diff --git a/deployments/examples/ocis_oc10_backend/docker-compose.yml b/deployments/examples/ocis_oc10_backend/docker-compose.yml index a2e58f25a..51edcd9a7 100644 --- a/deployments/examples/ocis_oc10_backend/docker-compose.yml +++ b/deployments/examples/ocis_oc10_backend/docker-compose.yml @@ -70,7 +70,6 @@ services: OWNCLOUD_MYSQL_UTF8MB4: "true" OWNCLOUD_REDIS_ENABLED: "true" OWNCLOUD_REDIS_HOST: redis - OWNCLOUD_DEBUG: "true" OWNCLOUD_TRUSTED_PROXIES: ${OC10_DOMAIN} OWNCLOUD_OVERWRITE_PROTOCOL: https OWNCLOUD_OVERWRITE_HOST: ${OC10_DOMAIN} @@ -111,6 +110,7 @@ services: PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN} PROXY_AUTOPROVISION_ACCOUNTS: "true" PROXY_OIDC_INSECURE: "${INSECURE}" + PROXY_ENABLE_PRESIGNEDURLS: "false" # konnectd - binddn must exist as oc10 admin user KONNECTD_ISS: https://${OCIS_DOMAIN} KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/config/identifier-registration.yaml" diff --git a/proxy/changelog/unreleased/add-basic-auth-option.md b/proxy/changelog/unreleased/add-basic-auth-option.md deleted file mode 100644 index 811d7388e..000000000 --- a/proxy/changelog/unreleased/add-basic-auth-option.md +++ /dev/null @@ -1,6 +0,0 @@ -Enhancement: Add basic auth option - -We added a new `enable-basic-auth` option and `PROXY_ENABLE_BASIC_AUTH` environment variable that can be set to `true` to make the proxy verify the basic auth header with the accounts service. This should only be used for testing and development and is disabled by default. - -https://github.com/owncloud/ocis/pull/627 -https://github.com/owncloud/product/issues/198 diff --git a/proxy/go.mod b/proxy/go.mod index e504e956a..4d1595eb4 100644 --- a/proxy/go.mod +++ b/proxy/go.mod @@ -9,6 +9,7 @@ require ( github.com/coreos/go-oidc v2.2.1+incompatible github.com/cs3org/go-cs3apis v0.0.0-20201007120910-416ed6cf8b00 github.com/cs3org/reva v1.3.1-0.20201023144216-cdb3d6688da5 + github.com/dgrijalva/jwt-go v3.2.0+incompatible github.com/google/uuid v1.1.2 github.com/justinas/alice v1.2.0 github.com/micro/cli/v2 v2.1.2 diff --git a/proxy/pkg/config/config.go b/proxy/pkg/config/config.go index b1f33510f..388d81914 100644 --- a/proxy/pkg/config/config.go +++ b/proxy/pkg/config/config.go @@ -135,6 +135,7 @@ type TokenManager struct { // PreSignedURL is the config for the presigned url middleware type PreSignedURL struct { AllowedHTTPMethods []string + Enabled bool } // MigrationSelectorConf is the config for the migration-selector diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go index 9aff3f364..3a1371a40 100644 --- a/proxy/pkg/flagset/flagset.go +++ b/proxy/pkg/flagset/flagset.go @@ -226,13 +226,19 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag { }, // Presigned URLs - &cli.StringSliceFlag{ Name: "presignedurl-allow-method", Value: cli.NewStringSlice("GET"), Usage: "--presignedurl-allow-method GET [--presignedurl-allow-method POST]", EnvVars: []string{"PRESIGNEDURL_ALLOWED_METHODS"}, }, + &cli.BoolFlag{ + Name: "enable-presignedurls", + Value: true, + Usage: "Enable or disable handling the presigned urls in the proxy", + EnvVars: []string{"PROXY_ENABLE_PRESIGNEDURLS"}, + Destination: &cfg.PreSignedURL.Enabled, + }, // Basic auth &cli.BoolFlag{ diff --git a/proxy/pkg/middleware/signed_url_auth.go b/proxy/pkg/middleware/signed_url_auth.go index 247e8da3e..1e39df603 100644 --- a/proxy/pkg/middleware/signed_url_auth.go +++ b/proxy/pkg/middleware/signed_url_auth.go @@ -6,6 +6,11 @@ import ( "encoding/hex" "errors" "fmt" + "net/http" + "net/url" + "strings" + "time" + "github.com/google/uuid" accounts "github.com/owncloud/ocis/accounts/pkg/proto/v0" "github.com/owncloud/ocis/ocis-pkg/log" @@ -13,10 +18,6 @@ import ( "github.com/owncloud/ocis/proxy/pkg/config" store "github.com/owncloud/ocis/store/pkg/proto/v0" "golang.org/x/crypto/pbkdf2" - "net/http" - "net/url" - "strings" - "time" ) // SignedURLAuth provides a middleware to check access secured by a signed URL. @@ -96,6 +97,9 @@ func (m signedURLAuth) claims(credential string) (*ocisoidc.StandardClaims, erro } func (m signedURLAuth) shouldServe(req *http.Request) bool { + if !m.preSignedURLConfig.Enabled { + return false + } return req.URL.Query().Get("OC-Signature") != "" } diff --git a/proxy/pkg/middleware/signed_url_auth_test.go b/proxy/pkg/middleware/signed_url_auth_test.go index e421ee0a1..856fcdb0e 100644 --- a/proxy/pkg/middleware/signed_url_auth_test.go +++ b/proxy/pkg/middleware/signed_url_auth_test.go @@ -10,13 +10,17 @@ func TestSignedURLAuth_shouldServe(t *testing.T) { pua := signedURLAuth{} tests := []struct { url string + enabled bool expected bool }{ - {"https://example.com/example.jpg", false}, - {"https://example.com/example.jpg?OC-Signature=something", true}, + {"https://example.com/example.jpg", true, false}, + {"https://example.com/example.jpg?OC-Signature=something", true, true}, + {"https://example.com/example.jpg", false, false}, + {"https://example.com/example.jpg?OC-Signature=something", false, false}, } for _, tt := range tests { + pua.preSignedURLConfig.Enabled = tt.enabled r := httptest.NewRequest("", tt.url, nil) result := pua.shouldServe(r) @@ -102,7 +106,7 @@ func TestSignedURLAuth_urlIsExpired(t *testing.T) { } tests := []struct { - url string + url string isExpired bool }{ {"http://example.com/example.jpg?OC-Date=2020-02-02T12:29:00.000Z&OC-Expires=61", false},