Merge branch 'master' into ocis-init

.drone.env

@@ -1,5 +1,5 @@
 # The test runner source for API tests
-CORE_COMMITID=8f4783aa71a2fd6e863b2a4534fc697d5455bc45
+CORE_COMMITID=f73c5f6086921d858d19c1013f1cbf762c8e27dd
 CORE_BRANCH=master
 
 # The test runner source for UI tests

.drone.star

@@ -18,7 +18,7 @@ OC_CI_NODEJS = "owncloudci/nodejs:%s"
 OC_CI_PHP = "owncloudci/php:%s"
 OC_CI_WAIT_FOR = "owncloudci/wait-for:latest"
 OC_CS3_API_VALIDATOR = "owncloud/cs3api-validator:latest"
-OC_OC_TEST_MIDDLEWARE = "owncloud/owncloud-test-middleware:1.5.0"
+OC_OC_TEST_MIDDLEWARE = "owncloud/owncloud-test-middleware:1.6.0"
 OC_SERVER = "owncloud/server:10"
 OC_UBUNTU = "owncloud/ubuntu:18.04"
 OSIXIA_OPEN_LDAP = "osixia/openldap:latest"
@@ -698,7 +698,7 @@ def uiTestPipeline(ctx, filterTags, early_fail, runPart = 1, numberOfParts = 1,
             "arch": "amd64",
         },
         "steps": skipIfUnchanged(ctx, "acceptance-tests") + restoreBuildArtifactCache(ctx, "ocis-binary-amd64", "ocis/bin/ocis") +
-                 ocisServerWithAccounts(storage, accounts_hash_difficulty, [stepVolumeOC10Tests]) + waitForSeleniumService() + waitForMiddlewareService() + [
+                 ocisServer(storage, accounts_hash_difficulty, [stepVolumeOC10Tests]) + waitForSeleniumService() + waitForMiddlewareService() + [
             {
                 "name": "webUITests",
                 "image": OC_CI_NODEJS % DEFAULT_NODEJS_VERSION,
@@ -1838,6 +1838,7 @@ def middlewareService():
             "REMOTE_UPLOAD_DIR": "/uploads",
             "NODE_TLS_REJECT_UNAUTHORIZED": "0",
             "MIDDLEWARE_HOST": "middleware",
+            "TEST_WITH_GRAPH_API": "true",
         },
         "volumes": [{
             "name": "uploads",

CHANGELOG.md

@@ -6,15 +6,25 @@ The following sections list the changes for unreleased.
 
 ## Summary
 
+* Bugfix - Idp: Check if CA certificate if present: [#3623](https://github.com/owncloud/ocis/issues/3623)
 * Bugfix - Return proper errors when ocs/cloud/users is using the cs3 backend: [#3483](https://github.com/owncloud/ocis/issues/3483)
 * Bugfix - URL encode the webdav url in the graph API: [#3597](https://github.com/owncloud/ocis/pull/3597)
 * Change - Load configuration files just from one directory: [#3587](https://github.com/owncloud/ocis/pull/3587)
+* Change - Switched default configuration to use libregraph/idm: [#3331](https://github.com/owncloud/ocis/pull/3331)
 * Enhancement - Add capability for public link single file edit: [#6787](https://github.com/owncloud/web/pull/6787)
 * Enhancement - Update linkshare capabilities: [#3579](https://github.com/owncloud/ocis/pull/3579)
 * Enhancement - Update reva to v2.x.x: [#3552](https://github.com/owncloud/ocis/pull/3552)
 
 ## Details
 
+* Bugfix - Idp: Check if CA certificate if present: [#3623](https://github.com/owncloud/ocis/issues/3623)
+
+   Upon first start with the default configurtation the idm service creates a server
+   certificate, that might not be finished before the idp service is starting. Add a check to idp
+   similar to what the user, group, and auth-providers implement.
+
+   https://github.com/owncloud/ocis/issues/3623
+
 * Bugfix - Return proper errors when ocs/cloud/users is using the cs3 backend: [#3483](https://github.com/owncloud/ocis/issues/3483)
 
    The ocs API was just exiting with a fatal error on any update request, when configured for the cs3
@@ -42,6 +52,15 @@ The following sections list the changes for unreleased.
 
    https://github.com/owncloud/ocis/pull/3587
 
+* Change - Switched default configuration to use libregraph/idm: [#3331](https://github.com/owncloud/ocis/pull/3331)
+
+   We switched the default configuration of oCIS to use the "idm" service (based on
+   libregraph/idm) as the standard source for user and group information. The accounts and
+   glauth services are no longer enabled by default and will be removed with an upcoming release.
+
+   https://github.com/owncloud/ocis/pull/3331
+   https://github.com/owncloud/ocis/pull/3633
+
 * Enhancement - Add capability for public link single file edit: [#6787](https://github.com/owncloud/web/pull/6787)
 
    It is now possible to share a single file by link with edit permissions. Therefore we need a

changelog/unreleased/idp-cert-wait.md

@@ -0,0 +1,8 @@
+Bugfix: idp: Check if CA certificate if present
+
+Upon first start with the default configurtation the idm service creates
+a server certificate, that might not be finished before the idp service
+is starting. Add a check to idp similar to what the user, group, and
+auth-providers implement.
+
+https://github.com/owncloud/ocis/issues/3623

changelog/unreleased/libregraph-idm-switch.md

@@ -0,0 +1,9 @@
+Change: Switched default configuration to use libregraph/idm
+
+We switched the default configuration of oCIS to use the "idm" service (based
+on libregraph/idm) as the standard source for user and group information. The
+accounts and glauth services are no longer enabled by default and will be
+removed with an upcoming release.
+
+https://github.com/owncloud/ocis/pull/3331
+https://github.com/owncloud/ocis/pull/3633

docs/extensions/idm/_index.md

@@ -22,8 +22,8 @@ of the LDAP tree is `o=libregraph-idm`. IDM gives LDAP write permissions to a si
 [boltdb](https://github.com/etcd-io/bbolt) file `idm/ocis.boltdb` inside the oCIS base data directory.
 
 Note: IDM is limited in its functionality. It only supports a subset of the LDAP operations (namely BIND, SEARCH, ADD, MODIFY, DELETE).
-Also IDM currently does not do any Schema Verification (e.g. structural vs. auxiliary Objectclasses, require and option Attributes,
-Syntax Checks, ...). So it's not meant as a general purpose LDAP server.
+Also IDM currently does not do any schema verification (e.g. structural vs. auxiliary object classes, require and option attributes,
+syntax checks, ...). So it's not meant as a general purpose LDAP server.
 
 ## Table of Contents
 

docs/extensions/idm/configuration_hints.md

@@ -22,7 +22,7 @@ in a separate subtree. The base DN of that subtree is:
 `ou=sysusers,o=libregraph-idm`. The service users are:
 
 * `uid=libregraph,ou=sysusers,o=libregraph-idm`: This is the only user with write
-  access to the LDAP tree. It is used by the Graph service to lookup, create, delete and
+  access to the LDAP tree. It is used by the Graph service to look up, create, delete and
   modify users and groups.
 * `uid=idp,ou=sysusers,o=libregraph-idm`: This user is used by the IDP service to
   perform user lookups for authentication.
@@ -40,8 +40,8 @@ command line clients. To e.g. list all users, this command can be used:
 ldapsearch -x -H ldaps://127.0.0.1:9235 -x -D uid=libregraph,ou=sysusers,o=libregraph-idm -w idm -b o=libregraph-idm objectclass=inetorgperson
 ```
 
-When using the default configuration with the self-signed server certificate
-you might need to switch off the Certificate Validation using `LDAPTL_REQCERT` env
+When using the default configuration with the self-signed server certificate,
+you might need to switch off the certificate validation using the `LDAPTL_REQCERT` env
 variable:
 
 ```

extensions/idp/pkg/service/v0/service.go

@@ -22,6 +22,7 @@ import (
 	"github.com/owncloud/ocis/extensions/idp/pkg/assets"
 	"github.com/owncloud/ocis/extensions/idp/pkg/config"
 	"github.com/owncloud/ocis/extensions/idp/pkg/middleware"
+	"github.com/owncloud/ocis/ocis-pkg/ldap"
 	"github.com/owncloud/ocis/ocis-pkg/log"
 	"stash.kopano.io/kgol/rndm"
 )
@@ -41,6 +42,14 @@ func NewService(opts ...Option) Service {
 		assets.Config(options.Config),
 	)
 
+	if err := ldap.WaitForCA(options.Logger, options.Config.IDP.Insecure, options.Config.Ldap.TLSCACert); err != nil {
+		logger.Fatal().Err(err).Msg("The configured LDAP CA cert does not exist")
+	}
+	if options.Config.IDP.Insecure {
+		// force CACert to be empty to avoid lico try to load it
+		options.Config.Ldap.TLSCACert = ""
+	}
+
 	if err := initLicoInternalEnvVars(&options.Config.Ldap); err != nil {
 		logger.Fatal().Err(err).Msg("could not initialize env vars")
 	}
@@ -56,7 +65,6 @@ func NewService(opts ...Option) Service {
 
 	// https://play.golang.org/p/Mh8AVJCd593
 	idpSettings := bootstrap.Settings(options.Config.IDP)
-
 	bs, err := bootstrap.Boot(ctx, &idpSettings, &licoconfig.Config{
 		Logger: log.LogrusWrap(logger),
 	})

extensions/web/pkg/config/defaults/defaultconfig.go

@@ -48,7 +48,7 @@ func DefaultConfig() *config.Config {
 					ResponseType: "code",
 					Scope:        "openid profile email",
 				},
-				Apps: []string{"files", "search", "preview", "text-editor", "pdf-viewer", "external"},
+				Apps: []string{"files", "search", "preview", "text-editor", "pdf-viewer", "external", "user-management"},
 			},
 		},
 	}

extensions/web/pkg/service/v0/service.go

@@ -85,10 +85,6 @@ func (p Web) getPayload() (payload []byte, err error) {
 					ID:   "settings",
 					Path: "/settings.js",
 				},
-				{
-					ID:   "accounts",
-					Path: "/accounts.js",
-				},
 			}
 		}
 

tests/acceptance/expected-failures-API-on-OCIS-storage.md

@@ -1798,7 +1798,7 @@ Not everything needs to be implemented for ocis. While the oc10 testsuite covers
 
 #### [Incorrect response while listing resources of a folder with depth infinity](https://github.com/owncloud/ocis/issues/3073)
 
-- [apiWebdavOperations/listFiles.feature:180](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/listFiles.feature#L180)
+- [apiWebdavOperations/listFiles.feature:182](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/listFiles.feature#L182)
 
 ### [[spaces webdav] upload to a share that was locked by owner ends with status code 409](https://github.com/owncloud/ocis/issues/3128)
 
@@ -1815,9 +1815,9 @@ Not everything needs to be implemented for ocis. While the oc10 testsuite covers
 
 #### [can't access public link resources with spaces webdav API](https://github.com/owncloud/ocis/issues/3085)
 
-- [apiWebdavOperations/listFiles.feature:216](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/listFiles.feature#L216)
-- [apiWebdavOperations/listFiles.feature:254](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/listFiles.feature#L254)
-- [apiWebdavOperations/listFiles.feature:291](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/listFiles.feature#L291)
+- [apiWebdavOperations/listFiles.feature:218](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/listFiles.feature#L218)
+- [apiWebdavOperations/listFiles.feature:256](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/listFiles.feature#L256)
+- [apiWebdavOperations/listFiles.feature:294](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiWebdavOperations/listFiles.feature#L294)
 
 #### [OCS response is not returned when a disabled user tries to enable himself](https://github.com/owncloud/ocis/issues/3254)
 
@@ -1859,5 +1859,32 @@ Not everything needs to be implemented for ocis. While the oc10 testsuite covers
 #### [HTTP status code differ while deleting file of another user's trash bin](https://github.com/owncloud/ocis/issues/3544)
 - [apiTrashbin/trashbinDelete.feature:108](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinDelete.feature#L108)
 
+#### [Problem accessing trashbin with personal space id](https://github.com/owncloud/ocis/issues/3639)
+- [apiTrashbin/trashbinDelete.feature:35](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinDelete.feature#L35)
+- [apiTrashbin/trashbinDelete.feature:36](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinDelete.feature#L36)
+- [apiTrashbin/trashbinDelete.feature:58](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinDelete.feature#L58)
+- [apiTrashbin/trashbinDelete.feature:85](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinDelete.feature#L85)
+- [apiTrashbin/trashbinDelete.feature:130](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinDelete.feature#L130)
+- [apiTrashbin/trashbinDelete.feature:152](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinDelete.feature#L152)
+- [apiTrashbin/trashbinDelete.feature:177](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinDelete.feature#L177)
+- [apiTrashbin/trashbinDelete.feature:202](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinDelete.feature#L202)
+- [apiTrashbin/trashbinDelete.feature:239](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinDelete.feature#L239)
+- [apiTrashbin/trashbinDelete.feature:276](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinDelete.feature#L276)
+- [apiTrashbin/trashbinDelete.feature:324](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinDelete.feature#L324)
+- [apiTrashbin/trashbinFilesFolders.feature:25](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L25)
+- [apiTrashbin/trashbinFilesFolders.feature:41](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L41)
+- [apiTrashbin/trashbinFilesFolders.feature:59](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L59)
+- [apiTrashbin/trashbinFilesFolders.feature:80](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L80)
+- [apiTrashbin/trashbinFilesFolders.feature:99](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L99)
+- [apiTrashbin/trashbinFilesFolders.feature:135](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L135)
+- [apiTrashbin/trashbinFilesFolders.feature:158](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L158)
+- [apiTrashbin/trashbinFilesFolders.feature:313](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L313)
+- [apiTrashbin/trashbinFilesFolders.feature:314](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L314)
+- [apiTrashbin/trashbinFilesFolders.feature:315](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L315)
+- [apiTrashbin/trashbinFilesFolders.feature:334](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L334)
+- [apiTrashbin/trashbinFilesFolders.feature:354](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L354)
+- [apiTrashbin/trashbinFilesFolders.feature:408](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L408)
+- [apiTrashbin/trashbinFilesFolders.feature:445](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L445)
+
   Note: always have an empty line at the end of this file.
   The bash script that processes this file requires that the last line has a newline on the end.