From c17d9eb19e72437aff147aba802b761efdd223ab Mon Sep 17 00:00:00 2001
From: David Christofas
Date: Tue, 7 Mar 2023 11:17:08 +0100
Subject: [PATCH] add config options to enforce passwords on public links

---
 changelog/unreleased/public-link-password.md | 5 +++++
 services/frontend/pkg/config/config.go | 21 ++++++++++----------
 services/frontend/pkg/revaconfig/config.go | 4 ++--
 services/sharing/pkg/config/config.go | 9 +++++----
 services/sharing/pkg/revaconfig/config.go | 3 ++-
 5 files changed, 25 insertions(+), 17 deletions(-)
 create mode 100644 changelog/unreleased/public-link-password.md

diff --git a/changelog/unreleased/public-link-password.md b/changelog/unreleased/public-link-password.md
new file mode 100644
index 000000000..1b5324f12
--- /dev/null
+++ b/changelog/unreleased/public-link-password.md
@@ -0,0 +1,5 @@
+Enhancement: Add config option to enforce passwords on public links
+
+Added a new config option to enforce passwords on public links with "Uploader, Editor, Contributor" roles.
+
+https://github.com/owncloud/ocis/pull/5720
diff --git a/services/frontend/pkg/config/config.go b/services/frontend/pkg/config/config.go
index a9bf935b8..ba68cb200 100644
--- a/services/frontend/pkg/config/config.go
+++ b/services/frontend/pkg/config/config.go
@@ -118,16 +118,17 @@ type DataGateway struct {
 }
 
 type OCS struct {
- Prefix string `yaml:"prefix" env:"FRONTEND_OCS_PREFIX" desc:"URL prefix for the OCS service. Note that the string must not start with '/'."`
- SharePrefix string `yaml:"share_prefix" env:"FRONTEND_OCS_SHARE_PREFIX" desc:"Path prefix for shares as part of an ocis resource. Note that the path must start with '/'."`
- HomeNamespace string `yaml:"home_namespace" env:"FRONTEND_OCS_HOME_NAMESPACE" desc:"Homespace namespace identifier."`
- AdditionalInfoAttribute string `yaml:"additional_info_attribute" env:"FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE" desc:"Additional information attribute for the user like {{.Mail}}."`
- ResourceInfoCacheTTL int `yaml:"resource_info_cache_ttl" env:"FRONTEND_OCS_RESOURCE_INFO_CACHE_TTL" desc:"Max TTL in seconds for the resource info cache. 0 disables the cache."`
- ResourceInfoCacheType string `yaml:"resource_info_cache_type" env:"FRONTEND_OCS_RESOURCE_INFO_CACHE_TYPE" desc:"The type of the resource info cache. Supported values are 'memory' and 'redis'."`
- ResourceInfoCaches ResourceInfoCaches `yaml:"resource_info_caches,omitempty"` // only used for redis
- CacheWarmupDriver string `yaml:"cache_warmup_driver,omitempty"` // not supported by the oCIS product, therefore not part of docs
- CacheWarmupDrivers CacheWarmupDrivers `yaml:"cache_warmup_drivers,omitempty"` // not supported by the oCIS product, therefore not part of docs
- EnableDenials bool `yaml:"enable_denials" env:"FRONTEND_OCS_ENABLE_DENIALS" desc:"EXPERIMENTAL: enable the feature to deny access on folders."`
+ Prefix string `yaml:"prefix" env:"FRONTEND_OCS_PREFIX" desc:"URL prefix for the OCS service. Note that the string must not start with '/'."`
+ SharePrefix string `yaml:"share_prefix" env:"FRONTEND_OCS_SHARE_PREFIX" desc:"Path prefix for shares as part of an ocis resource. Note that the path must start with '/'."`
+ HomeNamespace string `yaml:"home_namespace" env:"FRONTEND_OCS_HOME_NAMESPACE" desc:"Homespace namespace identifier."`
+ AdditionalInfoAttribute string `yaml:"additional_info_attribute" env:"FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE" desc:"Additional information attribute for the user like {{.Mail}}."`
+ ResourceInfoCacheTTL int `yaml:"resource_info_cache_ttl" env:"FRONTEND_OCS_RESOURCE_INFO_CACHE_TTL" desc:"Max TTL in seconds for the resource info cache. 0 disables the cache."`
+ ResourceInfoCacheType string `yaml:"resource_info_cache_type" env:"FRONTEND_OCS_RESOURCE_INFO_CACHE_TYPE" desc:"The type of the resource info cache. Supported values are 'memory' and 'redis'."`
+ ResourceInfoCaches ResourceInfoCaches `yaml:"resource_info_caches,omitempty"` // only used for redis
+ CacheWarmupDriver string `yaml:"cache_warmup_driver,omitempty"` // not supported by the oCIS product, therefore not part of docs
+ CacheWarmupDrivers CacheWarmupDrivers `yaml:"cache_warmup_drivers,omitempty"` // not supported by the oCIS product, therefore not part of docs
+ EnableDenials bool `yaml:"enable_denials" env:"FRONTEND_OCS_ENABLE_DENIALS" desc:"EXPERIMENTAL: enable the feature to deny access on folders."`
+ WriteablePublicShareMustHavePassword bool `yaml:"public_sharing_writeableshare_must_have_password" env:"OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD;FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD" desc:"Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares."`
 }
 
 // ResourceInfoCaches holds resource info cache configurations
diff --git a/services/frontend/pkg/revaconfig/config.go b/services/frontend/pkg/revaconfig/config.go
index 4fe63418f..80570badc 100644
--- a/services/frontend/pkg/revaconfig/config.go
+++ b/services/frontend/pkg/revaconfig/config.go
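Review bot: The desc on the new `WriteablePublicShareMustHavePassword` field promises to "enforce passwords", but the only consumer of this field visible in the patch is the capabilities map in `FrontendConfigFromStruct`, which advertises the requirement to clients; the sharing service carries its own separate flag, presumably the one that actually rejects password-less links. An operator who sets only the frontend variable would therefore get a UI that demands a password while the API still accepts writable links without one, so the text should say so and point at the companion setting the way the sharing-side desc already does: `desc:"Advertise in the OCS capabilities that writeable public links (Uploader, Editor, Contributor) require a password. This does not enforce anything by itself; also set SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD in the sharing service, or use the global OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD."`. The yaml key `public_sharing_writeableshare_must_have_password` also sits inside the `ocs` section next to `enable_denials` and `share_prefix`, where a plain `writeable_share_must_have_password` would match its siblings and avoid a breaking rename later. The OCS struct is entirely within the hunk.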
@@ -229,8 +229,8 @@ func FrontendConfigFromStruct(cfg *config.Config) (map[string]interface{}, error
 "enforced": false,
 "enforced_for": map[string]interface{}{
 "read_only": false,
- "read_write": false,
- "upload_only": false,
+ "read_write": cfg.OCS.WriteablePublicShareMustHavePassword,
+ "upload_only": cfg.OCS.WriteablePublicShareMustHavePassword,
 },
 },
 "expire_date": map[string]interface{}{
diff --git a/services/sharing/pkg/config/config.go b/services/sharing/pkg/config/config.go
index c55c5e783..aae8dc278 100644
--- a/services/sharing/pkg/config/config.go
+++ b/services/sharing/pkg/config/config.go
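Review bot: `"enforced": false` stays a hard-coded literal on the line above the changed ones while `read_write` and `upload_only` now follow config, and nothing in the hunk says how a client is meant to read a block where the global flag and the per-permission flags disagree; a comment on the `enforced` line would remove the guesswork: `// global switch stays off; the requirement is advertised per permission set in enforced_for`. The two changed lines bind both permission sets to the same boolean, and the mapping from the role names used in the desc (Uploader → upload_only, Editor/Contributor → read_write) is only implied, so it belongs in that comment as well. This map is what clients see; whether a password-less link is actually refused depends on the sharing service's own flag, which this function does not read. `FrontendConfigFromStruct` begins and ends outside the hunk.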
@@ -21,10 +21,11 @@ type Config struct {
 
 SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"SHARING_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the loading of user's group memberships from the reva access token."`
 
- UserSharingDriver string `yaml:"user_sharing_driver" env:"SHARING_USER_DRIVER" desc:"Driver to be used to persist shares. Supported values are 'jsoncs3', 'json', 'cs3' and 'owncloudsql'."`
- UserSharingDrivers UserSharingDrivers `yaml:"user_sharing_drivers"`
- PublicSharingDriver string `yaml:"public_sharing_driver" env:"SHARING_PUBLIC_DRIVER" desc:"Driver to be used to persist public shares. Supported values are 'jsoncs3', 'json' and 'cs3'."`
- PublicSharingDrivers PublicSharingDrivers `yaml:"public_sharing_drivers"`
+ UserSharingDriver string `yaml:"user_sharing_driver" env:"SHARING_USER_DRIVER" desc:"Driver to be used to persist shares. Supported values are 'jsoncs3', 'json', 'cs3' and 'owncloudsql'."`
+ UserSharingDrivers UserSharingDrivers `yaml:"user_sharing_drivers"`
+ PublicSharingDriver string `yaml:"public_sharing_driver" env:"SHARING_PUBLIC_DRIVER" desc:"Driver to be used to persist public shares. Supported values are 'jsoncs3', 'json' and 'cs3'."`
+ PublicSharingDrivers PublicSharingDrivers `yaml:"public_sharing_drivers"`
+ WriteableShareMustHavePassword bool `yaml:"public_sharing_writeableshare_must_have_password" env:"OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD;SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD" desc:"Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD in the frontend service."`
 
 Supervised bool `yaml:"-"`
 Context context.Context `yaml:"-"`
diff --git a/services/sharing/pkg/revaconfig/config.go b/services/sharing/pkg/revaconfig/config.go
index 8af76974c..63b3f4649 100644
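Review bot: The yaml key on the new field, `public_sharing_writeableshare_must_have_password`, drops the separator that every sibling key keeps (`public_sharing_driver`, `user_sharing_drivers`), and yaml keys are operator-facing interface where a later rename breaks existing config files, so it is cheaper to fix before it ships: `yaml:"public_sharing_writeable_share_must_have_password"`. The desc tells the operator they "must define" the frontend variable without saying why; appending `The frontend setting only controls what the capabilities advertise to clients; this one is what the sharing service applies when a public share is created.` gives the reason, with the caveat that the actual check lives in reva and is not visible in this repo. `Config` begins before the hunk and closes after it.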
--- a/services/sharing/pkg/revaconfig/config.go
+++ b/services/sharing/pkg/revaconfig/config.go
@@ -79,7 +79,8 @@ func SharingConfigFromStruct(cfg *config.Config) map[string]interface{} {
 },
 },
 "publicshareprovider": map[string]interface{}{
- "driver": cfg.PublicSharingDriver,
+ "driver": cfg.PublicSharingDriver,
+ "writeable_share_must_have_password": cfg.WriteableShareMustHavePassword,
 "drivers": map[string]interface{}{
 "json": map[string]interface{}{
 "file": cfg.PublicSharingDrivers.JSON.File,
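Review bot: The new `writeable_share_must_have_password` key is passed straight through to reva's publicshareprovider, so whether a password-less Uploader/Editor link is actually refused depends on that provider honouring this exact key, which cannot be verified from this repository; a comment naming the dependency would save the next reader the trip: `// handed to reva's publicshareprovider, which is expected to reject password-less writeable links when true; the frontend capability flag is advisory only`. The zero value is false, so an upgraded deployment keeps accepting anonymous-writable links without a password until an operator opts in, which deserves a sentence in the docs alongside the changelog entry. `SharingConfigFromStruct` begins and ends outside the hunk.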