From 97d9c149f1d6d175f650ab21fb7c4da4a4e4760c Mon Sep 17 00:00:00 2001 From: ed Date: Sun, 24 Dec 2023 13:46:26 +0100 Subject: [PATCH] IdP config draft (#62) --- README.md | 2 +- docs/examples/docker/idp/copyparty.conf | 60 +++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 docs/examples/docker/idp/copyparty.conf diff --git a/README.md b/README.md index f5b67d57..aa4e6d95 100644 --- a/README.md +++ b/README.md @@ -1219,7 +1219,7 @@ work is [ongoing](https://github.com/9001/copyparty/issues/62) to support authen it is currently possible to specify `--idp-h-usr x-username`; copyparty will then skip password validation and blindly trust the username specified in the `X-Username` request header -the remaining stuff (accepting user groups through another header, creating volumes on the fly) are still to-do +the remaining stuff (accepting user groups through another header, creating volumes on the fly) are still to-do; configuration will probably [look like this](./docs/examples/docker/idp/copyparty.conf) ## hiding from google diff --git a/docs/examples/docker/idp/copyparty.conf b/docs/examples/docker/idp/copyparty.conf new file mode 100644 index 00000000..b911eb08 --- /dev/null +++ b/docs/examples/docker/idp/copyparty.conf 
@@ -0,0 +1,60 @@
+# not actually YAML but lets pretend:
+# -*- mode: yaml -*-
+# vim: ft=yaml:
+
+
+# example config for how copyparty can be used with an identity
+# provider, replacing the built-in authentication/authorization
+# mechanism, and instead expecting the reverse-proxy to provide
+# the requester's username (and possibly a group-name, for
+# optional group-based access control)
+#
+# the filesystem-path `/w` is used as the storage location
+# because that is the data-volume in the docker containers,
+# because a deployment like this (with an IdP) is more commonly
+# seen in containerized environments -- but this is not required
+
+
+[global]
+ e2dsa # enable file indexing and filesystem scanning
+ e2ts # enable multimedia indexing
+ ansi # enable colors in log messages
+
+ # enable IdP support by expecting username/groupname in
+ # http-headers provided by the reverse-proxy; header "X-IdP-User"
+ # will contain the username, "X-IdP-Group" the groupname
+ idp-h-usr: x-idp-user
+ idp-h-grp: x-idp-group
+
+
+[/] # create a volume at "/" (the webroot), which will
+ /w # share /w (the docker data volume)
+ accs:
+ rw: * # everyone gets read-access, but
+ rwmda: %su # the group "su" gets read-write-move-delete-admin
+
+
+[/~${u}] # each user gets their own home-folder at /~username
+ /w/~${u} # which will be in a folder named ~username in the docker data volume
+ accs:
+ r: * # read-access for anyone, and
+ rwmda: ${u}, %su # read-write-move-delete-admin for that username + the "su" group
+
+
+[/~${u}/priv] # each user also gets a private area at /~username/priv
+ /w/~${u}/priv # stored at DATAVOLUME/~username/priv
+ accs:
+ rwmda: ${u}, %su # read-write-move-delete-admin for that username + the "su" group
+
+
+[/lounge/${g}] # each group gets their own shared volume
+ /w/lounge/${g} # stored at DATAVOLUME/lounge/groupname
+ accs:
+ r: * # read-access for anyone, and
+ rwmda: %${g}, %su # read-write-move-delete-admin for that group + the "su" group
+
+
+[/lounge/${g}/priv] # and a private area for each group too
+ /w/lounge/${g}/priv # stored at DATAVOLUME/lounge/groupname/priv
+ accs:
+ rwmda: %${g}, %su # read-write-move-delete-admin for that group + the "su" group
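Review bot: The webroot volume's `rw: *` grants anonymous write access to all of /w, contradicting its own comment `# everyone gets read-access, but`; every sibling volume expresses the same intent with `r: *`, so this should read `r: *  # everyone gets read-access, but` unless anonymous uploads into the data volume are deliberate. The header comment should also spell out the trust assumption the README hunk already admits (password validation is skipped and the header is trusted blindly): copyparty must not be reachable except through the reverse-proxy, and the proxy must strip or overwrite any client-supplied `X-IdP-User`/`X-IdP-Group` headers before forwarding, e.g. `# NOTE: these headers are trusted without verification -- the proxy MUST overwrite them and copyparty MUST NOT be directly reachable`. Whether copyparty itself refuses the headers from non-proxy sources is not visible in this patch, so the example should not imply it does.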