fix add back slash to traefik allowed encoded characters

Add support for KC_LOG_LEVEL env variable & fix KC credentials leaking in logs

.env.example

@@ -22,6 +22,8 @@ INSECURE=true
 #COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:external-proxy/opencloud.yml:external-proxy/collabora.yml
 # Keycloak Shared User Directory
 #COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/ldap-keycloak.yml:traefik/ldap-keycloak.yml
+# External IDP
+#COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/external-idp.yml
 
 ## Traefik Settings ##
 # Note: Traefik is always enabled and can't be disabled.
@@ -57,13 +59,11 @@ TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
 #     - certFile: /certs/opencloud.test.crt
 #       keyFile: /certs/opencloud.test.key
 #   stores:
-#     default:
+#     - default
-#       defaultCertificate:
-#         certFile: /certs/opencloud.test.crt
-#         keyFile: /certs/opencloud.test.key
 #
 # The certificates need to be copied into ./certs/, the absolute path inside the container is /certs/.
 # You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
+#TRAEFIK_CERTS_DIR=./certs
 # Enable the access log for Traefik by setting the following variable to true.
 TRAEFIK_ACCESS_LOG=
 # Configure the log level for Traefik.
@@ -117,24 +117,30 @@ LOG_LEVEL=
 # Define the kind of logging.
 # The default log can be read by machines.
 # Set this to true to make the log human readable.
-# LOG_PRETTY=true
+#LOG_PRETTY=true
 #
 # Define the openCloud storage location. Set the paths for config and data to a local path.
 # Ensure that the configuration and data directories are owned by the user and group with ID 1000:1000.
 # This matches the default user inside the container and avoids permission issues when accessing files.
 # Note that especially the data directory can grow big.
 # Leaving it default stores data in docker internal volumes.
-# OC_CONFIG_DIR=/your/local/opencloud/config
+OC_CONFIG_DIR=
-# OC_DATA_DIR=/your/local/opencloud/data
+OC_DATA_DIR=
 # OpenCloud Web can load extensions from a local directory.
 # The default uses the bind mount to the config/opencloud/apps directory.
-# Example: curl -L https://github.com/opencloud-eu/web-extensions/releases/download/unzip-v1.0.2/unzip-1.0.2.zip | tar -xz -C config/opencloud/apps
+# Example: curl -L https://github.com/opencloud-eu/web-extensions/releases/download/unzip-v1.0.2/unzip-1.0.2.zip -o config/opencloud/apps/unzip-1.0.2.zip && unzip config/opencloud/apps/unzip-1.0.2.zip -d config/opencloud/apps && rm config/opencloud/apps/unzip-1.0.2.zip 
 # NOTE: you need to restart the openCloud container to load the new extensions.
-# OC_APPS_DIR=/your/local/opencloud/apps
+#OC_APPS_DIR=/your/local/opencloud/apps
+#
+# The default language used by services and the WebUI.
+# Uses ISO 639-1 language codes (e.g. "en", "de", "fr").
+# Defaults to English if not set.
+DEFAULT_LANGUAGE=
 
 # Define the ldap-server storage location. Set the paths for config and data to a local path.
-# LDAP_CERTS_DIR=
+# Leaving it default stores data in docker internal volumes.
-# LDAP_DATA_DIR=
+LDAP_CERTS_DIR=
+LDAP_DATA_DIR=
 
 # S3 Storage configuration - optional
 # OpenCloud supports S3 storage as primary storage.
@@ -316,6 +322,9 @@ KEYCLOAK_DOMAIN=
 KEYCLOAK_ADMIN=
 # Admin user login password. Defaults to "admin".
 KEYCLOAK_ADMIN_PASSWORD=
+# Configure the log level for Keycloak.
+# Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "OFF". Default is "INFO".
+KC_LOG_LEVEL=
 # Keycloak Database username. Defaults to "keycloak".
 KC_DB_USERNAME=
 # Keycloak Database password. Defaults to "keycloak".

README.md

@@ -285,10 +285,6 @@ OpenCloud Compose supports adding SSL certificates for public domains and develo
          keyFile: /certs/opencloud.test.key
          stores:
            - default
-       - certFile: /certs/wildcard.example.com.crt
-         keyFile: /certs/wildcard.example.com.key
-         stores:
-           - default
    ```
 
 3. **Configure environment variables**:

config/keycloak/docker-entrypoint-override.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
-printenv
+# print env variables for trace/debug log levels
+log_level=$(printf '%s' "$KC_LOG_LEVEL" | tr '[:upper:]' '[:lower:]')
+case "$log_level" in trace|debug) printenv ;; *) ;; esac
+
 # replace openCloud domain and LDAP password in keycloak realm import
 mkdir /opt/keycloak/data/import
 sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/openCloud-realm.json > /opt/keycloak/data/import/openCloud-realm.json

config/traefik/docker-entrypoint-override.sh

@@ -23,10 +23,14 @@ add_arg "--entryPoints.https.address=:${TRAEFIK_PORT_HTTPS:-443}"
 add_arg "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
 add_arg "--entryPoints.https.transport.respondingTimeouts.writeTimeout=12h"
 add_arg "--entryPoints.https.transport.respondingTimeouts.idleTimeout=3m"
-# allow encoded characters required for WOPI/Collabora
+# allow encoded characters
+# required for WOPI/Collabora and  file operations with supported encoded characters
 add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedSlash=true"
 add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedQuestionMark=true"
 add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedPercent=true"
+add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedSemicolon=true"
+add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedHash=true"
+add_arg "--entryPoints.https.http.encodedCharacters.allowEncodedBackSlash=true"
 # docker provider (get configuration from container labels)
 add_arg "--providers.docker.endpoint=unix:///var/run/docker.sock"
 add_arg "--providers.docker.exposedByDefault=false"

docker-compose.yml

@@ -46,13 +46,15 @@ services:
       OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
       # control the password enforcement and policy for public shares
       OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD:-true}"
-      OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD:-true}"
+      OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "${OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD:-false}"
       OC_PASSWORD_POLICY_DISABLED: "${OC_PASSWORD_POLICY_DISABLED:-false}"
       OC_PASSWORD_POLICY_MIN_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_CHARACTERS:-8}"
       OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS:-1}"
       OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS:-1}"
       OC_PASSWORD_POLICY_MIN_DIGITS: "${OC_PASSWORD_POLICY_MIN_DIGITS:-1}"
       OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "${OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS:-1}"
+      # default language for services/WebUI; defaults to English, language code (ISO 639-1, e.g. de, en, fr)
+      OC_DEFAULT_LANGUAGE: ${DEFAULT_LANGUAGE}
     volumes:
       - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml
       - ./config/opencloud/banned-password-list.txt:/etc/opencloud/banned-password-list.txt

idm/ldap-keycloak.yml

@@ -96,6 +96,7 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_LOG_LEVEL: ${KC_LOG_LEVEL:-INFO}
       KC_PROXY_HEADERS: xforwarded
       KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}

testing/external-keycloak.yml

@@ -32,6 +32,7 @@ services:
       KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
       KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
       KC_FEATURES: impersonation
+      KC_LOG_LEVEL: ${KC_LOG_LEVEL:-INFO}
       KC_PROXY_HEADERS: xforwarded
       KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}

weboffice/collabora.yml

@@ -61,16 +61,12 @@ services:
         --o:ssl.termination=true \
         --o:welcome.enable=false \
         --o:net.frame_ancestors=${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
-        --o:net.lok_allow.host[14]=${OC_DOMAIN-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
+        --o:net.lok_allow.host[14]=${OC_DOMAIN:-cloud.opencloud.test}${TRAEFIK_PORT_HTTPS:+:}${TRAEFIK_PORT_HTTPS:-} \
         --o:home_mode.enable=${COLLABORA_HOME_MODE:-false}
       username: ${COLLABORA_ADMIN_USER:-admin}
       password: ${COLLABORA_ADMIN_PASSWORD:-admin}
     cap_add:
-      - SYS_ADMIN
       - MKNOD
-    security_opt:
-      - seccomp=unconfined
-      - apparmor:unconfined
     volumes:
       # Mount local TrueType fonts so the container can use system fonts
       # (e.g. Microsoft fonts like Arial, Calibri, Cambria by installing the `ttf-mscorefonts-installer` package).