From 518e8747b2b73bc2b519bdb4925ed5d539fb230e Mon Sep 17 00:00:00 2001 From: Ishank Arora Date: Thu, 23 Sep 2021 15:19:32 +0200 Subject: [PATCH 1/5] Add config to skip encoding user groups in reva tokens --- .../reva-tokens-skip-groups-config.md | 3 +++ proxy/pkg/user/backend/cs3.go | 2 +- storage/pkg/command/appprovider.go | 5 ++-- storage/pkg/command/authbasic.go | 5 ++-- storage/pkg/command/authbearer.go | 8 ++++--- storage/pkg/command/frontend.go | 5 ++-- storage/pkg/command/gateway.go | 5 ++-- storage/pkg/command/groups.go | 5 ++-- storage/pkg/command/sharing.go | 5 ++-- storage/pkg/command/storagehome.go | 5 ++-- storage/pkg/command/storagemetadata.go | 5 ++-- storage/pkg/command/storagepubliclink.go | 5 ++-- storage/pkg/command/storageusers.go | 5 ++-- storage/pkg/command/users.go | 5 ++-- storage/pkg/config/config.go | 23 ++++++++++--------- storage/pkg/flagset/secret.go | 7 ++++++ 16 files changed, 61 insertions(+), 37 deletions(-) create mode 100644 changelog/unreleased/reva-tokens-skip-groups-config.md diff --git a/changelog/unreleased/reva-tokens-skip-groups-config.md b/changelog/unreleased/reva-tokens-skip-groups-config.md new file mode 100644 index 00000000000..6620f48a20b --- /dev/null +++ b/changelog/unreleased/reva-tokens-skip-groups-config.md @@ -0,0 +1,3 @@ +Enhancement: Add config to skip encoding user groups in reva tokens + +https://github.com/owncloud/ocis/pull/2529 diff --git a/proxy/pkg/user/backend/cs3.go b/proxy/pkg/user/backend/cs3.go index dc413919a5b..3dcd9c36571 100644 --- a/proxy/pkg/user/backend/cs3.go +++ b/proxy/pkg/user/backend/cs3.go @@ -37,7 +37,7 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w } res, err := c.authProvider.Authenticate(ctx, &gateway.AuthenticateRequest{ - Type: "machine", + Type: "bearer", ClientId: value, ClientSecret: c.machineAuthAPIKey, }) diff --git a/storage/pkg/command/appprovider.go b/storage/pkg/command/appprovider.go index 2989f7c39a8..1a8b9e5d95c 100644 
--- a/storage/pkg/command/appprovider.go +++ b/storage/pkg/command/appprovider.go @@ -91,8 +91,9 @@ func appProviderConfigFromStruct(c *cli.Context, cfg *config.Config) map[string] "tracing_service_name": c.Command.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.Reva.JWTSecret, - "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "jwt_secret": cfg.Reva.JWTSecret, + "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken, }, "grpc": map[string]interface{}{ "network": cfg.Reva.AppProvider.GRPCNetwork, diff --git a/storage/pkg/command/authbasic.go b/storage/pkg/command/authbasic.go index 3a3d227db0a..840963058d4 100644 --- a/storage/pkg/command/authbasic.go +++ b/storage/pkg/command/authbasic.go @@ -102,8 +102,9 @@ func authBasicConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]in "tracing_service_name": c.Command.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.Reva.JWTSecret, - "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "jwt_secret": cfg.Reva.JWTSecret, + "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken, }, "grpc": map[string]interface{}{ "network": cfg.Reva.AuthBasic.GRPCNetwork, diff --git a/storage/pkg/command/authbearer.go b/storage/pkg/command/authbearer.go index b3937ed11f5..94e0023ff35 100644 --- a/storage/pkg/command/authbearer.go +++ b/storage/pkg/command/authbearer.go @@ -93,8 +93,9 @@ func authBearerConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]i "tracing_service_name": c.Command.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.Reva.JWTSecret, - "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "jwt_secret": cfg.Reva.JWTSecret, + "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken, }, "grpc": map[string]interface{}{ "network": cfg.Reva.AuthBearer.GRPCNetwork, 
@@ -113,7 +114,8 @@ func authBearerConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]i "gatewaysvc": cfg.Reva.Gateway.Endpoint, }, "machine": map[string]interface{}{ - "api_key": cfg.Reva.AuthBearerConfig.MachineAuthAPIKey, + "api_key": cfg.Reva.AuthBearerConfig.MachineAuthAPIKey, + "gateway_addr": cfg.Reva.Gateway.Endpoint, }, }, }, diff --git a/storage/pkg/command/frontend.go b/storage/pkg/command/frontend.go index 925c115d255..9e14b53de50 100644 --- a/storage/pkg/command/frontend.go +++ b/storage/pkg/command/frontend.go @@ -149,8 +149,9 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s "tracing_service_name": c.Command.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.Reva.JWTSecret, - "gatewaysvc": cfg.Reva.Gateway.Endpoint, // Todo or address? + "jwt_secret": cfg.Reva.JWTSecret, + "gatewaysvc": cfg.Reva.Gateway.Endpoint, // Todo or address? + "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken, }, "http": map[string]interface{}{ "network": cfg.Reva.Frontend.HTTPNetwork, diff --git a/storage/pkg/command/gateway.go b/storage/pkg/command/gateway.go index 7008fbbd1e1..d8a363d7593 100644 --- a/storage/pkg/command/gateway.go +++ b/storage/pkg/command/gateway.go @@ -124,8 +124,9 @@ func gatewayConfigFromStruct(c *cli.Context, cfg *config.Config, logger log.Logg "tracing_service_name": c.Command.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.Reva.JWTSecret, - "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "jwt_secret": cfg.Reva.JWTSecret, + "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken, }, "grpc": map[string]interface{}{ "network": cfg.Reva.Gateway.GRPCNetwork, diff --git a/storage/pkg/command/groups.go b/storage/pkg/command/groups.go index c9c35394f45..e3758080f7f 100644 --- a/storage/pkg/command/groups.go +++ b/storage/pkg/command/groups.go 
@@ -102,8 +102,9 @@ func groupsConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]inter "tracing_service_name": c.Command.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.Reva.JWTSecret, - "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "jwt_secret": cfg.Reva.JWTSecret, + "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken, }, "grpc": map[string]interface{}{ "network": cfg.Reva.Groups.GRPCNetwork, diff --git a/storage/pkg/command/sharing.go b/storage/pkg/command/sharing.go index 354bb0d643c..50f50c64b6e 100644 --- a/storage/pkg/command/sharing.go +++ b/storage/pkg/command/sharing.go @@ -112,8 +112,9 @@ func sharingConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]inte "tracing_service_name": c.Command.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.Reva.JWTSecret, - "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "jwt_secret": cfg.Reva.JWTSecret, + "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken, }, "grpc": map[string]interface{}{ "network": cfg.Reva.Sharing.GRPCNetwork, diff --git a/storage/pkg/command/storagehome.go b/storage/pkg/command/storagehome.go index bcea78c22ca..4df8524e9a2 100644 --- a/storage/pkg/command/storagehome.go +++ b/storage/pkg/command/storagehome.go @@ -98,8 +98,9 @@ func storageHomeConfigFromStruct(c *cli.Context, cfg *config.Config) map[string] "tracing_service_name": c.Command.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.Reva.JWTSecret, - "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "jwt_secret": cfg.Reva.JWTSecret, + "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken, }, "grpc": map[string]interface{}{ "network": cfg.Reva.StorageHome.GRPCNetwork, diff --git a/storage/pkg/command/storagemetadata.go b/storage/pkg/command/storagemetadata.go index dde9a6aa5c8..c27b27a424d 100644 --- a/storage/pkg/command/storagemetadata.go 
+++ b/storage/pkg/command/storagemetadata.go @@ -120,8 +120,9 @@ func storageMetadataFromStruct(c *cli.Context, cfg *config.Config) map[string]in "tracing_service_name": c.Command.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.Reva.JWTSecret, - "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "jwt_secret": cfg.Reva.JWTSecret, + "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken, }, "grpc": map[string]interface{}{ "network": cfg.Reva.StorageMetadata.GRPCNetwork, diff --git a/storage/pkg/command/storagepubliclink.go b/storage/pkg/command/storagepubliclink.go index d2227177769..d90b971fc04 100644 --- a/storage/pkg/command/storagepubliclink.go +++ b/storage/pkg/command/storagepubliclink.go @@ -88,8 +88,9 @@ func storagePublicLinkConfigFromStruct(c *cli.Context, cfg *config.Config) map[s "tracing_service_name": c.Command.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.Reva.JWTSecret, - "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "jwt_secret": cfg.Reva.JWTSecret, + "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken, }, "grpc": map[string]interface{}{ "network": cfg.Reva.StoragePublicLink.GRPCNetwork, diff --git a/storage/pkg/command/storageusers.go b/storage/pkg/command/storageusers.go index 85b1dfd95b9..6f01defad9e 100644 --- a/storage/pkg/command/storageusers.go +++ b/storage/pkg/command/storageusers.go @@ -98,8 +98,9 @@ func storageUsersConfigFromStruct(c *cli.Context, cfg *config.Config) map[string "tracing_service_name": c.Command.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.Reva.JWTSecret, - "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "jwt_secret": cfg.Reva.JWTSecret, + "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken, }, "grpc": map[string]interface{}{ "network": cfg.Reva.StorageUsers.GRPCNetwork, 
diff --git a/storage/pkg/command/users.go b/storage/pkg/command/users.go index d01757ae817..2f4c3e87cc8 100644 --- a/storage/pkg/command/users.go +++ b/storage/pkg/command/users.go @@ -109,8 +109,9 @@ func usersConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]interf "tracing_service_name": c.Command.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.Reva.JWTSecret, - "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "jwt_secret": cfg.Reva.JWTSecret, + "gatewaysvc": cfg.Reva.Gateway.Endpoint, + "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken, }, "grpc": map[string]interface{}{ "network": cfg.Reva.Users.GRPCNetwork, diff --git a/storage/pkg/config/config.go b/storage/pkg/config/config.go index 42426f5cae4..c05e6899072 100644 --- a/storage/pkg/config/config.go +++ b/storage/pkg/config/config.go @@ -430,17 +430,18 @@ type Archiver struct { // Reva defines the available reva configuration. type Reva struct { // JWTSecret used to sign jwt tokens between services - JWTSecret string - TransferSecret string - TransferExpires int - OIDC OIDC - LDAP LDAP - UserGroupRest UserGroupRest - UserOwnCloudSQL UserOwnCloudSQL - OCDav OCDav - Archiver Archiver - UserStorage StorageConfig - MetadataStorage StorageConfig + JWTSecret string + SkipUserGroupsInToken bool + TransferSecret string + TransferExpires int + OIDC OIDC + LDAP LDAP + UserGroupRest UserGroupRest + UserOwnCloudSQL UserOwnCloudSQL + OCDav OCDav + Archiver Archiver + UserStorage StorageConfig + MetadataStorage StorageConfig // Ports are used to configure which services to start on which port Frontend FrontendPort DataGateway DataGatewayPort diff --git a/storage/pkg/flagset/secret.go b/storage/pkg/flagset/secret.go index 2519caa61a3..8504bd56b1e 100644 --- a/storage/pkg/flagset/secret.go +++ b/storage/pkg/flagset/secret.go 
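Review bot: The new `SkipUserGroupsInToken` field is the only member of this block without a comment, although its neighbour `JWTSecret` has one and this field is copied into the `shared` section of every storage service's reva config, i.e. it changes what every token issuer and consumer in the deployment assumes about the JWT. Suggested: `// SkipUserGroupsInToken omits the user's group list from the reva JWT exchanged between services; set it identically on every storage service that mints or verifies tokens.` The Reva struct continues outside the hunk.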
@@ -16,5 +16,12 @@ func SecretWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_JWT_SECRET", "OCIS_JWT_SECRET"}, Destination: &cfg.Reva.JWTSecret, }, + &cli.BoolFlag{ + Name: "skip-user-groups-in-token", + Value: flags.OverrideDefaultBool(cfg.Reva.SkipUserGroupsInToken, false), + Usage: "Whether to skip encoding user groups in reva's JWT token", + EnvVars: []string{"STORAGE_SKIP_USER_GROUPS_IN_TOKEN"}, + Destination: &cfg.Reva.SkipUserGroupsInToken, + }, } } From 35905f4a09072901d7cb8c9b026381573e42992e Mon Sep 17 00:00:00 2001 From: Ishank Arora Date: Thu, 14 Oct 2021 17:05:38 +0200 Subject: [PATCH 2/5] Start up a new machine auth provider in the storage service --- .../reva-tokens-skip-groups-config.md | 5 +- ocis/pkg/runtime/service/service.go | 1 + storage/pkg/command/authbearer.go | 6 +- storage/pkg/command/authmachine.go | 154 ++++++++++++++++++ storage/pkg/config/config.go | 9 +- storage/pkg/flagset/authbearer.go | 19 --- storage/pkg/flagset/authmachine.go | 73 +++++++++ 7 files changed, 237 insertions(+), 30 deletions(-) create mode 100644 storage/pkg/command/authmachine.go create mode 100644 storage/pkg/flagset/authmachine.go diff --git a/changelog/unreleased/reva-tokens-skip-groups-config.md b/changelog/unreleased/reva-tokens-skip-groups-config.md index 6620f48a20b..92389540eb5 100644 --- a/changelog/unreleased/reva-tokens-skip-groups-config.md +++ b/changelog/unreleased/reva-tokens-skip-groups-config.md @@ -1,3 +1,6 @@ -Enhancement: Add config to skip encoding user groups in reva tokens +Enhancement: Start up a new machine auth provider in the storage service +This PR also adds the config to skip encoding user groups in reva tokens + +https://github.com/owncloud/ocis/pull/2528 https://github.com/owncloud/ocis/pull/2529 diff --git a/ocis/pkg/runtime/service/service.go b/ocis/pkg/runtime/service/service.go index 28cd652b5fc..8795330adea 100644 --- a/ocis/pkg/runtime/service/service.go +++ b/ocis/pkg/runtime/service/service.go 
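Review bot: The flag carries only a `STORAGE_` environment name, while its sibling `STORAGE_JWT_SECRET` in the same function also accepts `OCIS_JWT_SECRET`; this matters because `SecretWithConfig` is appended by every storage sub-command and `skip_user_groups_in_token` lands in each service's `shared` reva config, so a token minted by an auth provider started with groups skipped will be presented to consumers that may have been started without the flag, and what those consumers then do with the missing groups is decided in reva, not here. Give it the same process-wide alias so one setting governs all services, `EnvVars: []string{"STORAGE_SKIP_USER_GROUPS_IN_TOKEN", "OCIS_SKIP_USER_GROUPS_IN_TOKEN"},`, and extend the usage string to say the value must be the same on every storage service. SecretWithConfig starts outside the hunk.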
@@ -105,6 +105,7 @@ func NewService(options ...Option) (*Service, error) { s.ServicesRegistry["storage-groupprovider"] = storage.NewGroupProvider s.ServicesRegistry["storage-authbasic"] = storage.NewAuthBasic s.ServicesRegistry["storage-authbearer"] = storage.NewAuthBearer + s.ServicesRegistry["storage-authmachine"] = storage.NewAuthMachine s.ServicesRegistry["storage-home"] = storage.NewStorageHome s.ServicesRegistry["storage-users"] = storage.NewStorageUsers s.ServicesRegistry["storage-public-link"] = storage.NewStoragePublicLink diff --git a/storage/pkg/command/authbearer.go b/storage/pkg/command/authbearer.go index 94e0023ff35..4a2b43c05ed 100644 --- a/storage/pkg/command/authbearer.go +++ b/storage/pkg/command/authbearer.go @@ -103,7 +103,7 @@ func authBearerConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]i // TODO build services dynamically "services": map[string]interface{}{ "authprovider": map[string]interface{}{ - "auth_manager": cfg.Reva.AuthBearerConfig.Driver, + "auth_manager": "oidc", "auth_managers": map[string]interface{}{ "oidc": map[string]interface{}{ "issuer": cfg.Reva.OIDC.Issuer, @@ -113,10 +113,6 @@ func authBearerConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]i "gid_claim": cfg.Reva.OIDC.GIDClaim, "gatewaysvc": cfg.Reva.Gateway.Endpoint, }, - "machine": map[string]interface{}{ - "api_key": cfg.Reva.AuthBearerConfig.MachineAuthAPIKey, - "gateway_addr": cfg.Reva.Gateway.Endpoint, - }, }, }, }, diff --git a/storage/pkg/command/authmachine.go b/storage/pkg/command/authmachine.go new file mode 100644 index 00000000000..8bdb111014d --- /dev/null +++ b/storage/pkg/command/authmachine.go 
@@ -0,0 +1,154 @@
+package command
+
+import (
+ "context"
+ "flag"
+ "os"
+ "path"
+
+ "github.com/cs3org/reva/cmd/revad/runtime"
+ "github.com/gofrs/uuid"
+ "github.com/oklog/run"
+ ociscfg "github.com/owncloud/ocis/ocis-pkg/config"
+ "github.com/owncloud/ocis/ocis-pkg/sync"
+ "github.com/owncloud/ocis/storage/pkg/config"
+ "github.com/owncloud/ocis/storage/pkg/flagset"
+ "github.com/owncloud/ocis/storage/pkg/server/debug"
+ "github.com/owncloud/ocis/storage/pkg/tracing"
+ "github.com/thejerf/suture/v4"
+ "github.com/urfave/cli/v2"
+)
+
+// AuthMachine is the entrypoint for the auth-machine command.
+func AuthMachine(cfg *config.Config) *cli.Command {
+ return &cli.Command{
+ Name: "auth-machine",
+ Usage: "Start authprovider for machine auth",
+ Flags: flagset.AuthMachineWithConfig(cfg),
+ Before: func(c *cli.Context) error {
+ cfg.Reva.AuthMachine.Services = c.StringSlice("service")
+
+ return nil
+ },
+ Action: func(c *cli.Context) error {
+ logger := NewLogger(cfg)
+ tracing.Configure(cfg, logger)
+ gr := run.Group{}
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ uuid := uuid.Must(uuid.NewV4())
+ pidFile := path.Join(os.TempDir(), "revad-"+c.Command.Name+"-"+uuid.String()+".pid")
+ rcfg := authMachineConfigFromStruct(c, cfg)
+
+ gr.Add(func() error {
+ runtime.RunWithOptions(
+ rcfg,
+ pidFile,
+ runtime.WithLogger(&logger.Logger),
+ )
+ return nil
+ }, func(_ error) {
+ logger.Info().
+ Str("server", c.Command.Name).
+ Msg("Shutting down server")
+
+ cancel()
+ })
+
+ debugServer, err := debug.Server(
+ debug.Name(c.Command.Name+"-debug"),
+ debug.Addr(cfg.Reva.AuthMachine.DebugAddr),
+ debug.Logger(logger),
+ debug.Context(ctx),
+ debug.Config(cfg),
+ )
+
+ if err != nil {
+ logger.Info().Err(err).Str("server", "debug").Msg("failed to initialize server")
+ return err
+ }
+
+ gr.Add(debugServer.ListenAndServe, func(_ error) {
+ cancel()
+ })
+
+ if !cfg.Reva.AuthMachine.Supervised {
+ sync.Trap(&gr, cancel)
+ }
+
+ return gr.Run()
+ },
+ }
+}
+
+// authMachineConfigFromStruct will adapt an oCIS config struct into a reva mapstructure to start a reva service.
+func authMachineConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]interface{} {
+ return map[string]interface{}{
+ "core": map[string]interface{}{
+ "max_cpus": cfg.Reva.AuthMachine.MaxCPUs,
+ "tracing_enabled": cfg.Tracing.Enabled,
+ "tracing_endpoint": cfg.Tracing.Endpoint,
+ "tracing_collector": cfg.Tracing.Collector,
+ "tracing_service_name": c.Command.Name,
+ },
+ "shared": map[string]interface{}{
+ "jwt_secret": cfg.Reva.JWTSecret,
+ "gatewaysvc": cfg.Reva.Gateway.Endpoint,
+ "skip_user_groups_in_token": cfg.Reva.SkipUserGroupsInToken,
+ },
+ "grpc": map[string]interface{}{
+ "network": cfg.Reva.AuthMachine.GRPCNetwork,
+ "address": cfg.Reva.AuthMachine.GRPCAddr,
+ // TODO build services dynamically
+ "services": map[string]interface{}{
+ "authprovider": map[string]interface{}{
+ "auth_manager": "machine",
+ "auth_managers": map[string]interface{}{
+ "machine": map[string]interface{}{
+ "api_key": cfg.Reva.AuthMachineConfig.MachineAuthAPIKey,
+ "gateway_addr": cfg.Reva.Gateway.Endpoint,
+ },
+ },
+ },
+ },
+ },
+ }
+}
+
+// AuthMachineSutureService allows for the storage-gateway command to be embedded and supervised by a suture supervisor tree.
+type AuthMachineSutureService struct { + cfg *config.Config +} + +// NewAuthMachineSutureService creates a new gateway.AuthMachineSutureService +func NewAuthMachine(cfg *ociscfg.Config) suture.Service { + if cfg.Mode == 0 { + cfg.Storage.Reva.AuthMachine.Supervised = true + } + return AuthMachineSutureService{ + cfg: cfg.Storage, + } +} + +func (s AuthMachineSutureService) Serve(ctx context.Context) error { + s.cfg.Reva.AuthMachine.Context = ctx + f := &flag.FlagSet{} + cmdFlags := AuthMachine(s.cfg).Flags + for k := range cmdFlags { + if err := cmdFlags[k].Apply(f); err != nil { + return err + } + } + cliCtx := cli.NewContext(nil, f, nil) + if AuthMachine(s.cfg).Before != nil { + if err := AuthMachine(s.cfg).Before(cliCtx); err != nil { + return err + } + } + if err := AuthMachine(s.cfg).Action(cliCtx); err != nil { + return err + } + + return nil +} diff --git a/storage/pkg/config/config.go b/storage/pkg/config/config.go index c05e6899072..1d690507cfb 100644 --- a/storage/pkg/config/config.go +++ b/storage/pkg/config/config.go @@ -127,10 +127,8 @@ type Users struct { UserGroupsCacheExpiration int } -// AuthBearerConfig defines the available configuration for the bearer auth drivers. -type AuthBearerConfig struct { - Port - Driver string +// AuthMachineConfig defines the available configuration for the machine auth driver. +type AuthMachineConfig struct { MachineAuthAPIKey string } @@ -451,9 +449,10 @@ type Reva struct { Users Users Groups Groups AuthProvider Users - AuthBearerConfig AuthBearerConfig AuthBasic Port AuthBearer Port + AuthMachine Port + AuthMachineConfig AuthMachineConfig Sharing Sharing StorageHome StoragePort StorageUsers StoragePort diff --git a/storage/pkg/flagset/authbearer.go b/storage/pkg/flagset/authbearer.go index b67b661e515..73bfeb91ef4 100644 --- a/storage/pkg/flagset/authbearer.go +++ b/storage/pkg/flagset/authbearer.go 
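Review bot: Nothing in AuthMachine rejects the placeholder API key: the `Before` hook only copies the service list, yet `flagset.AuthMachineWithConfig` defaults `machine-auth-api-key` to `change-me-please`, and in this series that key is what the proxy presents to `Authenticate` to obtain a token for whatever `claim:value` it names, so a process that reaches the gateway's `machine` rule with the default key can, as far as the visible code shows, impersonate any user. Fail fast in `Before`: `if k := cfg.Reva.AuthMachineConfig.MachineAuthAPIKey; k == "" || k == "change-me-please" { return errors.New("machine-auth-api-key must be set to a non-default value") }` (needs `errors` imported). The doc comments were copied from the gateway command: the one above `NewAuthMachine` names `NewAuthMachineSutureService`, and the type comment says it embeds the storage-gateway command; reword them to `// NewAuthMachine creates a suture.Service that runs the auth-machine command.` and `// AuthMachineSutureService allows for the auth-machine command to be embedded and supervised by a suture supervisor tree.` Serve also constructs the command three times via `AuthMachine(s.cfg)`; build it once (`cmd := AuthMachine(s.cfg)`) so the Flags, Before and Action it applies belong to the same object.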
@@ -19,15 +19,6 @@ func AuthBearerWithConfig(cfg *config.Config) []cli.Flag { Destination: &cfg.Reva.AuthBearer.DebugAddr, }, - // Driver - &cli.StringFlag{ - Name: "auth-driver", - Value: flags.OverrideDefaultString(cfg.Reva.AuthBearerConfig.Driver, "oidc"), - Usage: "bearer auth driver: 'oidc' or 'machine'", - EnvVars: []string{"STORAGE_AUTH_BEARER_DRIVER"}, - Destination: &cfg.Reva.AuthBearerConfig.Driver, - }, - // OIDC &cli.StringFlag{ @@ -72,16 +63,6 @@ func AuthBearerWithConfig(cfg *config.Config) []cli.Flag { Destination: &cfg.Reva.OIDC.GIDClaim, }, - // Machine Auth - - &cli.StringFlag{ - Name: "machine-auth-api-key", - Value: flags.OverrideDefaultString(cfg.Reva.AuthBearerConfig.MachineAuthAPIKey, "change-me-please"), - Usage: "the API key to be used for the machine auth driver in reva", - EnvVars: []string{"STORAGE_AUTH_BEARER_MACHINE_AUTH_API_KEY", "OCIS_MACHINE_AUTH_API_KEY"}, - Destination: &cfg.Reva.AuthBearerConfig.MachineAuthAPIKey, - }, - // Services // AuthBearer diff --git a/storage/pkg/flagset/authmachine.go b/storage/pkg/flagset/authmachine.go new file mode 100644 index 00000000000..f4a9d20f7af --- /dev/null +++ b/storage/pkg/flagset/authmachine.go 
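Review bot: Removing `STORAGE_AUTH_BEARER_MACHINE_AUTH_API_KEY` silently changes the key's value for any deployment that configured it through that variable: the replacement flag in `flagset/authmachine.go` reads only `STORAGE_AUTH_MACHINE_AUTH_API_KEY` and `OCIS_MACHINE_AUTH_API_KEY`, so such a deployment would upgrade into the `change-me-please` default without any error. Keep the old name as a deprecated alias on the new flag, `EnvVars: []string{"STORAGE_AUTH_MACHINE_AUTH_API_KEY", "STORAGE_AUTH_BEARER_MACHINE_AUTH_API_KEY", "OCIS_MACHINE_AUTH_API_KEY"},`, and record both this rename and the removal of `STORAGE_AUTH_BEARER_DRIVER` in the changelog entry. AuthBearerWithConfig starts and ends outside the hunks.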
@@ -0,0 +1,73 @@
+package flagset
+
+import (
+ "github.com/owncloud/ocis/ocis-pkg/flags"
+ "github.com/owncloud/ocis/storage/pkg/config"
+ "github.com/urfave/cli/v2"
+)
+
+// AuthMachineWithConfig applies cfg to the root flagset
+func AuthMachineWithConfig(cfg *config.Config) []cli.Flag {
+ flags := []cli.Flag{
+
+ // debug ports are the odd ports
+ &cli.StringFlag{
+ Name: "debug-addr",
+ Value: flags.OverrideDefaultString(cfg.Reva.AuthMachine.DebugAddr, "127.0.0.1:9167"),
+ Usage: "Address to bind debug server",
+ EnvVars: []string{"STORAGE_AUTH_MACHINE_DEBUG_ADDR"},
+ Destination: &cfg.Reva.AuthMachine.DebugAddr,
+ },
+
+ // Machine Auth
+
+ &cli.StringFlag{
+ Name: "machine-auth-api-key",
+ Value: flags.OverrideDefaultString(cfg.Reva.AuthMachineConfig.MachineAuthAPIKey, "change-me-please"),
+ Usage: "the API key to be used for the machine auth driver in reva",
+ EnvVars: []string{"STORAGE_AUTH_MACHINE_AUTH_API_KEY", "OCIS_MACHINE_AUTH_API_KEY"},
+ Destination: &cfg.Reva.AuthMachineConfig.MachineAuthAPIKey,
+ },
+
+ // Services
+
+ // AuthMachine
+
+ &cli.StringFlag{
+ Name: "network",
+ Value: flags.OverrideDefaultString(cfg.Reva.AuthMachine.GRPCNetwork, "tcp"),
+ Usage: "Network to use for the storage service, can be 'tcp', 'udp' or 'unix'",
+ EnvVars: []string{"STORAGE_AUTH_MACHINE_GRPC_NETWORK"},
+ Destination: &cfg.Reva.AuthMachine.GRPCNetwork,
+ },
+ &cli.StringFlag{
+ Name: "addr",
+ Value: flags.OverrideDefaultString(cfg.Reva.AuthMachine.GRPCAddr, "127.0.0.1:9166"),
+ Usage: "Address to bind storage service",
+ EnvVars: []string{"STORAGE_AUTH_MACHINE_GRPC_ADDR"},
+ Destination: &cfg.Reva.AuthMachine.GRPCAddr,
+ },
+ &cli.StringSliceFlag{
+ Name: "service",
+ Value: cli.NewStringSlice("authprovider"), // TODO preferences
+ Usage: "--service authprovider [--service otherservice]",
+ EnvVars: []string{"STORAGE_AUTH_MACHINE_SERVICES"},
+ },
+
+ // Gateway
+
+ &cli.StringFlag{
+ Name: "reva-gateway-addr",
+ Value:
flags.OverrideDefaultString(cfg.Reva.Gateway.Endpoint, "127.0.0.1:9142"), + Usage: "Address of REVA gateway endpoint", + EnvVars: []string{"REVA_GATEWAY"}, + Destination: &cfg.Reva.Gateway.Endpoint, + }, + } + + flags = append(flags, TracingWithConfig(cfg)...) + flags = append(flags, DebugWithConfig(cfg)...) + flags = append(flags, SecretWithConfig(cfg)...) + + return flags +} From 26ec5f0a40d19f843e2d0534fca02dff353684bf Mon Sep 17 00:00:00 2001 From: Ishank Arora Date: Thu, 14 Oct 2021 17:14:36 +0200 Subject: [PATCH 3/5] Use machine auth when using cs3 backend in proxy service --- proxy/pkg/user/backend/cs3.go | 9 ++------- storage/pkg/command/gateway.go | 1 + 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/proxy/pkg/user/backend/cs3.go b/proxy/pkg/user/backend/cs3.go index 3dcd9c36571..4623c7d5c86 100644 --- a/proxy/pkg/user/backend/cs3.go +++ b/proxy/pkg/user/backend/cs3.go @@ -31,14 +31,9 @@ func NewCS3UserBackend(rs settings.RoleService, ap RevaAuthenticator, machineAut } func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, withRoles bool) (*cs3.User, string, error) { - // We only support authentication via username for now - if claim != "username" { - return nil, "", fmt.Errorf("claim: %s not supported", claim) - } - res, err := c.authProvider.Authenticate(ctx, &gateway.AuthenticateRequest{ - Type: "bearer", - ClientId: value, + Type: "machine", + ClientId: claim + ":" + value, ClientSecret: c.machineAuthAPIKey, }) diff --git a/storage/pkg/command/gateway.go b/storage/pkg/command/gateway.go index d8a363d7593..b1047367fbb 100644 --- a/storage/pkg/command/gateway.go +++ b/storage/pkg/command/gateway.go @@ -164,6 +164,7 @@ func gatewayConfigFromStruct(c *cli.Context, cfg *config.Config, logger log.Logg "rules": map[string]interface{}{ "basic": cfg.Reva.AuthBasic.Endpoint, "bearer": cfg.Reva.AuthBearer.Endpoint, + "machine": cfg.Reva.AuthMachine.Endpoint, "publicshares": cfg.Reva.StoragePublicLink.Endpoint, }, }, 
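Review bot: The usage text for `machine-auth-api-key` understates what the value is: in this series it is the shared secret the proxy presents to `Authenticate` with `Type: "machine"` to get a token for an arbitrary `claim:value`, and the default `change-me-please` is a working value rather than a refusal. Say so where operators read it: `Usage: "the API key for the machine auth driver in reva; anyone holding it can obtain a token for any user, so always override the default",`. The `network` and `addr` usage strings were copied from the storage provider ("storage service", and `'udp'` is offered although gRPC does not listen on UDP); `"Network to use for the auth-machine service, can be 'tcp' or 'unix'"` and `"Address to bind auth-machine service"` would be accurate.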
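Review bot: Dropping the `claim != "username"` guard means whatever claim name the proxy is configured with is now forwarded to the machine auth driver inside `ClientId`, and both the driver's handling of unknown claim names and its parsing of a `value` that itself contains `:` live in reva, outside this series; if the driver accepts a fixed set (the likely candidates being username, mail and userid) that set should be checked here, or at least named in a comment, so a misconfigured claim fails in the proxy with a clear error instead of an opaque Authenticate failure. A minimal guard, to be confirmed against the reva driver: `switch claim { case "username", "mail", "userid": default: return nil, "", fmt.Errorf("claim: %s not supported", claim) }`. Also add `// ClientId is "<claim>:<value>", the form the reva machine auth driver expects` above the request. GetUserByClaims continues outside the hunk.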
From 0c8cbe4d4f375cde47a51f1f06877c9d6220e899 Mon Sep 17 00:00:00 2001 From: Ishank Arora Date: Fri, 15 Oct 2021 17:54:44 +0200 Subject: [PATCH 4/5] Add machine auth endpoint to gateway --- storage/pkg/flagset/gateway.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/storage/pkg/flagset/gateway.go b/storage/pkg/flagset/gateway.go index 940368532c7..34c008e0ce2 100644 --- a/storage/pkg/flagset/gateway.go +++ b/storage/pkg/flagset/gateway.go @@ -124,6 +124,13 @@ func GatewayWithConfig(cfg *config.Config) []cli.Flag { EnvVars: []string{"STORAGE_AUTH_BEARER_ENDPOINT"}, Destination: &cfg.Reva.AuthBearer.Endpoint, }, + &cli.StringFlag{ + Name: "auth-machine-endpoint", + Value: flags.OverrideDefaultString(cfg.Reva.AuthMachine.Endpoint, "localhost:9166"), + Usage: "endpoint to use for the machine auth provider", + EnvVars: []string{"STORAGE_AUTH_MACHINE_ENDPOINT"}, + Destination: &cfg.Reva.AuthMachine.Endpoint, + }, // storage registry From 375e9121fd7847766adc38dc01baa910fd32666b Mon Sep 17 00:00:00 2001 From: Ishank Arora Date: Mon, 18 Oct 2021 09:52:17 +0200 Subject: [PATCH 5/5] Update reva version --- go.mod | 2 +- go.sum | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index b1558a79a29..571a6cdd190 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( github.com/blevesearch/bleve/v2 v2.1.0 github.com/coreos/go-oidc/v3 v3.0.0 github.com/cs3org/go-cs3apis v0.0.0-20211007101428-6d142794ec11 - github.com/cs3org/reva v1.14.1-0.20211015144112-cddbdd4c560f + github.com/cs3org/reva v1.14.1-0.20211018074606-00d075577d05 github.com/disintegration/imaging v1.6.2 github.com/glauth/glauth v1.1.3-0.20210729125545-b9aecdfcac31 github.com/go-chi/chi/v5 v5.0.4 diff --git a/go.sum b/go.sum index c3a53fe37dd..64711173d04 100644 --- a/go.sum +++ b/go.sum 
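Review bot: The default dial address `localhost:9166` is a second spelling of the bind default `127.0.0.1:9166` that `flagset/authmachine.go` gives the service; with Go's dialer trying every address `localhost` resolves to this is probably harmless, but it is one more pair of defaults to keep in sync. The neighbouring `auth-basic`/`auth-bearer` endpoint defaults are not visible here; if they use `localhost`, follow them, otherwise use `"127.0.0.1:9166"`. GatewayWithConfig continues outside the hunk.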
@@ -290,10 +290,8 @@ github.com/crewjam/saml v0.4.5/go.mod h1:qCJQpUtZte9R1ZjUBcW8qtCNlinbO363ooNl02S github.com/cs3org/cato v0.0.0-20200828125504-e418fc54dd5e/go.mod h1:XJEZ3/EQuI3BXTp/6DUzFr850vlxq11I6satRtz0YQ4= github.com/cs3org/go-cs3apis v0.0.0-20211007101428-6d142794ec11 h1:cc/8fdzWdr/wAZOXb29J8bnXjo1poCMCLwhlFBlvhfI= github.com/cs3org/go-cs3apis v0.0.0-20211007101428-6d142794ec11/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY= -github.com/cs3org/reva v1.14.1-0.20211015081146-2e9bc0c7714a h1:xauop9DkHYtOA3qLGmohOi0rt6WqN8+1BCWu5i/4cL4= -github.com/cs3org/reva v1.14.1-0.20211015081146-2e9bc0c7714a/go.mod h1:uENdZEtDFmTRt6+d4+Ro4P5XnNL+9I6gwftHEBJzHQw= -github.com/cs3org/reva v1.14.1-0.20211015144112-cddbdd4c560f h1:DVy9daUTEgnAP35Q5Vn5rt0FXiHwTr4vp0pecHFHA4Q= -github.com/cs3org/reva v1.14.1-0.20211015144112-cddbdd4c560f/go.mod h1:uENdZEtDFmTRt6+d4+Ro4P5XnNL+9I6gwftHEBJzHQw= +github.com/cs3org/reva v1.14.1-0.20211018074606-00d075577d05 h1:+JZo40/fI+CUDIyI/65W4XJi3VT7+nE/G+Y5QUdaiXY= +github.com/cs3org/reva v1.14.1-0.20211018074606-00d075577d05/go.mod h1:uENdZEtDFmTRt6+d4+Ro4P5XnNL+9I6gwftHEBJzHQw= github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8 h1:Z9lwXumT5ACSmJ7WGnFl+OMLLjpz5uR2fyz7dC255FI= github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8/go.mod h1:4abs/jPXcmJzYoYGF91JF9Uq9s/KL5n1jvFDix8KcqY= github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=