nextmcloud · memurats · Jul 10, 2023 · Jul 10, 2023 · Jul 11, 2023 · Jul 11, 2023
diff --git a/.github/README.md b/.github/README.md
@@ -0,0 +1,54 @@
+# MagentaCLOUD user_oidc
+
+Customisation of the Nextcloud delivered OpenID connect app for MagentaCLOUD.
+
+The app extends the standard `user_oidc` Nextcloud app,
+see [upstream configuration hints for basic setup](https://github.com/nextcloud/user_oidc/blob/main/README.md)
+
+
+## Feature: Event-based provisioning (upstream contribution candidate)
+The mechanism allows to implement custom puser provisioning logic in a separate Nextcloud app by
+registering and handling a attribute change and provisioning event:
+
+```
+use OCP\AppFramework\App;
+use OCP\AppFramework\Bootstrap\IBootContext;
+use OCP\AppFramework\Bootstrap\IBootstrap;
+use OCP\AppFramework\Bootstrap\IRegistrationContext;
+class Application extends App implements IBootstrap {
+...
+	public function register(IRegistrationContext $context): void {
+		$context->registerEventListener(AttributeMappedEvent::class, MyUserAttributeListener::class);
+		$context->registerEventListener(UserAccountChangeEvent::class, MyUserAccountChangeListener::class);
+	}
+...
+}
+```
+The provisioning handler should return a `OCA\UserOIDC\Event\UserAccountChangeResult` object
+
+## Feature: Telekom-specific bearer token
+
+Due to historic reason, Telekom bearer tokens have a close to standard structure, but
+require special security implementation in detail. The customisation overrides te standard
+
+
+### Requiring web-token libraries
+The central configuration branch `nmc/2372-central-setup` automatic merge will frequently fail if composer
+upstream 
+
+The fast and easy way to bring it back to sync with upstream is:
+```
+git checkout nmc/2372-central-setup
+git rebase --onto main nmc/2372-central-setup
+# manually take over everything from upstream for composer.lock (TODO: automate that)
+# ALWAYS update web-token dependencies in composer.lock
+# to avoid upstream conflicts. The lock file diff should only contain adds to upstream state!
+composer update "web-token/jwt-*"
+```
+
+
+### Configuring an additional Bearer preshared secret with provider
+TODO
+
+### Testing Bearer secrets
+TODO
diff --git a/.github/workflows/nmc-custom-app-release.yml b/.github/workflows/nmc-custom-app-release.yml
@@ -0,0 +1,68 @@
+###
+# SPDX-License-Identifier: AGPL-3.0
+#
+# Author: Bernd rederlechner <bernd.rederlechner@t-systems.com>
+#
+# Builds a stable release package based on a release assembly
+# customisation-<version>-<increment>
+#
+# As soon as a package is deployed to production, the tag and the branch
+# MUST STAY FOR 2 years and not deleted.
+#
+# Release packages, tags and customisation branches not delivered to production should
+# be deleted asap a newer release is available.
+#
+
+name: MCLOUD custom app release
+
+on:
+  workflow_dispatch:
+    inputs:
+      increment:
+        description: 'Release increment'
+        required: true
+        type: number
+      branch:
+        type: choice
+        description: Branch to build a package from
+        options: 
+          - main
+          - stable25
+          - stable26
+          - stable27
+        default: main
+
+jobs:
+  check-custom:
+    uses: nextmcloud/.github/.github/workflows/nmc-app-precond.yml@master
+    with:
+      versionbranch: ${{ inputs.branch }}
+      increment: ${{ inputs.increment }}
+    secrets: inherit
+  assemble-custom:
+    uses: nextmcloud/.github/.github/workflows/nmc-custom-assembly.yml@master
+    needs: check-custom
+    with:
+      trunk: 'main'
+      stable: ${{ inputs.branch }}
+      result: ${{ format('customisation-{0}-{1}', inputs.branch, inputs.increment ) }}
+    secrets: inherit
+
+  composerdep:
+    strategy:
+      fail-fast: false
+    uses: ./.github/workflows/nmc-custom-oidc-composer.yml
+    needs: assemble-custom
+    with:
+      assembly: ${{ format('customisation-{0}-{1}', inputs.branch, inputs.increment) }}
+    secrets: inherit
+
+  build-custom:
+    uses: nextmcloud/.github/.github/workflows/nmc-custom-app-build.yml@master
+    needs: [ check-custom, composerdep ]
+    with:
+      appname: ${{ needs.check-custom.outputs.appname }}
+      assembly: ${{ format('customisation-{0}-{1}', inputs.branch , inputs.increment ) }}
+      tag: ${{ needs.check-custom.outputs.tag }}
+      prerelease: ${{ inputs.branch == 'main' && true || false }}
+    secrets: inherit
diff --git a/.github/workflows/nmc-custom-app-versions.yml b/.github/workflows/nmc-custom-app-versions.yml
@@ -0,0 +1,72 @@
+###
+# SPDX-License-Identifier: AGPL-3.0
+#
+# Author: Bernd rederlechner <bernd.rederlechner@t-systems.com>
+#
+# Assemble a customisation for trunk (no backports) and stable
+# (backport xor trunk)
+#
+# It creates review (user-specific) customisations branches
+# - customisation-<user>-<trunk>
+# - customisation-<user>-<stable>
+
+name: MCLOUD custom app versions
+
+###
+# The customisation-* branches are always reassembled if a customisation branch
+# is updated or included into a custom PR
+on:
+  workflow_dispatch:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+    branches:
+      - master
+      - main
+      - trunk
+      - nmcstable/**
+      # - stable/**
+
+jobs:
+
+  assemble:
+    strategy:
+      fail-fast: false
+      matrix:
+        custombase: [ "main" ]
+    uses: nextmcloud/.github/.github/workflows/nmc-custom-assembly.yml@master
+    with:
+      trunk: "main"
+      stable: ${{ matrix.custombase }}
+      result: ${{ format('customisation-{0}-{1}', github.actor, matrix.custombase) }}
+    secrets: inherit
+
+  composerdep:
+    strategy:
+      fail-fast: false
+      matrix:
+        custombase: [ "main" ]
+    uses: ./.github/workflows/nmc-custom-oidc-composer.yml
+    needs: assemble
+    with:
+      assembly: ${{ format('customisation-{0}-{1}', github.actor, matrix.custombase) }}
+    secrets: inherit
+
+  phpunit:
+    strategy:
+      fail-fast: false
+      matrix:
+        phpversion: ['8.0', '8.1']
+        database: ['mysql']
+        custombase: [ "main" ]
+    uses: nextmcloud/.github/.github/workflows/nmc-custom-app-phpunit.yml@master
+    needs: composerdep
+    with:
+      assembly: ${{ format('customisation-{0}-{1}', github.actor, matrix.custombase) }}
+      appname: 'user_oidc'
+      server-branch: ${{ matrix.custombase }}
+      phpversion: ${{ matrix.phpversion }}
+      database: ${{ matrix.database }}
+    secrets: inherit
diff --git a/.github/workflows/nmc-custom-oidc-composer.yml b/.github/workflows/nmc-custom-oidc-composer.yml
@@ -0,0 +1,81 @@
+###
+# SPDX-License-Identifier: AGPL-3.0
+#
+# Author: Bernd Rederlechner <bernd.rederlechner@t-systems.com
+#
+# user_oidc is (so far) the only app where we add php packages
+# to Nextcloud standard. We add these commandline based in build
+# to avoid continuous merge conflicts due to "composer.lock"
+# merge problems
+
+name: MCLOUD custom user_oidc dependencies
+
+
+on:
+  workflow_call:
+    inputs:
+      assembly:
+        description: name of the customisation assembly branch
+        required: true
+        type: string
+
+jobs:
+  build-custom:
+    runs-on: ubuntu-latest
+    env:
+      BUILD_USER:    ${{ github.actor }}
+      BUILD_EMAIL:   ${{ github.actor }}@users.noreply.github.com
+      BUILD_TOKEN:   ${{ secrets.BUILD_TOKEN || secrets.GITHUB_TOKEN }}
+      PHP_VERSION:   ${{ vars.PHP_VERSION || '8.2' }}
+    steps:
+      - name: Fetch custom assembly
+        id:   checkout_custom
+        uses: actions/checkout@v3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          repository: ${{ github.repository }}
+          ref: ${{ inputs.assembly }}
+          fetch-depth: 0
+          token: ${{ env.BUILD_TOKEN }}
+
+      - name: Prepare GIT modifications
+        id:   prepare_git        
+        run: |
+          # set user in case commits are needed
+          git config user.name $BUILD_USER
+          git config user.email $BUILD_EMAIL
+
+      # install php dependencies
+      - name: Set up php ${{ env.PHP_VERSION }}
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ env.PHP_VERSION }}
+          coverage: none
+
+      - name: Check composer.json
+        id: check_composer
+        uses: andstor/file-existence-action@v1
+        with:
+          files: "./composer.json"
+
+      - name: Install composer JWT dependencies
+        if: steps.check_composer.outputs.files_exists == 'true'
+        run: |
+          composer require web-token/jwt-core:^2.0 \
+            web-token/jwt-encryption:^2.2 \
+            web-token/jwt-signature:^2.2 \
+            web-token/jwt-encryption-algorithm-aescbc:^2.2 \
+            web-token/jwt-encryption-algorithm-ecdh-es:^2.2 \
+            web-token/jwt-encryption-algorithm-rsa:^2.2 \
+            web-token/jwt-encryption-algorithm-pbes2:^2.2 \
+            web-token/jwt-signature-algorithm-hmac:^2.2 \
+            web-token/jwt-signature-algorithm-rsa:^2.2 \
+            web-token/jwt-util-ecc:^2.2
+
+      - name: Commit push composer.json/.lock '${{ env.CUSTOM_BRANCH }}'
+        id: pushcomposerdep
+        run: |
+          git commit -m "Add jwt-token composer library dependencies" composer.json composer.lock
+          git push origin $CUSTOM_BRANCH
+          
diff --git a/COPYING.DTAG b/COPYING.DTAG
@@ -0,0 +1,5 @@
+Although this Nextcloud app code is free and available under the AGPL3 license, Deutsche Telekom 
+(including T-Systems) fully reserves all rights to the Telekom brand. To prevent users from getting confused about
+the source of a digital product or experience, there are stringent restrictions on using the Telekom brand and design,
+even when built into code that we provide. For any customization other than explicitly for Telekom or T-Systems, you must
+replace the Deutsche Telekom and T-Systems brand elements contained in the provided sources.
diff --git a/appinfo/routes.php b/appinfo/routes.php
@@ -16,9 +16,10 @@
 		['name' => 'login#code', 'url' => '/code', 'verb' => 'GET'],
 		['name' => 'login#singleLogoutService', 'url' => '/sls', 'verb' => 'GET'],
 		['name' => 'login#backChannelLogout', 'url' => '/backchannel-logout/{providerIdentifier}', 'verb' => 'POST'],
+		['name' => 'login#telekomBackChannelLogout', 'url' => '/logout', 'verb' => 'POST'],
 
-		['name' => 'api#createUser', 'url' => '/user', 'verb' => 'POST'],
-		['name' => 'api#deleteUser', 'url' => '/user/{userId}', 'verb' => 'DELETE'],
+		// ['name' => 'api#createUser', 'url' => '/user', 'verb' => 'POST'],
+		// ['name' => 'api#deleteUser', 'url' => '/user/{userId}', 'verb' => 'DELETE'],
 
 		['name' => 'id4me#showLogin', 'url' => '/id4me', 'verb' => 'GET'],
 		['name' => 'id4me#login', 'url' => '/id4me', 'verb' => 'POST'],

diff --git a/composer.json b/composer.json
@@ -31,7 +31,17 @@
   "require": {
     "id4me/id4me-rp": "^1.2",
     "firebase/php-jwt": "^6.8.1",
-    "bamarni/composer-bin-plugin": "^1.4"
+    "bamarni/composer-bin-plugin": "^1.4",
+    "web-token/jwt-core": "^2.0",
+    "web-token/jwt-encryption": "^2.2",
+    "web-token/jwt-signature": "^2.2",
+    "web-token/jwt-encryption-algorithm-aescbc": "^2.2",
+    "web-token/jwt-encryption-algorithm-ecdh-es": "^2.2",
+    "web-token/jwt-encryption-algorithm-rsa": "^2.2",
+    "web-token/jwt-encryption-algorithm-pbes2": "^2.2",
+    "web-token/jwt-signature-algorithm-hmac": "^2.2",
+    "web-token/jwt-signature-algorithm-rsa": "^2.2",
+    "web-token/jwt-util-ecc": "^2.2"
   },
   "require-dev": {
     "nextcloud/coding-standard": "^1.0.0",