commit 2e64042
Merge: 3374467 703b488
Author: Jörn Friedrich Dreyer <jfd@owncloud.com>
Date:   Tue Jul 5 18:14:41 2022 +0000

    Merge pull request #4076 from aduffeck/enabled-machine-auth-in-ocdav

    [full-ci] Enable machine auth in ocdav
butonic committed Jul 5, 2022
1 parent 024379e commit 62ee570
Showing 25 changed files with 33 additions and 23 deletions.
2 changes: 1 addition & 1 deletion grpc_apis/ocis/messages/search/v0/grpc.md
@@ -1,7 +1,7 @@
---
title: "ocis.messages.search.v0"
url: /grpc_apis/ocis_messages_search_v0
date: 2022-07-05T13:51:57Z
date: 2022-07-05T18:17:52Z
weight: 50
geekdocRepo: https://github.com/owncloud/ocis
---
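Review bot: the only change in this hunk, and in the seven sibling `grpc.md` hunks below it, is the generated `date` front-matter moving from `2022-07-05T13:51:57Z` to `2022-07-05T18:17:52Z`; there is no content change in these files. Committing the generator timestamp on every run will keep producing spurious diffs in unrelated pull requests, so consider dropping the timestamp from the generator output or leaving these files out of this merge.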
2 changes: 1 addition & 1 deletion grpc_apis/ocis/messages/settings/v0/grpc.md
@@ -1,7 +1,7 @@
---
title: "ocis.messages.settings.v0"
url: /grpc_apis/ocis_messages_settings_v0
date: 2022-07-05T13:51:57Z
date: 2022-07-05T18:17:52Z
weight: 50
geekdocRepo: https://github.com/owncloud/ocis
---
2 changes: 1 addition & 1 deletion grpc_apis/ocis/messages/store/v0/grpc.md
@@ -1,7 +1,7 @@
---
title: "ocis.messages.store.v0"
url: /grpc_apis/ocis_messages_store_v0
date: 2022-07-05T13:51:57Z
date: 2022-07-05T18:17:52Z
weight: 50
geekdocRepo: https://github.com/owncloud/ocis
---
2 changes: 1 addition & 1 deletion grpc_apis/ocis/messages/thumbnails/v0/grpc.md
@@ -1,7 +1,7 @@
---
title: "ocis.messages.thumbnails.v0"
url: /grpc_apis/ocis_messages_thumbnails_v0
date: 2022-07-05T13:51:57Z
date: 2022-07-05T18:17:52Z
weight: 50
geekdocRepo: https://github.com/owncloud/ocis
---
2 changes: 1 addition & 1 deletion grpc_apis/ocis/services/search/v0/grpc.md
@@ -1,7 +1,7 @@
---
title: "ocis.services.search.v0"
url: /grpc_apis/ocis_services_search_v0
date: 2022-07-05T13:51:57Z
date: 2022-07-05T18:17:52Z
weight: 50
geekdocRepo: https://github.com/owncloud/ocis
---
2 changes: 1 addition & 1 deletion grpc_apis/ocis/services/settings/v0/grpc.md
@@ -1,7 +1,7 @@
---
title: "ocis.services.settings.v0"
url: /grpc_apis/ocis_services_settings_v0
date: 2022-07-05T13:51:57Z
date: 2022-07-05T18:17:52Z
weight: 50
geekdocRepo: https://github.com/owncloud/ocis
---
2 changes: 1 addition & 1 deletion grpc_apis/ocis/services/store/v0/grpc.md
@@ -1,7 +1,7 @@
---
title: "ocis.services.store.v0"
url: /grpc_apis/ocis_services_store_v0
date: 2022-07-05T13:51:57Z
date: 2022-07-05T18:17:52Z
weight: 50
geekdocRepo: https://github.com/owncloud/ocis
---
2 changes: 1 addition & 1 deletion grpc_apis/ocis/services/thumbnails/v0/grpc.md
@@ -1,7 +1,7 @@
---
title: "ocis.services.thumbnails.v0"
url: /grpc_apis/ocis_services_thumbnails_v0
date: 2022-07-05T13:51:57Z
date: 2022-07-05T18:17:52Z
weight: 50
geekdocRepo: https://github.com/owncloud/ocis
---
2 changes: 1 addition & 1 deletion services/_includes/adoc/auth-machine_configvars.adoc
Expand Up @@ -141,7 +141,7 @@ Disables the encoding of the user's group memberships in the reva access token.
a| [subs=-attributes]

a| [subs=-attributes]
Machine auth API key used for validating requests from other services when impersonating users.
Machine auth API key used to validate internal requests necessary for the access to resources from other services.
|===

Since Version: `+` added, `-` deprecated
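Review bot: the replacement description drops "when impersonating users", which is the part an operator needs in order to treat this value as a secret: a caller that presents this key obtains a token acting as any user. For auth-machine, which is the side that checks the key, the old direction ("used for validating requests from other services") was correct; suggest keeping it, e.g. "Machine auth API key that other services must present when requesting a token to impersonate a user." The phrase "necessary for the access to resources" also reads awkwardly; "needed to access resources" is cleaner.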
2 changes: 1 addition & 1 deletion services/_includes/adoc/frontend_configvars.adoc
Expand Up @@ -148,7 +148,7 @@ The CS3 gateway endpoint.
a| [subs=-attributes]

a| [subs=-attributes]
Machine auth API key used for accessing the 'auth-machine' service to impersonate users.
Machine auth API key used to validate internal requests necessary for the access to resources from other services.

|`FRONTEND_SKIP_USER_GROUPS_IN_TOKEN`
| bool
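Review bot: "used to validate internal requests" is the wrong direction for the frontend service. As the removed line said, frontend presents this key to the auth-machine service to impersonate users; it does not validate anything itself. The same generic sentence is now used for every service in this commit, so the docs no longer say which side holds the key and which side checks it. Suggest wording per service that names the role (presenter vs. validator) and states that the value must be the same secret configured for auth-machine, which the shared `OCIS_MACHINE_AUTH_API_KEY` name already implies.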
2 changes: 1 addition & 1 deletion services/_includes/adoc/idp_configvars.adoc
Expand Up @@ -154,7 +154,7 @@ CS3 gateway used to authenticate and look up users
a| [subs=-attributes]

a| [subs=-attributes]
Machine auth API key used for accessing the 'auth-machine' service to impersonate users when looking up their userinfo via the 'cs3' backend.
Machine auth API key used to validate internal requests necessary for the access to resources from other services.

|`IDP_ASSET_PATH`
| string
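Review bot: the removed text recorded the concrete purpose of the key in the IDP (looking up userinfo via the 'cs3' backend), which also told operators that the setting only matters when that backend is in use. The generic replacement loses both facts. Keep the per-service purpose alongside any shared wording rather than replacing it.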
2 changes: 1 addition & 1 deletion services/_includes/adoc/notifications_configvars.adoc
Expand Up @@ -130,7 +130,7 @@ CS3 gateway used to look up user metadata
a| [subs=-attributes]

a| [subs=-attributes]
Machine auth API key used for accessing the 'auth-machine' service to look up their email.
Machine auth API key used to validate internal requests necessary for the access to resources from other services.
|===

Since Version: `+` added, `-` deprecated
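Review bot: same concern as for the other services: the removed wording stated the concrete use (looking up a user's email for notifications), the new one does not. The old sentence did have a dangling "their"; a better fix is "Machine auth API key used to obtain a token for looking up the recipient's email address" rather than the generic text.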
8 changes: 8 additions & 0 deletions services/_includes/adoc/ocdav_configvars.adoc
Expand Up @@ -185,6 +185,14 @@ a| [subs=-attributes]
84300
a| [subs=-attributes]
Request timeout in seconds for requests from the oCDAV service to the gateway service.

|`OCIS_MACHINE_AUTH_API_KEY` +
`OCDAV_MACHINE_AUTH_API_KEY`
| string
a| [subs=-attributes]

a| [subs=-attributes]
Machine auth API key used to validate internal requests necessary for the access to resources from other services.
|===

Since Version: `+` added, `-` deprecated
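Review bot: the new `OCDAV_MACHINE_AUTH_API_KEY` entry has an empty default and the docs do not say what happens when it stays unset: whether ocdav refuses to start, runs with machine auth disabled, or fails the affected requests at runtime. Since the merge title says machine auth is being enabled in ocdav, state the unset behaviour explicitly and say that the value must match the key configured for the auth-machine service.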
2 changes: 1 addition & 1 deletion services/_includes/adoc/ocs_configvars.adoc
Expand Up @@ -143,7 +143,7 @@ URL of the OIDC issuer. It defaults to URL of the builtin IDP.
a| [subs=-attributes]

a| [subs=-attributes]
Machine auth API key used for accessing the 'auth-machine' service to impersonate users.
Machine auth API key used to validate internal requests necessary for the access to resources from other services.
|===

Since Version: `+` added, `-` deprecated
2 changes: 1 addition & 1 deletion services/_includes/adoc/proxy_configvars.adoc
Expand Up @@ -214,7 +214,7 @@ The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc
a| [subs=-attributes]

a| [subs=-attributes]
Machine auth API key used for accessing the 'auth-machine' service to impersonate users.
Machine auth API key used to validate internal requests necessary for the access to resources from other services.

|`PROXY_AUTOPROVISION_ACCOUNTS`
| bool
2 changes: 1 addition & 1 deletion services/_includes/adoc/search_configvars.adoc
Expand Up @@ -147,7 +147,7 @@ the customergroup of the service. One group will only get one copy of an event
a| [subs=-attributes]

a| [subs=-attributes]
Machine auth API key used for accessing the 'auth-machine' service to impersonate users.
Machine auth API key used to validate internal requests necessary for the access to resources from other services.
|===

Since Version: `+` added, `-` deprecated
2 changes: 1 addition & 1 deletion services/_includes/auth-machine_configvars.md
Expand Up @@ -19,4 +19,4 @@
| OCIS_JWT_SECRET<br/>AUTH_MACHINE_JWT_SECRET | string | | The secret to mint and validate jwt tokens.|
| REVA_GATEWAY | string | 127.0.0.1:9142 | The CS3 gateway endpoint.|
| AUTH_MACHINE_SKIP_USER_GROUPS_IN_TOKEN | bool | false | Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.|
| OCIS_MACHINE_AUTH_API_KEY<br/>AUTH_MACHINE_API_KEY | string | | Machine auth API key used for validating requests from other services when impersonating users.|
| OCIS_MACHINE_AUTH_API_KEY<br/>AUTH_MACHINE_API_KEY | string | | Machine auth API key used to validate internal requests necessary for the access to resources from other services.|
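Review bot: this markdown table mirrors the adoc change and has the same problem: "when impersonating users" is the fact that tells an operator this value is a secret with user-wide reach, and it should survive the rewording. Whatever wording is chosen for the adoc and the markdown include should be kept in sync, since both are generated from the same source.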
2 changes: 1 addition & 1 deletion services/_includes/frontend_configvars.md
Expand Up @@ -20,7 +20,7 @@
| STORAGE_TRANSFER_SECRET | string | | Transfer secret for signing file up- and download requests.|
| OCIS_JWT_SECRET<br/>FRONTEND_JWT_SECRET | string | | The secret to mint and validate jwt tokens.|
| REVA_GATEWAY | string | 127.0.0.1:9142 | The CS3 gateway endpoint.|
| OCIS_MACHINE_AUTH_API_KEY<br/>FRONTEND_MACHINE_AUTH_API_KEY | string | | Machine auth API key used for accessing the 'auth-machine' service to impersonate users.|
| OCIS_MACHINE_AUTH_API_KEY<br/>FRONTEND_MACHINE_AUTH_API_KEY | string | | Machine auth API key used to validate internal requests necessary for the access to resources from other services.|
| FRONTEND_SKIP_USER_GROUPS_IN_TOKEN | bool | false | Disables the loading of user's group memberships from the reva access token.|
| FRONTEND_ENABLE_FAVORITES | bool | false | Enables the support for favorites in the frontend.|
| FRONTEND_ENABLE_PROJECT_SPACES | bool | true | Indicates to clients that project spaces are supposed to be made available.|
2 changes: 1 addition & 1 deletion services/_includes/idp_configvars.md
Expand Up @@ -21,7 +21,7 @@
| IDP_TRANSPORT_TLS_KEY | string | ~/.ocis/idp/server.key | |
| IDP_TLS | bool | false | |
| REVA_GATEWAY | string | 127.0.0.1:9142 | CS3 gateway used to authenticate and look up users|
| OCIS_MACHINE_AUTH_API_KEY<br/>IDP_MACHINE_AUTH_API_KEY | string | | Machine auth API key used for accessing the 'auth-machine' service to impersonate users when looking up their userinfo via the 'cs3' backend.|
| OCIS_MACHINE_AUTH_API_KEY<br/>IDP_MACHINE_AUTH_API_KEY | string | | Machine auth API key used to validate internal requests necessary for the access to resources from other services.|
| IDP_ASSET_PATH | string | | Serve IDP assets from a path on the filesystem instead of the builtin assets.|
| OCIS_URL<br/>OCIS_OIDC_ISSUER<br/>IDP_ISS | string | https://localhost:9200 | The OIDC issuer URL to use.|
| IDP_IDENTITY_MANAGER | string | ldap | The identity manager implementation to use, defaults to 'ldap', can be changed to 'cs3', 'kc', 'libregraph', 'cookie' or 'guest'.|
2 changes: 1 addition & 1 deletion services/_includes/notifications_configvars.md
Expand Up @@ -18,4 +18,4 @@
| NOTIFICATIONS_EVENTS_CLUSTER | string | ocis-cluster | Cluster ID of the event system.|
| NOTIFICATIONS_EVENTS_GROUP | string | notifications | Name of the event group / queue on the event system.|
| REVA_GATEWAY<br/>NOTIFICATIONS_REVA_GATEWAY | string | 127.0.0.1:9142 | CS3 gateway used to look up user metadata|
| OCIS_MACHINE_AUTH_API_KEY<br/>NOTIFICATIONS_MACHINE_AUTH_API_KEY | string | | Machine auth API key used for accessing the 'auth-machine' service to look up their email.|
| OCIS_MACHINE_AUTH_API_KEY<br/>NOTIFICATIONS_MACHINE_AUTH_API_KEY | string | | Machine auth API key used to validate internal requests necessary for the access to resources from other services.|
1 change: 1 addition & 0 deletions services/_includes/ocdav-config-example.yaml
Expand Up @@ -34,3 +34,4 @@ gateway_request_timeout: 84300
middleware:
auth:
credentials_by_user_agent: {}
machine_auth_api_key: ""
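Review bot: `machine_auth_api_key: ""` is added under `middleware.auth` as an empty string. The example should make clear this is a placeholder to be supplied from `OCIS_MACHINE_AUTH_API_KEY` (or the ocdav-specific variable) rather than a working value, and that a real key belongs in an environment variable or secrets file, not in a committed config file. A short comment above the key would cover both points.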
3 changes: 2 additions & 1 deletion services/_includes/ocdav_configvars.md
Expand Up @@ -25,4 +25,5 @@
| OCDAV_SHARES_NAMESPACE | string | /Shares | The human readable path for the share jail. Relative to a users personal space root. Upcased intentionally.|
| OCIS_URL<br/>OCDAV_PUBLIC_URL | string | https://localhost:9200 | URL, where oCIS is reachable for users.|
| OCIS_INSECURE<br/>OCDAV_INSECURE | bool | false | |
| OCDAV_GATEWAY_REQUEST_TIMEOUT | int64 | 84300 | Request timeout in seconds for requests from the oCDAV service to the gateway service.|
| OCDAV_GATEWAY_REQUEST_TIMEOUT | int64 | 84300 | Request timeout in seconds for requests from the oCDAV service to the gateway service.|
| OCIS_MACHINE_AUTH_API_KEY<br/>OCDAV_MACHINE_AUTH_API_KEY | string | | Machine auth API key used to validate internal requests necessary for the access to resources from other services.|
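Review bot: the two `OCDAV_GATEWAY_REQUEST_TIMEOUT` rows are byte-for-byte identical, so the counted deletion is only the missing newline at end of file being added, not a content change; worth a word in the commit message so the "2 additions & 1 deletion" is not misread. The new `OCDAV_MACHINE_AUTH_API_KEY` row has the same empty default as the adoc entry and should likewise document the behaviour when the value is unset.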
2 changes: 1 addition & 1 deletion services/_includes/ocs_configvars.md
Expand Up @@ -19,4 +19,4 @@
| OCIS_JWT_SECRET<br/>OCS_JWT_SECRET | string | | The secret to mint and validate jwt tokens.|
| REVA_GATEWAY | string | 127.0.0.1:9142 | The CS3 gateway endpoint.|
| OCIS_URL<br/>OCIS_OIDC_ISSUER<br/>OCS_IDM_ADDRESS | string | https://localhost:9200 | URL of the OIDC issuer. It defaults to URL of the builtin IDP.|
| OCIS_MACHINE_AUTH_API_KEY<br/>OCS_MACHINE_AUTH_API_KEY | string | | Machine auth API key used for accessing the 'auth-machine' service to impersonate users.|
| OCIS_MACHINE_AUTH_API_KEY<br/>OCS_MACHINE_AUTH_API_KEY | string | | Machine auth API key used to validate internal requests necessary for the access to resources from other services.|
2 changes: 1 addition & 1 deletion services/_includes/proxy_configvars.md
Expand Up @@ -29,7 +29,7 @@
| PROXY_ACCOUNT_BACKEND_TYPE | string | cs3 | Account backend the proxy should use, currenly only 'cs3' is possible here.|
| PROXY_USER_OIDC_CLAIM | string | email | The name of an OpenID Connect claim that should be used for resolving users with the account backend. Currently defaults to 'email'.|
| PROXY_USER_CS3_CLAIM | string | mail | The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Currently defaults to 'mail' (other possible values are: 'username', 'displayname')|
| OCIS_MACHINE_AUTH_API_KEY<br/>PROXY_MACHINE_AUTH_API_KEY | string | | Machine auth API key used for accessing the 'auth-machine' service to impersonate users.|
| OCIS_MACHINE_AUTH_API_KEY<br/>PROXY_MACHINE_AUTH_API_KEY | string | | Machine auth API key used to validate internal requests necessary for the access to resources from other services.|
| PROXY_AUTOPROVISION_ACCOUNTS | bool | false | Set this to 'true' to automatically provsion users that do not yet exist in the users service on-demand upon first signin. To use this a write-enabled libregraph user backend needs to be setup an running.|
| PROXY_ENABLE_BASIC_AUTH | bool | false | Set this to true to enable 'basic' (username/password) authentication.|
| PROXY_INSECURE_BACKENDS | bool | false | Disable TLS certificate validation for all http backend connections.|
2 changes: 1 addition & 1 deletion services/_includes/search_configvars.md
Expand Up @@ -20,4 +20,4 @@
| SEARCH_EVENTS_ENDPOINT | string | 127.0.0.1:9233 | the address of the streaming service|
| SEARCH_EVENTS_CLUSTER | string | ocis-cluster | the clusterID of the streaming service. Mandatory when using nats|
| SEARCH_EVENTS_GROUP | string | search | the customergroup of the service. One group will only get one copy of an event|
| OCIS_MACHINE_AUTH_API_KEY<br/>SEARCH_MACHINE_AUTH_API_KEY | string | | Machine auth API key used for accessing the 'auth-machine' service to impersonate users.|
| OCIS_MACHINE_AUTH_API_KEY<br/>SEARCH_MACHINE_AUTH_API_KEY | string | | Machine auth API key used to validate internal requests necessary for the access to resources from other services.|
