Ocis should not have default secrets #212

Closed
3 tasks done
IljaN opened this issue Apr 20, 2020 · 1 comment · Fixed by #3551
Labels
Type:Story User Story

Comments

@IljaN
Contributor

IljaN commented Apr 20, 2020

Description

To have a seamless first-run experience, we currently hard-code shared secrets into different services as default values:

https://github.com/owncloud/ocis-reva/blob/master/pkg/flagset/gateway.go#L79
https://github.com/search?q=org%3Aowncloud+Pive-Fumkiu4&type=Code

When running ocis server, an admin who forgets to change this variable will use an insecure default configuration.

A proposal to fix this would be to create an "ocis init" command which, for example, could generate an .env file and the required certificates and defaults. This would also remove all the default handling from the services and bundle it into one place.

Additionally, ocis init could abstract away the knowledge of how to set the same parameter across every single service. For example, IDP/Issuer configuration could be configured once and the generated .env file or config would reflect the setting for every single service.

User Stories

  • As a software vendor I want to prevent insecure ocis deployments

Value

Acceptance Criteria

  • Ocis has empty default secrets
  • Ocis refuses to start with empty secrets
  • Ocis provides understandable error messages and a hint what to do next

Definition of ready

[ ] everybody needs to understand the value written in the user story
[ ] acceptance criteria has to be defined
[ ] all dependencies of the user story need to be identified
[ ] feature should be seen from an end user perspective
[ ] user story has to be estimated
[ ] story points need to be less than 20

Definition of done

  • Functional requirements
    [ ] functionality described in the user story works
    [ ] acceptance criteria are fulfilled
  • Quality
    [ ] code review happened
    [ ] CI is green
    [ ] critical code received unit tests by the developer
    [ ] automated tests passed (if automated tests are not available, this test needs to be created and passed)
  • Non-functional requirements
    [ ] no sonar cloud issues
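
A minimal sketch of the acceptance criteria above (no usable default, refusal to start, an error that says what to do next), added here as an example and not taken from ocis or from the fix in #3551. The variable names are hypothetical, and the rejected default is the string from the search link in the issue.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Hypothetical variable names for illustration; not the project's real settings.
var requiredSecrets = []string{"EXAMPLE_JWT_SECRET", "EXAMPLE_TRANSFER_SECRET"}
// A value that ever shipped as a default is public, so reject it like an empty one.
var knownDefaults = map[string]bool{"Pive-Fumkiu4": true}

// GenerateSecret returns nBytes from the OS CSPRNG, base64url-encoded.
func GenerateSecret(nBytes int) string {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: never fall back to a weak secret
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// ValidateSecrets fails closed and names every offending variable in one error.
func ValidateSecrets(lookup func(string) string) error {
	var problems []string
	for _, name := range requiredSecrets {
		switch v := lookup(name); {
		case v == "":
			problems = append(problems, name+" is empty")
		case knownDefaults[v]:
			problems = append(problems, name+" uses a published default")
		}
	}
	if len(problems) > 0 {
		return fmt.Errorf("refusing to start: %s; run the init step to generate secrets", strings.Join(problems, "; "))
	}
	return nil
}

func main() {
	env := map[string]string{"EXAMPLE_JWT_SECRET": "Pive-Fumkiu4"} // constructed sample
	lookup := func(k string) string { return env[k] }
	fmt.Println(ValidateSecrets(lookup)) // refused: one default, one empty
	for _, name := range requiredSecrets { // what an init step would write out
		env[name] = GenerateSecret(32)
	}
	fmt.Println(ValidateSecrets(lookup)) // <nil>
}
```

Passing the lookup as a function lets the same check run against `os.Getenv` at service start and against a parsed config file in tests.
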
@IljaN IljaN added bug labels Apr 20, 2020
@settings settings bot removed the discussion label Sep 23, 2020
@settings settings bot removed the bug label Jan 12, 2021
@refs refs added the Category:Defect Existing functionality is not working as expected label Jan 13, 2021
@refs refs changed the title Hard-coded default-secrets. ocis init? Hardcoded default-secrets. ocis init? Jan 13, 2021
@settings settings bot removed the p3-medium label Apr 7, 2021
@wkloucek
Contributor

Currently only covered by documentation: https://owncloud.dev/ocis/deployment/#secure-an-ocis-instance

@settings settings bot removed the p3-medium label Mar 23, 2022
@exalate-issue-sync exalate-issue-sync bot changed the title Hardcoded default-secrets. ocis init? Ocis should not start with default secrets Apr 6, 2022
@exalate-issue-sync exalate-issue-sync bot removed Topic:Security Category:Defect Existing functionality is not working as expected labels Apr 6, 2022
@exalate-issue-sync exalate-issue-sync bot changed the title Ocis should not start with default secrets Ocis should not have with default secrets Apr 6, 2022
@exalate-issue-sync exalate-issue-sync bot changed the title Ocis should not have with default secrets Ocis should not have default secrets Apr 6, 2022