Merge #3 Central customization setup

tsdicloud · tsdicloud · commit c8cd675c2908 · 2023-09-27T10:48:03.000Z
diff --git a/.github/README.md b/.github/README.md
@@ -0,0 +1,56 @@
+# MagentaCLOUD user_oidc
+
+Customisation of the Nextcloud delivered OpenID connect app for MagentaCLOUD.
+
+The app extends the standard `user_oidc` Nextcloud app,
+see [upstream configuration hints for basic setup](https://github.com/nextcloud/user_oidc/blob/main/README.md)
+
+
+## Feature: Event-based provisioning (upstream contribution candidate)
+The mechanism allows to implement custom puser provisioning logic in a separate Nextcloud app by
+registering and handling a attribute change and provisioning event:
+
+```
+use OCP\AppFramework\App;
+use OCP\AppFramework\Bootstrap\IBootContext;
+use OCP\AppFramework\Bootstrap\IBootstrap;
+use OCP\AppFramework\Bootstrap\IRegistrationContext;
+
+class Application extends App implements IBootstrap {
+...
+	public function register(IRegistrationContext $context): void {
+		$context->registerEventListener(AttributeMappedEvent::class, MyUserAttributeListener::class);
+		$context->registerEventListener(UserAccountChangeEvent::class, MyUserAccountChangeListener::class);
+	}
+...
+}
+```
+The provisioning handler should return a `OCA\UserOIDC\Event\UserAccountChangeResult` object
+
+## Feature: Telekom-specific bearer token
+
+Due to historic reason, Telekom bearer tokens have a close to standard structure, but
+require special security implementation in detail. The customisation overrides te standard
+
+
+### Requiring web-token libraries
+The central configuration branch `nmc/2372-central-setup` automatic merge will frequently fail if composer
+upstream 
+
+The fast and easy way to bring it back to sync with upstream is:
+```
+git checkout nmc/2372-central-setup
+git rebase --onto main nmc/2372-central-setup
+# manually take over everything from upstream for composer.lock (TODO: automate that)
+
+# ALWAYS update web-token dependencies in composer.lock
+# to avoid upstream conflicts. The lock file diff should only contain adds to upstream state!
+composer update "web-token/jwt-*"
+```
+
+
+### Configuring an additional Bearer preshared secret with provider
+TODO
+
+### Testing Bearer secrets
+TODO
diff --git a/COPYING.DTAG b/COPYING.DTAG
@@ -0,0 +1,5 @@
+Although this Nextcloud app code is free and available under the AGPL3 license, Deutsche Telekom 
+(including T-Systems) fully reserves all rights to the Telekom brand. To prevent users from getting confused about
+the source of a digital product or experience, there are stringent restrictions on using the Telekom brand and design,
+even when built into code that we provide. For any customization other than explicitly for Telekom or T-Systems, you must
+replace the Deutsche Telekom and T-Systems brand elements contained in the provided sources.
diff --git a/appinfo/routes.php b/appinfo/routes.php
@@ -29,8 +29,11 @@
 		['name' => 'login#code', 'url' => '/code', 'verb' => 'GET'],
 		['name' => 'login#singleLogoutService', 'url' => '/sls', 'verb' => 'GET'],
 		['name' => 'login#backChannelLogout', 'url' => '/backchannel-logout/{providerIdentifier}', 'verb' => 'POST'],
+		// compatibility with NMC V24 until reconfig on SAM
+		['name' => 'login#telekomBackChannelLogout', 'url' => '/logout', 'verb' => 'POST'],
 
-		['name' => 'api#createUser', 'url' => '/user', 'verb' => 'POST'],
+		// this is a security problem combined with Telekom provisioning, so we habe to disable the endpoint
+		// ['name' => 'api#createUser', 'url' => '/user', 'verb' => 'POST'],
 
 		['name' => 'id4me#showLogin', 'url' => '/id4me', 'verb' => 'GET'],
 		['name' => 'id4me#login', 'url' => '/id4me', 'verb' => 'POST'],
diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
@@ -33,7 +33,9 @@
 use OCA\UserOIDC\Listener\TimezoneHandlingListener;
 use OCA\UserOIDC\Service\ID4MeService;
 use OCA\UserOIDC\Service\SettingsService;
-use OCA\UserOIDC\User\Backend;
+use OCA\UserOIDC\Service\ProvisioningService;
+use OCA\UserOIDC\Service\ProvisioningEventService;
+use OCA\UserOIDC\MagentaBearer\MBackend;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
 use OCP\AppFramework\Bootstrap\IBootstrap;
@@ -44,6 +46,7 @@
 use OCP\IUserManager;
 use OCP\IUserSession;
 use Throwable;
+use Psr\Container\ContainerInterface;
 
 class Application extends App implements IBootstrap {
 	public const APP_ID = 'user_oidc';
@@ -57,11 +60,19 @@ public function __construct(array $urlParams = []) {
 	}
 
 	public function register(IRegistrationContext $context): void {
+		// Register the composer autoloader required for the added jwt-token libs
+		include_once __DIR__ . '/../../vendor/autoload.php';
+
+		// override registration of provisioning srevice to use event-based solution
+		$this->getContainer()->registerService(ProvisioningService::class, function (ContainerInterface $c): ProvisioningService {
+			return $c->get(ProvisioningEventService::class);
+		});
+
 		/** @var IUserManager $userManager */
 		$userManager = $this->getContainer()->get(IUserManager::class);
 
 		/* Register our own user backend */
-		$this->backend = $this->getContainer()->get(Backend::class);
+		$this->backend = $this->getContainer()->get(MBackend::class);
 		$userManager->registerBackend($this->backend);
 		OC_User::useBackend($this->backend);
 
diff --git a/tests/bootstrap.php b/tests/bootstrap.php
@@ -26,6 +26,7 @@
 require_once __DIR__.'/../vendor/autoload.php';
 
 \OC::$loader->addValidRoot(OC::$SERVERROOT . '/tests');
+\OC::$composerAutoloader->addPsr4('OCA\\UserOIDC\\BaseTest\\', dirname(__FILE__) . '/unit/MagentaCloud/', true);
 \OC_App::loadApp('user_oidc');
 
 OC_Hook::clear();
