feat: Allow collabora to download images from the cloud instance

Related: https://github.com/opencloud-eu/web/issues/704

.env.example

@@ -56,10 +56,10 @@ TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
 #   certificates:
 #     - certFile: /certs/opencloud.test.crt
 #       keyFile: /certs/opencloud.test.key
-#     stores:
-#       - default
+#       stores:
+#         - default
 #
-# The certificates need to copied into ./certs/, the absolute path inside the container is /certs/.
+# The certificates need to be copied into ./certs/, the absolute path inside the container is /certs/.
 # You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
 # Enable the access log for Traefik by setting the following variable to true.
 TRAEFIK_ACCESS_LOG=
@@ -137,6 +137,8 @@ DECOMPOSEDS3_BUCKET=
 
 
 # Define SMTP settings if you would like to send OpenCloud email notifications.
+# To actually send notifications, you also need to enable the 'notifications' service
+# by adding it to the START_ADDITIONAL_SERVICES variable below.
 #
 # NOTE: when configuring Inbucket, these settings have no effect, see inbucket.yml for details.
 # SMTP host to connect to.
@@ -157,12 +159,11 @@ SMTP_TRANSPORT_ENCRYPTION=
 # Allow insecure connections to the SMTP server. Defaults to false.
 SMTP_INSECURE=
 
-# Addititional services to be started on opencloud startup
-# The following list of services is not startet automatically and must be
+# Additional services to be started on opencloud startup
+# The following list of services is not started automatically and must be
 # manually defined for startup:
-# IMPORTANT: The notification service is MANDATORY, do not delete!
 # IMPORTANT: Add any services to the startup list comma separated like "notifications,antivirus" etc.
-START_ADDITIONAL_SERVICES="notifications"
+START_ADDITIONAL_SERVICES=""
 
 
 ## Default Enabled Services ##
@@ -216,7 +217,7 @@ COLLABORA_SSL_VERIFICATION=false
 # Defaults to "partial"
 #ANTIVIRUS_MAX_SCAN_SIZE_MODE=
 # Image version of the ClamAV container.
-# Defaults to "latest"y
+# Defaults to "latest"
 CLAMAV_DOCKER_TAG=
 
 

config/keycloak/opencloud-realm.dist.json

@@ -676,6 +676,7 @@
         "profile",
         "roles",
         "groups",
+        "OpenCloudUnique_ID",
         "basic",
         "email"
       ],
@@ -2336,7 +2337,7 @@
             "always"
           ],
           "usePasswordModifyExtendedOp": [
-            "false"
+            "true"
           ],
           "trustEmail": [
             "false"

config/ldap/init-ldap-acls.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -eu
+
+# apply acls
+echo -n "Applying acls... "
+slapmodify -F /opt/bitnami/openldap/etc/slapd.d -b cn=config -l /opt/bitnami/openldap/etc/schema/50_acls.ldif
+if [ $? -eq 0 ]; then
+    echo "done."
+else
+    echo "failed."
+fi

config/ldap/ldif/50_acls.ldif

@@ -0,0 +1,9 @@
+# OpenCloud ldap acl file which gets applied during the first db initialisation
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to dn.subtree="dc=opencloud,dc=eu" attrs=entry,uid,objectClass,entryUUID
+  by * read
+olcAccess: {1}to attrs=userPassword
+  by self write
+  by * auth

config/opencloud/csp.yaml

@@ -8,6 +8,7 @@ directives:
     - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
     - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
+    - 'https://update.opencloud.eu/'
   default-src:
     - '''none'''
   font-src:

config/opencloud/opencloud.storage.ocmproviders.json

@@ -1,46 +0,0 @@
-[
-  {
-    "name": "host.docker.internal:9200",
-    "full_name": "host.docker.internal 9200",
-    "organization": "OpenCloud",
-    "domain": "host.docker.internal:9200",
-    "homepage": "https://opencloud.eu",
-    "services": [
-      {
-        "endpoint": {
-          "type": {
-            "name": "OCM",
-            "description": "OpenCloud Open Cloud Mesh API"
-          },
-          "name": "OpenCloud - OCM API",
-          "path": "https://host.docker.internal:9200/ocm/",
-          "is_monitored": true
-        },
-        "api_version": "0.0.1",
-        "host": "host.docker.internal:9200"
-      }
-    ]
-  },
-  {
-    "name": "cloud.opencloud.test",
-    "full_name": "cloud.opencloud.test",
-    "organization": "OpenCloud",
-    "domain": "cloud.opencloud.test",
-    "homepage": "https://opencloud.eu",
-    "services": [
-      {
-        "endpoint": {
-          "type": {
-            "name": "OCM",
-            "description": "OpenCloud Open Cloud Mesh API"
-          },
-          "name": "OpenCloud - OCM API",
-          "path": "https://cloud.opencloud.test/ocm/",
-          "is_monitored": true
-        },
-        "api_version": "0.0.1",
-        "host": "cloud.opencloud.test"
-      }
-    ]
-  }
-]

config/opencloud/web.yaml

@@ -1,14 +0,0 @@
-# OpenCloud web configuration
-web:
-  config:
-    apps:
-    - files
-    - search
-    - text-editor
-    - pdf-viewer
-    - external
-    - admin-settings
-    - epub-reader
-    - preview
-    - app-store
-    - ocm

docker-compose.yml

@@ -51,25 +51,13 @@ services:
       OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS:-1}"
       OC_PASSWORD_POLICY_MIN_DIGITS: "${OC_PASSWORD_POLICY_MIN_DIGITS:-1}"
       OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS:-1}"
-
-      # OCM
-      OC_ENABLE_OCM: "true"
-      OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE: "/etc/opencloud/ocmproviders.json"
-      OCM_OCM_INVITE_MANAGER_INSECURE: "true"
-      OCM_OCM_SHARE_PROVIDER_INSECURE: "true"
-      OCM_OCM_STORAGE_PROVIDER_INSECURE: "true"
-      GRAPH_INCLUDE_OCM_SHAREES: "true"
-
     volumes:
       - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml
       - ./config/opencloud/banned-password-list.txt:/etc/opencloud/banned-password-list.txt
-      - ./config/opencloud/opencloud.storage.ocmproviders.json:/etc/opencloud/ocmproviders.json
-      - ./config/opencloud/web.yaml:/etc/opencloud/web.yaml
       # configure the .env file to use own paths instead of docker internal volumes
       - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
       - ${OC_DATA_DIR:-opencloud-data}:/var/lib/opencloud
       - ${OC_APPS_DIR:-./config/opencloud/apps}:/var/lib/opencloud/web/assets/apps
-
     logging:
       driver: ${LOG_DRIVER:-local}
     restart: always

idm/external-idp.yml

@@ -44,7 +44,7 @@ services:
       # The openCloud users need to be able to edit their account in the externa IdP
       WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
   ldap-server:
-    image: bitnami/openldap:2.6
+    image: bitnamilegacy/openldap:2.6
     networks:
       opencloud-net:
     entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
@@ -57,9 +57,6 @@ services:
       LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
       LDAP_ROOT: "dc=opencloud,dc=eu"
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-    ports:
-      - "127.0.0.1:389:1389"
-      - "127.0.0.1:636:1636"
     volumes:
       # Only use the base ldif file to create the base structure
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
@@ -68,6 +65,7 @@ services:
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
       - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
+    restart: always
 
 volumes:
   ldap-certs:

idm/ldap-keycloak.yml

@@ -51,12 +51,11 @@ services:
       LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
       LDAP_ROOT: "dc=opencloud,dc=eu"
       LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
-    ports:
-      - "127.0.0.1:389:1389"
-      - "127.0.0.1:636:1636"
     volumes:
       - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
       - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif
+      - ./config/ldap/ldif/50_acls.ldif:/opt/bitnami/openldap/etc/schema/50_acls.ldif
+      - ./config/ldap/init-ldap-acls.sh:/docker-entrypoint-initdb.d/init-ldap-acls.sh
       - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
       - ldap-certs:/opt/bitnami/openldap/share
       - ldap-data:/bitnami/openldap
@@ -65,7 +64,7 @@ services:
     restart: always
 
   postgres:
-    image: postgres:alpine
+    image: postgres:17-alpine
     networks:
       opencloud-net:
     volumes:

testing/external-keycloak.yml

@@ -1,7 +1,7 @@
 ---
 services:
   postgres:
-    image: postgres:alpine
+    image: postgres:17-alpine
     networks:
       opencloud-net:
     volumes:

weboffice/collabora.yml

@@ -58,7 +58,8 @@ services:
         --o:ssl.ssl_verification=${COLLABORA_SSL_VERIFICATION:-true} \
         --o:ssl.termination=true \
         --o:welcome.enable=false \
-        --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test}
+        --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test} \
+        --o:net.lok_allow.host[14]=${OC_DOMAIN-cloud.opencloud.test}
       username: ${COLLABORA_ADMIN_USER:-admin}
       password: ${COLLABORA_ADMIN_PASSWORD:-admin}
     cap_add: