From 04c2dcd4275a85f2aa173fe1b968422dda96c80f Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Mon, 28 Oct 2024 11:06:17 +0100
Subject: [PATCH 1/2] Revert "use secure config defaults for OCM" This reverts commit 59589cd7d33ba270fddab8d70af213b3c43c2efe.
---
 services/ocm/pkg/config/defaults/defaultconfig.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/services/ocm/pkg/config/defaults/defaultconfig.go b/services/ocm/pkg/config/defaults/defaultconfig.go
index 34fec3570e8..1b4cdae30c5 100644
--- a/services/ocm/pkg/config/defaults/defaultconfig.go
+++ b/services/ocm/pkg/config/defaults/defaultconfig.go
@@ -109,8 +109,7 @@ func DefaultConfig() *config.Config {
 OCMProviderAuthorizerDriver: "json",
 OCMProviderAuthorizerDrivers: config.OCMProviderAuthorizerDrivers{
 JSON: config.OCMProviderAuthorizerJSONDriver{
- Providers: filepath.Join(defaults.BaseConfigPath(), "ocmproviders.json"),
- VerifyRequestHostname: true,
+ Providers: filepath.Join(defaults.BaseConfigPath(), "ocmproviders.json"),
 },
 },
 OCMShareProvider: config.OCMShareProvider{
From f48e5499293b12817eace5401a83c1bb728b87e2 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Mon, 28 Oct 2024 11:29:35 +0100
Subject: [PATCH 2/2] Remove 'OCM_OCM_PROVIDER_AUTHORIZER_VERIFY_REQUEST_HOSTNAME' setting The feature never really worked correctly and it's added value is at least arguable. Fixes #10355
---
 .../unreleased/fix-remove-non-working-ocm-setting.md | 12 ++++++++++++
 services/ocm/pkg/config/config.go | 3 +--
 services/ocm/pkg/revaconfig/config.go | 3 +--
 3 files changed, 14 insertions(+), 4 deletions(-)
 create mode 100644 changelog/unreleased/fix-remove-non-working-ocm-setting.md
diff --git a/changelog/unreleased/fix-remove-non-working-ocm-setting.md b/changelog/unreleased/fix-remove-non-working-ocm-setting.md
new file mode 100644
index 00000000000..ae4d3294544
--- /dev/null
+++ b/changelog/unreleased/fix-remove-non-working-ocm-setting.md
@@ -0,0 +1,12 @@
+Bugfix: Removed 'OCM_OCM_PROVIDER_AUTHORIZER_VERIFY_REQUEST_HOSTNAME' setting
+
+The config option 'OCM_OCM_PROVIDER_AUTHORIZER_VERIFY_REQUEST_HOSTNAME' was
+removed from the OCM service. The additional security provided by this setting
+is somewhat questionable and only provided in very specific setups.
+
+We are not going through the normal deprecation process for this setting, as it
+was never really working anyway. If you have this setting in your configuration,
+it will be ignored. You can safely remove it.
+
+https://github.com/owncloud/ocis/pull/104xx
+https://github.com/owncloud/ocis/issues/10355
diff --git a/services/ocm/pkg/config/config.go b/services/ocm/pkg/config/config.go
index 54ff647cd90..db50077e96a 100644
--- a/services/ocm/pkg/config/config.go
+++ b/services/ocm/pkg/config/config.go
@@ -114,8 +114,7 @@ type OCMProviderAuthorizerDrivers struct {
 }

 type OCMProviderAuthorizerJSONDriver struct {
- Providers string `yaml:"providers" env:"OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE" desc:"Path to the JSON file where ocm invite data will be stored. Defaults to $OCIS_CONFIG_DIR/ocmproviders.json." introductionVersion:"5.0"`
- VerifyRequestHostname bool `yaml:"verify_request_hostname" env:"OCM_OCM_PROVIDER_AUTHORIZER_VERIFY_REQUEST_HOSTNAME" desc:"Verify the hostname of the incoming request against the hostname of the OCM provider." introductionVersion:"5.0"`
+ Providers string `yaml:"providers" env:"OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE" desc:"Path to the JSON file where ocm invite data will be stored. Defaults to $OCIS_CONFIG_DIR/ocmproviders.json." introductionVersion:"5.0"`
 }

 type OCMCore struct {
diff --git a/services/ocm/pkg/revaconfig/config.go b/services/ocm/pkg/revaconfig/config.go
index 83467474250..3285822c17b 100644
--- a/services/ocm/pkg/revaconfig/config.go
+++ b/services/ocm/pkg/revaconfig/config.go
@@ -130,8 +130,7 @@ func OCMConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]inter
 "driver": cfg.OCMProviderAuthorizerDriver,
 "drivers": map[string]interface{}{
 "json": map[string]interface{}{
- "providers": cfg.OCMProviderAuthorizerDrivers.JSON.Providers,
- "verify_request_hostname": cfg.OCMProviderAuthorizerDrivers.JSON.VerifyRequestHostname,
+ "providers": cfg.OCMProviderAuthorizerDrivers.JSON.Providers,
 },
 },
 },
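Review bot: The `json` driver map in this hunk no longer emits `verify_request_hostname`, so the provider authorizer runs on whatever default the reva driver has for that key; that default is not visible here and is presumably off, which is worth confirming before merge. Because the field and its `OCM_OCM_PROVIDER_AUTHORIZER_VERIFY_REQUEST_HOSTNAME` binding are also dropped from `OCMProviderAuthorizerJSONDriver` in config.go, a deployment that still exports the variable as `true` appears to start with no signal that the setting has no effect. The changelog states it is ignored, but a one-time startup warning when the variable is still present in the environment would reach operators who do not read it. I would also add a comment above the `"providers"` entry, for example `// verify_request_hostname is deliberately not passed (see #10355); the reva driver default applies`. OCMConfigFromStruct starts and ends outside the hunk.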