Add option to disable signing keys in the proxy

This commit is contained in:
Benedikt Kulmann
2020-11-20 16:00:11 +01:00
parent 206980238c
commit edc252e1a0
5 changed files with 17 additions and 12 deletions

View File

@@ -70,7 +70,6 @@ services:
OWNCLOUD_MYSQL_UTF8MB4: "true"
OWNCLOUD_REDIS_ENABLED: "true"
OWNCLOUD_REDIS_HOST: redis
OWNCLOUD_DEBUG: "true"
OWNCLOUD_TRUSTED_PROXIES: ${OC10_DOMAIN}
OWNCLOUD_OVERWRITE_PROTOCOL: https
OWNCLOUD_OVERWRITE_HOST: ${OC10_DOMAIN}
@@ -111,6 +110,7 @@ services:
PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN}
PROXY_AUTOPROVISION_ACCOUNTS: "true"
PROXY_OIDC_INSECURE: "${INSECURE}"
PROXY_ENABLE_PRESIGNEDURLS: "false"
# konnectd - binddn must exist as oc10 admin user
KONNECTD_ISS: https://${OCIS_DOMAIN}
KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/config/identifier-registration.yaml"

View File

@@ -1,6 +0,0 @@
Enhancement: Add basic auth option
We added a new `enable-basic-auth` option and `PROXY_ENABLE_BASIC_AUTH` environment variable that can be set to `true` to make the proxy verify the basic auth header with the accounts service. This should only be used for testing and development and is disabled by default.
https://github.com/owncloud/ocis/pull/627
https://github.com/owncloud/product/issues/198

View File

@@ -135,6 +135,7 @@ type TokenManager struct {
// PreSignedURL is the config for the presigned url middleware
type PreSignedURL struct {
AllowedHTTPMethods []string
Enabled bool
}
// MigrationSelectorConf is the config for the migration-selector

View File

@@ -226,13 +226,19 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
},
// Presigned URLs
&cli.StringSliceFlag{
Name: "presignedurl-allow-method",
Value: cli.NewStringSlice("GET"),
Usage: "--presignedurl-allow-method GET [--presignedurl-allow-method POST]",
EnvVars: []string{"PRESIGNEDURL_ALLOWED_METHODS"},
},
&cli.BoolFlag{
Name: "enable-presignedurls",
Value: true,
Usage: "Enable or disable handling the presigned urls in the proxy",
EnvVars: []string{"PROXY_ENABLE_PRESIGNEDURLS"},
Destination: &cfg.PreSignedURL.Enabled,
},
// Basic auth
&cli.BoolFlag{

View File

@@ -6,6 +6,11 @@ import (
"encoding/hex"
"errors"
"fmt"
"net/http"
"net/url"
"strings"
"time"
"github.com/google/uuid"
accounts "github.com/owncloud/ocis/accounts/pkg/proto/v0"
"github.com/owncloud/ocis/ocis-pkg/log"
@@ -13,10 +18,6 @@ import (
"github.com/owncloud/ocis/proxy/pkg/config"
store "github.com/owncloud/ocis/store/pkg/proto/v0"
"golang.org/x/crypto/pbkdf2"
"net/http"
"net/url"
"strings"
"time"
)
// SignedURLAuth provides a middleware to check access secured by a signed URL.
@@ -96,6 +97,9 @@ func (m signedURLAuth) claims(credential string) (*ocisoidc.StandardClaims, erro
}
func (m signedURLAuth) shouldServe(req *http.Request) bool {
if !m.preSignedURLConfig.Enabled {
return false
}
return req.URL.Query().Get("OC-Signature") != ""
}