Merge branch 'master' into fix-2453

2026-01-05 11:51:16 -06:00 · 2021-09-03 15:35:52 +02:00
parent 84d6962d15 dff0ea4f0f
commit 8ba432e117
29 changed files with 601 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,9 @@ The following sections list the changes for unreleased.
 ## Summary

 * Change - Remove OnlyOffice extension: [#2433](https://github.com/owncloud/ocis/pull/2433)
+* Enhancement - Add app provider and app provider registry: [#2204](https://github.com/owncloud/ocis/pull/2204)
+* Enhancement - Add the create space permission: [#2461](https://github.com/owncloud/ocis/pull/2461)
+* Enhancement - Add set space quota permission: [#2459](https://github.com/owncloud/ocis/pull/2459)
 * Enhancement - Update go-chi/chi to version 5.0.3: [#2429](https://github.com/owncloud/ocis/pull/2429)
 * Enhancement - Upgrade go micro to v3.6.0: [#2451](https://github.com/owncloud/ocis/pull/2451)

@@ -23,6 +26,26 @@ The following sections list the changes for unreleased.

   https://github.com/owncloud/ocis/pull/2433

+* Enhancement - Add app provider and app provider registry: [#2204](https://github.com/owncloud/ocis/pull/2204)
+
+   We added the app provider and app provider registry. Now the CS3org WOPI server can be
+   registered and OpenInApp requests can be done.
+
+   https://github.com/owncloud/ocis/pull/2204
+   https://github.com/cs3org/reva/pull/1785
+
+* Enhancement - Add the create space permission: [#2461](https://github.com/owncloud/ocis/pull/2461)
+
+   In preparation for the upcoming spaces features a `Create Space` permission was added.
+
+   https://github.com/owncloud/ocis/pull/2461
+
+* Enhancement - Add set space quota permission: [#2459](https://github.com/owncloud/ocis/pull/2459)
+
+   In preparation for the upcoming spaces features a `SetSpaceQuota` permission was added.
+
+   https://github.com/owncloud/ocis/pull/2459
+
 * Enhancement - Update go-chi/chi to version 5.0.3: [#2429](https://github.com/owncloud/ocis/pull/2429)

   Updated go-chi/chi to the lastest release
--- a/changelog/unreleased/app-provider.md
+++ b/changelog/unreleased/app-provider.md
@@ -0,0 +1,6 @@
+Enhancement: Add app provider and app provider registry
+
+We added the app provider and app provider registry. Now the CS3org WOPI server can be registered and OpenInApp requests can be done.
+
+https://github.com/owncloud/ocis/pull/2204
+https://github.com/cs3org/reva/pull/1785
--- a/changelog/unreleased/create-space-permission.md
+++ b/changelog/unreleased/create-space-permission.md
@@ -0,0 +1,5 @@
+Enhancement: add the create space permission
+
+In preparation for the upcoming spaces features a `Create Space` permission was added.
+
+https://github.com/owncloud/ocis/pull/2461
--- a/changelog/unreleased/set-quota-permission.md
+++ b/changelog/unreleased/set-quota-permission.md
@@ -0,0 +1,5 @@
+Enhancement: add set space quota permission
+
+In preparation for the upcoming spaces features a `SetSpaceQuota` permission was added.
+
+https://github.com/owncloud/ocis/pull/2459
--- a/deployments/continuous-deployment-config/cs3_users_ocis/latest.yml
+++ b/deployments/continuous-deployment-config/cs3_users_ocis/latest.yml
@@ -17,6 +17,16 @@
    - "*.ocis-cs3-users.latest.owncloud.works"

  vars:
+    ssh_authorized_keys:
+      - https://github.com/butonic.keys
+      - https://github.com/C0rby.keys
+      - https://github.com/fschade.keys
+      - https://github.com/kulmann.keys
+      - https://github.com/micbar.keys
+      - https://github.com/pascalwengerter.keys
+      - https://github.com/paulcod3.keys
+      - https://github.com/refs.keys
+      - https://github.com/wkloucek.keys
    docker_compose_projects:
      - name: ocis
        git_url: https://github.com/owncloud/ocis.git
--- a/deployments/continuous-deployment-config/cs3_users_ocis/released.yml
+++ b/deployments/continuous-deployment-config/cs3_users_ocis/released.yml
@@ -17,6 +17,16 @@
    - "*.ocis-cs3-users.released.owncloud.works"

  vars:
+    ssh_authorized_keys:
+      - https://github.com/butonic.keys
+      - https://github.com/C0rby.keys
+      - https://github.com/fschade.keys
+      - https://github.com/kulmann.keys
+      - https://github.com/micbar.keys
+      - https://github.com/pascalwengerter.keys
+      - https://github.com/paulcod3.keys
+      - https://github.com/refs.keys
+      - https://github.com/wkloucek.keys
    docker_compose_projects:
      - name: ocis
        git_url: https://github.com/owncloud/ocis.git
--- a/deployments/continuous-deployment-config/ocis_hello/latest.yml
+++ b/deployments/continuous-deployment-config/ocis_hello/latest.yml
@@ -17,6 +17,16 @@
    - "*.ocis-s3.latest.owncloud.works"

  vars:
+    ssh_authorized_keys:
+      - https://github.com/butonic.keys
+      - https://github.com/C0rby.keys
+      - https://github.com/fschade.keys
+      - https://github.com/kulmann.keys
+      - https://github.com/micbar.keys
+      - https://github.com/pascalwengerter.keys
+      - https://github.com/paulcod3.keys
+      - https://github.com/refs.keys
+      - https://github.com/wkloucek.keys
    docker_compose_projects:
      - name: ocis
        git_url: https://github.com/owncloud/ocis.git
--- a/deployments/continuous-deployment-config/ocis_keycloak/latest.yml
+++ b/deployments/continuous-deployment-config/ocis_keycloak/latest.yml
@@ -17,6 +17,16 @@
    - "*.ocis-keycloak.latest.owncloud.works"

  vars:
+    ssh_authorized_keys:
+      - https://github.com/butonic.keys
+      - https://github.com/C0rby.keys
+      - https://github.com/fschade.keys
+      - https://github.com/kulmann.keys
+      - https://github.com/micbar.keys
+      - https://github.com/pascalwengerter.keys
+      - https://github.com/paulcod3.keys
+      - https://github.com/refs.keys
+      - https://github.com/wkloucek.keys
    docker_compose_projects:
      - name: ocis
        git_url: https://github.com/owncloud/ocis.git
--- a/deployments/continuous-deployment-config/ocis_keycloak/released.yml
+++ b/deployments/continuous-deployment-config/ocis_keycloak/released.yml
@@ -17,6 +17,16 @@
    - "*.ocis-keycloak.released.owncloud.works"

  vars:
+    ssh_authorized_keys:
+      - https://github.com/butonic.keys
+      - https://github.com/C0rby.keys
+      - https://github.com/fschade.keys
+      - https://github.com/kulmann.keys
+      - https://github.com/micbar.keys
+      - https://github.com/pascalwengerter.keys
+      - https://github.com/paulcod3.keys
+      - https://github.com/refs.keys
+      - https://github.com/wkloucek.keys
    docker_compose_projects:
      - name: ocis
        git_url: https://github.com/owncloud/ocis.git
--- a/deployments/continuous-deployment-config/ocis_s3/latest.yml
+++ b/deployments/continuous-deployment-config/ocis_s3/latest.yml
@@ -17,6 +17,16 @@
    - "*.ocis-hello.latest.owncloud.works"

  vars:
+    ssh_authorized_keys:
+      - https://github.com/butonic.keys
+      - https://github.com/C0rby.keys
+      - https://github.com/fschade.keys
+      - https://github.com/kulmann.keys
+      - https://github.com/micbar.keys
+      - https://github.com/pascalwengerter.keys
+      - https://github.com/paulcod3.keys
+      - https://github.com/refs.keys
+      - https://github.com/wkloucek.keys
    docker_compose_projects:
      - name: ocis
        git_url: https://github.com/owncloud/ocis.git
--- a/deployments/continuous-deployment-config/ocis_traefik/latest.yml
+++ b/deployments/continuous-deployment-config/ocis_traefik/latest.yml
@@ -17,6 +17,16 @@
    - "*.ocis-traefik.latest.owncloud.works"

  vars:
+    ssh_authorized_keys:
+      - https://github.com/butonic.keys
+      - https://github.com/C0rby.keys
+      - https://github.com/fschade.keys
+      - https://github.com/kulmann.keys
+      - https://github.com/micbar.keys
+      - https://github.com/pascalwengerter.keys
+      - https://github.com/paulcod3.keys
+      - https://github.com/refs.keys
+      - https://github.com/wkloucek.keys
    docker_compose_projects:
      - name: ocis
        git_url: https://github.com/owncloud/ocis.git
--- a/deployments/continuous-deployment-config/ocis_traefik/released.yml
+++ b/deployments/continuous-deployment-config/ocis_traefik/released.yml
@@ -17,6 +17,16 @@
    - "*.ocis-traefik.released.owncloud.works"

  vars:
+    ssh_authorized_keys:
+      - https://github.com/butonic.keys
+      - https://github.com/C0rby.keys
+      - https://github.com/fschade.keys
+      - https://github.com/kulmann.keys
+      - https://github.com/micbar.keys
+      - https://github.com/pascalwengerter.keys
+      - https://github.com/paulcod3.keys
+      - https://github.com/refs.keys
+      - https://github.com/wkloucek.keys
    docker_compose_projects:
      - name: ocis
        git_url: https://github.com/owncloud/ocis.git
--- a/deployments/continuous-deployment-config/ocis_wopi/latest.yml
+++ b/deployments/continuous-deployment-config/ocis_wopi/latest.yml
@@ -17,6 +17,16 @@
    - "*.ocis-wopi.latest.owncloud.works"

  vars:
+    ssh_authorized_keys:
+      - https://github.com/butonic.keys
+      - https://github.com/C0rby.keys
+      - https://github.com/fschade.keys
+      - https://github.com/kulmann.keys
+      - https://github.com/micbar.keys
+      - https://github.com/pascalwengerter.keys
+      - https://github.com/paulcod3.keys
+      - https://github.com/refs.keys
+      - https://github.com/wkloucek.keys
    docker_compose_projects:
      - name: ocis
        git_url: https://github.com/owncloud/ocis.git
--- a/deployments/continuous-deployment-config/ocis_wopi/released.yml
+++ b/deployments/continuous-deployment-config/ocis_wopi/released.yml
@@ -17,6 +17,16 @@
    - "*.ocis-wopi.released.owncloud.works"

  vars:
+    ssh_authorized_keys:
+      - https://github.com/butonic.keys
+      - https://github.com/C0rby.keys
+      - https://github.com/fschade.keys
+      - https://github.com/kulmann.keys
+      - https://github.com/micbar.keys
+      - https://github.com/pascalwengerter.keys
+      - https://github.com/paulcod3.keys
+      - https://github.com/refs.keys
+      - https://github.com/wkloucek.keys
    docker_compose_projects:
      - name: ocis
        git_url: https://github.com/owncloud/ocis.git
--- a/deployments/examples/ocis_wopi/config/ocis/proxy-config.json
+++ b/deployments/examples/ocis_wopi/config/ocis/proxy-config.json
@@ -32,6 +32,10 @@
          "endpoint": "/ocs/v[12].php/cloud/(users?|groups)",
          "backend": "http://localhost:9110"
        },
+        {
+          "endpoint": "/app/",
+          "backend": "http://localhost:9140"
+        },
        {
          "endpoint": "/ocs/",
          "backend": "http://localhost:9140"
--- a/deployments/examples/ocis_wopi/docker-compose.yml
+++ b/deployments/examples/ocis_wopi/docker-compose.yml
@@ -66,6 +66,13 @@ services:
      WEB_UI_CONFIG: "/var/tmp/ocis/.config/web-config.json"
      # proxy
      PROXY_CONFIG_FILE: "/var/tmp/ocis/.config/proxy-config.json"
+      # app provider
+      APP_PROVIDER_DRIVER: wopi
+      APP_PROVIDER_WOPI_DRIVER_APP_NAME: Collabora
+      APP_PROVIDER_WOPI_DRIVER_APP_URL: https://${COLLABORA_DOMAIN:-collabora.owncloud.test}
+      APP_PROVIDER_WOPI_DRIVER_INSECURE: "${INSECURE:-false}"
+      APP_PROVIDER_WOPI_DRIVER_IOP_SECRET: ${WOPI_IOP_SECRET:-LoremIpsum123}
+      APP_PROVIDER_WOPI_DRIVER_WOPI_URL: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
    volumes:
      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
      - ./config/ocis/web-config.dist.json:/config/web-config.dist.json
@@ -90,9 +97,6 @@ services:
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
      WOPISERVER_REVA_GATEWAY_ADDR: ocis:9142
      OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
-      WOPISERVER_WOPI_SERVER_HOST: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
-      WOPISERVER_WOPI_SERVER_IOP_SECRET: ${WOPI_IOP_SECRET:-LoremIpsum123}
-      WOPISERVER_WOPI_SERVER_INSECURE: "${INSECURE:-false}"
    logging:
      driver: "local"
    restart: always
--- a/docs/extensions/storage/ports.md
+++ b/docs/extensions/storage/ports.md
@@ -34,6 +34,8 @@ For now, the storage service uses these ports to preconfigure those services:
 | 9159      | storage users debug                           |
 | 9160      | groups                                        |
 | 9161      | groups debug                                  |
+| 9164      | storage appprovider                                   |
+| 9165      | storage appprovider debug                             |
 | 9178      | storage public link                           |
 | 9179      | storage public link data                      |
 | 9215      | storage meta grpc                             |
--- a/ocis/pkg/command/storageappprovider.go
+++ b/ocis/pkg/command/storageappprovider.go
@@ -0,0 +1,45 @@
+// +build !simple
+
+package command
+
+import (
+	"github.com/micro/cli/v2"
+	"github.com/owncloud/ocis/ocis-pkg/config"
+	"github.com/owncloud/ocis/ocis/pkg/register"
+	"github.com/owncloud/ocis/storage/pkg/command"
+	svcconfig "github.com/owncloud/ocis/storage/pkg/config"
+	"github.com/owncloud/ocis/storage/pkg/flagset"
+)
+
+// StorageAppProviderCommand is the entrypoint for the reva-app-provider command.
+func StorageAppProviderCommand(cfg *config.Config) *cli.Command {
+	return &cli.Command{
+		Name:     "storage-app-provider",
+		Usage:    "Start storage app-provider service",
+		Category: "Extensions",
+		Flags:    flagset.AppProviderWithConfig(cfg.Storage),
+		Action: func(c *cli.Context) error {
+			origCmd := command.AppProvider(configureStorageAppProvider(cfg))
+			return handleOriginalAction(c, origCmd)
+		},
+	}
+}
+
+func configureStorageAppProvider(cfg *config.Config) *svcconfig.Config {
+	cfg.Storage.Log.Level = cfg.Log.Level
+	cfg.Storage.Log.Pretty = cfg.Log.Pretty
+	cfg.Storage.Log.Color = cfg.Log.Color
+
+	if cfg.Tracing.Enabled {
+		cfg.Storage.Tracing.Enabled = cfg.Tracing.Enabled
+		cfg.Storage.Tracing.Type = cfg.Tracing.Type
+		cfg.Storage.Tracing.Endpoint = cfg.Tracing.Endpoint
+		cfg.Storage.Tracing.Collector = cfg.Tracing.Collector
+	}
+
+	return cfg.Storage
+}
+
+func init() {
+	register.AddCommand(StorageAppProviderCommand)
+}
--- a/ocis/pkg/runtime/service/service.go
+++ b/ocis/pkg/runtime/service/service.go
@@ -108,6 +108,7 @@ func NewService(options ...Option) (*Service, error) {
 	s.ServicesRegistry["storage-home"] = storage.NewStorageHome
 	s.ServicesRegistry["storage-users"] = storage.NewStorageUsers
 	s.ServicesRegistry["storage-public-link"] = storage.NewStoragePublicLink
+	s.ServicesRegistry["storage-appprovider"] = storage.NewAppProvider

 	// populate delayed services
 	s.Delayed["storage-sharing"] = storage.NewSharing
--- a/proxy/pkg/proxy/proxy.go
+++ b/proxy/pkg/proxy/proxy.go
@@ -295,6 +295,10 @@ func defaultPolicies() []config.Policy {
 					Endpoint: "/ocs/v[12].php/cloud/(users?|groups)", // we have `user`, `users` and `groups` in ocis-ocs
 					Backend:  "http://localhost:9110",
 				},
+				{
+					Endpoint: "/app/",
+					Backend:  "http://localhost:9140",
+				},
 				{
 					Endpoint: "/ocs/",
 					Backend:  "http://localhost:9140",
--- a/settings/pkg/service/v0/settings.go
+++ b/settings/pkg/service/v0/settings.go
@@ -24,6 +24,16 @@ const (
 	// SettingsManagementPermissionName is the hardcoded setting name for the settings management permission
 	SettingsManagementPermissionName string = "settings-management"

+	// SetSpaceQuotaPermissionID is the hardcoded setting UUID for the set space quota permission
+	SetSpaceQuotaPermissionID string = "4e6f9709-f9e7-44f1-95d4-b762d27b7896"
+	// SetSpaceQuotaPermissionName is the hardcoded setting name for the set space quota permission
+	SetSpaceQuotaPermissionName string = "set-space-quota"
+
+	// CreateSpacePermissionID is the hardcoded setting UUID for the create space permission
+	CreateSpacePermissionID string = "79e13b30-3e22-11eb-bc51-0b9f0bad9a58"
+	// CreateSpacePermissionName is the hardcoded setting name for the create space permission
+	CreateSpacePermissionName string = "create-space"
+
 	settingUUIDProfileLanguage = "aa8cfbe5-95d4-4f7e-a032-c3c01f5f062f"

 	// AccountManagementPermissionID is the hardcoded setting UUID for the account management permission
@@ -331,6 +341,42 @@ func generatePermissionRequests() []*settings.AddSettingToBundleRequest {
 				},
 			},
 		},
+		{
+			BundleId: BundleUUIDRoleAdmin,
+			Setting: &settings.Setting{
+				Id:          SetSpaceQuotaPermissionID,
+				Name:        SetSpaceQuotaPermissionName,
+				DisplayName: "Set Space Quota",
+				Description: "This permission allows to manage space quotas.",
+				Resource: &settings.Resource{
+					Type: settings.Resource_TYPE_SYSTEM,
+				},
+				Value: &settings.Setting_PermissionValue{
+					PermissionValue: &settings.Permission{
+						Operation:  settings.Permission_OPERATION_READWRITE,
+						Constraint: settings.Permission_CONSTRAINT_ALL,
+					},
+				},
+			},
+		},
+		{
+			BundleId: BundleUUIDRoleAdmin,
+			Setting: &settings.Setting{
+				Id:          CreateSpacePermissionID,
+				Name:        CreateSpacePermissionName,
+				DisplayName: "Create Space",
+				Description: "This permission allows to create new spaces.",
+				Resource: &settings.Resource{
+					Type: settings.Resource_TYPE_SYSTEM,
+				},
+				Value: &settings.Setting_PermissionValue{
+					PermissionValue: &settings.Permission{
+						Operation:  settings.Permission_OPERATION_READWRITE,
+						Constraint: settings.Permission_CONSTRAINT_ALL,
+					},
+				},
+			},
+		},
 	}
 }

--- a/storage/pkg/command/appprovider.go
+++ b/storage/pkg/command/appprovider.go
@@ -0,0 +1,160 @@
+package command
+
+import (
+	"context"
+	"flag"
+	"os"
+	"path"
+
+	"github.com/cs3org/reva/cmd/revad/runtime"
+	"github.com/gofrs/uuid"
+	"github.com/micro/cli/v2"
+	"github.com/oklog/run"
+	ociscfg "github.com/owncloud/ocis/ocis-pkg/config"
+	"github.com/owncloud/ocis/ocis-pkg/sync"
+	"github.com/owncloud/ocis/storage/pkg/config"
+	"github.com/owncloud/ocis/storage/pkg/flagset"
+	"github.com/owncloud/ocis/storage/pkg/server/debug"
+	"github.com/owncloud/ocis/storage/pkg/tracing"
+	"github.com/thejerf/suture/v4"
+)
+
+// AppProvider is the entrypoint for the app provider command.
+func AppProvider(cfg *config.Config) *cli.Command {
+	return &cli.Command{
+		Name:  "app-provider",
+		Usage: "Start appprovider for providing apps",
+		Flags: flagset.AppProviderWithConfig(cfg),
+		Before: func(c *cli.Context) error {
+			cfg.Reva.AppProvider.Services = c.StringSlice("service")
+
+			return nil
+		},
+		Action: func(c *cli.Context) error {
+			logger := NewLogger(cfg)
+			tracing.Configure(cfg, logger)
+			gr := run.Group{}
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
+			uuid := uuid.Must(uuid.NewV4())
+			pidFile := path.Join(os.TempDir(), "revad-"+c.Command.Name+"-"+uuid.String()+".pid")
+
+			rcfg := appProviderConfigFromStruct(c, cfg)
+
+			gr.Add(func() error {
+				runtime.RunWithOptions(rcfg, pidFile, runtime.WithLogger(&logger.Logger))
+				return nil
+			}, func(_ error) {
+				logger.Info().
+					Str("server", c.Command.Name).
+					Msg("Shutting down server")
+
+				cancel()
+			})
+
+			debugServer, err := debug.Server(
+				debug.Name(c.Command.Name+"-debug"),
+				debug.Addr(cfg.Reva.AppProvider.DebugAddr),
+				debug.Logger(logger),
+				debug.Context(ctx),
+				debug.Config(cfg),
+			)
+
+			if err != nil {
+				logger.Info().Err(err).Str("server", "debug").Msg("Failed to initialize server")
+				return err
+			}
+
+			gr.Add(debugServer.ListenAndServe, func(_ error) {
+				cancel()
+			})
+
+			if !cfg.Reva.AppProvider.Supervised {
+				sync.Trap(&gr, cancel)
+			}
+
+			return gr.Run()
+		},
+	}
+}
+
+// appProviderConfigFromStruct will adapt an oCIS config struct into a reva mapstructure to start a reva service.
+func appProviderConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]interface{} {
+
+	rcfg := map[string]interface{}{
+		"core": map[string]interface{}{
+			"max_cpus":             cfg.Reva.AppProvider.MaxCPUs,
+			"tracing_enabled":      cfg.Tracing.Enabled,
+			"tracing_endpoint":     cfg.Tracing.Endpoint,
+			"tracing_collector":    cfg.Tracing.Collector,
+			"tracing_service_name": c.Command.Name,
+		},
+		"shared": map[string]interface{}{
+			"jwt_secret": cfg.Reva.JWTSecret,
+		},
+		"grpc": map[string]interface{}{
+			"network": cfg.Reva.AppProvider.GRPCNetwork,
+			"address": cfg.Reva.AppProvider.GRPCAddr,
+			// TODO build services dynamically
+			"services": map[string]interface{}{
+				"appprovider": map[string]interface{}{
+					"gatewaysvc":       cfg.Reva.Gateway.Endpoint,
+					"app_provider_url": cfg.Reva.AppProvider.ExternalAddr,
+					"driver":           cfg.Reva.AppProvider.Driver,
+					"drivers": map[string]interface{}{
+						"wopi": map[string]interface{}{
+							"app_api_key":          cfg.Reva.AppProvider.WopiDriver.AppAPIKey,
+							"app_desktop_only":     cfg.Reva.AppProvider.WopiDriver.AppDesktopOnly,
+							"app_icon_uri":         cfg.Reva.AppProvider.WopiDriver.AppIconURI,
+							"app_int_url":          cfg.Reva.AppProvider.WopiDriver.AppInternalURL,
+							"app_name":             cfg.Reva.AppProvider.WopiDriver.AppName,
+							"app_url":              cfg.Reva.AppProvider.WopiDriver.AppURL,
+							"insecure_connections": cfg.Reva.AppProvider.WopiDriver.Insecure,
+							"iop_secret":           cfg.Reva.AppProvider.WopiDriver.IopSecret,
+							"jwt_secret":           cfg.Reva.AppProvider.WopiDriver.JWTSecret,
+							"wopi_url":             cfg.Reva.AppProvider.WopiDriver.WopiURL,
+						},
+					},
+				},
+			},
+		},
+	}
+	return rcfg
+}
+
+// AppProviderSutureService allows for the app-provider command to be embedded and supervised by a suture supervisor tree.
+type AppProviderSutureService struct {
+	cfg *config.Config
+}
+
+// NewAppProvider creates a new store.AppProviderSutureService
+func NewAppProvider(cfg *ociscfg.Config) suture.Service {
+	if cfg.Mode == 0 {
+		cfg.Storage.Reva.AppProvider.Supervised = true
+	}
+	return AppProviderSutureService{
+		cfg: cfg.Storage,
+	}
+}
+
+func (s AppProviderSutureService) Serve(ctx context.Context) error {
+	s.cfg.Reva.AppProvider.Context = ctx
+	f := &flag.FlagSet{}
+	for k := range AppProvider(s.cfg).Flags {
+		if err := AppProvider(s.cfg).Flags[k].Apply(f); err != nil {
+			return err
+		}
+	}
+	cliCtx := cli.NewContext(nil, f, nil)
+	if AppProvider(s.cfg).Before != nil {
+		if err := AppProvider(s.cfg).Before(cliCtx); err != nil {
+			return err
+		}
+	}
+	if err := AppProvider(s.cfg).Action(cliCtx); err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/storage/pkg/command/frontend.go
+++ b/storage/pkg/command/frontend.go
@@ -141,6 +141,12 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s
 			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
+				"appprovider": map[string]interface{}{
+					"prefix":                 cfg.Reva.Frontend.AppProviderPrefix,
+					"transfer_shared_secret": cfg.Reva.TransferSecret,
+					"timeout":                86400,
+					"insecure":               true,
+				},
 				"datagateway": map[string]interface{}{
 					"prefix":                 cfg.Reva.Frontend.DatagatewayPrefix,
 					"transfer_shared_secret": cfg.Reva.TransferSecret,
--- a/storage/pkg/command/gateway.go
+++ b/storage/pkg/command/gateway.go
@@ -160,6 +160,9 @@ func gatewayConfigFromStruct(c *cli.Context, cfg *config.Config, logger log.Logg
 						},
 					},
 				},
+				"appregistry": map[string]interface{}{
+					"driver": "static",
+				},
 				"storageregistry": map[string]interface{}{
 					"driver": cfg.Reva.StorageRegistry.Driver,
 					"drivers": map[string]interface{}{
--- a/storage/pkg/command/root.go
+++ b/storage/pkg/command/root.go
@@ -76,6 +76,7 @@ func Execute(cfg *config.Config) error {
 			Gateway(cfg),
 			Users(cfg),
 			Groups(cfg),
+			AppProvider(cfg),
 			AuthBasic(cfg),
 			AuthBearer(cfg),
 			Sharing(cfg),
--- a/storage/pkg/config/config.go
+++ b/storage/pkg/config/config.go
@@ -39,6 +39,27 @@ type StorageRegistry struct {
 	JSON         string
 }

+// AppProvider defines the available app provider configuration
+type AppProvider struct {
+	Port
+	ExternalAddr string
+	Driver       string
+	WopiDriver   WopiDriver
+}
+
+type WopiDriver struct {
+	AppAPIKey      string
+	AppDesktopOnly bool
+	AppIconURI     string
+	AppInternalURL string
+	AppName        string
+	AppURL         string
+	Insecure       bool
+	IopSecret      string
+	JWTSecret      string
+	WopiURL        string
+}
+
 // Sharing defines the available sharing configuration.
 type Sharing struct {
 	Port
@@ -109,6 +130,7 @@ type Groups struct {
 type FrontendPort struct {
 	Port

+	AppProviderPrefix       string
 	DatagatewayPrefix       string
 	OCDavPrefix             string
 	OCSPrefix               string
@@ -390,6 +412,7 @@ type Reva struct {
 	StorageUsers      StoragePort
 	StoragePublicLink PublicStorage
 	StorageMetadata   StoragePort
+	AppProvider       AppProvider
 	// Configs can be used to configure the reva instance.
 	// Services and Ports will be ignored if this is used
 	Configs map[string]interface{}
--- a/storage/pkg/flagset/appprovider.go
+++ b/storage/pkg/flagset/appprovider.go
@@ -0,0 +1,144 @@
+package flagset
+
+import (
+	"github.com/micro/cli/v2"
+	"github.com/owncloud/ocis/ocis-pkg/flags"
+	"github.com/owncloud/ocis/storage/pkg/config"
+)
+
+// AppProviderWithConfig applies cfg to the root flagset
+func AppProviderWithConfig(cfg *config.Config) []cli.Flag {
+	flags := []cli.Flag{
+
+		// debug ports are the odd ports
+		&cli.StringFlag{
+			Name:        "debug-addr",
+			Value:       flags.OverrideDefaultString(cfg.Reva.AppProvider.DebugAddr, "0.0.0.0:9165"),
+			Usage:       "Address to bind debug server",
+			EnvVars:     []string{"APP_PROVIDER_BASIC_DEBUG_ADDR"},
+			Destination: &cfg.Reva.AppProvider.DebugAddr,
+		},
+
+		// Auth
+
+		// Services
+
+		// AppProvider
+
+		&cli.StringFlag{
+			Name:        "network",
+			Value:       flags.OverrideDefaultString(cfg.Reva.AppProvider.GRPCNetwork, "tcp"),
+			Usage:       "Network to use for the storage auth-basic service, can be 'tcp', 'udp' or 'unix'",
+			EnvVars:     []string{"APP_PROVIDER_BASIC_GRPC_NETWORK"},
+			Destination: &cfg.Reva.AppProvider.GRPCNetwork,
+		},
+		&cli.StringFlag{
+			Name:        "addr",
+			Value:       flags.OverrideDefaultString(cfg.Reva.AppProvider.GRPCAddr, "0.0.0.0:9164"),
+			Usage:       "Address to bind storage service",
+			EnvVars:     []string{"APP_PROVIDER_BASIC_GRPC_ADDR"},
+			Destination: &cfg.Reva.AppProvider.GRPCAddr,
+		},
+		&cli.StringFlag{
+			Name:        "external-addr",
+			Value:       flags.OverrideDefaultString(cfg.Reva.AppProvider.ExternalAddr, "127.0.0.1:9164"),
+			Usage:       "Address to connect to the storage service for other services",
+			EnvVars:     []string{"APP_PROVIDER_BASIC_EXTERNAL_ADDR"},
+			Destination: &cfg.Reva.AppProvider.ExternalAddr,
+		},
+		&cli.StringSliceFlag{
+			Name:    "service",
+			Value:   cli.NewStringSlice("appprovider"),
+			Usage:   "--service appprovider [--service otherservice]",
+			EnvVars: []string{"APP_PROVIDER_BASIC_SERVICES"},
+		},
+
+		&cli.StringFlag{
+			Name:        "driver",
+			Value:       flags.OverrideDefaultString(cfg.Reva.AppProvider.Driver, ""),
+			Usage:       "Driver to use for app provider",
+			EnvVars:     []string{"APP_PROVIDER_DRIVER"},
+			Destination: &cfg.Reva.AppProvider.Driver,
+		},
+
+		// WOPI driver
+		&cli.StringFlag{
+			Name:        "wopi-driver-app-apikey",
+			Value:       flags.OverrideDefaultString(cfg.Reva.AppProvider.WopiDriver.AppAPIKey, ""),
+			Usage:       "The API key used by the app, if applicable.",
+			EnvVars:     []string{"APP_PROVIDER_WOPI_DRIVER_APP_API_KEY"},
+			Destination: &cfg.Reva.AppProvider.WopiDriver.AppAPIKey,
+		},
+		&cli.BoolFlag{
+			Name:        "wopi-driver-app-desktop-only",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.AppProvider.WopiDriver.AppDesktopOnly, false),
+			Usage:       "Whether the app can be opened only on desktop",
+			EnvVars:     []string{"APP_PROVIDER_WOPI_DRIVER_APP_DESKTOP_ONLY"},
+			Destination: &cfg.Reva.AppProvider.WopiDriver.AppDesktopOnly,
+		},
+		&cli.StringFlag{
+			Name:        "wopi-driver-app-icon-uri",
+			Value:       flags.OverrideDefaultString(cfg.Reva.AppProvider.WopiDriver.AppIconURI, ""),
+			Usage:       "IOP Secret (Shared with WOPI server)",
+			EnvVars:     []string{"APP_PROVIDER_WOPI_DRIVER_APP_ICON_URI"},
+			Destination: &cfg.Reva.AppProvider.WopiDriver.AppIconURI,
+		},
+		&cli.StringFlag{
+			Name:        "wopi-driver-app-internal-url",
+			Value:       flags.OverrideDefaultString(cfg.Reva.AppProvider.WopiDriver.AppInternalURL, ""),
+			Usage:       "The internal app URL in case of dockerized deployments. Defaults to AppURL",
+			EnvVars:     []string{"APP_PROVIDER_WOPI_DRIVER_APP_INTERNAL_URL"},
+			Destination: &cfg.Reva.AppProvider.WopiDriver.AppInternalURL,
+		},
+		&cli.StringFlag{
+			Name:        "wopi-driver-app-name",
+			Value:       flags.OverrideDefaultString(cfg.Reva.AppProvider.WopiDriver.AppName, ""),
+			Usage:       "The App user-friendly name.",
+			EnvVars:     []string{"APP_PROVIDER_WOPI_DRIVER_APP_NAME"},
+			Destination: &cfg.Reva.AppProvider.WopiDriver.AppName,
+		},
+		&cli.StringFlag{
+			Name:        "wopi-driver-app-url",
+			Value:       flags.OverrideDefaultString(cfg.Reva.AppProvider.WopiDriver.AppURL, ""),
+			Usage:       "App server URL",
+			EnvVars:     []string{"APP_PROVIDER_WOPI_DRIVER_APP_URL"},
+			Destination: &cfg.Reva.AppProvider.WopiDriver.AppURL,
+		},
+		&cli.BoolFlag{
+			Name:        "wopi-driver-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.AppProvider.WopiDriver.Insecure, false),
+			Usage:       "Disable SSL certificate verification of WOPI server and WOPI bridge",
+			EnvVars:     []string{"APP_PROVIDER_WOPI_DRIVER_INSECURE"},
+			Destination: &cfg.Reva.AppProvider.WopiDriver.Insecure,
+		},
+		&cli.StringFlag{
+			Name:        "wopi-driver-iopsecret",
+			Value:       flags.OverrideDefaultString(cfg.Reva.AppProvider.WopiDriver.IopSecret, ""),
+			Usage:       "IOP Secret (Shared with WOPI server)",
+			EnvVars:     []string{"APP_PROVIDER_WOPI_DRIVER_IOP_SECRET"},
+			Destination: &cfg.Reva.AppProvider.WopiDriver.IopSecret,
+		},
+		&cli.StringFlag{
+			Name:        "wopi-driver-wopiurl",
+			Value:       flags.OverrideDefaultString(cfg.Reva.AppProvider.WopiDriver.WopiURL, ""),
+			Usage:       "WOPI server URL",
+			EnvVars:     []string{"APP_PROVIDER_WOPI_DRIVER_WOPI_URL"},
+			Destination: &cfg.Reva.AppProvider.WopiDriver.WopiURL,
+		},
+
+		// Gateway
+		&cli.StringFlag{
+			Name:        "gateway-url",
+			Value:       flags.OverrideDefaultString(cfg.Reva.Gateway.Endpoint, "localhost:9142"),
+			Usage:       "URL to use for the storage gateway service",
+			EnvVars:     []string{"STORAGE_GATEWAY_ENDPOINT"},
+			Destination: &cfg.Reva.Gateway.Endpoint,
+		},
+	}
+
+	flags = append(flags, TracingWithConfig(cfg)...)
+	flags = append(flags, DebugWithConfig(cfg)...)
+	flags = append(flags, SecretWithConfig(cfg)...)
+
+	return flags
+}
--- a/storage/pkg/flagset/frontend.go
+++ b/storage/pkg/flagset/frontend.go
@@ -87,10 +87,17 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 		},
 		&cli.StringSliceFlag{
 			Name:    "service",
-			Value:   cli.NewStringSlice("datagateway", "ocdav", "ocs"),
+			Value:   cli.NewStringSlice("datagateway", "ocdav", "ocs", "appprovider"),
 			Usage:   "--service ocdav [--service ocs]",
 			EnvVars: []string{"STORAGE_FRONTEND_SERVICES"},
 		},
+		&cli.StringFlag{
+			Name:        "approvider-prefix",
+			Value:       flags.OverrideDefaultString(cfg.Reva.Frontend.AppProviderPrefix, ""),
+			Usage:       "approvider prefix",
+			EnvVars:     []string{"STORAGE_FRONTEND_APPPROVIDER_PREFIX"},
+			Destination: &cfg.Reva.Frontend.AppProviderPrefix,
+		},
 		&cli.StringFlag{
 			Name:        "datagateway-prefix",
 			Value:       flags.OverrideDefaultString(cfg.Reva.Frontend.DatagatewayPrefix, "data"),
--- a/storage/pkg/flagset/gateway.go
+++ b/storage/pkg/flagset/gateway.go
@@ -62,7 +62,7 @@ func GatewayWithConfig(cfg *config.Config) []cli.Flag {
 		},
 		&cli.StringSliceFlag{
 			Name:    "service",
-			Value:   cli.NewStringSlice("gateway", "authregistry", "storageregistry"), // TODO appregistry
+			Value:   cli.NewStringSlice("gateway", "authregistry", "storageregistry", "appregistry"),
 			Usage:   "--service gateway [--service authregistry]",
 			EnvVars: []string{"STORAGE_GATEWAY_SERVICES"},
 		},
@@ -193,6 +193,13 @@ func GatewayWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_SHARING_ENDPOINT"},
 			Destination: &cfg.Reva.Sharing.Endpoint,
 		},
+		&cli.StringFlag{
+			Name:        "appprovider-endpoint",
+			Value:       flags.OverrideDefaultString(cfg.Reva.AppProvider.Endpoint, "localhost:9164"),
+			Usage:       "endpoint to use for the app provider",
+			EnvVars:     []string{"STORAGE_APPPROVIDER_ENDPOINT"},
+			Destination: &cfg.Reva.AppProvider.Endpoint,
+		},

 		// register home storage