Add config to skip encoding user groups in reva tokens

changelog/unreleased/reva-tokens-skip-groups-config.md

@@ -0,0 +1,3 @@
+Enhancement: Add config to skip encoding user groups in reva tokens
+
+https://github.com/owncloud/ocis/pull/2529

proxy/pkg/user/backend/cs3.go

@@ -37,7 +37,7 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w
 	}
 
 	res, err := c.authProvider.Authenticate(ctx, &gateway.AuthenticateRequest{
-		Type:         "machine",
+		Type:         "bearer",
 		ClientId:     value,
 		ClientSecret: c.machineAuthAPIKey,
 	})

storage/pkg/command/appprovider.go

@@ -91,8 +91,9 @@ func appProviderConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]
 			"tracing_service_name": c.Command.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.Reva.JWTSecret,
-			"gatewaysvc": cfg.Reva.Gateway.Endpoint,
+			"jwt_secret":                cfg.Reva.JWTSecret,
+			"gatewaysvc":                cfg.Reva.Gateway.Endpoint,
+			"skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.Reva.AppProvider.GRPCNetwork,

storage/pkg/command/authbasic.go

@@ -102,8 +102,9 @@ func authBasicConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]in
 			"tracing_service_name": c.Command.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.Reva.JWTSecret,
-			"gatewaysvc": cfg.Reva.Gateway.Endpoint,
+			"jwt_secret":                cfg.Reva.JWTSecret,
+			"gatewaysvc":                cfg.Reva.Gateway.Endpoint,
+			"skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.Reva.AuthBasic.GRPCNetwork,

storage/pkg/command/authbearer.go

@@ -93,8 +93,9 @@ func authBearerConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]i
 			"tracing_service_name": c.Command.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.Reva.JWTSecret,
-			"gatewaysvc": cfg.Reva.Gateway.Endpoint,
+			"jwt_secret":                cfg.Reva.JWTSecret,
+			"gatewaysvc":                cfg.Reva.Gateway.Endpoint,
+			"skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.Reva.AuthBearer.GRPCNetwork,
@@ -113,7 +114,8 @@ func authBearerConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]i
 							"gatewaysvc": cfg.Reva.Gateway.Endpoint,
 						},
 						"machine": map[string]interface{}{
-							"api_key": cfg.Reva.AuthBearerConfig.MachineAuthAPIKey,
+							"api_key":      cfg.Reva.AuthBearerConfig.MachineAuthAPIKey,
+							"gateway_addr": cfg.Reva.Gateway.Endpoint,
 						},
 					},
 				},

storage/pkg/command/frontend.go

@@ -149,8 +149,9 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s
 			"tracing_service_name": c.Command.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.Reva.JWTSecret,
-			"gatewaysvc": cfg.Reva.Gateway.Endpoint, // Todo or address?
+			"jwt_secret":                cfg.Reva.JWTSecret,
+			"gatewaysvc":                cfg.Reva.Gateway.Endpoint, // Todo or address?
+			"skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 		},
 		"http": map[string]interface{}{
 			"network": cfg.Reva.Frontend.HTTPNetwork,

storage/pkg/command/gateway.go

@@ -124,8 +124,9 @@ func gatewayConfigFromStruct(c *cli.Context, cfg *config.Config, logger log.Logg
 			"tracing_service_name": c.Command.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.Reva.JWTSecret,
-			"gatewaysvc": cfg.Reva.Gateway.Endpoint,
+			"jwt_secret":                cfg.Reva.JWTSecret,
+			"gatewaysvc":                cfg.Reva.Gateway.Endpoint,
+			"skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.Reva.Gateway.GRPCNetwork,

storage/pkg/command/groups.go

@@ -102,8 +102,9 @@ func groupsConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]inter
 			"tracing_service_name": c.Command.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.Reva.JWTSecret,
-			"gatewaysvc": cfg.Reva.Gateway.Endpoint,
+			"jwt_secret":                cfg.Reva.JWTSecret,
+			"gatewaysvc":                cfg.Reva.Gateway.Endpoint,
+			"skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.Reva.Groups.GRPCNetwork,

storage/pkg/command/sharing.go

@@ -112,8 +112,9 @@ func sharingConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]inte
 			"tracing_service_name": c.Command.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.Reva.JWTSecret,
-			"gatewaysvc": cfg.Reva.Gateway.Endpoint,
+			"jwt_secret":                cfg.Reva.JWTSecret,
+			"gatewaysvc":                cfg.Reva.Gateway.Endpoint,
+			"skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.Reva.Sharing.GRPCNetwork,

storage/pkg/command/storagehome.go

@@ -98,8 +98,9 @@ func storageHomeConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]
 			"tracing_service_name": c.Command.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.Reva.JWTSecret,
-			"gatewaysvc": cfg.Reva.Gateway.Endpoint,
+			"jwt_secret":                cfg.Reva.JWTSecret,
+			"gatewaysvc":                cfg.Reva.Gateway.Endpoint,
+			"skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.Reva.StorageHome.GRPCNetwork,

storage/pkg/command/storagemetadata.go

@@ -120,8 +120,9 @@ func storageMetadataFromStruct(c *cli.Context, cfg *config.Config) map[string]in
 			"tracing_service_name": c.Command.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.Reva.JWTSecret,
-			"gatewaysvc": cfg.Reva.Gateway.Endpoint,
+			"jwt_secret":                cfg.Reva.JWTSecret,
+			"gatewaysvc":                cfg.Reva.Gateway.Endpoint,
+			"skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.Reva.StorageMetadata.GRPCNetwork,

storage/pkg/command/storagepubliclink.go

@@ -88,8 +88,9 @@ func storagePublicLinkConfigFromStruct(c *cli.Context, cfg *config.Config) map[s
 			"tracing_service_name": c.Command.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.Reva.JWTSecret,
-			"gatewaysvc": cfg.Reva.Gateway.Endpoint,
+			"jwt_secret":                cfg.Reva.JWTSecret,
+			"gatewaysvc":                cfg.Reva.Gateway.Endpoint,
+			"skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.Reva.StoragePublicLink.GRPCNetwork,

storage/pkg/command/storageusers.go

@@ -98,8 +98,9 @@ func storageUsersConfigFromStruct(c *cli.Context, cfg *config.Config) map[string
 			"tracing_service_name": c.Command.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.Reva.JWTSecret,
-			"gatewaysvc": cfg.Reva.Gateway.Endpoint,
+			"jwt_secret":                cfg.Reva.JWTSecret,
+			"gatewaysvc":                cfg.Reva.Gateway.Endpoint,
+			"skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.Reva.StorageUsers.GRPCNetwork,

storage/pkg/command/users.go

@@ -109,8 +109,9 @@ func usersConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]interf
 			"tracing_service_name": c.Command.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.Reva.JWTSecret,
-			"gatewaysvc": cfg.Reva.Gateway.Endpoint,
+			"jwt_secret":                cfg.Reva.JWTSecret,
+			"gatewaysvc":                cfg.Reva.Gateway.Endpoint,
+			"skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.Reva.Users.GRPCNetwork,

storage/pkg/config/config.go

@@ -430,17 +430,18 @@ type Archiver struct {
 // Reva defines the available reva configuration.
 type Reva struct {
 	// JWTSecret used to sign jwt tokens between services
-	JWTSecret       string
-	TransferSecret  string
-	TransferExpires int
-	OIDC            OIDC
-	LDAP            LDAP
-	UserGroupRest   UserGroupRest
-	UserOwnCloudSQL UserOwnCloudSQL
-	OCDav           OCDav
-	Archiver        Archiver
-	UserStorage     StorageConfig
-	MetadataStorage StorageConfig
+	JWTSecret             string
+	SkipUserGroupsInToken bool
+	TransferSecret        string
+	TransferExpires       int
+	OIDC                  OIDC
+	LDAP                  LDAP
+	UserGroupRest         UserGroupRest
+	UserOwnCloudSQL       UserOwnCloudSQL
+	OCDav                 OCDav
+	Archiver              Archiver
+	UserStorage           StorageConfig
+	MetadataStorage       StorageConfig
 	// Ports are used to configure which services to start on which port
 	Frontend          FrontendPort
 	DataGateway       DataGatewayPort

storage/pkg/flagset/secret.go

@@ -16,5 +16,12 @@ func SecretWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.Reva.JWTSecret,
 		},
+		&cli.BoolFlag{
+			Name:        "skip-user-groups-in-token",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.SkipUserGroupsInToken, false),
+			Usage:       "Whether to skip encoding user groups in reva's JWT token",
+			EnvVars:     []string{"STORAGE_SKIP_USER_GROUPS_IN_TOKEN"},
+			Destination: &cfg.Reva.SkipUserGroupsInToken,
+		},
 	}
 }