feat!: Make the url signing secret a mandatory config option

This is required for allowing the web office to download images to insert into documents. The secret is generated by `opencloud init` and the server refuses to start now without a secret being set. (Breaking Change) Also the setting is now moved to the shared options as all involved services need the same secret to work properly. Related: https://github.com/opencloud-eu/web/issues/704
2026-01-08 05:59:29 -05:00 · 2025-10-29 12:06:44 +01:00
parent 589cee4ab3
commit 37609e52df
12 changed files with 54 additions and 18 deletions
--- a/opencloud/pkg/init/init.go
+++ b/opencloud/pkg/init/init.go
@@ -68,7 +68,7 @@ func CreateConfig(insecure, forceOverwrite, diff bool, configPath, adminPassword
 		systemUserID, adminUserID, graphApplicationID, storageUsersMountID, serviceAccountID string
 		idmServicePassword, idpServicePassword, ocAdminServicePassword, revaServicePassword  string
 		tokenManagerJwtSecret, collaborationWOPISecret, machineAuthAPIKey, systemUserAPIKey  string
-		revaTransferSecret, thumbnailsTransferSecret, serviceAccountSecret                   string
+		revaTransferSecret, thumbnailsTransferSecret, serviceAccountSecret, urlSigningSecret string
 	)

 	if diff {
@@ -95,6 +95,13 @@ func CreateConfig(insecure, forceOverwrite, diff bool, configPath, adminPassword
 		revaTransferSecret = oldCfg.TransferSecret
 		thumbnailsTransferSecret = oldCfg.Thumbnails.Thumbnail.TransferSecret
 		serviceAccountSecret = oldCfg.Graph.ServiceAccount.ServiceAccountSecret
+		urlSigningSecret = oldCfg.URLSigningSecret
+		if urlSigningSecret == "" {
+			urlSigningSecret, err = generators.GenerateRandomPassword(passwordLength)
+			if err != nil {
+				return fmt.Errorf("could not generate random secret for urlSigningSecret: %s", err)
+			}
+		}
 	} else {
 		systemUserID = uuid.Must(uuid.NewV4()).String()
 		adminUserID = uuid.Must(uuid.NewV4()).String()
@@ -142,13 +149,17 @@ func CreateConfig(insecure, forceOverwrite, diff bool, configPath, adminPassword
 		if err != nil {
 			return fmt.Errorf("could not generate random password for revaTransferSecret: %s", err)
 		}
+		urlSigningSecret, err = generators.GenerateRandomPassword(passwordLength)
+		if err != nil {
+			return fmt.Errorf("could not generate random secret for urlSigningSecret: %s", err)
+		}
 		thumbnailsTransferSecret, err = generators.GenerateRandomPassword(passwordLength)
 		if err != nil {
 			return fmt.Errorf("could not generate random password for thumbnailsTransferSecret: %s", err)
 		}
 		serviceAccountSecret, err = generators.GenerateRandomPassword(passwordLength)
 		if err != nil {
-			return fmt.Errorf("could not generate random password for thumbnailsTransferSecret: %s", err)
+			return fmt.Errorf("could not generate random secret for serviceAccountSecret: %s", err)
 		}
 	}

@@ -164,6 +175,7 @@ func CreateConfig(insecure, forceOverwrite, diff bool, configPath, adminPassword
 		MachineAuthAPIKey: machineAuthAPIKey,
 		SystemUserAPIKey:  systemUserAPIKey,
 		TransferSecret:    revaTransferSecret,
+		URLSigningSecret:  urlSigningSecret,
 		SystemUserID:      systemUserID,
 		AdminUserID:       adminUserID,
 		Idm: IdmService{
--- a/opencloud/pkg/init/structs.go
+++ b/opencloud/pkg/init/structs.go
@@ -19,6 +19,7 @@ type OpenCloudConfig struct {
 	MachineAuthAPIKey string                `yaml:"machine_auth_api_key"`
 	SystemUserAPIKey  string                `yaml:"system_user_api_key"`
 	TransferSecret    string                `yaml:"transfer_secret"`
+	URLSigningSecret  string                `yaml:"url_signing_secret"`
 	SystemUserID      string                `yaml:"system_user_id"`
 	AdminUserID       string                `yaml:"admin_user_id"`
 	Graph             GraphService          `yaml:"graph"`
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -78,6 +78,7 @@ type Config struct {
 	TokenManager      *shared.TokenManager `yaml:"token_manager"`
 	MachineAuthAPIKey string               `yaml:"machine_auth_api_key" env:"OC_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary for the access to resources from other services." introductionVersion:"1.0.0"`
 	TransferSecret    string               `yaml:"transfer_secret" env:"OC_TRANSFER_SECRET" desc:"Transfer secret for signing file up- and download requests." introductionVersion:"1.0.0"`
+	URLSigningSecret  string               `yaml:"url_signing_secret" env:"OC_URL_SIGNING_SECRET" desc:"The shared secret used to sign URLs e.g. for image downloads by the web office suite." introductionVersion:"%%NEXT%%"`
 	SystemUserID      string               `yaml:"system_user_id" env:"OC_SYSTEM_USER_ID" desc:"ID of the OpenCloud storage-system system user. Admins need to set the ID for the storage-system system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format." introductionVersion:"1.0.0"`
 	SystemUserAPIKey  string               `yaml:"system_user_api_key" env:"OC_SYSTEM_USER_API_KEY" desc:"API key for the storage-system system user." introductionVersion:"1.0.0"`
 	AdminUserID       string               `yaml:"admin_user_id" env:"OC_ADMIN_USER_ID" desc:"ID of a user, that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand." introductionVersion:"1.0.0"`
--- a/pkg/config/parser/parse.go
+++ b/pkg/config/parser/parse.go
@@ -100,6 +100,11 @@ func EnsureCommons(cfg *config.Config) {
 		cfg.Commons.TransferSecret = cfg.TransferSecret
 	}

+	// copy url signing secret to the commons part if set
+	if cfg.URLSigningSecret != "" {
+		cfg.Commons.URLSigningSecret = cfg.URLSigningSecret
+	}
+
 	// copy metadata user id to the commons part if set
 	if cfg.SystemUserID != "" {
 		cfg.Commons.SystemUserID = cfg.SystemUserID
@@ -128,6 +133,10 @@ func Validate(cfg *config.Config) error {
 		return shared.MissingRevaTransferSecretError("opencloud")
 	}

+	if cfg.URLSigningSecret == "" {
+		return shared.MissingURLSigningSecret("opencloud")
+	}
+
 	if cfg.MachineAuthAPIKey == "" {
 		return shared.MissingMachineAuthApiKeyError("opencloud")
 	}
--- a/pkg/shared/errors.go
+++ b/pkg/shared/errors.go
@@ -93,3 +93,11 @@ func MissingWOPISecretError(service string) error {
 		"the config/corresponding environment variable).",
 		service, defaults.BaseConfigPath())
 }
+
+func MissingURLSigningSecret(service string) error {
+	return fmt.Errorf("The URL signing secret has not been set properly in your config for %s. "+
+		"Make sure your %s config contains the proper values "+
+		"(e.g. by using 'opencloud init --diff' and applying the patch or setting a value manually in "+
+		"the config/corresponding environment variable).",
+		service, defaults.BaseConfigPath())
+}
--- a/pkg/shared/shared_types.go
+++ b/pkg/shared/shared_types.go
@@ -80,6 +80,7 @@ type Commons struct {
 	Reva               *Reva           `yaml:"reva"`
 	MachineAuthAPIKey  string          `mask:"password" yaml:"machine_auth_api_key" env:"OC_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary for the access to resources from other services." introductionVersion:"1.0.0"`
 	TransferSecret     string          `mask:"password" yaml:"transfer_secret,omitempty" env:"REVA_TRANSFER_SECRET" desc:"The secret used for signing the requests towards the data gateway for up- and downloads." introductionVersion:"1.0.0"`
+	URLSigningSecret   string          `yaml:"url_signing_secret" env:"OC_URL_SIGNING_SECRET" desc:"The shared secret used to sign URLs e.g. for image downloads by the web office suite." introductionVersion:"%%NEXT%%"`
 	SystemUserID       string          `yaml:"system_user_id" env:"OC_SYSTEM_USER_ID" desc:"ID of the OpenCloud storage-system system user. Admins need to set the ID for the storage-system system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format." introductionVersion:"1.0.0"`
 	SystemUserAPIKey   string          `mask:"password" yaml:"system_user_api_key" env:"SYSTEM_USER_API_KEY" desc:"API key for all system users." introductionVersion:"1.0.0"`
 	AdminUserID        string          `yaml:"admin_user_id" env:"OC_ADMIN_USER_ID" desc:"ID of a user, that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand." introductionVersion:"1.0.0"`
--- a/services/ocdav/pkg/command/server.go
+++ b/services/ocdav/pkg/command/server.go
@@ -95,7 +95,7 @@ func Server(cfg *config.Config) *cli.Command {
 				ocdav.WithTraceProvider(traceProvider),
 				ocdav.RegisterTTL(registry.GetRegisterTTL()),
 				ocdav.RegisterInterval(registry.GetRegisterInterval()),
-				ocdav.URLSigningSharedSecret(cfg.URLSigningSharedSecret),
+				ocdav.URLSigningSharedSecret(cfg.Commons.URLSigningSecret),
 			}

 			s, err := ocdav.Service(opts...)
--- a/services/ocdav/pkg/config/config.go
+++ b/services/ocdav/pkg/config/config.go
@@ -34,9 +34,8 @@ type Config struct {

 	MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OC_MACHINE_AUTH_API_KEY;OCDAV_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary for the access to resources from other services." introductionVersion:"1.0.0"`

-	URLSigningSharedSecret string          `yaml:"url_signing_shared_secret" env:"OC_URL_SIGNING_SHARED_SECRET" desc:"The shared secret used to sign URLs." introductionVersion:"4.0.0"`
-	Context                context.Context `yaml:"-"`
-	Status                 Status          `yaml:"-"`
+	Context context.Context `yaml:"-"`
+	Status  Status          `yaml:"-"`

 	AllowPropfindDepthInfinity bool `yaml:"allow_propfind_depth_infinity" env:"OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY" desc:"Allow the use of depth infinity in PROPFINDS. When enabled, a propfind will traverse through all subfolders. If many subfolders are expected, depth infinity can cause heavy server load and/or delayed response times." introductionVersion:"1.0.0"`
 }
--- a/services/ocdav/pkg/config/parser/parse.go
+++ b/services/ocdav/pkg/config/parser/parse.go
@@ -37,9 +37,14 @@ func Validate(cfg *config.Config) error {
 	if cfg.TokenManager.JWTSecret == "" {
 		return shared.MissingJWTTokenError(cfg.Service.Name)
 	}
+
 	if cfg.MachineAuthAPIKey == "" {
 		return shared.MissingMachineAuthApiKeyError(cfg.Service.Name)
 	}

+	if cfg.Commons.URLSigningSecret == "" {
+		return shared.MissingURLSigningSecret(cfg.Service.Name)
+	}
+
 	return nil
 }
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
@@ -311,15 +311,11 @@ func loadMiddlewares(logger log.Logger, cfg *config.Config,
 		RevaGatewaySelector: gatewaySelector,
 	})

-	var signURLVerifier signedurl.Verifier
-
-	if cfg.PreSignedURL.JWTSigningSharedSecret != "" {
-		var err error
-		signURLVerifier, err = signedurl.NewJWTSignedURL(signedurl.WithSecret(cfg.PreSignedURL.JWTSigningSharedSecret))
-		if err != nil {
-			logger.Fatal().Err(err).Msg("Failed to initialize signed URL configuration.")
-		}
+	signURLVerifier, err := signedurl.NewJWTSignedURL(signedurl.WithSecret(cfg.Commons.URLSigningSecret))
+	if err != nil {
+		logger.Fatal().Err(err).Msg("Failed to initialize signed URL configuration.")
 	}
+
 	authenticators = append(authenticators, middleware.SignedURLAuthenticator{
 		Logger:             logger,
 		PreSignedURLConfig: cfg.PreSignedURL,
--- a/services/proxy/pkg/config/config.go
+++ b/services/proxy/pkg/config/config.go
@@ -180,10 +180,9 @@ type StaticSelectorConf struct {

 // PreSignedURL is the config for the pre-signed url middleware
 type PreSignedURL struct {
-	AllowedHTTPMethods     []string     `yaml:"allowed_http_methods"`
-	Enabled                bool         `yaml:"enabled" env:"PROXY_ENABLE_PRESIGNEDURLS" desc:"Allow OCS to get a signing key to sign requests." introductionVersion:"1.0.0"`
-	SigningKeys            *SigningKeys `yaml:"signing_keys"`
-	JWTSigningSharedSecret string       `yaml:"url_signing_shared_secret" env:"OC_URL_SIGNING_SHARED_SECRET" desc:"The shared secret used to sign URLs." introductionVersion:"4.0.0"`
+	AllowedHTTPMethods []string     `yaml:"allowed_http_methods"`
+	Enabled            bool         `yaml:"enabled" env:"PROXY_ENABLE_PRESIGNEDURLS" desc:"Allow OCS to get a signing key to sign requests." introductionVersion:"1.0.0"`
+	SigningKeys        *SigningKeys `yaml:"signing_keys"`
 }

 // SigningKeys is a store configuration.
--- a/services/proxy/pkg/config/parser/parse.go
+++ b/services/proxy/pkg/config/parser/parse.go
@@ -56,9 +56,14 @@ func Validate(cfg *config.Config) error {
 	if cfg.ServiceAccount.ServiceAccountID == "" {
 		return shared.MissingServiceAccountID(cfg.Service.Name)
 	}
+
 	if cfg.ServiceAccount.ServiceAccountSecret == "" {
 		return shared.MissingServiceAccountSecret(cfg.Service.Name)
 	}

+	if cfg.Commons.URLSigningSecret == "" {
+		return shared.MissingURLSigningSecret(cfg.Service.Name)
+	}
+
 	return nil
 }