From 0ec64fe99fec6a1ac7570a53f7297f7404d45b8a Mon Sep 17 00:00:00 2001
From: David Christofas
Date: Wed, 10 Nov 2021 13:18:04 +0100
Subject: [PATCH] make insecure options configurable

---
 .drone.star | 5 +++++
 .vscode/launch.json | 7 ++++++-
 changelog/unreleased/insecure-options.md | 14 ++++++++++++++
 storage/pkg/command/frontend.go | 6 +++---
 storage/pkg/command/storagehome.go | 2 +-
 storage/pkg/command/storagemetadata.go | 2 +-
 storage/pkg/config/config.go | 14 +++++++++++---
 storage/pkg/flagset/frontend.go | 21 +++++++++++++++++++++
 storage/pkg/flagset/storagehome.go | 7 +++++++
 storage/pkg/flagset/storagemetadata.go | 7 +++++++
 10 files changed, 76 insertions(+), 9 deletions(-)
 create mode 100644 changelog/unreleased/insecure-options.md

diff --git a/.drone.star b/.drone.star
index 11833cabdc..db2982e535 100644
--- a/.drone.star
+++ b/.drone.star
@@ -1474,6 +1474,11 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = []):
 "IDP_IDENTIFIER_REGISTRATION_CONF": "/drone/src/tests/config/drone/identifier-registration.yml",
 "OCIS_LOG_LEVEL": "error",
 "SETTINGS_DATA_PATH": "/srv/app/tmp/ocis/settings",
+ "STORAGE_HOME_DATAPROVIDER_INSECURE": True,
+ "STORAGE_METADATA_DATAPROVIDER_INSECURE": True,
+ "STORAGE_FRONTEND_OCDAV_INSECURE": True,
+ "STORAGE_FRONTEND_ARCHIVER_INSECURE": True,
+ "STORAGE_FRONTEND_APPPROVIDER_INSECURE": True,
 }
 
 # Pass in "default" accounts_hash_difficulty to not set this environment variable.
diff --git a/.vscode/launch.json b/.vscode/launch.json
index 37d283a4bf..2a231cc675 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -12,7 +12,12 @@
 "OCIS_LOG_LEVEL": "debug",
 "OCIS_LOG_PRETTY": "true",
 "OCIS_LOG_COLOR": "true",
- "PROXY_ENABLE_BASIC_AUTH": "true"
+ "PROXY_ENABLE_BASIC_AUTH": "true",
+ "STORAGE_HOME_DATAPROVIDER_INSECURE": "true",
+ "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true",
+ "STORAGE_FRONTEND_OCDAV_INSECURE": "true",
+ "STORAGE_FRONTEND_ARCHIVER_INSECURE": "true",
+ "STORAGE_FRONTEND_APPPROVIDER_INSECURE": "true",
 }
 },
 ]
diff --git a/changelog/unreleased/insecure-options.md b/changelog/unreleased/insecure-options.md
new file mode 100644
index 0000000000..34f53f6570
--- /dev/null
+++ b/changelog/unreleased/insecure-options.md
@@ -0,0 +1,14 @@
+Enhancement: Make insecure options configurable
+
+We had several hard-coded 'insecure' flags. These options are now configurable. In development environments using self signed certs (the default) you need to set these flags:
+
+```
+STORAGE_HOME_DATAPROVIDER_INSECURE=true
+STORAGE_METADATA_DATAPROVIDER_INSECURE=true
+STORAGE_FRONTEND_OCDAV_INSECURE=true
+STORAGE_FRONTEND_ARCHIVER_INSECURE=true
+STORAGE_FRONTEND_APPPROVIDER_INSECURE=true
+```
+
+https://github.com/owncloud/ocis/issues/2700
+https://github.com/owncloud/ocis/pull/2745
diff --git a/storage/pkg/command/frontend.go b/storage/pkg/command/frontend.go
index 43fb59a6f4..c9b2d94169 100644
--- a/storage/pkg/command/frontend.go
+++ b/storage/pkg/command/frontend.go
@@ -170,12 +170,12 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s
 "prefix": cfg.Reva.Frontend.AppProviderPrefix,
 "transfer_shared_secret": cfg.Reva.TransferSecret,
 "timeout": 86400,
- "insecure": true,
+ "insecure": cfg.Reva.Frontend.AppProviderInsecure,
 },
 "archiver": map[string]interface{}{
 "prefix": cfg.Reva.Frontend.ArchiverPrefix,
 "timeout": 86400,
- "insecure": true,
+ "insecure": cfg.Reva.Frontend.ArchiverInsecure,
 "max_num_files": cfg.Reva.Archiver.MaxNumFiles,
 "max_size": cfg.Reva.Archiver.MaxSize,
 },
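Review bot: Nothing records at runtime that an operator has set `cfg.Reva.Frontend.AppProviderInsecure` or `cfg.Reva.Frontend.ArchiverInsecure` to true, so a deployment running with the "insecure" option enabled is indistinguishable in its logs from a hardened one; with the defaults now false, a stray environment variable is the likely way this gets flipped in production. Where the Frontend command has its logger in scope (not inside this map-building helper), log a warning whenever one of the insecure fields is true, along the lines of `log.Warn().Msg("app provider 'insecure' option enabled; disable outside development")` (constructed; use the command's actual logger and, if the option does skip TLS certificate verification as the name suggests, say so in the message). The same applies to the `OCDavInsecure` hunk that follows and to the storagehome and storagemetadata command hunks. frontendConfigFromStruct begins and ends outside this hunk.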
@@ -190,7 +190,7 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s
 "files_namespace": cfg.Reva.OCDav.DavFilesNamespace,
 "webdav_namespace": cfg.Reva.OCDav.WebdavNamespace,
 "timeout": 86400,
- "insecure": true,
+ "insecure": cfg.Reva.Frontend.OCDavInsecure,
 "public_url": cfg.Reva.Frontend.PublicURL,
 },
 "ocs": map[string]interface{}{
diff --git a/storage/pkg/command/storagehome.go b/storage/pkg/command/storagehome.go
index 4df8524e9a..fff984b13c 100644
--- a/storage/pkg/command/storagehome.go
+++ b/storage/pkg/command/storagehome.go
@@ -128,7 +128,7 @@ func storageHomeConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]
 "driver": cfg.Reva.StorageHome.Driver,
 "drivers": storagedrivers.HomeDrivers(cfg),
 "timeout": 86400,
- "insecure": true,
+ "insecure": cfg.Reva.StorageHome.DataProvider.Insecure,
 "disable_tus": false,
 },
 },
diff --git a/storage/pkg/command/storagemetadata.go b/storage/pkg/command/storagemetadata.go
index c27b27a424..74af72911e 100644
--- a/storage/pkg/command/storagemetadata.go
+++ b/storage/pkg/command/storagemetadata.go
@@ -150,7 +150,7 @@ func storageMetadataFromStruct(c *cli.Context, cfg *config.Config) map[string]in
 "driver": cfg.Reva.StorageMetadata.Driver,
 "drivers": storagedrivers.MetadataDrivers(cfg),
 "timeout": 86400,
- "insecure": true,
+ "insecure": cfg.Reva.StorageMetadata.DataProvider.Insecure,
 "disable_tus": true,
 },
 },
diff --git a/storage/pkg/config/config.go b/storage/pkg/config/config.go
index a18c19ce32..4797b77362 100644
--- a/storage/pkg/config/config.go
+++ b/storage/pkg/config/config.go
@@ -144,10 +144,13 @@ type Groups struct {
 
 type FrontendPort struct {
 Port
+ AppProviderInsecure bool
 AppProviderPrefix string
+ ArchiverInsecure bool
 ArchiverPrefix string
 DatagatewayPrefix string
 Favorites bool
+ OCDavInsecure bool
 OCDavPrefix string
 OCSPrefix string
 OCSSharePrefix string
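Review bot: The new exported fields `AppProviderInsecure`, `ArchiverInsecure` and `OCDavInsecure` in FrontendPort carry no doc comment, and neither does the exported `DataProvider` type with its `Insecure` field in the next config.go hunk, so the config types never say what "insecure" relaxes or that it is meant for development setups with self-signed certificates. Add a comment above each field in the form `// AppProviderInsecure allows insecure connections to the app provider; intended for development with self-signed certificates only.` and a `// DataProvider holds the data provider settings of a storage port.` comment on the new type, adjusting the wording if the reva option does more than relax certificate checks. The FrontendPort struct continues past the end of this hunk.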
@@ -175,6 +178,10 @@ type DataGatewayPort struct {
 PublicURL string
 }
 
+type DataProvider struct {
+ Insecure bool
+}
+
 // StoragePort defines the available storage configuration.
 type StoragePort struct {
 Port
@@ -186,9 +193,10 @@ type StoragePort struct {
 DataServerURL string
 
 // for HTTP ports with only one http service
- HTTPPrefix string
- TempFolder string
- ReadOnly bool
+ HTTPPrefix string
+ TempFolder string
+ ReadOnly bool
+ DataProvider DataProvider
 }
 
 // PublicStorage configures a public storage provider
diff --git a/storage/pkg/flagset/frontend.go b/storage/pkg/flagset/frontend.go
index 4f5956aec8..928798c8ec 100644
--- a/storage/pkg/flagset/frontend.go
+++ b/storage/pkg/flagset/frontend.go
@@ -119,6 +119,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"STORAGE_FRONTEND_APPPROVIDER_PREFIX"},
 Destination: &cfg.Reva.Frontend.AppProviderPrefix,
 },
+ &cli.BoolFlag{
+ Name: "approvider-insecure",
+ Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.AppProviderInsecure, false),
+ Usage: "approvider insecure",
+ EnvVars: []string{"STORAGE_FRONTEND_APPPROVIDER_INSECURE"},
+ Destination: &cfg.Reva.Frontend.AppProviderInsecure,
+ },
 &cli.StringFlag{
 Name: "archiver-prefix",
 Value: flags.OverrideDefaultString(cfg.Reva.Frontend.ArchiverPrefix, "archiver"),
@@ -126,6 +133,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"STORAGE_FRONTEND_ARCHIVER_PREFIX"},
 Destination: &cfg.Reva.Frontend.ArchiverPrefix,
 },
+ &cli.BoolFlag{
+ Name: "archiver-insecure",
+ Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.ArchiverInsecure, false),
+ Usage: "archiver insecure",
+ EnvVars: []string{"STORAGE_FRONTEND_ARCHIVER_INSECURE"},
+ Destination: &cfg.Reva.Frontend.ArchiverInsecure,
+ },
 &cli.StringFlag{
 Name: "datagateway-prefix",
 Value: flags.OverrideDefaultString(cfg.Reva.Frontend.DatagatewayPrefix, "data"),
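Review bot: `Usage: "approvider insecure"` only restates the flag name, so `--help` gives an operator no way to judge what turning on `approvider-insecure` relaxes or that it is a development-only setting; the same holds for `"archiver insecure"` in the next hunk, `"owncloud webdav insecure"` in the ocdav hunk, and both `"dataprovider insecure"` strings in the storagehome and storagemetadata flagsets. A usage along the lines of `Usage: "allow insecure connections to the app provider (e.g. self-signed certificates); development only"` would tell them, with the parenthetical adjusted to whatever the reva option actually does. Note also that the flag name spells the component `approvider` while the environment variables use `APPPROVIDER`; the new flag copies the existing prefix flag's convention, but it is worth a comment so nobody "corrects" one side later. FrontendWithConfig starts and ends outside these hunks.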
@@ -147,6 +161,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"STORAGE_FRONTEND_OCDAV_PREFIX"},
 Destination: &cfg.Reva.Frontend.OCDavPrefix,
 },
+ &cli.BoolFlag{
+ Name: "ocdav-insecure",
+ Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.OCDavInsecure, false),
+ Usage: "owncloud webdav insecure",
+ EnvVars: []string{"STORAGE_FRONTEND_OCDAV_INSECURE"},
+ Destination: &cfg.Reva.Frontend.OCDavInsecure,
+ },
 &cli.StringFlag{
 Name: "ocs-prefix",
 Value: flags.OverrideDefaultString(cfg.Reva.Frontend.OCSPrefix, "ocs"),
diff --git a/storage/pkg/flagset/storagehome.go b/storage/pkg/flagset/storagehome.go
index 6df9bf0c51..2ec1b71ac7 100644
--- a/storage/pkg/flagset/storagehome.go
+++ b/storage/pkg/flagset/storagehome.go
@@ -130,6 +130,13 @@ func StorageHomeWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"STORAGE_HOME_TMP_FOLDER"},
 Destination: &cfg.Reva.StorageHome.TempFolder,
 },
+ &cli.BoolFlag{
+ Name: "dataprovider-insecure",
+ Value: flags.OverrideDefaultBool(cfg.Reva.StorageHome.DataProvider.Insecure, false),
+ Usage: "dataprovider insecure",
+ EnvVars: []string{"STORAGE_HOME_DATAPROVIDER_INSECURE"},
+ Destination: &cfg.Reva.StorageHome.DataProvider.Insecure,
+ },
 
 // some drivers need to look up users at the gateway
 
diff --git a/storage/pkg/flagset/storagemetadata.go b/storage/pkg/flagset/storagemetadata.go
index 6af75d2e3e..10b07441ac 100644
--- a/storage/pkg/flagset/storagemetadata.go
+++ b/storage/pkg/flagset/storagemetadata.go
@@ -69,6 +69,13 @@ func StorageMetadata(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"STORAGE_METADATA_DRIVER"},
 Destination: &cfg.Reva.StorageMetadata.Driver,
 },
+ &cli.BoolFlag{
+ Name: "dataprovider-insecure",
+ Value: flags.OverrideDefaultBool(cfg.Reva.StorageMetadata.DataProvider.Insecure, false),
+ Usage: "dataprovider insecure",
+ EnvVars: []string{"STORAGE_METADATA_DATAPROVIDER_INSECURE"},
+ Destination: &cfg.Reva.StorageMetadata.DataProvider.Insecure,
+ },
 
 // some drivers need to look up users at the gateway