change secrets on deploy

2026-01-04 19:29:49 -06:00 · 2021-02-09 16:00:04 +01:00
parent c32dd3d362
commit 2efbb13e66
19 changed files with 227 additions and 43 deletions
--- a/accounts/pkg/flagset/flagset.go
+++ b/accounts/pkg/flagset/flagset.go
@@ -137,7 +137,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "jwt-secret",
 			Value:       "Pive-Fumkiu4",
 			Usage:       "Used to create JWT to talk to reva, should equal reva's jwt-secret",
-			EnvVars:     []string{"ACCOUNTS_JWT_SECRET"},
+			EnvVars:     []string{"ACCOUNTS_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.TokenManager.JWTSecret,
 		},
 		&cli.StringFlag{
@@ -172,7 +172,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "storage-cs3-jwt-secret",
 			Value:       "Pive-Fumkiu4",
 			Usage:       "Used to create JWT to talk to reva, should equal reva's jwt-secret",
-			EnvVars:     []string{"ACCOUNTS_STORAGE_CS3_JWT_SECRET"},
+			EnvVars:     []string{"ACCOUNTS_STORAGE_CS3_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.Repo.CS3.JWTSecret,
 		},
 		&cli.StringFlag{
--- a/accounts/pkg/service/v0/service.go
+++ b/accounts/pkg/service/v0/service.go
@@ -268,6 +268,12 @@ func (s Service) createDefaultAccounts() (err error) {
 		},
 	}
 	for i := range accounts {
+		a := &proto.Account{}
+		err := s.repo.LoadAccount(context.Background(), accounts[i].Id, a)
+		if !storage.IsNotFoundErr(err) {
+			continue // account already exists -> do not overwrite
+		}
+
 		if err := s.repo.WriteAccount(context.Background(), &accounts[i]); err != nil {
 			return err
 		}
@@ -360,6 +366,12 @@ func (s Service) createDefaultGroups() (err error) {
 		}},
 	}
 	for i := range groups {
+		g := &proto.Group{}
+		err := s.repo.LoadGroup(context.Background(), groups[i].Id, g)
+		if !storage.IsNotFoundErr(err) {
+			continue // group already exists -> do not overwrite
+		}
+
 		if err := s.repo.WriteGroup(context.Background(), &groups[i]); err != nil {
 			return err
 		}
--- a/deployments/examples/cs3_users_ocis/.env
+++ b/deployments/examples/cs3_users_ocis/.env
@@ -17,6 +17,8 @@ TRAEFIK_ACME_MAIL=
 OCIS_DOCKER_TAG=
 # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
 OCIS_DOMAIN=
+# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+OCIS_JWT_SECRET=


 ### LDAP server settings ###
--- a/deployments/examples/cs3_users_ocis/docker-compose.yml
+++ b/deployments/examples/cs3_users_ocis/docker-compose.yml
@@ -51,14 +51,14 @@ services:
    environment:
      # CS3 users from ldap specific configuration
      PROXY_CONFIG_FILE: "/config/proxy-config.json"
-      LDAP_FILTER: "(&(objectclass=inetOrgPerson)(objectClass=owncloud))"
-      LDAP_URI: ldap://ldap-server:389
-      LDAP_BINDDN: "cn=admin,dc=owncloud,dc=com"
-      LDAP_BINDPW: ${LDAP_ADMIN_PASSWORD:-admin}
-      LDAP_BASEDN: "dc=owncloud,dc=com"
-      LDAP_LOGIN_ATTRIBUTE: uid
-      LDAP_UUID_ATTRIBUTE: "ownclouduuid"
-      LDAP_UUID_ATTRIBUTE_TYPE: binary
+      IDP_LDAP_FILTER: "(&(objectclass=inetOrgPerson)(objectClass=owncloud))"
+      IDP_LDAP_URI: ldap://ldap-server:389
+      IDP_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
+      IDP_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      IDP_LDAP_BASE_DN: "dc=owncloud,dc=com"
+      IDP_LDAP_LOGIN_ATTRIBUTE: uid
+      IDP_LDAP_UUID_ATTRIBUTE: "ownclouduuid"
+      IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary
      PROXY_ACCOUNT_BACKEND_TYPE: cs3
      STORAGE_LDAP_HOSTNAME: ldap-server
      STORAGE_LDAP_PORT: 636
@@ -74,6 +74,8 @@ services:
      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
      PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
+      # change default secrets
+      OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
    volumes:
      - ./config/ocis/proxy-config.json:/config/proxy-config.json
      - ocis-data:/var/tmp/ocis
--- a/deployments/examples/ocis_keycloak/.env
+++ b/deployments/examples/ocis_keycloak/.env
@@ -19,6 +19,12 @@ OCIS_DOCKER_TAG=
 OCIS_DOMAIN=
 # owncloud Web openid connect client id. Defaults to "web"
 OCIS_OIDC_CLIENT_ID=
+# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
+IDP_LDAP_BIND_PASSWORD=
+# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
+STORAGE_LDAP_BIND_PASSWORD=
+# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+OCIS_JWT_SECRET=

 ### Keycloak ###
 # Domain of Keycloak, where you can find the managment and authentication frontend. Defaults to "keycloak.owncloud.test"
--- a/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh
+++ b/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -evx
+
+ocis server&
+sleep 10
+
+echo "##################################################"
+echo "change default secrets:"
+
+# IDP
+IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo "  IDP user UUID: $IDP_USER_UUID"
+ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID
+
+# REVA
+REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo "  Reva user UUID: $REVA_USER_UUID"
+ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID
+
+killall ocis
+echo "default serets changed"
+echo "##################################################"
+
+ocis server
--- a/deployments/examples/ocis_keycloak/docker-compose.yml
+++ b/deployments/examples/ocis_keycloak/docker-compose.yml
@@ -47,6 +47,9 @@ services:
    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
    networks:
      ocis-net:
+    entrypoint:
+      - /bin/sh
+      - /entrypoint-override.sh
    environment:
      # Keycloak IDP specific configuration
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
@@ -60,7 +63,12 @@ services:
      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
      PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
+      # change default secrets
+      IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
+      STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
+      OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
    volumes:
+      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
      - ocis-data:/var/tmp/ocis
    labels:
      - "traefik.enable=true"
--- a/deployments/examples/ocis_traefik/.env
+++ b/deployments/examples/ocis_traefik/.env
@@ -17,7 +17,12 @@ TRAEFIK_ACME_MAIL=
 OCIS_DOCKER_TAG=
 # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
 OCIS_DOMAIN=
-
+# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
+IDP_LDAP_BIND_PASSWORD=
+# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
+STORAGE_LDAP_BIND_PASSWORD=
+# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+OCIS_JWT_SECRET=

 # If you want to use debugging and tracing with this stack,
 # you need uncomment following line. Please see documentation at
--- a/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh
+++ b/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -evx
+
+ocis server&
+sleep 10
+
+echo "##################################################"
+echo "change default secrets:"
+
+# IDP
+IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo "  IDP user UUID: $IDP_USER_UUID"
+ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID
+
+# REVA
+REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo "  Reva user UUID: $REVA_USER_UUID"
+ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID
+
+killall ocis
+echo "default serets changed"
+echo "##################################################"
+
+ocis server
--- a/deployments/examples/ocis_traefik/docker-compose.yml
+++ b/deployments/examples/ocis_traefik/docker-compose.yml
@@ -46,11 +46,19 @@ services:
    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
    networks:
      ocis-net:
+    entrypoint:
+      - /bin/sh
+      - /entrypoint-override.sh
    environment:
      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
      PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
+      # change default secrets
+      IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
+      STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
+      OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
    volumes:
+      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
      - ocis-data:/var/tmp/ocis
    labels:
      - "traefik.enable=true"
--- a/idp/pkg/config/config.go
+++ b/idp/pkg/config/config.go
@@ -28,6 +28,21 @@ type HTTP struct {
 	TLS     bool
 }

+// Ldap defines the available LDAP configuration.
+type Ldap struct {
+	URI               string
+	BindDN            string
+	BindPassword      string
+	BaseDN            string
+	Scope             string
+	LoginAttribute    string
+	EmailAttribute    string
+	NameAttribute     string
+	UUIDAttribute     string
+	UUIDAttributeType string
+	Filter            string
+}
+
 // Service defines the available service configuration.
 type Service struct {
 	Name      string
@@ -51,14 +66,15 @@ type Asset struct {

 // Config combines all available configuration parts.
 type Config struct {
-	File     string
-	Log      Log
-	Debug    Debug
-	HTTP     HTTP
-	Tracing  Tracing
-	Asset    Asset
-	IDP bootstrap.Config
-	Service  Service
+	File    string
+	Log     Log
+	Debug   Debug
+	HTTP    HTTP
+	Tracing Tracing
+	Asset   Asset
+	IDP     bootstrap.Config
+	Ldap    Ldap
+	Service Service
 }

 // New initializes a new configuration with or without defaults.
--- a/idp/pkg/flagset/flagset.go
+++ b/idp/pkg/flagset/flagset.go
@@ -150,6 +150,83 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"IDP_IDENTITY_MANAGER"},
 			Destination: &cfg.IDP.IdentityManager,
 		},
+		&cli.StringFlag{
+			Name:        "ldap-uri",
+			Value:       "ldap://localhost:9125",
+			Usage:       "URI of the LDAP server (glauth)",
+			EnvVars:     []string{"IDP_LDAP_URI"},
+			Destination: &cfg.Ldap.URI,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-bind-dn",
+			Value:       "cn=idp,ou=sysusers,dc=example,dc=org",
+			Usage:       "Bind DN for the LDAP server (glauth)",
+			EnvVars:     []string{"IDP_LDAP_BIND_DN"},
+			Destination: &cfg.Ldap.BindDN,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-bind-password",
+			Value:       "idp",
+			Usage:       "Password for the Bind DN of the LDAP server (glauth)",
+			EnvVars:     []string{"IDP_LDAP_BIND_PASSWORD"},
+			Destination: &cfg.Ldap.BindPassword,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-base-dn",
+			Value:       "ou=users,dc=example,dc=org",
+			Usage:       "LDAP base DN of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_BASE_DN"},
+			Destination: &cfg.Ldap.BaseDN,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-scope",
+			Value:       "sub",
+			Usage:       "LDAP scope of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_SCOPE"},
+			Destination: &cfg.Ldap.Scope,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-login-attribute",
+			Value:       "cn",
+			Usage:       "LDAP login attribute of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_LOGIN_ATTRIBUTE"},
+			Destination: &cfg.Ldap.LoginAttribute,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-email-attribute",
+			Value:       "mail",
+			Usage:       "LDAP email attribute of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_EMAIL_ATTRIBUTE"},
+			Destination: &cfg.Ldap.EmailAttribute,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-name-attribute",
+			Value:       "sn",
+			Usage:       "LDAP name attribute of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_NAME_ATTRIBUTE"},
+			Destination: &cfg.Ldap.NameAttribute,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-uuid-attribute",
+			Value:       "uid",
+			Usage:       "LDAP UUID attribute of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_UUID_ATTRIBUTE"},
+			Destination: &cfg.Ldap.UUIDAttribute,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-uuid-attribute-type",
+			Value:       "text",
+			Usage:       "LDAP UUID attribute type of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_UUID_ATTRIBUTE_TYPE"},
+			Destination: &cfg.Ldap.UUIDAttributeType,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-filter",
+			Value:       "(objectClass=posixaccount)",
+			Usage:       "LDAP filter of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_FILTER"},
+			Destination: &cfg.Ldap.Filter,
+		},
 		&cli.StringFlag{
 			Name:        "transport-tls-cert",
 			Value:       "",
--- a/idp/pkg/service/v0/service.go
+++ b/idp/pkg/service/v0/service.go
@@ -38,7 +38,7 @@ func NewService(opts ...Option) Service {
 		assets.Config(options.Config),
 	)

-	if err := initKonnectInternalEnvVars(); err != nil {
+	if err := initKonnectInternalEnvVars(&options.Config.Ldap); err != nil {
 		logger.Fatal().Err(err).Msg("could not initialize env vars")
 	}

@@ -110,26 +110,24 @@ func createConfigsIfNotExist(assets http.FileSystem, ocisURL string) error {
 }

 // Init vars which are currently not accessible via idp api
-func initKonnectInternalEnvVars() error {
+func initKonnectInternalEnvVars(ldap *config.Ldap) error {
 	var defaults = map[string]string{
-		"LDAP_URI":                 "ldap://localhost:9125",
-		"LDAP_BINDDN":              "cn=idp,ou=sysusers,dc=example,dc=org",
-		"LDAP_BINDPW":              "idp",
-		"LDAP_BASEDN":              "ou=users,dc=example,dc=org",
-		"LDAP_SCOPE":               "sub",
-		"LDAP_LOGIN_ATTRIBUTE":     "cn",
-		"LDAP_EMAIL_ATTRIBUTE":     "mail",
-		"LDAP_NAME_ATTRIBUTE":      "sn",
-		"LDAP_UUID_ATTRIBUTE":      "uid",
-		"LDAP_UUID_ATTRIBUTE_TYPE": "text",
-		"LDAP_FILTER":              "(objectClass=posixaccount)",
+		"LDAP_URI":                 ldap.URI,
+		"LDAP_BINDDN":              ldap.BindDN,
+		"LDAP_BINDPW":              ldap.BindPassword,
+		"LDAP_BASEDN":              ldap.BaseDN,
+		"LDAP_SCOPE":               ldap.Scope,
+		"LDAP_LOGIN_ATTRIBUTE":     ldap.LoginAttribute,
+		"LDAP_EMAIL_ATTRIBUTE":     ldap.EmailAttribute,
+		"LDAP_NAME_ATTRIBUTE":      ldap.NameAttribute,
+		"LDAP_UUID_ATTRIBUTE":      ldap.UUIDAttribute,
+		"LDAP_UUID_ATTRIBUTE_TYPE": ldap.UUIDAttributeType,
+		"LDAP_FILTER":              ldap.Filter,
 	}

 	for k, v := range defaults {
-		if _, exists := os.LookupEnv(k); !exists {
-			if err := os.Setenv(k, v); err != nil {
-				return fmt.Errorf("could not set env var %s=%s", k, v)
-			}
+		if err := os.Setenv(k, v); err != nil {
+			return fmt.Errorf("could not set env var %s=%s", k, v)
 		}
 	}

--- a/ocis/pkg/config/config.go
+++ b/ocis/pkg/config/config.go
@@ -75,7 +75,7 @@ type Config struct {
 	Graph         *graph.Config
 	GraphExplorer *graphExplorer.Config
 	Hello         *hello.Config
-	IDP      	  *idp.Config
+	IDP           *idp.Config
 	OCS           *ocs.Config
 	Onlyoffice    *onlyoffice.Config
 	Web           *web.Config
@@ -96,7 +96,7 @@ func New() *Config {
 		Graph:         graph.New(),
 		GraphExplorer: graphExplorer.New(),
 		Hello:         hello.New(),
-		IDP:      	   idp.New(),
+		IDP:           idp.New(),
 		OCS:           ocs.New(),
 		Onlyoffice:    onlyoffice.New(),
 		Web:           web.New(),
--- a/ocis/pkg/flagset/flagset.go
+++ b/ocis/pkg/flagset/flagset.go
@@ -74,7 +74,7 @@ func RootWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "jwt-secret",
 			Value:       "Pive-Fumkiu4",
 			Usage:       "Used to dismantle the access token, should equal reva's jwt-secret",
-			EnvVars:     []string{"OCIS_JWT_SECRET"},
+			EnvVars:     []string{"OCIS_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.TokenManager.JWTSecret,
 		},
 	}
--- a/ocs/pkg/flagset/flagset.go
+++ b/ocs/pkg/flagset/flagset.go
@@ -149,7 +149,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "jwt-secret",
 			Value:       "Pive-Fumkiu4",
 			Usage:       "Used to dismantle the access token, should equal reva's jwt-secret",
-			EnvVars:     []string{"OCS_JWT_SECRET"},
+			EnvVars:     []string{"OCS_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.TokenManager.JWTSecret,
 		},
 	}
--- a/proxy/pkg/flagset/flagset.go
+++ b/proxy/pkg/flagset/flagset.go
@@ -175,7 +175,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "jwt-secret",
 			Value:       "Pive-Fumkiu4",
 			Usage:       "Used to create JWT to talk to reva, should equal reva's jwt-secret",
-			EnvVars:     []string{"PROXY_JWT_SECRET"},
+			EnvVars:     []string{"PROXY_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.TokenManager.JWTSecret,
 		},
 		&cli.StringFlag{
--- a/settings/pkg/flagset/flagset.go
+++ b/settings/pkg/flagset/flagset.go
@@ -182,7 +182,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "jwt-secret",
 			Value:       "Pive-Fumkiu4",
 			Usage:       "Used to create JWT to talk to reva, should equal reva's jwt-secret",
-			EnvVars:     []string{"SETTINGS_JWT_SECRET"},
+			EnvVars:     []string{"SETTINGS_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.TokenManager.JWTSecret,
 		},
 	}
--- a/storage/pkg/flagset/secret.go
+++ b/storage/pkg/flagset/secret.go
@@ -12,7 +12,7 @@ func SecretWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "jwt-secret",
 			Value:       "Pive-Fumkiu4",
 			Usage:       "Shared jwt secret for reva service communication",
-			EnvVars:     []string{"STORAGE_JWT_SECRET"},
+			EnvVars:     []string{"STORAGE_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.Reva.JWTSecret,
 		},
 	}