From 2efbb13e669dd633d7b6ca6299d3feb0ec977a40 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Tue, 9 Feb 2021 16:00:04 +0100
Subject: [PATCH 1/4] change secrets on deploy
---
 accounts/pkg/flagset/flagset.go | 4 +-
 accounts/pkg/service/v0/service.go | 12 +++
 deployments/examples/cs3_users_ocis/.env | 2 +
 .../cs3_users_ocis/docker-compose.yml | 18 +++-
 deployments/examples/ocis_keycloak/.env | 6 ++
 .../config/ocis/entrypoint-override.sh | 25 ++++++
 .../examples/ocis_keycloak/docker-compose.yml | 8 ++
 deployments/examples/ocis_traefik/.env | 7 +-
 .../config/ocis/entrypoint-override.sh | 25 ++++++
 .../examples/ocis_traefik/docker-compose.yml | 8 ++
 idp/pkg/config/config.go | 32 ++++++-
 idp/pkg/flagset/flagset.go | 77 +++++++++++++++++++
 idp/pkg/service/v0/service.go | 32 ++++----
 ocis/pkg/config/config.go | 4 +-
 ocis/pkg/flagset/flagset.go | 2 +-
 ocs/pkg/flagset/flagset.go | 2 +-
 proxy/pkg/flagset/flagset.go | 2 +-
 settings/pkg/flagset/flagset.go | 2 +-
 storage/pkg/flagset/secret.go | 2 +-
 19 files changed, 227 insertions(+), 43 deletions(-)
 create mode 100644 deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh
 create mode 100644 deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh
diff --git a/accounts/pkg/flagset/flagset.go b/accounts/pkg/flagset/flagset.go
index b58bcce547..e4f90896ab 100644
--- a/accounts/pkg/flagset/flagset.go
+++ b/accounts/pkg/flagset/flagset.go
@@ -137,7 +137,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Used to create JWT to talk to reva, should equal reva's jwt-secret",
- EnvVars: []string{"ACCOUNTS_JWT_SECRET"},
+ EnvVars: []string{"ACCOUNTS_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.TokenManager.JWTSecret,
 },
 &cli.StringFlag{
@@ -172,7 +172,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "storage-cs3-jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Used to create JWT to talk to reva, should equal reva's jwt-secret",
- EnvVars: []string{"ACCOUNTS_STORAGE_CS3_JWT_SECRET"},
+ EnvVars: []string{"ACCOUNTS_STORAGE_CS3_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.Repo.CS3.JWTSecret,
 },
 &cli.StringFlag{
diff --git a/accounts/pkg/service/v0/service.go b/accounts/pkg/service/v0/service.go
index cb74008c52..a0d882dc18 100644
--- a/accounts/pkg/service/v0/service.go
+++ b/accounts/pkg/service/v0/service.go
@@ -268,6 +268,12 @@ func (s Service) createDefaultAccounts() (err error) {
 },
 }
 for i := range accounts {
+ a := &proto.Account{}
+ err := s.repo.LoadAccount(context.Background(), accounts[i].Id, a)
+ if !storage.IsNotFoundErr(err) {
+ continue // account already exists -> do not overwrite
+ }
+
+ if err := s.repo.WriteAccount(context.Background(), &accounts[i]); err != nil {
 return err
 }
@@ -360,6 +366,12 @@ func (s Service) createDefaultGroups() (err error) {
 }},
 }
 for i := range groups {
+ g := &proto.Group{}
+ err := s.repo.LoadGroup(context.Background(), groups[i].Id, g)
+ if !storage.IsNotFoundErr(err) {
+ continue // group already exists -> do not overwrite
+ }
+
+ if err := s.repo.WriteGroup(context.Background(), &groups[i]); err != nil {
 return err
 }
diff --git a/deployments/examples/cs3_users_ocis/.env b/deployments/examples/cs3_users_ocis/.env
index 016f879e48..b1ceeece47 100644
--- a/deployments/examples/cs3_users_ocis/.env
+++ b/deployments/examples/cs3_users_ocis/.env
@@ -17,6 +17,8 @@ TRAEFIK_ACME_MAIL=
 OCIS_DOCKER_TAG=
 # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
 OCIS_DOMAIN=
+# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+OCIS_JWT_SECRET=
 ### LDAP server settings ###
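Review bot: In createDefaultAccounts the new guard `if !storage.IsNotFoundErr(err) { continue }` treats every LoadAccount failure other than not-found — unreachable backend, permission error, unreadable record — as "account already exists", so a repository fault silently skips creating the default (and system) accounts without returning an error. Separate the two cases: `if err == nil { continue // account already exists -> do not overwrite }` followed by `if !storage.IsNotFoundErr(err) { return err }`. The createDefaultGroups hunk below has the identical pattern. The loop's `err :=` also shadows the function's named result `err`; assigning with `=` avoids the vet shadow finding. Both function bodies run past their hunks.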
diff --git a/deployments/examples/cs3_users_ocis/docker-compose.yml b/deployments/examples/cs3_users_ocis/docker-compose.yml
index 5513f2745d..af468f5f63 100644
--- a/deployments/examples/cs3_users_ocis/docker-compose.yml
+++ b/deployments/examples/cs3_users_ocis/docker-compose.yml
@@ -51,14 +51,14 @@ services:
 environment:
 # CS3 users from ldap specific configuration
 PROXY_CONFIG_FILE: "/config/proxy-config.json"
- LDAP_FILTER: "(&(objectclass=inetOrgPerson)(objectClass=owncloud))"
- LDAP_URI: ldap://ldap-server:389
- LDAP_BINDDN: "cn=admin,dc=owncloud,dc=com"
- LDAP_BINDPW: ${LDAP_ADMIN_PASSWORD:-admin}
- LDAP_BASEDN: "dc=owncloud,dc=com"
- LDAP_LOGIN_ATTRIBUTE: uid
- LDAP_UUID_ATTRIBUTE: "ownclouduuid"
- LDAP_UUID_ATTRIBUTE_TYPE: binary
+ IDP_LDAP_FILTER: "(&(objectclass=inetOrgPerson)(objectClass=owncloud))"
+ IDP_LDAP_URI: ldap://ldap-server:389
+ IDP_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
+ IDP_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+ IDP_LDAP_BASE_DN: "dc=owncloud,dc=com"
+ IDP_LDAP_LOGIN_ATTRIBUTE: uid
+ IDP_LDAP_UUID_ATTRIBUTE: "ownclouduuid"
+ IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary
 PROXY_ACCOUNT_BACKEND_TYPE: cs3
 STORAGE_LDAP_HOSTNAME: ldap-server
 STORAGE_LDAP_PORT: 636
@@ -74,6 +74,8 @@ services:
 OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
 PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
+ # change default secrets
+ OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
 volumes:
 - ./config/ocis/proxy-config.json:/config/proxy-config.json
 - ocis-data:/var/tmp/ocis
diff --git a/deployments/examples/ocis_keycloak/.env b/deployments/examples/ocis_keycloak/.env
index e21b3d4d57..4ca629463b 100644
--- a/deployments/examples/ocis_keycloak/.env
+++ b/deployments/examples/ocis_keycloak/.env
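Review bot: `OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}` substitutes a `STORAGE_JWT_SECRET` variable that the matching .env hunk never defines — it adds `OCIS_JWT_SECRET=` — so a secret the operator sets in .env is ignored and the container keeps the default the comment says must be changed. The line should read `OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}`. The ocis_keycloak and ocis_traefik docker-compose hunks later in this patch carry the same mismatch against .env files that likewise only define `OCIS_JWT_SECRET`.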
@@ -19,6 +19,12 @@ OCIS_DOCKER_TAG=
 OCIS_DOMAIN=
 # owncloud Web openid connect client id. Defaults to "web"
 OCIS_OIDC_CLIENT_ID=
+# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
+IDP_LDAP_BIND_PASSWORD=
+# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
+STORAGE_LDAP_BIND_PASSWORD=
+# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+OCIS_JWT_SECRET=
 ### Keycloak ###
 # Domain of Keycloak, where you can find the managment and authentication frontend. Defaults to "keycloak.owncloud.test"
diff --git a/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh
new file mode 100644
index 0000000000..65a1ed4758
--- /dev/null
+++ b/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -evx
+
+ocis server&
+sleep 10
+
+echo "##################################################"
+echo "change default secrets:"
+
+# IDP
+IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo " IDP user UUID: $IDP_USER_UUID"
+ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID
+
+# REVA
+REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo " Reva user UUID: $REVA_USER_UUID"
+ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID
+
+killall ocis
+echo "default serets changed"
+echo "##################################################"
+
+ocis server
diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml
index 97aacea282..55c7d20f51 100644
--- a/deployments/examples/ocis_keycloak/docker-compose.yml
+++ b/deployments/examples/ocis_keycloak/docker-compose.yml
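Review bot: `set -evx` makes the shell echo every command with its variables expanded, so the two `ocis accounts update --password $IDP_LDAP_BIND_PASSWORD ...` lines print the freshly chosen bind passwords to stdout and thus into the container log; keep `set -e` and drop `-v`/`-x`, or bracket the two update lines with `set +x` and `set -x`. The UUID lookup after a fixed `sleep 10` has no readiness check: if `ocis accounts list` is not answering yet, the grep pipeline fails and, under `set -e`, the container most likely exits before the final `ocis server` is reached. The `_index.md` hunk in this series documents the two system users' fixed UUIDs, which the script could use directly instead of grepping display names out of a table. The variables should also be double-quoted. The ocis_traefik copy of this script (same blob 65a1ed4758) shares all of this.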
@@ -47,6 +47,9 @@ services:
 image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
 networks:
 ocis-net:
+ entrypoint:
+ - /bin/sh
+ - /entrypoint-override.sh
 environment:
 # Keycloak IDP specific configuration
 PROXY_AUTOPROVISION_ACCOUNTS: "true"
@@ -60,7 +63,12 @@ services:
 OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
 PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
+ # change default secrets
+ IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
+ STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
+ OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
 volumes:
+ - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ocis-data:/var/tmp/ocis
 labels:
 - "traefik.enable=true"
diff --git a/deployments/examples/ocis_traefik/.env b/deployments/examples/ocis_traefik/.env
index 132b2c6b7c..94906757f0 100644
--- a/deployments/examples/ocis_traefik/.env
+++ b/deployments/examples/ocis_traefik/.env
@@ -17,7 +17,12 @@ TRAEFIK_ACME_MAIL=
 OCIS_DOCKER_TAG=
 # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
 OCIS_DOMAIN=
-
+# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
+IDP_LDAP_BIND_PASSWORD=
+# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
+STORAGE_LDAP_BIND_PASSWORD=
+# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+OCIS_JWT_SECRET=
 # If you want to use debugging and tracing with this stack,
 # you need uncomment following line. Please see documentation at
diff --git a/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh
new file mode 100644
index 0000000000..65a1ed4758
--- /dev/null
+++ b/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -evx
+
+ocis server&
+sleep 10
+
+echo "##################################################"
+echo "change default secrets:"
+
+# IDP
+IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo " IDP user UUID: $IDP_USER_UUID"
+ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID
+
+# REVA
+REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo " Reva user UUID: $REVA_USER_UUID"
+ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID
+
+killall ocis
+echo "default serets changed"
+echo "##################################################"
+
+ocis server
diff --git a/deployments/examples/ocis_traefik/docker-compose.yml b/deployments/examples/ocis_traefik/docker-compose.yml
index 2419b62c86..284d33efaf 100644
--- a/deployments/examples/ocis_traefik/docker-compose.yml
+++ b/deployments/examples/ocis_traefik/docker-compose.yml
@@ -46,11 +46,19 @@ services:
 image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
 networks:
 ocis-net:
+ entrypoint:
+ - /bin/sh
+ - /entrypoint-override.sh
 environment:
 OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
 OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
 PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
+ # change default secrets
+ IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
+ STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
+ OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
 volumes:
+ - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ocis-data:/var/tmp/ocis
 labels:
 - "traefik.enable=true"
diff --git a/idp/pkg/config/config.go b/idp/pkg/config/config.go
index 617fda130c..9e051be630 100644
--- a/idp/pkg/config/config.go
+++ b/idp/pkg/config/config.go
@@ -28,6 +28,21 @@ type HTTP struct {
 TLS bool
 }
+// Ldap defines the available LDAP configuration.
+type Ldap struct {
+ URI string
+ BindDN string
+ BindPassword string
+ BaseDN string
+ Scope string
+ LoginAttribute string
+ EmailAttribute string
+ NameAttribute string
+ UUIDAttribute string
+ UUIDAttributeType string
+ Filter string
+}
+
 // Service defines the available service configuration.
 type Service struct {
 Name string
@@ -51,14 +66,15 @@ type Asset struct {
 // Config combines all available configuration parts.
 type Config struct {
- File string
- Log Log
- Debug Debug
- HTTP HTTP
- Tracing Tracing
- Asset Asset
- IDP bootstrap.Config
- Service Service
+ File string
+ Log Log
+ Debug Debug
+ HTTP HTTP
+ Tracing Tracing
+ Asset Asset
+ IDP bootstrap.Config
+ Ldap Ldap
+ Service Service
 }
 // New initializes a new configuration with or without defaults.
diff --git a/idp/pkg/flagset/flagset.go b/idp/pkg/flagset/flagset.go
index ed348e2c06..68b2561a8a 100644
--- a/idp/pkg/flagset/flagset.go
+++ b/idp/pkg/flagset/flagset.go
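Review bot: The new type is spelled `Ldap` whereas the neighbouring `Config` fields (`HTTP`, `IDP`) and the struct's own `BindDN`/`BaseDN`/`UUIDAttribute` keep initialisms upper-case; naming it `LDAP` (and the field `LDAP LDAP`) would match, and the rename is cheap while the type is new in this series. A comment on `BindPassword`, e.g. `// BindPassword is a credential; keep it out of logs and error messages.`, is also worth adding, since the idp service hunk later in this patch formats this struct's values into an error string.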
@@ -150,6 +150,83 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"IDP_IDENTITY_MANAGER"},
 Destination: &cfg.IDP.IdentityManager,
 },
+ &cli.StringFlag{
+ Name: "ldap-uri",
+ Value: "ldap://localhost:9125",
+ Usage: "URI of the LDAP server (glauth)",
+ EnvVars: []string{"IDP_LDAP_URI"},
+ Destination: &cfg.Ldap.URI,
+ },
+ &cli.StringFlag{
+ Name: "ldap-bind-dn",
+ Value: "cn=idp,ou=sysusers,dc=example,dc=org",
+ Usage: "Bind DN for the LDAP server (glauth)",
+ EnvVars: []string{"IDP_LDAP_BIND_DN"},
+ Destination: &cfg.Ldap.BindDN,
+ },
+ &cli.StringFlag{
+ Name: "ldap-bind-password",
+ Value: "idp",
+ Usage: "Password for the Bind DN of the LDAP server (glauth)",
+ EnvVars: []string{"IDP_LDAP_BIND_PASSWORD"},
+ Destination: &cfg.Ldap.BindPassword,
+ },
+ &cli.StringFlag{
+ Name: "ldap-base-dn",
+ Value: "ou=users,dc=example,dc=org",
+ Usage: "LDAP base DN of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_BASE_DN"},
+ Destination: &cfg.Ldap.BaseDN,
+ },
+ &cli.StringFlag{
+ Name: "ldap-scope",
+ Value: "sub",
+ Usage: "LDAP scope of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_SCOPE"},
+ Destination: &cfg.Ldap.Scope,
+ },
+ &cli.StringFlag{
+ Name: "ldap-login-attribute",
+ Value: "cn",
+ Usage: "LDAP login attribute of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_LOGIN_ATTRIBUTE"},
+ Destination: &cfg.Ldap.LoginAttribute,
+ },
+ &cli.StringFlag{
+ Name: "ldap-email-attribute",
+ Value: "mail",
+ Usage: "LDAP email attribute of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_EMAIL_ATTRIBUTE"},
+ Destination: &cfg.Ldap.EmailAttribute,
+ },
+ &cli.StringFlag{
+ Name: "ldap-name-attribute",
+ Value: "sn",
+ Usage: "LDAP name attribute of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_NAME_ATTRIBUTE"},
+ Destination: &cfg.Ldap.NameAttribute,
+ },
+ &cli.StringFlag{
+ Name: "ldap-uuid-attribute",
+ Value: "uid",
+ Usage: "LDAP UUID attribute of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_UUID_ATTRIBUTE"},
+ Destination: &cfg.Ldap.UUIDAttribute,
+ },
+ &cli.StringFlag{
+ Name: "ldap-uuid-attribute-type",
+ Value: "text",
+ Usage: "LDAP UUID attribute type of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_UUID_ATTRIBUTE_TYPE"},
+ Destination: &cfg.Ldap.UUIDAttributeType,
+ },
+ &cli.StringFlag{
+ Name: "ldap-filter",
+ Value: "(objectClass=posixaccount)",
+ Usage: "LDAP filter of the oCIS users",
+ EnvVars: []string{"IDP_LDAP_FILTER"},
+ Destination: &cfg.Ldap.Filter,
+ },
 &cli.StringFlag{
 Name: "transport-tls-cert",
 Value: "",
diff --git a/idp/pkg/service/v0/service.go b/idp/pkg/service/v0/service.go
index 419726212b..c3a8be6780 100644
--- a/idp/pkg/service/v0/service.go
+++ b/idp/pkg/service/v0/service.go
@@ -38,7 +38,7 @@ func NewService(opts ...Option) Service {
 assets.Config(options.Config),
 )
- if err := initKonnectInternalEnvVars(); err != nil {
+ if err := initKonnectInternalEnvVars(&options.Config.Ldap); err != nil {
 logger.Fatal().Err(err).Msg("could not initialize env vars")
 }
@@ -110,26 +110,24 @@ func createConfigsIfNotExist(assets http.FileSystem, ocisURL string) error {
 }
 // Init vars which are currently not accessible via idp api
-func initKonnectInternalEnvVars() error {
+func initKonnectInternalEnvVars(ldap *config.Ldap) error {
 var defaults = map[string]string{
- "LDAP_URI": "ldap://localhost:9125",
- "LDAP_BINDDN": "cn=idp,ou=sysusers,dc=example,dc=org",
- "LDAP_BINDPW": "idp",
- "LDAP_BASEDN": "ou=users,dc=example,dc=org",
- "LDAP_SCOPE": "sub",
- "LDAP_LOGIN_ATTRIBUTE": "cn",
- "LDAP_EMAIL_ATTRIBUTE": "mail",
- "LDAP_NAME_ATTRIBUTE": "sn",
- "LDAP_UUID_ATTRIBUTE": "uid",
- "LDAP_UUID_ATTRIBUTE_TYPE": "text",
- "LDAP_FILTER": "(objectClass=posixaccount)",
+ "LDAP_URI": ldap.URI,
+ "LDAP_BINDDN": ldap.BindDN,
+ "LDAP_BINDPW": ldap.BindPassword,
+ "LDAP_BASEDN": ldap.BaseDN,
+ "LDAP_SCOPE": ldap.Scope,
+ "LDAP_LOGIN_ATTRIBUTE": ldap.LoginAttribute,
+ "LDAP_EMAIL_ATTRIBUTE": ldap.EmailAttribute,
+ "LDAP_NAME_ATTRIBUTE": ldap.NameAttribute,
+ "LDAP_UUID_ATTRIBUTE": ldap.UUIDAttribute,
+ "LDAP_UUID_ATTRIBUTE_TYPE": ldap.UUIDAttributeType,
+ "LDAP_FILTER": ldap.Filter,
 }
 for k, v := range defaults {
- if _, exists := os.LookupEnv(k); !exists {
- if err := os.Setenv(k, v); err != nil {
- return fmt.Errorf("could not set env var %s=%s", k, v)
- }
+ if err := os.Setenv(k, v); err != nil {
+ return fmt.Errorf("could not set env var %s=%s", k, v)
 }
 }
diff --git a/ocis/pkg/config/config.go b/ocis/pkg/config/config.go
index 4c9bce3751..ca7d907ae9 100644
--- a/ocis/pkg/config/config.go
+++ b/ocis/pkg/config/config.go
@@ -75,7 +75,7 @@ type Config struct {
 Graph *graph.Config
 GraphExplorer *graphExplorer.Config
 Hello *hello.Config
- IDP *idp.Config
+ IDP *idp.Config
 OCS *ocs.Config
 Onlyoffice *onlyoffice.Config
 Web *web.Config
@@ -96,7 +96,7 @@ func New() *Config {
 Graph: graph.New(),
 GraphExplorer: graphExplorer.New(),
 Hello: hello.New(),
- IDP: idp.New(),
+ IDP: idp.New(),
 OCS: ocs.New(),
 Onlyoffice: onlyoffice.New(),
 Web: web.New(),
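Review bot: The retained `return fmt.Errorf("could not set env var %s=%s", k, v)` now formats configured values instead of compiled-in defaults, so when Setenv fails for `LDAP_BINDPW` the bind password lands in the error that NewService logs via `logger.Fatal().Err(err)`. Drop the value and wrap the cause instead: `return fmt.Errorf("could not set env var %s: %w", k, err)`. Removing the `os.LookupEnv` guard is also a behaviour change — an operator who still exports a plain `LDAP_*` variable (as the cs3 docker-compose did before this patch) is now silently overridden by the flag value, which falls back to the default `idp` password; logging a warning when such a variable is already set would make the migration visible. initKonnectInternalEnvVars continues beyond the hunk.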
diff --git a/ocis/pkg/flagset/flagset.go b/ocis/pkg/flagset/flagset.go
index 8daa92c78d..00ba858972 100644
--- a/ocis/pkg/flagset/flagset.go
+++ b/ocis/pkg/flagset/flagset.go
@@ -74,7 +74,7 @@ func RootWithConfig(cfg *config.Config) []cli.Flag {
 Name: "jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Used to dismantle the access token, should equal reva's jwt-secret",
- EnvVars: []string{"OCIS_JWT_SECRET"},
+ EnvVars: []string{"OCIS_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.TokenManager.JWTSecret,
 },
 }
diff --git a/ocs/pkg/flagset/flagset.go b/ocs/pkg/flagset/flagset.go
index 21665d9aa5..909840335a 100644
--- a/ocs/pkg/flagset/flagset.go
+++ b/ocs/pkg/flagset/flagset.go
@@ -149,7 +149,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Used to dismantle the access token, should equal reva's jwt-secret",
- EnvVars: []string{"OCS_JWT_SECRET"},
+ EnvVars: []string{"OCS_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.TokenManager.JWTSecret,
 },
 }
diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go
index 81af13c7a3..83f73fdda4 100644
--- a/proxy/pkg/flagset/flagset.go
+++ b/proxy/pkg/flagset/flagset.go
@@ -175,7 +175,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Used to create JWT to talk to reva, should equal reva's jwt-secret",
- EnvVars: []string{"PROXY_JWT_SECRET"},
+ EnvVars: []string{"PROXY_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.TokenManager.JWTSecret,
 },
 &cli.StringFlag{
diff --git a/settings/pkg/flagset/flagset.go b/settings/pkg/flagset/flagset.go
index f4d04aba48..a84964c896 100644
--- a/settings/pkg/flagset/flagset.go
+++ b/settings/pkg/flagset/flagset.go
@@ -182,7 +182,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Used to create JWT to talk to reva, should equal reva's jwt-secret",
- EnvVars: []string{"SETTINGS_JWT_SECRET"},
+ EnvVars: []string{"SETTINGS_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.TokenManager.JWTSecret,
 },
 }
diff --git a/storage/pkg/flagset/secret.go b/storage/pkg/flagset/secret.go
index e51b7acd73..d7004e4812 100644
--- a/storage/pkg/flagset/secret.go
+++ b/storage/pkg/flagset/secret.go
@@ -12,7 +12,7 @@ func SecretWithConfig(cfg *config.Config) []cli.Flag {
 Name: "jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Shared jwt secret for reva service communication",
- EnvVars: []string{"STORAGE_JWT_SECRET"},
+ EnvVars: []string{"STORAGE_JWT_SECRET", "OCIS_JWT_SECRET"},
 Destination: &cfg.Reva.JWTSecret,
 },
 }
From f2e90149ae29b89475eb0a2ae0b5d4538d450262 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Wed, 10 Feb 2021 16:30:14 +0100
Subject: [PATCH 2/4] add docs
---
 docs/ocis/deployment/_index.md | 26 ++++++++++++++++++++++
 docs/ocis/deployment/basic-remote-setup.md | 4 ++++
 docs/ocis/deployment/ocis_keycloak.md | 8 +++++++
 docs/ocis/deployment/ocis_traefik.md | 8 +++++++
 docs/ocis/deployment/preparing_server.md | 2 +-
 5 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/docs/ocis/deployment/_index.md b/docs/ocis/deployment/_index.md
index ab101b652e..3c3159a4e7 100644
--- a/docs/ocis/deployment/_index.md
+++ b/docs/ocis/deployment/_index.md
@@ -26,3 +26,29 @@ You can run ownCloud 10 and oCIS together. This allows you to use new parts of o
 - [ownCloud 10 setup with oCIS serving ownCloud Web and acting as OIDC provider]({{< ref "owncloud10_with_oc_web.md" >}}) - This allows you to switch between the traditional ownCloud 10 frontend and the new ownCloud Web frontend - Run ownCloud 10 and oCIS in parallel - together - Migrate users from ownCloud 10 to oCIS
+
+
+## Secure an oCIS instance
+
+### Change default secrets
+oCIS uses two system users which are needed for being operational:
+- Reva Inter Operability Platform (bc596f3c-c955-4328-80a0-60d018b4ad57)
+- Kopano IDP (820ba2a1-3f54-4538-80a4-2d73007e30bf)
+
+Both have simple default passwords which need to be changed. Currently, changing a password is only possible on the command line. You need to run `ocis accounts update --password ` for both users.
+
+The new password for the Reva Inter Operability Platform user must be made available to oCIS by using the environment variable `STORAGE_LDAP_BIND_PASSWORD`. The same applies to the new Kopano IDP user password, which needs do be made available to oCIS in `IDP_LDAP_BIND_PASSWORD`.
+
+Furthermore oCIS needs to share a JWT token with REVA, wich also need to be changed by the user.
+You can change it by setting the `OCIS_JWT_SECRET` environment variable for oCIS to a random string.
+
+### Delete demo users
+oCIS ships with a few demo users besides the system users:
+- Admin (ddc2004c-0977-11eb-9d3f-a793888cd0f8)
+- Albert Einstein (4c510ada-c86b-4815-8820-42cdf82c3d51)
+- Richard Feynman (932b4540-8d16-481e-8ef4-588e4b6b151c)
+- Maurice Moss (058bff95-6708-4fe5-91e4-9ea3d377588b)
+- Marie Curie (f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c)
+
+You can view them in ownCloud Web if you log in as Admin user or list them by running `ocis accounts list`.
+Before deleting all demo users mentioned above, you must create a new account for yourself and assign it to the administrator role. After doing so it is safe to delete the demo users in the web UI or with the command `ocis accounts remove `. Please do not delete the system users (see [change default secrets]({{< ref "_index.md#change-default-secrets" >}})) or oCIS will not function properly anymore.
diff --git a/docs/ocis/deployment/basic-remote-setup.md b/docs/ocis/deployment/basic-remote-setup.md
index b28d30f7c2..48a828206a 100644
--- a/docs/ocis/deployment/basic-remote-setup.md
+++ b/docs/ocis/deployment/basic-remote-setup.md
@@ -21,6 +21,10 @@ Upon first start of the oCIS fullstack server with `./bin/ocis server` it will g
 The `identifier-registration.yml` file will only be generated if does not exist. If you want to change certain environment variables like `OCIS_URL`, please delete this file first before doing so. Otherwise your changes will not be applied correctly and you will run into errors.
 {{< /hint >}}
+{{< hint warning >}}
+oCIS is currently in a Tech Preview state and is shipped with demo users. In order to secure your oCIS instances please follow following guide: [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}})
+{{< /hint >}}
+
 For the following examples you need to have the oCIS binary in your current working directory, we assume it is named `ocis` and it needs to be marked as executable. See [Getting Started]({{< ref "../getting-started/#binaries" >}}) for where to get the binary from.
 ### Using automatically generated certificates
diff --git a/docs/ocis/deployment/ocis_keycloak.md b/docs/ocis/deployment/ocis_keycloak.md
index ea85f9fcd2..9f901d0233 100644
--- a/docs/ocis/deployment/ocis_keycloak.md
+++ b/docs/ocis/deployment/ocis_keycloak.md
@@ -70,6 +70,12 @@ See also [example server setup]({{< ref "preparing_server.md" >}})
 OCIS_DOMAIN=
 # ownCloud Web openid connect client id. Defaults to "ocis-web"
 OCIS_OIDC_CLIENT_ID=
+ # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
+ IDP_LDAP_BIND_PASSWORD=
+ # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
+ STORAGE_LDAP_BIND_PASSWORD=
+ # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+ OCIS_JWT_SECRET=
 ### Keycloak ###
 # Domain of Keycloak, where you can find the management and authentication frontend. Defaults to "keycloak.owncloud.test"
@@ -97,6 +103,8 @@ See also [example server setup]({{< ref "preparing_server.md" >}})
 If you want to change the OIDC client id of th ownCloud Web frontend, you can do this by setting the name to `OCIS_OIDC_CLIENT_ID=`.
+ You also must override three default secrets in `IDP_LDAP_BIND_PASSWORD`, `STORAGE_LDAP_BIND_PASSWORD` and `OCIS_JWT_SECRET` in order to secure your oCIS instance. Choose some random strings eg. from the output of `openssl rand -base64 32`. For more information see [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}}).
+
 Set your domain for the Keycloak administration panel and authentication endpoints to `KEYCLOAK_DOMAIN=` eg. `KEYCLOAK_DOMAIN=keycloak.owncloud.test`. Changing the used Keycloak realm can be done by setting `KEYCLOAK_REALM=`. This defaults to the oCIS realm `KEYCLOAK_REALM=oCIS`. The oCIS realm will be automatically imported on startup and includes our demo users.
diff --git a/docs/ocis/deployment/ocis_traefik.md b/docs/ocis/deployment/ocis_traefik.md
index 0e96a35ff9..34ccc422bf 100644
--- a/docs/ocis/deployment/ocis_traefik.md
+++ b/docs/ocis/deployment/ocis_traefik.md
@@ -64,6 +64,12 @@ See also [example server setup]({{< ref "preparing_server.md" >}})
 OCIS_DOCKER_TAG=
 # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
 OCIS_DOMAIN=
+ # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
+ IDP_LDAP_BIND_PASSWORD=
+ # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
+ STORAGE_LDAP_BIND_PASSWORD=
+ # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+ OCIS_JWT_SECRET=
 ```
 You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`.
@@ -78,6 +84,8 @@ See also [example server setup]({{< ref "preparing_server.md" >}})
 Set your domain for the oCIS frontend in `OCIS_DOMAIN=`, eg. `OCIS_DOMAIN=ocis.owncloud.test`.
+ You also must override three default secrets in `IDP_LDAP_BIND_PASSWORD`, `STORAGE_LDAP_BIND_PASSWORD` and `OCIS_JWT_SECRET` in order to secure your oCIS instance. Choose some random strings eg. from the output of `openssl rand -base64 32`. For more information see [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}}).
+
 Now you have configured everything and can save the file.
 * Start the docker stack
diff --git a/docs/ocis/deployment/preparing_server.md b/docs/ocis/deployment/preparing_server.md
index 5e6bba68e4..8bd1724c9d 100644
--- a/docs/ocis/deployment/preparing_server.md
+++ b/docs/ocis/deployment/preparing_server.md
@@ -1,7 +1,7 @@
 ---
 title: "Preparing a server"
 date: 2020-10-12T14:04:00+01:00
-weight: 10
+weight: 100
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/docs/ocis/deployment
 geekdocFilePath: preparing_server.md
From 9c648f93ccd420351135082617f10070b65c624c Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Thu, 11 Feb 2021 10:24:01 +0100
Subject: [PATCH 3/4] add review feedback
---
 docs/ocis/deployment/_index.md | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/docs/ocis/deployment/_index.md b/docs/ocis/deployment/_index.md
index 3c3159a4e7..08e95760b3 100644
--- a/docs/ocis/deployment/_index.md
+++ b/docs/ocis/deployment/_index.md
@@ -39,10 +39,15 @@ Both have simple default passwords which need to be changed. Currently, changing
 The new password for the Reva Inter Operability Platform user must be made available to oCIS by using the environment variable `STORAGE_LDAP_BIND_PASSWORD`. The same applies to the new Kopano IDP user password, which needs do be made available to oCIS in `IDP_LDAP_BIND_PASSWORD`.
-Furthermore oCIS needs to share a JWT token with REVA, wich also need to be changed by the user.
+Furthermore oCIS needs to share a JWT token with REVA, which also need to be changed by the user.
 You can change it by setting the `OCIS_JWT_SECRET` environment variable for oCIS to a random string.
 ### Delete demo users
+
+{{< hint info >}}
+Before deleting the demo users mentioned below, you must create a new account for yourself and assign it to the administrator role.
+{{< /hint >}}
+
 oCIS ships with a few demo users besides the system users:
 - Admin (ddc2004c-0977-11eb-9d3f-a793888cd0f8)
 - Albert Einstein (4c510ada-c86b-4815-8820-42cdf82c3d51)
@@ -51,4 +56,4 @@ oCIS ships with a few demo users besides the system users:
 - Marie Curie (f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c)
 You can view them in ownCloud Web if you log in as Admin user or list them by running `ocis accounts list`.
-Before deleting all demo users mentioned above, you must create a new account for yourself and assign it to the administrator role. After doing so it is safe to delete the demo users in the web UI or with the command `ocis accounts remove `. Please do not delete the system users (see [change default secrets]({{< ref "_index.md#change-default-secrets" >}})) or oCIS will not function properly anymore.
+After adding your own user it is safe to delete the demo users in the web UI or with the command `ocis accounts remove `. Please do not delete the system users (see [change default secrets]({{< ref "_index.md#change-default-secrets" >}})) or oCIS will not function properly anymore.
From 9bfe930978c6811eece43e7c1003bbea70b526c7 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Thu, 11 Feb 2021 10:53:07 +0100
Subject: [PATCH 4/4] add feedback from review
---
 .../ocis_keycloak/config/ocis/entrypoint-override.sh | 2 +-
 deployments/examples/ocis_traefik/.env | 6 +++---
 .../ocis_traefik/config/ocis/entrypoint-override.sh | 2 +-
 docs/ocis/deployment/_index.md | 2 +-
 ocis/pkg/flagset/flagset.go | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh
index 65a1ed4758..9e0a524ac1 100644
--- a/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh
+++ b/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh
@@ -19,7 +19,7 @@ echo " Reva user UUID: $REVA_USER_UUID"
 ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID
 killall ocis
-echo "default serets changed"
+echo "default secrets changed"
 echo "##################################################"
 ocis server
diff --git a/deployments/examples/ocis_traefik/.env b/deployments/examples/ocis_traefik/.env
index 94906757f0..a93b12e07c 100644
--- a/deployments/examples/ocis_traefik/.env
+++ b/deployments/examples/ocis_traefik/.env
@@ -18,11 +18,11 @@ OCIS_DOCKER_TAG=
 # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
 OCIS_DOMAIN=
 # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
-IDP_LDAP_BIND_PASSWORD=
+IDP_LDAP_BIND_PASSWORD=foo
 # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
-STORAGE_LDAP_BIND_PASSWORD=
+STORAGE_LDAP_BIND_PASSWORD=foo
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
-OCIS_JWT_SECRET=
+OCIS_JWT_SECRET=foo
 # If you want to use debugging and tracing with this stack,
 # you need uncomment following line. Please see documentation at
diff --git a/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh
index 65a1ed4758..9e0a524ac1 100644
--- a/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh
+++ b/deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh
@@ -19,7 +19,7 @@ echo " Reva user UUID: $REVA_USER_UUID"
 ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID
 killall ocis
-echo "default serets changed"
+echo "default secrets changed"
 echo "##################################################"
 ocis server
diff --git a/docs/ocis/deployment/_index.md b/docs/ocis/deployment/_index.md
index 08e95760b3..694c6dc2cf 100644
--- a/docs/ocis/deployment/_index.md
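Review bot: `IDP_LDAP_BIND_PASSWORD=foo`, `STORAGE_LDAP_BIND_PASSWORD=foo` and `OCIS_JWT_SECRET=foo` commit a weak, public value into the example stack that is no better than the defaults the comments above tell the operator to replace, and it diverges from the ocis_keycloak .env in patch 1, which leaves the three variables empty. Either leave them empty so the compose `:-` fallbacks apply, or use a placeholder that cannot pass as a real secret, e.g. `IDP_LDAP_BIND_PASSWORD=CHANGE_ME_BEFORE_USE` (constructed example). Note also that `OCIS_JWT_SECRET` set here is only picked up if the ocis_traefik docker-compose substitutes `${OCIS_JWT_SECRET:-…}`; in patch 1 it reads `${STORAGE_JWT_SECRET:-Pive-Fumkiu4}` instead.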
+++ b/docs/ocis/deployment/_index.md
@@ -39,7 +39,7 @@ Both have simple default passwords which need to be changed. Currently, changing
 The new password for the Reva Inter Operability Platform user must be made available to oCIS by using the environment variable `STORAGE_LDAP_BIND_PASSWORD`. The same applies to the new Kopano IDP user password, which needs do be made available to oCIS in `IDP_LDAP_BIND_PASSWORD`.
-Furthermore oCIS needs to share a JWT token with REVA, which also need to be changed by the user.
+Furthermore, oCIS uses a shared secret to sign JWT tokens for inter service authorization, which also needs to be changed by the user.
 You can change it by setting the `OCIS_JWT_SECRET` environment variable for oCIS to a random string.
 ### Delete demo users
diff --git a/ocis/pkg/flagset/flagset.go b/ocis/pkg/flagset/flagset.go
index 00ba858972..8daa92c78d 100644
--- a/ocis/pkg/flagset/flagset.go
+++ b/ocis/pkg/flagset/flagset.go
@@ -74,7 +74,7 @@ func RootWithConfig(cfg *config.Config) []cli.Flag {
 Name: "jwt-secret",
 Value: "Pive-Fumkiu4",
 Usage: "Used to dismantle the access token, should equal reva's jwt-secret",
- EnvVars: []string{"OCIS_JWT_SECRET", "OCIS_JWT_SECRET"},
+ EnvVars: []string{"OCIS_JWT_SECRET"},
 Destination: &cfg.TokenManager.JWTSecret,
 },
 }