kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-06-25 03:38:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added base for openproject nextcloud integration bug

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-06-20 13:13:15 +02:00
parent 68287c3c66
commit 20c3fdd455
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
6 changed files with 93 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
roles/docker-nextcloud/Administration.md Normal file
View File

@ -0,0 +1,5 @@
# Administration
## Logs
The logs you will find here on the host: **/var/lib/docker/volumes/nextcloud_data/_data/data/nextcloud.log**

2
roles/docker-oauth2-proxy/vars/configuration.yml
View File

@ -1,6 +1,6 @@
configuration_file: "oauth2-proxy-keycloak.cfg" # Needs to be set true in the roles which use it configuration_file: "oauth2-proxy-keycloak.cfg" # Needs to be set true in the roles which use it
version: "latest" # Docker Image version version: "latest" # Docker Image version
allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups allowed_roles: "admin" # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups
features: features:
matomo: true matomo: true
css: true css: true

5
roles/docker-openproject/vars/configuration.yml
View File

@ -2,6 +2,11 @@ version: "13" # Update when available. Sadly no rolling release
oauth2_proxy: oauth2_proxy:
application: "proxy" application: "proxy"
port: "80" port: "80"
acl:
whitelist:
- "/users/me" # Necessary for Nextcloud Plugin to work
- "/api/" # Necessary for Nextcloud Plugin to work
- "/oauth/token" # Necessary for Nextcloud Plugin to work
ldap: ldap:
filters: filters:
administrators: True # Set true to filter administrators administrators: True # Set true to filter administrators

4
roles/docker-yourls/vars/configuration.yml
View File

@ -5,7 +5,9 @@ version: "latest"
oauth2_proxy: oauth2_proxy:
application: "application" application: "application"
port: "80" port: "80"
location: "/admin/" # Protects the admin area acl:
blacklist:
- "/admin/" # Protects the admin area
features: features:
matomo: true matomo: true
css: true css: true

42
roles/nginx-docker-reverse-proxy/templates/vhost/basic.conf.j2
View File

@ -15,21 +15,47 @@ server
{% include 'roles/letsencrypt/templates/ssl_header.j2' %} {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% if applications | is_feature_enabled('oauth2',application_id) %} {% if applications | is_feature_enabled('oauth2', application_id) %}
{% if applications[application_id].oauth2_proxy.location is defined %} {% set acl = applications[application_id].oauth2_proxy.acl | default({}) %}
{# Exposed and Unprotected Location #}
{% if acl.blacklist is defined %}
{# 1. Expose everything by default, then protect blacklisted paths #}
{% set oauth2_proxy_enabled = false %}
{% set location = "/" %}
{% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %} {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %}
{% for loc in acl.blacklist %}
{% set oauth2_proxy_enabled = true %}
{% set location = loc %}
{% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %}
{% endfor %}
{% elif acl.whitelist is defined %}
{# 2. Protect everything by default, then expose whitelisted paths #}
{% set oauth2_proxy_enabled = true %} {% set oauth2_proxy_enabled = true %}
{% set location = applications[application_id].oauth2_proxy.location %} {% set location = "/" %}
{# Gated Location by OAuth2 Proxy #}
{% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %} {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %}
{% for loc in acl.whitelist %}
{% set oauth2_proxy_enabled = false %}
{% set location = loc %}
{% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %}
{% endfor %}
{% else %} {% else %}
{# 3. OAuth2 enabled but no (or empty) ACL — protect all #}
{% set oauth2_proxy_enabled = true %} {% set oauth2_proxy_enabled = true %}
{# Protected Domain by OAuth2 Proxy #} {% set location = "/" %}
{% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2'%} {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %}
{% endif %} {% endif %}
{% else %} {% else %}
{# Exposed Domain - Not protected by OAuth2 Proxy #} {# 4. OAuth2 completely disabled — expose all #}
{% set oauth2_proxy_enabled = false %}
{% set location = "/" %}
{% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %} {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %}
{% endif %} {% endif %}
} }

45
tests/integration/test_oauth2_acl_mutual_exclusive.py Normal file
View File

@ -0,0 +1,45 @@
import os
import yaml
import unittest
from pathlib import Path
ROLES_DIR = Path(__file__).resolve().parent.parent.parent / "roles"
class TestOauth2AclMutualExclusion(unittest.TestCase):
def test_acl_has_either_whitelist_or_blacklist(self):
failures = []
for role_path in ROLES_DIR.iterdir():
vars_file = role_path / "vars" / "configuration.yml"
if not vars_file.exists():
continue
# open the YAML file instead of passing the Path object
try:
with open(vars_file) as f:
data = yaml.safe_load(f) or {}
except yaml.YAMLError as e:
failures.append(f"{role_path.name}: failed to parse YAML ({e})")
continue
oauth2 = data.get("oauth2_proxy", {})
acl = oauth2.get("acl", None)
if acl is None:
continue
has_wl = "whitelist" in acl
has_bl = "blacklist" in acl
if has_wl and has_bl:
failures.append(
f"{role_path.name}: both 'whitelist' and 'blacklist' are defined"
)
if failures:
self.fail(
"The following roles define both whitelist and blacklist under oauth2_proxy.acl:\n"
+ "\n".join(failures)
)
if __name__ == "__main__":
unittest.main()