From 7a40904345b8561ba8257bc82ebc703f6b18886c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?= Date: Tue, 3 May 2022 11:17:09 +0000 Subject: [PATCH] separate machine auth key and system auth key MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Jörn Friedrich Dreyer --- .vscode/launch.json | 5 ++-- .../accounts/pkg/config/parser/parse.go | 2 +- .../pkg/config/defaults/defaultconfig.go | 2 +- .../appprovider/pkg/config/parser/parse.go | 2 +- .../auth-basic/pkg/config/parser/parse.go | 2 +- .../auth-bearer/pkg/config/parser/parse.go | 2 +- .../auth-machine/pkg/config/parser/parse.go | 4 ++-- .../frontend/pkg/config/parser/parse.go | 6 ++--- extensions/gateway/pkg/config/parser/parse.go | 4 ++-- extensions/graph/pkg/config/parser/parse.go | 2 +- extensions/group/pkg/config/parser/parse.go | 2 +- .../notifications/pkg/config/parser/parse.go | 2 +- extensions/ocdav/pkg/config/parser/parse.go | 2 +- extensions/ocs/pkg/config/config.go | 3 ++- extensions/ocs/pkg/config/parser/parse.go | 4 ++-- extensions/proxy/pkg/config/parser/parse.go | 4 ++-- extensions/search/pkg/config/parser/parse.go | 2 +- extensions/settings/pkg/config/config.go | 6 ++--- .../pkg/config/defaults/defaultconfig.go | 10 ++++---- .../settings/pkg/config/parser/parse.go | 10 +++++--- .../settings/pkg/store/metadata/store.go | 2 +- extensions/sharing/pkg/command/command.go | 12 +++++----- extensions/sharing/pkg/config/config.go | 16 ++++++------- .../pkg/config/defaults/defaultconfig.go | 24 +++++++++---------- extensions/sharing/pkg/config/parser/parse.go | 18 +++++++------- .../storage-metadata/pkg/command/command.go | 4 ++-- .../storage-metadata/pkg/config/config.go | 8 +++---- .../pkg/config/defaults/defaultconfig.go | 8 +++---- .../pkg/config/parser/parse.go | 10 ++++---- .../pkg/config/parser/parse.go | 2 +- .../storage-shares/pkg/config/parser/parse.go | 2 +- .../storage-users/pkg/config/parser/parse.go | 2 +- .../thumbnails/pkg/config/parser/parse.go | 2 +- extensions/user/pkg/config/parser/parse.go | 2 +- ocis-pkg/config/config.go | 3 ++- ocis-pkg/config/parser/parse.go | 23 ++++++++++++------ ocis-pkg/shared/errors.go | 18 ++++++++++---- ocis-pkg/shared/shared_types.go | 3 ++- ocis/pkg/init/init.go | 16 +++++++++---- 
39 files changed, 141 insertions(+), 110 deletions(-) diff --git a/.vscode/launch.json b/.vscode/launch.json index e7629b586fa..8d1ac0edad3 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json @@ -38,8 +38,9 @@ "IDM_ADMIN_PASSWORD": "admin", // demo users "IDM_CREATE_DEMO_USERS": "true", - // metadata storage - "METADATA_USER_ID": "some-metadata-user-id" + // system storage + "SYSTEM_USER_ID": "some-metadata-user-id", + "SYSTEM_AUTH_API_KEY": "some-system-auth-api-key", // OCIS_RUN_EXTENSIONS allows to start a subset of extensions even in the supervised mode //"OCIS_RUN_EXTENSIONS": "settings,storage-metadata,glauth,graph,graph-explorer,idp,ocs,store,thumbnails,web,webdav,storage-frontend,storage-gateway,storage-userprovider,storage-groupprovider,storage-authbasic,storage-authbearer,storage-authmachine,storage-users,storage-shares,storage-public-link,storage-appprovider,storage-sharing,accounts,proxy,ocdav", } diff --git a/extensions/accounts/pkg/config/parser/parse.go b/extensions/accounts/pkg/config/parser/parse.go index b052fd59c33..2fd846fa6a1 100644 --- a/extensions/accounts/pkg/config/parser/parse.go +++ b/extensions/accounts/pkg/config/parser/parse.go @@ -35,7 +35,7 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } return nil } diff --git a/extensions/appprovider/pkg/config/defaults/defaultconfig.go b/extensions/appprovider/pkg/config/defaults/defaultconfig.go index 978c6d2edb6..e04ec10a22e 100644 --- a/extensions/appprovider/pkg/config/defaults/defaultconfig.go +++ b/extensions/appprovider/pkg/config/defaults/defaultconfig.go 
@@ -84,7 +84,7 @@ func Sanitize(cfg *config.Config) { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } return nil diff --git a/extensions/appprovider/pkg/config/parser/parse.go b/extensions/appprovider/pkg/config/parser/parse.go index ff554af4759..c598e3d8100 100644 --- a/extensions/appprovider/pkg/config/parser/parse.go +++ b/extensions/appprovider/pkg/config/parser/parse.go @@ -35,7 +35,7 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } return nil diff --git a/extensions/auth-basic/pkg/config/parser/parse.go b/extensions/auth-basic/pkg/config/parser/parse.go index de3b06d5c54..7ce0ff66833 100644 --- a/extensions/auth-basic/pkg/config/parser/parse.go +++ b/extensions/auth-basic/pkg/config/parser/parse.go @@ -35,7 +35,7 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } if cfg.AuthProviders.LDAP.BindPassword == "" && cfg.AuthProvider == "ldap" { diff --git a/extensions/auth-bearer/pkg/config/parser/parse.go b/extensions/auth-bearer/pkg/config/parser/parse.go index fc3a1c50206..03e6a52e3dd 100644 --- a/extensions/auth-bearer/pkg/config/parser/parse.go +++ b/extensions/auth-bearer/pkg/config/parser/parse.go @@ -35,7 +35,7 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } return nil 
diff --git a/extensions/auth-machine/pkg/config/parser/parse.go b/extensions/auth-machine/pkg/config/parser/parse.go index 2eb535806ba..072fc218f12 100644 --- a/extensions/auth-machine/pkg/config/parser/parse.go +++ b/extensions/auth-machine/pkg/config/parser/parse.go @@ -35,11 +35,11 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } if cfg.AuthProviders.Machine.APIKey == "" { - return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) + return shared.MissingMachineAuthAPIKey(cfg.Service.Name) } return nil } diff --git a/extensions/frontend/pkg/config/parser/parse.go b/extensions/frontend/pkg/config/parser/parse.go index e2ff551a5c4..e8507b0c15b 100644 --- a/extensions/frontend/pkg/config/parser/parse.go +++ b/extensions/frontend/pkg/config/parser/parse.go @@ -35,15 +35,15 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } if cfg.TransferSecret == "" { - return shared.MissingRevaTransferSecretError(cfg.Service.Name) + return shared.MissingRevaTransferSecret(cfg.Service.Name) } if cfg.MachineAuthAPIKey == "" { - return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) + return shared.MissingMachineAuthAPIKey(cfg.Service.Name) } return nil diff --git a/extensions/gateway/pkg/config/parser/parse.go b/extensions/gateway/pkg/config/parser/parse.go index 424efdbfb21..b2b497786f1 100644 --- a/extensions/gateway/pkg/config/parser/parse.go +++ b/extensions/gateway/pkg/config/parser/parse.go 
@@ -35,11 +35,11 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } if cfg.TransferSecret == "" { - return shared.MissingRevaTransferSecretError(cfg.Service.Name) + return shared.MissingRevaTransferSecret(cfg.Service.Name) } return nil diff --git a/extensions/graph/pkg/config/parser/parse.go b/extensions/graph/pkg/config/parser/parse.go index f554a623d8e..c520490fa29 100644 --- a/extensions/graph/pkg/config/parser/parse.go +++ b/extensions/graph/pkg/config/parser/parse.go @@ -35,7 +35,7 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } if cfg.Identity.Backend == "ldap" && cfg.Identity.LDAP.BindPassword == "" { diff --git a/extensions/group/pkg/config/parser/parse.go b/extensions/group/pkg/config/parser/parse.go index f1e7880c9be..3f28064861c 100644 --- a/extensions/group/pkg/config/parser/parse.go +++ b/extensions/group/pkg/config/parser/parse.go @@ -35,7 +35,7 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } if cfg.Drivers.LDAP.BindPassword == "" && cfg.Driver == "ldap" { diff --git a/extensions/notifications/pkg/config/parser/parse.go b/extensions/notifications/pkg/config/parser/parse.go index 85ac780a342..9a86bb71f1e 100644 --- a/extensions/notifications/pkg/config/parser/parse.go +++ b/extensions/notifications/pkg/config/parser/parse.go 
@@ -35,7 +35,7 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.Notifications.MachineAuthAPIKey == "" { - return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) + return shared.MissingMachineAuthAPIKey(cfg.Service.Name) } return nil diff --git a/extensions/ocdav/pkg/config/parser/parse.go b/extensions/ocdav/pkg/config/parser/parse.go index 77766296bfd..635971d0b6f 100644 --- a/extensions/ocdav/pkg/config/parser/parse.go +++ b/extensions/ocdav/pkg/config/parser/parse.go @@ -35,7 +35,7 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } return nil diff --git a/extensions/ocs/pkg/config/config.go b/extensions/ocs/pkg/config/config.go index b5e7fbe8594..27f29e63dd8 100644 --- a/extensions/ocs/pkg/config/config.go +++ b/extensions/ocs/pkg/config/config.go @@ -23,7 +23,8 @@ type Config struct { IdentityManagement IdentityManagement `yaml:"identity_management"` - AccountBackend string `yaml:"account_backend" env:"OCS_ACCOUNT_BACKEND_TYPE"` + AccountBackend string `yaml:"account_backend" env:"OCS_ACCOUNT_BACKEND_TYPE"` + // StorageUsersDriver is used to list and then delete all spaces owned by the user StorageUsersDriver string `yaml:"storage_users_driver" env:"STORAGE_USERS_DRIVER;OCS_STORAGE_USERS_DRIVER"` MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY;OCS_MACHINE_AUTH_API_KEY"` diff --git a/extensions/ocs/pkg/config/parser/parse.go b/extensions/ocs/pkg/config/parser/parse.go index 536ed52de18..159e0a4042a 100644 --- a/extensions/ocs/pkg/config/parser/parse.go +++ b/extensions/ocs/pkg/config/parser/parse.go 
@@ -36,11 +36,11 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } if cfg.MachineAuthAPIKey == "" { - return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) + return shared.MissingMachineAuthAPIKey(cfg.Service.Name) } return nil diff --git a/extensions/proxy/pkg/config/parser/parse.go b/extensions/proxy/pkg/config/parser/parse.go index f792d79557e..04fc1711936 100644 --- a/extensions/proxy/pkg/config/parser/parse.go +++ b/extensions/proxy/pkg/config/parser/parse.go @@ -34,11 +34,11 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } if cfg.MachineAuthAPIKey == "" { - return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) + return shared.MissingMachineAuthAPIKey(cfg.Service.Name) } return nil diff --git a/extensions/search/pkg/config/parser/parse.go b/extensions/search/pkg/config/parser/parse.go index 9183f5be88c..4dd0241d080 100644 --- a/extensions/search/pkg/config/parser/parse.go +++ b/extensions/search/pkg/config/parser/parse.go @@ -35,7 +35,7 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.MachineAuthAPIKey == "" { - return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) + return shared.MissingMachineAuthAPIKey(cfg.Service.Name) } return nil } diff --git a/extensions/settings/pkg/config/config.go b/extensions/settings/pkg/config/config.go index 8182911bf5a..85cd45461a8 100644 --- a/extensions/settings/pkg/config/config.go +++ b/extensions/settings/pkg/config/config.go 
@@ -39,7 +39,7 @@ type Metadata struct {
 GatewayAddress string `yaml:"gateway_addr" env:"STORAGE_GATEWAY_GRPC_ADDR"`
 StorageAddress string `yaml:"storage_addr" env:"STORAGE_GRPC_ADDR"`
- ServiceUserID string `yaml:"service_user_id" env:"METADATA_SERVICE_USER_UUID"`
- ServiceUserIDP string `yaml:"service_user_idp" env:"METADATA_SERVICE_USER_IDP"`
- MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY"`
+ SystemUserID string `yaml:"system_user_id" env:"SYSTEM_USER_ID"`
+ SystemUserIDP string `yaml:"system_user_idp" env:"SYSTEM_USER_IDP"`
+ SystemAuthAPIKey string `yaml:"machine_auth_api_key" env:"SYSTEM_AUTH_API_KEY"`
 }
diff --git a/extensions/settings/pkg/config/defaults/defaultconfig.go b/extensions/settings/pkg/config/defaults/defaultconfig.go
index 5e87d0702bc..76fcd087264 100644
--- a/extensions/settings/pkg/config/defaults/defaultconfig.go
+++ b/extensions/settings/pkg/config/defaults/defaultconfig.go
@@ -52,7 +52,7 @@ func DefaultConfig() *config.Config {
 Metadata: config.Metadata{
 GatewayAddress: "127.0.0.1:9215", // metadata storage
 StorageAddress: "127.0.0.1:9215",
- ServiceUserIDP: "internal",
+ SystemUserIDP: "internal",
 },
 }
 }
@@ -89,12 +89,12 @@ func EnsureDefaults(cfg *config.Config) {
 cfg.TokenManager = &config.TokenManager{}
 }
- if cfg.Metadata.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" {
- cfg.Metadata.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey
+ if cfg.Metadata.SystemUserID == "" && cfg.Commons != nil && cfg.Commons.SystemUserID != "" {
+ cfg.Metadata.SystemUserID = cfg.Commons.SystemUserID
 }
- if cfg.Metadata.ServiceUserID == "" && cfg.Commons != nil && cfg.Commons.MetadataUserID != "" {
- cfg.Metadata.ServiceUserID = cfg.Commons.MetadataUserID
+ if cfg.Metadata.SystemAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.SystemAuthAPIKey != "" {
+ cfg.Metadata.SystemAuthAPIKey = cfg.Commons.SystemAuthAPIKey
 }
 }
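Review bot: The yaml tag on the new `SystemAuthAPIKey` field of `Metadata` is still `machine_auth_api_key`, while every other field renamed in this commit (ocis-pkg `Config`, `Commons`, storage-metadata `Config`) uses `system_auth_api_key`. A settings YAML written to the new key name would leave this field empty, so the service would either fall back to the Commons value in `EnsureDefaults` or fail `Validate` with `MissingSystemAuthAPIKey` although the key was set; since the purpose of the change is to keep the machine auth key and the system auth key apart, a yaml key still called `machine_auth_api_key` also invites operators to put the wrong secret there. Change it to `SystemAuthAPIKey string `yaml:"system_auth_api_key" env:"SYSTEM_AUTH_API_KEY"``.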
diff --git a/extensions/settings/pkg/config/parser/parse.go b/extensions/settings/pkg/config/parser/parse.go
index b59d8ee9fd1..d00d2bc427e 100644
--- a/extensions/settings/pkg/config/parser/parse.go
+++ b/extensions/settings/pkg/config/parser/parse.go
@@ -34,11 +34,15 @@ func ParseConfig(cfg *config.Config) error {
 func Validate(cfg *config.Config) error {
 if cfg.TokenManager.JWTSecret == "" {
- return shared.MissingJWTTokenError(cfg.Service.Name)
+ return shared.MissingJWTToken(cfg.Service.Name)
 }
- if cfg.Metadata.MachineAuthAPIKey == "" {
- return shared.MissingMachineAuthApiKeyError(cfg.Service.Name)
+ if cfg.Metadata.SystemUserID == "" {
+ return shared.MissingSystemUserID(cfg.Service.Name)
+ }
+
+ if cfg.Metadata.SystemAuthAPIKey == "" {
+ return shared.MissingSystemAuthAPIKey(cfg.Service.Name)
 }
 return nil
diff --git a/extensions/settings/pkg/store/metadata/store.go b/extensions/settings/pkg/store/metadata/store.go
index c98615559a7..3b15c79ed04 100644
--- a/extensions/settings/pkg/store/metadata/store.go
+++ b/extensions/settings/pkg/store/metadata/store.go
@@ -84,7 +84,7 @@ func New(cfg *config.Config) settings.Manager {
 // NewMetadataClient returns the MetadataClient
 func NewMetadataClient(cfg config.Metadata) MetadataClient {
- mdc, err := metadata.NewCS3Storage(cfg.GatewayAddress, cfg.StorageAddress, cfg.ServiceUserID, cfg.ServiceUserIDP, cfg.MachineAuthAPIKey)
+ mdc, err := metadata.NewCS3Storage(cfg.GatewayAddress, cfg.StorageAddress, cfg.SystemUserIDP, cfg.SystemUserIDP, cfg.SystemAuthAPIKey)
 if err != nil {
 log.Fatal("error connecting to mdc:", err)
 }
diff --git a/extensions/sharing/pkg/command/command.go b/extensions/sharing/pkg/command/command.go
index 29cde193573..7be127cf691 100644
--- a/extensions/sharing/pkg/command/command.go
+++ b/extensions/sharing/pkg/command/command.go
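Review bot: The rewritten `NewCS3Storage` call in `NewMetadataClient` passes `cfg.SystemUserIDP` twice; the third argument replaced `cfg.ServiceUserID` and has to be the user id, so the settings service now identifies the system user by its IDP string (defaulting to `"internal"` per the settings defaults) instead of the configured `SystemUserID`, and the `SystemUserID` that `Validate` in this same commit insists on is never used. The line should read `mdc, err := metadata.NewCS3Storage(cfg.GatewayAddress, cfg.StorageAddress, cfg.SystemUserID, cfg.SystemUserIDP, cfg.SystemAuthAPIKey)`. `NewMetadataClient` continues outside the hunk.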
@@ -154,9 +154,9 @@ func sharingConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]inte }, "cs3": map[string]interface{}{ "provider_addr": cfg.UserSharingDrivers.CS3.ProviderAddr, - "service_user_id": cfg.UserSharingDrivers.CS3.ServiceUserID, - "service_user_idp": cfg.UserSharingDrivers.CS3.ServiceUserIDP, - "machine_auth_apikey": cfg.UserSharingDrivers.CS3.MachineAuthAPIKey, + "service_user_id": cfg.UserSharingDrivers.CS3.SystemUserID, + "service_user_idp": cfg.UserSharingDrivers.CS3.SystemUserIDP, + "machine_auth_apikey": cfg.UserSharingDrivers.CS3.SystemAuthAPIKey, }, }, }, @@ -190,9 +190,9 @@ func sharingConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]inte }, "cs3": map[string]interface{}{ "provider_addr": cfg.PublicSharingDrivers.CS3.ProviderAddr, - "service_user_id": cfg.PublicSharingDrivers.CS3.ServiceUserID, - "service_user_idp": cfg.PublicSharingDrivers.CS3.ServiceUserIDP, - "machine_auth_apikey": cfg.PublicSharingDrivers.CS3.MachineAuthAPIKey, + "service_user_id": cfg.PublicSharingDrivers.CS3.SystemUserID, + "service_user_idp": cfg.PublicSharingDrivers.CS3.SystemUserIDP, + "machine_auth_apikey": cfg.PublicSharingDrivers.CS3.SystemAuthAPIKey, }, }, }, diff --git a/extensions/sharing/pkg/config/config.go b/extensions/sharing/pkg/config/config.go index f81d37faa1c..686aada5383 100644 --- a/extensions/sharing/pkg/config/config.go +++ b/extensions/sharing/pkg/config/config.go @@ -75,10 +75,10 @@ type UserSharingSQLDriver struct { } type UserSharingCS3Driver struct { - ProviderAddr string - ServiceUserID string - ServiceUserIDP string `env:"OCIS_URL;SHARING_CS3_SERVICE_USER_IDP"` - MachineAuthAPIKey string `env:"OCIS_MACHINE_AUTH_API_KEY"` + ProviderAddr string + SystemUserID string `env:"SYSTEM_USER_ID;SHARING_USER_SYSTEM_USER_ID"` + SystemUserIDP string `env:"SYSTEM_USER_IDP;SHARING_USER_SYSTEM_USER_IDP"` + SystemAuthAPIKey string `env:"SYSTEM_AUTH_API_KEY;SHARING_USER_SYSTEM_AUTH_API_KEY"` } type PublicSharingDrivers struct { 
@@ -104,10 +104,10 @@ type PublicSharingSQLDriver struct { } type PublicSharingCS3Driver struct { - ProviderAddr string - ServiceUserID string - ServiceUserIDP string - MachineAuthAPIKey string `env:"OCIS_MACHINE_AUTH_API_KEY"` + ProviderAddr string + SystemUserID string `env:"SYSTEM_USER_ID;SHARING_PUBLIC_SYSTEM_USER_ID"` + SystemUserIDP string `env:"SYSTEM_USER_IDP;SHARING_PUBLIC_SYSTEM_USER_IDP"` + SystemAuthAPIKey string `env:"SYSTEM_AUTH_API_KEY;SHARING_PUBLIC_SYSTEM_AUTH_API_KEY"` } type Events struct { diff --git a/extensions/sharing/pkg/config/defaults/defaultconfig.go b/extensions/sharing/pkg/config/defaults/defaultconfig.go index 924e432288f..9c6ec289c1c 100644 --- a/extensions/sharing/pkg/config/defaults/defaultconfig.go +++ b/extensions/sharing/pkg/config/defaults/defaultconfig.go @@ -48,8 +48,8 @@ func DefaultConfig() *config.Config { JanitorRunInterval: 60, }, CS3: config.UserSharingCS3Driver{ - ProviderAddr: "127.0.0.1:9215", // metadata storage - ServiceUserIDP: "internal", + ProviderAddr: "127.0.0.1:9215", // metadata storage + SystemUserIDP: "internal", }, }, PublicSharingDriver: "json", @@ -68,8 +68,8 @@ func DefaultConfig() *config.Config { JanitorRunInterval: 60, }, CS3: config.PublicSharingCS3Driver{ - ProviderAddr: "127.0.0.1:9215", // metadata storage - ServiceUserIDP: "internal", + ProviderAddr: "127.0.0.1:9215", // metadata storage + SystemUserIDP: "internal", }, }, Events: config.Events{ 
@@ -119,20 +119,20 @@ func EnsureDefaults(cfg *config.Config) { cfg.TokenManager = &config.TokenManager{} } - if cfg.UserSharingDrivers.CS3.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" { - cfg.UserSharingDrivers.CS3.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey + if cfg.UserSharingDrivers.CS3.SystemAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.SystemAuthAPIKey != "" { + cfg.UserSharingDrivers.CS3.SystemAuthAPIKey = cfg.Commons.SystemAuthAPIKey } - if cfg.UserSharingDrivers.CS3.ServiceUserID == "" && cfg.Commons != nil && cfg.Commons.MetadataUserID != "" { - cfg.UserSharingDrivers.CS3.ServiceUserID = cfg.Commons.MetadataUserID + if cfg.UserSharingDrivers.CS3.SystemUserID == "" && cfg.Commons != nil && cfg.Commons.SystemUserID != "" { + cfg.UserSharingDrivers.CS3.SystemUserID = cfg.Commons.SystemUserID } - if cfg.PublicSharingDrivers.CS3.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" { - cfg.PublicSharingDrivers.CS3.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey + if cfg.PublicSharingDrivers.CS3.SystemAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.SystemAuthAPIKey != "" { + cfg.PublicSharingDrivers.CS3.SystemAuthAPIKey = cfg.Commons.SystemAuthAPIKey } - if cfg.PublicSharingDrivers.CS3.ServiceUserID == "" && cfg.Commons != nil && cfg.Commons.MetadataUserID != "" { - cfg.PublicSharingDrivers.CS3.ServiceUserID = cfg.Commons.MetadataUserID + if cfg.PublicSharingDrivers.CS3.SystemUserID == "" && cfg.Commons != nil && cfg.Commons.SystemUserID != "" { + cfg.PublicSharingDrivers.CS3.SystemUserID = cfg.Commons.SystemUserID } } diff --git a/extensions/sharing/pkg/config/parser/parse.go b/extensions/sharing/pkg/config/parser/parse.go index afc4d88b8ec..13bb89f2ddc 100644 --- a/extensions/sharing/pkg/config/parser/parse.go +++ b/extensions/sharing/pkg/config/parser/parse.go 
@@ -35,23 +35,23 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } - if cfg.PublicSharingDriver == "cs3" && cfg.PublicSharingDrivers.CS3.MachineAuthAPIKey == "" { - return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) + if cfg.PublicSharingDriver == "cs3" && cfg.PublicSharingDrivers.CS3.SystemAuthAPIKey == "" { + return shared.MissingSystemAuthAPIKey(cfg.Service.Name) } - if cfg.PublicSharingDriver == "cs3" && cfg.PublicSharingDrivers.CS3.ServiceUserID == "" { - return shared.MissingMetadataUserID(cfg.Service.Name) + if cfg.PublicSharingDriver == "cs3" && cfg.PublicSharingDrivers.CS3.SystemUserID == "" { + return shared.MissingSystemUserID(cfg.Service.Name) } - if cfg.UserSharingDriver == "cs3" && cfg.UserSharingDrivers.CS3.MachineAuthAPIKey == "" { - return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) + if cfg.UserSharingDriver == "cs3" && cfg.UserSharingDrivers.CS3.SystemAuthAPIKey == "" { + return shared.MissingSystemAuthAPIKey(cfg.Service.Name) } - if cfg.UserSharingDriver == "cs3" && cfg.UserSharingDrivers.CS3.ServiceUserID == "" { - return shared.MissingMetadataUserID(cfg.Service.Name) + if cfg.UserSharingDriver == "cs3" && cfg.UserSharingDrivers.CS3.SystemUserID == "" { + return shared.MissingSystemUserID(cfg.Service.Name) } return nil diff --git a/extensions/storage-metadata/pkg/command/command.go b/extensions/storage-metadata/pkg/command/command.go index 54eff79d451..5743ce5c583 100644 --- a/extensions/storage-metadata/pkg/command/command.go +++ b/extensions/storage-metadata/pkg/command/command.go 
@@ -160,7 +160,7 @@ func storageMetadataFromStruct(c *cli.Context, cfg *config.Config) map[string]in "users": map[string]interface{}{ "serviceuser": map[string]interface{}{ "id": map[string]interface{}{ - "opaqueId": cfg.MetadataUserID, + "opaqueId": cfg.SystemUserID, "idp": "internal", "type": userpb.UserType_USER_TYPE_PRIMARY, }, @@ -185,7 +185,7 @@ func storageMetadataFromStruct(c *cli.Context, cfg *config.Config) map[string]in "auth_manager": "machine", "auth_managers": map[string]interface{}{ "machine": map[string]interface{}{ - "api_key": cfg.MachineAuthAPIKey, + "api_key": cfg.SystemAuthAPIKey, "gateway_addr": cfg.GRPC.Addr, }, }, diff --git a/extensions/storage-metadata/pkg/config/config.go b/extensions/storage-metadata/pkg/config/config.go index 8c4475600fd..d2ef8f863ce 100644 --- a/extensions/storage-metadata/pkg/config/config.go +++ b/extensions/storage-metadata/pkg/config/config.go @@ -19,10 +19,10 @@ type Config struct { Context context.Context `yaml:"context"` - TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` - MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"STORAGE_METADATA_MACHINE_AUTH_API_KEY"` - MetadataUserID string `yaml:"metadata_user_id"` + TokenManager *TokenManager `yaml:"token_manager"` + Reva *Reva `yaml:"reva"` + SystemUserID string `yaml:"system_user_id" env:"SYSTEM_USER_ID;STORAGE_METADATA_SYSTEM_USER_ID"` + SystemAuthAPIKey string `yaml:"system_auth_api_key" env:"SYSTEM_AUTH_API_KEY;STORAGE_METADATA_SYSTEM_AUTH_API_KEY"` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token"` Driver string `yaml:"driver" env:"STORAGE_METADATA_DRIVER" desc:"The driver which should be used by the service"` diff --git a/extensions/storage-metadata/pkg/config/defaults/defaultconfig.go b/extensions/storage-metadata/pkg/config/defaults/defaultconfig.go index 4f274aa0ca1..564e9b8c5fe 100644 --- a/extensions/storage-metadata/pkg/config/defaults/defaultconfig.go 
+++ b/extensions/storage-metadata/pkg/config/defaults/defaultconfig.go @@ -122,12 +122,12 @@ func EnsureDefaults(cfg *config.Config) { cfg.TokenManager = &config.TokenManager{} } - if cfg.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" { - cfg.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey + if cfg.SystemUserID == "" && cfg.Commons != nil && cfg.Commons.SystemUserID != "" { + cfg.SystemUserID = cfg.Commons.SystemUserID } - if cfg.MetadataUserID == "" && cfg.Commons != nil && cfg.Commons.MetadataUserID != "" { - cfg.MetadataUserID = cfg.Commons.MetadataUserID + if cfg.SystemAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.SystemAuthAPIKey != "" { + cfg.SystemAuthAPIKey = cfg.Commons.SystemAuthAPIKey } } diff --git a/extensions/storage-metadata/pkg/config/parser/parse.go b/extensions/storage-metadata/pkg/config/parser/parse.go index 413bbd52c55..7778a59da0a 100644 --- a/extensions/storage-metadata/pkg/config/parser/parse.go +++ b/extensions/storage-metadata/pkg/config/parser/parse.go @@ -35,15 +35,15 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } - if cfg.MachineAuthAPIKey == "" { - return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) + if cfg.SystemUserID == "" { + return shared.MissingSystemUserID(cfg.Service.Name) } - if cfg.MetadataUserID == "" { - return shared.MissingMetadataUserID(cfg.Service.Name) + if cfg.SystemAuthAPIKey == "" { + return shared.MissingSystemAuthAPIKey(cfg.Service.Name) } return nil } diff --git a/extensions/storage-publiclink/pkg/config/parser/parse.go b/extensions/storage-publiclink/pkg/config/parser/parse.go index f0e7cda9922..96f3ee879de 100644 --- a/extensions/storage-publiclink/pkg/config/parser/parse.go +++ b/extensions/storage-publiclink/pkg/config/parser/parse.go 
@@ -35,7 +35,7 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } return nil diff --git a/extensions/storage-shares/pkg/config/parser/parse.go b/extensions/storage-shares/pkg/config/parser/parse.go index 6b0efc7aef7..cf643734793 100644 --- a/extensions/storage-shares/pkg/config/parser/parse.go +++ b/extensions/storage-shares/pkg/config/parser/parse.go @@ -35,7 +35,7 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } return nil diff --git a/extensions/storage-users/pkg/config/parser/parse.go b/extensions/storage-users/pkg/config/parser/parse.go index b6a55e1aef6..a91cbe1979f 100644 --- a/extensions/storage-users/pkg/config/parser/parse.go +++ b/extensions/storage-users/pkg/config/parser/parse.go @@ -35,7 +35,7 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.TokenManager.JWTSecret == "" { - return shared.MissingJWTTokenError(cfg.Service.Name) + return shared.MissingJWTToken(cfg.Service.Name) } return nil diff --git a/extensions/thumbnails/pkg/config/parser/parse.go b/extensions/thumbnails/pkg/config/parser/parse.go index 4c47c635ddd..6517af2f356 100644 --- a/extensions/thumbnails/pkg/config/parser/parse.go +++ b/extensions/thumbnails/pkg/config/parser/parse.go @@ -36,7 +36,7 @@ func ParseConfig(cfg *config.Config) error { func Validate(cfg *config.Config) error { if cfg.Thumbnail.TransferSecret == "" { - return shared.MissingRevaTransferSecretError(cfg.Service.Name) + return shared.MissingRevaTransferSecret(cfg.Service.Name) } return nil 
diff --git a/extensions/user/pkg/config/parser/parse.go b/extensions/user/pkg/config/parser/parse.go
index 2b5f8030a50..7eb4120a8d6 100644
--- a/extensions/user/pkg/config/parser/parse.go
+++ b/extensions/user/pkg/config/parser/parse.go
@@ -35,7 +35,7 @@ func ParseConfig(cfg *config.Config) error {
 func Validate(cfg *config.Config) error {
 if cfg.TokenManager.JWTSecret == "" {
- return shared.MissingJWTTokenError(cfg.Service.Name)
+ return shared.MissingJWTToken(cfg.Service.Name)
 }
 if cfg.Driver == "ldap" && cfg.Drivers.LDAP.BindPassword == "" {
diff --git a/ocis-pkg/config/config.go b/ocis-pkg/config/config.go
index 8f6b1e0d834..e3ea920fde0 100644
--- a/ocis-pkg/config/config.go
+++ b/ocis-pkg/config/config.go
@@ -68,7 +68,8 @@ type Config struct {
 TokenManager *shared.TokenManager `yaml:"token_manager"`
 MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY"`
 TransferSecret string `yaml:"transfer_secret" env:"STORAGE_TRANSFER_SECRET"`
- MetadataUserID string `yaml:"metadata_user_id" env:"METADATA_USER_ID"`
+ SystemUserID string `yaml:"system_user_id" env:"SYSTEM_USER_ID"`
+ SystemAuthAPIKey string `yaml:"system_auth_api_key" env:"SYSTEM_AUTH_API_KEY"`
 Runtime Runtime `yaml:"runtime"`
 Audit *audit.Config `yaml:"audit"`
diff --git a/ocis-pkg/config/parser/parse.go b/ocis-pkg/config/parser/parse.go
index cd5f8ab32b8..a4d2a6a1392 100644
--- a/ocis-pkg/config/parser/parse.go
+++ b/ocis-pkg/config/parser/parse.go
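Review bot: Dropping the `METADATA_USER_ID` env name on the `SystemUserID` field (and likewise `METADATA_SERVICE_USER_UUID`/`METADATA_SERVICE_USER_IDP` in the settings `Metadata` struct, `STORAGE_METADATA_MACHINE_AUTH_API_KEY` in the storage-metadata `Config` and `SHARING_CS3_SERVICE_USER_IDP` in the sharing CS3 driver struct) is a breaking configuration change, and the diffstat shows no changelog entry or migration note. Deployments still setting the old variables will fail `Validate` at startup with `MissingSystemUserID`, which is at least a loud failure, but it should be documented; if the old names are meant to keep working for a release, the env tag syntax already used elsewhere in this commit suggests a fallback alias such as `env:"SYSTEM_USER_ID;METADATA_USER_ID"`, assuming the loader treats the list as alternatives. A one-line comment on the two new fields explaining that they identify and authenticate the internal system user, as distinct from `MachineAuthAPIKey` directly above, would also help readers of this struct.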
@@ -95,26 +95,35 @@ func EnsureCommons(cfg *config.Config) {
 }
 // copy metadata user id to the commons part if set
- if cfg.MetadataUserID != "" {
- cfg.Commons.MetadataUserID = cfg.MetadataUserID
+ if cfg.SystemUserID != "" {
+ cfg.Commons.SystemUserID = cfg.SystemUserID
+ }
+
+ // copy system auth api key to the commons part if set
+ if cfg.SystemAuthAPIKey != "" {
+ cfg.Commons.SystemAuthAPIKey = cfg.SystemAuthAPIKey
 }
 }
 func Validate(cfg *config.Config) error {
 if cfg.TokenManager.JWTSecret == "" {
- return shared.MissingJWTTokenError("ocis")
+ return shared.MissingJWTToken("ocis")
 }
 if cfg.TransferSecret == "" {
- return shared.MissingRevaTransferSecretError("ocis")
+ return shared.MissingRevaTransferSecret("ocis")
 }
 if cfg.MachineAuthAPIKey == "" {
- return shared.MissingMachineAuthApiKeyError("ocis")
+ return shared.MissingMachineAuthAPIKey("ocis")
+ }
+
+ if cfg.SystemUserID == "" {
+ return shared.MissingSystemUserID("ocis")
 }
- if cfg.MetadataUserID == "" {
- return shared.MissingMetadataUserID("ocis")
+ if cfg.SystemAuthAPIKey == "" {
+ return shared.MissingSystemAuthAPIKey("ocis")
 }
 return nil
diff --git a/ocis-pkg/shared/errors.go b/ocis-pkg/shared/errors.go
index de1ed5a8256..3aacf33a7a9 100644
--- a/ocis-pkg/shared/errors.go
+++ b/ocis-pkg/shared/errors.go
@@ -6,7 +6,7 @@ import (
 "github.com/owncloud/ocis/ocis-pkg/config/defaults"
 )
-func MissingMachineAuthApiKeyError(service string) error {
+func MissingMachineAuthAPIKey(service string) error {
 return fmt.Errorf("The Machineauth API key has not been configured for %s. "+
 "Make sure your %s config contains the proper values "+
 "(e.g. by running ocis init or setting it manually in "+
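Review bot: The context comment above the first rewritten block in `EnsureCommons` still reads `// copy metadata user id to the commons part if set` although the field it now guards is `SystemUserID`; the block added directly below it already uses the new wording for the API key. Change it to `// copy system user id to the commons part if set` so the two blocks read consistently. `EnsureCommons` starts outside the hunk.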
@@ -14,7 +14,7 @@ func MissingMachineAuthApiKeyError(service string) error {
 		service, defaults.BaseConfigPath())
 }
 
-func MissingJWTTokenError(service string) error {
+func MissingJWTToken(service string) error {
 	return fmt.Errorf("jwt_secret has not been set properly in your config for %s. "+
 		"Make sure your %s config contains the proper values "+
 		"(e.g. by running ocis init or setting it manually in "+
@@ -22,7 +22,7 @@ func MissingJWTTokenError(service string) error {
 		service, defaults.BaseConfigPath())
 }
 
-func MissingRevaTransferSecretError(service string) error {
+func MissingRevaTransferSecret(service string) error {
 	return fmt.Errorf("transfer_secret has not been set properly in your config for %s. "+
 		"Make sure your %s config contains the proper values "+
 		"(e.g. by running ocis init or setting it manually in "+
@@ -46,8 +46,16 @@ func MissingServiceUserPassword(service, serviceUser string) error {
 		serviceUser, service, defaults.BaseConfigPath())
 }
 
-func MissingMetadataUserID(service string) error {
-	return fmt.Errorf("The metadata user ID has not been configured for %s. "+
+func MissingSystemUserID(service string) error {
+	return fmt.Errorf("The system user ID has not been configured for %s. "+
+		"Make sure your %s config contains the proper values "+
+		"(e.g. by running ocis init or setting it manually in "+
+		"the config/corresponding environment variable).",
+		service, defaults.BaseConfigPath())
+}
+
+func MissingSystemAuthAPIKey(service string) error {
+	return fmt.Errorf("The system auth API key has not been configured for %s. "+
 		"Make sure your %s config contains the proper values "+
 		"(e.g. by running ocis init or setting it manually in "+
 		"the config/corresponding environment variable).",
diff --git a/ocis-pkg/shared/shared_types.go b/ocis-pkg/shared/shared_types.go
index 3497bed6114..6770a39eeec 100644
--- a/ocis-pkg/shared/shared_types.go
+++ b/ocis-pkg/shared/shared_types.go
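Review bot: The two exported functions added in the `@@ -46,8 +46,16 @@` hunk, `MissingSystemUserID` and `MissingSystemAuthAPIKey`, carry no doc comment; Go convention expects one starting with the name, e.g. `// MissingSystemAuthAPIKey returns the error reported when the system auth API key is not configured for service.` and the equivalent for the user ID. Both bodies also repeat the same "Make sure your %s config contains the proper values …" three-line template that MissingMachineAuthAPIKey and the other helpers in this file already use, so the wording now lives in at least five places; an unexported helper that takes only the leading sentence would keep them from drifting. The body of MissingSystemAuthAPIKey continues past the end of the hunk.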
@@ -44,5 +44,6 @@ type Commons struct {
 	Reva *Reva `yaml:"reva"`
 	MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY"`
 	TransferSecret string `yaml:"transfer_secret,omitempty" env:"REVA_TRANSFER_SECRET"`
-	MetadataUserID string `yaml:"metadata_user_id" env:"METADATA_USER_ID"`
+	SystemUserID string `yaml:"system_user_id" env:"SYSTEM_USER_ID"`
+	SystemAuthAPIKey string `yaml:"system_auth_api_key" env:"SYSTEM_AUTH_API_KEY"`
 }
diff --git a/ocis/pkg/init/init.go b/ocis/pkg/init/init.go
index 4f8bf8a51a9..edd83de2b70 100644
--- a/ocis/pkg/init/init.go
+++ b/ocis/pkg/init/init.go
@@ -100,7 +100,8 @@ type OcisConfig struct {
 	TokenManager TokenManager `yaml:"token_manager"`
 	MachineAuthApiKey string `yaml:"machine_auth_api_key"`
 	TransferSecret string `yaml:"transfer_secret"`
-	MetadataUserID string `yaml:"metadata_user_id"`
+	SystemUserID string `yaml:"system_user_id"`
+	SystemAuthApiKey string `yaml:"system_auth_api_key"`
 	Graph GraphExtension
 	Idp LdapBasedExtension
 	Idm IdmExtension
@@ -162,7 +163,11 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin
 		return err
 	}
 
-	metadataUserID := uuid.Must(uuid.NewV4()).String()
+	systemUserID := uuid.Must(uuid.NewV4()).String()
+	systemAuthApiKey, err := generators.GenerateRandomPassword(passwordLength)
+	if err != nil {
+		return fmt.Errorf("could not generate random system auth api key: %s", err)
+	}
 	idmServicePassword, err := generators.GenerateRandomPassword(passwordLength)
 	if err != nil {
@@ -190,11 +195,11 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin
 	}
 	machineAuthApiKey, err := generators.GenerateRandomPassword(passwordLength)
 	if err != nil {
-		return fmt.Errorf("could not generate random password for machineauthsecret: %s", err)
+		return fmt.Errorf("could not generate random machine auth api key: %s", err)
 	}
 	revaTransferSecret, err := generators.GenerateRandomPassword(passwordLength)
 	if err != nil {
-		return fmt.Errorf("could not generate random password for machineauthsecret: %s", err)
+		return fmt.Errorf("could not generate random reva transfer secret: %s", err)
 	}
 
 	cfg := OcisConfig{
@@ -203,7 +208,8 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin
 		},
 		MachineAuthApiKey: machineAuthApiKey,
 		TransferSecret: revaTransferSecret,
-		MetadataUserID: metadataUserID,
+		SystemUserID: systemUserID,
+		SystemAuthApiKey: systemAuthApiKey,
 		Idm: IdmExtension{
 			ServiceUserPasswords: ServiceUserPasswordsSettings{
 				AdminPassword: ocisAdminServicePassword,
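Review bot: The two rewritten `return fmt.Errorf(...)` lines in the `@@ -190,11 +195,11 @@` hunk still format the generator error with `%s`, which flattens it to text and prevents callers from matching it with `errors.Is`/`errors.As`; since the message text is being touched anyway, `%w` is the idiomatic form, e.g. `return fmt.Errorf("could not generate random machine auth api key: %w", err)` and likewise for the reva transfer secret. The new system auth api key error added in the `@@ -162,7 +163,11 @@` hunk above has the same `%s`, so all three could be changed together. CreateConfig starts and ends outside the hunk.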