diff --git a/.drone.star b/.drone.star index 06df1cb92..e591646d7 100644 --- a/.drone.star +++ b/.drone.star @@ -1466,6 +1466,7 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = []): "IDP_IDENTIFIER_REGISTRATION_CONF": "/drone/src/tests/config/drone/identifier-registration.yml", "OCIS_LOG_LEVEL": "error", "SETTINGS_DATA_PATH": "/srv/app/tmp/ocis/settings", + "OCIS_INSECURE": "true", } # Pass in "default" accounts_hash_difficulty to not set this environment variable. diff --git a/.vscode/launch.json b/.vscode/launch.json index 37d283a4b..011c22d18 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json @@ -7,12 +7,18 @@ "request": "launch", "mode": "debug", "program": "${workspaceFolder}/ocis/cmd/ocis", - "args": ["server"], + "args": [ + "server" + ], "env": { + // log settings for human developers "OCIS_LOG_LEVEL": "debug", "OCIS_LOG_PRETTY": "true", "OCIS_LOG_COLOR": "true", - "PROXY_ENABLE_BASIC_AUTH": "true" + // enable basic auth for dev setup so that we can use curl for testing + "PROXY_ENABLE_BASIC_AUTH": "true", + // set insecure options because we don't have valid certificates in dev environments + "OCIS_INSECURE": "true", } }, ] diff --git a/changelog/unreleased/insecure-options.md b/changelog/unreleased/insecure-options.md new file mode 100644 index 000000000..ae56ea1ea --- /dev/null +++ b/changelog/unreleased/insecure-options.md 
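Review bot: In the .vscode/launch.json hunk the new `"OCIS_INSECURE": "true",` line leaves a trailing comma before the closing `}` of `env`, which the file did not have before the change. VS Code's JSONC reader tolerates it, but anything that parses launch.json as strict JSON will reject the file. Drop the comma: `"OCIS_INSECURE": "true"`.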
@@ -0,0 +1,27 @@ +Change: Make all insecure options configurable and change the default to false + +We had several hard-coded 'insecure' flags. These options are now configurable and default to false. Also we changed all other 'insecure' flags with a previous default of true to false. + +In development environments using self signed certs (the default) you now need to set these flags: + +``` +PROXY_OIDC_INSECURE=true +STORAGE_FRONTEND_APPPROVIDER_INSECURE=true +STORAGE_FRONTEND_ARCHIVER_INSECURE=true +STORAGE_FRONTEND_OCDAV_INSECURE=true +STORAGE_HOME_DATAPROVIDER_INSECURE=true +STORAGE_METADATA_DATAPROVIDER_INSECURE=true +STORAGE_OIDC_INSECURE=true +STORAGE_USERS_DATAPROVIDER_INSECURE=true +THUMBNAILS_CS3SOURCE_INSECURE=true +THUMBNAILS_WEBDAVSOURCE_INSECURE=true +``` + +As an alternative you also can set a single flag, which configures all options together: + +``` +OCIS_INSECURE=true +``` + +https://github.com/owncloud/ocis/issues/2700 +https://github.com/owncloud/ocis/pull/2745 diff --git a/deployments/examples/cs3_users_ocis/docker-compose.yml b/deployments/examples/cs3_users_ocis/docker-compose.yml index 501e4af7f..e0a4dcc1e 100644 --- a/deployments/examples/cs3_users_ocis/docker-compose.yml +++ b/deployments/examples/cs3_users_ocis/docker-compose.yml 
@@ -81,12 +81,13 @@ services: OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose - PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates PROXY_TLS: "false" # do not use SSL between Traefik and oCIS # change default secrets OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4} STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret} OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please} + # INSECURE: needed if oCIS / Traefik is using self generated certificates + OCIS_INSECURE: "${INSECURE:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ./config/ocis/web-config.dist.json:/config/web-config.dist.json diff --git a/deployments/examples/oc10_ocis_parallel/docker-compose.yml b/deployments/examples/oc10_ocis_parallel/docker-compose.yml index cd02bd92b..86b448a4f 100644 --- a/deployments/examples/oc10_ocis_parallel/docker-compose.yml +++ b/deployments/examples/oc10_ocis_parallel/docker-compose.yml 
@@ -110,13 +110,14 @@ services: OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose PROXY_LOG_LEVEL: ${PROXY_LOG_LEVEL:-error} OCIS_URL: https://${CLOUD_DOMAIN:-cloud.owncloud.test} - PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates PROXY_TLS: "false" # do not use SSL between Traefik and oCIS PROXY_CONFIG_FILE: "/var/tmp/ocis/.config/proxy-config.json" # change default secrets OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4} STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret} OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please} + # INSECURE: needed if oCIS / Traefik is using self generated certificates + OCIS_INSECURE: "${INSECURE:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ./config/ocis/proxy-config.dist.json:/config/proxy-config.dist.json diff --git a/deployments/examples/ocis_hello/docker-compose.yml b/deployments/examples/ocis_hello/docker-compose.yml index bde3af9d8..d6c1c35f1 100644 --- a/deployments/examples/ocis_hello/docker-compose.yml +++ b/deployments/examples/ocis_hello/docker-compose.yml @@ -53,7 +53,6 @@ services: OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose - PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates PROXY_TLS: "false" # do not use SSL between Traefik and oCIS # change default secrets IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp} 
@@ -67,6 +66,8 @@ services: PROXY_CONFIG_FILE: "/var/tmp/ocis/.config/proxy-config.json" # make settings service available to oCIS Hello SETTINGS_GRPC_ADDR: 0.0.0.0:9191 + # INSECURE: needed if oCIS / Traefik is using self generated certificates + OCIS_INSECURE: "${INSECURE:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ./config/ocis/web-config.dist.json:/config/web-config.dist.json diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml index 00301fa35..dd2be4da7 100644 --- a/deployments/examples/ocis_keycloak/docker-compose.yml +++ b/deployments/examples/ocis_keycloak/docker-compose.yml @@ -62,7 +62,6 @@ services: # general config OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose - PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates PROXY_TLS: "false" # do not use SSL between Traefik and oCIS ACCOUNTS_DEMO_USERS_AND_GROUPS: false # don't generate demo users # change default secrets @@ -71,6 +70,8 @@ services: OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4} STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret} OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please} + # INSECURE: needed if oCIS / Traefik is using self generated certificates + OCIS_INSECURE: "${INSECURE:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ocis-data:/var/lib/ocis diff --git a/deployments/examples/ocis_s3/docker-compose.yml b/deployments/examples/ocis_s3/docker-compose.yml index 51b3a7c55..996262072 100644 --- a/deployments/examples/ocis_s3/docker-compose.yml +++ b/deployments/examples/ocis_s3/docker-compose.yml 
@@ -52,7 +52,6 @@ services: environment: OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose - PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates PROXY_TLS: "false" # do not use SSL between Traefik and oCIS # change default secrets IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp} @@ -70,6 +69,8 @@ services: STORAGE_USERS_DRIVER_S3NG_ACCESS_KEY: ${MINIO_ACCESS_KEY:-ocis} STORAGE_USERS_DRIVER_S3NG_SECRET_KEY: ${MINIO_SECRET_KEY:-ocis-secret-key} STORAGE_USERS_DRIVER_S3NG_BUCKET: ${MINIO_BUCKET:-ocis-bucket} + # INSECURE: needed if oCIS / Traefik is using self generated certificates + OCIS_INSECURE: "${INSECURE:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ocis-data:/var/lib/ocis diff --git a/deployments/examples/ocis_traefik/docker-compose.yml b/deployments/examples/ocis_traefik/docker-compose.yml index 029f718b2..53b8ca154 100644 --- a/deployments/examples/ocis_traefik/docker-compose.yml +++ b/deployments/examples/ocis_traefik/docker-compose.yml @@ -52,7 +52,6 @@ services: environment: OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose - PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates PROXY_TLS: "false" # do not use SSL between Traefik and oCIS # change default secrets IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp} @@ -60,6 +59,8 @@ services: OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4} STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret} OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please} + # INSECURE: needed if oCIS / Traefik is using self generated certificates + OCIS_INSECURE: "${INSECURE:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ocis-data:/var/lib/ocis 
diff --git a/deployments/examples/ocis_wopi/docker-compose.yml b/deployments/examples/ocis_wopi/docker-compose.yml index d67da4d99..a38ee897e 100644 --- a/deployments/examples/ocis_wopi/docker-compose.yml +++ b/deployments/examples/ocis_wopi/docker-compose.yml @@ -58,7 +58,6 @@ services: OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose - PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates PROXY_TLS: "false" # do not use SSL between Traefik and oCIS # change default secrets IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp} @@ -69,6 +68,8 @@ services: # app registry STORAGE_GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers STORAGE_APP_REGISTRY_MIMETYPES_JSON: /var/tmp/ocis/app-config/mimetypes.json + # INSECURE: needed if oCIS / Traefik is using self generated certificates + OCIS_INSECURE: "${INSECURE:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ./config/ocis/mimetypes.json:/var/tmp/ocis/app-config/mimetypes.json diff --git a/docs/ocis/deployment/basic-remote-setup.md b/docs/ocis/deployment/basic-remote-setup.md index 96974c153..6569309ab 100644 --- a/docs/ocis/deployment/basic-remote-setup.md +++ b/docs/ocis/deployment/basic-remote-setup.md 
@@ -29,9 +29,10 @@ For the following examples you need to have the oCIS binary in your current work ### Using automatically generated certificates -In order to run oCIS with automatically generated and self signed certificates please execute following command. You need to replace `your-host` with an IP or hostname. +In order to run oCIS with automatically generated and self signed certificates please execute following command. You need to replace `your-host` with an IP or hostname. Since you have only self signed certificates you need to have `OCIS_INSECURE` set to `true`. ```bash +OCIS_INSECURE=true \ PROXY_HTTP_ADDR=0.0.0.0:9200 \ OCIS_URL=https://your-host:9200 \ ./ocis server @@ -42,6 +43,7 @@ OCIS_URL=https://your-host:9200 \ If you have your own certificates already in place, you may want to make oCIS use them: ```bash +OCIS_INSECURE=false \ PROXY_HTTP_ADDR=0.0.0.0:9200 \ OCIS_URL=https://your-host:9200 \ PROXY_TRANSPORT_TLS_KEY=./certs/your-host.key \ @@ -49,6 +51,8 @@ PROXY_TRANSPORT_TLS_CERT=./certs/your-host.crt \ ./ocis server ``` +If you generated these certificates on your own, you might need to set `OCIS_INSECURE` to `true`. + For more configuration options check the configuration section in [oCIS]({{< ref "../configuration" >}}) and the oCIS extensions. ## Start the oCIS fullstack server with Docker Compose diff --git a/docs/ocis/deployment/systemd.md b/docs/ocis/deployment/systemd.md index 716e690ef..8ac0a1d8f 100644 --- a/docs/ocis/deployment/systemd.md +++ b/docs/ocis/deployment/systemd.md @@ -45,6 +45,7 @@ In order to create the file we need first to create the folder `/etc/ocis/` and ``` OCIS_URL=https://some-hostname-or-ip:9200 PROXY_HTTP_ADDR=0.0.0.0:9200 +OCIS_INSECURE=false OCIS_LOG_LEVEL=error 
@@ -56,7 +57,7 @@ PROXY_TRANSPORT_TLS_CERT=/etc/ocis/proxy/server.crt PROXY_TRANSPORT_TLS_KEY=/etc/ocis/proxy/server.key ``` -Please change your `OCIS_URL` in order to reflect your actual deployment. +Please change your `OCIS_URL` in order to reflect your actual deployment. If you are using self signed certificates you need to set `OCIS_INSECURE=true` in `/etc/ocis/ocis.env`. ## Starting the oCIS service diff --git a/graph/pkg/cs3/client.go b/graph/pkg/cs3/client.go deleted file mode 100644 index 9eed1a361..000000000 --- a/graph/pkg/cs3/client.go +++ /dev/null @@ -1,26 +0,0 @@ -package cs3 - -import ( - gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1" - - "google.golang.org/grpc" -) - -func newConn(endpoint string) (*grpc.ClientConn, error) { - conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) - if err != nil { - return nil, err - } - - return conn, nil -} - -// GetGatewayServiceClient returns a new cs3 gateway client -func GetGatewayServiceClient(endpoint string) (gateway.GatewayAPIClient, error) { - conn, err := newConn(endpoint) - if err != nil { - return nil, err - } - - return gateway.NewGatewayAPIClient(conn), nil -} diff --git a/graph/pkg/service/v0/graph.go b/graph/pkg/service/v0/graph.go index 97005ce5a..51f5cc604 100644 --- a/graph/pkg/service/v0/graph.go +++ b/graph/pkg/service/v0/graph.go @@ -4,9 +4,9 @@ import ( "net/http" gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1" + "github.com/cs3org/reva/pkg/rgrpc/todo/pool" "github.com/go-chi/chi/v5" "github.com/owncloud/ocis/graph/pkg/config" - "github.com/owncloud/ocis/graph/pkg/cs3" "github.com/owncloud/ocis/ocis-pkg/log" ) 
@@ -24,7 +24,7 @@ func (g Graph) ServeHTTP(w http.ResponseWriter, r *http.Request) { // GetClient returns a gateway client to talk to reva func (g Graph) GetClient() (gateway.GatewayAPIClient, error) { - return cs3.GetGatewayServiceClient(g.config.Reva.Address) + return pool.GetGatewayServiceClient(g.config.Reva.Address) } // The key type is unexported to prevent collisions with context keys defined in diff --git a/idp/pkg/flagset/flagset.go b/idp/pkg/flagset/flagset.go index fbb36d219..d9c9af81b 100644 --- a/idp/pkg/flagset/flagset.go +++ b/idp/pkg/flagset/flagset.go @@ -355,6 +355,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { &cli.BoolFlag{ Name: "insecure", Usage: "Disable TLS certificate and hostname validation", + Value: flags.OverrideDefaultBool(cfg.IDP.Insecure, false), EnvVars: []string{"IDP_INSECURE"}, Destination: &cfg.IDP.Insecure, }, diff --git a/ocs/pkg/config/config.go b/ocs/pkg/config/config.go index 6ee0377a4..5b3e9affc 100644 --- a/ocs/pkg/config/config.go +++ b/ocs/pkg/config/config.go @@ -49,6 +49,11 @@ type Tracing struct { Service string } +// Reva defines all available REVA configuration. +type Reva struct { + Address string +} + // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string @@ -71,7 +76,7 @@ type Config struct { TokenManager TokenManager Service Service AccountBackend string - RevaAddress string + Reva Reva StorageUsersDriver string MachineAuthAPIKey string IdentityManagement IdentityManagement diff --git a/ocs/pkg/flagset/flagset.go b/ocs/pkg/flagset/flagset.go index 378d07eaf..4eef288e2 100644 --- a/ocs/pkg/flagset/flagset.go +++ b/ocs/pkg/flagset/flagset.go 
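Review bot: The doc comment on GetClient should say that this gateway connection is not governed by any of the *_INSECURE flags introduced in this change; the deleted newConn in graph/pkg/cs3/client.go dialed with `grpc.WithInsecure()`, and nothing in the diff shows reva's pool doing otherwise, so this gRPC hop presumably keeps the same transport settings as before. Without that note a reader of the changelog ("insecure options now default to false") may assume the graph→gateway link is now verified. Suggested wording: `// GetClient returns a gateway client to talk to reva. The connection is taken from reva's shared pool; its transport security is decided there, not by this service's flags.`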
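Review bot: The idp `insecure` flag in idp/pkg/flagset/flagset.go is the only insecure flag touched by this change whose EnvVars list does not gain `OCIS_INSECURE`, and the changelog's list of variables also omits IDP_INSECURE, so a dev setup that sets only OCIS_INSECURE=true leaves this flag at its now-explicit default of false. If that is deliberate (for example because it covers a different connection than the others), a comment on the flag would stop the next reader from "fixing" it: `// Intentionally not wired to OCIS_INSECURE: <reason>.` Otherwise the line should become `EnvVars: []string{"IDP_INSECURE", "OCIS_INSECURE"},` and the changelog list should include IDP_INSECURE.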
@@ -184,10 +184,10 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { }, &cli.StringFlag{ Name: "reva-gateway-addr", - Value: flags.OverrideDefaultString(cfg.RevaAddress, "127.0.0.1:9142"), + Value: flags.OverrideDefaultString(cfg.Reva.Address, "127.0.0.1:9142"), Usage: "Address of REVA gateway endpoint", EnvVars: []string{"REVA_GATEWAY"}, - Destination: &cfg.RevaAddress, + Destination: &cfg.Reva.Address, }, &cli.StringFlag{ Name: "machine-auth-api-key", diff --git a/ocs/pkg/service/v0/service.go b/ocs/pkg/service/v0/service.go index a6875cc4b..146561f15 100644 --- a/ocs/pkg/service/v0/service.go +++ b/ocs/pkg/service/v0/service.go @@ -4,6 +4,7 @@ import ( "net/http" "time" + "github.com/cs3org/reva/pkg/rgrpc/todo/pool" "github.com/owncloud/ocis/ocis-pkg/service/grpc" "github.com/go-chi/chi/v5" @@ -19,7 +20,6 @@ import ( ocsm "github.com/owncloud/ocis/ocs/pkg/middleware" "github.com/owncloud/ocis/ocs/pkg/service/v0/data" "github.com/owncloud/ocis/ocs/pkg/service/v0/response" - "github.com/owncloud/ocis/proxy/pkg/cs3" "github.com/owncloud/ocis/proxy/pkg/user/backend" settings "github.com/owncloud/ocis/settings/pkg/proto/v0" ) @@ -161,9 +161,9 @@ func (o Ocs) getAccountService() accounts.AccountsService { } func (o Ocs) getCS3Backend() backend.UserBackend { - revaClient, err := cs3.GetGatewayServiceClient(o.config.RevaAddress) + revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address) if err != nil { - o.logger.Fatal().Msgf("could not get reva client at address %s", o.config.RevaAddress) + o.logger.Fatal().Msgf("could not get reva client at address %s", o.config.Reva.Address) } return backend.NewCS3UserBackend(nil, revaClient, o.config.MachineAuthAPIKey, o.logger) } diff --git a/ocs/pkg/service/v0/users.go b/ocs/pkg/service/v0/users.go index 78763f47d..c9108a156 100644 --- a/ocs/pkg/service/v0/users.go +++ b/ocs/pkg/service/v0/users.go 
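Review bot: The Fatal log on the changed line in getCS3Backend (ocs/pkg/service/v0/service.go) discards `err`, so the process exits with only the address and no cause. Keep the error on the event: `o.logger.Fatal().Err(err).Msgf("could not get reva client at address %s", o.config.Reva.Address)`.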
@@ -375,7 +375,7 @@ func (o Ocs) DeleteUser(w http.ResponseWriter, r *http.Request) { return } - if o.config.RevaAddress != "" && o.config.StorageUsersDriver != "owncloud" { + if o.config.Reva.Address != "" && o.config.StorageUsersDriver != "owncloud" { t, err := o.mintTokenForUser(r.Context(), account) if err != nil { mustNotFail(render.Render(w, r, response.ErrRender(data.MetaServerError.StatusCode, errors.Wrap(err, "error minting token").Error()))) @@ -384,7 +384,7 @@ func (o Ocs) DeleteUser(w http.ResponseWriter, r *http.Request) { ctx := metadata.AppendToOutgoingContext(r.Context(), revactx.TokenHeader, t) - gwc, err := pool.GetGatewayServiceClient(o.config.RevaAddress) + gwc, err := pool.GetGatewayServiceClient(o.config.Reva.Address) if err != nil { o.logger.Error().Err(err).Msg("error securing a connection to Reva gateway") } diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go index 2f1d6b885..62e5f0d37 100644 --- a/proxy/pkg/flagset/flagset.go +++ b/proxy/pkg/flagset/flagset.go @@ -208,9 +208,9 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { }, &cli.BoolFlag{ Name: "oidc-insecure", - Value: flags.OverrideDefaultBool(cfg.OIDC.Insecure, true), + Value: flags.OverrideDefaultBool(cfg.OIDC.Insecure, false), Usage: "OIDC allow insecure communication", - EnvVars: []string{"PROXY_OIDC_INSECURE"}, + EnvVars: []string{"PROXY_OIDC_INSECURE", "OCIS_INSECURE"}, Destination: &cfg.OIDC.Insecure, }, &cli.IntFlag{ diff --git a/storage/pkg/command/frontend.go b/storage/pkg/command/frontend.go index c2fc65405..19822f7f2 100644 --- a/storage/pkg/command/frontend.go +++ b/storage/pkg/command/frontend.go 
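Review bot: In the second DeleteUser hunk the error branch after `gwc, err := pool.GetGatewayServiceClient(o.config.Reva.Address)` logs and then falls through; if the code after the hunk (outside SOURCE) calls methods on `gwc`, the error path uses a nil client. Mirroring the error handling of the mintTokenForUser branch in the first hunk, the branch should render an error and return: `mustNotFail(render.Render(w, r, response.ErrRender(data.MetaServerError.StatusCode, errors.Wrap(err, "error securing a connection to Reva gateway").Error())))` followed by `return`. DeleteUser starts and ends outside the hunk, so whether gwc is used afterwards is inferred, not shown.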
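Review bot: With two entries in EnvVars the list order in proxy/pkg/flagset/flagset.go becomes load-bearing: if urfave/cli resolves EnvVars in list order and takes the first variable that is set (as I believe v2 does), `PROXY_OIDC_INSECURE` wins over `OCIS_INSECURE` and the global only applies when the specific variable is unset. That rule is nowhere stated, so a comment above the flag would protect it from a casual reorder: `// The service-specific variable is listed first so it takes precedence over the global OCIS_INSECURE.` The same applies to every EnvVars list that gains OCIS_INSECURE in this change (storage authbearer, storage frontend/home/metadata/users flagsets, thumbnails). The Usage text also does not mention the global: `Usage: "OIDC allow insecure communication (also set by OCIS_INSECURE)"` would surface it in --help.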
@@ -171,12 +171,12 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s "prefix": cfg.Reva.Frontend.AppProviderPrefix, "transfer_shared_secret": cfg.Reva.TransferSecret, "timeout": 86400, - "insecure": true, + "insecure": cfg.Reva.Frontend.AppProviderInsecure, }, "archiver": map[string]interface{}{ "prefix": cfg.Reva.Frontend.ArchiverPrefix, "timeout": 86400, - "insecure": true, + "insecure": cfg.Reva.Frontend.ArchiverInsecure, "max_num_files": cfg.Reva.Archiver.MaxNumFiles, "max_size": cfg.Reva.Archiver.MaxSize, }, @@ -191,7 +191,7 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s "files_namespace": cfg.Reva.OCDav.DavFilesNamespace, "webdav_namespace": cfg.Reva.OCDav.WebdavNamespace, "timeout": 86400, - "insecure": true, + "insecure": cfg.Reva.Frontend.OCDavInsecure, "public_url": cfg.Reva.Frontend.PublicURL, }, "ocs": map[string]interface{}{ diff --git a/storage/pkg/command/storagehome.go b/storage/pkg/command/storagehome.go index 4df8524e9..fff984b13 100644 --- a/storage/pkg/command/storagehome.go +++ b/storage/pkg/command/storagehome.go @@ -128,7 +128,7 @@ func storageHomeConfigFromStruct(c *cli.Context, cfg *config.Config) map[string] "driver": cfg.Reva.StorageHome.Driver, "drivers": storagedrivers.HomeDrivers(cfg), "timeout": 86400, - "insecure": true, + "insecure": cfg.Reva.StorageHome.DataProvider.Insecure, "disable_tus": false, }, }, diff --git a/storage/pkg/command/storagemetadata.go b/storage/pkg/command/storagemetadata.go index c27b27a42..74af72911 100644 --- a/storage/pkg/command/storagemetadata.go +++ b/storage/pkg/command/storagemetadata.go @@ -150,7 +150,7 @@ func storageMetadataFromStruct(c *cli.Context, cfg *config.Config) map[string]in "driver": cfg.Reva.StorageMetadata.Driver, "drivers": storagedrivers.MetadataDrivers(cfg), "timeout": 86400, - "insecure": true, + "insecure": cfg.Reva.StorageMetadata.DataProvider.Insecure, "disable_tus": true, }, }, 
diff --git a/storage/pkg/command/storageusers.go b/storage/pkg/command/storageusers.go index 6f01defad..99ae03348 100644 --- a/storage/pkg/command/storageusers.go +++ b/storage/pkg/command/storageusers.go @@ -128,7 +128,7 @@ func storageUsersConfigFromStruct(c *cli.Context, cfg *config.Config) map[string "driver": cfg.Reva.StorageUsers.Driver, "drivers": storagedrivers.UserDrivers(cfg), "timeout": 86400, - "insecure": true, + "insecure": cfg.Reva.StorageUsers.DataProvider.Insecure, "disable_tus": false, }, }, diff --git a/storage/pkg/config/config.go b/storage/pkg/config/config.go index a18c19ce3..4797b7736 100644 --- a/storage/pkg/config/config.go +++ b/storage/pkg/config/config.go @@ -144,10 +144,13 @@ type Groups struct { type FrontendPort struct { Port + AppProviderInsecure bool AppProviderPrefix string + ArchiverInsecure bool ArchiverPrefix string DatagatewayPrefix string Favorites bool + OCDavInsecure bool OCDavPrefix string OCSPrefix string OCSSharePrefix string @@ -175,6 +178,10 @@ type DataGatewayPort struct { PublicURL string } +type DataProvider struct { + Insecure bool +} + // StoragePort defines the available storage configuration. type StoragePort struct { Port @@ -186,9 +193,10 @@ type StoragePort struct { DataServerURL string // for HTTP ports with only one http service - HTTPPrefix string - TempFolder string - ReadOnly bool + HTTPPrefix string + TempFolder string + ReadOnly bool + DataProvider DataProvider } // PublicStorage configures a public storage provider diff --git a/storage/pkg/flagset/authbearer.go b/storage/pkg/flagset/authbearer.go index 73bfeb91e..d41a89558 100644 --- a/storage/pkg/flagset/authbearer.go +++ b/storage/pkg/flagset/authbearer.go 
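Review bot: `DataProvider` in storage/pkg/config/config.go is the only exported type in its hunk without a doc comment, while `StoragePort` directly below it has one. Add `// DataProvider defines the configuration of a storage port's data provider.` above the type, and on the field `// Insecure is passed through as the data provider's "insecure" option.` — that is where the value goes in storage/pkg/command/storagehome.go, storagemetadata.go and storageusers.go in this change. The newly added FrontendPort fields (`AppProviderInsecure`, `ArchiverInsecure`, `OCDavInsecure`) would benefit from the same one-line pointer to their `"insecure"` keys in storage/pkg/command/frontend.go.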
@@ -30,9 +30,9 @@ func AuthBearerWithConfig(cfg *config.Config) []cli.Flag { }, &cli.BoolFlag{ Name: "oidc-insecure", - Value: flags.OverrideDefaultBool(cfg.Reva.OIDC.Insecure, true), + Value: flags.OverrideDefaultBool(cfg.Reva.OIDC.Insecure, false), Usage: "OIDC allow insecure communication", - EnvVars: []string{"STORAGE_OIDC_INSECURE"}, + EnvVars: []string{"STORAGE_OIDC_INSECURE", "OCIS_INSECURE"}, Destination: &cfg.Reva.OIDC.Insecure, }, &cli.StringFlag{ diff --git a/storage/pkg/flagset/frontend.go b/storage/pkg/flagset/frontend.go index 4f5956aec..3baa80ae2 100644 --- a/storage/pkg/flagset/frontend.go +++ b/storage/pkg/flagset/frontend.go @@ -119,6 +119,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_FRONTEND_APPPROVIDER_PREFIX"}, Destination: &cfg.Reva.Frontend.AppProviderPrefix, }, + &cli.BoolFlag{ + Name: "approvider-insecure", + Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.AppProviderInsecure, false), + Usage: "approvider insecure", + EnvVars: []string{"STORAGE_FRONTEND_APPPROVIDER_INSECURE", "OCIS_INSECURE"}, + Destination: &cfg.Reva.Frontend.AppProviderInsecure, + }, &cli.StringFlag{ Name: "archiver-prefix", Value: flags.OverrideDefaultString(cfg.Reva.Frontend.ArchiverPrefix, "archiver"), @@ -126,6 +133,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_FRONTEND_ARCHIVER_PREFIX"}, Destination: &cfg.Reva.Frontend.ArchiverPrefix, }, + &cli.BoolFlag{ + Name: "archiver-insecure", + Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.ArchiverInsecure, false), + Usage: "archiver insecure", + EnvVars: []string{"STORAGE_FRONTEND_ARCHIVER_INSECURE", "OCIS_INSECURE"}, + Destination: &cfg.Reva.Frontend.ArchiverInsecure, + }, &cli.StringFlag{ Name: "datagateway-prefix", Value: flags.OverrideDefaultString(cfg.Reva.Frontend.DatagatewayPrefix, "data"), 
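Review bot: The Usage strings of the new BoolFlags in storage/pkg/flagset/frontend.go ("approvider insecure", "archiver insecure") only repeat the flag name and say nothing about the effect, unlike the idp flag's "Disable TLS certificate and hostname validation" in this same change; the same applies to "owncloud webdav insecure" and the three "dataprovider insecure" flags in the storagehome, storagemetadata and storageusers flagset hunks. Each value ends up as the reva `"insecure"` option of the respective service (see storage/pkg/command), which I take to mean skipping TLS certificate verification on that service's outbound connections — worth confirming against reva before wording it. Suggested form: `Usage: "Skip TLS certificate verification for the app provider (also set by OCIS_INSECURE)"`, adjusted per flag.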
@@ -147,6 +161,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_FRONTEND_OCDAV_PREFIX"}, Destination: &cfg.Reva.Frontend.OCDavPrefix, }, + &cli.BoolFlag{ + Name: "ocdav-insecure", + Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.OCDavInsecure, false), + Usage: "owncloud webdav insecure", + EnvVars: []string{"STORAGE_FRONTEND_OCDAV_INSECURE", "OCIS_INSECURE"}, + Destination: &cfg.Reva.Frontend.OCDavInsecure, + }, &cli.StringFlag{ Name: "ocs-prefix", Value: flags.OverrideDefaultString(cfg.Reva.Frontend.OCSPrefix, "ocs"), diff --git a/storage/pkg/flagset/storagehome.go b/storage/pkg/flagset/storagehome.go index 6df9bf0c5..76eb53d70 100644 --- a/storage/pkg/flagset/storagehome.go +++ b/storage/pkg/flagset/storagehome.go @@ -130,6 +130,13 @@ func StorageHomeWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_HOME_TMP_FOLDER"}, Destination: &cfg.Reva.StorageHome.TempFolder, }, + &cli.BoolFlag{ + Name: "dataprovider-insecure", + Value: flags.OverrideDefaultBool(cfg.Reva.StorageHome.DataProvider.Insecure, false), + Usage: "dataprovider insecure", + EnvVars: []string{"STORAGE_HOME_DATAPROVIDER_INSECURE", "OCIS_INSECURE"}, + Destination: &cfg.Reva.StorageHome.DataProvider.Insecure, + }, // some drivers need to look up users at the gateway diff --git a/storage/pkg/flagset/storagemetadata.go b/storage/pkg/flagset/storagemetadata.go index 6af75d2e3..4b80756f0 100644 --- a/storage/pkg/flagset/storagemetadata.go +++ b/storage/pkg/flagset/storagemetadata.go 
@@ -69,6 +69,13 @@ func StorageMetadata(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_METADATA_DRIVER"}, Destination: &cfg.Reva.StorageMetadata.Driver, }, + &cli.BoolFlag{ + Name: "dataprovider-insecure", + Value: flags.OverrideDefaultBool(cfg.Reva.StorageMetadata.DataProvider.Insecure, false), + Usage: "dataprovider insecure", + EnvVars: []string{"STORAGE_METADATA_DATAPROVIDER_INSECURE", "OCIS_INSECURE"}, + Destination: &cfg.Reva.StorageMetadata.DataProvider.Insecure, + }, // some drivers need to look up users at the gateway diff --git a/storage/pkg/flagset/storageusers.go b/storage/pkg/flagset/storageusers.go index b801d2dd8..6be58bc33 100644 --- a/storage/pkg/flagset/storageusers.go +++ b/storage/pkg/flagset/storageusers.go @@ -78,6 +78,13 @@ func StorageUsersWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_USERS_DRIVER"}, Destination: &cfg.Reva.StorageUsers.Driver, }, + &cli.BoolFlag{ + Name: "dataprovider-insecure", + Value: flags.OverrideDefaultBool(cfg.Reva.StorageUsers.DataProvider.Insecure, false), + Usage: "dataprovider insecure", + EnvVars: []string{"STORAGE_USERS_DATAPROVIDER_INSECURE", "OCIS_INSECURE"}, + Destination: &cfg.Reva.StorageUsers.DataProvider.Insecure, + }, &cli.BoolFlag{ Name: "read-only", Value: flags.OverrideDefaultBool(cfg.Reva.StorageUsers.ReadOnly, false), diff --git a/tests/acceptance/docker/src/ocis-base.yml b/tests/acceptance/docker/src/ocis-base.yml index 4154bd0d7..7cd72650c 100644 --- a/tests/acceptance/docker/src/ocis-base.yml +++ b/tests/acceptance/docker/src/ocis-base.yml @@ -14,6 +14,7 @@ services: WEB_UI_CONFIG: /drone/src/tests/config/drone/ocis-config.json IDP_IDENTIFIER_REGISTRATION_CONF: /drone/src/tests/config/drone/identifier-registration.yml ACCOUNTS_HASH_DIFFICULTY: 4 + OCIS_INSECURE: "true" # s3ng specific settings STORAGE_USERS_DRIVER_S3NG_ENDPOINT: http://ceph:8080 STORAGE_USERS_DRIVER_S3NG_REGION: default 
diff --git a/thumbnails/pkg/config/config.go b/thumbnails/pkg/config/config.go index 7f8a97a81..4a19e13f4 100644 --- a/thumbnails/pkg/config/config.go +++ b/thumbnails/pkg/config/config.go @@ -63,6 +63,7 @@ type Thumbnail struct { Resolutions []string FileSystemStorage FileSystemStorage WebdavAllowInsecure bool + CS3AllowInsecure bool RevaGateway string WebdavNamespace string } diff --git a/thumbnails/pkg/flagset/flagset.go b/thumbnails/pkg/flagset/flagset.go index 6a877400e..9efd680a1 100644 --- a/thumbnails/pkg/flagset/flagset.go +++ b/thumbnails/pkg/flagset/flagset.go @@ -154,11 +154,18 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { }, &cli.BoolFlag{ Name: "webdavsource-insecure", - Value: flags.OverrideDefaultBool(cfg.Thumbnail.WebdavAllowInsecure, true), + Value: flags.OverrideDefaultBool(cfg.Thumbnail.WebdavAllowInsecure, false), Usage: "Whether to skip certificate checks", - EnvVars: []string{"THUMBNAILS_WEBDAVSOURCE_INSECURE"}, + EnvVars: []string{"THUMBNAILS_WEBDAVSOURCE_INSECURE", "OCIS_INSECURE"}, Destination: &cfg.Thumbnail.WebdavAllowInsecure, }, + &cli.BoolFlag{ + Name: "cs3source-insecure", + Value: flags.OverrideDefaultBool(cfg.Thumbnail.CS3AllowInsecure, false), + Usage: "Whether to skip certificate checks", + EnvVars: []string{"THUMBNAILS_CS3SOURCE_INSECURE", "OCIS_INSECURE"}, + Destination: &cfg.Thumbnail.CS3AllowInsecure, + }, &cli.StringSliceFlag{ Name: "thumbnail-resolution", Value: cli.NewStringSlice("16x16", "32x32", "64x64", "128x128", "1920x1080", "3840x2160", "7680x4320"), diff --git a/thumbnails/pkg/server/grpc/server.go b/thumbnails/pkg/server/grpc/server.go index 866868d12..0c905c06e 100644 --- a/thumbnails/pkg/server/grpc/server.go +++ b/thumbnails/pkg/server/grpc/server.go 
@@ -42,7 +42,7 @@ func NewService(opts ...Option) grpc.Service { options.Logger, ), ), - svc.CS3Source(imgsource.NewCS3Source(gc)), + svc.CS3Source(imgsource.NewCS3Source(tconf, gc)), svc.CS3Client(gc), ) thumbnail = svc.NewInstrument(thumbnail, options.Metrics) diff --git a/thumbnails/pkg/thumbnail/imgsource/cs3.go b/thumbnails/pkg/thumbnail/imgsource/cs3.go index 68cf63750..072713978 100644 --- a/thumbnails/pkg/thumbnail/imgsource/cs3.go +++ b/thumbnails/pkg/thumbnail/imgsource/cs3.go @@ -12,6 +12,7 @@ import ( provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" revactx "github.com/cs3org/reva/pkg/ctx" "github.com/cs3org/reva/pkg/rhttp" + "github.com/owncloud/ocis/thumbnails/pkg/config" "github.com/pkg/errors" "google.golang.org/grpc/metadata" ) @@ -23,12 +24,14 @@ const ( ) type CS3 struct { - client gateway.GatewayAPIClient + client gateway.GatewayAPIClient + insecure bool } -func NewCS3Source(c gateway.GatewayAPIClient) CS3 { +func NewCS3Source(cfg config.Thumbnail, c gateway.GatewayAPIClient) CS3 { return CS3{ - client: c, + client: c, + insecure: cfg.CS3AllowInsecure, } } @@ -67,7 +70,9 @@ func (s CS3) Get(ctx context.Context, path string) (io.ReadCloser, error) { httpReq.Header.Set(revactx.TokenHeader, auth) httpReq.Header.Set(TokenTransportHeader, tk) - http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint:gosec + http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{ + InsecureSkipVerify: s.insecure, //nolint:gosec + } client := &http.Client{} resp, err := client.Do(httpReq) // nolint:bodyclose
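Review bot: In the struct/constructor hunk of thumbnails/pkg/thumbnail/imgsource/cs3.go the new `insecure` field only postpones the problem visible in the following Get hunk: Get still assigns `http.DefaultTransport.(*http.Transport).TLSClientConfig` on every call, so a per-source setting mutates the process-wide transport used by every other HTTP client in the thumbnails service, and concurrent Get calls write that field without synchronization. Building a dedicated transport once in NewCS3Source and giving Get its own client keeps the setting local and removes the shared write; if any other code relied on the side effect it needs its own setting (the webdav source already has `WebdavAllowInsecure`). The Get hunk ends outside SOURCE, so only its `client := &http.Client{}` / `client.Do(httpReq)` lines are addressed here.
```go
type CS3 struct {
	client gateway.GatewayAPIClient
	// httpClient carries the CS3 source's own TLS settings so that the
	// process-wide http.DefaultTransport is never modified.
	httpClient *http.Client
}

func NewCS3Source(cfg config.Thumbnail, c gateway.GatewayAPIClient) CS3 {
	transport := http.DefaultTransport.(*http.Transport).Clone()
	transport.TLSClientConfig = &tls.Config{
		InsecureSkipVerify: cfg.CS3AllowInsecure, //nolint:gosec
	}
	return CS3{
		client:     c,
		httpClient: &http.Client{Transport: transport},
	}
}

// … unchanged: Get up to and including the header setup …
	resp, err := s.httpClient.Do(httpReq) // nolint:bodyclose
```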