MachineAuthAPIKey -> SystemUserAPIKey (#3672)

* split machineauthapikey and systemuserapikey

Signed-off-by: jkoberg <jkoberg@owncloud.com>

* changelog

Signed-off-by: jkoberg <jkoberg@owncloud.com>

* specific errors and some reverts

Signed-off-by: jkoberg <jkoberg@owncloud.com>

* use correct machine auth api key

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

Co-authored-by: Jörn Friedrich Dreyer <jfd@butonic.de>

changelog/unreleased/split-machineauth-and-systemuserauth.md

@@ -0,0 +1,6 @@
+Change: Split MachineAuth from SystemUser
+
+We now have two different APIKeys: MachineAuth for the machine-auth service
+and SystemUser for the system user used e.g. by settings service
+
+https://github.com/owncloud/ocis/pull/3672

extensions/settings/pkg/config/config.go

@@ -39,7 +39,7 @@ type Metadata struct {
 	GatewayAddress string `yaml:"gateway_addr" env:"STORAGE_GATEWAY_GRPC_ADDR"`
 	StorageAddress string `yaml:"storage_addr" env:"STORAGE_GRPC_ADDR"`
 
-	ServiceUserID     string `yaml:"service_user_id" env:"METADATA_SERVICE_USER_UUID"`
-	ServiceUserIDP    string `yaml:"service_user_idp" env:"METADATA_SERVICE_USER_IDP"`
-	MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY"`
+	ServiceUserID    string `yaml:"service_user_id" env:"METADATA_SERVICE_USER_UUID"`
+	ServiceUserIDP   string `yaml:"service_user_idp" env:"METADATA_SERVICE_USER_IDP"`
+	SystemUserAPIKey string `yaml:"system_user_api_key" env:"OCIS_SYSTEM_USER_API_KEY"`
 }

extensions/settings/pkg/config/defaults/defaultconfig.go

@@ -89,8 +89,8 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.TokenManager = &config.TokenManager{}
 	}
 
-	if cfg.Metadata.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" {
-		cfg.Metadata.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey
+	if cfg.Metadata.SystemUserAPIKey == "" && cfg.Commons != nil && cfg.Commons.SystemUserAPIKey != "" {
+		cfg.Metadata.SystemUserAPIKey = cfg.Commons.SystemUserAPIKey
 	}
 
 	if cfg.Metadata.ServiceUserID == "" && cfg.Commons != nil && cfg.Commons.SystemUserID != "" {

extensions/settings/pkg/config/parser/parse.go

@@ -37,8 +37,8 @@ func Validate(cfg *config.Config) error {
 		return shared.MissingJWTTokenError(cfg.Service.Name)
 	}
 
-	if cfg.Metadata.MachineAuthAPIKey == "" {
-		return shared.MissingMachineAuthApiKeyError(cfg.Service.Name)
+	if cfg.Metadata.SystemUserAPIKey == "" {
+		return shared.MissingSystemUserApiKeyError(cfg.Service.Name)
 	}
 
 	if cfg.AdminUserID == "" {

extensions/settings/pkg/store/metadata/store.go

@@ -84,7 +84,7 @@ func New(cfg *config.Config) settings.Manager {
 
 // NewMetadataClient returns the MetadataClient
 func NewMetadataClient(cfg config.Metadata) MetadataClient {
-	mdc, err := metadata.NewCS3Storage(cfg.GatewayAddress, cfg.StorageAddress, cfg.ServiceUserID, cfg.ServiceUserIDP, cfg.MachineAuthAPIKey)
+	mdc, err := metadata.NewCS3Storage(cfg.GatewayAddress, cfg.StorageAddress, cfg.ServiceUserID, cfg.ServiceUserIDP, cfg.SystemUserAPIKey)
 	if err != nil {
 		log.Fatal("error connecting to mdc:", err)
 	}

extensions/sharing/pkg/config/config.go

@@ -94,10 +94,10 @@ type UserSharingOwnCloudSQLDriver struct {
 }
 
 type UserSharingCS3Driver struct {
-	ProviderAddr      string `yaml:"provider_addr" env:"SHARING_USER_CS3_PROVIDER_ADDR"`
-	ServiceUserID     string `yaml:"service_user_id" env:"SHARING_USER_CS3_SERVICE_USER_ID"`
-	ServiceUserIDP    string `yaml:"service_user_idp" env:"OCIS_URL;SHARING_USER_CS3_SERVICE_USER_IDP"`
-	MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY;SHARING_USER_CS3_MACHINE_AUTH_API_KEY"`
+	ProviderAddr     string `yaml:"provider_addr" env:"SHARING_USER_CS3_PROVIDER_ADDR"`
+	ServiceUserID    string `yaml:"service_user_id" env:"SHARING_USER_CS3_SERVICE_USER_ID"`
+	ServiceUserIDP   string `yaml:"service_user_idp" env:"OCIS_URL;SHARING_USER_CS3_SERVICE_USER_IDP"`
+	SystemUserAPIKey string `yaml:"system_user_api_key" env:"OCIS_SYSTEM_USER_API_KEY;SHARING_USER_CS3_SYSTEM_USER_API_KEY"`
 }
 
 type PublicSharingDrivers struct {
@@ -124,10 +124,10 @@ type PublicSharingSQLDriver struct {
 }
 
 type PublicSharingCS3Driver struct {
-	ProviderAddr      string `yaml:"provider_addr" env:"SHARING_PUBLIC_CS3_PROVIDER_ADDR"`
-	ServiceUserID     string `yaml:"service_user_id" env:"SHARING_PUBLIC_CS3_SERVICE_USER_ID"`
-	ServiceUserIDP    string `yaml:"service_user_idp" env:"OCIS_URL;SHARING_PUBLIC_CS3_SERVICE_USER_IDP"`
-	MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY;SHARING_PUBLIC_CS3_MACHINE_AUTH_API_KEY"`
+	ProviderAddr     string `yaml:"provider_addr" env:"SHARING_PUBLIC_CS3_PROVIDER_ADDR"`
+	ServiceUserID    string `yaml:"service_user_id" env:"SHARING_PUBLIC_CS3_SERVICE_USER_ID"`
+	ServiceUserIDP   string `yaml:"service_user_idp" env:"OCIS_URL;SHARING_PUBLIC_CS3_SERVICE_USER_IDP"`
+	SystemUserAPIKey string `yaml:"system_user_api_key" env:"OCIS_SYSTEM_USER_API_KEY;SHARING_USER_CS3_SYSTEM_USER_API_KEY"`
 }
 
 type Events struct {

extensions/sharing/pkg/config/defaults/defaultconfig.go

@@ -100,16 +100,16 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.TokenManager = &config.TokenManager{}
 	}
 
-	if cfg.UserSharingDrivers.CS3.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" {
-		cfg.UserSharingDrivers.CS3.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey
+	if cfg.UserSharingDrivers.CS3.SystemUserAPIKey == "" && cfg.Commons != nil && cfg.Commons.SystemUserAPIKey != "" {
+		cfg.UserSharingDrivers.CS3.SystemUserAPIKey = cfg.Commons.SystemUserAPIKey
 	}
 
 	if cfg.UserSharingDrivers.CS3.ServiceUserID == "" && cfg.Commons != nil && cfg.Commons.SystemUserID != "" {
 		cfg.UserSharingDrivers.CS3.ServiceUserID = cfg.Commons.SystemUserID
 	}
 
-	if cfg.PublicSharingDrivers.CS3.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" {
-		cfg.PublicSharingDrivers.CS3.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey
+	if cfg.PublicSharingDrivers.CS3.SystemUserAPIKey == "" && cfg.Commons != nil && cfg.Commons.SystemUserAPIKey != "" {
+		cfg.PublicSharingDrivers.CS3.SystemUserAPIKey = cfg.Commons.SystemUserAPIKey
 	}
 
 	if cfg.PublicSharingDrivers.CS3.ServiceUserID == "" && cfg.Commons != nil && cfg.Commons.SystemUserID != "" {

extensions/sharing/pkg/config/parser/parse.go

@@ -38,16 +38,16 @@ func Validate(cfg *config.Config) error {
 		return shared.MissingJWTTokenError(cfg.Service.Name)
 	}
 
-	if cfg.PublicSharingDriver == "cs3" && cfg.PublicSharingDrivers.CS3.MachineAuthAPIKey == "" {
-		return shared.MissingMachineAuthApiKeyError(cfg.Service.Name)
+	if cfg.PublicSharingDriver == "cs3" && cfg.PublicSharingDrivers.CS3.SystemUserAPIKey == "" {
+		return shared.MissingSystemUserApiKeyError(cfg.Service.Name)
 	}
 
 	if cfg.PublicSharingDriver == "cs3" && cfg.PublicSharingDrivers.CS3.ServiceUserID == "" {
 		return shared.MissingSystemUserID(cfg.Service.Name)
 	}
 
-	if cfg.UserSharingDriver == "cs3" && cfg.UserSharingDrivers.CS3.MachineAuthAPIKey == "" {
-		return shared.MissingMachineAuthApiKeyError(cfg.Service.Name)
+	if cfg.UserSharingDriver == "cs3" && cfg.UserSharingDrivers.CS3.SystemUserAPIKey == "" {
+		return shared.MissingSystemUserApiKeyError(cfg.Service.Name)
 	}
 
 	if cfg.UserSharingDriver == "cs3" && cfg.UserSharingDrivers.CS3.ServiceUserID == "" {

extensions/sharing/pkg/revaconfig/config.go

@@ -52,7 +52,7 @@ func SharingConfigFromStruct(cfg *config.Config) map[string]interface{} {
 							"provider_addr":       cfg.UserSharingDrivers.CS3.ProviderAddr,
 							"service_user_id":     cfg.UserSharingDrivers.CS3.ServiceUserID,
 							"service_user_idp":    cfg.UserSharingDrivers.CS3.ServiceUserIDP,
-							"machine_auth_apikey": cfg.UserSharingDrivers.CS3.MachineAuthAPIKey,
+							"machine_auth_apikey": cfg.UserSharingDrivers.CS3.SystemUserAPIKey,
 						},
 					},
 				},
@@ -77,7 +77,7 @@ func SharingConfigFromStruct(cfg *config.Config) map[string]interface{} {
 							"provider_addr":       cfg.PublicSharingDrivers.CS3.ProviderAddr,
 							"service_user_id":     cfg.PublicSharingDrivers.CS3.ServiceUserID,
 							"service_user_idp":    cfg.PublicSharingDrivers.CS3.ServiceUserIDP,
-							"machine_auth_apikey": cfg.PublicSharingDrivers.CS3.MachineAuthAPIKey,
+							"machine_auth_apikey": cfg.PublicSharingDrivers.CS3.SystemUserAPIKey,
 						},
 					},
 				},

extensions/storage-system/pkg/config/config.go

@@ -16,10 +16,10 @@ type Config struct {
 	GRPC GRPCConfig `yaml:"grpc"`
 	HTTP HTTPConfig `yaml:"http"`
 
-	TokenManager      *TokenManager `yaml:"token_manager"`
-	Reva              *Reva         `yaml:"reva"`
-	MachineAuthAPIKey string        `yaml:"machine_auth_api_key" env:"STORAGE_SYSTEM_MACHINE_AUTH_API_KEY"`
-	SystemUserID      string        `yaml:"system_user_id"`
+	TokenManager     *TokenManager `yaml:"token_manager"`
+	Reva             *Reva         `yaml:"reva"`
+	SystemUserID     string        `yaml:"system_user_id"`
+	SystemUserAPIKey string        `yaml:"system_user_api_key" env:"OCIS_SYSTEM_USER_API_KEY"`
 
 	SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"STORAGE_SYSTEM_SKIP_USER_GROUPS_IN_TOKEN"`
 

extensions/storage-system/pkg/config/defaults/defaultconfig.go

@@ -89,8 +89,8 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.TokenManager = &config.TokenManager{}
 	}
 
-	if cfg.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" {
-		cfg.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey
+	if cfg.SystemUserAPIKey == "" && cfg.Commons != nil && cfg.Commons.SystemUserAPIKey != "" {
+		cfg.SystemUserAPIKey = cfg.Commons.SystemUserAPIKey
 	}
 
 	if cfg.SystemUserID == "" && cfg.Commons != nil && cfg.Commons.SystemUserID != "" {

extensions/storage-system/pkg/config/parser/parse.go

@@ -38,8 +38,8 @@ func Validate(cfg *config.Config) error {
 		return shared.MissingJWTTokenError(cfg.Service.Name)
 	}
 
-	if cfg.MachineAuthAPIKey == "" {
-		return shared.MissingMachineAuthApiKeyError(cfg.Service.Name)
+	if cfg.SystemUserAPIKey == "" {
+		return shared.MissingSystemUserApiKeyError(cfg.Service.Name)
 	}
 
 	if cfg.SystemUserID == "" {

extensions/storage-system/pkg/revaconfig/config.go

@@ -67,7 +67,7 @@ func StorageSystemFromStruct(cfg *config.Config) map[string]interface{} {
 					"auth_manager": "machine",
 					"auth_managers": map[string]interface{}{
 						"machine": map[string]interface{}{
-							"api_key":      cfg.MachineAuthAPIKey,
+							"api_key":      cfg.SystemUserAPIKey,
 							"gateway_addr": cfg.GRPC.Addr,
 						},
 					},

ocis-pkg/config/config.go

@@ -70,6 +70,7 @@ type Config struct {
 	MachineAuthAPIKey string               `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY"`
 	TransferSecret    string               `yaml:"transfer_secret" env:"STORAGE_TRANSFER_SECRET"`
 	SystemUserID      string               `yaml:"system_user_id" env:"OCIS_SYSTEM_USER_ID"`
+	SystemUserAPIKey  string               `yaml:"system_user_api_key" env:"OCIS_SYSTEM_USER_API_KEY"`
 	AdminUserID       string               `yaml:"admin_user_id" env:"OCIS_ADMIN_USER_ID"`
 	Runtime           Runtime              `yaml:"runtime"`
 

ocis-pkg/config/parser/parse.go

@@ -89,6 +89,10 @@ func EnsureCommons(cfg *config.Config) {
 		cfg.Commons.MachineAuthAPIKey = cfg.MachineAuthAPIKey
 	}
 
+	if cfg.SystemUserAPIKey != "" {
+		cfg.Commons.SystemUserAPIKey = cfg.SystemUserAPIKey
+	}
+
 	// copy transfer secret to the commons part if set
 	if cfg.TransferSecret != "" {
 		cfg.Commons.TransferSecret = cfg.TransferSecret

ocis-pkg/shared/errors.go

@@ -14,6 +14,14 @@ func MissingMachineAuthApiKeyError(service string) error {
 		service, defaults.BaseConfigPath())
 }
 
+func MissingSystemUserApiKeyError(service string) error {
+	return fmt.Errorf("The SystemUser API key has not been configured for %s. "+
+		"Make sure your %s config contains the proper values "+
+		"(e.g. by running ocis init or setting it manually in "+
+		"the config/corresponding environment variable).",
+		service, defaults.BaseConfigPath())
+}
+
 func MissingJWTTokenError(service string) error {
 	return fmt.Errorf("jwt_secret has not been set properly in your config for %s. "+
 		"Make sure your %s config contains the proper values "+

ocis-pkg/shared/shared_types.go

@@ -45,5 +45,6 @@ type Commons struct {
 	MachineAuthAPIKey string        `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY"`
 	TransferSecret    string        `yaml:"transfer_secret,omitempty" env:"REVA_TRANSFER_SECRET"`
 	SystemUserID      string        `yaml:"system_user_id" env:"OCIS_SYSTEM_USER_ID"`
+	SystemUserAPIKey  string        `yaml:"system_user_api_key" env:"SYSTEM_USER_API_KEY"`
 	AdminUserID       string        `yaml:"admin_user_id" env:"OCIS_ADMIN_USER_ID"`
 }

ocis/pkg/init/init.go

@@ -98,6 +98,7 @@ type ThumbNailExtension struct {
 type OcisConfig struct {
 	TokenManager      TokenManager `yaml:"token_manager"`
 	MachineAuthApiKey string       `yaml:"machine_auth_api_key"`
+	SystemUserAPIKey  string       `yaml:"system_user_api_key"`
 	TransferSecret    string       `yaml:"transfer_secret"`
 	SystemUserID      string       `yaml:"system_user_id"`
 	AdminUserID       string       `yaml:"admin_user_id"`
@@ -193,6 +194,10 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin
 	if err != nil {
 		return fmt.Errorf("could not generate random password for machineauthsecret: %s", err)
 	}
+	systemUserApiKey, err := generators.GenerateRandomPassword(passwordLength)
+	if err != nil {
+		return fmt.Errorf("could not generate random system user API key: %s", err)
+	}
 	revaTransferSecret, err := generators.GenerateRandomPassword(passwordLength)
 	if err != nil {
 		return fmt.Errorf("could not generate random password for machineauthsecret: %s", err)
@@ -203,6 +208,7 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin
 			JWTSecret: tokenManagerJwtSecret,
 		},
 		MachineAuthApiKey: machineAuthApiKey,
+		SystemUserAPIKey:  systemUserApiKey,
 		TransferSecret:    revaTransferSecret,
 		SystemUserID:      systemUserID,
 		AdminUserID:       adminUserID,