Merge pull request #2745 from owncloud/insecure-options

make all insecure options configurable and change the default to false

.drone.star

@@ -1466,6 +1466,7 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = []):
         "IDP_IDENTIFIER_REGISTRATION_CONF": "/drone/src/tests/config/drone/identifier-registration.yml",
         "OCIS_LOG_LEVEL": "error",
         "SETTINGS_DATA_PATH": "/srv/app/tmp/ocis/settings",
+        "OCIS_INSECURE": "true",
     }
 
     # Pass in "default" accounts_hash_difficulty to not set this environment variable.

.vscode/launch.json

@@ -7,12 +7,18 @@
             "request": "launch",
             "mode": "debug",
             "program": "${workspaceFolder}/ocis/cmd/ocis",
-            "args": ["server"],
+            "args": [
+                "server"
+            ],
             "env": {
+                // log settings for human developers
                 "OCIS_LOG_LEVEL": "debug",
                 "OCIS_LOG_PRETTY": "true",
                 "OCIS_LOG_COLOR": "true",
-                "PROXY_ENABLE_BASIC_AUTH": "true"
+                // enable basic auth for dev setup so that we can use curl for testing
+                "PROXY_ENABLE_BASIC_AUTH": "true",
+                // set insecure options because we don't have valid certificates in dev environments
+                "OCIS_INSECURE": "true",
             }
         },
     ]

changelog/unreleased/insecure-options.md

@@ -0,0 +1,27 @@
+Change: Make all insecure options configurable and change the default to false
+
+We had several hard-coded 'insecure' flags. These options are now configurable and default to false. Also we changed all other 'insecure' flags with a previous default of true to false.
+
+In development environments using self signed certs (the default) you now need to set these flags:
+
+```
+PROXY_OIDC_INSECURE=true
+STORAGE_FRONTEND_APPPROVIDER_INSECURE=true
+STORAGE_FRONTEND_ARCHIVER_INSECURE=true
+STORAGE_FRONTEND_OCDAV_INSECURE=true
+STORAGE_HOME_DATAPROVIDER_INSECURE=true
+STORAGE_METADATA_DATAPROVIDER_INSECURE=true
+STORAGE_OIDC_INSECURE=true
+STORAGE_USERS_DATAPROVIDER_INSECURE=true
+THUMBNAILS_CS3SOURCE_INSECURE=true
+THUMBNAILS_WEBDAVSOURCE_INSECURE=true
+```
+
+As an alternative you also can set a single flag, which configures all options together:
+
+```
+OCIS_INSECURE=true
+```
+
+https://github.com/owncloud/ocis/issues/2700
+https://github.com/owncloud/ocis/pull/2745

deployments/examples/cs3_users_ocis/docker-compose.yml

@@ -81,12 +81,13 @@ services:
       OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
       PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
       # change default secrets
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
       OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
+      # INSECURE: needed if oCIS / Traefik is using self generated certificates
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ./config/ocis/web-config.dist.json:/config/web-config.dist.json

deployments/examples/oc10_ocis_parallel/docker-compose.yml

@@ -110,13 +110,14 @@ services:
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
       PROXY_LOG_LEVEL: ${PROXY_LOG_LEVEL:-error}
       OCIS_URL: https://${CLOUD_DOMAIN:-cloud.owncloud.test}
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
       PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
       PROXY_CONFIG_FILE: "/var/tmp/ocis/.config/proxy-config.json"
       # change default secrets
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
       OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
+      # INSECURE: needed if oCIS / Traefik is using self generated certificates
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ./config/ocis/proxy-config.dist.json:/config/proxy-config.dist.json

deployments/examples/ocis_hello/docker-compose.yml

@@ -53,7 +53,6 @@ services:
       OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
       PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
       # change default secrets
       IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
@@ -67,6 +66,8 @@ services:
       PROXY_CONFIG_FILE: "/var/tmp/ocis/.config/proxy-config.json"
       # make settings service available to oCIS Hello
       SETTINGS_GRPC_ADDR: 0.0.0.0:9191
+      # INSECURE: needed if oCIS / Traefik is using self generated certificates
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ./config/ocis/web-config.dist.json:/config/web-config.dist.json

deployments/examples/ocis_keycloak/docker-compose.yml

@@ -62,7 +62,6 @@ services:
       # general config
       OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
       PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
       ACCOUNTS_DEMO_USERS_AND_GROUPS: false # don't generate demo users
       # change default secrets
@@ -71,6 +70,8 @@ services:
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
       OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
+      # INSECURE: needed if oCIS / Traefik is using self generated certificates
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/lib/ocis

deployments/examples/ocis_s3/docker-compose.yml

@@ -52,7 +52,6 @@ services:
     environment:
       OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
       PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
       # change default secrets
       IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
@@ -70,6 +69,8 @@ services:
       STORAGE_USERS_DRIVER_S3NG_ACCESS_KEY: ${MINIO_ACCESS_KEY:-ocis}
       STORAGE_USERS_DRIVER_S3NG_SECRET_KEY: ${MINIO_SECRET_KEY:-ocis-secret-key}
       STORAGE_USERS_DRIVER_S3NG_BUCKET: ${MINIO_BUCKET:-ocis-bucket}
+      # INSECURE: needed if oCIS / Traefik is using self generated certificates
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/lib/ocis

deployments/examples/ocis_traefik/docker-compose.yml

@@ -52,7 +52,6 @@ services:
     environment:
       OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
       PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
       # change default secrets
       IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
@@ -60,6 +59,8 @@ services:
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
       OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
+      # INSECURE: needed if oCIS / Traefik is using self generated certificates
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/lib/ocis

deployments/examples/ocis_wopi/docker-compose.yml

@@ -58,7 +58,6 @@ services:
       OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
       PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
       # change default secrets
       IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
@@ -69,6 +68,8 @@ services:
       # app registry
       STORAGE_GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
       STORAGE_APP_REGISTRY_MIMETYPES_JSON: /var/tmp/ocis/app-config/mimetypes.json
+      # INSECURE: needed if oCIS / Traefik is using self generated certificates
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ./config/ocis/mimetypes.json:/var/tmp/ocis/app-config/mimetypes.json

docs/ocis/deployment/basic-remote-setup.md

@@ -29,9 +29,10 @@ For the following examples you need to have the oCIS binary in your current work
 
 ### Using automatically generated certificates
 
-In order to run oCIS with automatically generated and self signed certificates please execute following command. You need to replace `your-host` with an IP or hostname.
+In order to run oCIS with automatically generated and self signed certificates please execute following command. You need to replace `your-host` with an IP or hostname. Since you have only self signed certificates you need to have `OCIS_INSECURE` set to `true`.
 
 ```bash
+OCIS_INSECURE=true \
 PROXY_HTTP_ADDR=0.0.0.0:9200 \
 OCIS_URL=https://your-host:9200 \
 ./ocis server
@@ -42,6 +43,7 @@ OCIS_URL=https://your-host:9200 \
 If you have your own certificates already in place, you may want to make oCIS use them:
 
 ```bash
+OCIS_INSECURE=false \
 PROXY_HTTP_ADDR=0.0.0.0:9200 \
 OCIS_URL=https://your-host:9200 \
 PROXY_TRANSPORT_TLS_KEY=./certs/your-host.key \
@@ -49,6 +51,8 @@ PROXY_TRANSPORT_TLS_CERT=./certs/your-host.crt \
 ./ocis server
 ```
 
+If you generated these certificates on your own, you might need to set `OCIS_INSECURE` to `true`.
+
 For more configuration options check the configuration section in [oCIS]({{< ref "../configuration" >}}) and the oCIS extensions.
 
 ## Start the oCIS fullstack server with Docker Compose

docs/ocis/deployment/systemd.md

@@ -45,6 +45,7 @@ In order to create the file we need first to create the folder `/etc/ocis/` and
 ```
 OCIS_URL=https://some-hostname-or-ip:9200
 PROXY_HTTP_ADDR=0.0.0.0:9200
+OCIS_INSECURE=false
 
 OCIS_LOG_LEVEL=error
 
@@ -56,7 +57,7 @@ PROXY_TRANSPORT_TLS_CERT=/etc/ocis/proxy/server.crt
 PROXY_TRANSPORT_TLS_KEY=/etc/ocis/proxy/server.key
 ```
 
-Please change your `OCIS_URL` in order to reflect your actual deployment.
+Please change your `OCIS_URL` in order to reflect your actual deployment. If you are using self signed certificates you need to set `OCIS_INSECURE=true` in `/etc/ocis/ocis.env`.
 
 
 ## Starting the oCIS service

graph/pkg/cs3/client.go

@@ -1,26 +0,0 @@
-package cs3
-
-import (
-	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
-
-	"google.golang.org/grpc"
-)
-
-func newConn(endpoint string) (*grpc.ClientConn, error) {
-	conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
-	if err != nil {
-		return nil, err
-	}
-
-	return conn, nil
-}
-
-// GetGatewayServiceClient returns a new cs3 gateway client
-func GetGatewayServiceClient(endpoint string) (gateway.GatewayAPIClient, error) {
-	conn, err := newConn(endpoint)
-	if err != nil {
-		return nil, err
-	}
-
-	return gateway.NewGatewayAPIClient(conn), nil
-}

graph/pkg/service/v0/graph.go

@@ -4,9 +4,9 @@ import (
 	"net/http"
 
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
+	"github.com/cs3org/reva/pkg/rgrpc/todo/pool"
 	"github.com/go-chi/chi/v5"
 	"github.com/owncloud/ocis/graph/pkg/config"
-	"github.com/owncloud/ocis/graph/pkg/cs3"
 	"github.com/owncloud/ocis/ocis-pkg/log"
 )
 
@@ -24,7 +24,7 @@ func (g Graph) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 // GetClient returns a gateway client to talk to reva
 func (g Graph) GetClient() (gateway.GatewayAPIClient, error) {
-	return cs3.GetGatewayServiceClient(g.config.Reva.Address)
+	return pool.GetGatewayServiceClient(g.config.Reva.Address)
 }
 
 // The key type is unexported to prevent collisions with context keys defined in

idp/pkg/flagset/flagset.go

@@ -355,6 +355,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 		&cli.BoolFlag{
 			Name:        "insecure",
 			Usage:       "Disable TLS certificate and hostname validation",
+			Value:       flags.OverrideDefaultBool(cfg.IDP.Insecure, false),
 			EnvVars:     []string{"IDP_INSECURE"},
 			Destination: &cfg.IDP.Insecure,
 		},

ocs/pkg/config/config.go

@@ -49,6 +49,11 @@ type Tracing struct {
 	Service   string
 }
 
+// Reva defines all available REVA configuration.
+type Reva struct {
+	Address string
+}
+
 // TokenManager is the config for using the reva token manager
 type TokenManager struct {
 	JWTSecret string
@@ -71,7 +76,7 @@ type Config struct {
 	TokenManager       TokenManager
 	Service            Service
 	AccountBackend     string
-	RevaAddress        string
+	Reva               Reva
 	StorageUsersDriver string
 	MachineAuthAPIKey  string
 	IdentityManagement IdentityManagement

ocs/pkg/flagset/flagset.go

@@ -184,10 +184,10 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 		},
 		&cli.StringFlag{
 			Name:        "reva-gateway-addr",
-			Value:       flags.OverrideDefaultString(cfg.RevaAddress, "127.0.0.1:9142"),
+			Value:       flags.OverrideDefaultString(cfg.Reva.Address, "127.0.0.1:9142"),
 			Usage:       "Address of REVA gateway endpoint",
 			EnvVars:     []string{"REVA_GATEWAY"},
-			Destination: &cfg.RevaAddress,
+			Destination: &cfg.Reva.Address,
 		},
 		&cli.StringFlag{
 			Name:        "machine-auth-api-key",

ocs/pkg/service/v0/service.go

@@ -4,6 +4,7 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/cs3org/reva/pkg/rgrpc/todo/pool"
 	"github.com/owncloud/ocis/ocis-pkg/service/grpc"
 
 	"github.com/go-chi/chi/v5"
@@ -19,7 +20,6 @@ import (
 	ocsm "github.com/owncloud/ocis/ocs/pkg/middleware"
 	"github.com/owncloud/ocis/ocs/pkg/service/v0/data"
 	"github.com/owncloud/ocis/ocs/pkg/service/v0/response"
-	"github.com/owncloud/ocis/proxy/pkg/cs3"
 	"github.com/owncloud/ocis/proxy/pkg/user/backend"
 	settings "github.com/owncloud/ocis/settings/pkg/proto/v0"
 )
@@ -161,9 +161,9 @@ func (o Ocs) getAccountService() accounts.AccountsService {
 }
 
 func (o Ocs) getCS3Backend() backend.UserBackend {
-	revaClient, err := cs3.GetGatewayServiceClient(o.config.RevaAddress)
+	revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address)
 	if err != nil {
-		o.logger.Fatal().Msgf("could not get reva client at address %s", o.config.RevaAddress)
+		o.logger.Fatal().Msgf("could not get reva client at address %s", o.config.Reva.Address)
 	}
 	return backend.NewCS3UserBackend(nil, revaClient, o.config.MachineAuthAPIKey, o.logger)
 }

ocs/pkg/service/v0/users.go

@@ -375,7 +375,7 @@ func (o Ocs) DeleteUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if o.config.RevaAddress != "" && o.config.StorageUsersDriver != "owncloud" {
+	if o.config.Reva.Address != "" && o.config.StorageUsersDriver != "owncloud" {
 		t, err := o.mintTokenForUser(r.Context(), account)
 		if err != nil {
 			mustNotFail(render.Render(w, r, response.ErrRender(data.MetaServerError.StatusCode, errors.Wrap(err, "error minting token").Error())))
@@ -384,7 +384,7 @@ func (o Ocs) DeleteUser(w http.ResponseWriter, r *http.Request) {
 
 		ctx := metadata.AppendToOutgoingContext(r.Context(), revactx.TokenHeader, t)
 
-		gwc, err := pool.GetGatewayServiceClient(o.config.RevaAddress)
+		gwc, err := pool.GetGatewayServiceClient(o.config.Reva.Address)
 		if err != nil {
 			o.logger.Error().Err(err).Msg("error securing a connection to Reva gateway")
 		}

proxy/pkg/flagset/flagset.go

@@ -208,9 +208,9 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 		},
 		&cli.BoolFlag{
 			Name:        "oidc-insecure",
-			Value:       flags.OverrideDefaultBool(cfg.OIDC.Insecure, true),
+			Value:       flags.OverrideDefaultBool(cfg.OIDC.Insecure, false),
 			Usage:       "OIDC allow insecure communication",
-			EnvVars:     []string{"PROXY_OIDC_INSECURE"},
+			EnvVars:     []string{"PROXY_OIDC_INSECURE", "OCIS_INSECURE"},
 			Destination: &cfg.OIDC.Insecure,
 		},
 		&cli.IntFlag{

storage/pkg/command/frontend.go

@@ -171,12 +171,12 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s
 					"prefix":                 cfg.Reva.Frontend.AppProviderPrefix,
 					"transfer_shared_secret": cfg.Reva.TransferSecret,
 					"timeout":                86400,
-					"insecure":               true,
+					"insecure":               cfg.Reva.Frontend.AppProviderInsecure,
 				},
 				"archiver": map[string]interface{}{
 					"prefix":        cfg.Reva.Frontend.ArchiverPrefix,
 					"timeout":       86400,
-					"insecure":      true,
+					"insecure":      cfg.Reva.Frontend.ArchiverInsecure,
 					"max_num_files": cfg.Reva.Archiver.MaxNumFiles,
 					"max_size":      cfg.Reva.Archiver.MaxSize,
 				},
@@ -191,7 +191,7 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s
 					"files_namespace":  cfg.Reva.OCDav.DavFilesNamespace,
 					"webdav_namespace": cfg.Reva.OCDav.WebdavNamespace,
 					"timeout":          86400,
-					"insecure":         true,
+					"insecure":         cfg.Reva.Frontend.OCDavInsecure,
 					"public_url":       cfg.Reva.Frontend.PublicURL,
 				},
 				"ocs": map[string]interface{}{

storage/pkg/command/storagehome.go

@@ -128,7 +128,7 @@ func storageHomeConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]
 					"driver":      cfg.Reva.StorageHome.Driver,
 					"drivers":     storagedrivers.HomeDrivers(cfg),
 					"timeout":     86400,
-					"insecure":    true,
+					"insecure":    cfg.Reva.StorageHome.DataProvider.Insecure,
 					"disable_tus": false,
 				},
 			},

storage/pkg/command/storagemetadata.go

@@ -150,7 +150,7 @@ func storageMetadataFromStruct(c *cli.Context, cfg *config.Config) map[string]in
 					"driver":      cfg.Reva.StorageMetadata.Driver,
 					"drivers":     storagedrivers.MetadataDrivers(cfg),
 					"timeout":     86400,
-					"insecure":    true,
+					"insecure":    cfg.Reva.StorageMetadata.DataProvider.Insecure,
 					"disable_tus": true,
 				},
 			},

storage/pkg/command/storageusers.go

@@ -128,7 +128,7 @@ func storageUsersConfigFromStruct(c *cli.Context, cfg *config.Config) map[string
 					"driver":      cfg.Reva.StorageUsers.Driver,
 					"drivers":     storagedrivers.UserDrivers(cfg),
 					"timeout":     86400,
-					"insecure":    true,
+					"insecure":    cfg.Reva.StorageUsers.DataProvider.Insecure,
 					"disable_tus": false,
 				},
 			},

storage/pkg/config/config.go

@@ -144,10 +144,13 @@ type Groups struct {
 type FrontendPort struct {
 	Port
 
+	AppProviderInsecure        bool
 	AppProviderPrefix          string
+	ArchiverInsecure           bool
 	ArchiverPrefix             string
 	DatagatewayPrefix          string
 	Favorites                  bool
+	OCDavInsecure              bool
 	OCDavPrefix                string
 	OCSPrefix                  string
 	OCSSharePrefix             string
@@ -175,6 +178,10 @@ type DataGatewayPort struct {
 	PublicURL string
 }
 
+type DataProvider struct {
+	Insecure bool
+}
+
 // StoragePort defines the available storage configuration.
 type StoragePort struct {
 	Port
@@ -186,9 +193,10 @@ type StoragePort struct {
 	DataServerURL string
 
 	// for HTTP ports with only one http service
-	HTTPPrefix string
-	TempFolder string
-	ReadOnly   bool
+	HTTPPrefix   string
+	TempFolder   string
+	ReadOnly     bool
+	DataProvider DataProvider
 }
 
 // PublicStorage configures a public storage provider

storage/pkg/flagset/authbearer.go

@@ -30,9 +30,9 @@ func AuthBearerWithConfig(cfg *config.Config) []cli.Flag {
 		},
 		&cli.BoolFlag{
 			Name:        "oidc-insecure",
-			Value:       flags.OverrideDefaultBool(cfg.Reva.OIDC.Insecure, true),
+			Value:       flags.OverrideDefaultBool(cfg.Reva.OIDC.Insecure, false),
 			Usage:       "OIDC allow insecure communication",
-			EnvVars:     []string{"STORAGE_OIDC_INSECURE"},
+			EnvVars:     []string{"STORAGE_OIDC_INSECURE", "OCIS_INSECURE"},
 			Destination: &cfg.Reva.OIDC.Insecure,
 		},
 		&cli.StringFlag{

storage/pkg/flagset/frontend.go

@@ -119,6 +119,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_FRONTEND_APPPROVIDER_PREFIX"},
 			Destination: &cfg.Reva.Frontend.AppProviderPrefix,
 		},
+		&cli.BoolFlag{
+			Name:        "approvider-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.Frontend.AppProviderInsecure, false),
+			Usage:       "approvider insecure",
+			EnvVars:     []string{"STORAGE_FRONTEND_APPPROVIDER_INSECURE", "OCIS_INSECURE"},
+			Destination: &cfg.Reva.Frontend.AppProviderInsecure,
+		},
 		&cli.StringFlag{
 			Name:        "archiver-prefix",
 			Value:       flags.OverrideDefaultString(cfg.Reva.Frontend.ArchiverPrefix, "archiver"),
@@ -126,6 +133,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_FRONTEND_ARCHIVER_PREFIX"},
 			Destination: &cfg.Reva.Frontend.ArchiverPrefix,
 		},
+		&cli.BoolFlag{
+			Name:        "archiver-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.Frontend.ArchiverInsecure, false),
+			Usage:       "archiver insecure",
+			EnvVars:     []string{"STORAGE_FRONTEND_ARCHIVER_INSECURE", "OCIS_INSECURE"},
+			Destination: &cfg.Reva.Frontend.ArchiverInsecure,
+		},
 		&cli.StringFlag{
 			Name:        "datagateway-prefix",
 			Value:       flags.OverrideDefaultString(cfg.Reva.Frontend.DatagatewayPrefix, "data"),
@@ -147,6 +161,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_FRONTEND_OCDAV_PREFIX"},
 			Destination: &cfg.Reva.Frontend.OCDavPrefix,
 		},
+		&cli.BoolFlag{
+			Name:        "ocdav-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.Frontend.OCDavInsecure, false),
+			Usage:       "owncloud webdav insecure",
+			EnvVars:     []string{"STORAGE_FRONTEND_OCDAV_INSECURE", "OCIS_INSECURE"},
+			Destination: &cfg.Reva.Frontend.OCDavInsecure,
+		},
 		&cli.StringFlag{
 			Name:        "ocs-prefix",
 			Value:       flags.OverrideDefaultString(cfg.Reva.Frontend.OCSPrefix, "ocs"),

storage/pkg/flagset/storagehome.go

@@ -130,6 +130,13 @@ func StorageHomeWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_HOME_TMP_FOLDER"},
 			Destination: &cfg.Reva.StorageHome.TempFolder,
 		},
+		&cli.BoolFlag{
+			Name:        "dataprovider-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.StorageHome.DataProvider.Insecure, false),
+			Usage:       "dataprovider insecure",
+			EnvVars:     []string{"STORAGE_HOME_DATAPROVIDER_INSECURE", "OCIS_INSECURE"},
+			Destination: &cfg.Reva.StorageHome.DataProvider.Insecure,
+		},
 
 		// some drivers need to look up users at the gateway
 

storage/pkg/flagset/storagemetadata.go

@@ -69,6 +69,13 @@ func StorageMetadata(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_METADATA_DRIVER"},
 			Destination: &cfg.Reva.StorageMetadata.Driver,
 		},
+		&cli.BoolFlag{
+			Name:        "dataprovider-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.StorageMetadata.DataProvider.Insecure, false),
+			Usage:       "dataprovider insecure",
+			EnvVars:     []string{"STORAGE_METADATA_DATAPROVIDER_INSECURE", "OCIS_INSECURE"},
+			Destination: &cfg.Reva.StorageMetadata.DataProvider.Insecure,
+		},
 
 		// some drivers need to look up users at the gateway
 

storage/pkg/flagset/storageusers.go

@@ -78,6 +78,13 @@ func StorageUsersWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_USERS_DRIVER"},
 			Destination: &cfg.Reva.StorageUsers.Driver,
 		},
+		&cli.BoolFlag{
+			Name:        "dataprovider-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.StorageUsers.DataProvider.Insecure, false),
+			Usage:       "dataprovider insecure",
+			EnvVars:     []string{"STORAGE_USERS_DATAPROVIDER_INSECURE", "OCIS_INSECURE"},
+			Destination: &cfg.Reva.StorageUsers.DataProvider.Insecure,
+		},
 		&cli.BoolFlag{
 			Name:        "read-only",
 			Value:       flags.OverrideDefaultBool(cfg.Reva.StorageUsers.ReadOnly, false),

tests/acceptance/docker/src/ocis-base.yml

@@ -14,6 +14,7 @@ services:
       WEB_UI_CONFIG: /drone/src/tests/config/drone/ocis-config.json
       IDP_IDENTIFIER_REGISTRATION_CONF: /drone/src/tests/config/drone/identifier-registration.yml
       ACCOUNTS_HASH_DIFFICULTY: 4
+      OCIS_INSECURE: "true"
       # s3ng specific settings
       STORAGE_USERS_DRIVER_S3NG_ENDPOINT: http://ceph:8080
       STORAGE_USERS_DRIVER_S3NG_REGION: default

thumbnails/pkg/config/config.go

@@ -63,6 +63,7 @@ type Thumbnail struct {
 	Resolutions         []string
 	FileSystemStorage   FileSystemStorage
 	WebdavAllowInsecure bool
+	CS3AllowInsecure    bool
 	RevaGateway         string
 	WebdavNamespace     string
 }

thumbnails/pkg/flagset/flagset.go

@@ -154,11 +154,18 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 		},
 		&cli.BoolFlag{
 			Name:        "webdavsource-insecure",
-			Value:       flags.OverrideDefaultBool(cfg.Thumbnail.WebdavAllowInsecure, true),
+			Value:       flags.OverrideDefaultBool(cfg.Thumbnail.WebdavAllowInsecure, false),
 			Usage:       "Whether to skip certificate checks",
-			EnvVars:     []string{"THUMBNAILS_WEBDAVSOURCE_INSECURE"},
+			EnvVars:     []string{"THUMBNAILS_WEBDAVSOURCE_INSECURE", "OCIS_INSECURE"},
 			Destination: &cfg.Thumbnail.WebdavAllowInsecure,
 		},
+		&cli.BoolFlag{
+			Name:        "cs3source-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Thumbnail.CS3AllowInsecure, false),
+			Usage:       "Whether to skip certificate checks",
+			EnvVars:     []string{"THUMBNAILS_CS3SOURCE_INSECURE", "OCIS_INSECURE"},
+			Destination: &cfg.Thumbnail.CS3AllowInsecure,
+		},
 		&cli.StringSliceFlag{
 			Name:    "thumbnail-resolution",
 			Value:   cli.NewStringSlice("16x16", "32x32", "64x64", "128x128", "1920x1080", "3840x2160", "7680x4320"),

thumbnails/pkg/server/grpc/server.go

@@ -42,7 +42,7 @@ func NewService(opts ...Option) grpc.Service {
 					options.Logger,
 				),
 			),
-			svc.CS3Source(imgsource.NewCS3Source(gc)),
+			svc.CS3Source(imgsource.NewCS3Source(tconf, gc)),
 			svc.CS3Client(gc),
 		)
 		thumbnail = svc.NewInstrument(thumbnail, options.Metrics)

thumbnails/pkg/thumbnail/imgsource/cs3.go

@@ -12,6 +12,7 @@ import (
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	revactx "github.com/cs3org/reva/pkg/ctx"
 	"github.com/cs3org/reva/pkg/rhttp"
+	"github.com/owncloud/ocis/thumbnails/pkg/config"
 	"github.com/pkg/errors"
 	"google.golang.org/grpc/metadata"
 )
@@ -23,12 +24,14 @@ const (
 )
 
 type CS3 struct {
-	client gateway.GatewayAPIClient
+	client   gateway.GatewayAPIClient
+	insecure bool
 }
 
-func NewCS3Source(c gateway.GatewayAPIClient) CS3 {
+func NewCS3Source(cfg config.Thumbnail, c gateway.GatewayAPIClient) CS3 {
 	return CS3{
-		client: c,
+		client:   c,
+		insecure: cfg.CS3AllowInsecure,
 	}
 }
 
@@ -67,7 +70,9 @@ func (s CS3) Get(ctx context.Context, path string) (io.ReadCloser, error) {
 	httpReq.Header.Set(revactx.TokenHeader, auth)
 	httpReq.Header.Set(TokenTransportHeader, tk)
 
-	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint:gosec
+	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{
+		InsecureSkipVerify: s.insecure, //nolint:gosec
+	}
 	client := &http.Client{}
 
 	resp, err := client.Do(httpReq) // nolint:bodyclose