package defaults import ( "net/http" "path/filepath" "strings" "github.com/qsfera/server/pkg/config/defaults" "github.com/qsfera/server/pkg/shared" "github.com/qsfera/server/pkg/structs" "github.com/qsfera/server/services/idp/pkg/config" ) // FullDefaultConfig returns a fully initialized default configuration func FullDefaultConfig() *config.Config { cfg := DefaultConfig() EnsureDefaults(cfg) Sanitize(cfg) return cfg } // DefaultConfig returns a basic default configuration func DefaultConfig() *config.Config { return &config.Config{ Debug: config.Debug{ Addr: "127.0.0.1:9134", }, HTTP: config.HTTP{ Addr: "127.0.0.1:9130", Root: "/", Namespace: "qsfera.web", TLSCert: filepath.Join(defaults.BaseDataPath(), "idp", "server.crt"), TLSKey: filepath.Join(defaults.BaseDataPath(), "idp", "server.key"), TLS: false, }, Reva: shared.DefaultRevaConfig(), Service: config.Service{ Name: "idp", }, IDP: config.Settings{ Iss: "https://localhost:9200", IdentityManager: "ldap", URIBasePath: "", SignInURI: "", SignedOutURI: "", AuthorizationEndpointURI: "", EndsessionEndpointURI: "", Insecure: false, TrustedProxy: nil, AllowScope: nil, AllowClientGuests: false, AllowDynamicClientRegistration: false, EncryptionSecretFile: filepath.Join(defaults.BaseDataPath(), "idp", "encryption.key"), Listen: "", IdentifierClientDisabled: true, IdentifierClientPath: filepath.Join(defaults.BaseDataPath(), "idp"), IdentifierRegistrationConf: filepath.Join(defaults.BaseDataPath(), "idp", "tmp", "identifier-registration.yaml"), IdentifierScopesConf: "", IdentifierDefaultBannerLogo: "", IdentifierDefaultSignInPageText: "", IdentifierDefaultLogoTargetURI: "", IdentifierDefaultUsernameHintText: "", SigningKid: "private-key", SigningMethod: "PS256", SigningPrivateKeyFiles: []string{filepath.Join(defaults.BaseDataPath(), "idp", "private-key.pem")}, ValidationKeysPath: "", CookieBackendURI: "", CookieNames: nil, CookieSameSite: http.SameSiteStrictMode, AccessTokenDurationSeconds: 60 * 5, // 5 minutes IDTokenDurationSeconds: 60 * 5, // 5 minutes RefreshTokenDurationSeconds: 60 * 60 * 24 * 30, // 30 days DynamicClientSecretDurationSeconds: 0, }, Clients: []config.Client{ { ID: "web", Name: "КуСфера Web App", Trusted: true, RedirectURIs: []string{ "{{OC_URL}}/", "{{OC_URL}}/oidc-callback.html", "{{OC_URL}}/oidc-silent-redirect.html", }, Origins: []string{ "{{OC_URL}}", }, }, { ID: "QsferaDesktop", Name: "КуСфера Desktop Client", ApplicationType: "native", RedirectURIs: []string{ "http://127.0.0.1", "http://localhost", }, }, { ID: "QsferaAndroid", Name: "КуСфера Android App", ApplicationType: "native", RedirectURIs: []string{ "oc://android.qsfera.eu", }, PostLogoutRedirectURIs: []string{ "oc://android.qsfera.eu", }, }, { ID: "QsferaIOS", Name: "КуСфера iOS App", ApplicationType: "native", RedirectURIs: []string{ "oc://ios.qsfera.eu", }, PostLogoutRedirectURIs: []string{ "oc://ios.qsfera.eu", }, }, }, Ldap: config.Ldap{ URI: "ldaps://localhost:9235", TLSCACert: filepath.Join(defaults.BaseDataPath(), "idm", "ldap.crt"), BindDN: "uid=idp,ou=sysusers,o=libregraph-idm", BaseDN: "ou=users,o=libregraph-idm", Scope: "sub", LoginAttribute: "uid", EmailAttribute: "mail", NameAttribute: "displayName", UUIDAttribute: "qsferaUUID", UUIDAttributeType: "text", Filter: "", ObjectClass: "inetOrgPerson", UserEnabledAttribute: "qsferaUserEnabled", }, } } // EnsureDefaults adds default values to the configuration if they are not set yet func EnsureDefaults(cfg *config.Config) { if cfg.LogLevel == "" { cfg.LogLevel = "error" } if cfg.Reva == nil && cfg.Commons != nil { cfg.Reva = structs.CopyOrZeroValue(cfg.Commons.Reva) } if cfg.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" { cfg.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey } } // Sanitize sanitizes the configuration func Sanitize(cfg *config.Config) { // sanitize config if cfg.HTTP.Root != "/" { cfg.HTTP.Root = strings.TrimSuffix(cfg.HTTP.Root, "/") } }