From 0ec64fe99fec6a1ac7570a53f7297f7404d45b8a Mon Sep 17 00:00:00 2001 From: David Christofas Date: Wed, 10 Nov 2021 13:18:04 +0100 Subject: [PATCH 1/6] make insecure options configurable --- .drone.star | 5 +++++ .vscode/launch.json | 7 ++++++- changelog/unreleased/insecure-options.md | 14 ++++++++++++++ storage/pkg/command/frontend.go | 6 +++--- storage/pkg/command/storagehome.go | 2 +- storage/pkg/command/storagemetadata.go | 2 +- storage/pkg/config/config.go | 14 +++++++++++--- storage/pkg/flagset/frontend.go | 21 +++++++++++++++++++++ storage/pkg/flagset/storagehome.go | 7 +++++++ storage/pkg/flagset/storagemetadata.go | 7 +++++++ 10 files changed, 76 insertions(+), 9 deletions(-) create mode 100644 changelog/unreleased/insecure-options.md diff --git a/.drone.star b/.drone.star index 11833cabd..db2982e53 100644 --- a/.drone.star +++ b/.drone.star @@ -1474,6 +1474,11 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = []): "IDP_IDENTIFIER_REGISTRATION_CONF": "/drone/src/tests/config/drone/identifier-registration.yml", "OCIS_LOG_LEVEL": "error", "SETTINGS_DATA_PATH": "/srv/app/tmp/ocis/settings", + "STORAGE_HOME_DATAPROVIDER_INSECURE": True, + "STORAGE_METADATA_DATAPROVIDER_INSECURE": True, + "STORAGE_FRONTEND_OCDAV_INSECURE": True, + "STORAGE_FRONTEND_ARCHIVER_INSECURE": True, + "STORAGE_FRONTEND_APPPROVIDER_INSECURE": True, } # Pass in "default" accounts_hash_difficulty to not set this environment variable. diff --git a/.vscode/launch.json b/.vscode/launch.json index 37d283a4b..2a231cc67 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json 
@@ -12,7 +12,12 @@ "OCIS_LOG_LEVEL": "debug", "OCIS_LOG_PRETTY": "true", "OCIS_LOG_COLOR": "true", - "PROXY_ENABLE_BASIC_AUTH": "true" + "PROXY_ENABLE_BASIC_AUTH": "true", + "STORAGE_HOME_DATAPROVIDER_INSECURE": "true", + "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true", + "STORAGE_FRONTEND_OCDAV_INSECURE": "true", + "STORAGE_FRONTEND_ARCHIVER_INSECURE": "true", + "STORAGE_FRONTEND_APPPROVIDER_INSECURE": "true", } }, ] diff --git a/changelog/unreleased/insecure-options.md b/changelog/unreleased/insecure-options.md new file mode 100644 index 000000000..34f53f657 --- /dev/null +++ b/changelog/unreleased/insecure-options.md @@ -0,0 +1,14 @@ +Enhancement: Make insecure options configurable + +We had several hard-coded 'insecure' flags. These options are now configurable. In development environments using self signed certs (the default) you need to set these flags: + +``` +STORAGE_HOME_DATAPROVIDER_INSECURE=true +STORAGE_METADATA_DATAPROVIDER_INSECURE=true +STORAGE_FRONTEND_OCDAV_INSECURE=true +STORAGE_FRONTEND_ARCHIVER_INSECURE=true +STORAGE_FRONTEND_APPPROVIDER_INSECURE=true +``` + +https://github.com/owncloud/ocis/issues/2700 +https://github.com/owncloud/ocis/pull/2745 diff --git a/storage/pkg/command/frontend.go b/storage/pkg/command/frontend.go index 43fb59a6f..c9b2d9416 100644 --- a/storage/pkg/command/frontend.go +++ b/storage/pkg/command/frontend.go @@ -170,12 +170,12 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s "prefix": cfg.Reva.Frontend.AppProviderPrefix, "transfer_shared_secret": cfg.Reva.TransferSecret, "timeout": 86400, - "insecure": true, + "insecure": cfg.Reva.Frontend.AppProviderInsecure, }, "archiver": map[string]interface{}{ "prefix": cfg.Reva.Frontend.ArchiverPrefix, "timeout": 86400, - "insecure": true, + "insecure": cfg.Reva.Frontend.ArchiverInsecure, "max_num_files": cfg.Reva.Archiver.MaxNumFiles, "max_size": cfg.Reva.Archiver.MaxSize, }, 
@@ -190,7 +190,7 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s "files_namespace": cfg.Reva.OCDav.DavFilesNamespace, "webdav_namespace": cfg.Reva.OCDav.WebdavNamespace, "timeout": 86400, - "insecure": true, + "insecure": cfg.Reva.Frontend.OCDavInsecure, "public_url": cfg.Reva.Frontend.PublicURL, }, "ocs": map[string]interface{}{ diff --git a/storage/pkg/command/storagehome.go b/storage/pkg/command/storagehome.go index 4df8524e9..fff984b13 100644 --- a/storage/pkg/command/storagehome.go +++ b/storage/pkg/command/storagehome.go @@ -128,7 +128,7 @@ func storageHomeConfigFromStruct(c *cli.Context, cfg *config.Config) map[string] "driver": cfg.Reva.StorageHome.Driver, "drivers": storagedrivers.HomeDrivers(cfg), "timeout": 86400, - "insecure": true, + "insecure": cfg.Reva.StorageHome.DataProvider.Insecure, "disable_tus": false, }, }, diff --git a/storage/pkg/command/storagemetadata.go b/storage/pkg/command/storagemetadata.go index c27b27a42..74af72911 100644 --- a/storage/pkg/command/storagemetadata.go +++ b/storage/pkg/command/storagemetadata.go @@ -150,7 +150,7 @@ func storageMetadataFromStruct(c *cli.Context, cfg *config.Config) map[string]in "driver": cfg.Reva.StorageMetadata.Driver, "drivers": storagedrivers.MetadataDrivers(cfg), "timeout": 86400, - "insecure": true, + "insecure": cfg.Reva.StorageMetadata.DataProvider.Insecure, "disable_tus": true, }, }, diff --git a/storage/pkg/config/config.go b/storage/pkg/config/config.go index a18c19ce3..4797b7736 100644 --- a/storage/pkg/config/config.go +++ b/storage/pkg/config/config.go @@ -144,10 +144,13 @@ type Groups struct { type FrontendPort struct { Port + AppProviderInsecure bool AppProviderPrefix string + ArchiverInsecure bool ArchiverPrefix string DatagatewayPrefix string Favorites bool + OCDavInsecure bool OCDavPrefix string OCSPrefix string OCSSharePrefix string 
@@ -175,6 +178,10 @@ type DataGatewayPort struct { PublicURL string } +type DataProvider struct { + Insecure bool +} + // StoragePort defines the available storage configuration. type StoragePort struct { Port @@ -186,9 +193,10 @@ type StoragePort struct { DataServerURL string // for HTTP ports with only one http service - HTTPPrefix string - TempFolder string - ReadOnly bool + HTTPPrefix string + TempFolder string + ReadOnly bool + DataProvider DataProvider } // PublicStorage configures a public storage provider diff --git a/storage/pkg/flagset/frontend.go b/storage/pkg/flagset/frontend.go index 4f5956aec..928798c8e 100644 --- a/storage/pkg/flagset/frontend.go +++ b/storage/pkg/flagset/frontend.go @@ -119,6 +119,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_FRONTEND_APPPROVIDER_PREFIX"}, Destination: &cfg.Reva.Frontend.AppProviderPrefix, }, + &cli.BoolFlag{ + Name: "approvider-insecure", + Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.AppProviderInsecure, false), + Usage: "approvider insecure", + EnvVars: []string{"STORAGE_FRONTEND_APPPROVIDER_INSECURE"}, + Destination: &cfg.Reva.Frontend.AppProviderInsecure, + }, &cli.StringFlag{ Name: "archiver-prefix", Value: flags.OverrideDefaultString(cfg.Reva.Frontend.ArchiverPrefix, "archiver"), @@ -126,6 +133,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_FRONTEND_ARCHIVER_PREFIX"}, Destination: &cfg.Reva.Frontend.ArchiverPrefix, }, + &cli.BoolFlag{ + Name: "archiver-insecure", + Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.ArchiverInsecure, false), + Usage: "archiver insecure", + EnvVars: []string{"STORAGE_FRONTEND_ARCHIVER_INSECURE"}, + Destination: &cfg.Reva.Frontend.ArchiverInsecure, + }, &cli.StringFlag{ Name: "datagateway-prefix", Value: flags.OverrideDefaultString(cfg.Reva.Frontend.DatagatewayPrefix, "data"), 
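Review bot: The `Usage` strings on the two new flags, `"approvider insecure"` and `"archiver insecure"`, only echo the flag name and never tell an operator what they switch off; the changelog in this same patch ties these flags to self-signed certificates, so presumably they disable TLS certificate verification, and that is what the help text should say, in the form the repo already uses for `idp`'s `insecure` flag (`"Disable TLS certificate and hostname validation"`). Suggest `Usage: "Disable TLS certificate verification for the app provider (development / self-signed certificates only)"` and the matching sentence for the archiver flag; the `dataprovider-insecure` flags added elsewhere in this series (`"dataprovider insecure"`) have the same gap. The CLI name `approvider-insecure` also drops a `p` relative to its env var `STORAGE_FRONTEND_APPPROVIDER_INSECURE`; unless the sibling prefix flag, whose `Name` line is outside the hunk, already uses that spelling, `appprovider-insecure` would be the consistent choice.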
@@ -147,6 +161,13 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_FRONTEND_OCDAV_PREFIX"}, Destination: &cfg.Reva.Frontend.OCDavPrefix, }, + &cli.BoolFlag{ + Name: "ocdav-insecure", + Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.OCDavInsecure, false), + Usage: "owncloud webdav insecure", + EnvVars: []string{"STORAGE_FRONTEND_OCDAV_INSECURE"}, + Destination: &cfg.Reva.Frontend.OCDavInsecure, + }, &cli.StringFlag{ Name: "ocs-prefix", Value: flags.OverrideDefaultString(cfg.Reva.Frontend.OCSPrefix, "ocs"), diff --git a/storage/pkg/flagset/storagehome.go b/storage/pkg/flagset/storagehome.go index 6df9bf0c5..2ec1b71ac 100644 --- a/storage/pkg/flagset/storagehome.go +++ b/storage/pkg/flagset/storagehome.go @@ -130,6 +130,13 @@ func StorageHomeWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_HOME_TMP_FOLDER"}, Destination: &cfg.Reva.StorageHome.TempFolder, }, + &cli.BoolFlag{ + Name: "dataprovider-insecure", + Value: flags.OverrideDefaultBool(cfg.Reva.StorageHome.DataProvider.Insecure, false), + Usage: "dataprovider insecure", + EnvVars: []string{"STORAGE_HOME_DATAPROVIDER_INSECURE"}, + Destination: &cfg.Reva.StorageHome.DataProvider.Insecure, + }, // some drivers need to look up users at the gateway diff --git a/storage/pkg/flagset/storagemetadata.go b/storage/pkg/flagset/storagemetadata.go index 6af75d2e3..10b07441a 100644 --- a/storage/pkg/flagset/storagemetadata.go +++ b/storage/pkg/flagset/storagemetadata.go 
@@ -69,6 +69,13 @@ func StorageMetadata(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_METADATA_DRIVER"}, Destination: &cfg.Reva.StorageMetadata.Driver, }, + &cli.BoolFlag{ + Name: "dataprovider-insecure", + Value: flags.OverrideDefaultBool(cfg.Reva.StorageMetadata.DataProvider.Insecure, false), + Usage: "dataprovider insecure", + EnvVars: []string{"STORAGE_METADATA_DATAPROVIDER_INSECURE"}, + Destination: &cfg.Reva.StorageMetadata.DataProvider.Insecure, + }, // some drivers need to look up users at the gateway From 69cc11dbe6c59f574442598ff5c280e5f7c4f93c Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Wed, 10 Nov 2021 15:45:55 +0100 Subject: [PATCH 2/6] make more insecure options configurable and change insecure defaults from true to false --- .drone.star | 16 +++++++++---- .vscode/launch.json | 13 +++++++++- changelog/unreleased/insecure-options.md | 14 +++++++---- graph/pkg/cs3/client.go | 26 -------------------- graph/pkg/service/v0/graph.go | 4 ++-- idp/pkg/flagset/flagset.go | 1 + ocs/pkg/config/config.go | 7 +++++- ocs/pkg/flagset/flagset.go | 4 ++-- ocs/pkg/service/v0/service.go | 6 ++--- ocs/pkg/service/v0/users.go | 4 ++-- proxy/pkg/command/server.go | 2 +- proxy/pkg/config/config.go | 1 + proxy/pkg/cs3/client.go | 29 ++++++++++++++--------- proxy/pkg/flagset/flagset.go | 9 ++++++- storage/pkg/command/storageusers.go | 2 +- storage/pkg/flagset/authbearer.go | 2 +- storage/pkg/flagset/storageusers.go | 7 ++++++ thumbnails/pkg/config/config.go | 1 + thumbnails/pkg/flagset/flagset.go | 9 ++++++- thumbnails/pkg/server/grpc/server.go | 4 ++-- thumbnails/pkg/thumbnail/imgsource/cs3.go | 13 ++++++---- 21 files changed, 106 insertions(+), 68 deletions(-) delete mode 100644 graph/pkg/cs3/client.go diff --git a/.drone.star b/.drone.star index db2982e53..34ab845f4 100644 --- a/.drone.star +++ b/.drone.star 
@@ -1474,11 +1474,17 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = []): "IDP_IDENTIFIER_REGISTRATION_CONF": "/drone/src/tests/config/drone/identifier-registration.yml", "OCIS_LOG_LEVEL": "error", "SETTINGS_DATA_PATH": "/srv/app/tmp/ocis/settings", - "STORAGE_HOME_DATAPROVIDER_INSECURE": True, - "STORAGE_METADATA_DATAPROVIDER_INSECURE": True, - "STORAGE_FRONTEND_OCDAV_INSECURE": True, - "STORAGE_FRONTEND_ARCHIVER_INSECURE": True, - "STORAGE_FRONTEND_APPPROVIDER_INSECURE": True, + "PROXY_OIDC_INSECURE": "true", + "THUMBNAILS_WEBDAVSOURCE_INSECURE": "true", + "THUMBNAILS_CS3SOURCE_INSECURE": "true", + "REVA_GATEWAY_INSECURE": "true", + "STORAGE_OIDC_INSECURE": "true", + "STORAGE_HOME_DATAPROVIDER_INSECURE": "true", + "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true", + "STORAGE_USERS_DATAPROVIDER_INSECURE": "true", + "STORAGE_FRONTEND_OCDAV_INSECURE": "true", + "STORAGE_FRONTEND_ARCHIVER_INSECURE": "true", + "STORAGE_FRONTEND_APPPROVIDER_INSECURE": "true", } # Pass in "default" accounts_hash_difficulty to not set this environment variable. diff --git a/.vscode/launch.json b/.vscode/launch.json index 2a231cc67..d00d1d4f4 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json 
@@ -7,14 +7,25 @@ "request": "launch", "mode": "debug", "program": "${workspaceFolder}/ocis/cmd/ocis", - "args": ["server"], + "args": [ + "server" + ], "env": { + // log settings for human developers "OCIS_LOG_LEVEL": "debug", "OCIS_LOG_PRETTY": "true", "OCIS_LOG_COLOR": "true", + // enable basic auth for dev setup so that we can use curl for testing "PROXY_ENABLE_BASIC_AUTH": "true", + // set insecure options because we don't have valid certificates in dev environments + "PROXY_OIDC_INSECURE": "true", + "THUMBNAILS_WEBDAVSOURCE_INSECURE": "true", + "THUMBNAILS_CS3SOURCE_INSECURE": "true", + "REVA_GATEWAY_INSECURE": "true", + "STORAGE_OIDC_INSECURE": "true", "STORAGE_HOME_DATAPROVIDER_INSECURE": "true", "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true", + "STORAGE_USERS_DATAPROVIDER_INSECURE": "true", "STORAGE_FRONTEND_OCDAV_INSECURE": "true", "STORAGE_FRONTEND_ARCHIVER_INSECURE": "true", "STORAGE_FRONTEND_APPPROVIDER_INSECURE": "true", diff --git a/changelog/unreleased/insecure-options.md b/changelog/unreleased/insecure-options.md index 34f53f657..ec7e032e5 100644 --- a/changelog/unreleased/insecure-options.md +++ b/changelog/unreleased/insecure-options.md 
@@ -1,13 +1,19 @@ Enhancement: Make insecure options configurable -We had several hard-coded 'insecure' flags. These options are now configurable. In development environments using self signed certs (the default) you need to set these flags: +We had several hard-coded 'insecure' flags. These options are now configurable and default to false. Also we changed all other 'insecure' flags with a previous default of true to false. In development environments using self signed certs (the default) you need to set these flags: ``` +PROXY_OIDC_INSECURE=true +REVA_GATEWAY_INSECURE=true +STORAGE_FRONTEND_APPPROVIDER_INSECURE=true +STORAGE_FRONTEND_ARCHIVER_INSECURE=true +STORAGE_FRONTEND_OCDAV_INSECURE=true STORAGE_HOME_DATAPROVIDER_INSECURE=true STORAGE_METADATA_DATAPROVIDER_INSECURE=true -STORAGE_FRONTEND_OCDAV_INSECURE=true -STORAGE_FRONTEND_ARCHIVER_INSECURE=true -STORAGE_FRONTEND_APPPROVIDER_INSECURE=true +STORAGE_OIDC_INSECURE=true +STORAGE_USERS_DATAPROVIDER_INSECURE=true +THUMBNAILS_CS3SOURCE_INSECURE=true +THUMBNAILS_WEBDAVSOURCE_INSECURE=true ``` https://github.com/owncloud/ocis/issues/2700 diff --git a/graph/pkg/cs3/client.go b/graph/pkg/cs3/client.go deleted file mode 100644 index 9eed1a361..000000000 --- a/graph/pkg/cs3/client.go +++ /dev/null @@ -1,26 +0,0 @@ -package cs3 - -import ( - gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1" - - "google.golang.org/grpc" -) - -func newConn(endpoint string) (*grpc.ClientConn, error) { - conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) - if err != nil { - return nil, err - } - - return conn, nil -} - -// GetGatewayServiceClient returns a new cs3 gateway client -func GetGatewayServiceClient(endpoint string) (gateway.GatewayAPIClient, error) { - conn, err := newConn(endpoint) - if err != nil { - return nil, err - } - - return gateway.NewGatewayAPIClient(conn), nil -} diff --git a/graph/pkg/service/v0/graph.go b/graph/pkg/service/v0/graph.go index 97005ce5a..fb0c1c505 100644 --- a/graph/pkg/service/v0/graph.go 
+++ b/graph/pkg/service/v0/graph.go @@ -4,9 +4,9 @@ import ( "net/http" gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1" + "github.com/cs3org/reva/pkg/rgrpc/todo/pool" "github.com/go-chi/chi/v5" "github.com/owncloud/ocis/graph/pkg/config" - "github.com/owncloud/ocis/graph/pkg/cs3" "github.com/owncloud/ocis/ocis-pkg/log" ) @@ -24,7 +24,7 @@ func (g Graph) ServeHTTP(w http.ResponseWriter, r *http.Request) { // GetClient returns a gateway client to talk to reva func (g Graph) GetClient() (gateway.GatewayAPIClient, error) { - return cs3.GetGatewayServiceClient(g.config.Reva.Address) + return pool.GetGatewayServiceClient(g.config.Reva.Address) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216 } // The key type is unexported to prevent collisions with context keys defined in diff --git a/idp/pkg/flagset/flagset.go b/idp/pkg/flagset/flagset.go index fbb36d219..d9c9af81b 100644 --- a/idp/pkg/flagset/flagset.go +++ b/idp/pkg/flagset/flagset.go @@ -355,6 +355,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { &cli.BoolFlag{ Name: "insecure", Usage: "Disable TLS certificate and hostname validation", + Value: flags.OverrideDefaultBool(cfg.IDP.Insecure, false), EnvVars: []string{"IDP_INSECURE"}, Destination: &cfg.IDP.Insecure, }, diff --git a/ocs/pkg/config/config.go b/ocs/pkg/config/config.go index 6ee0377a4..5b3e9affc 100644 --- a/ocs/pkg/config/config.go +++ b/ocs/pkg/config/config.go @@ -49,6 +49,11 @@ type Tracing struct { Service string } +// Reva defines all available REVA configuration. +type Reva struct { + Address string +} + // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string @@ -71,7 +76,7 @@ type Config struct { TokenManager TokenManager Service Service AccountBackend string - RevaAddress string + Reva Reva StorageUsersDriver string MachineAuthAPIKey string IdentityManagement IdentityManagement 
diff --git a/ocs/pkg/flagset/flagset.go b/ocs/pkg/flagset/flagset.go index 378d07eaf..4eef288e2 100644 --- a/ocs/pkg/flagset/flagset.go +++ b/ocs/pkg/flagset/flagset.go @@ -184,10 +184,10 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { }, &cli.StringFlag{ Name: "reva-gateway-addr", - Value: flags.OverrideDefaultString(cfg.RevaAddress, "127.0.0.1:9142"), + Value: flags.OverrideDefaultString(cfg.Reva.Address, "127.0.0.1:9142"), Usage: "Address of REVA gateway endpoint", EnvVars: []string{"REVA_GATEWAY"}, - Destination: &cfg.RevaAddress, + Destination: &cfg.Reva.Address, }, &cli.StringFlag{ Name: "machine-auth-api-key", diff --git a/ocs/pkg/service/v0/service.go b/ocs/pkg/service/v0/service.go index a6875cc4b..1262ccdf1 100644 --- a/ocs/pkg/service/v0/service.go +++ b/ocs/pkg/service/v0/service.go @@ -4,6 +4,7 @@ import ( "net/http" "time" + "github.com/cs3org/reva/pkg/rgrpc/todo/pool" "github.com/owncloud/ocis/ocis-pkg/service/grpc" "github.com/go-chi/chi/v5" @@ -19,7 +20,6 @@ import ( ocsm "github.com/owncloud/ocis/ocs/pkg/middleware" "github.com/owncloud/ocis/ocs/pkg/service/v0/data" "github.com/owncloud/ocis/ocs/pkg/service/v0/response" - "github.com/owncloud/ocis/proxy/pkg/cs3" "github.com/owncloud/ocis/proxy/pkg/user/backend" settings "github.com/owncloud/ocis/settings/pkg/proto/v0" ) @@ -161,9 +161,9 @@ func (o Ocs) getAccountService() accounts.AccountsService { } func (o Ocs) getCS3Backend() backend.UserBackend { - revaClient, err := cs3.GetGatewayServiceClient(o.config.RevaAddress) + revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216 if err != nil { - o.logger.Fatal().Msgf("could not get reva client at address %s", o.config.RevaAddress) + o.logger.Fatal().Msgf("could not get reva client at address %s", o.config.Reva.Address) } return backend.NewCS3UserBackend(nil, revaClient, o.config.MachineAuthAPIKey, o.logger) } 
diff --git a/ocs/pkg/service/v0/users.go b/ocs/pkg/service/v0/users.go index 78763f47d..5b039016c 100644 --- a/ocs/pkg/service/v0/users.go +++ b/ocs/pkg/service/v0/users.go @@ -375,7 +375,7 @@ func (o Ocs) DeleteUser(w http.ResponseWriter, r *http.Request) { return } - if o.config.RevaAddress != "" && o.config.StorageUsersDriver != "owncloud" { + if o.config.Reva.Address != "" && o.config.StorageUsersDriver != "owncloud" { t, err := o.mintTokenForUser(r.Context(), account) if err != nil { mustNotFail(render.Render(w, r, response.ErrRender(data.MetaServerError.StatusCode, errors.Wrap(err, "error minting token").Error()))) @@ -384,7 +384,7 @@ func (o Ocs) DeleteUser(w http.ResponseWriter, r *http.Request) { ctx := metadata.AppendToOutgoingContext(r.Context(), revactx.TokenHeader, t) - gwc, err := pool.GetGatewayServiceClient(o.config.RevaAddress) + gwc, err := pool.GetGatewayServiceClient(o.config.Reva.Address) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216 if err != nil { o.logger.Error().Err(err).Msg("error securing a connection to Reva gateway") } diff --git a/proxy/pkg/command/server.go b/proxy/pkg/command/server.go index 8b4341103..162ee2843 100644 --- a/proxy/pkg/command/server.go +++ b/proxy/pkg/command/server.go @@ -149,7 +149,7 @@ func Server(cfg *config.Config) *cli.Command { func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config) alice.Chain { rolesClient := settings.NewRoleService("com.owncloud.api.settings", grpc.DefaultClient) - revaClient, err := cs3.GetGatewayServiceClient(cfg.Reva.Address) + revaClient, err := cs3.GetGatewayServiceClient(cfg.Reva.Address, cfg.Reva.Insecure) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216 var userProvider backend.UserBackend switch cfg.AccountBackend { case "accounts": diff --git a/proxy/pkg/config/config.go b/proxy/pkg/config/config.go index 9dd370118..7f839ef54 100644 --- a/proxy/pkg/config/config.go 
+++ b/proxy/pkg/config/config.go @@ -81,6 +81,7 @@ var ( // Reva defines all available REVA configuration. type Reva struct { Address string + Insecure bool Middleware Middleware } diff --git a/proxy/pkg/cs3/client.go b/proxy/pkg/cs3/client.go index 68f52d2d7..91a5c566a 100644 --- a/proxy/pkg/cs3/client.go +++ b/proxy/pkg/cs3/client.go @@ -7,17 +7,24 @@ import ( "google.golang.org/grpc" ) -func newConn(endpoint string) (*grpc.ClientConn, error) { - conn, err := grpc.Dial( - endpoint, - grpc.WithInsecure(), - grpc.WithUnaryInterceptor( - otelgrpc.UnaryClientInterceptor( - otelgrpc.WithTracerProvider( - proxytracing.TraceProvider, - ), +func newConn(endpoint string, insecure bool) (*grpc.ClientConn, error) { + opts := []grpc.DialOption{} + + opts = append(opts, grpc.WithUnaryInterceptor( + otelgrpc.UnaryClientInterceptor( + otelgrpc.WithTracerProvider( + proxytracing.TraceProvider, ), ), + )) + + if insecure { + opts = append(opts, grpc.WithInsecure()) + } + + conn, err := grpc.Dial( + endpoint, + opts..., ) if err != nil { return nil, err @@ -27,8 +34,8 @@ func newConn(endpoint string) (*grpc.ClientConn, error) { } // GetGatewayServiceClient returns a new cs3 gateway client -func GetGatewayServiceClient(endpoint string) (gateway.GatewayAPIClient, error) { - conn, err := newConn(endpoint) +func GetGatewayServiceClient(endpoint string, insecure bool) (gateway.GatewayAPIClient, error) { + conn, err := newConn(endpoint, insecure) if err != nil { return nil, err } diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go index 2f1d6b885..c16699f24 100644 --- a/proxy/pkg/flagset/flagset.go +++ b/proxy/pkg/flagset/flagset.go 
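Review bot: With `insecure` false the new `newConn` dials with neither `grpc.WithInsecure()` nor any `grpc.WithTransportCredentials(...)`, and grpc-go's `Dial` refuses such a call with a "no transport security set" error, so the new default (`REVA_GATEWAY_INSECURE` unset) cannot connect at all. The secure branch needs real credentials, e.g. `opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{})))` with `google.golang.org/grpc/credentials` imported, otherwise the flag is a switch between plaintext and broken, which is presumably why the next patch in this series removes it. `newConn`'s closing lines are outside the hunk.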
@@ -189,6 +189,13 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"REVA_GATEWAY"}, Destination: &cfg.Reva.Address, }, + &cli.BoolFlag{ + Name: "reva-gateway-insecure", + Value: flags.OverrideDefaultBool(cfg.Reva.Insecure, false), + Usage: "allow insecure communication to REVA gateway endpoint", + EnvVars: []string{"REVA_GATEWAY_INSECURE"}, + Destination: &cfg.Reva.Insecure, + }, &cli.BoolFlag{ Name: "insecure", Value: flags.OverrideDefaultBool(cfg.InsecureBackends, false), @@ -208,7 +215,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { }, &cli.BoolFlag{ Name: "oidc-insecure", - Value: flags.OverrideDefaultBool(cfg.OIDC.Insecure, true), + Value: flags.OverrideDefaultBool(cfg.OIDC.Insecure, false), Usage: "OIDC allow insecure communication", EnvVars: []string{"PROXY_OIDC_INSECURE"}, Destination: &cfg.OIDC.Insecure, diff --git a/storage/pkg/command/storageusers.go b/storage/pkg/command/storageusers.go index 6f01defad..99ae03348 100644 --- a/storage/pkg/command/storageusers.go +++ b/storage/pkg/command/storageusers.go @@ -128,7 +128,7 @@ func storageUsersConfigFromStruct(c *cli.Context, cfg *config.Config) map[string "driver": cfg.Reva.StorageUsers.Driver, "drivers": storagedrivers.UserDrivers(cfg), "timeout": 86400, - "insecure": true, + "insecure": cfg.Reva.StorageUsers.DataProvider.Insecure, "disable_tus": false, }, }, diff --git a/storage/pkg/flagset/authbearer.go b/storage/pkg/flagset/authbearer.go index 73bfeb91e..90b14b7af 100644 --- a/storage/pkg/flagset/authbearer.go +++ b/storage/pkg/flagset/authbearer.go @@ -30,7 +30,7 @@ func AuthBearerWithConfig(cfg *config.Config) []cli.Flag { }, &cli.BoolFlag{ Name: "oidc-insecure", - Value: flags.OverrideDefaultBool(cfg.Reva.OIDC.Insecure, true), + Value: flags.OverrideDefaultBool(cfg.Reva.OIDC.Insecure, false), Usage: "OIDC allow insecure communication", EnvVars: []string{"STORAGE_OIDC_INSECURE"}, Destination: &cfg.Reva.OIDC.Insecure, 
diff --git a/storage/pkg/flagset/storageusers.go b/storage/pkg/flagset/storageusers.go index b801d2dd8..9c6e7d1ed 100644 --- a/storage/pkg/flagset/storageusers.go +++ b/storage/pkg/flagset/storageusers.go @@ -78,6 +78,13 @@ func StorageUsersWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_USERS_DRIVER"}, Destination: &cfg.Reva.StorageUsers.Driver, }, + &cli.BoolFlag{ + Name: "dataprovider-insecure", + Value: flags.OverrideDefaultBool(cfg.Reva.StorageUsers.DataProvider.Insecure, false), + Usage: "dataprovider insecure", + EnvVars: []string{"STORAGE_USERS_DATAPROVIDER_INSECURE"}, + Destination: &cfg.Reva.StorageUsers.DataProvider.Insecure, + }, &cli.BoolFlag{ Name: "read-only", Value: flags.OverrideDefaultBool(cfg.Reva.StorageUsers.ReadOnly, false), diff --git a/thumbnails/pkg/config/config.go b/thumbnails/pkg/config/config.go index 7f8a97a81..4a19e13f4 100644 --- a/thumbnails/pkg/config/config.go +++ b/thumbnails/pkg/config/config.go @@ -63,6 +63,7 @@ type Thumbnail struct { Resolutions []string FileSystemStorage FileSystemStorage WebdavAllowInsecure bool + CS3AllowInsecure bool RevaGateway string WebdavNamespace string } diff --git a/thumbnails/pkg/flagset/flagset.go b/thumbnails/pkg/flagset/flagset.go index 6a877400e..c9e0edc0d 100644 --- a/thumbnails/pkg/flagset/flagset.go +++ b/thumbnails/pkg/flagset/flagset.go 
@@ -154,11 +154,18 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { }, &cli.BoolFlag{ Name: "webdavsource-insecure", - Value: flags.OverrideDefaultBool(cfg.Thumbnail.WebdavAllowInsecure, true), + Value: flags.OverrideDefaultBool(cfg.Thumbnail.WebdavAllowInsecure, false), Usage: "Whether to skip certificate checks", EnvVars: []string{"THUMBNAILS_WEBDAVSOURCE_INSECURE"}, Destination: &cfg.Thumbnail.WebdavAllowInsecure, }, + &cli.BoolFlag{ + Name: "cs3source-insecure", + Value: flags.OverrideDefaultBool(cfg.Thumbnail.CS3AllowInsecure, false), + Usage: "Whether to skip certificate checks", + EnvVars: []string{"THUMBNAILS_CS3SOURCE_INSECURE"}, + Destination: &cfg.Thumbnail.CS3AllowInsecure, + }, &cli.StringSliceFlag{ Name: "thumbnail-resolution", Value: cli.NewStringSlice("16x16", "32x32", "64x64", "128x128", "1920x1080", "3840x2160", "7680x4320"), diff --git a/thumbnails/pkg/server/grpc/server.go b/thumbnails/pkg/server/grpc/server.go index 866868d12..ccc99cbae 100644 --- a/thumbnails/pkg/server/grpc/server.go +++ b/thumbnails/pkg/server/grpc/server.go @@ -25,7 +25,7 @@ func NewService(opts ...Option) grpc.Service { grpc.Version(options.Config.Server.Version), ) tconf := options.Config.Thumbnail - gc, err := pool.GetGatewayServiceClient(tconf.RevaGateway) + gc, err := pool.GetGatewayServiceClient(tconf.RevaGateway) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216 if err != nil { options.Logger.Error().Err(err).Msg("could not get gateway client") return grpc.Service{} @@ -42,7 +42,7 @@ func NewService(opts ...Option) grpc.Service { options.Logger, ), ), - svc.CS3Source(imgsource.NewCS3Source(gc)), + svc.CS3Source(imgsource.NewCS3Source(tconf, gc)), svc.CS3Client(gc), ) thumbnail = svc.NewInstrument(thumbnail, options.Metrics) diff --git a/thumbnails/pkg/thumbnail/imgsource/cs3.go b/thumbnails/pkg/thumbnail/imgsource/cs3.go index 68cf63750..072713978 100644 --- a/thumbnails/pkg/thumbnail/imgsource/cs3.go 
+++ b/thumbnails/pkg/thumbnail/imgsource/cs3.go @@ -12,6 +12,7 @@ import ( provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" revactx "github.com/cs3org/reva/pkg/ctx" "github.com/cs3org/reva/pkg/rhttp" + "github.com/owncloud/ocis/thumbnails/pkg/config" "github.com/pkg/errors" "google.golang.org/grpc/metadata" ) @@ -23,12 +24,14 @@ const ( ) type CS3 struct { - client gateway.GatewayAPIClient + client gateway.GatewayAPIClient + insecure bool } -func NewCS3Source(c gateway.GatewayAPIClient) CS3 { +func NewCS3Source(cfg config.Thumbnail, c gateway.GatewayAPIClient) CS3 { return CS3{ - client: c, + client: c, + insecure: cfg.CS3AllowInsecure, } } @@ -67,7 +70,9 @@ func (s CS3) Get(ctx context.Context, path string) (io.ReadCloser, error) { httpReq.Header.Set(revactx.TokenHeader, auth) httpReq.Header.Set(TokenTransportHeader, tk) - http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint:gosec + http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{ + InsecureSkipVerify: s.insecure, //nolint:gosec + } client := &http.Client{} resp, err := client.Do(httpReq) // nolint:bodyclose From e35d4fd0ac99d43a029eae09365bc0291b4ac1eb Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Wed, 10 Nov 2021 16:12:29 +0100 Subject: [PATCH 3/6] remove GRPC insecure config options, since it always needs to be set to insecure --- .drone.star | 1 - .vscode/launch.json | 1 - changelog/unreleased/insecure-options.md | 1 - graph/pkg/service/v0/graph.go | 2 +- ocs/pkg/service/v0/service.go | 2 +- ocs/pkg/service/v0/users.go | 2 +- proxy/pkg/command/server.go | 2 +- proxy/pkg/config/config.go | 1 - proxy/pkg/cs3/client.go | 29 +++++++++--------------- proxy/pkg/flagset/flagset.go | 7 ------ thumbnails/pkg/server/grpc/server.go | 2 +- 11 files changed, 16 insertions(+), 34 deletions(-) diff --git a/.drone.star b/.drone.star index 34ab845f4..40721e154 100644 --- a/.drone.star +++ b/.drone.star 
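Review bot: The rewritten `TLSClientConfig` assignment still writes to the process-global `http.DefaultTransport` on every `Get` call, so the hunk only changes which value is written: with `THUMBNAILS_CS3SOURCE_INSECURE=true` certificate verification is switched off for every `http.Client{}` in the thumbnails process that relies on the default transport, not just for this source, and concurrent `Get` calls race on the field. Already-open pooled connections also keep the TLS state they were dialed with, so the setting is not even reliably honoured for this client. Build one dedicated transport in `NewCS3Source` (clone the default, set the config there) and keep an `*http.Client` on the struct, as below; `Get` begins and ends outside this hunk, and `(*http.Transport).Clone` needs Go 1.13 or newer, which this module presumably already requires.
```go
type CS3 struct {
	client     gateway.GatewayAPIClient
	httpClient *http.Client
}

// NewCS3Source builds a CS3 image source. The HTTP client used to fetch file
// contents gets its own transport so the insecure setting stays local to it.
func NewCS3Source(cfg config.Thumbnail, c gateway.GatewayAPIClient) CS3 {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{
		InsecureSkipVerify: cfg.CS3AllowInsecure, //nolint:gosec
	}
	return CS3{
		client:     c,
		httpClient: &http.Client{Transport: tr},
	}
}

// … unchanged: Get() builds httpReq and sets the token headers …
	resp, err := s.httpClient.Do(httpReq) // nolint:bodyclose
```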
@@ -1477,7 +1477,6 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = []): "PROXY_OIDC_INSECURE": "true", "THUMBNAILS_WEBDAVSOURCE_INSECURE": "true", "THUMBNAILS_CS3SOURCE_INSECURE": "true", - "REVA_GATEWAY_INSECURE": "true", "STORAGE_OIDC_INSECURE": "true", "STORAGE_HOME_DATAPROVIDER_INSECURE": "true", "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true", diff --git a/.vscode/launch.json b/.vscode/launch.json index d00d1d4f4..06ddad706 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json @@ -21,7 +21,6 @@ "PROXY_OIDC_INSECURE": "true", "THUMBNAILS_WEBDAVSOURCE_INSECURE": "true", "THUMBNAILS_CS3SOURCE_INSECURE": "true", - "REVA_GATEWAY_INSECURE": "true", "STORAGE_OIDC_INSECURE": "true", "STORAGE_HOME_DATAPROVIDER_INSECURE": "true", "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true", diff --git a/changelog/unreleased/insecure-options.md b/changelog/unreleased/insecure-options.md index ec7e032e5..5dde184e6 100644 --- a/changelog/unreleased/insecure-options.md +++ b/changelog/unreleased/insecure-options.md @@ -4,7 +4,6 @@ We had several hard-coded 'insecure' flags. These options are now configurable a ``` PROXY_OIDC_INSECURE=true -REVA_GATEWAY_INSECURE=true STORAGE_FRONTEND_APPPROVIDER_INSECURE=true STORAGE_FRONTEND_ARCHIVER_INSECURE=true STORAGE_FRONTEND_OCDAV_INSECURE=true diff --git a/graph/pkg/service/v0/graph.go b/graph/pkg/service/v0/graph.go index fb0c1c505..51f5cc604 100644 --- a/graph/pkg/service/v0/graph.go +++ b/graph/pkg/service/v0/graph.go @@ -24,7 +24,7 @@ func (g Graph) ServeHTTP(w http.ResponseWriter, r *http.Request) { // GetClient returns a gateway client to talk to reva func (g Graph) GetClient() (gateway.GatewayAPIClient, error) { - return pool.GetGatewayServiceClient(g.config.Reva.Address) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216 + return pool.GetGatewayServiceClient(g.config.Reva.Address) } // The key type is unexported to prevent collisions with context keys defined in 
diff --git a/ocs/pkg/service/v0/service.go b/ocs/pkg/service/v0/service.go index 1262ccdf1..146561f15 100644 --- a/ocs/pkg/service/v0/service.go +++ b/ocs/pkg/service/v0/service.go @@ -161,7 +161,7 @@ func (o Ocs) getAccountService() accounts.AccountsService { } func (o Ocs) getCS3Backend() backend.UserBackend { - revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216 + revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address) if err != nil { o.logger.Fatal().Msgf("could not get reva client at address %s", o.config.Reva.Address) } diff --git a/ocs/pkg/service/v0/users.go b/ocs/pkg/service/v0/users.go index 5b039016c..c9108a156 100644 --- a/ocs/pkg/service/v0/users.go +++ b/ocs/pkg/service/v0/users.go @@ -384,7 +384,7 @@ func (o Ocs) DeleteUser(w http.ResponseWriter, r *http.Request) { ctx := metadata.AppendToOutgoingContext(r.Context(), revactx.TokenHeader, t) - gwc, err := pool.GetGatewayServiceClient(o.config.Reva.Address) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216 + gwc, err := pool.GetGatewayServiceClient(o.config.Reva.Address) if err != nil { o.logger.Error().Err(err).Msg("error securing a connection to Reva gateway") } diff --git a/proxy/pkg/command/server.go b/proxy/pkg/command/server.go index 162ee2843..8b4341103 100644 --- a/proxy/pkg/command/server.go +++ b/proxy/pkg/command/server.go 
@@ -149,7 +149,7 @@ func Server(cfg *config.Config) *cli.Command { func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config) alice.Chain { rolesClient := settings.NewRoleService("com.owncloud.api.settings", grpc.DefaultClient) - revaClient, err := cs3.GetGatewayServiceClient(cfg.Reva.Address, cfg.Reva.Insecure) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216 + revaClient, err := cs3.GetGatewayServiceClient(cfg.Reva.Address) var userProvider backend.UserBackend switch cfg.AccountBackend { case "accounts": diff --git a/proxy/pkg/config/config.go b/proxy/pkg/config/config.go index 7f839ef54..9dd370118 100644 --- a/proxy/pkg/config/config.go +++ b/proxy/pkg/config/config.go @@ -81,7 +81,6 @@ var ( // Reva defines all available REVA configuration. type Reva struct { Address string - Insecure bool Middleware Middleware } diff --git a/proxy/pkg/cs3/client.go b/proxy/pkg/cs3/client.go index 91a5c566a..68f52d2d7 100644 --- a/proxy/pkg/cs3/client.go +++ b/proxy/pkg/cs3/client.go @@ -7,24 +7,17 @@ import ( "google.golang.org/grpc" ) -func newConn(endpoint string, insecure bool) (*grpc.ClientConn, error) { - opts := []grpc.DialOption{} - - opts = append(opts, grpc.WithUnaryInterceptor( - otelgrpc.UnaryClientInterceptor( - otelgrpc.WithTracerProvider( - proxytracing.TraceProvider, - ), - ), - )) - - if insecure { - opts = append(opts, grpc.WithInsecure()) - } - +func newConn(endpoint string) (*grpc.ClientConn, error) { conn, err := grpc.Dial( endpoint, - opts..., + grpc.WithInsecure(), + grpc.WithUnaryInterceptor( + otelgrpc.UnaryClientInterceptor( + otelgrpc.WithTracerProvider( + proxytracing.TraceProvider, + ), + ), + ), ) if err != nil { return nil, err 
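Review bot: newConn now passes `grpc.WithInsecure()` unconditionally, so the proxy's gRPC link to the reva gateway can no longer be dialed with TLS at all; the `Reva.Insecure` field and the `reva-gateway-insecure` flag removed in the config.go and flagset.go hunks were the only way to turn plaintext off. Since `REVA_GATEWAY` stays configurable, an operator who points the proxy at a gateway on another host silently gets an unencrypted connection, which is the opposite of what this series sets out to fix. If plaintext is the intended default for the in-process gateway, keep a way to supply transport credentials instead of deleting the knob, and record the assumption at the dial site: `// plaintext gRPC: the gateway is expected to be reachable only on the local host/network`. The GetGatewayServiceClient hunk on the next line carries the same signature change.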
@@ -34,8 +27,8 @@ func newConn(endpoint string, insecure bool) (*grpc.ClientConn, error) { } // GetGatewayServiceClient returns a new cs3 gateway client -func GetGatewayServiceClient(endpoint string, insecure bool) (gateway.GatewayAPIClient, error) { - conn, err := newConn(endpoint, insecure) +func GetGatewayServiceClient(endpoint string) (gateway.GatewayAPIClient, error) { + conn, err := newConn(endpoint) if err != nil { return nil, err } diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go index c16699f24..0d4b82992 100644 --- a/proxy/pkg/flagset/flagset.go +++ b/proxy/pkg/flagset/flagset.go @@ -189,13 +189,6 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"REVA_GATEWAY"}, Destination: &cfg.Reva.Address, }, - &cli.BoolFlag{ - Name: "reva-gateway-insecure", - Value: flags.OverrideDefaultBool(cfg.Reva.Insecure, false), - Usage: "allow insecure communication to REVA gateway endpoint", - EnvVars: []string{"REVA_GATEWAY_INSECURE"}, - Destination: &cfg.Reva.Insecure, - }, &cli.BoolFlag{ Name: "insecure", Value: flags.OverrideDefaultBool(cfg.InsecureBackends, false), diff --git a/thumbnails/pkg/server/grpc/server.go b/thumbnails/pkg/server/grpc/server.go index ccc99cbae..0c905c06e 100644 --- a/thumbnails/pkg/server/grpc/server.go +++ b/thumbnails/pkg/server/grpc/server.go @@ -25,7 +25,7 @@ func NewService(opts ...Option) grpc.Service { grpc.Version(options.Config.Server.Version), ) tconf := options.Config.Thumbnail - gc, err := pool.GetGatewayServiceClient(tconf.RevaGateway) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216 + gc, err := pool.GetGatewayServiceClient(tconf.RevaGateway) if err != nil { options.Logger.Error().Err(err).Msg("could not get gateway client") return grpc.Service{} From a6b2ea98956c2dff79184cb60f6406d1abeae432 Mon Sep 17 00:00:00 2001 
From: Willy Kloucek Date: Wed, 10 Nov 2021 16:23:37 +0100 Subject: [PATCH 4/6] set insecure options on deployment examples --- .../examples/cs3_users_ocis/docker-compose.yml | 12 +++++++++++- .../examples/oc10_ocis_parallel/docker-compose.yml | 12 +++++++++++- deployments/examples/ocis_hello/docker-compose.yml | 12 +++++++++++- .../examples/ocis_keycloak/docker-compose.yml | 12 +++++++++++- deployments/examples/ocis_s3/docker-compose.yml | 12 +++++++++++- deployments/examples/ocis_traefik/docker-compose.yml | 12 +++++++++++- deployments/examples/ocis_wopi/docker-compose.yml | 12 +++++++++++- 7 files changed, 77 insertions(+), 7 deletions(-) diff --git a/deployments/examples/cs3_users_ocis/docker-compose.yml b/deployments/examples/cs3_users_ocis/docker-compose.yml index 501e4af7f..1ff0a61ad 100644 --- a/deployments/examples/cs3_users_ocis/docker-compose.yml +++ b/deployments/examples/cs3_users_ocis/docker-compose.yml 
@@ -81,12 +81,22 @@ services:
 OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
- PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
 PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
 # change default secrets
 OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
 STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
 OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
+ # INSECURE: needed if oCIS / Traefik is using self generated certificates
+ PROXY_OIDC_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
+ STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
+ STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ./config/ocis/web-config.dist.json:/config/web-config.dist.json
diff --git a/deployments/examples/oc10_ocis_parallel/docker-compose.yml b/deployments/examples/oc10_ocis_parallel/docker-compose.yml
index cd02bd92b..66c6a4ce6 100644
--- a/deployments/examples/oc10_ocis_parallel/docker-compose.yml
+++ b/deployments/examples/oc10_ocis_parallel/docker-compose.yml
@@ -110,13 +110,23 @@ services:
 OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
 PROXY_LOG_LEVEL: ${PROXY_LOG_LEVEL:-error}
 OCIS_URL: https://${CLOUD_DOMAIN:-cloud.owncloud.test}
- PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
 PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
 PROXY_CONFIG_FILE: "/var/tmp/ocis/.config/proxy-config.json"
 # change default secrets
 OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
 STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
 OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
+ # INSECURE: needed if oCIS / Traefik is using self generated certificates
+ PROXY_OIDC_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
+ STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
+ STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ./config/ocis/proxy-config.dist.json:/config/proxy-config.dist.json
diff --git a/deployments/examples/ocis_hello/docker-compose.yml b/deployments/examples/ocis_hello/docker-compose.yml
index bde3af9d8..be4b88a3b 100644
--- a/deployments/examples/ocis_hello/docker-compose.yml
+++ b/deployments/examples/ocis_hello/docker-compose.yml
@@ -53,7 +53,6 @@ services:
 OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
- PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
 PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
 # change default secrets
 IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
@@ -67,6 +66,17 @@ services:
 PROXY_CONFIG_FILE: "/var/tmp/ocis/.config/proxy-config.json"
 # make settings service available to oCIS Hello
 SETTINGS_GRPC_ADDR: 0.0.0.0:9191
+ # INSECURE: needed if oCIS / Traefik is using self generated certificates
+ PROXY_OIDC_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
+ STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
+ STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ./config/ocis/web-config.dist.json:/config/web-config.dist.json
diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml
index 00301fa35..ae1fdb267 100644
--- a/deployments/examples/ocis_keycloak/docker-compose.yml
+++ b/deployments/examples/ocis_keycloak/docker-compose.yml
@@ -62,7 +62,6 @@ services:
 # general config
 OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
- PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
 PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
 ACCOUNTS_DEMO_USERS_AND_GROUPS: false # don't generate demo users
 # change default secrets
@@ -71,6 +70,17 @@ services:
 OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
 STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
 OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
+ # INSECURE: needed if oCIS / Traefik is using self generated certificates
+ PROXY_OIDC_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
+ STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
+ STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ocis-data:/var/lib/ocis
diff --git a/deployments/examples/ocis_s3/docker-compose.yml b/deployments/examples/ocis_s3/docker-compose.yml
index 51b3a7c55..0effba9f3 100644
--- a/deployments/examples/ocis_s3/docker-compose.yml
+++ b/deployments/examples/ocis_s3/docker-compose.yml
@@ -52,7 +52,6 @@ services:
 environment:
 OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
- PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
 PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
 # change default secrets
 IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
@@ -70,6 +69,17 @@ services:
 STORAGE_USERS_DRIVER_S3NG_ACCESS_KEY: ${MINIO_ACCESS_KEY:-ocis}
 STORAGE_USERS_DRIVER_S3NG_SECRET_KEY: ${MINIO_SECRET_KEY:-ocis-secret-key}
 STORAGE_USERS_DRIVER_S3NG_BUCKET: ${MINIO_BUCKET:-ocis-bucket}
+ # INSECURE: needed if oCIS / Traefik is using self generated certificates
+ PROXY_OIDC_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
+ STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
+ STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ocis-data:/var/lib/ocis
diff --git a/deployments/examples/ocis_traefik/docker-compose.yml b/deployments/examples/ocis_traefik/docker-compose.yml
index 029f718b2..7982533ba 100644
--- a/deployments/examples/ocis_traefik/docker-compose.yml
+++ b/deployments/examples/ocis_traefik/docker-compose.yml
@@ -52,7 +52,6 @@ services:
 environment:
 OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
- PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
 PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
 # change default secrets
 IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
@@ -60,6 +59,17 @@ services:
 OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
 STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
 OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
+ # INSECURE: needed if oCIS / Traefik is using self generated certificates
+ PROXY_OIDC_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
+ STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
+ STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ocis-data:/var/lib/ocis
diff --git a/deployments/examples/ocis_wopi/docker-compose.yml b/deployments/examples/ocis_wopi/docker-compose.yml
index 473f9db59..42bd8354e 100644
--- a/deployments/examples/ocis_wopi/docker-compose.yml
+++ b/deployments/examples/ocis_wopi/docker-compose.yml
@@ -58,7 +58,6 @@ services:
 OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
- PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
 PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
 # change default secrets
 IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
@@ -69,6 +68,17 @@ services:
 # app registry
 STORAGE_GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
 STORAGE_APP_REGISTRY_MIMETYPES_JSON: /var/tmp/ocis/app-config/mimetypes.json
+ # INSECURE: needed if oCIS / Traefik is using self generated certificates
+ PROXY_OIDC_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
+ THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
+ STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
+ STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
+ STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ./config/ocis/mimetypes.json:/var/tmp/ocis/app-config/mimetypes.json
From 6590565a2fe5dc2649e3aa26de8af371ebaf24f5 Mon Sep 17 00:00:00 2001
From: Willy Kloucek Date: Wed, 10 Nov 2021 16:55:12 +0100 Subject: [PATCH 5/6] introduce OCIS_INSECURE option --- .drone.star | 11 +---------- .vscode/launch.json | 11 +---------- changelog/unreleased/insecure-options.md | 8 +++++++- .../examples/cs3_users_ocis/docker-compose.yml | 11 +---------- .../examples/oc10_ocis_parallel/docker-compose.yml | 11 +---------- deployments/examples/ocis_hello/docker-compose.yml | 11 +---------- deployments/examples/ocis_keycloak/docker-compose.yml | 11 +---------- deployments/examples/ocis_s3/docker-compose.yml | 11 +---------- deployments/examples/ocis_traefik/docker-compose.yml | 11 +---------- deployments/examples/ocis_wopi/docker-compose.yml | 11 +---------- docs/ocis/deployment/basic-remote-setup.md | 6 +++++- docs/ocis/deployment/systemd.md | 3 ++- proxy/pkg/flagset/flagset.go | 2 +- storage/pkg/flagset/authbearer.go | 2 +- storage/pkg/flagset/frontend.go | 6 +++--- storage/pkg/flagset/storagehome.go | 2 +- storage/pkg/flagset/storagemetadata.go | 2 +- storage/pkg/flagset/storageusers.go | 2 +- tests/acceptance/docker/src/ocis-base.yml | 1 + thumbnails/pkg/flagset/flagset.go | 4 ++-- 20 files changed, 34 insertions(+), 103 deletions(-) diff --git a/.drone.star b/.drone.star index 40721e154..1c8873e94 100644 --- a/.drone.star +++ b/.drone.star 
@@ -1474,16 +1474,7 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = []): "IDP_IDENTIFIER_REGISTRATION_CONF": "/drone/src/tests/config/drone/identifier-registration.yml", "OCIS_LOG_LEVEL": "error", "SETTINGS_DATA_PATH": "/srv/app/tmp/ocis/settings", - "PROXY_OIDC_INSECURE": "true", - "THUMBNAILS_WEBDAVSOURCE_INSECURE": "true", - "THUMBNAILS_CS3SOURCE_INSECURE": "true", - "STORAGE_OIDC_INSECURE": "true", - "STORAGE_HOME_DATAPROVIDER_INSECURE": "true", - "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true", - "STORAGE_USERS_DATAPROVIDER_INSECURE": "true", - "STORAGE_FRONTEND_OCDAV_INSECURE": "true", - "STORAGE_FRONTEND_ARCHIVER_INSECURE": "true", - "STORAGE_FRONTEND_APPPROVIDER_INSECURE": "true", + "OCIS_INSECURE": "true", } # Pass in "default" accounts_hash_difficulty to not set this environment variable. diff --git a/.vscode/launch.json b/.vscode/launch.json index 06ddad706..011c22d18 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json @@ -18,16 +18,7 @@ // enable basic auth for dev setup so that we can use curl for testing "PROXY_ENABLE_BASIC_AUTH": "true", // set insecure options because we don't have valid certificates in dev environments - "PROXY_OIDC_INSECURE": "true", - "THUMBNAILS_WEBDAVSOURCE_INSECURE": "true", - "THUMBNAILS_CS3SOURCE_INSECURE": "true", - "STORAGE_OIDC_INSECURE": "true", - "STORAGE_HOME_DATAPROVIDER_INSECURE": "true", - "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true", - "STORAGE_USERS_DATAPROVIDER_INSECURE": "true", - "STORAGE_FRONTEND_OCDAV_INSECURE": "true", - "STORAGE_FRONTEND_ARCHIVER_INSECURE": "true", - "STORAGE_FRONTEND_APPPROVIDER_INSECURE": "true", + "OCIS_INSECURE": "true", } }, ] diff --git a/changelog/unreleased/insecure-options.md b/changelog/unreleased/insecure-options.md index 5dde184e6..3d66ab32f 100644 --- a/changelog/unreleased/insecure-options.md +++ b/changelog/unreleased/insecure-options.md 
@@ -1,4 +1,4 @@ -Enhancement: Make insecure options configurable +Change: Make insecure options configurable We had several hard-coded 'insecure' flags. These options are now configurable and default to false. Also we changed all other 'insecure' flags with a previous default of true to false. In development environments using self signed certs (the default) you need to set these flags: @@ -15,5 +15,11 @@ THUMBNAILS_CS3SOURCE_INSECURE=true THUMBNAILS_WEBDAVSOURCE_INSECURE=true ``` +As an alternative you also can set a single flag, which configures all options together: + +``` +OCIS_INSECURE=true +``` + https://github.com/owncloud/ocis/issues/2700 https://github.com/owncloud/ocis/pull/2745 diff --git a/deployments/examples/cs3_users_ocis/docker-compose.yml b/deployments/examples/cs3_users_ocis/docker-compose.yml index 1ff0a61ad..e0a4dcc1e 100644 --- a/deployments/examples/cs3_users_ocis/docker-compose.yml +++ b/deployments/examples/cs3_users_ocis/docker-compose.yml @@ -87,16 +87,7 @@ services: STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret} OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please} # INSECURE: needed if oCIS / Traefik is using self generated certificates - PROXY_OIDC_INSECURE: "${INSECURE:-false}" - THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}" - THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}" - STORAGE_OIDC_INSECURE: "${INSECURE:-false}" - STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}" - STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}" - STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}" - STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}" - STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}" - STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}" + OCIS_INSECURE: "${INSECURE:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ./config/ocis/web-config.dist.json:/config/web-config.dist.json 
diff --git a/deployments/examples/oc10_ocis_parallel/docker-compose.yml b/deployments/examples/oc10_ocis_parallel/docker-compose.yml
index 66c6a4ce6..86b448a4f 100644
--- a/deployments/examples/oc10_ocis_parallel/docker-compose.yml
+++ b/deployments/examples/oc10_ocis_parallel/docker-compose.yml
@@ -117,16 +117,7 @@ services:
 STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
 OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
 # INSECURE: needed if oCIS / Traefik is using self generated certificates
- PROXY_OIDC_INSECURE: "${INSECURE:-false}"
- THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
- THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
- STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
- STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
+ OCIS_INSECURE: "${INSECURE:-false}"
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ./config/ocis/proxy-config.dist.json:/config/proxy-config.dist.json
diff --git a/deployments/examples/ocis_hello/docker-compose.yml b/deployments/examples/ocis_hello/docker-compose.yml
index be4b88a3b..d6c1c35f1 100644
--- a/deployments/examples/ocis_hello/docker-compose.yml
+++ b/deployments/examples/ocis_hello/docker-compose.yml
@@ -67,16 +67,7 @@ services:
 # make settings service available to oCIS Hello
 SETTINGS_GRPC_ADDR: 0.0.0.0:9191
 # INSECURE: needed if oCIS / Traefik is using self generated certificates
- PROXY_OIDC_INSECURE: "${INSECURE:-false}"
- THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
- THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
- STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
- STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
+ OCIS_INSECURE: "${INSECURE:-false}"
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ./config/ocis/web-config.dist.json:/config/web-config.dist.json
diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml
index ae1fdb267..dd2be4da7 100644
--- a/deployments/examples/ocis_keycloak/docker-compose.yml
+++ b/deployments/examples/ocis_keycloak/docker-compose.yml
@@ -71,16 +71,7 @@ services:
 STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
 OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
 # INSECURE: needed if oCIS / Traefik is using self generated certificates
- PROXY_OIDC_INSECURE: "${INSECURE:-false}"
- THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
- THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
- STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
- STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
+ OCIS_INSECURE: "${INSECURE:-false}"
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ocis-data:/var/lib/ocis
diff --git a/deployments/examples/ocis_s3/docker-compose.yml b/deployments/examples/ocis_s3/docker-compose.yml
index 0effba9f3..996262072 100644
--- a/deployments/examples/ocis_s3/docker-compose.yml
+++ b/deployments/examples/ocis_s3/docker-compose.yml
@@ -70,16 +70,7 @@ services:
 STORAGE_USERS_DRIVER_S3NG_SECRET_KEY: ${MINIO_SECRET_KEY:-ocis-secret-key}
 STORAGE_USERS_DRIVER_S3NG_BUCKET: ${MINIO_BUCKET:-ocis-bucket}
 # INSECURE: needed if oCIS / Traefik is using self generated certificates
- PROXY_OIDC_INSECURE: "${INSECURE:-false}"
- THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
- THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
- STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
- STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
+ OCIS_INSECURE: "${INSECURE:-false}"
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ocis-data:/var/lib/ocis
diff --git a/deployments/examples/ocis_traefik/docker-compose.yml b/deployments/examples/ocis_traefik/docker-compose.yml
index 7982533ba..53b8ca154 100644
--- a/deployments/examples/ocis_traefik/docker-compose.yml
+++ b/deployments/examples/ocis_traefik/docker-compose.yml
@@ -60,16 +60,7 @@ services:
 STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
 OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
 # INSECURE: needed if oCIS / Traefik is using self generated certificates
- PROXY_OIDC_INSECURE: "${INSECURE:-false}"
- THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
- THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
- STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
- STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
- STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
+ OCIS_INSECURE: "${INSECURE:-false}"
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ocis-data:/var/lib/ocis
diff --git a/deployments/examples/ocis_wopi/docker-compose.yml b/deployments/examples/ocis_wopi/docker-compose.yml
index 42bd8354e..cc2cc7dab 100644
--- a/deployments/examples/ocis_wopi/docker-compose.yml
+++ b/deployments/examples/ocis_wopi/docker-compose.yml
@@ -69,16 +69,7 @@ services: STORAGE_GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers STORAGE_APP_REGISTRY_MIMETYPES_JSON: /var/tmp/ocis/app-config/mimetypes.json # INSECURE: needed if oCIS / Traefik is using self generated certificates - PROXY_OIDC_INSECURE: "${INSECURE:-false}" - THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}" - THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}" - STORAGE_OIDC_INSECURE: "${INSECURE:-false}" - STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}" - STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}" - STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}" - STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}" - STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}" - STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}" + OCIS_INSECURE: "${INSECURE:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ./config/ocis/mimetypes.json:/var/tmp/ocis/app-config/mimetypes.json diff --git a/docs/ocis/deployment/basic-remote-setup.md b/docs/ocis/deployment/basic-remote-setup.md index 96974c153..6569309ab 100644 --- a/docs/ocis/deployment/basic-remote-setup.md +++ b/docs/ocis/deployment/basic-remote-setup.md @@ -29,9 +29,10 @@ For the following examples you need to have the oCIS binary in your current work ### Using automatically generated certificates -In order to run oCIS with automatically generated and self signed certificates please execute following command. You need to replace `your-host` with an IP or hostname. +In order to run oCIS with automatically generated and self signed certificates please execute following command. You need to replace `your-host` with an IP or hostname. Since you have only self signed certificates you need to have `OCIS_INSECURE` set to `true`. ```bash +OCIS_INSECURE=true \ PROXY_HTTP_ADDR=0.0.0.0:9200 \ OCIS_URL=https://your-host:9200 \ ./ocis server 
@@ -42,6 +43,7 @@ OCIS_URL=https://your-host:9200 \ If you have your own certificates already in place, you may want to make oCIS use them: ```bash +OCIS_INSECURE=false \ PROXY_HTTP_ADDR=0.0.0.0:9200 \ OCIS_URL=https://your-host:9200 \ PROXY_TRANSPORT_TLS_KEY=./certs/your-host.key \ @@ -49,6 +51,8 @@ PROXY_TRANSPORT_TLS_CERT=./certs/your-host.crt \ ./ocis server ``` +If you generated these certificates on your own, you might need to set `OCIS_INSECURE` to `true`. + For more configuration options check the configuration section in [oCIS]({{< ref "../configuration" >}}) and the oCIS extensions. ## Start the oCIS fullstack server with Docker Compose diff --git a/docs/ocis/deployment/systemd.md b/docs/ocis/deployment/systemd.md index 716e690ef..8ac0a1d8f 100644 --- a/docs/ocis/deployment/systemd.md +++ b/docs/ocis/deployment/systemd.md @@ -45,6 +45,7 @@ In order to create the file we need first to create the folder `/etc/ocis/` and ``` OCIS_URL=https://some-hostname-or-ip:9200 PROXY_HTTP_ADDR=0.0.0.0:9200 +OCIS_INSECURE=false OCIS_LOG_LEVEL=error @@ -56,7 +57,7 @@ PROXY_TRANSPORT_TLS_CERT=/etc/ocis/proxy/server.crt PROXY_TRANSPORT_TLS_KEY=/etc/ocis/proxy/server.key ``` -Please change your `OCIS_URL` in order to reflect your actual deployment. +Please change your `OCIS_URL` in order to reflect your actual deployment. If you are using self signed certificates you need to set `OCIS_INSECURE=true` in `/etc/ocis/ocis.env`. ## Starting the oCIS service diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go index 0d4b82992..62e5f0d37 100644 --- a/proxy/pkg/flagset/flagset.go +++ b/proxy/pkg/flagset/flagset.go 
@@ -210,7 +210,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "oidc-insecure",
 Value: flags.OverrideDefaultBool(cfg.OIDC.Insecure, false),
 Usage: "OIDC allow insecure communication",
- EnvVars: []string{"PROXY_OIDC_INSECURE"},
+ EnvVars: []string{"PROXY_OIDC_INSECURE", "OCIS_INSECURE"},
 Destination: &cfg.OIDC.Insecure,
 },
 &cli.IntFlag{
diff --git a/storage/pkg/flagset/authbearer.go b/storage/pkg/flagset/authbearer.go
index 90b14b7af..d41a89558 100644
--- a/storage/pkg/flagset/authbearer.go
+++ b/storage/pkg/flagset/authbearer.go
@@ -32,7 +32,7 @@ func AuthBearerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "oidc-insecure",
 Value: flags.OverrideDefaultBool(cfg.Reva.OIDC.Insecure, false),
 Usage: "OIDC allow insecure communication",
- EnvVars: []string{"STORAGE_OIDC_INSECURE"},
+ EnvVars: []string{"STORAGE_OIDC_INSECURE", "OCIS_INSECURE"},
 Destination: &cfg.Reva.OIDC.Insecure,
 },
 &cli.StringFlag{
diff --git a/storage/pkg/flagset/frontend.go b/storage/pkg/flagset/frontend.go
index 928798c8e..3baa80ae2 100644
--- a/storage/pkg/flagset/frontend.go
+++ b/storage/pkg/flagset/frontend.go
@@ -123,7 +123,7 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 Name: "approvider-insecure",
 Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.AppProviderInsecure, false),
 Usage: "approvider insecure",
- EnvVars: []string{"STORAGE_FRONTEND_APPPROVIDER_INSECURE"},
+ EnvVars: []string{"STORAGE_FRONTEND_APPPROVIDER_INSECURE", "OCIS_INSECURE"},
 Destination: &cfg.Reva.Frontend.AppProviderInsecure,
 },
 &cli.StringFlag{
@@ -137,7 +137,7 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 Name: "archiver-insecure",
 Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.ArchiverInsecure, false),
 Usage: "archiver insecure",
- EnvVars: []string{"STORAGE_FRONTEND_ARCHIVER_INSECURE"},
+ EnvVars: []string{"STORAGE_FRONTEND_ARCHIVER_INSECURE", "OCIS_INSECURE"},
 Destination: &cfg.Reva.Frontend.ArchiverInsecure,
 },
 &cli.StringFlag{
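Review bot: The `Usage` string of `oidc-insecure` still describes only the service-specific variable, while `EnvVars` now also lists `OCIS_INSECURE`, and neither the usage text nor a comment says how the two combine. As far as I know urfave/cli takes the first variable in `EnvVars` that is set, so `PROXY_OIDC_INSECURE=false` together with `OCIS_INSECURE=true` yields false — a sensible precedence, but one operators need to know when the global switch appears not to take effect. Suggest `Usage: "OIDC allow insecure communication (PROXY_OIDC_INSECURE overrides the global OCIS_INSECURE)",` and the equivalent wording on the other `*-insecure` flags in the authbearer, frontend, storagehome, storagemetadata, storageusers and thumbnails hunks.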
@@ -165,7 +165,7 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag { Name: "ocdav-insecure", Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.OCDavInsecure, false), Usage: "owncloud webdav insecure", - EnvVars: []string{"STORAGE_FRONTEND_OCDAV_INSECURE"}, + EnvVars: []string{"STORAGE_FRONTEND_OCDAV_INSECURE", "OCIS_INSECURE"}, Destination: &cfg.Reva.Frontend.OCDavInsecure, }, &cli.StringFlag{ diff --git a/storage/pkg/flagset/storagehome.go b/storage/pkg/flagset/storagehome.go index 2ec1b71ac..76eb53d70 100644 --- a/storage/pkg/flagset/storagehome.go +++ b/storage/pkg/flagset/storagehome.go @@ -134,7 +134,7 @@ func StorageHomeWithConfig(cfg *config.Config) []cli.Flag { Name: "dataprovider-insecure", Value: flags.OverrideDefaultBool(cfg.Reva.StorageHome.DataProvider.Insecure, false), Usage: "dataprovider insecure", - EnvVars: []string{"STORAGE_HOME_DATAPROVIDER_INSECURE"}, + EnvVars: []string{"STORAGE_HOME_DATAPROVIDER_INSECURE", "OCIS_INSECURE"}, Destination: &cfg.Reva.StorageHome.DataProvider.Insecure, }, diff --git a/storage/pkg/flagset/storagemetadata.go b/storage/pkg/flagset/storagemetadata.go index 10b07441a..4b80756f0 100644 --- a/storage/pkg/flagset/storagemetadata.go +++ b/storage/pkg/flagset/storagemetadata.go @@ -73,7 +73,7 @@ func StorageMetadata(cfg *config.Config) []cli.Flag { Name: "dataprovider-insecure", Value: flags.OverrideDefaultBool(cfg.Reva.StorageMetadata.DataProvider.Insecure, false), Usage: "dataprovider insecure", - EnvVars: []string{"STORAGE_METADATA_DATAPROVIDER_INSECURE"}, + EnvVars: []string{"STORAGE_METADATA_DATAPROVIDER_INSECURE", "OCIS_INSECURE"}, Destination: &cfg.Reva.StorageMetadata.DataProvider.Insecure, }, diff --git a/storage/pkg/flagset/storageusers.go b/storage/pkg/flagset/storageusers.go index 9c6e7d1ed..6be58bc33 100644 --- a/storage/pkg/flagset/storageusers.go +++ b/storage/pkg/flagset/storageusers.go 
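Review bot: The `dataprovider-insecure` flag in storagehome.go keeps its Usage `"dataprovider insecure"` while gaining `OCIS_INSECURE` as a fallback, so an operator running `--help` cannot tell that a global variable meant for self-signed development certificates now reaches the data-provider client as well; the storagemetadata hunk on this line has the identical gap. Suggest `Usage: "dataprovider insecure: disable TLS verification for dataprovider requests (also set by OCIS_INSECURE; STORAGE_HOME_DATAPROVIDER_INSECURE takes precedence)"`, adjusting the variable name per service. The precedence claim follows from urfave/cli using the first set entry in `EnvVars`, which is why the service-specific name must stay first in the slice. Each of these hunks sits inside a function whose signature and remaining flags are outside the visible lines.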
@@ -82,7 +82,7 @@ func StorageUsersWithConfig(cfg *config.Config) []cli.Flag {
 Name: "dataprovider-insecure",
 Value: flags.OverrideDefaultBool(cfg.Reva.StorageUsers.DataProvider.Insecure, false),
 Usage: "dataprovider insecure",
- EnvVars: []string{"STORAGE_USERS_DATAPROVIDER_INSECURE"},
+ EnvVars: []string{"STORAGE_USERS_DATAPROVIDER_INSECURE", "OCIS_INSECURE"},
 Destination: &cfg.Reva.StorageUsers.DataProvider.Insecure,
 },
 &cli.BoolFlag{
diff --git a/tests/acceptance/docker/src/ocis-base.yml b/tests/acceptance/docker/src/ocis-base.yml
index 4154bd0d7..7cd72650c 100644
--- a/tests/acceptance/docker/src/ocis-base.yml
+++ b/tests/acceptance/docker/src/ocis-base.yml
@@ -14,6 +14,7 @@ services:
 WEB_UI_CONFIG: /drone/src/tests/config/drone/ocis-config.json
 IDP_IDENTIFIER_REGISTRATION_CONF: /drone/src/tests/config/drone/identifier-registration.yml
 ACCOUNTS_HASH_DIFFICULTY: 4
+ OCIS_INSECURE: "true"
 # s3ng specific settings
 STORAGE_USERS_DRIVER_S3NG_ENDPOINT: http://ceph:8080
 STORAGE_USERS_DRIVER_S3NG_REGION: default
diff --git a/thumbnails/pkg/flagset/flagset.go b/thumbnails/pkg/flagset/flagset.go
index c9e0edc0d..9efd680a1 100644
--- a/thumbnails/pkg/flagset/flagset.go
+++ b/thumbnails/pkg/flagset/flagset.go
@@ -156,14 +156,14 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "webdavsource-insecure",
 Value: flags.OverrideDefaultBool(cfg.Thumbnail.WebdavAllowInsecure, false),
 Usage: "Whether to skip certificate checks",
- EnvVars: []string{"THUMBNAILS_WEBDAVSOURCE_INSECURE"},
+ EnvVars: []string{"THUMBNAILS_WEBDAVSOURCE_INSECURE", "OCIS_INSECURE"},
 Destination: &cfg.Thumbnail.WebdavAllowInsecure,
 },
 &cli.BoolFlag{
 Name: "cs3source-insecure",
 Value: flags.OverrideDefaultBool(cfg.Thumbnail.CS3AllowInsecure, false),
 Usage: "Whether to skip certificate checks",
- EnvVars: []string{"THUMBNAILS_CS3SOURCE_INSECURE"},
+ EnvVars: []string{"THUMBNAILS_CS3SOURCE_INSECURE", "OCIS_INSECURE"},
 Destination: &cfg.Thumbnail.CS3AllowInsecure,
 },
 &cli.StringSliceFlag{
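Review bot: The two thumbnail flags already have the best Usage text in this series, `"Whether to skip certificate checks"`, but neither mentions that `OCIS_INSECURE` now answers that question too, nor that the same wording appears twice without saying which source each flag covers. Suggest `Usage: "Whether to skip certificate checks for the webdav thumbnail source (also set by OCIS_INSECURE; THUMBNAILS_WEBDAVSOURCE_INSECURE takes precedence)"` and the corresponding text naming the CS3 source on the second flag. The precedence note is worth keeping accurate: urfave/cli uses the first `EnvVars` entry that is set, so the service-specific variable must remain ahead of `OCIS_INSECURE` in the slice, as it is here. ServerWithConfig begins and ends outside this hunk.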
From 28af5f74f372e43c47f4ee892074b7e49d64987e Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Wed, 10 Nov 2021 16:58:45 +0100 Subject: [PATCH 6/6] change change title --- changelog/unreleased/insecure-options.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/changelog/unreleased/insecure-options.md b/changelog/unreleased/insecure-options.md index 3d66ab32f..ae56ea1ea 100644 --- a/changelog/unreleased/insecure-options.md +++ b/changelog/unreleased/insecure-options.md @@ -1,6 +1,8 @@ -Change: Make insecure options configurable +Change: Make all insecure options configurable and change the default to false -We had several hard-coded 'insecure' flags. These options are now configurable and default to false. Also we changed all other 'insecure' flags with a previous default of true to false. In development environments using self signed certs (the default) you need to set these flags: +We had several hard-coded 'insecure' flags. These options are now configurable and default to false. Also we changed all other 'insecure' flags with a previous default of true to false. + +In development environments using self signed certs (the default) you now need to set these flags: ``` PROXY_OIDC_INSECURE=true