From 71790089fd1b0ff1f401bd0a2d867a40f783eb15 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Fri, 16 Sep 2022 12:36:45 +0200
Subject: [PATCH 1/2] change insecure option defaulting to false

---
 .../unreleased/fix-insecure-option-with-default-true.md | 6 ++++++
 services/proxy/pkg/config/defaults/defaultconfig.go | 5 ++---
 2 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 changelog/unreleased/fix-insecure-option-with-default-true.md

diff --git a/changelog/unreleased/fix-insecure-option-with-default-true.md b/changelog/unreleased/fix-insecure-option-with-default-true.md
new file mode 100644
index 0000000000..c62f6156aa
--- /dev/null
+++ b/changelog/unreleased/fix-insecure-option-with-default-true.md
@@ -0,0 +1,6 @@
+Bugfix: Change the default value for PROXY_OIDC_INSECURE to false
+
+We've changed the default value for PROXY_OIDC_INSECURE to `false`.
+Previously the default values was `true` which is not acceptable since default values need to be secure.
+
+https://github.com/owncloud/ocis/pull/4601
diff --git a/services/proxy/pkg/config/defaults/defaultconfig.go b/services/proxy/pkg/config/defaults/defaultconfig.go
index 05740a72ef..931a5c3a76 100644
--- a/services/proxy/pkg/config/defaults/defaultconfig.go
+++ b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -33,9 +33,8 @@ func DefaultConfig() *config.Config {
 			Name: "proxy",
 		},
 		OIDC: config.OIDC{
-			Issuer: "https://localhost:9200",
-			Insecure: true,
-			//Insecure: true,
+			Issuer: "https://localhost:9200",
+			AccessTokenVerifyMethod: config.AccessTokenVerificationJWT,
 			UserinfoCache: config.UserinfoCache{
 				Size: 1024,
 

From c997e50b8d177cd72e97a8a12b20585dc1272dbd Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Mon, 26 Sep 2022 09:06:13 +0200
Subject: [PATCH 2/2] add insecure option to `ocis init`

---
 ocis/pkg/init/init.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/ocis/pkg/init/init.go b/ocis/pkg/init/init.go
index a700bcdee6..512ba4ae69 100644
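Review bot: The defaultconfig.go hunk does more than the subject and the changelog entry describe: besides dropping `Insecure: true` it adds a new default `AccessTokenVerifyMethod: config.AccessTokenVerificationJWT`, which neither the commit message nor the changelog file in this same patch mentions, so either split that line into its own commit or add a sentence to the changelog. Since `Insecure` is now simply absent from the literal and relies on the zero value, a one-line comment next to `Issuer` would keep the next person from re-adding the old line: `// Insecure is deliberately unset: the zero value (false) is the secure default`. The `DefaultConfig` literal this hunk sits in starts and ends outside the hunk.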
--- a/ocis/pkg/init/init.go
+++ b/ocis/pkg/init/init.go
@@ -28,7 +28,12 @@ type InsecureService struct {
 }
 
 type InsecureProxyService struct {
-	InsecureBackends bool `yaml:"insecure_backends"`
+	OIDC InsecureProxyOIDC `yaml:"oidc"`
+	InsecureBackends bool `yaml:"insecure_backends"`
+}
+
+type InsecureProxyOIDC struct {
+	Insecure bool `yaml:"insecure"`
 }
 
 type LdapSettings struct {
@@ -282,6 +287,9 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin
 	}
 	cfg.Proxy = InsecureProxyService{
 		InsecureBackends: true,
+		OIDC: InsecureProxyOIDC{
+			Insecure: true,
+		},
 	}
 	cfg.Thumbnails.Thumbnail.WebdavAllowInsecure = true
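Review bot: The new exported type `InsecureProxyOIDC` and the extended `InsecureProxyService` carry no doc comments, which the usual Go linters flag for exported names and which matters here because a reader has to guess why `ocis init` keeps its own copy of the proxy config shape. A comment such as `// InsecureProxyOIDC holds the proxy OIDC settings that ocis init writes; Insecure maps to the yaml key proxy.oidc.insecure, presumably the same setting PROXY_OIDC_INSECURE covers in the proxy defaults.` would close that gap; the link to PROXY_OIDC_INSECURE is inferred from the first patch in this series, so confirm it before committing the wording. The run of type declarations continues outside the hunk on both sides.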
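Review bot: The added `OIDC: InsecureProxyOIDC{Insecure: true}` re-enables the very flag the first patch in this series just defaulted to false, and nothing on the line says why, so the two commits read as contradictory side by side. If, as the `insecure` parameter in the signature and the neighbouring `InsecureBackends: true` and `WebdavAllowInsecure = true` suggest, this block only runs for an insecure-mode init, say so on the new line: `// insecure mode only: PROXY_OIDC_INSECURE defaults to false since the first patch of this series`. As a minor style point the literal sets `InsecureBackends` before `OIDC` while the struct now declares them in the opposite order; matching the declaration order avoids a needless diff later. `CreateConfig`'s body starts and ends outside the hunk, so the gating condition cannot be confirmed from here.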