mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-05-04 10:00:10 -05:00
Code Issues Packages Projects Releases Wiki Activity

feat!: Make the url signing secret a mandatory config option

Browse Source 
This is required for allowing the web office to download images to
insert into documents.

The secret is generated by `opencloud init` and the server refuses
to start now without a secret being set. (Breaking Change)

Also the setting is now moved to the shared options as all involved
services need the same secret to work properly.

Related: https://github.com/opencloud-eu/web/issues/704
This commit is contained in:
Ralf Haferkamp
2025-10-29 12:06:44 +01:00
committed by Ralf Haferkamp
parent 589cee4ab3
commit 37609e52df
12 changed files with 54 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
services/proxy/pkg/command/server.go
+4 -8
View File
@@ -311,15 +311,11 @@ func loadMiddlewares(logger log.Logger, cfg *config.Config,
RevaGatewaySelector: gatewaySelector,
})
var signURLVerifier signedurl.Verifier
if cfg.PreSignedURL.JWTSigningSharedSecret != "" {
var err error
signURLVerifier, err = signedurl.NewJWTSignedURL(signedurl.WithSecret(cfg.PreSignedURL.JWTSigningSharedSecret))
if err != nil {
logger.Fatal().Err(err).Msg("Failed to initialize signed URL configuration.")
}
signURLVerifier, err := signedurl.NewJWTSignedURL(signedurl.WithSecret(cfg.Commons.URLSigningSecret))
if err != nil {
logger.Fatal().Err(err).Msg("Failed to initialize signed URL configuration.")
}
authenticators = append(authenticators, middleware.SignedURLAuthenticator{
Logger: logger,
PreSignedURLConfig: cfg.PreSignedURL,
services/proxy/pkg/config/config.go
+3 -4
View File
@@ -180,10 +180,9 @@ type StaticSelectorConf struct {
// PreSignedURL is the config for the pre-signed url middleware
type PreSignedURL struct {
AllowedHTTPMethods []string `yaml:"allowed_http_methods"`
Enabled bool `yaml:"enabled" env:"PROXY_ENABLE_PRESIGNEDURLS" desc:"Allow OCS to get a signing key to sign requests." introductionVersion:"1.0.0"`
SigningKeys *SigningKeys `yaml:"signing_keys"`
JWTSigningSharedSecret string `yaml:"url_signing_shared_secret" env:"OC_URL_SIGNING_SHARED_SECRET" desc:"The shared secret used to sign URLs." introductionVersion:"4.0.0"`
AllowedHTTPMethods []string `yaml:"allowed_http_methods"`
Enabled bool `yaml:"enabled" env:"PROXY_ENABLE_PRESIGNEDURLS" desc:"Allow OCS to get a signing key to sign requests." introductionVersion:"1.0.0"`
SigningKeys *SigningKeys `yaml:"signing_keys"`
}
// SigningKeys is a store configuration.
services/proxy/pkg/config/parser/parse.go
+5
View File
@@ -56,9 +56,14 @@ func Validate(cfg *config.Config) error {
if cfg.ServiceAccount.ServiceAccountID == "" {
return shared.MissingServiceAccountID(cfg.Service.Name)
}
if cfg.ServiceAccount.ServiceAccountSecret == "" {
return shared.MissingServiceAccountSecret(cfg.Service.Name)
}
if cfg.Commons.URLSigningSecret == "" {
return shared.MissingURLSigningSecret(cfg.Service.Name)
}
return nil
}