make insecure options configurable

2026-01-04 11:19:39 -06:00 · 2021-11-10 13:18:04 +01:00
parent 424a2e3f09
commit 0ec64fe99f
10 changed files with 76 additions and 9 deletions
--- a/.drone.star
+++ b/.drone.star
@@ -1474,6 +1474,11 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = []):
        "IDP_IDENTIFIER_REGISTRATION_CONF": "/drone/src/tests/config/drone/identifier-registration.yml",
        "OCIS_LOG_LEVEL": "error",
        "SETTINGS_DATA_PATH": "/srv/app/tmp/ocis/settings",
+        "STORAGE_HOME_DATAPROVIDER_INSECURE": True,
+        "STORAGE_METADATA_DATAPROVIDER_INSECURE": True,
+        "STORAGE_FRONTEND_OCDAV_INSECURE": True,
+        "STORAGE_FRONTEND_ARCHIVER_INSECURE": True,
+        "STORAGE_FRONTEND_APPPROVIDER_INSECURE": True,
    }

    # Pass in "default" accounts_hash_difficulty to not set this environment variable.
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -12,7 +12,12 @@
                "OCIS_LOG_LEVEL": "debug",
                "OCIS_LOG_PRETTY": "true",
                "OCIS_LOG_COLOR": "true",
-                "PROXY_ENABLE_BASIC_AUTH": "true"
+                "PROXY_ENABLE_BASIC_AUTH": "true",
+                "STORAGE_HOME_DATAPROVIDER_INSECURE": "true",
+                "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true",
+                "STORAGE_FRONTEND_OCDAV_INSECURE": "true",
+                "STORAGE_FRONTEND_ARCHIVER_INSECURE": "true",
+                "STORAGE_FRONTEND_APPPROVIDER_INSECURE": "true",
            }
        },
    ]
--- a/changelog/unreleased/insecure-options.md
+++ b/changelog/unreleased/insecure-options.md
@@ -0,0 +1,14 @@
+Enhancement: Make insecure options configurable
+
+We had several hard-coded 'insecure' flags. These options are now configurable. In development environments using self signed certs (the default) you need to set these flags:
+
+```
+STORAGE_HOME_DATAPROVIDER_INSECURE=true
+STORAGE_METADATA_DATAPROVIDER_INSECURE=true
+STORAGE_FRONTEND_OCDAV_INSECURE=true
+STORAGE_FRONTEND_ARCHIVER_INSECURE=true
+STORAGE_FRONTEND_APPPROVIDER_INSECURE=true
+```
+
+https://github.com/owncloud/ocis/issues/2700
+https://github.com/owncloud/ocis/pull/2745
--- a/storage/pkg/command/frontend.go
+++ b/storage/pkg/command/frontend.go
@@ -170,12 +170,12 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s
 					"prefix":                 cfg.Reva.Frontend.AppProviderPrefix,
 					"transfer_shared_secret": cfg.Reva.TransferSecret,
 					"timeout":                86400,
-					"insecure":               true,
+					"insecure":               cfg.Reva.Frontend.AppProviderInsecure,
 				},
 				"archiver": map[string]interface{}{
 					"prefix":        cfg.Reva.Frontend.ArchiverPrefix,
 					"timeout":       86400,
-					"insecure":      true,
+					"insecure":      cfg.Reva.Frontend.ArchiverInsecure,
 					"max_num_files": cfg.Reva.Archiver.MaxNumFiles,
 					"max_size":      cfg.Reva.Archiver.MaxSize,
 				},
@@ -190,7 +190,7 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s
 					"files_namespace":  cfg.Reva.OCDav.DavFilesNamespace,
 					"webdav_namespace": cfg.Reva.OCDav.WebdavNamespace,
 					"timeout":          86400,
-					"insecure":         true,
+					"insecure":         cfg.Reva.Frontend.OCDavInsecure,
 					"public_url":       cfg.Reva.Frontend.PublicURL,
 				},
 				"ocs": map[string]interface{}{
--- a/storage/pkg/command/storagehome.go
+++ b/storage/pkg/command/storagehome.go
@@ -128,7 +128,7 @@ func storageHomeConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]
 					"driver":      cfg.Reva.StorageHome.Driver,
 					"drivers":     storagedrivers.HomeDrivers(cfg),
 					"timeout":     86400,
-					"insecure":    true,
+					"insecure":    cfg.Reva.StorageHome.DataProvider.Insecure,
 					"disable_tus": false,
 				},
 			},
--- a/storage/pkg/command/storagemetadata.go
+++ b/storage/pkg/command/storagemetadata.go
@@ -150,7 +150,7 @@ func storageMetadataFromStruct(c *cli.Context, cfg *config.Config) map[string]in
 					"driver":      cfg.Reva.StorageMetadata.Driver,
 					"drivers":     storagedrivers.MetadataDrivers(cfg),
 					"timeout":     86400,
-					"insecure":    true,
+					"insecure":    cfg.Reva.StorageMetadata.DataProvider.Insecure,
 					"disable_tus": true,
 				},
 			},
--- a/storage/pkg/config/config.go
+++ b/storage/pkg/config/config.go
@@ -144,10 +144,13 @@ type Groups struct {
 type FrontendPort struct {
 	Port

+	AppProviderInsecure        bool
 	AppProviderPrefix          string
+	ArchiverInsecure           bool
 	ArchiverPrefix             string
 	DatagatewayPrefix          string
 	Favorites                  bool
+	OCDavInsecure              bool
 	OCDavPrefix                string
 	OCSPrefix                  string
 	OCSSharePrefix             string
@@ -175,6 +178,10 @@ type DataGatewayPort struct {
 	PublicURL string
 }

+type DataProvider struct {
+	Insecure bool
+}
+
 // StoragePort defines the available storage configuration.
 type StoragePort struct {
 	Port
@@ -186,9 +193,10 @@ type StoragePort struct {
 	DataServerURL string

 	// for HTTP ports with only one http service
-	HTTPPrefix string
-	TempFolder string
-	ReadOnly   bool
+	HTTPPrefix   string
+	TempFolder   string
+	ReadOnly     bool
+	DataProvider DataProvider
 }

 // PublicStorage configures a public storage provider
--- a/storage/pkg/flagset/frontend.go
+++ b/storage/pkg/flagset/frontend.go
@@ -119,6 +119,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_FRONTEND_APPPROVIDER_PREFIX"},
 			Destination: &cfg.Reva.Frontend.AppProviderPrefix,
 		},
+		&cli.BoolFlag{
+			Name:        "approvider-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.Frontend.AppProviderInsecure, false),
+			Usage:       "approvider insecure",
+			EnvVars:     []string{"STORAGE_FRONTEND_APPPROVIDER_INSECURE"},
+			Destination: &cfg.Reva.Frontend.AppProviderInsecure,
+		},
 		&cli.StringFlag{
 			Name:        "archiver-prefix",
 			Value:       flags.OverrideDefaultString(cfg.Reva.Frontend.ArchiverPrefix, "archiver"),
@@ -126,6 +133,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_FRONTEND_ARCHIVER_PREFIX"},
 			Destination: &cfg.Reva.Frontend.ArchiverPrefix,
 		},
+		&cli.BoolFlag{
+			Name:        "archiver-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.Frontend.ArchiverInsecure, false),
+			Usage:       "archiver insecure",
+			EnvVars:     []string{"STORAGE_FRONTEND_ARCHIVER_INSECURE"},
+			Destination: &cfg.Reva.Frontend.ArchiverInsecure,
+		},
 		&cli.StringFlag{
 			Name:        "datagateway-prefix",
 			Value:       flags.OverrideDefaultString(cfg.Reva.Frontend.DatagatewayPrefix, "data"),
@@ -147,6 +161,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_FRONTEND_OCDAV_PREFIX"},
 			Destination: &cfg.Reva.Frontend.OCDavPrefix,
 		},
+		&cli.BoolFlag{
+			Name:        "ocdav-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.Frontend.OCDavInsecure, false),
+			Usage:       "owncloud webdav insecure",
+			EnvVars:     []string{"STORAGE_FRONTEND_OCDAV_INSECURE"},
+			Destination: &cfg.Reva.Frontend.OCDavInsecure,
+		},
 		&cli.StringFlag{
 			Name:        "ocs-prefix",
 			Value:       flags.OverrideDefaultString(cfg.Reva.Frontend.OCSPrefix, "ocs"),
--- a/storage/pkg/flagset/storagehome.go
+++ b/storage/pkg/flagset/storagehome.go
@@ -130,6 +130,13 @@ func StorageHomeWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_HOME_TMP_FOLDER"},
 			Destination: &cfg.Reva.StorageHome.TempFolder,
 		},
+		&cli.BoolFlag{
+			Name:        "dataprovider-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.StorageHome.DataProvider.Insecure, false),
+			Usage:       "dataprovider insecure",
+			EnvVars:     []string{"STORAGE_HOME_DATAPROVIDER_INSECURE"},
+			Destination: &cfg.Reva.StorageHome.DataProvider.Insecure,
+		},

 		// some drivers need to look up users at the gateway

--- a/storage/pkg/flagset/storagemetadata.go
+++ b/storage/pkg/flagset/storagemetadata.go
@@ -69,6 +69,13 @@ func StorageMetadata(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_METADATA_DRIVER"},
 			Destination: &cfg.Reva.StorageMetadata.Driver,
 		},
+		&cli.BoolFlag{
+			Name:        "dataprovider-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.StorageMetadata.DataProvider.Insecure, false),
+			Usage:       "dataprovider insecure",
+			EnvVars:     []string{"STORAGE_METADATA_DATAPROVIDER_INSECURE"},
+			Destination: &cfg.Reva.StorageMetadata.DataProvider.Insecure,
+		},

 		// some drivers need to look up users at the gateway