mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-05-18 13:35:37 -04:00
Code Issues Packages Projects Releases Wiki Activity

introduce OCIS_INSECURE option

Browse Source
This commit is contained in:
Willy Kloucek
2021-11-10 16:55:12 +01:00
parent a6b2ea9895
commit 6590565a2f
20 changed files with 34 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.drone.star
View File

@@ -1474,16 +1474,7 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = []):
"IDP_IDENTIFIER_REGISTRATION_CONF": "/drone/src/tests/config/drone/identifier-registration.yml",
"OCIS_LOG_LEVEL": "error",
"SETTINGS_DATA_PATH": "/srv/app/tmp/ocis/settings",
"PROXY_OIDC_INSECURE": "true",
"THUMBNAILS_WEBDAVSOURCE_INSECURE": "true",
"THUMBNAILS_CS3SOURCE_INSECURE": "true",
"STORAGE_OIDC_INSECURE": "true",
"STORAGE_HOME_DATAPROVIDER_INSECURE": "true",
"STORAGE_METADATA_DATAPROVIDER_INSECURE": "true",
"STORAGE_USERS_DATAPROVIDER_INSECURE": "true",
"STORAGE_FRONTEND_OCDAV_INSECURE": "true",
"STORAGE_FRONTEND_ARCHIVER_INSECURE": "true",
"STORAGE_FRONTEND_APPPROVIDER_INSECURE": "true",
"OCIS_INSECURE": "true",
}
# Pass in "default" accounts_hash_difficulty to not set this environment variable.

11
.vscode/launch.json vendored
View File

@@ -18,16 +18,7 @@
// enable basic auth for dev setup so that we can use curl for testing
"PROXY_ENABLE_BASIC_AUTH": "true",
// set insecure options because we don't have valid certificates in dev environments
"PROXY_OIDC_INSECURE": "true",
"THUMBNAILS_WEBDAVSOURCE_INSECURE": "true",
"THUMBNAILS_CS3SOURCE_INSECURE": "true",
"STORAGE_OIDC_INSECURE": "true",
"STORAGE_HOME_DATAPROVIDER_INSECURE": "true",
"STORAGE_METADATA_DATAPROVIDER_INSECURE": "true",
"STORAGE_USERS_DATAPROVIDER_INSECURE": "true",
"STORAGE_FRONTEND_OCDAV_INSECURE": "true",
"STORAGE_FRONTEND_ARCHIVER_INSECURE": "true",
"STORAGE_FRONTEND_APPPROVIDER_INSECURE": "true",
"OCIS_INSECURE": "true",
}
},
]

8
changelog/unreleased/insecure-options.md
View File

@@ -1,4 +1,4 @@
Enhancement: Make insecure options configurable
Change: Make insecure options configurable
We had several hard-coded 'insecure' flags. These options are now configurable and default to false. Also we changed all other 'insecure' flags with a previous default of true to false. In development environments using self signed certs (the default) you need to set these flags:
@@ -15,5 +15,11 @@ THUMBNAILS_CS3SOURCE_INSECURE=true
THUMBNAILS_WEBDAVSOURCE_INSECURE=true
```
As an alternative you also can set a single flag, which configures all options together:
```
OCIS_INSECURE=true
```
https://github.com/owncloud/ocis/issues/2700
https://github.com/owncloud/ocis/pull/2745

11
deployments/examples/cs3_users_ocis/docker-compose.yml
View File

@@ -87,16 +87,7 @@ services:
STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
# INSECURE: needed if oCIS / Traefik is using self generated certificates
PROXY_OIDC_INSECURE: "${INSECURE:-false}"
THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
OCIS_INSECURE: "${INSECURE:-false}"
volumes:
- ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
- ./config/ocis/web-config.dist.json:/config/web-config.dist.json

11
deployments/examples/oc10_ocis_parallel/docker-compose.yml
View File

@@ -117,16 +117,7 @@ services:
STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
# INSECURE: needed if oCIS / Traefik is using self generated certificates
PROXY_OIDC_INSECURE: "${INSECURE:-false}"
THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
OCIS_INSECURE: "${INSECURE:-false}"
volumes:
- ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
- ./config/ocis/proxy-config.dist.json:/config/proxy-config.dist.json

11
deployments/examples/ocis_hello/docker-compose.yml
View File

@@ -67,16 +67,7 @@ services:
# make settings service available to oCIS Hello
SETTINGS_GRPC_ADDR: 0.0.0.0:9191
# INSECURE: needed if oCIS / Traefik is using self generated certificates
PROXY_OIDC_INSECURE: "${INSECURE:-false}"
THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
OCIS_INSECURE: "${INSECURE:-false}"
volumes:
- ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
- ./config/ocis/web-config.dist.json:/config/web-config.dist.json

11
deployments/examples/ocis_keycloak/docker-compose.yml
View File

@@ -71,16 +71,7 @@ services:
STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
# INSECURE: needed if oCIS / Traefik is using self generated certificates
PROXY_OIDC_INSECURE: "${INSECURE:-false}"
THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
OCIS_INSECURE: "${INSECURE:-false}"
volumes:
- ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
- ocis-data:/var/lib/ocis

11
deployments/examples/ocis_s3/docker-compose.yml
View File

@@ -70,16 +70,7 @@ services:
STORAGE_USERS_DRIVER_S3NG_SECRET_KEY: ${MINIO_SECRET_KEY:-ocis-secret-key}
STORAGE_USERS_DRIVER_S3NG_BUCKET: ${MINIO_BUCKET:-ocis-bucket}
# INSECURE: needed if oCIS / Traefik is using self generated certificates
PROXY_OIDC_INSECURE: "${INSECURE:-false}"
THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
OCIS_INSECURE: "${INSECURE:-false}"
volumes:
- ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
- ocis-data:/var/lib/ocis

11
deployments/examples/ocis_traefik/docker-compose.yml
View File

@@ -60,16 +60,7 @@ services:
STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
# INSECURE: needed if oCIS / Traefik is using self generated certificates
PROXY_OIDC_INSECURE: "${INSECURE:-false}"
THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
OCIS_INSECURE: "${INSECURE:-false}"
volumes:
- ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
- ocis-data:/var/lib/ocis

11
deployments/examples/ocis_wopi/docker-compose.yml
View File

@@ -69,16 +69,7 @@ services:
STORAGE_GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
STORAGE_APP_REGISTRY_MIMETYPES_JSON: /var/tmp/ocis/app-config/mimetypes.json
# INSECURE: needed if oCIS / Traefik is using self generated certificates
PROXY_OIDC_INSECURE: "${INSECURE:-false}"
THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
OCIS_INSECURE: "${INSECURE:-false}"
volumes:
- ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
- ./config/ocis/mimetypes.json:/var/tmp/ocis/app-config/mimetypes.json

6
docs/ocis/deployment/basic-remote-setup.md
View File

@@ -29,9 +29,10 @@ For the following examples you need to have the oCIS binary in your current work
### Using automatically generated certificates
In order to run oCIS with automatically generated and self signed certificates please execute following command. You need to replace `your-host` with an IP or hostname.
In order to run oCIS with automatically generated and self signed certificates please execute following command. You need to replace `your-host` with an IP or hostname. Since you have only self signed certificates you need to have `OCIS_INSECURE` set to `true`.
```bash
OCIS_INSECURE=true \
PROXY_HTTP_ADDR=0.0.0.0:9200 \
OCIS_URL=https://your-host:9200 \
./ocis server
@@ -42,6 +43,7 @@ OCIS_URL=https://your-host:9200 \
If you have your own certificates already in place, you may want to make oCIS use them:
```bash
OCIS_INSECURE=false \
PROXY_HTTP_ADDR=0.0.0.0:9200 \
OCIS_URL=https://your-host:9200 \
PROXY_TRANSPORT_TLS_KEY=./certs/your-host.key \
@@ -49,6 +51,8 @@ PROXY_TRANSPORT_TLS_CERT=./certs/your-host.crt \
./ocis server
```
If you generated these certificates on your own, you might need to set `OCIS_INSECURE` to `true`.
For more configuration options check the configuration section in [oCIS]({{< ref "../configuration" >}}) and the oCIS extensions.
## Start the oCIS fullstack server with Docker Compose

3
docs/ocis/deployment/systemd.md
View File

@@ -45,6 +45,7 @@ In order to create the file we need first to create the folder `/etc/ocis/` and
```
OCIS_URL=https://some-hostname-or-ip:9200
PROXY_HTTP_ADDR=0.0.0.0:9200
OCIS_INSECURE=false
OCIS_LOG_LEVEL=error
@@ -56,7 +57,7 @@ PROXY_TRANSPORT_TLS_CERT=/etc/ocis/proxy/server.crt
PROXY_TRANSPORT_TLS_KEY=/etc/ocis/proxy/server.key
```
Please change your `OCIS_URL` in order to reflect your actual deployment.
Please change your `OCIS_URL` in order to reflect your actual deployment. If you are using self signed certificates you need to set `OCIS_INSECURE=true` in `/etc/ocis/ocis.env`.
## Starting the oCIS service

2
proxy/pkg/flagset/flagset.go
View File

@@ -210,7 +210,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
Name: "oidc-insecure",
Value: flags.OverrideDefaultBool(cfg.OIDC.Insecure, false),
Usage: "OIDC allow insecure communication",
EnvVars: []string{"PROXY_OIDC_INSECURE"},
EnvVars: []string{"PROXY_OIDC_INSECURE", "OCIS_INSECURE"},
Destination: &cfg.OIDC.Insecure,
},
&cli.IntFlag{

2
storage/pkg/flagset/authbearer.go
View File

@@ -32,7 +32,7 @@ func AuthBearerWithConfig(cfg *config.Config) []cli.Flag {
Name: "oidc-insecure",
Value: flags.OverrideDefaultBool(cfg.Reva.OIDC.Insecure, false),
Usage: "OIDC allow insecure communication",
EnvVars: []string{"STORAGE_OIDC_INSECURE"},
EnvVars: []string{"STORAGE_OIDC_INSECURE", "OCIS_INSECURE"},
Destination: &cfg.Reva.OIDC.Insecure,
},
&cli.StringFlag{

6
storage/pkg/flagset/frontend.go
View File

@@ -123,7 +123,7 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
Name: "approvider-insecure",
Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.AppProviderInsecure, false),
Usage: "approvider insecure",
EnvVars: []string{"STORAGE_FRONTEND_APPPROVIDER_INSECURE"},
EnvVars: []string{"STORAGE_FRONTEND_APPPROVIDER_INSECURE", "OCIS_INSECURE"},
Destination: &cfg.Reva.Frontend.AppProviderInsecure,
},
&cli.StringFlag{
@@ -137,7 +137,7 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
Name: "archiver-insecure",
Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.ArchiverInsecure, false),
Usage: "archiver insecure",
EnvVars: []string{"STORAGE_FRONTEND_ARCHIVER_INSECURE"},
EnvVars: []string{"STORAGE_FRONTEND_ARCHIVER_INSECURE", "OCIS_INSECURE"},
Destination: &cfg.Reva.Frontend.ArchiverInsecure,
},
&cli.StringFlag{
@@ -165,7 +165,7 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
Name: "ocdav-insecure",
Value: flags.OverrideDefaultBool(cfg.Reva.Frontend.OCDavInsecure, false),
Usage: "owncloud webdav insecure",
EnvVars: []string{"STORAGE_FRONTEND_OCDAV_INSECURE"},
EnvVars: []string{"STORAGE_FRONTEND_OCDAV_INSECURE", "OCIS_INSECURE"},
Destination: &cfg.Reva.Frontend.OCDavInsecure,
},
&cli.StringFlag{

2
storage/pkg/flagset/storagehome.go
View File

@@ -134,7 +134,7 @@ func StorageHomeWithConfig(cfg *config.Config) []cli.Flag {
Name: "dataprovider-insecure",
Value: flags.OverrideDefaultBool(cfg.Reva.StorageHome.DataProvider.Insecure, false),
Usage: "dataprovider insecure",
EnvVars: []string{"STORAGE_HOME_DATAPROVIDER_INSECURE"},
EnvVars: []string{"STORAGE_HOME_DATAPROVIDER_INSECURE", "OCIS_INSECURE"},
Destination: &cfg.Reva.StorageHome.DataProvider.Insecure,
},

2
storage/pkg/flagset/storagemetadata.go
View File

@@ -73,7 +73,7 @@ func StorageMetadata(cfg *config.Config) []cli.Flag {
Name: "dataprovider-insecure",
Value: flags.OverrideDefaultBool(cfg.Reva.StorageMetadata.DataProvider.Insecure, false),
Usage: "dataprovider insecure",
EnvVars: []string{"STORAGE_METADATA_DATAPROVIDER_INSECURE"},
EnvVars: []string{"STORAGE_METADATA_DATAPROVIDER_INSECURE", "OCIS_INSECURE"},
Destination: &cfg.Reva.StorageMetadata.DataProvider.Insecure,
},

2
storage/pkg/flagset/storageusers.go
View File

@@ -82,7 +82,7 @@ func StorageUsersWithConfig(cfg *config.Config) []cli.Flag {
Name: "dataprovider-insecure",
Value: flags.OverrideDefaultBool(cfg.Reva.StorageUsers.DataProvider.Insecure, false),
Usage: "dataprovider insecure",
EnvVars: []string{"STORAGE_USERS_DATAPROVIDER_INSECURE"},
EnvVars: []string{"STORAGE_USERS_DATAPROVIDER_INSECURE", "OCIS_INSECURE"},
Destination: &cfg.Reva.StorageUsers.DataProvider.Insecure,
},
&cli.BoolFlag{

1
tests/acceptance/docker/src/ocis-base.yml
View File

@@ -14,6 +14,7 @@ services:
WEB_UI_CONFIG: /drone/src/tests/config/drone/ocis-config.json
IDP_IDENTIFIER_REGISTRATION_CONF: /drone/src/tests/config/drone/identifier-registration.yml
ACCOUNTS_HASH_DIFFICULTY: 4
OCIS_INSECURE: "true"
# s3ng specific settings
STORAGE_USERS_DRIVER_S3NG_ENDPOINT: http://ceph:8080
STORAGE_USERS_DRIVER_S3NG_REGION: default

4
thumbnails/pkg/flagset/flagset.go
View File

@@ -156,14 +156,14 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
Name: "webdavsource-insecure",
Value: flags.OverrideDefaultBool(cfg.Thumbnail.WebdavAllowInsecure, false),
Usage: "Whether to skip certificate checks",
EnvVars: []string{"THUMBNAILS_WEBDAVSOURCE_INSECURE"},
EnvVars: []string{"THUMBNAILS_WEBDAVSOURCE_INSECURE", "OCIS_INSECURE"},
Destination: &cfg.Thumbnail.WebdavAllowInsecure,
},
&cli.BoolFlag{
Name: "cs3source-insecure",
Value: flags.OverrideDefaultBool(cfg.Thumbnail.CS3AllowInsecure, false),
Usage: "Whether to skip certificate checks",
EnvVars: []string{"THUMBNAILS_CS3SOURCE_INSECURE"},
EnvVars: []string{"THUMBNAILS_CS3SOURCE_INSECURE", "OCIS_INSECURE"},
Destination: &cfg.Thumbnail.CS3AllowInsecure,
},
&cli.StringSliceFlag{