.ldap.bind.auth.search = true
+directory.ldap.bind.dn = "cn=admin,dc=opencloud,dc=eu"
+directory.ldap.bind.secret = "admin"
+directory.ldap.cache.ttl.negative = "10m"
+directory.ldap.cache.ttl.positive = "1h"
+directory.ldap.filter.email = "(&(|(objectClass=person)(objectClass=groupOfNames))(|(uid=?)(mail=?)(mailAlias=?)(cn=?)))"
+directory.ldap.filter.name = "(&(|(objectClass=person)(objectClass=groupOfNames))(|(uid=?)(cn=?)))"
+directory.ldap.timeout = "5s"
+directory.ldap.tls.allow-invalid-certs = true
+directory.ldap.tls.enable = true
+directory.ldap.type = "ldap"
+directory.ldap.url = "ldap://ldap-server:1389"
+http.allowed-endpoint = 200
+http.hsts = true
+http.permissive-cors = false
+http.url = "'https://' + config_get('server.hostname')"
+http.use-x-forwarded = true
+metrics.prometheus.auth.secret = "secret"
+metrics.prometheus.auth.username = "metrics"
+metrics.prometheus.enable = true
+server.listener.http.bind = "0.0.0.0:8080"
+server.listener.http.protocol = "http"
+server.listener.https.bind = "0.0.0.0:443"
+server.listener.https.protocol = "http"
+server.listener.https.tls.implicit = true
+server.listener.imap.bind = "0.0.0.0:143"
+server.listener.imap.protocol = "imap"
+server.listener.imaptls.bind = "0.0.0.0:993"
+server.listener.imaptls.protocol = "imap"
+server.listener.imaptls.tls.implicit = true
+server.listener.pop3.bind = "0.0.0.0:110"
+server.listener.pop3.protocol = "pop3"
+server.listener.pop3s.bind = "0.0.0.0:995"
+server.listener.pop3s.protocol = "pop3"
+server.listener.pop3s.tls.implicit = true
+server.listener.sieve.bind = "0.0.0.0:4190"
+server.listener.sieve.protocol = "managesieve"
+server.listener.smtp.bind = "0.0.0.0:25"
+server.listener.smtp.protocol = "smtp"
+server.listener.submission.bind = "0.0.0.0:587"
+server.listener.submission.protocol = "smtp"
+server.listener.submissions.bind = "0.0.0.0:465"
+server.listener.submissions.protocol = "smtp"
+server.listener.submissions.tls.implicit = true
+server.max-connections = 8192
+server.socket.backlog = 1024
+server.socket.nodelay = true
+server.socket.reuse-addr = true
+server.socket.reuse-port = true
+storage.blob = "rocksdb"
+storage.data = "rocksdb"
+storage.directory = "%{env:STALWART_AUTH_DIRECTORY}%"
+storage.fts = "rocksdb"
+storage.lookup = "rocksdb"
+store.rocksdb.compression = "lz4"
+store.rocksdb.path = "/opt/stalwart/data"
+store.rocksdb.type = "rocksdb"
+tracer.console.ansi = true
+tracer.console.buffered = true
+tracer.console.enable = true
+tracer.console.level = "trace"
+tracer.console.lossy = false
+tracer.console.multiline = false
+tracer.console.type = "stdout"