6 files changed, 103 insertions, 14 deletions

diff --git a/lib/config/default.js b/lib/config/default.js
index a9689974..28f4490c 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -7,9 +7,23 @@ module.exports = {
   urladdport: false,
   alloworigin: ['localhost'],
   usessl: false,
+  hsts: {
+    enable: true,
+    maxAgeSeconds: 31536000,
+    includeSubdomains: true,
+    preload: true
+  },
+  csp: {
+    enable: true,
+    directives: {
+    },
+    addDefaults: true,
+    upgradeInsecureRequests: 'auto'
+  },
   protocolusessl: false,
   usecdn: true,
   allowanonymous: true,
+  allowanonymousedits: false,
   allowfreeurl: false,
   defaultpermission: 'editable',
   dburl: '',
@@ -75,10 +89,16 @@ module.exports = {
     clientSecret: undefined,
     scope: undefined
   },
-  dropbox: {
+  mattermost: {
+    baseURL: undefined,
     clientID: undefined,
     clientSecret: undefined
   },
+  dropbox: {
+    clientID: undefined,
+    clientSecret: undefined,
+    appKey: undefined
+  },
   google: {
     clientID: undefined,
     clientSecret: undefined
@@ -92,8 +112,24 @@ module.exports = {
     searchBase: undefined,
     searchFilter: undefined,
     searchAttributes: undefined,
+    usernameField: undefined,
     tlsca: undefined
   },
+  saml: {
+    idpSsoUrl: undefined,
+    idpCert: undefined,
+    issuer: undefined,
+    identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+    groupAttribute: undefined,
+    externalGroups: [],
+    requiredGroups: [],
+    attribute: {
+      id: undefined,
+      username: undefined,
+      email: undefined
+    }
+  },
   email: true,
-  allowemailregister: true
+  allowemailregister: true,
+  allowpdfexport: true
 }
diff --git a/lib/config/defaultSSL.js b/lib/config/defaultSSL.js
index 1f1d5590..362c62a1 100644
--- a/lib/config/defaultSSL.js
+++ b/lib/config/defaultSSL.js
@@ -12,6 +12,6 @@ function getFile (path) {
 module.exports = {
   sslkeypath: getFile('/run/secrets/key.pem'),
   sslcertpath: getFile('/run/secrets/cert.pem'),
-  sslcapath: getFile('/run/secrets/ca.pem'),
+  sslcapath: getFile('/run/secrets/ca.pem') !== undefined ? [getFile('/run/secrets/ca.pem')] : [],
   dhparampath: getFile('/run/secrets/dhparam.pem')
 }
diff --git a/lib/config/dockerSecret.js b/lib/config/dockerSecret.js
index eea2fafd..b9116cd3 100644
--- a/lib/config/dockerSecret.js
+++ b/lib/config/dockerSecret.js
@@ -38,9 +38,14 @@ if (fs.existsSync(basePath)) {
       clientID: getSecret('gitlab_clientID'),
       clientSecret: getSecret('gitlab_clientSecret')
     },
+    mattermost: {
+      clientID: getSecret('mattermost_clientID'),
+      clientSecret: getSecret('mattermost_clientSecret')
+    },
     dropbox: {
       clientID: getSecret('dropbox_clientID'),
-      clientSecret: getSecret('dropbox_clientSecret')
+      clientSecret: getSecret('dropbox_clientSecret'),
+      appKey: getSecret('dropbox_appKey')
     },
     google: {
       clientID: getSecret('google_clientID'),
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 49e44cad..932363da 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -1,17 +1,27 @@
 'use strict'
 
-const {toBooleanConfig} = require('./utils')
+const {toBooleanConfig, toArrayConfig} = require('./utils')
 
 module.exports = {
   domain: process.env.HMD_DOMAIN,
   urlpath: process.env.HMD_URL_PATH,
   port: process.env.HMD_PORT,
-  urladdport: process.env.HMD_URL_ADDPORT,
+  urladdport: toBooleanConfig(process.env.HMD_URL_ADDPORT),
   usessl: toBooleanConfig(process.env.HMD_USESSL),
+  hsts: {
+    enable: toBooleanConfig(process.env.HMD_HSTS_ENABLE),
+    maxAgeSeconds: process.env.HMD_HSTS_MAX_AGE,
+    includeSubdomains: toBooleanConfig(process.env.HMD_HSTS_INCLUDE_SUBDOMAINS),
+    preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
+  },
+  csp: {
+    enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
+  },
   protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
-  alloworigin: process.env.HMD_ALLOW_ORIGIN ? process.env.HMD_ALLOW_ORIGIN.split(',') : undefined,
+  alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
   usecdn: toBooleanConfig(process.env.HMD_USECDN),
   allowanonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS),
+  allowanonymousedits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS),
   allowfreeurl: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
   defaultpermission: process.env.HMD_DEFAULT_PERMISSION,
   dburl: process.env.HMD_DB_URL,
@@ -50,9 +60,15 @@ module.exports = {
     clientSecret: process.env.HMD_GITLAB_CLIENTSECRET,
     scope: process.env.HMD_GITLAB_SCOPE
   },
+  mattermost: {
+    baseURL: process.env.HMD_MATTERMOST_BASEURL,
+    clientID: process.env.HMD_MATTERMOST_CLIENTID,
+    clientSecret: process.env.HMD_MATTERMOST_CLIENTSECRET
+  },
   dropbox: {
     clientID: process.env.HMD_DROPBOX_CLIENTID,
-    clientSecret: process.env.HMD_DROPBOX_CLIENTSECRET
+    clientSecret: process.env.HMD_DROPBOX_CLIENTSECRET,
+    appKey: process.env.HMD_DROPBOX_APPKEY
   },
   google: {
     clientID: process.env.HMD_GOOGLE_CLIENTID,
@@ -66,9 +82,25 @@ module.exports = {
     tokenSecret: process.env.HMD_LDAP_TOKENSECRET,
     searchBase: process.env.HMD_LDAP_SEARCHBASE,
     searchFilter: process.env.HMD_LDAP_SEARCHFILTER,
-    searchAttributes: process.env.HMD_LDAP_SEARCHATTRIBUTES,
+    searchAttributes: toArrayConfig(process.env.HMD_LDAP_SEARCHATTRIBUTES),
+    usernameField: process.env.HMD_LDAP_USERNAMEFIELD,
     tlsca: process.env.HMD_LDAP_TLS_CA
   },
+  saml: {
+    idpSsoUrl: process.env.HMD_SAML_IDPSSOURL,
+    idpCert: process.env.HMD_SAML_IDPCERT,
+    issuer: process.env.HMD_SAML_ISSUER,
+    identifierFormat: process.env.HMD_SAML_IDENTIFIERFORMAT,
+    groupAttribute: process.env.HMD_SAML_GROUPATTRIBUTE,
+    externalGroups: toArrayConfig(process.env.HMD_SAML_EXTERNALGROUPS, '|', []),
+    requiredGroups: toArrayConfig(process.env.HMD_SAML_REQUIREDGROUPS, '|', []),
+    attribute: {
+      id: process.env.HMD_SAML_ATTRIBUTE_ID,
+      username: process.env.HMD_SAML_ATTRIBUTE_USERNAME,
+      email: process.env.HMD_SAML_ATTRIBUTE_EMAIL
+    }
+  },
   email: toBooleanConfig(process.env.HMD_EMAIL),
-  allowemailregister: toBooleanConfig(process.env.HMD_ALLOW_EMAIL_REGISTER)
+  allowemailregister: toBooleanConfig(process.env.HMD_ALLOW_EMAIL_REGISTER),
+  allowpdfexport: toBooleanConfig(process.env.HMD_ALLOW_PDF_EXPORT)
 }
diff --git a/lib/config/index.js b/lib/config/index.js
index bea5a6af..3d22c3c3 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -1,3 +1,4 @@
+
 'use strict'
 
 const fs = require('fs')
@@ -12,8 +13,10 @@ const debugConfig = {
   debug: (env === Environment.development)
 }
 
+const {version} = require(path.join(appRootPath, 'package.json'))
+
 const packageConfig = {
-  version: '0.5.1',
+  version: version,
   minimumCompatibleVersion: '0.5.0'
 }
 
@@ -46,7 +49,7 @@ if (config.ldap.tlsca) {
 
 // Permission
 config.permission = Permission
-if (!config.allowanonymous) {
+if (!config.allowanonymous && !config.allowanonymousedits) {
   delete config.permission.freely
 }
 if (!(config.defaultpermission in config.permission)) {
@@ -89,10 +92,16 @@ config.isTwitterEnable = config.twitter.consumerKey && config.twitter.consumerSe
 config.isEmailEnable = config.email
 config.isGitHubEnable = config.github.clientID && config.github.clientSecret
 config.isGitLabEnable = config.gitlab.clientID && config.gitlab.clientSecret
+config.isMattermostEnable = config.mattermost.clientID && config.mattermost.clientSecret
 config.isLDAPEnable = config.ldap.url
+config.isSAMLEnable = config.saml.idpSsoUrl
+config.isPDFExportEnable = config.allowpdfexport
 
 // generate correct path
-config.sslcapath = path.join(appRootPath, config.sslcapath)
+config.sslcapath.forEach(function (capath, i, array) {
+  array[i] = path.resolve(appRootPath, capath)
+})
+
 config.sslcertpath = path.join(appRootPath, config.sslcertpath)
 config.sslkeypath = path.join(appRootPath, config.sslkeypath)
 config.dhparampath = path.join(appRootPath, config.dhparampath)
@@ -106,7 +115,7 @@ config.errorpath = path.join(appRootPath, config.errorpath)
 config.prettypath = path.join(appRootPath, config.prettypath)
 config.slidepath = path.join(appRootPath, config.slidepath)
 
-// maek config readonly
+// make config readonly
 config = deepFreeze(config)
 
 module.exports = config
diff --git a/lib/config/utils.js b/lib/config/utils.js
index 11bbd8cb..9ff2f96d 100644
--- a/lib/config/utils.js
+++ b/lib/config/utils.js
@@ -6,3 +6,10 @@ exports.toBooleanConfig = function toBooleanConfig (configValue) {
   }
   return configValue
 }
+
+exports.toArrayConfig = function toArrayConfig (configValue, separator = ',', fallback) {
+  if (configValue && typeof configValue === 'string') {
+    return (configValue.split(separator).map(arrayItem => arrayItem.trim()))
+  }
+  return fallback
+}