diff --git a/changelog/unreleased/split-machineauth-and-systemuserauth.md b/changelog/unreleased/split-machineauth-and-systemuserauth.md new file mode 100644 index 0000000000..8afeb7ed47 --- /dev/null +++ b/changelog/unreleased/split-machineauth-and-systemuserauth.md @@ -0,0 +1,6 @@ +Change: Split MachineAuth from SystemUser + +We now have two different APIKeys: MachineAuth for the machine-auth service +and SystemUser for the system user used e.g. by settings service + +https://github.com/owncloud/ocis/pull/3672 diff --git a/extensions/settings/pkg/config/config.go b/extensions/settings/pkg/config/config.go index 8182911bf5..9bae2fae42 100644 --- a/extensions/settings/pkg/config/config.go +++ b/extensions/settings/pkg/config/config.go @@ -39,7 +39,7 @@ type Metadata struct { GatewayAddress string `yaml:"gateway_addr" env:"STORAGE_GATEWAY_GRPC_ADDR"` StorageAddress string `yaml:"storage_addr" env:"STORAGE_GRPC_ADDR"` - ServiceUserID string `yaml:"service_user_id" env:"METADATA_SERVICE_USER_UUID"` - ServiceUserIDP string `yaml:"service_user_idp" env:"METADATA_SERVICE_USER_IDP"` - MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY"` + ServiceUserID string `yaml:"service_user_id" env:"METADATA_SERVICE_USER_UUID"` + ServiceUserIDP string `yaml:"service_user_idp" env:"METADATA_SERVICE_USER_IDP"` + SystemUserAPIKey string `yaml:"system_user_api_key" env:"OCIS_SYSTEM_USER_API_KEY"` } diff --git a/extensions/settings/pkg/config/defaults/defaultconfig.go b/extensions/settings/pkg/config/defaults/defaultconfig.go index 23173a8fc1..236bad6f45 100644 --- a/extensions/settings/pkg/config/defaults/defaultconfig.go +++ b/extensions/settings/pkg/config/defaults/defaultconfig.go 
@@ -89,8 +89,8 @@ func EnsureDefaults(cfg *config.Config) { cfg.TokenManager = &config.TokenManager{} } - if cfg.Metadata.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" { - cfg.Metadata.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey + if cfg.Metadata.SystemUserAPIKey == "" && cfg.Commons != nil && cfg.Commons.SystemUserAPIKey != "" { + cfg.Metadata.SystemUserAPIKey = cfg.Commons.SystemUserAPIKey } if cfg.Metadata.ServiceUserID == "" && cfg.Commons != nil && cfg.Commons.SystemUserID != "" { diff --git a/extensions/settings/pkg/config/parser/parse.go b/extensions/settings/pkg/config/parser/parse.go index 5fa45bac68..2018f2e141 100644 --- a/extensions/settings/pkg/config/parser/parse.go +++ b/extensions/settings/pkg/config/parser/parse.go @@ -37,8 +37,8 @@ func Validate(cfg *config.Config) error { return shared.MissingJWTTokenError(cfg.Service.Name) } - if cfg.Metadata.MachineAuthAPIKey == "" { - return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) + if cfg.Metadata.SystemUserAPIKey == "" { + return shared.MissingSystemUserApiKeyError(cfg.Service.Name) } if cfg.AdminUserID == "" { diff --git a/extensions/settings/pkg/store/metadata/store.go b/extensions/settings/pkg/store/metadata/store.go index e9d8739dd3..7511c510e3 100644 --- a/extensions/settings/pkg/store/metadata/store.go +++ b/extensions/settings/pkg/store/metadata/store.go @@ -84,7 +84,7 @@ func New(cfg *config.Config) settings.Manager { // NewMetadataClient returns the MetadataClient func NewMetadataClient(cfg config.Metadata) MetadataClient { - mdc, err := metadata.NewCS3Storage(cfg.GatewayAddress, cfg.StorageAddress, cfg.ServiceUserID, cfg.ServiceUserIDP, cfg.MachineAuthAPIKey) + mdc, err := metadata.NewCS3Storage(cfg.GatewayAddress, cfg.StorageAddress, cfg.ServiceUserID, cfg.ServiceUserIDP, cfg.SystemUserAPIKey) if err != nil { log.Fatal("error connecting to mdc:", err) } 
diff --git a/extensions/sharing/pkg/config/config.go b/extensions/sharing/pkg/config/config.go index 553ba05ec7..8926fcc731 100644 --- a/extensions/sharing/pkg/config/config.go +++ b/extensions/sharing/pkg/config/config.go @@ -94,10 +94,10 @@ type UserSharingOwnCloudSQLDriver struct { } type UserSharingCS3Driver struct { - ProviderAddr string `yaml:"provider_addr" env:"SHARING_USER_CS3_PROVIDER_ADDR"` - ServiceUserID string `yaml:"service_user_id" env:"SHARING_USER_CS3_SERVICE_USER_ID"` - ServiceUserIDP string `yaml:"service_user_idp" env:"OCIS_URL;SHARING_USER_CS3_SERVICE_USER_IDP"` - MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY;SHARING_USER_CS3_MACHINE_AUTH_API_KEY"` + ProviderAddr string `yaml:"provider_addr" env:"SHARING_USER_CS3_PROVIDER_ADDR"` + ServiceUserID string `yaml:"service_user_id" env:"SHARING_USER_CS3_SERVICE_USER_ID"` + ServiceUserIDP string `yaml:"service_user_idp" env:"OCIS_URL;SHARING_USER_CS3_SERVICE_USER_IDP"` + SystemUserAPIKey string `yaml:"system_user_api_key" env:"OCIS_SYSTEM_USER_API_KEY;SHARING_USER_CS3_SYSTEM_USER_API_KEY"` } type PublicSharingDrivers struct { 
@@ -124,10 +124,10 @@ type PublicSharingSQLDriver struct { } type PublicSharingCS3Driver struct { - ProviderAddr string `yaml:"provider_addr" env:"SHARING_PUBLIC_CS3_PROVIDER_ADDR"` - ServiceUserID string `yaml:"service_user_id" env:"SHARING_PUBLIC_CS3_SERVICE_USER_ID"` - ServiceUserIDP string `yaml:"service_user_idp" env:"OCIS_URL;SHARING_PUBLIC_CS3_SERVICE_USER_IDP"` - MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY;SHARING_PUBLIC_CS3_MACHINE_AUTH_API_KEY"` + ProviderAddr string `yaml:"provider_addr" env:"SHARING_PUBLIC_CS3_PROVIDER_ADDR"` + ServiceUserID string `yaml:"service_user_id" env:"SHARING_PUBLIC_CS3_SERVICE_USER_ID"` + ServiceUserIDP string `yaml:"service_user_idp" env:"OCIS_URL;SHARING_PUBLIC_CS3_SERVICE_USER_IDP"` + SystemUserAPIKey string `yaml:"system_user_api_key" env:"OCIS_SYSTEM_USER_API_KEY;SHARING_USER_CS3_SYSTEM_USER_API_KEY"` } type Events struct { diff --git a/extensions/sharing/pkg/config/defaults/defaultconfig.go b/extensions/sharing/pkg/config/defaults/defaultconfig.go index 518c0ae58e..c191a21d21 100644 --- a/extensions/sharing/pkg/config/defaults/defaultconfig.go +++ b/extensions/sharing/pkg/config/defaults/defaultconfig.go 
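Review bot: The `env` tag on the new `SystemUserAPIKey` field of `PublicSharingCS3Driver` names `SHARING_USER_CS3_SYSTEM_USER_API_KEY`, the user-sharing driver's variable, while every other field in this struct and the line it replaces use the `SHARING_PUBLIC_CS3_` prefix. As written, the public-sharing driver's service-scoped override is read from the user-sharing variable, and a deployment that sets `SHARING_PUBLIC_CS3_SYSTEM_USER_API_KEY` appears to be ignored and falls back to the global key. The tag should read `env:"OCIS_SYSTEM_USER_API_KEY;SHARING_PUBLIC_CS3_SYSTEM_USER_API_KEY"`, matching the `UserSharingCS3Driver` hunk above.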
@@ -100,16 +100,16 @@ func EnsureDefaults(cfg *config.Config) { cfg.TokenManager = &config.TokenManager{} } - if cfg.UserSharingDrivers.CS3.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" { - cfg.UserSharingDrivers.CS3.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey + if cfg.UserSharingDrivers.CS3.SystemUserAPIKey == "" && cfg.Commons != nil && cfg.Commons.SystemUserAPIKey != "" { + cfg.UserSharingDrivers.CS3.SystemUserAPIKey = cfg.Commons.SystemUserAPIKey } if cfg.UserSharingDrivers.CS3.ServiceUserID == "" && cfg.Commons != nil && cfg.Commons.SystemUserID != "" { cfg.UserSharingDrivers.CS3.ServiceUserID = cfg.Commons.SystemUserID } - if cfg.PublicSharingDrivers.CS3.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" { - cfg.PublicSharingDrivers.CS3.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey + if cfg.PublicSharingDrivers.CS3.SystemUserAPIKey == "" && cfg.Commons != nil && cfg.Commons.SystemUserAPIKey != "" { + cfg.PublicSharingDrivers.CS3.SystemUserAPIKey = cfg.Commons.SystemUserAPIKey } if cfg.PublicSharingDrivers.CS3.ServiceUserID == "" && cfg.Commons != nil && cfg.Commons.SystemUserID != "" { diff --git a/extensions/sharing/pkg/config/parser/parse.go b/extensions/sharing/pkg/config/parser/parse.go index df63239c29..9b12b8f56a 100644 --- a/extensions/sharing/pkg/config/parser/parse.go +++ b/extensions/sharing/pkg/config/parser/parse.go 
@@ -38,16 +38,16 @@ func Validate(cfg *config.Config) error { return shared.MissingJWTTokenError(cfg.Service.Name) } - if cfg.PublicSharingDriver == "cs3" && cfg.PublicSharingDrivers.CS3.MachineAuthAPIKey == "" { - return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) + if cfg.PublicSharingDriver == "cs3" && cfg.PublicSharingDrivers.CS3.SystemUserAPIKey == "" { + return shared.MissingSystemUserApiKeyError(cfg.Service.Name) } if cfg.PublicSharingDriver == "cs3" && cfg.PublicSharingDrivers.CS3.ServiceUserID == "" { return shared.MissingSystemUserID(cfg.Service.Name) } - if cfg.UserSharingDriver == "cs3" && cfg.UserSharingDrivers.CS3.MachineAuthAPIKey == "" { - return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) + if cfg.UserSharingDriver == "cs3" && cfg.UserSharingDrivers.CS3.SystemUserAPIKey == "" { + return shared.MissingSystemUserApiKeyError(cfg.Service.Name) } if cfg.UserSharingDriver == "cs3" && cfg.UserSharingDrivers.CS3.ServiceUserID == "" { diff --git a/extensions/sharing/pkg/revaconfig/config.go b/extensions/sharing/pkg/revaconfig/config.go index 00a8d3a251..a7099520d2 100644 --- a/extensions/sharing/pkg/revaconfig/config.go +++ b/extensions/sharing/pkg/revaconfig/config.go @@ -52,7 +52,7 @@ func SharingConfigFromStruct(cfg *config.Config) map[string]interface{} { "provider_addr": cfg.UserSharingDrivers.CS3.ProviderAddr, "service_user_id": cfg.UserSharingDrivers.CS3.ServiceUserID, "service_user_idp": cfg.UserSharingDrivers.CS3.ServiceUserIDP, - "machine_auth_apikey": cfg.UserSharingDrivers.CS3.MachineAuthAPIKey, + "machine_auth_apikey": cfg.UserSharingDrivers.CS3.SystemUserAPIKey, }, }, }, 
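Review bot: The reva config key on the changed line is still `"machine_auth_apikey"` while the value now comes from `SystemUserAPIKey`, and the same pairing appears in the public-sharing hunk of this file below; a reader will reasonably assume this is the `OCIS_MACHINE_AUTH_API_KEY` secret that the rest of the diff deliberately separates from it. A one-line comment above each changed line would remove the ambiguity, e.g. `// reva's config key is historical: the cs3 share driver authenticates with the storage provider's machine auth manager, which verifies the system-user key`. I can only infer the verifying side from the storage-system revaconfig hunk in this diff, so confirm it against the reva driver before committing the comment. `SharingConfigFromStruct` starts and ends outside the hunk.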
@@ -77,7 +77,7 @@ func SharingConfigFromStruct(cfg *config.Config) map[string]interface{} { "provider_addr": cfg.PublicSharingDrivers.CS3.ProviderAddr, "service_user_id": cfg.PublicSharingDrivers.CS3.ServiceUserID, "service_user_idp": cfg.PublicSharingDrivers.CS3.ServiceUserIDP, - "machine_auth_apikey": cfg.PublicSharingDrivers.CS3.MachineAuthAPIKey, + "machine_auth_apikey": cfg.PublicSharingDrivers.CS3.SystemUserAPIKey, }, }, }, diff --git a/extensions/storage-system/pkg/config/config.go b/extensions/storage-system/pkg/config/config.go index 7939194666..de922df884 100644 --- a/extensions/storage-system/pkg/config/config.go +++ b/extensions/storage-system/pkg/config/config.go @@ -16,10 +16,10 @@ type Config struct { GRPC GRPCConfig `yaml:"grpc"` HTTP HTTPConfig `yaml:"http"` - TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` - MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"STORAGE_SYSTEM_MACHINE_AUTH_API_KEY"` - SystemUserID string `yaml:"system_user_id"` + TokenManager *TokenManager `yaml:"token_manager"` + Reva *Reva `yaml:"reva"` + SystemUserID string `yaml:"system_user_id"` + SystemUserAPIKey string `yaml:"system_user_api_key" env:"OCIS_SYSTEM_USER_API_KEY"` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"STORAGE_SYSTEM_SKIP_USER_GROUPS_IN_TOKEN"` diff --git a/extensions/storage-system/pkg/config/defaults/defaultconfig.go b/extensions/storage-system/pkg/config/defaults/defaultconfig.go index 3fa3162adf..3d08c4fbee 100644 --- a/extensions/storage-system/pkg/config/defaults/defaultconfig.go +++ b/extensions/storage-system/pkg/config/defaults/defaultconfig.go 
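Review bot: The removed `STORAGE_SYSTEM_MACHINE_AUTH_API_KEY` was a service-scoped override, but the new `SystemUserAPIKey` field in the storage-system `Config` binds only the global `OCIS_SYSTEM_USER_API_KEY`, unlike the sharing drivers in this diff, which keep a per-service second variable. If the storage-system should stay configurable on its own, the tag could become `env:"OCIS_SYSTEM_USER_API_KEY;STORAGE_SYSTEM_SYSTEM_USER_API_KEY"`; if dropping the override is intended, the changelog should say so, because the old variable stops being read without any warning. Either way, a comment on the field stating that this is the key the storage-system's own machine auth manager verifies would help operators tell it apart from `OCIS_MACHINE_AUTH_API_KEY`.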
@@ -89,8 +89,8 @@ func EnsureDefaults(cfg *config.Config) { cfg.TokenManager = &config.TokenManager{} } - if cfg.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" { - cfg.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey + if cfg.SystemUserAPIKey == "" && cfg.Commons != nil && cfg.Commons.SystemUserAPIKey != "" { + cfg.SystemUserAPIKey = cfg.Commons.SystemUserAPIKey } if cfg.SystemUserID == "" && cfg.Commons != nil && cfg.Commons.SystemUserID != "" { diff --git a/extensions/storage-system/pkg/config/parser/parse.go b/extensions/storage-system/pkg/config/parser/parse.go index 7932a4548d..70763f2345 100644 --- a/extensions/storage-system/pkg/config/parser/parse.go +++ b/extensions/storage-system/pkg/config/parser/parse.go @@ -38,8 +38,8 @@ func Validate(cfg *config.Config) error { return shared.MissingJWTTokenError(cfg.Service.Name) } - if cfg.MachineAuthAPIKey == "" { - return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) + if cfg.SystemUserAPIKey == "" { + return shared.MissingSystemUserApiKeyError(cfg.Service.Name) } if cfg.SystemUserID == "" { diff --git a/extensions/storage-system/pkg/revaconfig/config.go b/extensions/storage-system/pkg/revaconfig/config.go index 0489758df4..32cd9a8b42 100644 --- a/extensions/storage-system/pkg/revaconfig/config.go +++ b/extensions/storage-system/pkg/revaconfig/config.go @@ -67,7 +67,7 @@ func StorageSystemFromStruct(cfg *config.Config) map[string]interface{} { "auth_manager": "machine", "auth_managers": map[string]interface{}{ "machine": map[string]interface{}{ - "api_key": cfg.MachineAuthAPIKey, + "api_key": cfg.SystemUserAPIKey, "gateway_addr": cfg.GRPC.Addr, }, }, diff --git a/ocis-pkg/config/config.go b/ocis-pkg/config/config.go index 2d5474e4b8..6cf8ab32fe 100644 --- a/ocis-pkg/config/config.go +++ b/ocis-pkg/config/config.go 
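Review bot: The changed `api_key` line under `"auth_manager": "machine"` is the verifying side of the new secret: it configures the machine auth manager the storage-system uses to accept requests, and the settings metadata store and both sharing cs3 drivers in this diff appear to present `SystemUserAPIKey` to it. A comment above the line would make that trust relationship explicit, e.g. `// verified against the SystemUserAPIKey presented by settings and sharing; must differ from OCIS_MACHINE_AUTH_API_KEY`. `StorageSystemFromStruct` starts and ends outside the hunk.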
@@ -70,6 +70,7 @@ type Config struct { MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY"` TransferSecret string `yaml:"transfer_secret" env:"STORAGE_TRANSFER_SECRET"` SystemUserID string `yaml:"system_user_id" env:"OCIS_SYSTEM_USER_ID"` + SystemUserAPIKey string `yaml:"system_user_api_key" env:"OCIS_SYSTEM_USER_API_KEY"` AdminUserID string `yaml:"admin_user_id" env:"OCIS_ADMIN_USER_ID"` Runtime Runtime `yaml:"runtime"` diff --git a/ocis-pkg/config/parser/parse.go b/ocis-pkg/config/parser/parse.go index b5381afc56..aa1ffe286b 100644 --- a/ocis-pkg/config/parser/parse.go +++ b/ocis-pkg/config/parser/parse.go @@ -89,6 +89,10 @@ func EnsureCommons(cfg *config.Config) { cfg.Commons.MachineAuthAPIKey = cfg.MachineAuthAPIKey } + if cfg.SystemUserAPIKey != "" { + cfg.Commons.SystemUserAPIKey = cfg.SystemUserAPIKey + } + // copy transfer secret to the commons part if set if cfg.TransferSecret != "" { cfg.Commons.TransferSecret = cfg.TransferSecret diff --git a/ocis-pkg/shared/errors.go b/ocis-pkg/shared/errors.go index 394407bba4..3a14d13765 100644 --- a/ocis-pkg/shared/errors.go +++ b/ocis-pkg/shared/errors.go @@ -14,6 +14,14 @@ func MissingMachineAuthApiKeyError(service string) error { service, defaults.BaseConfigPath()) } +func MissingSystemUserApiKeyError(service string) error { + return fmt.Errorf("The SystemUser API key has not been configured for %s. "+ + "Make sure your %s config contains the proper values "+ + "(e.g. by running ocis init or setting it manually in "+ + "the config/corresponding environment variable).", + service, defaults.BaseConfigPath()) +} + func MissingJWTTokenError(service string) error { return fmt.Errorf("jwt_secret has not been set properly in your config for %s. "+ "Make sure your %s config contains the proper values "+ diff --git a/ocis-pkg/shared/shared_types.go b/ocis-pkg/shared/shared_types.go index 33aa70b9e3..5ef2c69766 100644 --- a/ocis-pkg/shared/shared_types.go 
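Review bot: The new copy into `cfg.Commons.SystemUserAPIKey` in `EnsureCommons` has no fallback for configurations written before this split, and the `Validate` hunks for settings, sharing and storage-system in this diff now return `MissingSystemUserApiKeyError` when the key is absent, so an upgraded deployment that only has `OCIS_MACHINE_AUTH_API_KEY` stops starting until `ocis init` is re-run or `OCIS_SYSTEM_USER_API_KEY` is set. That is a defensible choice for a secret split (a silent fallback to the machine-auth key would undo the separation), but it is a breaking change that the changelog entry should state together with the migration step. A comment on the new block would record the intent, e.g. `// deliberately not derived from MachineAuthAPIKey; the two secrets must be configured separately`. `EnsureCommons` starts and ends outside the hunk.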
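Review bot: `MissingSystemUserApiKeyError` in `ocis-pkg/shared/errors.go` is exported but has no doc comment, and the error text it builds is capitalized and ends with a period, which Go's conventions for error strings avoid; the sibling `MissingMachineAuthApiKeyError` above shares both traits, so this is consistent with the file rather than a regression. A doc comment such as `// MissingSystemUserApiKeyError returns the error a service reports when its system-user API key is unset.` would bring the new function in line with the convention for exported names. The `ApiKey` spelling diverges from the `APIKey` initialism used by the config fields in this diff, again matching the existing sibling.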
+++ b/ocis-pkg/shared/shared_types.go @@ -45,5 +45,6 @@ type Commons struct { MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY"` TransferSecret string `yaml:"transfer_secret,omitempty" env:"REVA_TRANSFER_SECRET"` SystemUserID string `yaml:"system_user_id" env:"OCIS_SYSTEM_USER_ID"` + SystemUserAPIKey string `yaml:"system_user_api_key" env:"SYSTEM_USER_API_KEY"` AdminUserID string `yaml:"admin_user_id" env:"OCIS_ADMIN_USER_ID"` } diff --git a/ocis/pkg/init/init.go b/ocis/pkg/init/init.go index 2651683e3d..7de9e9dad4 100644 --- a/ocis/pkg/init/init.go +++ b/ocis/pkg/init/init.go @@ -98,6 +98,7 @@ type ThumbNailExtension struct { type OcisConfig struct { TokenManager TokenManager `yaml:"token_manager"` MachineAuthApiKey string `yaml:"machine_auth_api_key"` + SystemUserAPIKey string `yaml:"system_user_api_key"` TransferSecret string `yaml:"transfer_secret"` SystemUserID string `yaml:"system_user_id"` AdminUserID string `yaml:"admin_user_id"` @@ -193,6 +194,10 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin if err != nil { return fmt.Errorf("could not generate random password for machineauthsecret: %s", err) } + systemUserApiKey, err := generators.GenerateRandomPassword(passwordLength) + if err != nil { + return fmt.Errorf("could not generate random system user API key: %s", err) + } revaTransferSecret, err := generators.GenerateRandomPassword(passwordLength) if err != nil { return fmt.Errorf("could not generate random password for machineauthsecret: %s", err) @@ -203,6 +208,7 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin JWTSecret: tokenManagerJwtSecret, }, MachineAuthApiKey: machineAuthApiKey, + SystemUserAPIKey: systemUserApiKey, TransferSecret: revaTransferSecret, SystemUserID: systemUserID, AdminUserID: adminUserID,
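Review bot: The `env` tag on the new `Commons.SystemUserAPIKey` is `SYSTEM_USER_API_KEY`, without the `OCIS_` prefix carried by the neighbouring `OCIS_SYSTEM_USER_ID` and `OCIS_MACHINE_AUTH_API_KEY` and used for the same secret in `ocis-pkg/config/config.go` and every extension in this diff. The field is populated via `EnsureCommons` from `cfg.SystemUserAPIKey`, so the mismatch is probably masked in practice, but it leaves an undocumented second variable name for a credential. The tag should read `env:"OCIS_SYSTEM_USER_API_KEY"`.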
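Review bot: The new error in `CreateConfig` formats the underlying error with `%s`, which discards it from the chain; `%w` would keep it inspectable with `errors.Is`/`errors.As`, although the neighbouring calls use `%s` too, so either change all of them or match the file. The unchanged line just below the new block still reports the `revaTransferSecret` failure as "machineauthsecret", a pre-existing copy-paste slip that this hunk sits right next to and could fix in passing. `CreateConfig` starts and ends outside the hunk.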