Enable TLS (insecure) for all reva grpc services and clients

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/blevesearch/bleve/v2 v2.3.4
 	github.com/coreos/go-oidc/v3 v3.4.0
 	github.com/cs3org/go-cs3apis v0.0.0-20221005085457-19ea8088a512
-	github.com/cs3org/reva/v2 v2.10.1-0.20221012104058-ae7c58b9bffa
+	github.com/cs3org/reva/v2 v2.0.0-00010101000000-000000000000
 	github.com/disintegration/imaging v1.6.2
 	github.com/ggwhite/go-masker v1.0.9
 	github.com/go-chi/chi/v5 v5.0.7
@@ -287,3 +287,5 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	stash.kopano.io/kgol/kcc-go/v5 v5.0.1 // indirect
 )
+
+replace github.com/cs3org/reva/v2 => github.com/rhafer/reva/v2 v2.0.0-20221012130608-0e5cf039743a

go.sum

@@ -295,8 +295,6 @@ github.com/crewjam/saml v0.4.6 h1:XCUFPkQSJLvzyl4cW9OvpWUbRf0gE7VUpU8ZnilbeM4=
 github.com/crewjam/saml v0.4.6/go.mod h1:ZBOXnNPFzB3CgOkRm7Nd6IVdkG+l/wF+0ZXLqD96t1A=
 github.com/cs3org/go-cs3apis v0.0.0-20221005085457-19ea8088a512 h1:xTvaIsLu1ezoWOJKnV0ehgiowkOiEhMaylaI1lD/Axw=
 github.com/cs3org/go-cs3apis v0.0.0-20221005085457-19ea8088a512/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
-github.com/cs3org/reva/v2 v2.10.1-0.20221012104058-ae7c58b9bffa h1:DSeaakiPW5zYrGGEDO0BkSZWhqq6LS+rd1DQ1DPztJo=
-github.com/cs3org/reva/v2 v2.10.1-0.20221012104058-ae7c58b9bffa/go.mod h1:QUHLTf/ACFG2ueNP3u1dslv1bIWTTQAqvWFCorVke6o=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8 h1:Z9lwXumT5ACSmJ7WGnFl+OMLLjpz5uR2fyz7dC255FI=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8/go.mod h1:4abs/jPXcmJzYoYGF91JF9Uq9s/KL5n1jvFDix8KcqY=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
@@ -1092,6 +1090,8 @@ github.com/prometheus/statsd_exporter v0.22.4/go.mod h1:N4Z1+iSqc9rnxlT1N8Qn3l65
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2/go.mod h1:7tZKcyumwBO6qip7RNQ5r77yrssm9bfCowcLEBcU5IA=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
+github.com/rhafer/reva/v2 v2.0.0-20221012130608-0e5cf039743a h1:kHfNaTc5Hn3srh2Ss8mVMZfgZ32tOQXPstrQLKZYxHU=
+github.com/rhafer/reva/v2 v2.0.0-20221012130608-0e5cf039743a/go.mod h1:QUHLTf/ACFG2ueNP3u1dslv1bIWTTQAqvWFCorVke6o=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=

ocis-pkg/shared/reva.go

@@ -0,0 +1,10 @@
+package shared
+
+import "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
+
+func (r *Reva) GetRevaOptions() []pool.Option {
+	opts := []pool.Option{
+		pool.WithTLSMode(pool.TLSInsecure),
+	}
+	return opts
+}

services/app-provider/pkg/revaconfig/config.go

@@ -17,10 +17,16 @@ func AppProviderConfigFromStruct(cfg *config.Config) map[string]interface{} {
 		"shared": map[string]interface{}{
 			"jwt_secret": cfg.TokenManager.JWTSecret,
 			"gatewaysvc": cfg.Reva.Address,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode": "insecure",
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled": true,
+			},
 			"services": map[string]interface{}{
 				"appprovider": map[string]interface{}{
 					"app_provider_url": cfg.ExternalAddr,

services/app-registry/pkg/revaconfig/config.go

@@ -19,10 +19,16 @@ func AppRegistryConfigFromStruct(cfg *config.Config, logger log.Logger) map[stri
 		"shared": map[string]interface{}{
 			"jwt_secret": cfg.TokenManager.JWTSecret,
 			"gatewaysvc": cfg.Reva.Address,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode": "insecure",
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled": true,
+			},
 			"services": map[string]interface{}{
 				"appregistry": map[string]interface{}{
 					"driver": "static",

services/auth-basic/pkg/revaconfig/config.go

@@ -15,10 +15,16 @@ func AuthBasicConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode": "insecure",
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled": true,
+			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
 				"authprovider": map[string]interface{}{

services/auth-bearer/pkg/revaconfig/config.go

@@ -15,10 +15,16 @@ func AuthBearerConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode": "insecure",
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled": true,
+			},
 			"services": map[string]interface{}{
 				"authprovider": map[string]interface{}{
 					"auth_manager": "oidc",

services/auth-machine/pkg/revaconfig/config.go

@@ -17,10 +17,16 @@ func AuthMachineConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode": "insecure",
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled": true,
+			},
 			"services": map[string]interface{}{
 				"authprovider": map[string]interface{}{
 					"auth_manager": "machine",

services/frontend/pkg/revaconfig/config.go

@@ -73,6 +73,9 @@ func FrontendConfigFromStruct(cfg *config.Config) (map[string]interface{}, error
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address, // Todo or address?
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode": "insecure",
+			},
 		},
 		"http": map[string]interface{}{
 			"network": cfg.HTTP.Protocol,

services/gateway/pkg/revaconfig/config.go

@@ -24,10 +24,16 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]i
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode": "insecure",
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled": true,
+			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
 				"gateway": map[string]interface{}{

services/graph/pkg/identity/cs3.go

@@ -40,7 +40,7 @@ func (i *CS3) UpdateUser(ctx context.Context, nameOrID string, user libregraph.U
 }
 
 func (i *CS3) GetUser(ctx context.Context, userID string, queryParam url.Values) (*libregraph.User, error) {
-	client, err := pool.GetGatewayServiceClient(i.Config.Address)
+	client, err := pool.GetGatewayServiceClient(i.Config.Address, i.Config.GetRevaOptions()...)
 	if err != nil {
 		i.Logger.Error().Err(err).Msg("could not get client")
 		return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error())
@@ -66,7 +66,7 @@ func (i *CS3) GetUser(ctx context.Context, userID string, queryParam url.Values)
 }
 
 func (i *CS3) GetUsers(ctx context.Context, queryParam url.Values) ([]*libregraph.User, error) {
-	client, err := pool.GetGatewayServiceClient(i.Config.Address)
+	client, err := pool.GetGatewayServiceClient(i.Config.Address, i.Config.GetRevaOptions()...)
 	if err != nil {
 		i.Logger.Error().Err(err).Msg("could not get client")
 		return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error())
@@ -104,7 +104,7 @@ func (i *CS3) GetUsers(ctx context.Context, queryParam url.Values) ([]*libregrap
 }
 
 func (i *CS3) GetGroups(ctx context.Context, queryParam url.Values) ([]*libregraph.Group, error) {
-	client, err := pool.GetGatewayServiceClient(i.Config.Address)
+	client, err := pool.GetGatewayServiceClient(i.Config.Address, i.Config.GetRevaOptions()...)
 	if err != nil {
 		i.Logger.Error().Err(err).Msg("could not get client")
 		return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error())
@@ -148,7 +148,7 @@ func (i *CS3) CreateGroup(ctx context.Context, group libregraph.Group) (*libregr
 }
 
 func (i *CS3) GetGroup(ctx context.Context, groupID string, queryParam url.Values) (*libregraph.Group, error) {
-	client, err := pool.GetGatewayServiceClient(i.Config.Address)
+	client, err := pool.GetGatewayServiceClient(i.Config.Address, i.Config.GetRevaOptions()...)
 	if err != nil {
 		i.Logger.Error().Err(err).Msg("could not get client")
 		return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error())

services/graph/pkg/service/v0/service.go

@@ -66,7 +66,7 @@ func NewService(opts ...Option) Service {
 	}
 	if options.GatewayClient == nil {
 		var err error
-		svc.gatewayClient, err = pool.GetGatewayServiceClient(options.Config.Reva.Address)
+		svc.gatewayClient, err = pool.GetGatewayServiceClient(options.Config.Reva.Address, options.Config.Reva.GetRevaOptions()...)
 		if err != nil {
 			options.Logger.Error().Err(err).Msg("Could not get gateway client")
 			return nil

services/groups/pkg/revaconfig/config.go

@@ -21,6 +21,9 @@ func GroupsConfigFromStruct(cfg *config.Config) map[string]interface{} {
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled": true,
+			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
 				"groupprovider": map[string]interface{}{

services/notifications/pkg/channels/channels.go

@@ -27,7 +27,7 @@ type Channel interface {
 
 // NewMailChannel instantiates a new mail communication channel.
 func NewMailChannel(cfg config.Config, logger log.Logger) (Channel, error) {
-	gc, err := pool.GetGatewayServiceClient(cfg.Notifications.Reva.Address)
+	gc, err := pool.GetGatewayServiceClient(cfg.Notifications.Reva.Address, cfg.Notifications.Reva.GetRevaOptions()...)
 	if err != nil {
 		logger.Error().Err(err).Msg("could not get gateway client")
 		return nil, err

services/notifications/pkg/command/server.go

@@ -73,7 +73,10 @@ func Server(cfg *config.Config) *cli.Command {
 			if err != nil {
 				return err
 			}
-			gwclient, err := pool.GetGatewayServiceClient(cfg.Notifications.Reva.Address)
+			gwclient, err := pool.GetGatewayServiceClient(
+				cfg.Notifications.Reva.Address,
+				cfg.Notifications.Reva.GetRevaOptions()...,
+			)
 			if err != nil {
 				logger.Fatal().Err(err).Str("addr", cfg.Notifications.Reva.Address).Msg("could not get reva client")
 			}

services/ocs/pkg/service/v0/service.go

@@ -118,7 +118,7 @@ func (o Ocs) NotFound(w http.ResponseWriter, r *http.Request) {
 }
 
 func (o Ocs) getCS3Backend() backend.UserBackend {
-	revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address)
+	revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address, o.config.Reva.GetRevaOptions()...)
 	if err != nil {
 		o.logger.Fatal().Msgf("could not get reva client at address %s", o.config.Reva.Address)
 	}

services/proxy/pkg/command/server.go

@@ -128,7 +128,7 @@ func Server(cfg *config.Config) *cli.Command {
 
 func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config) alice.Chain {
 	rolesClient := settingssvc.NewRoleService("com.owncloud.api.settings", grpc.DefaultClient())
-	revaClient, err := pool.GetGatewayServiceClient(cfg.Reva.Address)
+	revaClient, err := pool.GetGatewayServiceClient(cfg.Reva.Address, cfg.Reva.GetRevaOptions()...)
 	var userProvider backend.UserBackend
 	switch cfg.AccountBackend {
 	case "cs3":

services/search/pkg/service/v0/service.go

@@ -85,7 +85,7 @@ func NewHandler(opts ...Option) (searchsvc.SearchProviderHandler, error) {
 		return nil, err
 	}
 
-	gwclient, err := pool.GetGatewayServiceClient(cfg.Reva.Address)
+	gwclient, err := pool.GetGatewayServiceClient(cfg.Reva.Address, cfg.Reva.GetRevaOptions()...)
 	if err != nil {
 		logger.Fatal().Err(err).Str("addr", cfg.Reva.Address).Msg("could not get reva client")
 	}

services/sharing/pkg/revaconfig/config.go

@@ -21,6 +21,9 @@ func SharingConfigFromStruct(cfg *config.Config) map[string]interface{} {
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled": true,
+			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
 				"usershareprovider": map[string]interface{}{

services/storage-publiclink/pkg/revaconfig/config.go

@@ -17,10 +17,16 @@ func StoragePublicLinkConfigFromStruct(cfg *config.Config) map[string]interface{
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode": "insecure",
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled": true,
+			},
 			"interceptors": map[string]interface{}{
 				"log": map[string]interface{}{},
 			},

services/storage-shares/pkg/revaconfig/config.go

@@ -17,10 +17,16 @@ func StorageSharesConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode": "insecure",
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled": true,
+			},
 			"services": map[string]interface{}{
 				"sharesstorageprovider": map[string]interface{}{
 					"usershareprovidersvc": cfg.SharesProviderEndpoint,

services/storage-system/pkg/revaconfig/config.go

@@ -18,10 +18,16 @@ func StorageSystemFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode": "insecure",
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled": true,
+			},
 			"services": map[string]interface{}{
 				"gateway": map[string]interface{}{
 					// registries are located on the gateway

services/storage-users/pkg/revaconfig/config.go

@@ -17,10 +17,16 @@ func StorageUsersConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode": "insecure",
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled": true,
+			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
 				"storageprovider": map[string]interface{}{

services/thumbnails/pkg/server/grpc/server.go

@@ -26,7 +26,7 @@ func NewService(opts ...Option) grpc.Service {
 		grpc.Version(version.GetString()),
 	)
 	tconf := options.Config.Thumbnail
-	gc, err := pool.GetGatewayServiceClient(tconf.Reva.Address)
+	gc, err := pool.GetGatewayServiceClient(tconf.Reva.Address, tconf.Reva.GetRevaOptions()...)
 	if err != nil {
 		options.Logger.Error().Err(err).Msg("could not get gateway client")
 		return grpc.Service{}

services/users/pkg/revaconfig/config.go

@@ -21,6 +21,9 @@ func UsersConfigFromStruct(cfg *config.Config) map[string]interface{} {
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled": true,
+			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
 				"userprovider": map[string]interface{}{

services/webdav/pkg/service/v0/service.go

@@ -60,7 +60,7 @@ func NewService(opts ...Option) (Service, error) {
 	// chi.RegisterMethod("REPORT")
 	m.Use(options.Middleware...)
 
-	gwc, err := pool.GetGatewayServiceClient(conf.Reva.Address)
+	gwc, err := pool.GetGatewayServiceClient(conf.Reva.Address, conf.Reva.GetRevaOptions()...)
 	if err != nil {
 		return nil, err
 	}