From 7306abaaf953305ba848a43fc7a337e09c15943f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?= Date: Thu, 18 Dec 2025 16:55:54 +0100 Subject: [PATCH 1/8] add tls support for all nats connections MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jörn Friedrich Dreyer (cherry picked from commit 77fd4fca69fba979912e1191fb24a8b805a1bcbf) Backports: https://github.com/opencloud-eu/opencloud/pull/2063 --- pkg/nats/options.go | 20 +++ pkg/shared/shared_types.go | 19 +- services/activitylog/pkg/command/server.go | 12 -- services/activitylog/pkg/config/config.go | 16 +- .../pkg/config/defaults/defaultconfig.go | 1 - .../activitylog/pkg/server/debug/server.go | 8 +- .../activitylog/pkg/server/http/server.go | 1 - services/activitylog/pkg/service/options.go | 9 - services/activitylog/pkg/service/service.go | 13 ++ services/antivirus/pkg/server/debug/server.go | 8 +- services/audit/pkg/server/debug/server.go | 8 +- services/clientlog/pkg/server/debug/server.go | 8 +- services/collaboration/pkg/command/server.go | 3 + services/collaboration/pkg/config/store.go | 17 +- services/eventhistory/pkg/command/server.go | 3 + services/eventhistory/pkg/config/config.go | 17 +- .../eventhistory/pkg/server/debug/server.go | 8 +- services/frontend/pkg/config/config.go | 27 +-- services/frontend/pkg/revaconfig/config.go | 19 +- services/frontend/pkg/server/debug/server.go | 8 +- services/gateway/pkg/config/config.go | 21 ++- services/gateway/pkg/revaconfig/config.go | 35 ++-- services/gateway/pkg/server/debug/server.go | 1 + services/graph/pkg/command/server.go | 12 +- services/graph/pkg/config/cache.go | 19 +- services/graph/pkg/config/config.go | 11 +- services/graph/pkg/server/debug/server.go | 8 +- services/nats/pkg/server/debug/server.go | 8 +- services/notifications/pkg/command/server.go | 3 + services/notifications/pkg/config/config.go | 17 +- .../notifications/pkg/server/debug/server.go | 8 +- services/ocm/pkg/revaconfig/config.go | 1 + services/ocm/pkg/server/debug/server.go | 8 +- services/ocs/pkg/config/config.go | 13 +- services/ocs/pkg/server/debug/server.go | 1 + services/ocs/pkg/server/http/server.go | 3 + services/policies/pkg/server/debug/server.go | 8 +- services/postprocessing/pkg/command/server.go | 3 + services/postprocessing/pkg/config/config.go | 17 +- .../postprocessing/pkg/server/debug/server.go | 8 +- services/proxy/pkg/command/server.go | 6 + services/proxy/pkg/config/config.go | 34 ++-- services/proxy/pkg/server/debug/server.go | 8 +- services/search/pkg/server/debug/server.go | 8 +- services/settings/pkg/config/config.go | 21 ++- services/settings/pkg/store/metadata/cache.go | 6 + services/sharing/pkg/config/config.go | 1 + services/sharing/pkg/revaconfig/config.go | 1 + services/sharing/pkg/server/debug/server.go | 8 +- services/sse/pkg/server/debug/server.go | 8 +- services/storage-system/pkg/config/config.go | 17 +- .../storage-system/pkg/revaconfig/config.go | 17 +- services/storage-users/pkg/config/config.go | 34 ++-- .../storage-users/pkg/revaconfig/drivers.go | 165 +++++++++++------- .../storage-users/pkg/server/debug/server.go | 8 +- services/userlog/pkg/command/server.go | 3 + services/userlog/pkg/config/config.go | 17 +- services/userlog/pkg/server/debug/server.go | 8 +- 58 files changed, 527 insertions(+), 273 deletions(-) create mode 100644 pkg/nats/options.go diff --git a/pkg/nats/options.go b/pkg/nats/options.go new file mode 100644 index 0000000000..43d54be2e6 --- /dev/null +++ b/pkg/nats/options.go @@ -0,0 +1,20 @@ +package nats + +import ( + "crypto/tls" + + "github.com/nats-io/nats.go" +) + +func Secure(enableTLS, insecure bool, rootCA string) nats.Option { + if enableTLS { + if rootCA != "" { + return nats.RootCAs(rootCA) + } + return nats.Secure(&tls.Config{ + MinVersion: tls.VersionTLS12, + InsecureSkipVerify: insecure, + }) + } + return nil +} diff --git a/pkg/shared/shared_types.go b/pkg/shared/shared_types.go index a3dc0437d0..16f7fbda7e 100644 --- a/pkg/shared/shared_types.go +++ b/pkg/shared/shared_types.go @@ -48,14 +48,17 @@ type HTTPServiceTLS struct { } type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES" desc:"A comma separated list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"OC_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL" desc:"Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES" desc:"A comma separated list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"OC_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL" desc:"Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided OC_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // Commons holds configuration that are common to all extensions. Each extension can then decide whether diff --git a/services/activitylog/pkg/command/server.go b/services/activitylog/pkg/command/server.go index 10533fa9a5..59b7cef3a8 100644 --- a/services/activitylog/pkg/command/server.go +++ b/services/activitylog/pkg/command/server.go @@ -9,9 +9,7 @@ import ( "github.com/opencloud-eu/reva/v2/pkg/events" "github.com/opencloud-eu/reva/v2/pkg/events/stream" "github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool" - "github.com/opencloud-eu/reva/v2/pkg/store" "github.com/spf13/cobra" - microstore "go-micro.dev/v4/store" "github.com/opencloud-eu/opencloud/pkg/config/configlog" "github.com/opencloud-eu/opencloud/pkg/generators" @@ -77,15 +75,6 @@ func Server(cfg *config.Config) *cobra.Command { return err } - evStore := store.Create( - store.Store(cfg.Store.Store), - store.TTL(cfg.Store.TTL), - microstore.Nodes(cfg.Store.Nodes...), - microstore.Database(cfg.Store.Database), - microstore.Table(cfg.Store.Table), - store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), - ) - tm, err := pool.StringToTLSMode(cfg.GRPCClientTLS.Mode) if err != nil { logger.Error().Err(err).Msg("Failed to parse tls mode") @@ -120,7 +109,6 @@ func Server(cfg *config.Config) *cobra.Command { http.Context(ctx), // NOTE: not passing this "option" leads to a panic in go-micro http.TraceProvider(tracerProvider), http.Stream(evStream), - http.Store(evStore), http.GatewaySelector(gatewaySelector), http.HistoryClient(hClient), http.ValueClient(vClient), diff --git a/services/activitylog/pkg/config/config.go b/services/activitylog/pkg/config/config.go index 3e904571c9..41cd8ea96c 100644 --- a/services/activitylog/pkg/config/config.go +++ b/services/activitylog/pkg/config/config.go @@ -50,13 +50,15 @@ type Events struct { // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;ACTIVITYLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;ACTIVITYLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"ACTIVITYLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"ACTIVITYLOG_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;ACTIVITYLOG_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;ACTIVITYLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;ACTIVITYLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;ACTIVITYLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;ACTIVITYLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"ACTIVITYLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;ACTIVITYLOG_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;ACTIVITYLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;ACTIVITYLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;ACTIVITYLOG_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;ACTIVITYLOG_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;ACTIVITYLOG_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided ACTIVITYLOG_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // ServiceAccount is the configuration for the used service account diff --git a/services/activitylog/pkg/config/defaults/defaultconfig.go b/services/activitylog/pkg/config/defaults/defaultconfig.go index 7265cd56eb..7b6e8306d7 100644 --- a/services/activitylog/pkg/config/defaults/defaultconfig.go +++ b/services/activitylog/pkg/config/defaults/defaultconfig.go @@ -37,7 +37,6 @@ func DefaultConfig() *config.Config { Store: "nats-js-kv", Nodes: []string{"127.0.0.1:9233"}, Database: "activitylog", - Table: "", }, RevaGateway: shared.DefaultRevaConfig().Address, DefaultLanguage: "en", diff --git a/services/activitylog/pkg/server/debug/server.go b/services/activitylog/pkg/server/debug/server.go index 4d29a4480f..79a016f421 100644 --- a/services/activitylog/pkg/server/debug/server.go +++ b/services/activitylog/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("http reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/activitylog/pkg/server/http/server.go b/services/activitylog/pkg/server/http/server.go index 2e4515806c..735a33d011 100644 --- a/services/activitylog/pkg/server/http/server.go +++ b/services/activitylog/pkg/server/http/server.go @@ -81,7 +81,6 @@ func Server(opts ...Option) (http.Service, error) { svc.Logger(options.Logger), svc.Stream(options.Stream), svc.Mux(mux), - svc.Store(options.Store), svc.Config(options.Config), svc.GatewaySelector(options.GatewaySelector), svc.TraceProvider(options.TraceProvider), diff --git a/services/activitylog/pkg/service/options.go b/services/activitylog/pkg/service/options.go index 22c6d6282b..282b1147f1 100644 --- a/services/activitylog/pkg/service/options.go +++ b/services/activitylog/pkg/service/options.go @@ -11,7 +11,6 @@ import ( "github.com/opencloud-eu/opencloud/services/activitylog/pkg/config" "github.com/opencloud-eu/reva/v2/pkg/events" "github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool" - microstore "go-micro.dev/v4/store" "go.opentelemetry.io/otel/trace" ) @@ -25,7 +24,6 @@ type Options struct { TraceProvider trace.TracerProvider Stream events.Stream RegisteredEvents []events.Unmarshaller - Store microstore.Store GatewaySelector pool.Selectable[gateway.GatewayAPIClient] Mux *chi.Mux HistoryClient ehsvc.EventHistoryService @@ -69,13 +67,6 @@ func RegisteredEvents(e []events.Unmarshaller) Option { } } -// Store configures the store to use -func Store(store microstore.Store) Option { - return func(o *Options) { - o.Store = store - } -} - // GatewaySelector adds a grpc client selector for the gateway service func GatewaySelector(gatewaySelector pool.Selectable[gateway.GatewayAPIClient]) Option { return func(o *Options) { diff --git a/services/activitylog/pkg/service/service.go b/services/activitylog/pkg/service/service.go index c97c855b54..9eec13962c 100644 --- a/services/activitylog/pkg/service/service.go +++ b/services/activitylog/pkg/service/service.go @@ -2,6 +2,7 @@ package service import ( "context" + "crypto/tls" "encoding/base32" "encoding/json" "fmt" @@ -166,6 +167,18 @@ func New(opts ...Option) (*ActivitylogService, error) { natsOptions := nats.Options{ Servers: o.Config.Store.Nodes, } + if o.Config.Store.EnableTLS { + if o.Config.Store.TLSRootCACertificate != "" { + // when root ca is configured use it. an insecure flag is ignored. + nats.RootCAs(o.Config.Store.TLSRootCACertificate)(&natsOptions) + } else { + // enable tls and use insecure flag + nats.Secure(&tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: o.Config.Store.TLSInsecure})(&natsOptions) + } + } + if o.Config.Store.AuthUsername != "" && o.Config.Store.AuthPassword != "" { + nats.UserInfo(o.Config.Store.AuthUsername, o.Config.Store.AuthPassword)(&natsOptions) + } conn, err := natsOptions.Connect() if err != nil { return nil, err diff --git a/services/antivirus/pkg/server/debug/server.go b/services/antivirus/pkg/server/debug/server.go index 7916f6f887..29836059ce 100644 --- a/services/antivirus/pkg/server/debug/server.go +++ b/services/antivirus/pkg/server/debug/server.go @@ -10,6 +10,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -18,9 +19,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)). WithCheck("antivirus reachability", func(ctx context.Context) error { cfg := options.Config switch cfg.Scanner.Type { diff --git a/services/audit/pkg/server/debug/server.go b/services/audit/pkg/server/debug/server.go index eb0f31b16c..0fb247d718 100644 --- a/services/audit/pkg/server/debug/server.go +++ b/services/audit/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/clientlog/pkg/server/debug/server.go b/services/clientlog/pkg/server/debug/server.go index eb0f31b16c..0fb247d718 100644 --- a/services/clientlog/pkg/server/debug/server.go +++ b/services/clientlog/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/collaboration/pkg/command/server.go b/services/collaboration/pkg/command/server.go index afbd1ebf7f..2eeb48c0b5 100644 --- a/services/collaboration/pkg/command/server.go +++ b/services/collaboration/pkg/command/server.go @@ -101,6 +101,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Store.Database), microstore.Table(cfg.Store.Table), store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), + store.TLSEnabled(cfg.Store.EnableTLS), + store.TLSInsecure(cfg.Store.TLSInsecure), + store.TLSRootCA(cfg.Store.TLSRootCACertificate), ) gr := runner.NewGroup() diff --git a/services/collaboration/pkg/config/store.go b/services/collaboration/pkg/config/store.go index ab2f5e4e2e..5386fa43f5 100644 --- a/services/collaboration/pkg/config/store.go +++ b/services/collaboration/pkg/config/store.go @@ -4,11 +4,14 @@ import "time" // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;COLLABORATION_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;COLLABORATION_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"COLLABORATION_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"COLLABORATION_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;COLLABORATION_STORE_TTL" desc:"Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;COLLABORATION_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;COLLABORATION_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;COLLABORATION_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;COLLABORATION_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"COLLABORATION_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"COLLABORATION_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;COLLABORATION_STORE_TTL" desc:"Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;COLLABORATION_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;COLLABORATION_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;COLLABORATION_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;COLLABORATION_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;COLLABORATION_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided COLLABORATION_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/eventhistory/pkg/command/server.go b/services/eventhistory/pkg/command/server.go index d3612fc251..84d7f3d7b2 100644 --- a/services/eventhistory/pkg/command/server.go +++ b/services/eventhistory/pkg/command/server.go @@ -71,6 +71,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Store.Database), microstore.Table(cfg.Store.Table), store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), + store.TLSEnabled(cfg.Store.EnableTLS), + store.TLSInsecure(cfg.Store.TLSInsecure), + store.TLSRootCA(cfg.Store.TLSRootCACertificate), ) service := grpc.NewService( diff --git a/services/eventhistory/pkg/config/config.go b/services/eventhistory/pkg/config/config.go index 5b93e5f2ed..e0b20253bd 100644 --- a/services/eventhistory/pkg/config/config.go +++ b/services/eventhistory/pkg/config/config.go @@ -36,13 +36,16 @@ type GRPCConfig struct { // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;EVENTHISTORY_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;EVENTHISTORY_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"EVENTHISTORY_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"EVENTHISTORY_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;EVENTHISTORY_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;EVENTHISTORY_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;EVENTHISTORY_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;EVENTHISTORY_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;EVENTHISTORY_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"EVENTHISTORY_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"EVENTHISTORY_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;EVENTHISTORY_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;EVENTHISTORY_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;EVENTHISTORY_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;EVENTHISTORY_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;EVENTHISTORY_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;EVENTHISTORY_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided EVENTHISTORY_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // Events combines the configuration options for the event bus. diff --git a/services/eventhistory/pkg/server/debug/server.go b/services/eventhistory/pkg/server/debug/server.go index 57a232dd05..664ff2558a 100644 --- a/services/eventhistory/pkg/server/debug/server.go +++ b/services/eventhistory/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/frontend/pkg/config/config.go b/services/frontend/pkg/config/config.go index 96a475fb5c..5077b6d849 100644 --- a/services/frontend/pkg/config/config.go +++ b/services/frontend/pkg/config/config.go @@ -121,18 +121,21 @@ type DataGateway struct { } type OCS struct { - Prefix string `yaml:"prefix" env:"FRONTEND_OCS_PREFIX" desc:"URL path prefix for the OCS service. Note that the string must not start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - SharePrefix string `yaml:"share_prefix" env:"FRONTEND_OCS_SHARE_PREFIX" desc:"Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - HomeNamespace string `yaml:"home_namespace" env:"FRONTEND_OCS_PERSONAL_NAMESPACE" desc:"Home namespace identifier." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - AdditionalInfoAttribute string `yaml:"additional_info_attribute" env:"FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE" desc:"Additional information attribute for the user like {{.Mail}}." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - StatCacheType string `yaml:"stat_cache_type" env:"OC_CACHE_STORE;FRONTEND_OCS_STAT_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated" deprecationReplacement:""` - StatCacheNodes []string `yaml:"stat_cache_nodes" env:"OC_CACHE_STORE_NODES;FRONTEND_OCS_STAT_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated" deprecationReplacement:""` - StatCacheDatabase string `yaml:"stat_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - StatCacheTable string `yaml:"stat_cache_table" env:"FRONTEND_OCS_STAT_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - StatCacheTTL time.Duration `yaml:"stat_cache_ttl" env:"OC_CACHE_TTL;FRONTEND_OCS_STAT_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated" deprecationReplacement:""` - StatCacheDisablePersistence bool `yaml:"stat_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE" desc:"Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated" deprecationReplacement:""` - StatCacheAuthUsername string `yaml:"stat_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated" deprecationReplacement:""` - StatCacheAuthPassword string `yaml:"stat_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated" deprecationReplacement:""` + Prefix string `yaml:"prefix" env:"FRONTEND_OCS_PREFIX" desc:"URL path prefix for the OCS service. Note that the string must not start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + SharePrefix string `yaml:"share_prefix" env:"FRONTEND_OCS_SHARE_PREFIX" desc:"Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + HomeNamespace string `yaml:"home_namespace" env:"FRONTEND_OCS_PERSONAL_NAMESPACE" desc:"Home namespace identifier." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + AdditionalInfoAttribute string `yaml:"additional_info_attribute" env:"FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE" desc:"Additional information attribute for the user like {{.Mail}}." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + StatCacheType string `yaml:"stat_cache_type" env:"OC_CACHE_STORE;FRONTEND_OCS_STAT_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated" deprecationReplacement:""` + StatCacheNodes []string `yaml:"stat_cache_nodes" env:"OC_CACHE_STORE_NODES;FRONTEND_OCS_STAT_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated" deprecationReplacement:""` + StatCacheDatabase string `yaml:"stat_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + StatCacheTable string `yaml:"stat_cache_table" env:"FRONTEND_OCS_STAT_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + StatCacheTTL time.Duration `yaml:"stat_cache_ttl" env:"OC_CACHE_TTL;FRONTEND_OCS_STAT_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated" deprecationReplacement:""` + StatCacheDisablePersistence bool `yaml:"stat_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE" desc:"Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated" deprecationReplacement:""` + StatCacheAuthUsername string `yaml:"stat_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated" deprecationReplacement:""` + StatCacheAuthPassword string `yaml:"stat_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated" deprecationReplacement:""` + StatCacheEnableTLS bool `yaml:"stat_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;FRONTEND_OCS_STAT_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + StatCacheTLSInsecure bool `yaml:"stat_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;FRONTEND_OCS_STAT_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + StatCacheTLSRootCACertificate string `yaml:"stat_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;FRONTEND_OCS_STAT_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided FRONTEND_OCS_STAT_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` CacheWarmupDriver string `yaml:"cache_warmup_driver,omitempty"` // not supported by the OpenCloud product, therefore not part of docs CacheWarmupDrivers CacheWarmupDrivers `yaml:"cache_warmup_drivers,omitempty"` // not supported by the OpenCloud product, therefore not part of docs diff --git a/services/frontend/pkg/revaconfig/config.go b/services/frontend/pkg/revaconfig/config.go index faa7d3b42d..7c86a5b5d2 100644 --- a/services/frontend/pkg/revaconfig/config.go +++ b/services/frontend/pkg/revaconfig/config.go @@ -164,14 +164,17 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string "share_prefix": cfg.OCS.SharePrefix, "home_namespace": cfg.OCS.HomeNamespace, "stat_cache_config": map[string]any{ - "cache_store": cfg.OCS.StatCacheType, - "cache_nodes": cfg.OCS.StatCacheNodes, - "cache_database": cfg.OCS.StatCacheDatabase, - "cache_table": cfg.OCS.StatCacheTable, - "cache_ttl": cfg.OCS.StatCacheTTL, - "cache_disable_persistence": cfg.OCS.StatCacheDisablePersistence, - "cache_auth_username": cfg.OCS.StatCacheAuthUsername, - "cache_auth_password": cfg.OCS.StatCacheAuthPassword, + "cache_store": cfg.OCS.StatCacheType, + "cache_nodes": cfg.OCS.StatCacheNodes, + "cache_database": cfg.OCS.StatCacheDatabase, + "cache_table": cfg.OCS.StatCacheTable, + "cache_ttl": cfg.OCS.StatCacheTTL, + "cache_disable_persistence": cfg.OCS.StatCacheDisablePersistence, + "cache_auth_username": cfg.OCS.StatCacheAuthUsername, + "cache_auth_password": cfg.OCS.StatCacheAuthPassword, + "cache_tls_enabled": cfg.OCS.StatCacheEnableTLS, + "cache_tls_insecure": cfg.OCS.StatCacheTLSInsecure, + "cache_tls_root_ca_certificate": cfg.OCS.StatCacheTLSRootCACertificate, }, "prefix": cfg.OCS.Prefix, "additional_info_attribute": cfg.OCS.AdditionalInfoAttribute, diff --git a/services/frontend/pkg/server/debug/server.go b/services/frontend/pkg/server/debug/server.go index afdc2bc6aa..47a6f84555 100644 --- a/services/frontend/pkg/server/debug/server.go +++ b/services/frontend/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/gateway/pkg/config/config.go b/services/gateway/pkg/config/config.go index 4e1ad995e5..fb10a4cce2 100644 --- a/services/gateway/pkg/config/config.go +++ b/services/gateway/pkg/config/config.go @@ -84,11 +84,18 @@ type Cache struct { ProviderCacheDisablePersistence bool `yaml:"provider_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` ProviderCacheAuthUsername string `yaml:"provider_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_PROVIDER_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` ProviderCacheAuthPassword string `yaml:"provider_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - CreateHomeCacheStore string `yaml:"create_home_cache_store" env:"OC_CACHE_STORE;GATEWAY_CREATE_HOME_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - CreateHomeCacheNodes []string `yaml:"create_home_cache_nodes" env:"OC_CACHE_STORE_NODES;GATEWAY_CREATE_HOME_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - CreateHomeCacheDatabase string `yaml:"create_home_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - CreateHomeCacheTTL time.Duration `yaml:"create_home_cache_ttl" env:"OC_CACHE_TTL;GATEWAY_CREATE_HOME_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - CreateHomeCacheDisablePersistence bool `yaml:"create_home_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - CreateHomeCacheAuthUsername string `yaml:"create_home_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - CreateHomeCacheAuthPassword string `yaml:"create_home_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + ProviderCacheEnableTLS bool `yaml:"provider_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;GATEWAY_PROVIDER_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + ProviderCacheTLSInsecure bool `yaml:"provider_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GATEWAY_PROVIDER_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + ProviderCacheTLSRootCACertificate string `yaml:"provider_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GATEWAY_PROVIDER_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_PROVIDER_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` + + CreateHomeCacheStore string `yaml:"create_home_cache_store" env:"OC_CACHE_STORE;GATEWAY_CREATE_HOME_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + CreateHomeCacheNodes []string `yaml:"create_home_cache_nodes" env:"OC_CACHE_STORE_NODES;GATEWAY_CREATE_HOME_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + CreateHomeCacheDatabase string `yaml:"create_home_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + CreateHomeCacheTTL time.Duration `yaml:"create_home_cache_ttl" env:"OC_CACHE_TTL;GATEWAY_CREATE_HOME_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + CreateHomeCacheDisablePersistence bool `yaml:"create_home_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + CreateHomeCacheAuthUsername string `yaml:"create_home_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + CreateHomeCacheAuthPassword string `yaml:"create_home_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + CreateHomeCacheEnableTLS bool `yaml:"create_home_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;GATEWAY_CREATE_HOME_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + CreateHomeCacheTLSInsecure bool `yaml:"create_home_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + CreateHomeCacheTLSRootCACertificate string `yaml:"create_home_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GATEWAY_CREATE_HOME_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/gateway/pkg/revaconfig/config.go b/services/gateway/pkg/revaconfig/config.go index 55790fe3b6..97ce19dfa2 100644 --- a/services/gateway/pkg/revaconfig/config.go +++ b/services/gateway/pkg/revaconfig/config.go @@ -45,15 +45,15 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]a "groupprovidersvc": cfg.GroupsEndpoint, "permissionssvc": cfg.PermissionsEndpoint, // sharing is located on the sharing service - "usershareprovidersvc": cfg.SharingEndpoint, - "publicshareprovidersvc": cfg.SharingEndpoint, - "ocmshareprovidersvc": cfg.OCMEndpoint, - "ocminvitemanagersvc": cfg.OCMEndpoint, - "ocmproviderauthorizersvc": cfg.OCMEndpoint, - "ocmcoresvc": cfg.OCMEndpoint, + "usershareprovidersvc": cfg.SharingEndpoint, + "publicshareprovidersvc": cfg.SharingEndpoint, + "ocmshareprovidersvc": cfg.OCMEndpoint, + "ocminvitemanagersvc": cfg.OCMEndpoint, + "ocmproviderauthorizersvc": cfg.OCMEndpoint, + "ocmcoresvc": cfg.OCMEndpoint, "use_common_space_root_share_logic": true, - "commit_share_to_storage_grant": cfg.CommitShareToStorageGrant, - "share_folder": cfg.ShareFolder, // ShareFolder is the location where to create shares in the recipient's storage provider. + "commit_share_to_storage_grant": cfg.CommitShareToStorageGrant, + "share_folder": cfg.ShareFolder, // ShareFolder is the location where to create shares in the recipient's storage provider. // other "disable_home_creation_on_login": cfg.DisableHomeCreationOnLogin, "datagateway": strings.TrimRight(cfg.FrontendPublicURL, "/") + "/data", @@ -71,14 +71,17 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]a "cache_auth_password": cfg.Cache.ProviderCacheAuthPassword, }, "create_personal_space_cache_config": map[string]any{ - "cache_store": cfg.Cache.CreateHomeCacheStore, - "cache_nodes": cfg.Cache.CreateHomeCacheNodes, - "cache_database": cfg.Cache.CreateHomeCacheDatabase, - "cache_table": "create_personal_space", - "cache_ttl": cfg.Cache.CreateHomeCacheTTL, - "cache_disable_persistence": cfg.Cache.CreateHomeCacheDisablePersistence, - "cache_auth_username": cfg.Cache.CreateHomeCacheAuthUsername, - "cache_auth_password": cfg.Cache.CreateHomeCacheAuthPassword, + "cache_store": cfg.Cache.CreateHomeCacheStore, + "cache_nodes": cfg.Cache.CreateHomeCacheNodes, + "cache_database": cfg.Cache.CreateHomeCacheDatabase, + "cache_table": "create_personal_space", + "cache_ttl": cfg.Cache.CreateHomeCacheTTL, + "cache_disable_persistence": cfg.Cache.CreateHomeCacheDisablePersistence, + "cache_auth_username": cfg.Cache.CreateHomeCacheAuthUsername, + "cache_auth_password": cfg.Cache.CreateHomeCacheAuthPassword, + "cache_tls_enabled": cfg.Cache.CreateHomeCacheEnableTLS, + "cache_tls_insecure": cfg.Cache.CreateHomeCacheTLSInsecure, + "cache_tls_root_ca_certificate": cfg.Cache.CreateHomeCacheTLSRootCACertificate, }, }, "authregistry": map[string]any{ diff --git a/services/gateway/pkg/server/debug/server.go b/services/gateway/pkg/server/debug/server.go index 9827c3e9b2..1bf19e49b6 100644 --- a/services/gateway/pkg/server/debug/server.go +++ b/services/gateway/pkg/server/debug/server.go @@ -18,6 +18,7 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("nats reachability", func(ctx context.Context) error { if options.Config.Cache.ProviderCacheStore == "nats-js-kv" && len(options.Config.Cache.ProviderCacheNodes) > 0 { + // no secureOption because we cannot yet configure tls for the cache store return checks.NewNatsCheck(options.Config.Cache.ProviderCacheNodes[0])(ctx) } return nil diff --git a/services/graph/pkg/command/server.go b/services/graph/pkg/command/server.go index 5d4dadbe17..b8cdc7f977 100644 --- a/services/graph/pkg/command/server.go +++ b/services/graph/pkg/command/server.go @@ -4,9 +4,11 @@ import ( "context" "fmt" "os/signal" + "strings" "github.com/opencloud-eu/opencloud/pkg/config/configlog" "github.com/opencloud-eu/opencloud/pkg/log" + natspkg "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/runner" "github.com/opencloud-eu/opencloud/pkg/tracing" "github.com/opencloud-eu/opencloud/pkg/version" @@ -50,13 +52,9 @@ func Server(cfg *config.Config) *cobra.Command { var kv jetstream.KeyValue // Allow to run without a NATS store (e.g. for the standalone Education provisioning service) if len(cfg.Store.Nodes) > 0 { - //Connect to NATS servers - natsOptions := nats.Options{ - Servers: cfg.Store.Nodes, - User: cfg.Store.AuthUsername, - Password: cfg.Store.AuthPassword, - } - conn, err := natsOptions.Connect() + // Connect to NATS servers + secureOption := natspkg.Secure(cfg.Store.EnableTLS, cfg.Store.TLSInsecure, cfg.Store.TLSRootCACertificate) + conn, err := nats.Connect(strings.Join(cfg.Store.Nodes, ","), secureOption, nats.UserInfo(cfg.Store.AuthUsername, cfg.Store.AuthPassword)) if err != nil { return err } diff --git a/services/graph/pkg/config/cache.go b/services/graph/pkg/config/cache.go index a5e638185f..ee24675524 100644 --- a/services/graph/pkg/config/cache.go +++ b/services/graph/pkg/config/cache.go @@ -4,12 +4,15 @@ import "time" // Cache defines the available configuration for a cache store type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;GRAPH_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;GRAPH_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"GRAPH_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"GRAPH_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;GRAPH_CACHE_TTL" desc:"Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GRAPH_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;GRAPH_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;GRAPH_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;GRAPH_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;GRAPH_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"GRAPH_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"GRAPH_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;GRAPH_CACHE_TTL" desc:"Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GRAPH_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;GRAPH_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;GRAPH_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;GRAPH_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GRAPH_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GRAPH_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/graph/pkg/config/config.go b/services/graph/pkg/config/config.go index 51571c4607..ea8c1c665e 100644 --- a/services/graph/pkg/config/config.go +++ b/services/graph/pkg/config/config.go @@ -172,8 +172,11 @@ type Metadata struct { // Store configures the store to use type Store struct { - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;GRAPH_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"GRAPH_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;GRAPH_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;GRAPH_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;GRAPH_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"GRAPH_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;GRAPH_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;GRAPH_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;GRAPH_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;GRAPH_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;GRAPH_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/graph/pkg/server/debug/server.go b/services/graph/pkg/server/debug/server.go index 100c7987cd..83e3dbb0f1 100644 --- a/services/graph/pkg/server/debug/server.go +++ b/services/graph/pkg/server/debug/server.go @@ -6,6 +6,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -32,8 +33,13 @@ func Server(opts ...Option) (*http.Server, error) { // only check nats if really needed if options.Config.Events.Endpoint != "" { + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration = readyHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) } return debug.NewService( diff --git a/services/nats/pkg/server/debug/server.go b/services/nats/pkg/server/debug/server.go index 5939241662..c44c941289 100644 --- a/services/nats/pkg/server/debug/server.go +++ b/services/nats/pkg/server/debug/server.go @@ -6,6 +6,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -14,12 +15,17 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Nats.EnableTLS, + options.Config.Nats.TLSSkipVerifyClientCert, + options.Config.Nats.TLSCert, + ) // For nats readiness and liveness checks are identical // the nats server will neither be healthy nor ready when it can not reach the nats server/cluster checkHandler := handlers.NewCheckHandler( handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Nats.Host+":"+strconv.Itoa(options.Config.Nats.Port))), + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Nats.Host+":"+strconv.Itoa(options.Config.Nats.Port), secureOption)), ) return debug.NewService( diff --git a/services/notifications/pkg/command/server.go b/services/notifications/pkg/command/server.go index e512286a6a..3bec9a15f8 100644 --- a/services/notifications/pkg/command/server.go +++ b/services/notifications/pkg/command/server.go @@ -130,6 +130,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Store.Database), microstore.Table(cfg.Store.Table), store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), + store.TLSEnabled(cfg.Store.EnableTLS), + store.TLSInsecure(cfg.Store.TLSInsecure), + store.TLSRootCA(cfg.Store.TLSRootCACertificate), ) svc := service.NewEventsNotifier(evts, channel, logger, gatewaySelector, valueService, diff --git a/services/notifications/pkg/config/config.go b/services/notifications/pkg/config/config.go index 5206eae5ff..84550c13c1 100644 --- a/services/notifications/pkg/config/config.go +++ b/services/notifications/pkg/config/config.go @@ -70,11 +70,14 @@ type ServiceAccount struct { // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;NOTIFICATIONS_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;NOTIFICATIONS_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"NOTIFICATIONS_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"NOTIFICATIONS_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;NOTIFICATIONS_STORE_TTL" desc:"Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;NOTIFICATIONS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;NOTIFICATIONS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;NOTIFICATIONS_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;NOTIFICATIONS_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"NOTIFICATIONS_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"NOTIFICATIONS_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;NOTIFICATIONS_STORE_TTL" desc:"Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;NOTIFICATIONS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;NOTIFICATIONS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;NOTIFICATIONS_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;NOTIFICATIONS_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;NOTIFICATIONS_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/notifications/pkg/server/debug/server.go b/services/notifications/pkg/server/debug/server.go index bc9fb202dc..99b75a57e6 100644 --- a/services/notifications/pkg/server/debug/server.go +++ b/services/notifications/pkg/server/debug/server.go @@ -6,6 +6,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -14,9 +15,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Notifications.Events.EnableTLS, + options.Config.Notifications.Events.TLSInsecure, + options.Config.Notifications.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Notifications.Events.Endpoint)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Notifications.Events.Endpoint, secureOption)). WithCheck("smtp-check", checks.NewTCPCheck(options.Config.Notifications.SMTP.Host+":"+strconv.Itoa(options.Config.Notifications.SMTP.Port))) return debug.NewService( diff --git a/services/ocm/pkg/revaconfig/config.go b/services/ocm/pkg/revaconfig/config.go index 46fcb7f3a7..cdc562d7a4 100644 --- a/services/ocm/pkg/revaconfig/config.go +++ b/services/ocm/pkg/revaconfig/config.go @@ -81,6 +81,7 @@ func OCMConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]any { "events": map[string]any{ "natsaddress": cfg.Events.Endpoint, "natsclusterid": cfg.Events.Cluster, + "enabletls": cfg.Events.EnableTLS, "tlsinsecure": cfg.Events.TLSInsecure, "tlsrootcacertificate": cfg.Events.TLSRootCACertificate, "authusername": cfg.Events.AuthUsername, diff --git a/services/ocm/pkg/server/debug/server.go b/services/ocm/pkg/server/debug/server.go index cb738fcd21..492224d24e 100644 --- a/services/ocm/pkg/server/debug/server.go +++ b/services/ocm/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) return debug.NewService( diff --git a/services/ocs/pkg/config/config.go b/services/ocs/pkg/config/config.go index bbfbe587e3..732382ccd9 100644 --- a/services/ocs/pkg/config/config.go +++ b/services/ocs/pkg/config/config.go @@ -31,9 +31,12 @@ type Config struct { // SigningKeys is a store configuration. type SigningKeys struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/ocs/pkg/server/debug/server.go b/services/ocs/pkg/server/debug/server.go index 848a6032ef..c428bb5f1d 100644 --- a/services/ocs/pkg/server/debug/server.go +++ b/services/ocs/pkg/server/debug/server.go @@ -21,6 +21,7 @@ func Server(opts ...Option) (*http.Server, error) { readyHandlerConfiguration := healthHandlerConfiguration. WithCheck("nats reachability", func(ctx context.Context) error { if len(options.Config.SigningKeys.Nodes) > 0 { + // no secureOption because we cannot configure it return checks.NewNatsCheck(options.Config.SigningKeys.Nodes[0])(ctx) } return nil diff --git a/services/ocs/pkg/server/http/server.go b/services/ocs/pkg/server/http/server.go index 0f9a50a465..74c42b43c4 100644 --- a/services/ocs/pkg/server/http/server.go +++ b/services/ocs/pkg/server/http/server.go @@ -44,6 +44,9 @@ func Server(opts ...Option) (http.Service, error) { microstore.Database("proxy"), microstore.Table("signing-keys"), store.Authentication(options.Config.SigningKeys.AuthUsername, options.Config.SigningKeys.AuthPassword), + store.TLSEnabled(options.Config.SigningKeys.EnableTLS), + store.TLSInsecure(options.Config.SigningKeys.TLSInsecure), + store.TLSRootCA(options.Config.SigningKeys.TLSRootCACertificate), ) handle := svc.NewService( diff --git a/services/policies/pkg/server/debug/server.go b/services/policies/pkg/server/debug/server.go index 57a232dd05..664ff2558a 100644 --- a/services/policies/pkg/server/debug/server.go +++ b/services/policies/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/postprocessing/pkg/command/server.go b/services/postprocessing/pkg/command/server.go index c80e00f9f2..738a493f81 100644 --- a/services/postprocessing/pkg/command/server.go +++ b/services/postprocessing/pkg/command/server.go @@ -56,6 +56,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Store.Database), microstore.Table(cfg.Store.Table), store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), + store.TLSEnabled(cfg.Store.EnableTLS), + store.TLSInsecure(cfg.Store.TLSInsecure), + store.TLSRootCA(cfg.Store.TLSRootCACertificate), ) svc, err := service.NewPostprocessingService(ctx, logger, st, traceProvider, cfg) diff --git a/services/postprocessing/pkg/config/config.go b/services/postprocessing/pkg/config/config.go index 858f6e5148..d6a28c4581 100644 --- a/services/postprocessing/pkg/config/config.go +++ b/services/postprocessing/pkg/config/config.go @@ -59,11 +59,14 @@ type Debug struct { // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;POSTPROCESSING_STORE" desc:"The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;POSTPROCESSING_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"POSTPROCESSING_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"POSTPROCESSING_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;POSTPROCESSING_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;POSTPROCESSING_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;POSTPROCESSING_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;POSTPROCESSING_STORE" desc:"The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;POSTPROCESSING_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"POSTPROCESSING_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"POSTPROCESSING_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;POSTPROCESSING_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;POSTPROCESSING_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;POSTPROCESSING_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;POSTPROCESSING_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;POSTPROCESSING_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;POSTPROCESSING_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/postprocessing/pkg/server/debug/server.go b/services/postprocessing/pkg/server/debug/server.go index e512688d1d..b0d0050cec 100644 --- a/services/postprocessing/pkg/server/debug/server.go +++ b/services/postprocessing/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Postprocessing.Events.EnableTLS, + options.Config.Postprocessing.Events.TLSInsecure, + options.Config.Postprocessing.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Postprocessing.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Postprocessing.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go index 01e485733c..3c0406671e 100644 --- a/services/proxy/pkg/command/server.go +++ b/services/proxy/pkg/command/server.go @@ -66,6 +66,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Table(cfg.OIDC.UserinfoCache.Table), store.DisablePersistence(cfg.OIDC.UserinfoCache.DisablePersistence), store.Authentication(cfg.OIDC.UserinfoCache.AuthUsername, cfg.OIDC.UserinfoCache.AuthPassword), + store.TLSEnabled(cfg.OIDC.UserinfoCache.EnableTLS), + store.TLSInsecure(cfg.OIDC.UserinfoCache.TLSInsecure), + store.TLSRootCA(cfg.OIDC.UserinfoCache.TLSRootCACertificate), ) signingKeyStore := store.Create( @@ -76,6 +79,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Table("signing-keys"), store.DisablePersistence(cfg.PreSignedURL.SigningKeys.DisablePersistence), store.Authentication(cfg.PreSignedURL.SigningKeys.AuthUsername, cfg.PreSignedURL.SigningKeys.AuthPassword), + store.TLSEnabled(cfg.PreSignedURL.SigningKeys.EnableTLS), + store.TLSInsecure(cfg.PreSignedURL.SigningKeys.TLSInsecure), + store.TLSRootCA(cfg.PreSignedURL.SigningKeys.TLSRootCACertificate), ) logger := log.Configure(cfg.Service.Name, cfg.Commons, cfg.LogLevel) diff --git a/services/proxy/pkg/config/config.go b/services/proxy/pkg/config/config.go index cdaa3e81e7..efa4a9886f 100644 --- a/services/proxy/pkg/config/config.go +++ b/services/proxy/pkg/config/config.go @@ -132,14 +132,17 @@ type JWKS struct { // Cache is a TTL cache configuration. type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_OIDC_USERINFO_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_OIDC_USERINFO_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"PROXY_OIDC_USERINFO_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_OIDC_USERINFO_CACHE_TTL" desc:"Default time to live for user info in the user info cache. This value is only applied when the token expiration cannot be extracted from the access tokens (e.g. when non-JWT access tokes are used). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_OIDC_USERINFO_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_OIDC_USERINFO_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"PROXY_OIDC_USERINFO_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_OIDC_USERINFO_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;PROXY_OIDC_USERINFO_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;PROXY_OIDC_USERINFO_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // RoleAssignment contains the configuration for how to assign roles to users during login @@ -189,12 +192,15 @@ type PreSignedURL struct { // SigningKeys is a store configuration. type SigningKeys struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE" desc:"Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE" desc:"Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // ClaimsSelectorConf is the config for the claims-selector diff --git a/services/proxy/pkg/server/debug/server.go b/services/proxy/pkg/server/debug/server.go index 2a76c506d4..1420ee0226 100644 --- a/services/proxy/pkg/server/debug/server.go +++ b/services/proxy/pkg/server/debug/server.go @@ -8,6 +8,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" "github.com/opencloud-eu/opencloud/services/proxy/pkg/config" @@ -21,8 +22,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) var configDumpFunc http.HandlerFunc = configDump(options.Config) return debug.NewService( diff --git a/services/search/pkg/server/debug/server.go b/services/search/pkg/server/debug/server.go index 49d087cf58..2aae46e07c 100644 --- a/services/search/pkg/server/debug/server.go +++ b/services/search/pkg/server/debug/server.go @@ -7,6 +7,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -19,8 +20,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)). WithCheck("tika-check", func(ctx context.Context) error { if options.Config.Extractor.Type == "tika" { u, err := url.Parse(options.Config.Extractor.Tika.TikaURL) diff --git a/services/settings/pkg/config/config.go b/services/settings/pkg/config/config.go index d4ba71e3c4..607c14fd69 100644 --- a/services/settings/pkg/config/config.go +++ b/services/settings/pkg/config/config.go @@ -55,13 +55,16 @@ type Metadata struct { // Cache configures the cache of the Metadata store type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;SETTINGS_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;SETTINGS_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - FileTable string `yaml:"files_table" env:"SETTINGS_FILE_CACHE_TABLE" desc:"The database table the store should use for the file cache." introductionVersion:"1.0.0"` - DirectoryTable string `yaml:"directories_table" env:"SETTINGS_DIRECTORY_CACHE_TABLE" desc:"The database table the store should use for the directory cache." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;SETTINGS_CACHE_TTL" desc:"Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;SETTINGS_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;SETTINGS_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;SETTINGS_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;SETTINGS_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;SETTINGS_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + FileTable string `yaml:"files_table" env:"SETTINGS_FILE_CACHE_TABLE" desc:"The database table the store should use for the file cache." introductionVersion:"1.0.0"` + DirectoryTable string `yaml:"directories_table" env:"SETTINGS_DIRECTORY_CACHE_TABLE" desc:"The database table the store should use for the directory cache." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;SETTINGS_CACHE_TTL" desc:"Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;SETTINGS_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;SETTINGS_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;SETTINGS_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;SETTINGS_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;SETTINGS_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;SETTINGS_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SETTINGS_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/settings/pkg/store/metadata/cache.go b/services/settings/pkg/store/metadata/cache.go index bdd632eb29..e7b55c5c9e 100644 --- a/services/settings/pkg/store/metadata/cache.go +++ b/services/settings/pkg/store/metadata/cache.go @@ -140,6 +140,9 @@ func (c *CachedMDC) Init(ctx context.Context, id string) error { microstore.Table(c.cfg.Metadata.Cache.DirectoryTable), store.DisablePersistence(c.cfg.Metadata.Cache.DisablePersistence), store.Authentication(c.cfg.Metadata.Cache.AuthUsername, c.cfg.Metadata.Cache.AuthPassword), + store.TLSEnabled(c.cfg.Metadata.Cache.EnableTLS), + store.TLSInsecure(c.cfg.Metadata.Cache.TLSInsecure), + store.TLSRootCA(c.cfg.Metadata.Cache.TLSRootCACertificate), ) c.filesCache = store.Create( store.Store(c.cfg.Metadata.Cache.Store), @@ -149,6 +152,9 @@ func (c *CachedMDC) Init(ctx context.Context, id string) error { microstore.Table(c.cfg.Metadata.Cache.FileTable), store.DisablePersistence(c.cfg.Metadata.Cache.DisablePersistence), store.Authentication(c.cfg.Metadata.Cache.AuthUsername, c.cfg.Metadata.Cache.AuthPassword), + store.TLSEnabled(c.cfg.Metadata.Cache.EnableTLS), + store.TLSInsecure(c.cfg.Metadata.Cache.TLSInsecure), + store.TLSRootCA(c.cfg.Metadata.Cache.TLSRootCACertificate), ) return c.next.Init(ctx, id) } diff --git a/services/sharing/pkg/config/config.go b/services/sharing/pkg/config/config.go index 8f76ff81a8..e376e07f36 100644 --- a/services/sharing/pkg/config/config.go +++ b/services/sharing/pkg/config/config.go @@ -155,6 +155,7 @@ type Events struct { EnableTLS bool `yaml:"enable_tls" env:"OC_EVENTS_ENABLE_TLS;SHARING_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"` AuthUsername string `yaml:"auth_username" env:"OC_EVENTS_AUTH_USERNAME;SHARING_EVENTS_AUTH_USERNAME" desc:"Username for the events broker." introductionVersion:"1.0.0"` AuthPassword string `yaml:"auth_password" env:"OC_EVENTS_AUTH_PASSWORD;SHARING_EVENTS_AUTH_PASSWORD" desc:"Password for the events broker." introductionVersion:"1.0.0"` + // TODO use TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false." introductionVersion:"1.0.0"` } // PasswordPolicy configures reva password policy diff --git a/services/sharing/pkg/revaconfig/config.go b/services/sharing/pkg/revaconfig/config.go index b7244e37b8..278d4359c3 100644 --- a/services/sharing/pkg/revaconfig/config.go +++ b/services/sharing/pkg/revaconfig/config.go @@ -83,6 +83,7 @@ func SharingConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string] "events": map[string]any{ "natsaddress": cfg.Events.Addr, "natsclusterid": cfg.Events.ClusterID, + "enabletls": cfg.Events.EnableTLS, "tlsinsecure": cfg.Events.TLSInsecure, "tlsrootcacertificate": cfg.Events.TLSRootCaCertPath, "authusername": cfg.Events.AuthUsername, diff --git a/services/sharing/pkg/server/debug/server.go b/services/sharing/pkg/server/debug/server.go index 1c5f26ae30..c1cfbcfe7c 100644 --- a/services/sharing/pkg/server/debug/server.go +++ b/services/sharing/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCaCertPath, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr, secureOption)). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) return debug.NewService( diff --git a/services/sse/pkg/server/debug/server.go b/services/sse/pkg/server/debug/server.go index 83e14bcecb..26e785c319 100644 --- a/services/sse/pkg/server/debug/server.go +++ b/services/sse/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/storage-system/pkg/config/config.go b/services/storage-system/pkg/config/config.go index 98f2ef0c82..261b2f3376 100644 --- a/services/storage-system/pkg/config/config.go +++ b/services/storage-system/pkg/config/config.go @@ -77,11 +77,14 @@ type DecomposedDriver struct { // Cache holds cache config type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_SYSTEM_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_SYSTEM_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_SYSTEM_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_SYSTEM_CACHE_AUTH_USERNAME" desc:"Username for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_SYSTEM_CACHE_AUTH_PASSWORD" desc:"Password for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_SYSTEM_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_SYSTEM_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_SYSTEM_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_SYSTEM_CACHE_AUTH_USERNAME" desc:"Username for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_SYSTEM_CACHE_AUTH_PASSWORD" desc:"Password for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;STORAGE_SYSTEM_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;STORAGE_SYSTEM_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;STORAGE_SYSTEM_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_SYSTEM_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/storage-system/pkg/revaconfig/config.go b/services/storage-system/pkg/revaconfig/config.go index a18413f5db..fbdcf0ceea 100644 --- a/services/storage-system/pkg/revaconfig/config.go +++ b/services/storage-system/pkg/revaconfig/config.go @@ -165,13 +165,16 @@ func metadataDrivers(localEndpoint string, cfg *config.Config) map[string]any { "cache_database": "system", }, "filemetadatacache": map[string]any{ - "cache_store": cfg.FileMetadataCache.Store, - "cache_nodes": cfg.FileMetadataCache.Nodes, - "cache_database": cfg.FileMetadataCache.Database, - "cache_ttl": cfg.FileMetadataCache.TTL, - "cache_disable_persistence": cfg.FileMetadataCache.DisablePersistence, - "cache_auth_username": cfg.FileMetadataCache.AuthUsername, - "cache_auth_password": cfg.FileMetadataCache.AuthPassword, + "cache_store": cfg.FileMetadataCache.Store, + "cache_nodes": cfg.FileMetadataCache.Nodes, + "cache_database": cfg.FileMetadataCache.Database, + "cache_ttl": cfg.FileMetadataCache.TTL, + "cache_disable_persistence": cfg.FileMetadataCache.DisablePersistence, + "cache_auth_username": cfg.FileMetadataCache.AuthUsername, + "cache_auth_password": cfg.FileMetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FileMetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FileMetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FileMetadataCache.TLSRootCACertificate, }, } diff --git a/services/storage-users/pkg/config/config.go b/services/storage-users/pkg/config/config.go index dae6d371bc..3c363cb18d 100644 --- a/services/storage-users/pkg/config/config.go +++ b/services/storage-users/pkg/config/config.go @@ -223,27 +223,35 @@ type Events struct { NumConsumers int `yaml:"num_consumers" env:"STORAGE_USERS_EVENTS_NUM_CONSUMERS" desc:"The amount of concurrent event consumers to start. Event consumers are used for post-processing files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands. The setting has no effect when the OC_ASYNC_UPLOADS is set to false. The default and minimum value is 1." introductionVersion:"1.0.0"` AuthUsername string `yaml:"username" env:"OC_EVENTS_AUTH_USERNAME;STORAGE_USERS_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"` AuthPassword string `yaml:"password" env:"OC_EVENTS_AUTH_PASSWORD;STORAGE_USERS_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"` + // TODO use TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false." introductionVersion:"1.0.0"` } // FilemetadataCache holds cache config type FilemetadataCache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_FILEMETADATA_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_USERS_FILEMETADATA_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_FILEMETADATA_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE;STORAGE_USERS_FILEMETADATA_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_USERS_FILEMETADATA_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;STORAGE_USERS_FILEMETADATA_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_FILEMETADATA_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // IDCache holds cache config type IDCache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_ID_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_ID_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_ID_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_ID_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_ID_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_ID_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_USERS_ID_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens have no expiration. Defaults to 300s which is derived from the underlaying package though not explicitly set as default. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_ID_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_ID_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;STORAGE_USERS_ID_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;STORAGE_USERS_ID_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_ID_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_ID_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // EOSDriver is the storage driver configuration when using 'eos' storage driver diff --git a/services/storage-users/pkg/revaconfig/drivers.go b/services/storage-users/pkg/revaconfig/drivers.go index 01c3cc7101..03e57f6041 100644 --- a/services/storage-users/pkg/revaconfig/drivers.go +++ b/services/storage-users/pkg/revaconfig/drivers.go @@ -109,21 +109,28 @@ func Posix(cfg *config.Config, enableFSScan, enableFSWatch bool) map[string]any "lock_cycle_duration_factor": cfg.Drivers.Posix.LockCycleDurationFactor, "max_concurrency": cfg.Drivers.Posix.MaxConcurrency, "idcache": map[string]any{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, "filemetadatacache": map[string]any{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "events": map[string]any{ "numconsumers": cfg.Events.NumConsumers, @@ -205,21 +212,28 @@ func Decomposed(cfg *config.Config) map[string]any { "disable_versioning": cfg.Drivers.Decomposed.DisableVersioning, "multi_tenant_enabled": cfg.Commons.MultiTenantEnabled, "filemetadatacache": map[string]any{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "idcache": map[string]any{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, "events": map[string]any{ "numconsumers": cfg.Events.NumConsumers, @@ -259,21 +273,28 @@ func DecomposedNoEvents(cfg *config.Config) map[string]any { "disable_versioning": cfg.Drivers.Decomposed.DisableVersioning, "multi_tenant_enabled": cfg.Commons.MultiTenantEnabled, "filemetadatacache": map[string]any{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "idcache": map[string]any{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, } } @@ -315,21 +336,28 @@ func DecomposedS3(cfg *config.Config) map[string]any { "multi_tenant_enabled": cfg.Commons.MultiTenantEnabled, "asyncfileuploads": cfg.Drivers.DecomposedS3.AsyncUploads, "filemetadatacache": map[string]any{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "idcache": map[string]any{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, "events": map[string]any{ "numconsumers": cfg.Events.NumConsumers, @@ -373,21 +401,28 @@ func DecomposedS3NoEvents(cfg *config.Config) map[string]any { "multi_tenant_enabled": cfg.Commons.MultiTenantEnabled, "lock_cycle_duration_factor": cfg.Drivers.DecomposedS3.LockCycleDurationFactor, "filemetadatacache": map[string]any{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "idcache": map[string]any{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, } } diff --git a/services/storage-users/pkg/server/debug/server.go b/services/storage-users/pkg/server/debug/server.go index 33a7b8e8fc..9c22609340 100644 --- a/services/storage-users/pkg/server/debug/server.go +++ b/services/storage-users/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCaCertPath, + ) readyHandler := handlers.NewCheckHandler(handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr, secureOption)). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)), ) diff --git a/services/userlog/pkg/command/server.go b/services/userlog/pkg/command/server.go index 445bb6810e..0a7c9587f9 100644 --- a/services/userlog/pkg/command/server.go +++ b/services/userlog/pkg/command/server.go @@ -92,6 +92,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Persistence.Database), microstore.Table(cfg.Persistence.Table), store.Authentication(cfg.Persistence.AuthUsername, cfg.Persistence.AuthPassword), + store.TLSEnabled(cfg.Persistence.EnableTLS), + store.TLSInsecure(cfg.Persistence.TLSInsecure), + store.TLSRootCA(cfg.Persistence.TLSRootCACertificate), ) tm, err := pool.StringToTLSMode(cfg.GRPCClientTLS.Mode) diff --git a/services/userlog/pkg/config/config.go b/services/userlog/pkg/config/config.go index ff2d440e09..73860fa340 100644 --- a/services/userlog/pkg/config/config.go +++ b/services/userlog/pkg/config/config.go @@ -39,13 +39,16 @@ type Config struct { // Persistence configures the store to use type Persistence struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;USERLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;USERLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"USERLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"USERLOG_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;USERLOG_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;USERLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;USERLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;USERLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;USERLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"USERLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"USERLOG_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;USERLOG_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;USERLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;USERLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;USERLOG_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;USERLOG_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;USERLOG_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided USERLOG_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // Events combines the configuration options for the event bus. diff --git a/services/userlog/pkg/server/debug/server.go b/services/userlog/pkg/server/debug/server.go index 83e14bcecb..26e785c319 100644 --- a/services/userlog/pkg/server/debug/server.go +++ b/services/userlog/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), From 7eb08af8aebf9c92b48895e980f5cd434cf931ed Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Thu, 11 Jun 2026 14:31:44 +0200 Subject: [PATCH 2/8] fix(graph): translate sharing roles consitently GetRoleDefinition/s does now handle l10n correctly. Previsouly it just returned the non-localized string. What made things worse was that ListPermissions() mutated global list of available roles and replaced some strings with translated values depending on the `accept-language` header. Which resulted in GetRoleDefinition returning results in mixed localization depending on who/what called ListPermissions before. Fixes: #2800 (cherry picked from commit d163c8ed29d46c0c70b343079dfedbb081fa73d9) Backports: https://github.com/opencloud-eu/opencloud/pull/2935 --- .../service/v0/api_driveitem_permissions.go | 31 +--- .../graph/pkg/service/v0/rolemanagement.go | 9 +- .../pkg/service/v0/rolemanagement_test.go | 170 ++++++++++++++++++ services/graph/pkg/unifiedrole/roles.go | 44 ++++- services/graph/pkg/unifiedrole/roles_test.go | 82 +++++++++ 5 files changed, 307 insertions(+), 29 deletions(-) create mode 100644 services/graph/pkg/service/v0/rolemanagement_test.go diff --git a/services/graph/pkg/service/v0/api_driveitem_permissions.go b/services/graph/pkg/service/v0/api_driveitem_permissions.go index 70ee8c236d..63d9ec49af 100644 --- a/services/graph/pkg/service/v0/api_driveitem_permissions.go +++ b/services/graph/pkg/service/v0/api_driveitem_permissions.go @@ -22,7 +22,6 @@ import ( "github.com/go-chi/chi/v5" "github.com/go-chi/render" libregraph "github.com/opencloud-eu/libre-graph-api-go" - revactx "github.com/opencloud-eu/reva/v2/pkg/ctx" "github.com/opencloud-eu/reva/v2/pkg/publicshare" "github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool" @@ -30,16 +29,14 @@ import ( "github.com/opencloud-eu/reva/v2/pkg/storagespace" "github.com/opencloud-eu/reva/v2/pkg/utils" - "github.com/opencloud-eu/opencloud/pkg/l10n" - l10n_pkg "github.com/opencloud-eu/opencloud/services/graph/pkg/l10n" - "github.com/opencloud-eu/opencloud/services/graph/pkg/odata" - "github.com/opencloud-eu/opencloud/pkg/conversions" + "github.com/opencloud-eu/opencloud/pkg/l10n" "github.com/opencloud-eu/opencloud/pkg/log" "github.com/opencloud-eu/opencloud/services/graph/pkg/config" "github.com/opencloud-eu/opencloud/services/graph/pkg/errorcode" "github.com/opencloud-eu/opencloud/services/graph/pkg/identity" "github.com/opencloud-eu/opencloud/services/graph/pkg/identity/cache" + "github.com/opencloud-eu/opencloud/services/graph/pkg/odata" "github.com/opencloud-eu/opencloud/services/graph/pkg/unifiedrole" "github.com/opencloud-eu/opencloud/services/graph/pkg/validate" ) @@ -755,16 +752,8 @@ func (api DriveItemPermissionsApi) ListPermissions(w http.ResponseWriter, r *htt loc := r.Header.Get(l10n.HeaderAcceptLanguage) w.Header().Add("Content-Language", loc) - if loc != "" && loc != "en" { - err := l10n_pkg.TranslateEntity(loc, "en", permissions, - l10n.TranslateEach("LibreGraphPermissionsRolesAllowedValues", - l10n.TranslateField("Description"), - l10n.TranslateField("DisplayName"), - ), - ) - if err != nil { - api.logger.Error().Err(err).Msg("tranlation error") - } + for i := range permissions.LibreGraphPermissionsRolesAllowedValues { + permissions.LibreGraphPermissionsRolesAllowedValues[i] = unifiedrole.LocalizeRole(&permissions.LibreGraphPermissionsRolesAllowedValues[i], loc) } render.Status(r, http.StatusOK) @@ -806,16 +795,8 @@ func (api DriveItemPermissionsApi) ListSpaceRootPermissions(w http.ResponseWrite loc := r.Header.Get(l10n.HeaderAcceptLanguage) w.Header().Add("Content-Language", loc) - if loc != "" && loc != "en" { - err := l10n_pkg.TranslateEntity(loc, "en", permissions, - l10n.TranslateEach("LibreGraphPermissionsRolesAllowedValues", - l10n.TranslateField("Description"), - l10n.TranslateField("DisplayName"), - ), - ) - if err != nil { - api.logger.Error().Err(err).Msg("tranlation error") - } + for i := range permissions.LibreGraphPermissionsRolesAllowedValues { + permissions.LibreGraphPermissionsRolesAllowedValues[i] = unifiedrole.LocalizeRole(&permissions.LibreGraphPermissionsRolesAllowedValues[i], loc) } render.Status(r, http.StatusOK) diff --git a/services/graph/pkg/service/v0/rolemanagement.go b/services/graph/pkg/service/v0/rolemanagement.go index d5121e7140..0755d18c67 100644 --- a/services/graph/pkg/service/v0/rolemanagement.go +++ b/services/graph/pkg/service/v0/rolemanagement.go @@ -7,14 +7,17 @@ import ( "github.com/go-chi/chi/v5" "github.com/go-chi/render" + "github.com/opencloud-eu/opencloud/pkg/l10n" "github.com/opencloud-eu/opencloud/services/graph/pkg/errorcode" "github.com/opencloud-eu/opencloud/services/graph/pkg/unifiedrole" ) // GetRoleDefinitions a list of permission roles than can be used when sharing with users or groups func (g Graph) GetRoleDefinitions(w http.ResponseWriter, r *http.Request) { + loc := r.Header.Get(l10n.HeaderAcceptLanguage) + w.Header().Add("Content-Language", loc) render.Status(r, http.StatusOK) - render.JSON(w, r, g.availableRoles) + render.JSON(w, r, unifiedrole.LocalizeRoles(g.availableRoles, loc)) } // GetRoleDefinition a permission role than can be used when sharing with users or groups @@ -32,6 +35,8 @@ func (g Graph) GetRoleDefinition(w http.ResponseWriter, r *http.Request) { errorcode.ItemNotFound.Render(w, r, http.StatusNotFound, err.Error()) return } + loc := r.Header.Get(l10n.HeaderAcceptLanguage) + w.Header().Add("Content-Language", loc) render.Status(r, http.StatusOK) - render.JSON(w, r, role) + render.JSON(w, r, unifiedrole.LocalizeRole(role, loc)) } diff --git a/services/graph/pkg/service/v0/rolemanagement_test.go b/services/graph/pkg/service/v0/rolemanagement_test.go new file mode 100644 index 0000000000..fcb77f7c6b --- /dev/null +++ b/services/graph/pkg/service/v0/rolemanagement_test.go @@ -0,0 +1,170 @@ +package svc_test + +import ( + "context" + "encoding/json" + "net/http" + "net/http/httptest" + + gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1" + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + libregraph "github.com/opencloud-eu/libre-graph-api-go" + "github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool" + cs3mocks "github.com/opencloud-eu/reva/v2/tests/cs3mocks/mocks" + "google.golang.org/grpc" + + "github.com/opencloud-eu/opencloud/pkg/shared" + "github.com/opencloud-eu/opencloud/services/graph/mocks" + "github.com/opencloud-eu/opencloud/services/graph/pkg/config" + "github.com/opencloud-eu/opencloud/services/graph/pkg/config/defaults" + service "github.com/opencloud-eu/opencloud/services/graph/pkg/service/v0" + "github.com/opencloud-eu/opencloud/services/graph/pkg/unifiedrole" +) + +var _ = Describe("RoleManagement", func() { + var ( + svc service.Service + gatewayClient *cs3mocks.GatewayAPIClient + gatewaySelector pool.Selectable[gateway.GatewayAPIClient] + eventsPublisher mocks.Publisher + permSvc mocks.Permissions + cfg *config.Config + rr *httptest.ResponseRecorder + ctx context.Context + ) + + BeforeEach(func() { + rr = httptest.NewRecorder() + ctx = context.Background() + + cfg = defaults.FullDefaultConfig() + cfg.Identity.LDAP.CACert = "" + cfg.TokenManager.JWTSecret = "loremipsum" + cfg.Commons = &shared.Commons{} + cfg.GRPCClientTLS = &shared.GRPCClientTLS{} + + pool.RemoveSelector("GatewaySelector" + "eu.opencloud.api.gateway") + gatewayClient = &cs3mocks.GatewayAPIClient{} + gatewaySelector = pool.GetSelector[gateway.GatewayAPIClient]( + "GatewaySelector", + "eu.opencloud.api.gateway", + func(cc grpc.ClientConnInterface) gateway.GatewayAPIClient { + return gatewayClient + }, + ) + eventsPublisher = mocks.Publisher{} + permSvc = mocks.Permissions{} + + var err error + svc, err = service.NewService( + service.Config(cfg), + service.WithGatewaySelector(gatewaySelector), + service.EventsPublisher(&eventsPublisher), + service.PermissionService(&permSvc), + ) + Expect(err).ToNot(HaveOccurred()) + }) + + Describe("GetRoleDefinitions", func() { + It("returns all available roles in English when no Accept-Language is set", func() { + r := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions", nil) + r = r.WithContext(ctx) + svc.ServeHTTP(rr, r) + + Expect(rr.Code).To(Equal(http.StatusOK)) + + var roles []libregraph.UnifiedRoleDefinition + Expect(json.Unmarshal(rr.Body.Bytes(), &roles)).To(Succeed()) + Expect(roles).NotTo(BeEmpty()) + + viewer := findRoleByID(roles, unifiedrole.UnifiedRoleViewerID) + Expect(viewer).NotTo(BeNil()) + Expect(viewer.GetDisplayName()).To(Equal("Can view")) + }) + + It("returns translated roles when Accept-Language is German", func() { + r := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions", nil) + r.Header.Set("Accept-Language", "de") + r = r.WithContext(ctx) + svc.ServeHTTP(rr, r) + + Expect(rr.Code).To(Equal(http.StatusOK)) + Expect(rr.Header().Get("Content-Language")).To(Equal("de")) + + var roles []libregraph.UnifiedRoleDefinition + Expect(json.Unmarshal(rr.Body.Bytes(), &roles)).To(Succeed()) + + viewer := findRoleByID(roles, unifiedrole.UnifiedRoleViewerID) + Expect(viewer).NotTo(BeNil()) + Expect(viewer.GetDisplayName()).To(Equal("Kann anzeigen")) + Expect(viewer.GetDescription()).To(Equal("Ansehen und herunterladen.")) + }) + + It("does not mutate the global buildInRoles after a German request", func() { + r := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions", nil) + r.Header.Set("Accept-Language", "de") + r = r.WithContext(ctx) + svc.ServeHTTP(rr, r) + Expect(rr.Code).To(Equal(http.StatusOK)) + + // A second request without a locale must still return English + rr2 := httptest.NewRecorder() + r2 := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions", nil) + r2 = r2.WithContext(ctx) + svc.ServeHTTP(rr2, r2) + Expect(rr2.Code).To(Equal(http.StatusOK)) + + var roles []libregraph.UnifiedRoleDefinition + Expect(json.Unmarshal(rr2.Body.Bytes(), &roles)).To(Succeed()) + viewer := findRoleByID(roles, unifiedrole.UnifiedRoleViewerID) + Expect(viewer).NotTo(BeNil()) + Expect(viewer.GetDisplayName()).To(Equal("Can view")) + }) + }) + + Describe("GetRoleDefinition", func() { + It("returns a single role in English when no Accept-Language is set", func() { + r := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions/"+unifiedrole.UnifiedRoleViewerID, nil) + r = r.WithContext(ctx) + svc.ServeHTTP(rr, r) + + Expect(rr.Code).To(Equal(http.StatusOK)) + var role libregraph.UnifiedRoleDefinition + Expect(json.Unmarshal(rr.Body.Bytes(), &role)).To(Succeed()) + Expect(role.GetDisplayName()).To(Equal("Can view")) + }) + + It("returns a single role translated when Accept-Language is German", func() { + r := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions/"+unifiedrole.UnifiedRoleViewerID, nil) + r.Header.Set("Accept-Language", "de") + r = r.WithContext(ctx) + svc.ServeHTTP(rr, r) + + Expect(rr.Code).To(Equal(http.StatusOK)) + Expect(rr.Header().Get("Content-Language")).To(Equal("de")) + var role libregraph.UnifiedRoleDefinition + Expect(json.Unmarshal(rr.Body.Bytes(), &role)).To(Succeed()) + Expect(role.GetDisplayName()).To(Equal("Kann anzeigen")) + Expect(role.GetDescription()).To(Equal("Ansehen und herunterladen.")) + }) + + It("returns 404 for an unknown roleID", func() { + r := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions/unknown-role-id", nil) + r = r.WithContext(ctx) + svc.ServeHTTP(rr, r) + + Expect(rr.Code).To(Equal(http.StatusNotFound)) + }) + }) +}) + +// findRoleByID returns the first role with the given ID from the slice, or nil. +func findRoleByID(roles []libregraph.UnifiedRoleDefinition, id string) *libregraph.UnifiedRoleDefinition { + for i := range roles { + if roles[i].GetId() == id { + return &roles[i] + } + } + return nil +} diff --git a/services/graph/pkg/unifiedrole/roles.go b/services/graph/pkg/unifiedrole/roles.go index 5b866e70ef..b076aef28e 100644 --- a/services/graph/pkg/unifiedrole/roles.go +++ b/services/graph/pkg/unifiedrole/roles.go @@ -6,11 +6,11 @@ import ( "strings" libregraph "github.com/opencloud-eu/libre-graph-api-go" + "github.com/opencloud-eu/reva/v2/pkg/conversions" "google.golang.org/protobuf/proto" - "github.com/opencloud-eu/reva/v2/pkg/conversions" - "github.com/opencloud-eu/opencloud/pkg/l10n" + graphl10n "github.com/opencloud-eu/opencloud/services/graph/pkg/l10n" ) const ( @@ -546,6 +546,46 @@ func weightRoles(roleSet []*libregraph.UnifiedRoleDefinition, constraints string return roleSet } +// cloneRole returns a shallow struct copy of r with independent allocations for +// the Description and DisplayName pointer fields — the only fields mutated by +// TranslateEntity. All other fields (Id, LibreGraphWeight, RolePermissions) are +// either read-only or stripped before rendering, so sharing their values is safe. +func cloneRole(r *libregraph.UnifiedRoleDefinition) libregraph.UnifiedRoleDefinition { + c := *r + if r.Description != nil { + s := *r.Description + c.Description = &s + } + if r.DisplayName != nil { + s := *r.DisplayName + c.DisplayName = &s + } + return c +} + +// LocalizeRole returns a translated, independent copy of a single role definition. +// The global buildInRoles singleton is never modified. +func LocalizeRole(r *libregraph.UnifiedRoleDefinition, locale string) libregraph.UnifiedRoleDefinition { + c := cloneRole(r) + if locale != "" && locale != "en" { + _ = graphl10n.TranslateEntity(locale, "en", &c, + l10n.TranslateField("Description"), + l10n.TranslateField("DisplayName"), + ) + } + return c +} + +// LocalizeRoles returns a translated, independent copy of each role definition. +// The global buildInRoles singleton is never modified. +func LocalizeRoles(roles []*libregraph.UnifiedRoleDefinition, locale string) []libregraph.UnifiedRoleDefinition { + out := make([]libregraph.UnifiedRoleDefinition, len(roles)) + for i, r := range roles { + out[i] = LocalizeRole(r, locale) + } + return out +} + // GetAllowedResourceActions returns the allowed resource actions for the provided role by condition func GetAllowedResourceActions(role *libregraph.UnifiedRoleDefinition, condition string) []string { if role == nil { diff --git a/services/graph/pkg/unifiedrole/roles_test.go b/services/graph/pkg/unifiedrole/roles_test.go index aae4733a4a..104e5660e6 100644 --- a/services/graph/pkg/unifiedrole/roles_test.go +++ b/services/graph/pkg/unifiedrole/roles_test.go @@ -2,6 +2,7 @@ package unifiedrole_test import ( "slices" + "sync" "testing" . "github.com/onsi/gomega" @@ -267,3 +268,84 @@ func TestGetAllowedResourceActions(t *testing.T) { }) } } + +func TestLocalizeRole_English(t *testing.T) { + g := NewWithT(t) + original := unifiedrole.RoleViewer + + result := unifiedrole.LocalizeRole(original, "en") + + // Strings are unchanged for English + g.Expect(result.GetDisplayName()).To(Equal(original.GetDisplayName())) + g.Expect(result.GetDescription()).To(Equal(original.GetDescription())) + + // Result is an independent copy — mutating it must not touch the global + translated := "mutated" + result.DisplayName = &translated + g.Expect(original.GetDisplayName()).NotTo(Equal("mutated")) +} + +func TestLocalizeRole_German(t *testing.T) { + g := NewWithT(t) + original := unifiedrole.RoleViewer + + result := unifiedrole.LocalizeRole(original, "de") + + g.Expect(result.GetDisplayName()).To(Equal("Kann anzeigen")) + g.Expect(result.GetDescription()).To(Equal("Ansehen und herunterladen.")) + + // Global singleton must be untouched + g.Expect(original.GetDisplayName()).NotTo(Equal("Kann anzeigen")) + g.Expect(original.GetDescription()).NotTo(Equal("Ansehen und herunterladen.")) +} + +func TestLocalizeRole_EmptyLocale(t *testing.T) { + g := NewWithT(t) + original := unifiedrole.RoleViewer + + result := unifiedrole.LocalizeRole(original, "") + + // Empty locale falls back to source strings + g.Expect(result.GetDisplayName()).To(Equal(original.GetDisplayName())) + g.Expect(result.GetDescription()).To(Equal(original.GetDescription())) +} + +func TestLocalizeRoles_German(t *testing.T) { + g := NewWithT(t) + roles := unifiedrole.BuildInRoles + + results := unifiedrole.LocalizeRoles(roles, "de") + + g.Expect(results).To(HaveLen(len(roles))) + + // Every result is a value (not a pointer) + for i, r := range results { + // Id is preserved + g.Expect(r.GetId()).To(Equal(roles[i].GetId())) + // Global singleton is not mutated + g.Expect(roles[i].GetDisplayName()).NotTo(Equal(r.GetDisplayName()), + "global displayName for role %s was mutated", r.GetId()) + } +} + +func TestLocalizeRole_ConcurrentCallsDoNotRace(t *testing.T) { + // Run with -race to detect data races on the global buildInRoles strings. + const goroutines = 20 + var wg sync.WaitGroup + wg.Add(goroutines) + for i := 0; i < goroutines; i++ { + locale := "de" + if i%2 == 0 { + locale = "fr" + } + go func(loc string) { + defer wg.Done() + _ = unifiedrole.LocalizeRoles(unifiedrole.BuildInRoles, loc) + }(locale) + } + wg.Wait() + + // After all concurrent translations the globals must still hold English strings + g := NewWithT(t) + g.Expect(unifiedrole.RoleViewer.GetDisplayName()).To(Equal("Can view")) +} From 6ce5943e0710f4bdae14faa77fa7b04d0d65eb80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Duffeck?= Date: Fri, 12 Jun 2026 15:13:32 +0200 Subject: [PATCH 3/8] Do not choke on users that weren't cleaned up yet (cherry picked from commit 92e6c8f3ff2327376164d632feecac353d6a6503) Backports: https://github.com/opencloud-eu/opencloud/pull/2944 --- tests/acceptance/bootstrap/GraphContext.php | 4 +- tests/acceptance/bootstrap/Provisioning.php | 126 ++++++++++++-------- 2 files changed, 77 insertions(+), 53 deletions(-) diff --git a/tests/acceptance/bootstrap/GraphContext.php b/tests/acceptance/bootstrap/GraphContext.php index 49782fa137..cf350be6be 100644 --- a/tests/acceptance/bootstrap/GraphContext.php +++ b/tests/acceptance/bootstrap/GraphContext.php @@ -287,9 +287,7 @@ class GraphContext implements Context { public function adminDeletesUserUsingTheGraphApi(string $user, ?string $byUser = null): ?ResponseInterface { $credentials = $this->getAdminOrUserCredentials($byUser); $userId = $this->featureContext->getAttributeOfCreatedUser($user, 'id'); - if ($userId === null) { - throw new \RuntimeException("Cannot delete user '$user': no userId found"); - } + $userId = $userId ?: $user; return GraphHelper::deleteUserByUserId( $this->featureContext->getBaseUrl(), $this->featureContext->getStepLineRef(), diff --git a/tests/acceptance/bootstrap/Provisioning.php b/tests/acceptance/bootstrap/Provisioning.php index 00a8cc26c8..b50ccf1f4e 100644 --- a/tests/acceptance/bootstrap/Provisioning.php +++ b/tests/acceptance/bootstrap/Provisioning.php @@ -469,6 +469,80 @@ trait Provisioning { $this->ldapCreatedUsers[] = $setting["userid"]; } + /** + * Creates a user through the Graph API and replaces a stale existing user if needed. + * + * @param string $userName + * @param string $password + * @param string|null $email + * @param string|null $displayName + * @param string|null $byUser + * + * @return string + * @throws Exception|GuzzleException + */ + private function createGraphUserWithReplacement( + string $userName, + string $password, + ?string $email, + ?string $displayName, + ?string $byUser = null + ): string { + $userName = $this->getActualUsername($userName); + $userName = \trim($userName); + if ($displayName === null) { + $displayName = $this->getDisplayNameForUser($userName); + if ($displayName === null) { + $displayName = $this->getDisplayNameForUser('regularuser'); + } + } + if ($email === null) { + $email = $this->getEmailAddressForUser($userName); + if ($email === null) { + $email = \str_replace(["@", " "], "", $userName) . '@opencloud.eu'; + } + } + $reqUser = $byUser ? $this->getActualUsername($byUser) : $this->getAdminUsername(); + $response = GraphHelper::createUser( + $this->getBaseUrl(), + $this->getStepLineRef(), + $reqUser, + $this->getPasswordForUser($reqUser), + $userName, + $password, + $email, + $displayName, + ); + + if ($response->getStatusCode() === 409) { + $responseBody = $this->getJsonDecodedResponse($response); + if (($responseBody['error']['code'] ?? null) === 'nameAlreadyExists') { + $deleteResponse = $this->deleteUser($userName); + $this->theHTTPStatusCodeShouldBe(204, "", $deleteResponse); + + $response = GraphHelper::createUser( + $this->getBaseUrl(), + $this->getStepLineRef(), + $reqUser, + $this->getPasswordForUser($reqUser), + $userName, + $password, + $email, + $displayName, + ); + } + } + + Assert::assertEquals( + 201, + $response->getStatusCode(), + __METHOD__ . " cannot create user '$userName'.\nResponse:" . + json_encode($this->getJsonDecodedResponse($response)) + ); + + return (string)$this->getJsonDecodedResponse($response)['id']; + } + /** * @param string $group group name * @@ -581,37 +655,7 @@ trait Provisioning { ); } } else { - // Use the same logic as userHasBeenCreated for email generation - if ($email === null) { - $email = $this->getEmailAddressForUser($userName); - if ($email === null) { - // escape @ & space if present in userId - $email = \str_replace(["@", " "], "", $userName) . '@opencloud.eu'; - } - } - - $userName = $this->getActualUsername($userName); - $userName = \trim($userName); - - $response = GraphHelper::createUser( - $this->getBaseUrl(), - $this->getStepLineRef(), - $this->getAdminUsername(), - $this->getAdminPassword(), - $userName, - $password, - $email, - $displayName, - ); - - Assert::assertEquals( - 201, - $response->getStatusCode(), - __METHOD__ . " cannot create user '$userName'.\nResponse:" . - json_encode($this->getJsonDecodedResponse($response)) - ); - - $userId = $this->getJsonDecodedResponse($response)['id']; + $userId = $this->createGraphUserWithReplacement($userName, $password, $email, $displayName); } $this->addUserToCreatedUsersList($userName, $password, $displayName, $email, $userId ?? null); @@ -1069,24 +1113,7 @@ trait Provisioning { ); } } else { - $reqUser = $byUser ? $this->getActualUsername($byUser) : $this->getAdminUsername(); - $response = GraphHelper::createUser( - $this->getBaseUrl(), - $this->getStepLineRef(), - $reqUser, - $this->getPasswordForUser($reqUser), - $user, - $password, - $email, - $displayName, - ); - Assert::assertEquals( - 201, - $response->getStatusCode(), - __METHOD__ . " cannot create user '$user'.\nResponse:" . - json_encode($this->getJsonDecodedResponse($response)) - ); - $userId = $this->getJsonDecodedResponse($response)['id']; + $userId = $this->createGraphUserWithReplacement($user, $password, $email, $displayName, $byUser); } $this->addUserToCreatedUsersList($user, $password, $displayName, $email, $userId); @@ -1709,7 +1736,6 @@ trait Provisioning { $this->ocsApiVersion ); } else { - // users can be deleted using the username in the GraphApi too $response = $this->graphContext->adminDeletesUserUsingTheGraphApi($user); } return $response; From 3f83cbc524558b591e112308dcec49d1f2fe9041 Mon Sep 17 00:00:00 2001 From: Christian Richter Date: Mon, 15 Jun 2026 09:46:59 +0200 Subject: [PATCH 4/8] change error level for trashing items interaction with search Signed-off-by: Christian Richter (cherry picked from commit faf3ff19596aca582055c6a04dcc74bc3312398e) Backports: https://github.com/opencloud-eu/opencloud/pull/2951 --- services/search/pkg/search/service.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/search/pkg/search/service.go b/services/search/pkg/search/service.go index 980f332572..a13ccd3b3b 100644 --- a/services/search/pkg/search/service.go +++ b/services/search/pkg/search/service.go @@ -535,7 +535,7 @@ func (s *Service) IndexSpace(spaceID *provider.StorageSpaceId, forceRescan bool) // TrashItem marks the item as deleted. func (s *Service) TrashItem(rID *provider.ResourceId) { if err := s.engine.Delete(storagespace.FormatResourceID(rID)); err != nil { - s.logger.Error().Err(err).Interface("Id", rID).Msg("failed to remove item from index") + s.logger.Info().Err(err).Interface("Id", rID).Msg("failed to remove item from index") } } From 7143dc9cba38fcee3cdfedda591f57c01a59a504 Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Thu, 18 Jun 2026 11:34:37 +0200 Subject: [PATCH 5/8] Revert "fix: disallow thumbnails for tiff and jpeg2000 images" The alpine base images now has a fixed libvips. So we can enable previews for these formats again. This reverts commit c40629dd8532d94861506bd2597557c24c6c9bcf. (cherry picked from commit fab1986fb6e86f6f24185ab758d1872862738709) Backports: https://github.com/opencloud-eu/opencloud/pull/2973 --- services/thumbnails/pkg/thumbnail/mimetypes_vips.go | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/services/thumbnails/pkg/thumbnail/mimetypes_vips.go b/services/thumbnails/pkg/thumbnail/mimetypes_vips.go index 597d2e742e..b94fafafaf 100644 --- a/services/thumbnails/pkg/thumbnail/mimetypes_vips.go +++ b/services/thumbnails/pkg/thumbnail/mimetypes_vips.go @@ -2,15 +2,6 @@ package thumbnail -import "github.com/davidbyttow/govips/v2/vips" - -func init() { - // temporary remove TIFF and JP2K from go-vips' list of supported - // imagetypes - delete(vips.ImageTypes, vips.ImageTypeTIFF) - delete(vips.ImageTypes, vips.ImageTypeJP2K) -} - var ( // SupportedMimeTypes contains an all mimetypes which are supported by the thumbnailer. SupportedMimeTypes = map[string]struct{}{ @@ -20,6 +11,7 @@ var ( "image/gif": {}, "image/bmp": {}, "image/x-ms-bmp": {}, + "image/tiff": {}, "text/plain": {}, "audio/flac": {}, "audio/mpeg": {}, From 569e630fe0d60d298d34ddd921ca3603522dde21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Duffeck?= Date: Thu, 18 Jun 2026 15:05:49 +0200 Subject: [PATCH 6/8] Handle events asynchronously That should help to keep up with the stream of messages and prevent services from being flagged as slow consumers. (cherry picked from commit 06365d97397a889cd60d06d549a15ce843e2d77c) Backports: #2974 --- services/clientlog/pkg/service/service.go | 3 ++- services/sse/pkg/service/service.go | 22 ++++++++++++---------- services/userlog/pkg/service/service.go | 2 +- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/services/clientlog/pkg/service/service.go b/services/clientlog/pkg/service/service.go index 2cdeccbea7..b0f5a30c23 100644 --- a/services/clientlog/pkg/service/service.go +++ b/services/clientlog/pkg/service/service.go @@ -83,7 +83,8 @@ EventLoop: if !ok { break EventLoop } - cl.processEvent(event) + + go cl.processEvent(event) if cl.stopped.Load() { break EventLoop diff --git a/services/sse/pkg/service/service.go b/services/sse/pkg/service/service.go index 97a211e215..b4b9b26fbf 100644 --- a/services/sse/pkg/service/service.go +++ b/services/sse/pkg/service/service.go @@ -49,17 +49,19 @@ func (s SSE) ServeHTTP(w http.ResponseWriter, r *http.Request) { // ListenForEvents listens for events func (s SSE) ListenForEvents() { for e := range s.evChannel { - switch ev := e.Event.(type) { - default: - s.l.Error().Interface("event", ev).Msg("unhandled event") - case events.SendSSE: - for _, uid := range ev.UserIDs { - s.sse.Publish(uid, &sse.Event{ - Event: []byte(ev.Type), - Data: ev.Message, - }) + go func() { + switch ev := e.Event.(type) { + default: + s.l.Error().Interface("event", ev).Msg("unhandled event") + case events.SendSSE: + for _, uid := range ev.UserIDs { + s.sse.Publish(uid, &sse.Event{ + Event: []byte(ev.Type), + Data: ev.Message, + }) + } } - } + }() } } diff --git a/services/userlog/pkg/service/service.go b/services/userlog/pkg/service/service.go index b58538aad7..eca49890be 100644 --- a/services/userlog/pkg/service/service.go +++ b/services/userlog/pkg/service/service.go @@ -101,7 +101,7 @@ func (ul *UserlogService) MemorizeEvents(ch <-chan events.Event) { for i := 0; i < ul.cfg.MaxConcurrency; i++ { go func(ch <-chan events.Event) { for event := range ch { - ul.processEvent(event) + go ul.processEvent(event) } }(ch) } From c24b6f1c3362d4aa315a53ed7e3ae83deab89a24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Duffeck?= Date: Fri, 19 Jun 2026 11:05:17 +0200 Subject: [PATCH 7/8] Do not try to create personal spaces for lightweight or service users This fixes error logs like RR error when calling Createhome error="gateway: grpc failed with code CODE_INVALID_ARGUMENT" line=github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/create_home.go:87 service=proxy e.g. during internal requests to the data provider. (cherry picked from commit 1ea634e6e350d6fdb5f1eff8c4221485888ff8bc) Backports: https://github.com/opencloud-eu/opencloud/pull/2978 --- services/proxy/pkg/middleware/create_home.go | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/services/proxy/pkg/middleware/create_home.go b/services/proxy/pkg/middleware/create_home.go index bb329ab75a..9979367367 100644 --- a/services/proxy/pkg/middleware/create_home.go +++ b/services/proxy/pkg/middleware/create_home.go @@ -11,6 +11,7 @@ import ( provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" "github.com/opencloud-eu/opencloud/pkg/log" "github.com/opencloud-eu/opencloud/services/graph/pkg/errorcode" + "github.com/opencloud-eu/opencloud/services/proxy/pkg/router" revactx "github.com/opencloud-eu/reva/v2/pkg/ctx" "github.com/opencloud-eu/reva/v2/pkg/rgrpc/status" "github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool" @@ -48,9 +49,13 @@ func (m createHome) ServeHTTP(w http.ResponseWriter, req *http.Request) { ctx, span := m.tracer.Start(req.Context(), fmt.Sprintf("%s %s", req.Method, req.URL.Path), trace.WithSpanKind(trace.SpanKindServer)) req = req.WithContext(ctx) defer span.End() - if !m.shouldServe(req) { + next := func() { span.End() m.next.ServeHTTP(w, req) + } + + if !m.shouldServe(req) { + next() return } @@ -63,6 +68,10 @@ func (m createHome) ServeHTTP(w http.ResponseWriter, req *http.Request) { createHomeReq := &provider.CreateHomeRequest{} u, ok := revactx.ContextGetUser(ctx) if ok { + if u.GetId().GetType() == userv1beta1.UserType_USER_TYPE_LIGHTWEIGHT || u.GetId().GetType() == userv1beta1.UserType_USER_TYPE_SERVICE { + next() + return + } roleIDs, err := m.getUserRoles(u) if err != nil { m.logger.Error().Err(err).Str("userid", u.Id.OpaqueId).Msg("failed to get roles for user") @@ -88,12 +97,12 @@ func (m createHome) ServeHTTP(w http.ResponseWriter, req *http.Request) { } } } - span.End() - m.next.ServeHTTP(w, req) + next() } func (m createHome) shouldServe(req *http.Request) bool { - return req.Header.Get(revactx.TokenHeader) != "" + ri := router.ContextRoutingInfo(req.Context()) + return req.Header.Get(revactx.TokenHeader) != "" && !ri.IsRouteUnprotected() } func (m createHome) getUserRoles(user *userv1beta1.User) ([]string, error) { From cd99a6fd44d6e24bd7f6421e3282b37b198fa4c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Duffeck?= Date: Fri, 19 Jun 2026 12:37:40 +0200 Subject: [PATCH 8/8] Extend the posixfs consistency command to fix name attr mismatches (cherry picked from commit cadd02ce2952fea5ca0cbaa7512b13bfa36a0783) Backports: https://github.com/opencloud-eu/opencloud/pull/2980 --- opencloud/pkg/command/posixfs.go | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/opencloud/pkg/command/posixfs.go b/opencloud/pkg/command/posixfs.go index d0218ecf75..de40a093cc 100644 --- a/opencloud/pkg/command/posixfs.go +++ b/opencloud/pkg/command/posixfs.go @@ -31,6 +31,7 @@ import ( const ( parentIDAttrName = "user.oc.parentid" idAttrName = "user.oc.id" + nameAttrName = "user.oc.name" spaceIDAttrName = "user.oc.space.id" ownerIDAttrName = "user.oc.owner.id" ) @@ -292,7 +293,7 @@ func checkSpaceID(spacePath string) { } } -func walkParentIDs(dir string, parentID string) int { +func walkNodes(dir string, parentID string) int { fixes := 0 entries, err := os.ReadDir(dir) if err != nil { @@ -307,6 +308,7 @@ func walkParentIDs(dir string, parentID string) int { continue } + // Check if the parent ID attribute matches the expected parent ID, if not, fix it. actualParentID, err := xattr.Get(fullPath, parentIDAttrName) if err != nil || string(actualParentID) != parentID { err = xattr.Set(fullPath, parentIDAttrName, []byte(parentID)) @@ -314,7 +316,22 @@ func walkParentIDs(dir string, parentID string) int { logFailure("Failed to fix parent ID for '%s': %v", fullPath, err) } else { spinner.Pause() - fmt.Printf("\n + Fixed parent ID for '%s'\n", fullPath) + fmt.Printf(" + Fixed parent ID for '%s'", fullPath) + spinner.Unpause() + fixes++ + restartRequired = true + } + } + + // Check that the name attribute matches the actual name of the file/directory, if not, fix it. + nameAttr, err := xattr.Get(fullPath, nameAttrName) + if err != nil || string(nameAttr) != entry.Name() { + err = xattr.Set(fullPath, nameAttrName, []byte(entry.Name())) + if err != nil { + logFailure("Failed to fix name attribute for '%s': %v", fullPath, err) + } else { + spinner.Pause() + fmt.Printf(" + Fixed name attribute for '%s'", fullPath) spinner.Unpause() fixes++ restartRequired = true @@ -327,14 +344,14 @@ func walkParentIDs(dir string, parentID string) int { logFailure("Directory '%s' missing '%s', skipping its children", fullPath, idAttrName) continue } - walkParentIDs(fullPath, string(nodeID)) + walkNodes(fullPath, string(nodeID)) } } return fixes } func checkNodeIDs(spacePath string) { - spinner.Message(" - checking parent IDs") + spinner.Message(" - checking nodes") rootID, err := xattr.Get(spacePath, idAttrName) if err != nil || len(rootID) == 0 { @@ -342,11 +359,11 @@ func checkNodeIDs(spacePath string) { return } - fixes := walkParentIDs(spacePath, string(rootID)) + fixes := walkNodes(spacePath, string(rootID)) if fixes > 0 { spinner.Pause() - fmt.Printf("\n ✓ Fixed %d incorrect parent IDs in %s\n", fixes, filepath.Base(spacePath)) + fmt.Printf("\n ✓ Fixed %d incorrect node attributes in %s\n", fixes, filepath.Base(spacePath)) spinner.Unpause() } }