From 518e8747b2b73bc2b519bdb4925ed5d539fb230e Mon Sep 17 00:00:00 2001
From: Ishank Arora
Date: Thu, 23 Sep 2021 15:19:32 +0200
Subject: [PATCH] Add config to skip encoding user groups in reva tokens

---
 .../reva-tokens-skip-groups-config.md | 3 +++
 proxy/pkg/user/backend/cs3.go | 2 +-
 storage/pkg/command/appprovider.go | 5 ++--
 storage/pkg/command/authbasic.go | 5 ++--
 storage/pkg/command/authbearer.go | 8 ++++---
 storage/pkg/command/frontend.go | 5 ++--
 storage/pkg/command/gateway.go | 5 ++--
 storage/pkg/command/groups.go | 5 ++--
 storage/pkg/command/sharing.go | 5 ++--
 storage/pkg/command/storagehome.go | 5 ++--
 storage/pkg/command/storagemetadata.go | 5 ++--
 storage/pkg/command/storagepubliclink.go | 5 ++--
 storage/pkg/command/storageusers.go | 5 ++--
 storage/pkg/command/users.go | 5 ++--
 storage/pkg/config/config.go | 23 ++++++++++---------
 storage/pkg/flagset/secret.go | 7 ++++++
 16 files changed, 61 insertions(+), 37 deletions(-)
 create mode 100644 changelog/unreleased/reva-tokens-skip-groups-config.md

diff --git a/changelog/unreleased/reva-tokens-skip-groups-config.md b/changelog/unreleased/reva-tokens-skip-groups-config.md
new file mode 100644
index 0000000000..6620f48a20
--- /dev/null
+++ b/changelog/unreleased/reva-tokens-skip-groups-config.md
@@ -0,0 +1,3 @@
+Enhancement: Add config to skip encoding user groups in reva tokens
+
+https://github.com/owncloud/ocis/pull/2529
diff --git a/proxy/pkg/user/backend/cs3.go b/proxy/pkg/user/backend/cs3.go
index dc413919a5..3dcd9c3657 100644
--- a/proxy/pkg/user/backend/cs3.go
+++ b/proxy/pkg/user/backend/cs3.go
@@ -37,7 +37,7 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w
 }
 
 res, err := c.authProvider.Authenticate(ctx, &gateway.AuthenticateRequest{
- Type: "machine",
+ Type: "bearer",
 ClientId: value,
 ClientSecret: c.machineAuthAPIKey,
 })
diff --git a/storage/pkg/command/appprovider.go b/storage/pkg/command/appprovider.go
index 2989f7c39a..1a8b9e5d95 100644
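Review bot: The `Type` change from `"machine"` to `"bearer"` on the AuthenticateRequest alters how the proxy authenticates its user lookup, yet neither the commit subject nor the changelog entry mentions it, and no comment explains why the machine auth API key in `ClientSecret` is now sent under the bearer type. A comment such as `// machineAuthAPIKey is sent as the secret of a "bearer"-typed request; presumably served by the auth bearer service's "machine" section (see authbearer.go) — confirm` would tie the two hunks together, and the changelog should state the change explicitly since operators may audit which auth path the proxy uses. GetUserByClaims starts before the hunk and continues after it.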
--- a/storage/pkg/command/appprovider.go
+++ b/storage/pkg/command/appprovider.go
@@ -91,8 +91,9 @@ func appProviderConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]
 "tracing_service_name": c.Command.Name,
 },
 "shared": map[string]interface{}{
- "jwt_secret": cfg.Reva.JWTSecret,
- "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "jwt_secret": cfg.Reva.JWTSecret,
+ "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 },
 "grpc": map[string]interface{}{
 "network": cfg.Reva.AppProvider.GRPCNetwork,
diff --git a/storage/pkg/command/authbasic.go b/storage/pkg/command/authbasic.go
index 3a3d227db0..840963058d 100644
--- a/storage/pkg/command/authbasic.go
+++ b/storage/pkg/command/authbasic.go
@@ -102,8 +102,9 @@ func authBasicConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]in
 "tracing_service_name": c.Command.Name,
 },
 "shared": map[string]interface{}{
- "jwt_secret": cfg.Reva.JWTSecret,
- "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "jwt_secret": cfg.Reva.JWTSecret,
+ "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 },
 "grpc": map[string]interface{}{
 "network": cfg.Reva.AuthBasic.GRPCNetwork,
diff --git a/storage/pkg/command/authbearer.go b/storage/pkg/command/authbearer.go
index b3937ed11f..94e0023ff3 100644
--- a/storage/pkg/command/authbearer.go
+++ b/storage/pkg/command/authbearer.go
@@ -93,8 +93,9 @@ func authBearerConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]i
 "tracing_service_name": c.Command.Name,
 },
 "shared": map[string]interface{}{
- "jwt_secret": cfg.Reva.JWTSecret,
- "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "jwt_secret": cfg.Reva.JWTSecret,
+ "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 },
 "grpc": map[string]interface{}{
 "network": cfg.Reva.AuthBearer.GRPCNetwork,
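Review bot: The three `shared` entries (`jwt_secret`, `gatewaysvc`, `skip_user_groups_in_token`) are now copied verbatim into twelve `*ConfigFromStruct` functions — appprovider, authbasic, authbearer, frontend, gateway, groups, sharing, storagehome, storagemetadata, storagepubliclink, storageusers and users — which is exactly why this commit has to touch every one of them. Because the new key decides what goes into the signed JWT these services exchange, a copy that drifts or a future service that omits the key could end up issuing or expecting tokens of a different shape than its peers, and nothing would flag it. A single helper in the command package that builds the `shared` map, used by every `*ConfigFromStruct`, keeps them in lockstep (the `// Todo or address?` remark in frontend.go would move there). appProviderConfigFromStruct starts before the hunk and continues after it, as do the other eleven.
```go
// revaSharedConfig builds the "shared" section that every storage command hands to reva,
// so the JWT settings (secret, gateway, group encoding) cannot drift between services.
func revaSharedConfig(cfg *config.Config) map[string]interface{} {
	return map[string]interface{}{
		"jwt_secret":                cfg.Reva.JWTSecret,
		"gatewaysvc":                cfg.Reva.Gateway.Endpoint,
		"skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
	}
}

// … unchanged: appProviderConfigFromStruct, with "shared": revaSharedConfig(cfg), …
```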
@@ -113,7 +114,8 @@ func authBearerConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]i
 "gatewaysvc": cfg.Reva.Gateway.Endpoint,
 },
 "machine": map[string]interface{}{
- "api_key": cfg.Reva.AuthBearerConfig.MachineAuthAPIKey,
+ "api_key": cfg.Reva.AuthBearerConfig.MachineAuthAPIKey,
+ "gateway_addr": cfg.Reva.Gateway.Endpoint,
 },
 },
 },
diff --git a/storage/pkg/command/frontend.go b/storage/pkg/command/frontend.go
index 925c115d25..9e14b53de5 100644
--- a/storage/pkg/command/frontend.go
+++ b/storage/pkg/command/frontend.go
@@ -149,8 +149,9 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s
 "tracing_service_name": c.Command.Name,
 },
 "shared": map[string]interface{}{
- "jwt_secret": cfg.Reva.JWTSecret,
- "gatewaysvc": cfg.Reva.Gateway.Endpoint, // Todo or address?
+ "jwt_secret": cfg.Reva.JWTSecret,
+ "gatewaysvc": cfg.Reva.Gateway.Endpoint, // Todo or address?
+ "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 },
 "http": map[string]interface{}{
 "network": cfg.Reva.Frontend.HTTPNetwork,
diff --git a/storage/pkg/command/gateway.go b/storage/pkg/command/gateway.go
index 7008fbbd1e..d8a363d759 100644
--- a/storage/pkg/command/gateway.go
+++ b/storage/pkg/command/gateway.go
@@ -124,8 +124,9 @@ func gatewayConfigFromStruct(c *cli.Context, cfg *config.Config, logger log.Logg
 "tracing_service_name": c.Command.Name,
 },
 "shared": map[string]interface{}{
- "jwt_secret": cfg.Reva.JWTSecret,
- "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "jwt_secret": cfg.Reva.JWTSecret,
+ "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 },
 "grpc": map[string]interface{}{
 "network": cfg.Reva.Gateway.GRPCNetwork,
diff --git a/storage/pkg/command/groups.go b/storage/pkg/command/groups.go
index c9c35394f4..e3758080f7 100644
--- a/storage/pkg/command/groups.go
+++ b/storage/pkg/command/groups.go
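Review bot: The new `gateway_addr` entry hands the `machine` auth section the same `cfg.Reva.Gateway.Endpoint` that the surrounding config already passes as `gatewaysvc` (visible as context two lines above), and nothing records why the machine auth manager needs its own copy. A one-line comment, `// gateway_addr: required by reva's machine auth manager in addition to shared.gatewaysvc — TODO confirm why`, would stop the next reader from removing it as a duplicate; it presumably pairs with the proxy's cs3 backend now presenting its machine API key through a bearer-typed Authenticate request, but that link is not stated anywhere in the patch. authBearerConfigFromStruct starts before the hunk and ends after it.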
@@ -102,8 +102,9 @@ func groupsConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]inter
 "tracing_service_name": c.Command.Name,
 },
 "shared": map[string]interface{}{
- "jwt_secret": cfg.Reva.JWTSecret,
- "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "jwt_secret": cfg.Reva.JWTSecret,
+ "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 },
 "grpc": map[string]interface{}{
 "network": cfg.Reva.Groups.GRPCNetwork,
diff --git a/storage/pkg/command/sharing.go b/storage/pkg/command/sharing.go
index 354bb0d643..50f50c64b6 100644
--- a/storage/pkg/command/sharing.go
+++ b/storage/pkg/command/sharing.go
@@ -112,8 +112,9 @@ func sharingConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]inte
 "tracing_service_name": c.Command.Name,
 },
 "shared": map[string]interface{}{
- "jwt_secret": cfg.Reva.JWTSecret,
- "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "jwt_secret": cfg.Reva.JWTSecret,
+ "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 },
 "grpc": map[string]interface{}{
 "network": cfg.Reva.Sharing.GRPCNetwork,
diff --git a/storage/pkg/command/storagehome.go b/storage/pkg/command/storagehome.go
index bcea78c22c..4df8524e9a 100644
--- a/storage/pkg/command/storagehome.go
+++ b/storage/pkg/command/storagehome.go
@@ -98,8 +98,9 @@ func storageHomeConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]
 "tracing_service_name": c.Command.Name,
 },
 "shared": map[string]interface{}{
- "jwt_secret": cfg.Reva.JWTSecret,
- "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "jwt_secret": cfg.Reva.JWTSecret,
+ "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 },
 "grpc": map[string]interface{}{
 "network": cfg.Reva.StorageHome.GRPCNetwork,
diff --git a/storage/pkg/command/storagemetadata.go b/storage/pkg/command/storagemetadata.go
index dde9a6aa5c..c27b27a424 100644
--- a/storage/pkg/command/storagemetadata.go
+++ b/storage/pkg/command/storagemetadata.go
@@ -120,8 +120,9 @@ func storageMetadataFromStruct(c *cli.Context, cfg *config.Config) map[string]in
 "tracing_service_name": c.Command.Name,
 },
 "shared": map[string]interface{}{
- "jwt_secret": cfg.Reva.JWTSecret,
- "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "jwt_secret": cfg.Reva.JWTSecret,
+ "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 },
 "grpc": map[string]interface{}{
 "network": cfg.Reva.StorageMetadata.GRPCNetwork,
diff --git a/storage/pkg/command/storagepubliclink.go b/storage/pkg/command/storagepubliclink.go
index d222717776..d90b971fc0 100644
--- a/storage/pkg/command/storagepubliclink.go
+++ b/storage/pkg/command/storagepubliclink.go
@@ -88,8 +88,9 @@ func storagePublicLinkConfigFromStruct(c *cli.Context, cfg *config.Config) map[s
 "tracing_service_name": c.Command.Name,
 },
 "shared": map[string]interface{}{
- "jwt_secret": cfg.Reva.JWTSecret,
- "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "jwt_secret": cfg.Reva.JWTSecret,
+ "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 },
 "grpc": map[string]interface{}{
 "network": cfg.Reva.StoragePublicLink.GRPCNetwork,
diff --git a/storage/pkg/command/storageusers.go b/storage/pkg/command/storageusers.go
index 85b1dfd95b..6f01defad9 100644
--- a/storage/pkg/command/storageusers.go
+++ b/storage/pkg/command/storageusers.go
@@ -98,8 +98,9 @@ func storageUsersConfigFromStruct(c *cli.Context, cfg *config.Config) map[string
 "tracing_service_name": c.Command.Name,
 },
 "shared": map[string]interface{}{
- "jwt_secret": cfg.Reva.JWTSecret,
- "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "jwt_secret": cfg.Reva.JWTSecret,
+ "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 },
 "grpc": map[string]interface{}{
 "network": cfg.Reva.StorageUsers.GRPCNetwork,
diff --git a/storage/pkg/command/users.go b/storage/pkg/command/users.go
index d01757ae81..2f4c3e87cc 100644
--- a/storage/pkg/command/users.go
+++ b/storage/pkg/command/users.go
@@ -109,8 +109,9 @@ func usersConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]interf
 "tracing_service_name": c.Command.Name,
 },
 "shared": map[string]interface{}{
- "jwt_secret": cfg.Reva.JWTSecret,
- "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "jwt_secret": cfg.Reva.JWTSecret,
+ "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
 },
 "grpc": map[string]interface{}{
 "network": cfg.Reva.Users.GRPCNetwork,
diff --git a/storage/pkg/config/config.go b/storage/pkg/config/config.go
index 42426f5cae..c05e689907 100644
--- a/storage/pkg/config/config.go
+++ b/storage/pkg/config/config.go
@@ -430,17 +430,18 @@ type Archiver struct {
 // Reva defines the available reva configuration.
 type Reva struct {
 // JWTSecret used to sign jwt tokens between services
- JWTSecret string
- TransferSecret string
- TransferExpires int
- OIDC OIDC
- LDAP LDAP
- UserGroupRest UserGroupRest
- UserOwnCloudSQL UserOwnCloudSQL
- OCDav OCDav
- Archiver Archiver
- UserStorage StorageConfig
- MetadataStorage StorageConfig
+ JWTSecret string
+ SkipUserGroupsInToken bool
+ TransferSecret string
+ TransferExpires int
+ OIDC OIDC
+ LDAP LDAP
+ UserGroupRest UserGroupRest
+ UserOwnCloudSQL UserOwnCloudSQL
+ OCDav OCDav
+ Archiver Archiver
+ UserStorage StorageConfig
+ MetadataStorage StorageConfig
 // Ports are used to configure which services to start on which port
 Frontend FrontendPort
 DataGateway DataGatewayPort
diff --git a/storage/pkg/flagset/secret.go b/storage/pkg/flagset/secret.go
index 2519caa61a..8504bd56b1 100644
--- a/storage/pkg/flagset/secret.go
+++ b/storage/pkg/flagset/secret.go
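Review bot: `SkipUserGroupsInToken` is added to the Reva struct without a doc comment although its neighbour `JWTSecret` has one, and it is the field that decides what the signed token carries, so readers of the config should not have to find the flag's Usage string to learn that. Suggest `// SkipUserGroupsInToken leaves the user's group memberships out of reva's JWT tokens (handed to each storage service as shared.skip_user_groups_in_token).` Inserting the bool between `JWTSecret` and `TransferSecret` is also what forces gofmt to realign all eleven other fields; appending it after `MetadataStorage` would make the hunk a one-line addition and keep blame history on the rest. The Reva struct starts before the hunk and continues after it.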
@@ -16,5 +16,12 @@ func SecretWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"STORAGE_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.Reva.JWTSecret,
 },
+ &cli.BoolFlag{
+ Name: "skip-user-groups-in-token",
+ Value: flags.OverrideDefaultBool(cfg.Reva.SkipUserGroupsInToken, false),
+ Usage: "Whether to skip encoding user groups in reva's JWT token",
+ EnvVars: []string{"STORAGE_SKIP_USER_GROUPS_IN_TOKEN"},
+ Destination: &cfg.Reva.SkipUserGroupsInToken,
+ },
 }
 }
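Review bot: The new BoolFlag is registered in `SecretWithConfig` next to the JWT secret although it is not a secret, and unlike `STORAGE_JWT_SECRET`, which also accepts an `OCIS_`-prefixed variable, it is only settable per storage process through `STORAGE_SKIP_USER_GROUPS_IN_TOKEN`. If the storage services run as separate processes with separate environments, one of them left at the default would presumably issue or consume tokens of a different shape than the rest, and the Usage text says nothing about that. Suggest `Usage: "Whether to skip encoding user groups in reva's JWT token; set it the same way for every service that shares the JWT secret"`, and consider moving the flag out of the secret flagset into a token-settings group. SecretWithConfig starts before the hunk; the hunk ends at its closing brace.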