From e1e8a7f121c41c3f23db4541211d255dfb06591a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?=
Date: Mon, 3 Jun 2024 16:10:50 +0200
Subject: [PATCH] fix(nubus): Disable UDM REST API routing by default and always disable UMC local login.
---
 .../values-umbrella.yaml.gotmpl | 48 +++++++++++--------
 helmfile/environments/default/functional.yaml | 6 +++
 2 files changed, 35 insertions(+), 19 deletions(-)
diff --git a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
index 29e41cf3..f03a3bc9 100644
--- a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
@@ -1317,6 +1317,21 @@ stack-gateway:
 proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
 proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+
+ {{ if .Values.externalServices.nubus.udmRestApi.enabled }}
+ ## udm-rest-api
+ location /univention/udm/ {
+ # The UDM Rest API does return on some endpoints a lot of headers
+ proxy_busy_buffers_size 128k;
+ proxy_buffers 4 128k;
+ proxy_buffer_size 64k;
+
+ rewrite ^/univention(/udm/.*)$ $1 break;
+ proxy_pass http://ums-udm-rest-api:80;
+ }
+ {{ end }}
+
+
 ## portal-frontend
 # The frontend does not own "/univention/portal" nor
 # "/univention/selfservice", only these two bits
@@ -1419,18 +1434,6 @@ stack-gateway:
 }
- ## udm-rest-api
- location /univention/udm/ {
- # The UDM Rest API does return on some endpoints a lot of headers
- proxy_busy_buffers_size 128k;
- proxy_buffers 4 128k;
- proxy_buffer_size 64k;
-
- rewrite ^/univention(/udm/.*)$ $1 break;
- proxy_pass http://ums-udm-rest-api:80;
- }
-
-
 ## umc-gateway
 location = /univention/languages.json {
 proxy_pass http://ums-umc-gateway:80;
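Review bot: With the flag off, `/univention/udm/` simply has no location of its own in the block added here, so those requests are handled by whatever broader location still matches, which this hunk does not show; the same holds for `/univention/auth` and the rest of `/univention/login/` in the later hunks of this file. An explicit deny would make the result independent of the remaining config: add `{{ else }}` with `location /univention/udm/ { return 404; }` before `{{ end }}`, and use `location = /univention/auth { return 404; }` instead of leaving that path unmatched. The guard also only removes the gateway route and does not touch the `ums-udm-rest-api` service, so a comment such as `## Gateway route only; the ums-udm-rest-api service itself is not disabled by this flag.` above the `{{ if }}` would keep the flag from being read as an off switch.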
@@ -1444,7 +1447,13 @@ stack-gateway:
 location /univention/js/ {
 proxy_pass http://ums-umc-gateway:80;
 }
- location /univention/login/ {
+ location /univention/login/main.js {
+ proxy_pass http://ums-umc-gateway:80;
+ }
+ location /univention/login/LoginDialog.js {
+ proxy_pass http://ums-umc-gateway:80;
+ }
+ location /univention/login/i18n/ {
 proxy_pass http://ums-umc-gateway:80;
 }
 location /univention/management/ {
@@ -1455,12 +1464,13 @@ stack-gateway:
 }
- ## umc-server
- location = /univention/auth {
- rewrite ^/univention(/.*)$ $1 break;
- proxy_pass http://ums-umc-server:80;
- proxy_set_header X-UMC-HTTPS 'on';
- }
+ ### umc-server
+ ## Do not support local authentication
+ #location = /univention/auth {
+ # rewrite ^/univention(/.*)$ $1 break;
+ # proxy_pass http://ums-umc-server:80;
+ # proxy_set_header X-UMC-HTTPS 'on';
+ #}
 location /univention/logout {
 rewrite ^/univention(/.*)$ $1 break;
 proxy_pass http://ums-umc-server:80;
diff --git a/helmfile/environments/default/functional.yaml b/helmfile/environments/default/functional.yaml
index bd710e4a..61a3325f 100644
--- a/helmfile/environments/default/functional.yaml
+++ b/helmfile/environments/default/functional.yaml
@@ -7,4 +7,10 @@ authentication:
 # Note: Removing a group from the list will not disable 2FA for the removed group.
 groups:
 - "Domain Admins"
+
+externalServices:
+ nubus:
+ udmRestApi:
+ # Set to 'true' if you don't want to make the UDM REST API from the Nubus stack externally available
+ enabled: false
 ...
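Review bot: `location /univention/login/main.js` and `location /univention/login/LoginDialog.js` are prefix matches, so they also route any longer URI that merely starts with those strings (for example `/univention/login/main.js.map`) to `ums-umc-gateway`. Since the change narrows `/univention/login/` down to an allow-list of files, exact matches express that intent: `location = /univention/login/main.js {` and `location = /univention/login/LoginDialog.js {`. The `/univention/login/i18n/` entry is a directory and can stay a prefix location.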
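Review bot: The old `location = /univention/auth` block is left in the template as commented-out configuration under a heading changed to `### umc-server`, which differs from the `## umc-gateway` and `## portal-frontend` headings around it. Commented-out routes are rendered into every deployed gateway config and can be re-enabled by removing a few `#` characters without the reason being obvious. I would delete the block, keep the heading as `## umc-server`, and leave one line such as `# /univention/auth is intentionally not routed: local UMC authentication is disabled.`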
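Review bot: The comment on `enabled` in functional.yaml says the opposite of what the flag does: in values-umbrella.yaml.gotmpl the `/univention/udm/` route is rendered when the value is true, so `true` exposes the UDM REST API through the gateway and the default `false` keeps it unrouted. An operator following the comment would publish the API while trying to hide it. Suggested wording: `# Set to 'true' to make the UDM REST API from the Nubus stack externally available through the gateway.`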