<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- EOCube.Ro per-user S3 object storage, authenticated through the ROCS
         Single Sign-On (OIDC).

         Cyberduck performs an OAuth2 Authorization-Code (+PKCE) login, then
         exchanges the resulting token for temporary S3 credentials via the STS
         endpoint (AssumeRoleWithWebIdentity). No static access/secret key is
         stored in the bookmark.

         The user is only prompted for their EOCube.Ro username and password on
         the sign-in page; no client secret is requested (the empty
         "OAuth Client Secret" below marks this as a public PKCE client). -->

    <key>Protocol</key>
    <string>s3</string>
    <key>Vendor</key>
    <string>eocube-user-storage-sso</string>
    <key>Name</key>
    <string>EOCube.Ro User Storage (Single Sign-On)</string>
    <key>Description</key>
    <string>EOCube.Ro per-user S3 storage (Single Sign-On)</string>

    <!-- Fixed S3 endpoint (HTTPS) -->
    <key>Default Hostname</key>
    <string>s3.svc.uvt-01.eocube.ro</string>
    <key>Default Port</key>
    <string>443</string>
    <key>Hostname Configurable</key>
    <false/>
    <key>Port Configurable</key>
    <false/>
    <key>Scheme</key>
    <string>https</string>
    <key>Schemes</key>
    <array>
        <string>https</string>
    </array>

    <!-- Path-style addressing (bucket name in the path), not virtual-hosted-style -->
    <key>Region</key>
    <string>ro-west-uvt-01</string>
    <key>Regions</key>
    <array>
        <string>ro-west-uvt-01</string>
    </array>

    <!-- OAuth2 / OIDC against the ROCS Single Sign-On.
         "OAuth Client Secret" is intentionally empty: eocube-cyberduck is a
         public client using PKCE, so the client must NOT prompt for a secret. -->
    <key>Authorization</key>
    <string>AuthorizationCode</string>
    <key>OAuth Authorization Url</key>
    <string>https://aai.eocube.ro/realms/rocs/protocol/openid-connect/auth</string>
    <key>OAuth Token Url</key>
    <string>https://aai.eocube.ro/realms/rocs/protocol/openid-connect/token</string>
    <key>OAuth Client ID</key>
    <string>eocube-cyberduck</string>
    <key>OAuth Client Secret</key>
    <string></string>
    <key>OAuth Redirect Url</key>
    <string>x-cyberduck-action:oauth</string>
    <key>OAuth PKCE</key>
    <true/>
    <key>Scopes</key>
    <array>
        <string>openid</string>
        <string>offline_access</string>
        <string>eocube-object-storage</string>
    </array>

    <!-- Token -> temporary S3 credentials exchange (AssumeRoleWithWebIdentity).
         The STS service is served at the S3 endpoint itself. -->
    <key>STS Endpoint</key>
    <string>https://s3.svc.uvt-01.eocube.ro</string>

    <!-- Credentials come from the sign-in flow, not from user input -->
    <key>Username Configurable</key>
    <false/>
    <key>Password Configurable</key>
    <false/>
    <key>Token Configurable</key>
    <false/>
    <key>Anonymous Configurable</key>
    <false/>

    <!-- Object-storage-specific S3 properties. Cyberduck reads Properties as an
         array of "key=value" strings. -->
    <key>Properties</key>
    <array>
        <!-- Force path-style addressing (https://host/bucket/key); the endpoint
             has no wildcard DNS/TLS for virtual-hosted-style (bucket.host). -->
        <string>s3.bucket.virtualhost.disable=true</string>

        <!-- Assume the per-user write role. Its policy is scoped to the caller's
             own home bucket (arn:aws:s3:::${jwt:eocube_bucket}), so each user can
             only access their own storage. -->
        <string>s3.assumerole.rolearn=arn:aws:iam::role/S3WriteRole</string>
    </array>
</dict>
</plist>
