Groupware

.vscode/launch.json

@@ -76,6 +76,149 @@
         "OC_SERVICE_ACCOUNT_SECRET": "service-account-secret"
       }
     },
+    {
+      "name": "OpenCloud server with Groupware",
+      "type": "go",
+      "request": "launch",
+      "mode": "debug",
+      "buildFlags": [
+        // "-tags", "enable_vips"
+      ],
+      "program": "${workspaceFolder}/opencloud/cmd/opencloud",
+      "args": ["server"],
+      "env": {
+        // log settings for human developers
+        "OC_LOG_LEVEL": "info",
+        "OC_LOG_PRETTY": "true",
+        "OC_LOG_COLOR": "true",
+        // set insecure options because we don't have valid certificates in dev environments
+        "OC_INSECURE": "true",
+        // enable basic auth for dev setup so that we can use curl for testing
+        "PROXY_ENABLE_BASIC_AUTH": "true",
+        // demo users
+        "IDM_CREATE_DEMO_USERS": "true",
+        // OC_RUN_SERVICES allows to start a subset of services even in the supervised mode
+        //"OC_RUN_SERVICES": "settings,storage-system,graph,idp,idm,ocs,store,thumbnails,web,webdav,frontend,gateway,users,groups,auth-basic,storage-authmachine,storage-users,storage-shares,storage-publiclink,storage-system,app-provider,sharing,proxy,ocdav",
+
+        /*
+         * Keep secrets and passwords in one block to allow easy uncommenting
+         */
+        // user id of "admin", for user creation and admin role assignement
+        "OC_ADMIN_USER_ID": "some-admin-user-id-0000-000000000000", // FIXME currently must have the length of a UUID, see reva/pkg/storage/utils/decomposedfs/spaces.go:228
+        // admin user default password
+        "IDM_ADMIN_PASSWORD": "admin",
+        // system user
+        "OC_SYSTEM_USER_ID": "some-system-user-id-000-000000000000", // FIXME currently must have the length of a UUID, see reva/pkg/storage/utils/decomposedfs/spaces.go:228
+        "OC_SYSTEM_USER_API_KEY": "some-system-user-machine-auth-api-key",
+        // set some hardcoded secrets
+        "OC_JWT_SECRET": "some-opencloud-jwt-secret",
+        "OC_MACHINE_AUTH_API_KEY": "some-opencloud-machine-auth-api-key",
+        "OC_TRANSFER_SECRET": "some-opencloud-transfer-secret",
+        // collaboration
+        "COLLABORATION_WOPIAPP_SECRET": "some-wopi-secret",
+        // idm ldap
+        "IDM_SVC_PASSWORD": "some-ldap-idm-password",
+        "GRAPH_LDAP_BIND_PASSWORD": "some-ldap-idm-password",
+        // reva ldap
+        "IDM_REVASVC_PASSWORD": "some-ldap-reva-password",
+        "GROUPS_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
+        "USERS_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
+        "AUTH_BASIC_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
+        // idp ldap
+        "IDM_IDPSVC_PASSWORD": "some-ldap-idp-password",
+        "IDP_LDAP_BIND_PASSWORD": "some-ldap-idp-password",
+        // storage users mount ID
+        "GATEWAY_STORAGE_USERS_MOUNT_ID": "storage-users-1",
+        "STORAGE_USERS_MOUNT_ID": "storage-users-1",
+        // graph application ID
+        "GRAPH_APPLICATION_ID": "application-1",
+
+        // service accounts
+        "OC_SERVICE_ACCOUNT_ID": "service-account-id",
+        "OC_SERVICE_ACCOUNT_SECRET": "service-account-secret",
+
+        "OC_ADD_RUN_SERVICES": "auth-api,groupware",
+        "GROUPWARE_LOG_LEVEL": "trace",
+
+        "GROUPWARE_JMAP_MASTER_USERNAME": "master",
+        "GROUPWARE_JMAP_MASTER_PASSWORD": "admin",
+
+        "AUTHAPI_HTTP_ADDR": "0.0.0.0:10000",
+        "AUTHAPI_AUTH_REQUIRE_SHARED_SECRET": "true",
+        "AUTHAPI_AUTH_SHARED_SECRETS": "stalwart=maethaR9eiXaiph8ahn8ohH6dahPiequ;unused=eeyaigh6hae1zo5ahGeete6oohaiquei",
+
+        "WEB_ASSET_CORE_PATH": "${workspaceFolder}/../web/dist",
+        "WEB_UI_CONFIG_FILE": "${workspaceFolder}/../web/dev/docker/opencloud.web.config.json",
+        "FRONTEND_GROUPWARE_ENABLED": "true"
+      }
+    },
+    {
+      "name": "OpenCloud server with external services",
+      "type": "go",
+      "request": "launch",
+      "mode": "debug",
+      "buildFlags": [
+        // "-tags", "enable_vips"
+      ],
+      "program": "${workspaceFolder}/opencloud/cmd/opencloud",
+      "args": ["server"],
+      "env": {
+        "OC_URL": "https://localhost:9200/",
+        "PROXY_DEBUG_ADDR": "0.0.0.0:9205",
+        "OC_BASE_DATA_PATH": "${env:HOME}/.opencloud-with-external",
+        "OC_CONFIG_DIR": "${env:HOME}/.opencloud-with-external/config",
+        "GROUPWARE_LOG_LEVEL": "trace",
+        "OC_LOG_LEVEL": "info",
+        "OC_LOG_PRETTY": "true",
+        "OC_LOG_COLOR": "true",
+        "OC_INSECURE": "true",
+        "PROXY_ENABLE_BASIC_AUTH": "false",
+        "IDM_CREATE_DEMO_USERS": "false",
+        "OC_LDAP_URI": "ldaps://localhost:636",
+        "OC_LDAP_INSECURE": "true",
+        "OC_LDAP_BIND_DN": "cn=admin,dc=opencloud,dc=eu",
+        "OC_LDAP_BIND_PASSWORD": "admin",
+        "OC_LDAP_GROUP_BASE_DN": "ou=groups,dc=opencloud,dc=eu",
+        "OC_LDAP_GROUP_SCHEMA_ID": "entryUUID",
+        "OC_LDAP_USER_BASE_DN": "ou=users,dc=opencloud,dc=eu",
+        "OC_LDAP_USER_FILTER": "(objectclass=inetOrgPerson)",
+        "OC_LDAP_USER_SCHEMA_ID": "entryUUID",
+        "OC_LDAP_DISABLE_USER_MECHANISM": "none",
+        "OC_LDAP_SERVER_WRITE_ENABLED": "false",
+        "OC_EXCLUDE_RUN_SERVICES": "idm",
+        "OC_ADD_RUN_SERVICES": "notifications,groupware",
+        "NATS_NATS_HOST": "0.0.0.0",
+        "NATS_NATS_PORT": "9233",
+        "FRONTEND_ARCHIVER_MAX_SIZE": "10000000000",
+        "MICRO_REGISTRY_ADDRESS": "127.0.0.1:9233",
+        "NOTIFICATIONS_SMTP_HOST": "localhost",
+        "NOTIFICATIONS_SMTP_PORT": "2500",
+        "NOTIFICATIONS_SMTP_SENDER": "OpenCloud notifications <notifications@cloud.opencloud.test>",
+        "NOTIFICATIONS_SMTP_USERNAME": "notifications@cloud.opencloud.test",
+        "NOTIFICATIONS_SMTP_INSECURE": "true",
+        "NOTIFICATIONS_SMTP_PASSWORD": "",
+        "NOTIFICATIONS_SMTP_AUTHENTICATION": "",
+        "NOTIFICATIONS_SMTP_ENCRYPTION": "none",
+        "PROXY_AUTOPROVISION_ACCOUNTS": "false",
+        "PROXY_ROLE_ASSIGNMENT_DRIVER": "oidc",
+        "OC_OIDC_ISSUER": "https://keycloak.opencloud.test/realms/openCloud",
+        "PROXY_OIDC_REWRITE_WELLKNOWN": "true",
+        "WEB_OIDC_CLIENT_ID": "web",
+        "PROXY_USER_OIDC_CLAIM": "uuid",
+        "PROXY_USER_CS3_CLAIM": "userid",
+        "WEB_OPTION_ACCOUNT_EDIT_LINK_HREF": "https://keycloak.opencloud.test/realms/openCloud/account",
+        "OC_ADMIN_USER_ID": "",
+        "SETTINGS_SETUP_DEFAULT_ASSIGNMENTS": "false",
+        "GRAPH_ASSIGN_DEFAULT_USER_ROLE": "false",
+        "GRAPH_USERNAME_MATCH": "none",
+        "KEYCLOAK_DOMAIN": "keycloak.opencloud.test",
+        "IDM_ADMIN_PASSWORD": "admin",
+        "GRAPH_LDAP_SERVER_UUID": "true",
+        "GRAPH_LDAP_GROUP_CREATE_BASE_DN": "ou=custom,ou=groups,dc=opencloud,dc=eu",
+        "GRAPH_LDAP_REFINT_ENABLED": "true",
+        "GATEWAY_GRPC_ADDR": "0.0.0.0:9142",
+      }
+    },
     {
       "name": "Fed OpenCloud server",
       "type": "go",

Makefile

@@ -27,6 +27,7 @@ OC_MODULES = \
 	services/app-provider \
 	services/app-registry \
 	services/audit \
+	services/auth-api \
 	services/auth-app \
 	services/auth-basic \
 	services/auth-bearer \
@@ -39,6 +40,7 @@ OC_MODULES = \
 	services/gateway \
 	services/graph \
 	services/groups \
+	services/groupware \
 	services/idm \
 	services/idp \
 	services/invitations \

devtools/deployments/opencloud_full/.env

@@ -305,8 +305,21 @@ KEYCLOAK_ADMIN_PASSWORD=
 # Leaving it default stores data in docker internal volumes.
 #RADICALE_DATA_DIR=/your/local/radicale/data
 
+### Stalwart Settings ###
+# Note: the leading colon is required to enable the service.
+#STALWART=:stalwart.yml
+# Domain of Stalwart
+# Defaults to "stalwart.opencloud.test"
+STALWART_DOMAIN=
+# LDAP configuration to use for Stalwart:
+# Can either be either
+# - idmldap: for the built-in IDP/IDM, using Master Authentication between Groupware and Stalwart, and LDAP in Stalwart
+# - idmoidc: built-in IDP/IDM, using OIDC Userinfo between Groupware and Stalwart
+# - ldap: when using KeyCloak and OpenLDAP, with Master Authentication between Groupware and Stalwart, and LDAP in Stalwart
+STALWART_AUTH_DIRECTORY=idmldap
+
 ## IMPORTANT ##
 # This MUST be the last line as it assembles the supplemental compose files to be used.
 # ALL supplemental configs must be added here, whether commented or not.
 # Each var must either be empty or contain :path/file.yml
-COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${KEYCLOAK_AUTOPROVISIONING:-}${LDAP_MANAGER:-}${RADICALE:-}
+COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${KEYCLOAK_AUTOPROVISIONING:-}${LDAP_MANAGER:-}${RADICALE:-}${STALWART:-}

devtools/deployments/opencloud_full/config/ldap/ldif/11_ppolicy.ldif

@@ -0,0 +1,26 @@
+dn: ou=policies,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+objectClass: top
+ou: policies
+
+dn: cn=default,ou=policies,dc=opencloud,dc=eu
+cn: default
+objectClass: pwdPolicy
+objectClass: person
+objectClass: top
+pwdAllowUserChange: TRUE
+pwdAttribute: userPassword
+pwdCheckQuality: 0
+pwdExpireWarning: 600
+pwdFailureCountInterval: 30
+pwdGraceAuthNLimit: 5
+pwdInHistory: 5
+pwdLockout: FALSE
+pwdLockoutDuration: 0
+pwdMaxAge: 0
+pwdMaxFailure: 5
+pwdMinAge: 0
+pwdMinLength: 1
+pwdMustChange: FALSE
+pwdSafeModify: FALSE
+sn: default

devtools/deployments/opencloud_full/config/stalwart/README.md

@@ -0,0 +1,21 @@
+# Stalwart Configuration
+
+The mechanics are currently to mount a different configuration file depending on the environment, as we support two scenarios that are described in [`services/groupware/DEVELOPER.md`](../../../../../services/groupware/DEVELOPER.md):
+
+ * «production» setup, with OpenLDAP and Keycloak containers
+ * «homelab» setup, with the built-in IDM (LDAP) and IDP that run as part of the `opencloud` container
+
+The Docker Compose setup (in [`stalwart.yml`](../../stalwart.yml)) mounts either [`idmldap.toml`](./idmldap.toml) or [`ldap.toml`](./ldap.toml) depending on how the variable `STALWART_AUTH_DIRECTORY` is set, which is either `idmldap` for the homelab setup, or `ldap` for the production setup.
+
+This is thus all done automatically, but whenever changes are performed to Stalwart configuration files, they must be reflected across those two files, to keep them in sync, as the only entry that should differ is this one:
+
+```ruby
+storage.directory = "ldap"
+```
+
+or this:
+
+```ruby
+storage.directory = "idmldap"
+```
+

devtools/deployments/opencloud_full/config/stalwart/config.toml

@@ -0,0 +1,110 @@
+authentication.fallback-admin.secret = "$6$4qPYDVhaUHkKcY7s$bB6qhcukb9oFNYRIvaDZgbwxrMa2RvF5dumCjkBFdX19lSNqrgKltf3aPrFMuQQKkZpK2YNuQ83hB1B3NiWzj."
+authentication.fallback-admin.user = "mailadmin"
+authentication.master.secret = "$6$4qPYDVhaUHkKcY7s$bB6qhcukb9oFNYRIvaDZgbwxrMa2RvF5dumCjkBFdX19lSNqrgKltf3aPrFMuQQKkZpK2YNuQ83hB1B3NiWzj."
+authentication.master.user = "master"
+directory.idmldap.attributes.class = "objectClass"
+directory.idmldap.attributes.description = "displayName"
+directory.idmldap.attributes.email = "mail"
+directory.idmldap.attributes.groups = "memberOf"
+directory.idmldap.attributes.name = "uid"
+directory.idmldap.attributes.secret = "userPassword"
+directory.idmldap.base-dn = "o=libregraph-idm"
+directory.idmldap.bind.auth.method = "default"
+directory.idmldap.bind.dn = "uid=reva,ou=sysusers,o=libregraph-idm"
+directory.idmldap.bind.secret = "admin"
+directory.idmldap.cache.size = 1048576
+directory.idmldap.cache.ttl.negative = "10m"
+directory.idmldap.cache.ttl.positive = "1h"
+directory.idmldap.filter.email = "(&(|(objectClass=person)(objectClass=groupOfNames))(mail=?))"
+directory.idmldap.filter.name = "(&(|(objectClass=person)(objectClass=groupOfNames))(uid=?))"
+directory.idmldap.timeout = "15s"
+directory.idmldap.tls.allow-invalid-certs = true
+directory.idmldap.tls.enable = true
+directory.idmldap.type = "ldap"
+directory.idmldap.url = "ldaps://opencloud:9235"
+directory.keycloak.auth.method = "user-token"
+directory.keycloak.cache.size = 1048576
+directory.keycloak.cache.ttl.negative = "10m"
+directory.keycloak.cache.ttl.positive = "1h"
+directory.keycloak.endpoint.method = "introspect"
+directory.keycloak.endpoint.url = "http://keycloak:8080/realms/openCloud/protocol/openid-connect/userinfo"
+directory.keycloak.fields.email = "email"
+directory.keycloak.fields.full-name = "name"
+directory.keycloak.fields.username = "preferred_username"
+directory.keycloak.timeout = "15s"
+directory.keycloak.type = "oidc"
+directory.ldap.attributes.class = "objectClass"
+directory.ldap.attributes.description = "displayName"
+directory.ldap.attributes.email = "mail"
+directory.ldap.attributes.email-alias = "mailAlias"
+directory.ldap.attributes.groups = "memberOf"
+directory.ldap.attributes.name = "uid"
+directory.ldap.attributes.secret = "userPassword"
+directory.ldap.attributes.secret-changed = "pwdChangedTime"
+directory.ldap.base-dn = "dc=opencloud,dc=eu"
+directory.ldap.bind.auth.dn = "cn=?,ou=users,dc=opencloud,dc=eu"
+directory.ldap.bind.auth.enable = true
+directory.ldap.bind.auth.search = true
+directory.ldap.bind.dn = "cn=admin,dc=opencloud,dc=eu"
+directory.ldap.bind.secret = "admin"
+directory.ldap.cache.ttl.negative = "10m"
+directory.ldap.cache.ttl.positive = "1h"
+directory.ldap.filter.email = "(&(|(objectClass=person)(objectClass=groupOfNames))(|(uid=?)(mail=?)(mailAlias=?)(cn=?)))"
+directory.ldap.filter.name = "(&(|(objectClass=person)(objectClass=groupOfNames))(|(uid=?)(cn=?)))"
+directory.ldap.timeout = "5s"
+directory.ldap.tls.allow-invalid-certs = true
+directory.ldap.tls.enable = true
+directory.ldap.type = "ldap"
+directory.ldap.url = "ldap://ldap-server:1389"
+http.allowed-endpoint = 200
+http.hsts = true
+http.permissive-cors = false
+http.url = "'https://' + config_get('server.hostname')"
+http.use-x-forwarded = true
+metrics.prometheus.auth.secret = "secret"
+metrics.prometheus.auth.username = "metrics"
+metrics.prometheus.enable = true
+server.listener.http.bind = "0.0.0.0:8080"
+server.listener.http.protocol = "http"
+server.listener.https.bind = "0.0.0.0:443"
+server.listener.https.protocol = "http"
+server.listener.https.tls.implicit = true
+server.listener.imap.bind = "0.0.0.0:143"
+server.listener.imap.protocol = "imap"
+server.listener.imaptls.bind = "0.0.0.0:993"
+server.listener.imaptls.protocol = "imap"
+server.listener.imaptls.tls.implicit = true
+server.listener.pop3.bind = "0.0.0.0:110"
+server.listener.pop3.protocol = "pop3"
+server.listener.pop3s.bind = "0.0.0.0:995"
+server.listener.pop3s.protocol = "pop3"
+server.listener.pop3s.tls.implicit = true
+server.listener.sieve.bind = "0.0.0.0:4190"
+server.listener.sieve.protocol = "managesieve"
+server.listener.smtp.bind = "0.0.0.0:25"
+server.listener.smtp.protocol = "smtp"
+server.listener.submission.bind = "0.0.0.0:587"
+server.listener.submission.protocol = "smtp"
+server.listener.submissions.bind = "0.0.0.0:465"
+server.listener.submissions.protocol = "smtp"
+server.listener.submissions.tls.implicit = true
+server.max-connections = 8192
+server.socket.backlog = 1024
+server.socket.nodelay = true
+server.socket.reuse-addr = true
+server.socket.reuse-port = true
+storage.blob = "rocksdb"
+storage.data = "rocksdb"
+storage.directory = "%{env:STALWART_AUTH_DIRECTORY}%"
+storage.fts = "rocksdb"
+storage.lookup = "rocksdb"
+store.rocksdb.compression = "lz4"
+store.rocksdb.path = "/opt/stalwart/data"
+store.rocksdb.type = "rocksdb"
+tracer.console.ansi = true
+tracer.console.buffered = true
+tracer.console.enable = true
+tracer.console.level = "trace"
+tracer.console.lossy = false
+tracer.console.multiline = false
+tracer.console.type = "stdout"