diff --git a/cmd/reva/common.go b/cmd/reva/common.go
index de00099d69..0e97fe2101 100644
--- a/cmd/reva/common.go
+++ b/cmd/reva/common.go
@@ -77,10 +77,6 @@ func readConfig() (*config, error) {
 }
 func writeConfig(c *config) error {
-	if c.AuthHeader == "" {
-		c.AuthHeader = "x-access-token"
-	}
-
 	data, err := json.Marshal(c)
 	if err != nil {
 		return err
@@ -89,8 +85,7 @@ func writeConfig(c *config) error {
 }
 type config struct {
-	Host string `json:"host"`
-	AuthHeader string `json:"auth_header"`
+	Host string `json:"host"`
 }
 func read(r *bufio.Reader) (string, error) {
diff --git a/cmd/reva/gen/gen.go b/cmd/reva/gen/gen.go
index 2a0c61c0bb..ddb685f668 100644
--- a/cmd/reva/gen/gen.go
+++ b/cmd/reva/gen/gen.go
@@ -104,13 +104,6 @@ skip_methods = ["/status.php"]
 [http.middlewares.auth.token_managers.jwt]
 secret = "{{.TokenSecret}}"
-[http.middlewares.auth.token_strategies.header]
-header = "X-Access-Token"
-
-[http.middlewares.auth.token_writers.header]
-header = "X-Access-Token"
-
-
 # GRPC interceptors
-
 [grpc.interceptors.trace]
@@ -126,15 +119,11 @@ priority = 300
 [grpc.interceptors.auth]
 priority = 400
 # keys for grpc metadata are always lowercase, so interceptors headers need to use lowercase.
-header = "x-access-token"
 token_strategy = "header"
 token_manager = "jwt"
 # GenerateAccessToken contains the credentials in the payload. Skip auth, otherwise services cannot obtain a token.
 skip_methods = ["/cs3.authproviderv1beta1.AuthService/GenerateAccessToken"]
-
-[grpc.interceptors.auth.token_strategies.header]
-header = "X-Access-Token"
-
 [grpc.interceptors.auth.token_managers.jwt]
 secret = "{{.TokenSecret}}"
diff --git a/cmd/reva/grpc.go b/cmd/reva/grpc.go
index 28f82d1dba..ddc0e49444 100644
--- a/cmd/reva/grpc.go
+++ b/cmd/reva/grpc.go
@@ -30,8 +30,6 @@ import (
 	"google.golang.org/grpc/metadata"
 )
-const defaultHeader = "x-access-token"
-
 func getAuthContext() context.Context {
 	ctx := context.Background()
 	// read token from file
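Review bot: Removing `AuthHeader` from `config` means a CLI config file written by an older build that still carries `auth_header` is presumably read and silently ignored (readConfig's body is outside this hunk; a plain json.Unmarshal drops unknown keys), so a user who had set a custom header name gets no signal that the token is now always sent under `token.TokenHeader`. A one-line doc comment on the struct would make the new contract explicit: `// config is the on-disk CLI configuration; the auth header name is no longer configurable and is fixed in code by token.TokenHeader.` If readConfig instead uses Decoder.DisallowUnknownFields, the effect is the opposite (old files stop loading), which would also deserve a note in the commit message.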
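Review bot: The comment `# keys for grpc metadata are always lowercase, so interceptors headers need to use lowercase.` in the generated revad.toml is now stale: the `header = "x-access-token"` line it described is removed, so it sits directly above `token_strategy = "header"` and documents a knob that no longer exists in the template. Either drop it or reword it to what is now true, e.g. `# the metadata key carrying the access token is fixed in code (token.TokenHeader) and is not configurable here.` The lowercase requirement it expresses still matters, it has just moved from configuration into the constant's definition.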
@@ -41,7 +39,7 @@ func getAuthContext() context.Context {
 		return ctx
 	}
 	ctx = token.ContextSetToken(ctx, t)
-	ctx = metadata.AppendToOutgoingContext(ctx, defaultHeader, t)
+	ctx = metadata.AppendToOutgoingContext(ctx, token.TokenHeader, t)
 	return ctx
 }
diff --git a/docs/old/README.md b/docs/old/README.md
deleted file mode 100644
index 54f26a75b6..0000000000
--- a/docs/old/README.md
+++ /dev/null
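Review bot: The removed `defaultHeader` constant was deliberately all-lowercase (the gen.go hunk's comment spells out that gRPC metadata keys are always lowercase), and its replacement `token.TokenHeader` is defined outside this diff, so its case cannot be verified here. The client side is tolerant either way, since grpc-go lowercases metadata keys on the wire and on `metadata.FromIncomingContext`, but a server-side lookup such as `md[token.TokenHeader]` only matches if the constant itself is lowercase; please confirm that, and document the requirement at the constant's definition, e.g. `// TokenHeader must stay lowercase: it is used as a gRPC metadata key.` getAuthContext begins outside this hunk (its opening lines are in the preceding grpc.go hunk).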
@@ -1,53 +0,0 @@ -# REVA Documentation - -:warning: REVA is a very young project and documentation is subject to change very often! - -* [Installing REVA](./installing-reva.md) -* [Building REVA from Sources](./building-reva.md) -* [Beginner's Guide](./beginner-guide.md) -* [Controlling REVA](./controlling-reva.md) -* [Command-line parameters](./command-line.md) - -## Guides - -* [Getting started with REVA](./guides/getting-started.md) - -## Config reference - -* [Core](./config/core.md) -* [Log](./config/log.md) -* [HTTP](./config/http.md) -* [GRPC](./config/grpc.md) - -**HTTP services** - -* [helloworld](./config/http/services/helloworld.md) -* [datagateway](./config/http/services/datagateway.md) -* [dataprovider](./config/http/services/dataprovider.md) -* [prometheussvc](./config/http/services/prometheus.md) -* [ocdav](./config/http/services/ocdav.md) -* [ocs](./config/http/services/ocs.md) -* [oidcprovider](./config/http/services/oidcprovider.md) -* [wellknown](./config/http/services/wellknown.md) - -**HTTP middleware** - -* [auth](./config/http/middleware/auth.md) -* [cors](./config/http/middleware/cors.md) -* [log](./config/http/middleware/log.md) - -**GRPC Services** - -* [authprovider](./config/grpc/services/authprovider.md) -* [authregistry](./config/grpc/services/authregistry.md) -* [gateway](./config/grpc/services/gateway.md) -* [helloworld](./config/grpc/services/helloworld.md) -* [storageprovider](./config/grpc/services/storageprovider.md) -* [storageregistry](./config/grpc/services/storageregistry.md) -* [userprovider](./config/grpc/services/userprovider.md) -* [usershareprovider](./config/grpc/services/usershareprovider.md) - -**GRPC interceptors** - -* [auth](./config/grpc/interceptors/auth.md) - diff --git a/docs/old/_config.yml b/docs/old/_config.yml deleted file mode 100644 index 457d7a5473..0000000000 --- a/docs/old/_config.yml +++ /dev/null @@ -1 +0,0 @@ -remote_theme: pmarsceill/just-the-docs 
diff --git a/docs/old/beginner-guide.md b/docs/old/beginner-guide.md deleted file mode 100644 index ffd29da8a6..0000000000 --- a/docs/old/beginner-guide.md +++ /dev/null 
@@ -1,95 +0,0 @@ -# Beginner's Guide - -This guide gives a basic introduction to revad and describes some simple tasks that can be done with it. -This guide assumes that revad is already installed on the reader's machine. -If this is not, see [Installing REVA](./installing-reva.md). - -This guide describes how to start and stop the **REVA daemon (revad)**, and reload its configuration, explains the structure of the configuration -file and describes how to set up revad to serve some basic services. - -By default, the configuration file is named revad.toml and placed in the directory /etc/revad/revad.toml. - -## Starting, Stopping, and Reloading Configuration - -To start revad, run the executable file: - -``` -revad -c revad.toml -p /var/tmp/revad.pid -``` - -Once revad is started, it can be controlled by invoking the executable with the -s parameter. Use the following syntax: - -``` -revad -s -p /var/tmp/revad.pid -``` - -Where signal may be one of the following: - -* stop — fast shutdown (aborts in-flight requests) -* quit — graceful shutdown -* reload — reloading the configuration file (forks a new process) - - For example, to stop revad gracefully, the following command can be executed: - -``` -revad -s quit -p /var/tmp/revad.pid -``` - -*This command should be executed under the same user that started revad.* - -Changes made in the configuration file will not be applied until the command to reload configuration is sent to revad or it is restarted. To reload configuration, execute: - -``` -revad -s reload -p /var/tmp/revad.pid -``` - -Once the main process receives the signal to reload configuration, it checks the syntax validity of the new configuration file and tries to apply the configuration provided in it. If this is a success, the main process forks a new process. The new forked process will gracefully kill the parent process. 
During a period of time until all ongoing requests are served, both processes will share the same network socket, the old parent process will serve ongoing requests and the new process will serve only new requests. No requests are dropped during the reload. If the provided configuration is invalid, the forked process will die and the master process will continue serving requests. - -A signal may also be sent to the revad process with the help of Unix tools such as the *kill* utility. In this case a signal is sent directly to a process with a given process ID. The process ID of the revad master process is written to the pid file, as configured with the *-s* flag. For example, if the master process ID is 1610, to send the QUIT signal resulting in revad’s graceful shutdown, execute: - -``` -kill -s QUIT 1610 -``` - -For getting the list of all running revad processes, the *ps* utility may be used, for example, in the following way: - -``` -ps -ax | grep revad -``` - -For more information on sending signals to revad, see [Controlling REVA](./controlling-reva.md). - -## Configuration File’s Structure -revad configuration file is written in [TOML](https://github.com/toml-lang/toml) language. - -revad consists of services which are controlled by directives specified in the configuration file. 
- -An example configuration file is the following: - -``` -[http] -enabled_services = ["helloworldsvc"] -``` -Running revad, will output some lines similar to these: - -``` -4:44PM INF main.go:94 > version= commit= branch= go_version= build_date= build_platform= pid=27856 -4:44PM INF main.go:95 > running on 4 cpus pid=27856 -4:44PM INF grace/grace.go:181 > pidfile saved at: /tmp/gonzalhu/revad-44b42674-2f10-4d06-b681-328b5a9b2581.pid pid=27856 pkg=grace -4:44PM INF httpserver/httpserver.go:233 > http service enabled: helloworldsvc@/ pid=27856 pkg=httpserver -4:44PM INF httpserver/httpserver.go:134 > http server listening at http://localhost:9998 pid=27856 pkg=httpserver -``` - -Revad will listen by default at http://localhost:9998, curl-ing this address will render the message *Hello World!*. -The *helloworldsvc* is one of the many services available in revad. To modify the configuration for this service a new directive is added to the configuration: - -``` -[http] -enabled_services = ["helloworldsvc"] - -[http.services.helloworldsvc] -message = "Ola Mundo!" -``` - -Reloading revad (```revad -s reload -p /var/tmp/revad.pid```) will render the new message. - diff --git a/docs/old/building-reva.md b/docs/old/building-reva.md deleted file mode 100644 index e0f4ed2515..0000000000 --- a/docs/old/building-reva.md +++ /dev/null @@ -1,11 +0,0 @@ -# Building REVA - -To build REVA the Go compiler needs to be installed. See [Install Go](https://golang.org/doc/install) to install -the Go programming language that installs the Go compiler. - -``` -git clone https://github.com/cs3org/reva -cd reva -make deps -make -``` diff --git a/docs/old/command-line.md b/docs/old/command-line.md deleted file mode 100644 index a7ceab7c79..0000000000 --- a/docs/old/command-line.md +++ /dev/null 
@@ -1,16 +0,0 @@ -# Command line parameters - -revad supports the following command-line parameters: - -``` -Usage of ./revad: - -c string - set configuration file (default "/etc/revad/revad.toml") - -p string - pid file. If empty defaults to a random file in the OS temporary directory - -s string - send signal to a master process: stop, quit, reload - -t test configuration and exit - -version - show version and exit -``` diff --git a/docs/old/config/core.md b/docs/old/config/core.md deleted file mode 100644 index a62b4ad1c1..0000000000 --- a/docs/old/config/core.md +++ /dev/null @@ -1,53 +0,0 @@ -# Core functionality - -Example configuration: - -``` -[core] -max_cpus = 2 -tracing_enabled = true -``` - -## Directives - -``` -Syntax: max_cpus = uint | "uint%" -Default: max_cpus = "100%" -``` -If max_cpus is set it determines the available cpus to schedule revad processes. - -``` -Syntax: tracing_enabled = boolean -Default: tracing_enabled = false -``` - -``` -Syntax: tracing_endpoint = string -Default: tracing_endpoint = "localhost:6831" -``` - -``` -Syntax: tracing_collector = string -Default: tracing_collector = "http://localhost:14268/api/traces" -``` - -``` -Syntax: tracing_service_name = string -Default: tracing_service_name = "revad" -``` - -``` -Syntax: disable_http = false | true -Default: disable_http = false -``` - -If disable_http is set to false, revad will not listen on the specified http network and address and -http services will not be exposed by revad. - -``` -Syntax: disable_grpc = false | true -Default: disable_grpc = false -``` - -If disable_grpc is set to false, revad will not listen on the specified grpc network and address and -grpc services will not be exposed by revad. diff --git a/docs/old/config/grpc.md b/docs/old/config/grpc.md deleted file mode 100644 index be53be58f0..0000000000 --- a/docs/old/config/grpc.md +++ /dev/null 
@@ -1,51 +0,0 @@ -# gRPC functionality - -Example configuration: - -``` -[grpc] -network = tcp -address = 0.0.0.0:9999 -enabled_services = ["storageprovidersvc"] - -[grpc.services.storageprovidersvc] -driver = "local" -mount_path = "/localfs" -mount_id = "123e4567-e89b-12d3-a456-426655440000" -tmp_folder = "/var/tmp" - -[grpc.services.storageprovidersvc.drivers.local] -root = "/var/data" -``` - -## Directives - -``` -Syntax: network = tcp -Default: network = tcp -``` -network specifies what network type to listen for requests. The only supported -network type for the moment is a tcp socket. - -``` -Syntax: address = string -Default: address = "0.0.0.0:9999" -``` - -address specifies the listening address for connections. - -``` -Syntax: enabled_services = [string, string, ...] -Default: enabled_services = [] -``` -enabled_services specifies the grpc services exposed by revad. -The value is a list containing the names of the services. -By default, no service is exposed. - -``` -Syntax: shutdown_deadline = int -Default: shutdown_deadline = 60 -``` -shutdown_deadline specifies how much time in seconds to wait for the -grpc server to shutdown. Once the deadline is reached, ongoing requests that -did not finish will be aborted. diff --git a/docs/old/config/grpc/interceptors/auth.md b/docs/old/config/grpc/interceptors/auth.md deleted file mode 100644 index 06f11c2c11..0000000000 --- a/docs/old/config/grpc/interceptors/auth.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# GRPC interceptor: auth - -This interceptor authenticates requests to -GRPC services. - -To enable the interceptor: - -``` -[grpc] -enabled_interceptors = ["auth"] -``` - -Example configuration: - -``` -[grpc.interceptors.auth] -token_manager = "jwt" -#header = "x-access-token" -skip_methods = [ - # allow calls that happen during authentication - "/cs3.gatewayv0alpha.GatewayService/Authenticate", - "/cs3.gatewayv0alpha.GatewayService/WhoAmI", - "/cs3.gatewayv0alpha.GatewayService/GetUser", - "/cs3.gatewayv0alpha.GatewayService/ListAuthProviders", - "/cs3.authregistryv0alpha.AuthRegistryService/ListAuthProviders", - "/cs3.authregistryv0alpha.AuthRegistryService/GetAuthProvider", - "/cs3.authproviderv0alpha.AuthProviderService/Authenticate", - "/cs3.userproviderv0alpha.UserProviderService/GetUser", -] - -[grpc.interceptors.auth.token_managers.jwt] -secret = "Pive-Fumkiu4" -``` - -## Directives - -``` -Syntax: token_manager = string -Default: token_manager = "jwt" -``` -token_manager specifies the strategy to use verify the access token. -Available token managers shipped with REVA can be consulted at the end of this section. -The default manager is to verify it using JWT. -**The token manager configured for the authentication service and the token manager for -this middleware MUST be the same**. - -TODO: header -TODO: skip_methods diff --git a/docs/old/config/grpc/services/authprovider.md b/docs/old/config/grpc/services/authprovider.md deleted file mode 100644 index 069c88ae59..0000000000 --- a/docs/old/config/grpc/services/authprovider.md +++ /dev/null 
@@ -1,141 +0,0 @@ -# gRPC Service: authprovider - -To enable the service: - -``` -[grpc] -enabled_services = ["authprovider"] -``` - -Example configuration: - -``` -[grpc.services.authprovider] -auth_manager = "demo" -token_manager = "jwt" -user_manager = "demo" -``` - -## Directives - -``` -Syntax: auth_manager = string -Default: auth_manager = "demo" -``` - -auth_manager specifies the auth driver to use for the authentication service. -Available drivers shipped with REVA can be consulted at the end of this section. -The default driver (demo) is a hardcoded in-memory list of well-known physicists. - -``` -Syntax: token_manager = string -Default: token_manager = "demo" -``` - -token_manager specifies the token driver to use for the authentication service. Available drivers shipped with REVA can be consulted at the end of this section. -The default driver (jwt) forges [JWT](https://tools.ietf.org/html/rfc7519) tokens. - -``` -Syntax: user_manager = string -Default: user_manager = "demo" -``` - -user_manager specifies the user manager to use for obtaining user information -like display names and groups associated to an user. -Available managers shipped with REVA can be consulted at the end of this section. -The default driver (demo) is a hardcoded in-memory catalog of well-known physicists. - -## Auth managers - -### Demo -The demo driver authenticates against a hardcoded in-memory catalog -of well-known physicists. -This is the list of credentials: - -``` -einstein => relativity -marie => radioactivity -richard => superfluidity -``` - -### JSON -The json driver allows using a json file to authenticate users. -TODO: example json config - -### LDAP -The LDAP driver authenticates against an LDAP server. 
- -Example configuration: - -``` -[grpc.services.authsvc.auth_managers.ldap" -hostname = "example.org" -port = 389 -base_dn = "CN=Users,DC=example,DC=org" -filter = "(&(objectClass=person)(objectClass=user)(cn=%s))" -bind_username = "foo" -bind_password = "bar" -``` - -#### Directives - -``` -Syntax: hostname = string -Default: hostname = "" -``` - -hostname specifies the hostname of the LDAP server. - -``` -Syntax: port = int -Default: port = 389 -``` -port specifies the port of the LDAP server. - -``` -Syntax: base_dn = string -Default: base_dn = "" -``` - -base_dn specifies the Base DN to use to query the LDAP server. - -``` -Syntax: filter = string -Default: filter = "" -``` -filter specifies the LDAP filter to authenticate users. -The filter needs to contains a '%s' placeholder where the username will be set -in the filter. - -``` -Syntax: bind_username = string -Default: bind_username = "" -``` - -bind_username specifies the username to bind agains the LDAP server. - -``` -Syntax: bind_password = string -Default: bind_password = "" -``` - -bind_password specifies the password to use to bind agains the LDAP server. - -## Token managers - -### JWT -The jwt manager forges [JWT](https://tools.ietf.org/html/rfc7519) tokens. - -#### Directives - -``` -Syntax: secret = string -Default: secret = "" -``` -secret specifies the secret to use to sign a JWT token. - -## User managers - -### Demo -The demo manager contains a hard-coded in-memory catalog of user information -of well-known physicists. This manager is to be used with the *demo* auth manager. diff --git a/docs/old/config/grpc/services/storageprovider.md b/docs/old/config/grpc/services/storageprovider.md deleted file mode 100644 index 64e6d11747..0000000000 --- a/docs/old/config/grpc/services/storageprovider.md +++ /dev/null 
@@ -1,201 +0,0 @@ -# gRPC Service: storageprovider - -To enable the service: - -``` -[grpc] -enabled_services = ["storageprovider"] -``` - -Example configuration: - -``` -[grpc.services.storageprovider] -driver = "local" -mount_path = "/localfs" -mount_id = "123e4567-e89b-12d3-a456-426655440000" -tmp_folder = "/var/tmp" - -[grpc.services.storageprovider.drivers.local] -root = "/var/data" -``` - -## Directives - -``` -Syntax: mount_path = string -Default: mount_path = "" -``` -mount_path specifies where to mount the storage provider -in the global REVA namespace. This directive needs to be specified -to run the service. - -``` -Syntax: mount_id = string -Default: mount_id = "" -``` -mount_id specifies the identifier to append to internal object ids -so they become routable accross the REVA global namespace. This directive -needs to be specified to run the service. - -``` -Syntax: tmp_folder = string -Default: tmp_folder = "/tmp" -``` -tmp_folder specifies where temporary files will be stored -on the local filesystem. The default is to use the -system default for a temporary folder (```echo $TMPDIR```). - -``` -Syntax: driver = string -Default: driver = "local" -``` - -driver specifies the filesystem driver to use for the storage provider. -Available drivers shipped with REVA can be consulted at the end of this section. -The default is to use a local filesystem to store the files. -storageprovidersvc specifies the location of the storage provider. - -## Storage drivers - -### Local filesystem -The local driver stores the files in a local filesytem. - -Example configuration: - -``` -[grpc.services.storageprovidersvc.drivers.local] -root = "/var/data" -``` - -#### Directives - -``` -Syntax: root = string -Default: root = "/tmp" -``` - -root specifies the directory in the local filesystem for storing data. - - -### EOS driver - [CERN Open Storage](http://eos.web.cern.ch/) -The EOS driver stores the files in a remote EOS storage system. 
- - -Example configuration: - -``` -[grpc.services.storageprovidersvc.drivers.eos] -namespace = "/eos/user/" -master_url = "root://eosuser.example.org" -``` - -#### Directives - -``` -Syntax: namespace = string -Default: namespace = "/eos" -``` -namespace speficies the namespace on the remote EOS -storage system to perform storage operations. - -``` -Syntax: eos_binary = string -Default: eos_binary = "/usr/bin/eos" -``` -eos_binary specifies the location of the eos client binary. - -``` -Syntax: xrdcopy_binary = string -Default: xrdcopy_binary = "/usr/bin/xrdcopy" -``` - -xrdcopy_binary specifies the location of the xrdcopy client binary. - -``` -Syntax: master_url = string -Default: master_url = "root://example.org" -``` -master_url specifies the master EOS MGM url. - -``` -Syntax: slave_url = string -Default: slave_url = "root://example.org" -``` -slave_url specifies the slave EOS MGM url. - -``` -Syntax: cache_directory = string -Default: cache_directory = "/tmp" -``` - -cache_directory specifies where to store temporary files. -The default value is system default for a temporary folder (```echo $TMPDIR```). - -``` -Syntax: show_hidden_sys_files = true | false -Default: show_hidden_sys_files = false -``` - -If show_hidden_sys_files is set to true, system files -used by EOS are exposed to the clients. System files follow the pattern -*.sys.** like version folders (.sys.v#.*) or atomic files (.sys.a#.). - - -``` -Syntax: force_single_user_mode = true | false -Default: force_single_user_mode = false -``` - -If force_single_user_mode is set all EOS command sent to the EOS -storage system will be sent as a single user specified by the *single_username* -directive. This directive is usefull when the access to EOS is done by -web servers like Apache and all the commands run as www-data or apache unix user. - -``` -Syntax: single_username = string -Default: single_username = "" -``` - -single_username specifies the unix account for run EOS commands. 
- - -### Owncloud data directory -The `owncloud` driver stores the files in a local filesytem using the owncloud data directory layout. Files will be assigned a uuid, stored in extended attributes and cahced via redis. - -Example configuration: - -``` -[grpc.services.storageprovidersvc.drivers.owncloud] -datadirectory = "/data" -``` - -#### Directives - -``` -Syntax: datadirectory = string -Default: datadirectory = "" -``` - -datadirectory specifies the directory in the local filesystem for storing data. - -``` -Syntax: scan = boolean -Default: scan = true -``` - -scan will scan files on the first request to index file ids into the configured redis server - -``` -Syntax: autocreate = boolean -Default: autocreate = true -``` - -autocreate will create the home dir and necessary subfolders for new users - -``` -Syntax: redis = string -Default: redis = ":6379" -``` - -redis is used to store fileid to path mappings \ No newline at end of file diff --git a/docs/old/config/http.md b/docs/old/config/http.md deleted file mode 100644 index 3ea5d06ca6..0000000000 --- a/docs/old/config/http.md +++ /dev/null 
@@ -1,46 +0,0 @@ -# HTTP functionality - -Example configuration: - -``` -[http] -network = tcp -address = 0.0.0.0:9998 -enabled_services = ["helloworldsvc"] - -[http.services.helloworldsvc] -hello_message = "Ola Mundo!" -``` - -## Directives - -``` -Syntax: network = tcp -Default: network = tcp -``` -network specifies what network type to listen for requests. The only supported -network type for the moment is a tcp socket. - -``` -Syntax: address = string -Default: address = "0.0.0.0:9998" -``` - -address specifies the listening address for connections. - -``` -Syntax: enabled_services = [string, string, ...] -Default: enabled_services = [] -``` -enabled_services specifies the http services exposed by revad. -The value is a list containing the names of the services. -By default, not service is exposed. - -``` -Syntax: enabled_middlewares = [string, string, ...] -Default: enabled_middlewares = ["log", "trace"] -``` -enabled_middlewares specifies the http middlwares used on the -HTTP request->response chain. -The value is a list containing the names of the middlewares. -By default, the log and trace middlewares are enabled. diff --git a/docs/old/config/http/middleware/auth.md b/docs/old/config/http/middleware/auth.md deleted file mode 100644 index c52eec5612..0000000000 --- a/docs/old/config/http/middleware/auth.md +++ /dev/null 
@@ -1,190 +0,0 @@ -# HTTP Middleware: auth - -This middleware authenticates requests to -HTTP services. - -The logic is as follows: when a requests comes, the token strategy is triggered -to obtain an access token from the request. If a token is found, authenticaton -is not triggered. If a token is not found, the credentials strategy is -triggered to obtain user credentials (basic auth, OpenIDConnect, ...). -Then these credentials are validated against the authentication service -and if they are valid, an access token is obtained. This access token is written -to the response using a token writer strategy (reponse header, response cookie, ...). -Once the access token is obtained either because is set on the request or because -authentication was successful, the token is verified using the token manager -strategy (jwt) to obtain the user context and pass it to outgoing requests. - - -To enable the middleware: - -``` -[http] -enabled_middlewares = ["auth"] -``` - -Example configuration: - -``` -[http.middlewares.auth] -gateway = "localhost:9999" -auth_type = "basic" -credential_strategy = "basic" -token_strategy = "header" -token_writer = "header" -token_manager = "jwt" - -[http.middlewares.auth.token_managers.jwt] -secret = "bar" - -[http.middlewares.auth.token_strategies.header] -header = "X-Access-Token" - -[http.middlewares.auth.token_writers.header] -header = "X-Access-Token" -``` - -## Directives - -``` -Syntax: gateway = string -Default: gateway = "0.0.0.0:9999" -``` -gateway specifies the location of the gateway service. - -``` -Syntax: auth_type = string -Default: auth_type = "" -``` -auth_type specifies the type of authprovider the gateway should look up using the configured authregistry. 
Must be set (`basic` or `oidc` make sense, but those are arbitrary strings the are just used to do a lookup of the actual authprovider url) - -``` -Syntax: credential_strategy = string -Default: credential_strategy = "basic" -``` -credential_strategy specifies the strategy to use to obtain -user credentials. -Available strategies shipped with REVA can be consulted at the end of this section. -The default strategy is [Basic Auth](https://tools.ietf.org/html/rfc7617). - -``` -Syntax: token_strategy = string -Default: token_strategy = "header" -``` -token_strategy specifies the strategy to use to obtain -the access token from the HTTP request. -Available strategies shipped with REVA can be consulted at the end of this section. -The default strategy is obtain the token from an HTTP header. - -``` -Syntax: token_writer = string -Default: token_writer = "header" -``` -token_writer specifies the strategy to use write the -access token once is obtained to the HTTP response so clients -can re-send it subsequent requests to avoid performing expensive authentication -calls to the authentication service. -Available writer strategies shipped with REVA can be consulted at the end of this section. -The default strategy is write the access token in an HTTP response header. - -``` -Syntax: token_manager = string -Default: token_manager = "jwt" -``` -token_manager specifies the strategy to use verify the access token. -Available token managers shipped with REVA can be consulted at the end of this section. -The default manager is to verify it using JWT. -**The token manager configured for the authentication service and the token manager for -this middleware MUST be the same**. - - -TODO: skip_methods - -## Credential strategies - -### Basic Authentication -This strategy obtains the credentials from Basic Auth. 
- -To enable the strategy: - -``` -[http.middlewares.auth] -credential_strategy = "basic" -``` - -### OpenID Connect - **Work in Progress** -This strategy obtains the open id connect token as the credentials -that is passed to the authentication service to be verified -agains the configured identity provider public keys. - -To enable the strategy: - -``` -[http.middlewares.auth] -credential_strategy = "oidc" -``` - -## Token strategies - -### Header -This token strategy obtains the access token from an HTTP request header. - -To enable the strategy: - -``` -[http.middlewares.auth] -token_strategy = "header" -``` -#### Directives - -``` -Syntax: header = string -Default: header = "" -``` -header specifies header name that contains the token. - -## Token writers - -### Header -This writer strategy writes the access token to an HTTP response header -specified by tbe **header** directive. - -To enable the strategy: - -``` -[http.middlewares.auth] -token_writer = "header" - -[http.middlewares.auth.token_writers.header] -header = "X-Access-Token" -``` - -#### Directives - -``` -Syntax: header = string -Default: header = "" -``` -header specifies header name to use to write the token. - -## Token managers - -### JWT -This token manager verifies the token using the JWT shared secret. - -To enable the strategy: - -``` -[http.middlewares.auth] -token_manager = "jwt" - -[http.middlewares.auth.token_managers.jwt] -secret = "bar" -``` - -#### Directives - -``` -Syntax: secret = string -Default: secret = "" -``` -secret specifies the shared secret to verify the JWT token. diff --git a/docs/old/config/http/middleware/cors.md b/docs/old/config/http/middleware/cors.md deleted file mode 100644 index 7d4b9da44e..0000000000 --- a/docs/old/config/http/middleware/cors.md +++ /dev/null 
@@ -1,23 +0,0 @@ -# HTTP Middleware: cors - -The cors middleware takes care of CORS headers. It is needed to allow authenticating users using oidc, which will make cross origin resource POST requests when using the recommended autorization code flow. - -If you hide the idp, phoenix and reva behind a reverse proxy and serve them all from the same domain you may be able to disable it. - -To enable the middleware: - -``` -[http] -enabled_middlewares = ["cors"] -``` - -Example configuration: - -``` -[http.middlewares.cors] -allowed_origins = ["*"] # allow requests from everywhere -allowed_methods = ["OPTIONS", "GET", "PUT", "POST", "DELETE", "MKCOL", "PROPFIND", "PROPPATCH", "MOVE", "COPY", "REPORT", "SEARCH"] -allowed_headers = ["Origin", "Accept", "Depth", "Content-Type", "X-Requested-With", "Authorization", "Ocs-Apirequest", "If-None-Match"] -allow_credentials = true -options_passthrough = false -``` diff --git a/docs/old/config/http/middleware/log.md b/docs/old/config/http/middleware/log.md deleted file mode 100644 index da6373b6d8..0000000000 --- a/docs/old/config/http/middleware/log.md +++ /dev/null @@ -1,3 +0,0 @@ -# HTTP Middleware: log - -The logging middleware is always enabled with the highest priority. It will always receive requests first. \ No newline at end of file diff --git a/docs/old/config/http/services/helloworld.md b/docs/old/config/http/services/helloworld.md deleted file mode 100644 index e9f1e90bcc..0000000000 --- a/docs/old/config/http/services/helloworld.md +++ /dev/null 
@@ -1,40 +0,0 @@ -# HTTP Service: helloworld - -This service is for demo purposes. -It exposes a single endpoint that renders a -hello message that can be changed in the configuration file. - -To enable the service: - -``` -[http] -enabled_services = ["helloworld"] -``` - -Example configuration: - -``` -[http.services.helloworld] -hello_message = "Ola Mundo!" -``` - -## Directives - -``` -Syntax: prefix = string -Default: prefix = "helloworld" -``` - -`prefix` specifies where the service should be exposed. -For example, if the prefix is "myservice", it will be -reachable at http://localhost:9998/myservice - - -``` -Syntax: message = string -Default: message = "Hello World!" -``` - -`message` defines the message that will be rendered under the -http endpoint configured by the **prefix** directive. - diff --git a/docs/old/config/http/services/ocdav.md b/docs/old/config/http/services/ocdav.md deleted file mode 100644 index dfa597eda2..0000000000 --- a/docs/old/config/http/services/ocdav.md +++ /dev/null 
@@ -1,52 +0,0 @@ -# HTTP Service: ocdav - -This service exposes an [ownCloud](https://ownlcloud.org/) -WebDAV endpoint. This service allows ownCloud sync clients to connect -to this endpoint to synchronize files against the configured storage provider. -This service also allows to mount the storage provider using a WebDAV mount -from many operative systems, like Finder for MacOS, Network Drive for Windows or -davfs2 on Linux. - -To enable the service: - -``` -[http] -enabled_services = ["ocdav"] -``` - -Example configuration: - -``` -[http.services.ocdav] -prefix = "webdav" -``` - -## Directives - -``` -Syntax: prefix = string -Default: prefix = "webdav" -``` - -prefix specifies where the service should be exposed. -For example, if the prefix is "myservice", it will be -reachable at [http://localhost:9998/myservice](http://localhost:9998/myservice) - - -``` -Syntax: chunk_folder = string -Default: chunk_folder = "/tmp" -``` - -chunk_folder specifies where file chunks will be stored -on the local filesystem. The default is to use the -system default for a temporary folder (```echo $TMPDIR```). - -``` -Syntax: storageprovidersvc = string -Default: storageprovidersvc = 0.0.0.0:9999 -``` - -storageprovidersvc specifies the location of the storage provider. -The ocdavsvc service acts as a protocol translator between WebDAV and -the gRPC CS3 API for StorageProvider. diff --git a/docs/old/config/http/services/prometheus.md b/docs/old/config/http/services/prometheus.md deleted file mode 100644 index 1495988254..0000000000 --- a/docs/old/config/http/services/prometheus.md +++ /dev/null 
@@ -1,29 +0,0 @@ -# HTTP Service: prometheus - -This service exposes a [Prometheus](https://prometheus.io/) -telemetry endpoint so metrics can be consumed. - -To enable the service: - -``` -[http] -enabled_services = ["prometheus"] -``` - -Example configuration: - -``` -[http.services.prometheus] -prefix = "metrics" -``` - -## Directives - -``` -Syntax: prefix = string -Default: prefix = "metrics" -``` - -prefix specifies where the service should be exposed. -For example, if the prefix is "myservice", it will be -reachable at http://localhost:9998/myservice diff --git a/docs/old/config/log.md b/docs/old/config/log.md deleted file mode 100644 index f1e20a8713..0000000000 --- a/docs/old/config/log.md +++ /dev/null @@ -1,39 +0,0 @@ -# Log functionality - -Example configuration: - -``` -[log] -level = "debug" -mode = "json" -output = "/var/log/revad.log" -``` - -## Directives - -``` -Syntax: level = string -Default: level = "debug" -``` - -`level` defines the log level, eg. "debug", "warn", "info" - -``` -Syntax: output = string -Default: output = "stderr" -``` - -output sets the output for writting logs. The "stdout" and "stderr" strings have special meaning -as they will set the log output to stdout and stderr respectively. revad will create the filename -specified in the directive if it does not exists. revad does not perform any log rotate logic, this task -is delegated to tools like *logrotate(8)* configured by the system administrator. - -``` -Syntax: mode = "dev" | "prod" -Default: mode = "dev" -``` - -mode sets the format for the logs. dev mode sets the output to be consumed by humans on a terminal. -prod mode sets the output format to JSON so it can be parsed by machines and send to central logging systems -like Kibana. - diff --git a/docs/old/controlling-reva.md b/docs/old/controlling-reva.md deleted file mode 100644 index 26824460d2..0000000000 --- a/docs/old/controlling-reva.md +++ /dev/null 
@@ -1,51 +0,0 @@ -# Controlling REVA - -revad can be controlled with signals. The process ID of the master process is written to the file */var/run/revad.pid* by default. This name may be changed with the *-p* flag: - -``` --p string - pid file (default "/var/run/revad.pid") -``` - -The master process supports the following signals: - -* TERM, INT: fast shutdown -* QUIT: graceful shutdown -* HUP: changing configuration, starting new process with the new configuration, graceful shutdown of old parent processes - -## Changing Configuration - -In order for revad to re-read the configuration file, a HUP signal should be sent to the master process. -The master process forks a new child that checks the configuration file for syntax validity, -then tries to apply new configuration, and inherits listening sockets. -If this fails, it kills itself and the parent process continues to work with old configuration. -If this succeeds, the forked child sends a message to old parent process requesting it to shut down gracefully. -Parent process close listening sockets and continue to service old clients. -After all clients are serviced, old process is shut down. - -Let’s illustrate this by example. Imagine that revad is run on Darwin and the command: - -``` -ps axw -o pid,user,%cpu,command | egrep '(revad|PID)' -``` - -produces the following output: - -``` -PID USER %CPU COMMAND -46011 gonzalhu 0.0 ./revad -c revad.toml -p revad.pid -``` - -If HUP is sent to the master process, the output becomes: - -``` -PID USER %CPU COMMAND -46491 gonzalhu 0.0 ./revad -c revad.toml -p revad.pid -``` - -## Upgrading Executable on the Fly - -In order to upgrade the server executable, the new executable file -should be put in place of an old file first. After that, an HUP signal should be -sent to the master process. - The master process run the new executable file that in turn starts a new child process. 
diff --git a/docs/old/guides/getting-started.md b/docs/old/guides/getting-started.md deleted file mode 100644 index f20417cfa2..0000000000 --- a/docs/old/guides/getting-started.md +++ /dev/null 
@@ -1,161 +0,0 @@ -# Getting started with REVA - -This guide assumes that you have REVA already installed in your system. - -## Basic configuration - -``` -$ echo "" > ~/revad.toml -$ revad -c ~/revad.toml -9:20AM INF dev/reva/cmd/revad/main.go:94 > version= commit= branch= go_version= build_date= build_platform= pid=2177 -9:20AM INF dev/reva/cmd/revad/main.go:95 > running on 4 cpus pid=2177 -9:20AM INF dev/reva/cmd/revad/main.go:118 > nothing to do, no grpc/http enabled_services declared in config pid=2177 -``` - -An empty configuration will output those lines, stating that no services have been enabled and therefore the program exists. -Let's change the log output format to JSON. - -``` -$ cat ~/revad.toml -[log] -mode = "json" -``` - -``` -$ revad -c ~/revad.toml -{"level":"info","pid":9355,"time":"2019-10-16T09:22:17+02:00","caller":"/home/gonzalhu/dev/reva/cmd/revad/main.go:94","message":"version= commit= branch= go_version= build_date= build_platform="} -{"level":"info","pid":9355,"time":"2019-10-16T09:22:17+02:00","caller":"/home/gonzalhu/dev/reva/cmd/revad/main.go:95","message":"running on 4 cpus"} -{"level":"info","pid":9355,"time":"2019-10-16T09:22:17+02:00","caller":"/home/gonzalhu/dev/reva/cmd/revad/main.go:118","message":"nothing to do, no grpc/http enabled_services declared in config"} -``` - -REVA by default will use all the available CPU cores, let's change that to use only 50%: - -``` -[core] -max_cpus = "50%" -``` - -``` -$ revad -c ~/revad.toml -9:25AM INF dev/reva/cmd/revad/main.go:94 > version= commit= branch= go_version= build_date= build_platform= pid=19783 -9:25AM INF dev/reva/cmd/revad/main.go:95 > running on 2 cpus pid=19783 -9:25AM INF dev/reva/cmd/revad/main.go:118 > nothing to do, no grpc/http enabled_services declared in config pid=19783 - -``` - - -## HTTP services - -Let's enable the helloworld service: - -``` -$ cat revad.toml -[http] -enabled_services = ["helloworldsvc"] -``` - -``` -$ revad -c ~/revad.toml -9:27AM INF 
dev/reva/cmd/revad/main.go:94 > version= commit= branch= go_version= build_date= build_platform= pid=24558 -9:27AM INF dev/reva/cmd/revad/main.go:95 > running on 4 cpus pid=24558 -9:27AM INF dev/reva/cmd/revad/grace/grace.go:181 > pidfile saved at: /tmp/gonzalhu/revad-ea51bb72-2d20-403e-a7db-73843e530115.pid pid=24558 pkg=grace -9:27AM INF dev/reva/cmd/revad/httpserver/httpserver.go:233 > http service enabled: helloworldsvc@/ pid=24558 pkg=httpserver -9:27AM INF dev/reva/cmd/revad/httpserver/httpserver.go:134 > http server listening at http://localhost:9998 pid=24558 pkg=httpserver -``` - -When the directive `enabled_services` is declared and the value is not empty, REVA will start an HTTP server with the declared services, in this case, the helloworld service. - -When REVA starts it will create a PID (process ID file), that will contain the PID of the REVA process, this file is needed to do reloads of the service as explained in [Controlling REVA](/controlling-reva.md). If no `-p flag` is specified, REVA will create the PID file in the operating system temporary directory, in this example: `/tmp/gonzalhu/revad-ea51bb72-2d20-403e-a7db-73843e530115.pid`. - -The line `http service enabled: helloworldsvc@/` indicated that the helloworld service has been enabled and it can be reach at the root URL (`/`). - -We can `curl` this endpoint: - -``` -$ curl http://localhost:9998 -Hello World! 
-``` - -In the log lines of the server we see the result of the HTTP request: - -``` -9:34AM INF dev/reva/cmd/revad/svcs/httpsvcs/handlers/log/log.go:112 > http end="16/Oct/2019:09:34:11 +0200" host=127.0.0.1 method=GET pid=13968 pkg=httpserver proto=HTTP/1.1 size=12 start="16/Oct/2019:09:34:11 +0200" status=200 time_ns=67614 traceid=af56a393712698d362b0939b2caabb72 uri=/ url=/ -``` - -The helloworld service allows to change the message being returned with the `message` directive: - -``` -$ cat revad.toml -[http] -enabled_services = ["helloworldsvc"] - -[http.services.helloworldsvc] -message = "Ola Mundo!" -``` - -## GRPC services - -REVA offers the possibility to expose GRPC services, let's do an example with the GRPC helloworld service: - -``` -$ cat ~/revad.toml -[grpc] -enable_reflection = true # needed to query GRPC services dynamically without having the protobuf definitions. -enabled_services = ["helloworldsvc"] -``` - -``` -$ revad -c ~/revad.toml -9:44AM INF dev/reva/cmd/revad/main.go:94 > version= commit= branch= go_version= build_date= build_platform= pid=13514 -9:44AM INF dev/reva/cmd/revad/main.go:95 > running on 4 cpus pid=13514 -9:44AM INF dev/reva/cmd/revad/grace/grace.go:181 > pidfile saved at: /tmp/gonzalhu/revad-68d20c91-1d3a-4e1c-a2a3-e9216e2f63d5.pid pid=13514 pkg=grace -9:44AM INF dev/reva/cmd/revad/grpcserver/grpcserver.go:177 > grpc service enabled: helloworldsvc pid=13514 pkg=grpcserver -9:44AM INF dev/reva/cmd/revad/grpcserver/grpcserver.go:141 > grpc server listening at tcp:0.0.0.0:9999 pid=13514 pkg=grpcserver -``` - -To query the GRPC endpoint we need another tool, we'll use [grpcurl](https://github.com/fullstorydev/grpcurl), make sure you have it installed. 
- -We can list the available services: - -``` -$ grpcurl -plaintext localhost:9999 list -grpc.reflection.v1alpha.ServerReflection -revad.helloworld.HelloWorldService -``` - -And we can ask the server the available methods for a service: - -``` -$ grpcurl -plaintext localhost:9999 describe revad.helloworld.HelloWorldService -revad.helloworld.HelloWorldService is a service: -service HelloWorldService { - rpc Hello ( .revad.helloworld.HelloRequest ) returns ( .revad.helloworld.HelloResponse ); -} -``` - -Let's query the method: - -``` -$ grpcurl -plaintext localhost:9999 'revad.helloworld.HelloWorldService/Hello' -{ - "message": "Hello Mr. Nobody" -} - -``` - -The HelloWorldService accepts a message for its Hello method: - -``` -$ grpcurl -plaintext localhost:9999 describe revad.helloworld.HelloRequest -revad.helloworld.HelloRequest is a message: -message HelloRequest { - string name = 1; -} -``` - -``` -$ grpcurl -plaintext -d '{"name": "Alice"}' localhost:9999 'revad.helloworld.HelloWorldService/Hello' -{ - "message": "Hello Alice" -} -``` diff --git a/docs/old/installing-reva.md b/docs/old/installing-reva.md deleted file mode 100644 index 83dbb582b6..0000000000 --- a/docs/old/installing-reva.md +++ /dev/null @@ -1,7 +0,0 @@ -# Installing REVA - -REVA is written in Go and is shipped as a statically compiled single binary. -Releases are available in the [Releases](https://github.com/cs3org/reva/releases) page. - -REVA can also be compiled from source files. While more flexible, this approach may be complex -for a beginner. For more information, see [Building REVA](./building-reva.md). diff --git a/examples/authprovider.toml b/examples/authprovider.toml deleted file mode 100644 index 8e63d4ff97..0000000000 --- a/examples/authprovider.toml +++ /dev/null 
@@ -1,25 +0,0 @@ -[core] -log_file = "stderr" -log_mode = "dev" -max_cpus = "100%" -disable_http = true - -[log] -level = "debug" -mode = "console" - -[grpc] -network = "tcp" -address = "0.0.0.0:9998" -enabled_services = [ -"authsvc" -] - -[grpc.services.authsvc] -auth_manager = "oidc" - -[grpc.services.authsvc.auth_managers.oidc] -provider = "http://0.0.0.0:10000" -insecure = true -client_id = "phoenix" -client_secret = "foobar" diff --git a/examples/backend.toml b/examples/backend.toml deleted file mode 100644 index 29a8f68f4a..0000000000 --- a/examples/backend.toml +++ /dev/null 
@@ -1,74 +0,0 @@ -[core] -max_cpus = "2" - -[log] -level = "debug" - -[grpc] -network = "tcp" -address = "0.0.0.0:9999" -enabled_services = ["storageprovidersvc", "authsvc", "storageregistrysvc", "preferencessvc", "usershareprovidersvc"] -enabled_interceptors = ["auth"] - -[grpc.services.usershareprovidersvc] -driver = "memory" - -[grpc.services.storageprovidersvc] -driver = "local" -mount_path = "/" -mount_id = "123e4567-e89b-12d3-a456-426655440000" -# we point to the datagatewaysvc. -data_server_url = "http://localhost:9998/data" - -[grpc.services.storageprovidersvc.available_checksums] -md5 = 100 -unset = 1000 - -[grpc.services.storageprovidersvc.drivers.local] -root = "/var/tmp/reva/data" - -[grpc.services.authsvc] -auth_manager = "demo" -token_manager = "jwt" -user_manager = "demo" - -[grpc.services.authsvc.token_managers.jwt] -secret = "Pive-Fumkiu4" - -[grpc.services.storageregistrysvc] -driver = "static" - -[grpc.services.storageregistrysvc.drivers.static.rules] -"/" = "localhost:9999" -"123e4567-e89b-12d3-a456-426655440000" = "localhost:9999" - -[grpc.interceptors.auth] -token_manager = "jwt" -skip_methods = ["/cs3.authv0alpha.AuthService/GenerateAccessToken", "/cs3.authv0alpha.AuthService/WhoAmI"] - -[grpc.interceptors.auth.token_managers.jwt] -secret = "Pive-Fumkiu4" - -[http] -address = "0.0.0.0:9998" -enabled_services = ["datasvc"] -enabled_middlewares = ["auth"] - -[http.middlewares.auth] -gatewaysvc = "0.0.0.0:9999" -credential_strategy = "basic" -token_strategy = "header" -token_writer = "header" -token_manager = "jwt" -skip_methods = ["/owncloud/status.php", "/metrics"] - -[http.middlewares.auth.token_managers.jwt] -secret = "Pive-Fumkiu4" - -[http.services.datasvc] -driver = "local" -prefix = "data" -temp_folder = "/var/tmp/" - -[http.services.datasvc.drivers.local] -root = "/var/tmp/reva/data" diff --git a/examples/oidc-provider.toml b/examples/oidc-provider.toml deleted file mode 100644 index 69ca298c2b..0000000000 
--- a/examples/oidc-provider.toml +++ /dev/null @@ -1,30 +0,0 @@ -# This oidc-provider.toml config starts an authprovider that uses the oidc introspection endpoint to authenticate requests -# See https://tools.ietf.org/html/rfc7662 for the spec -[core] -log_file = "stderr" -log_mode = "dev" -max_cpus = "100%" -disable_http = true - -[log] -level = "debug" -mode = "console" - -[grpc] -address = "0.0.0.0:9998" -enabled_services = [ - "authprovider" -] - -[grpc.services.authprovider] -auth_manager = "oidc" -userprovidersvc = "http://localhost:10000" - -[grpc.services.authprovider.auth_managers.oidc] -provider = "http://localhost:10000" -insecure = true -# credentials used for the introspection endpoint with basic auth -# also rate limit the endpoint: https://tools.ietf.org/html/rfc7662#section-4 -# TODO(jfd) introduce rate limits -client_id = "reva" -client_secret = "foobar" diff --git a/examples/phoenix.oidc.config.json b/examples/phoenix.oidc.config.json deleted file mode 100644 index 0e122ddabf..0000000000 --- a/examples/phoenix.oidc.config.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "__doc": "install https://github.com/owncloud/ocis-phoenix, then run this with `./ocis-phoenix-testing-linux-amd64 server --http-addr localhost:8300 --config-file phoenix.oidc.config.json --log-level debug`", - "server": "http://localhost:10000", - "theme": "owncloud", - "version": "0.1.0", - "openIdConnect": { - "metadataUrl": "http://localhost:10000/.well-known/openid-configuration", - "authority": "http://localhost:10000", - "client_id": "phoenix", - "response_type": "code", - "scope": "openid profile email" - }, - "apps": [ - "files", - "markdown-editor", - "pdf-viewer" - ] - } diff --git a/examples/separate/gateway.toml b/examples/separate/gateway.toml index 2a6c9621f0..d8bc44c1dc 100644 --- a/examples/separate/gateway.toml +++ b/examples/separate/gateway.toml 
@@ -48,6 +48,9 @@ bearer = "localhost:20099" [grpc.services.storageregistry] driver = "static" +[grpc.services.storageregistry.drivers.static] +home_provider = "/home" + [grpc.services.storageregistry.drivers.static.rules] # this is the list of namespaces that build the cs3 namespace # - every storage as mounted in the root diff --git a/examples/standalone.oidc.toml b/examples/standalone.oidc.toml deleted file mode 100644 index cfcaee2c95..0000000000 --- a/examples/standalone.oidc.toml +++ /dev/null 
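Review bot: `home_provider = "/home"` is added without a comment, and the `[grpc.services.storageregistry.drivers.static.rules]` table that would have to resolve that path only begins at the end of the hunk, so this section alone does not show whether `/home` maps to a storage provider. A one-line comment above the key would tell a reader what it is for and what it must agree with, e.g. `# home_provider: path under which a user's home is resolved; keep in sync with a matching entry in the rules table below` — the exact semantics of the key are not visible here and should be confirmed against the storageregistry static driver. The rules table continues past the hunk.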
@@ -1,222 +0,0 @@ -# This standalone.oidc.toml config file will start a reva service that: -# - authenticates requests using openid connect -# - serves http requests on port 10000 -# - / - ocdav: owncloud webdav api -# - /data - dataprovider: file up and download -# - /oauth2 - an openid connect provider implementation for development -# - /.well-known - used for openid connect discovery -# - /metrics - prometheus: metrics -# - serves grpc requests on port 9999 -# - authprovider - provides basic auth -# - storageprovider - handles storage metadata -# - usershareprovider - provides user shares -# - userprovider - provides user matadata (used to look up email, displayname etc after a login) -# - preferences - provides user preferences -# - gateway: to lookup services and authenticate requests -# - authregistry - used by the gateway to look up auth providers -# - storageregistry - used by the gateway to look up storage providers - -[core] -max_cpus = "2" # defaults to runtime.NumCPU() -#tracing_enabled = false -#tracing_endpoint = "localhost:6831" -#tracing_collector = "http://localhost:14268/api/traces" -#tracing_service_name = "revad" - -[log] -level = "debug" -#mode = "console" # "console" or "json" -#output = "./standalone.log" - -[http] -#network = "tcp" -# allow access from any host, not only localhost -address = "0.0.0.0:10000" # "localhost:9998" -enabled_services = ["dataprovider", "ocdav", "prometheus", "wellknown", "oidcprovider", "ocs"] -enabled_middlewares = ["cors", "auth"] - -[http.middlewares.auth] -gateway = "localhost:9999" -auth_type = "oidc" # used to look up the authprovider in the authregistry by the gateway -credential_strategy = "oidc" -token_strategy = "header" -token_writer = "header" -token_manager = "jwt" -skip_methods = [ - "/favicon.ico", - "/status.php", - "/oauth2", - "/oauth2/auth", - "/oauth2/token", - # TODO protect the introspection endpoint from external requests. 
- # should only be reachable by internal services, which is why the - # oidc-provider.toml has clientid and secret that are used for a basic auth - "/oauth2/introspect", - "/oauth2/userinfo", - "/oauth2/sessions", - "/.well-known/openid-configuration", - "/metrics" -] - -[http.middlewares.auth.token_managers.jwt] -secret = "Pive-Fumkiu4" - -[http.middlewares.cors] -allowed_origins = ["*"] -allowed_methods = ["OPTIONS", "GET", "PUT", "POST", "DELETE", "MKCOL", "PROPFIND", "PROPPATCH", "MOVE", "COPY", "REPORT", "SEARCH"] -allowed_headers = ["Origin", "Accept", "Depth", "Content-Type", "X-Requested-With", "Authorization", "Ocs-Apirequest", "If-None-Match"] -allow_credentials = true -options_passthrough = false - -[http.services.wellknown] -issuer = "http://localhost:10000" -authorization_endpoint = "http://localhost:10000/oauth2/auth" -token_endpoint = "http://localhost:10000/oauth2/token" -#jwks_uri = "" -revocation_endpoint = "http://localhost:10000/oauth2/auth" -introspection_endpoint = "http://localhost:10000/oauth2/introspect" -userinfo_endpoint = "http://localhost:10000/oauth2/userinfo" -#end_session_endpoint = - -[http.services.oidcprovider] -prefix = "oauth2" -gateway = "localhost:9999" -auth_type = "basic" -issuer = "http://localhost:10000" - -[http.services.oidcprovider.clients.phoenix] -id = "phoenix" -redirect_uris = ["http://localhost:8300/oidc-callback.html", "http://localhost:8300/"] -grant_types = ["implicit", "refresh_token", "authorization_code", "password", "client_credentials"] -response_types = ["code"] # use authorization code flow, see https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead for details -scopes = ["openid", "profile", "email", "offline"] -public = true # force PKCS for public clients - -[http.services.oidcprovider.clients.reva] -id = "reva" -grant_types = ["implicit", "refresh_token", "authorization_code", "password", "client_credentials"] -response_types = ["code"] # use authorization code flow -# private 
clients can use a secret -client_secret = "$2a$10$IxMdI6d.LIRZPpSfEwNoeu4rY3FhDREsxFJXikcgdRRAStxUlsuEO" # = "foobar" -scopes = ["openid", "profile", "email", "offline"] - -# to debug the oidc provider allow https://oidcdebugger.com -[http.services.oidcprovider.clients.oidcdebugger] -id = "oidcdebugger" -redirect_uris = ["https://oidcdebugger.com/debug"] -grant_types = ["implicit", "refresh_token", "authorization_code", "password", "client_credentials"] -response_types = ["id_token token", "code"] -client_secret = "$2a$10$IxMdI6d.LIRZPpSfEwNoeu4rY3FhDREsxFJXikcgdRRAStxUlsuEO" # = "foobar" -scopes = ["openid", "profile", "email", "offline"] - -[http.services.dataprovider] -driver = "local" -prefix = "data" -tmp_folder = "/var/tmp/" - -[http.services.dataprovider.drivers.local] -root = "/var/tmp/reva/data" - -[http.services.ocdav] -prefix = "" -chunk_folder = "/var/tmp/revad/chunks" -gateway = "localhost:9999" - -[grpc] -#network = "tcp" -# allow access from any host, not only localhost -address = "0.0.0.0:9999" # "localhost:9999" -enabled_services = [ - "authprovider", # provides basic auth - "storageprovider", # handles storage metadata - "usershareprovider", # provides user shares - "userprovider", # provides user matadata (used to look up email, displayname etc after a login) - "preferences", # provides user preferences - "gateway", # to lookup services and authenticate requests - "authregistry", # used by the gateway to look up auth providers - "storageregistry", # used by the gateway to look up storage providers -] -enabled_interceptors = ["auth"] - -[grpc.interceptors.auth] -token_manager = "jwt" -#header = "x-access-token" -skip_methods = [ - # we need to allow calls that happen during authentication - "/cs3.gateway.v1beta1.GatewayAPI/Authenticate", - "/cs3.gateway.v1beta1.GatewayAPI/WhoAmI", - "/cs3.gateway.v1beta1.GatewayAPI/GetUser", - "/cs3.gateway.v1beta1.GatewayAPI/ListAuthProviders", - "/cs3.auth.registry.v1beta1.RegistryAPI/ListAuthProviders", - 
"/cs3.auth.registry.v1beta1.RegistryAPI/GetAuthProvider", - "/cs3.auth.provider.v1beta1.ProviderAPI/Authenticate", - "/cs3.identity.user.v1beta1.UserAPI/GetUser", -] - -[grpc.interceptors.auth.token_managers.jwt] -secret = "Pive-Fumkiu4" - -[grpc.services.userprovider] -driver = "json" - -[grpc.services.userprovider.drivers.json] -users = "./examples/users.demo.json" - -[grpc.services.authregistry] -driver = "static" - -[grpc.services.authregistry.drivers.static.rules] -basic = "localhost:9999" -# needs to be started as a second service using the oidc-provider.toml -oidc = "localhost:9998" - -[grpc.services.usershareprovider] -driver = "memory" - -[grpc.services.storageprovider] -driver = "local" -mount_path = "/" -mount_id = "123e4567-e89b-12d3-a456-426655440000" -data_server_url = "http://localhost:10000/data" -expose_data_server = true - -[grpc.services.storageprovider.available_checksums] -md5 = 100 -unset = 1000 - -[grpc.services.storageprovider.drivers.local] -root = "/var/tmp/reva/data" - -# cannot be started in the same process because it has to serve the same -# "/cs3.auth.provider.v1beta1.ProviderAPI/Authenticate" request as the oidcprovider -[grpc.services.authprovider] -auth_manager = "json" -userprovidersvc = "localhost:9999" - -[grpc.services.authprovider.auth_managers.json] -users = "./examples/users.demo.json" - -[grpc.services.storageregistry] -driver = "static" - -[grpc.services.storageregistry.drivers.static.rules] -"/" = "localhost:9999" -"123e4567-e89b-12d3-a456-426655440000" = "localhost:9999" - -[grpc.services.gateway] -authregistrysvc = "localhost:9999" -storageregistrysvc = "localhost:9999" -appregistrysvc = "localhost:9999" -preferencessvc = "localhost:9999" -usershareprovidersvc = "localhost:9999" -publicshareprovidersvc = "localhost:9999" -ocmshareprovidersvc = "localhost:9999" -userprovidersvc = "localhost:9999" -commit_share_to_storage_grant = true -datagateway = "http://localhost:10000/data" -transfer_shared_secret = 
"replace-me-with-a-transfer-secret" -transfer_expires = 6 # give it a moment -token_manager = "jwt" - -[grpc.services.gateway.token_managers.jwt] -secret = "Pive-Fumkiu4" diff --git a/examples/standalone.toml b/examples/standalone.toml deleted file mode 100644 index 9d5a119d5e..0000000000 --- a/examples/standalone.toml +++ /dev/null 
@@ -1,166 +0,0 @@ -# This standalone.toml config file will start a reva service that: -# - authenticates requests using basic auth -# - serves http requests on port 10000 -# - /owncloud - ocdav: owncloud webdav api -# - /data - dataprovider: file up and download -# - /metrics - prometheus: metrics -# - serves grpc requests on port 9999 -# - authprovider - provides basic auth -# - storageprovider - handles storage metadata -# - usershareprovider - provides user shares -# - userprovider - provides user matadata (used to look up email, displayname etc after a login) -# - preferences - provides user preferences -# - gateway: to lookup services and authenticate requests -# - authregistry - used by the gateway to look up auth providers -# - storageregistry - used by the gateway to look up storage providers - -[core] -max_cpus = "2" # defaults to runtime.NumCPU() -#tracing_enabled = false -#tracing_endpoint = "localhost:6831" -#tracing_collector = "http://localhost:14268/api/traces" -#tracing_service_name = "revad" - -[log] -level = "debug" -#mode = "console" # "console" or "json" -#output = "./standalone.log" - -[http] -#network = "tcp" -# allow access from any host, not only localhost -address = "0.0.0.0:10000" # "localhost:9998" -enabled_services = ["ocdav", "dataprovider", "prometheus"] # [] -enabled_middlewares = ["cors", "auth"] # [] - -[http.middlewares.auth] -gateway = "localhost:9999" -auth_type = "basic" # used to look up the authprovider in the authregistry by the gateway -credential_strategy = "basic" -token_strategy = "header" -token_writer = "header" -token_manager = "jwt" -skip_methods = ["/owncloud/status.php", "/metrics"] # [] - -[http.middlewares.auth.token_strategies.header] -header = "X-Access-Token" -[http.middlewares.auth.token_writers.header] -header = "X-Access-Token" - -[http.middlewares.auth.token_managers.jwt] -secret = "Pive-Fumkiu4" - -[http.services.dataprovider] -driver = "local" -prefix = "data" -temp_folder = "/var/tmp/" - 
-[http.services.dataprovider.drivers.local] -root = "/var/tmp/reva/data" - -[http.services.ocdav] -prefix = "owncloud" -chunk_folder = "/var/tmp/revad/chunks" -gateway = "localhost:9999" - -[grpc] -#network = "tcp" -# allow access from any host, not only localhost -address = "0.0.0.0:9999" # "localhost:9999" -enabled_services = [ - "authprovider", # provides basic auth - "storageprovider", # handles storage metadata - "usershareprovider", # provides user shares - "userprovider", # provides user matadata (used to look up email, displayname etc after a login) - "preferences", # provides user preferences - "gateway", # to lookup services and authenticate requests - "authregistry", # used by the gateway to look up auth providers - "storageregistry", # used by the gateway to look up storage providers -] -enabled_interceptors = ["auth"] - -[grpc.interceptors.auth] -token_manager = "jwt" -#header = "x-access-token" -skip_methods = [ - # we need to allow calls that happen during authentication - "/cs3.gateway.v1beta1.GatewayAPI/Authenticate", - "/cs3.gateway.v1beta1.GatewayAPI/WhoAmI", - "/cs3.gateway.v1beta1.GatewayAPI/GetUser", - "/cs3.gateway.v1beta1.GatewayAPI/ListAuthProviders", - "/cs3.auth.registry.v1beta1.RegistryAPI/ListAuthProviders", - "/cs3.auth.registry.v1beta1.RegistryAPI/GetAuthProvider", - "/cs3.auth.provider.v1beta1.ProviderAPI/Authenticate", - "/cs3.identity.user.v1beta1.UserAPI/GetUser", -] - -[grpc.interceptors.auth.token_managers.jwt] -secret = "Pive-Fumkiu4" - -[grpc.services.usershareprovider] -driver = "memory" - -[grpc.services.storageprovider] -driver = "local" -mount_path = "/" -mount_id = "123e4567-e89b-12d3-a456-426655440000" -data_server_url = "http://localhost:10000/data" -# make the gateway return the storageprovider reported by the storageprovider -expose_data_server = true - -[grpc.services.storageprovider.available_checksums] -md5 = 100 -unset = 1000 - -[grpc.services.storageprovider.drivers.local] -root = "/var/tmp/reva/data" - -# the 
authprovider handles basic auth -[grpc.services.authprovider] -auth_manager = "json" -userprovidersvc = "localhost:9999" - -[grpc.services.authprovider.auth_managers.json] -users = "./examples/users.demo.json" - -[grpc.services.authprovider.token_managers.jwt] -secret = "Pive-Fumkiu4" - -[grpc.services.userprovider] -driver = "json" - -[grpc.services.userprovider.drivers.json] -users = "./examples/users.demo.json" - -[grpc.services.authregistry] -driver = "static" - -[grpc.services.authregistry.drivers.static.rules] -basic = "localhost:9999" -oidc = "localhost:9998" - -[grpc.services.storageregistry] -driver = "static" - -[grpc.services.storageregistry.drivers.static.rules] -"/" = "localhost:9999" -"123e4567-e89b-12d3-a456-426655440000" = "localhost:9999" - - -[grpc.services.gateway] -authregistrysvc = "localhost:9999" -storageregistrysvc = "localhost:9999" -appregistrysvc = "localhost:9999" -preferencessvc = "localhost:9999" -usershareprovidersvc = "localhost:9999" -publicshareprovidersvc = "localhost:9999" -ocmshareprovidersvc = "localhost:9999" -userprovidersvc = "localhost:9999" -commit_share_to_storage_grant = true -datagateway = "http://localhost:10000/data" -transfer_shared_secret = "replace-me-with-a-transfer-secret" -transfer_expires = 6 # give it a moment -token_manager = "jwt" - -[grpc.services.gateway.token_managers.jwt] -secret = "Pive-Fumkiu4" diff --git a/examples/users.demo.json b/examples/users.demo.json deleted file mode 100644 index 9b3e5f3ef3..0000000000 --- a/examples/users.demo.json +++ /dev/null 
@@ -1,35 +0,0 @@
-[
- {
- "id": {
- "opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
- "idp": "http://localhost:10000"
- },
- "username": "einstein",
- "secret": "relativity",
- "mail": "einstein@example.org",
- "display_name": "Albert Einstein",
- "groups": ["sailing-lovers", "violin-haters", "physics-lovers"]
- },
- {
- "id": {
- "opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
- "idp": "http://localhost:10000"
- },
- "username": "marie",
- "secret": "radioactivity",
- "mail": "marie@example.org",
- "display_name": "Marie Curie",
- "groups": ["radium-lovers", "polonium-lovers", "physics-lovers"]
- },
- {
- "id": {
- "opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
- "idp": "http://localhost:10000"
- },
- "username": "richard",
- "secret": "superfluidity",
- "mail": "richard@example.org",
- "display_name": "Richard Feynman",
- "groups": ["quantum-lovers", "philosophy-haters", "physics-lovers"]
- }
-]
diff --git a/examples/users.oidc.json b/examples/users.oidc.json
deleted file mode 100644
index db6e889417..0000000000
--- a/examples/users.oidc.json
+++ /dev/null
@@ -1,32 +0,0 @@
-[
- {
- "id": {
- "opaque_id": "c6e5995d6c7fa1986b830b78b478e6c2",
- "idp": "localhost:10000"
- },
- "username": "aaliyah_abernathy",
- "secret": "secret",
- "mail": "aaliyah_abernathy@owncloudqa.com",
- "display_name": "Aaliyah Abernathy"
- },
- {
- "id": {
- "opaque_id": "9fb5f8d212cbf3fc55f1bf67d97ed05d",
- "idp": "localhost:10000"
- },
- "username": "aaliyah_adams",
- "secret": "secret",
- "mail": "aaliyah_adams@owncloudqa.com",
- "display_name": "Aaliyah Adams"
- },
- {
- "id": {
- "opaque_id": "a84075b398fe6a0aee1155f8ead13331",
- "idp": "localhost:10000"
- },
- "username": "aaliyah_anderson",
- "secret": "secret",
- "mail": "aaliyah_anderson@owncloudqa.com",
- "display_name": "Aaliyah Anderson"
- }
-]
diff --git a/internal/grpc/interceptors/auth/auth.go b/internal/grpc/interceptors/auth/auth.go
index 162fc6f104..a01a6ba16a 100644
--- a/internal/grpc/interceptors/auth/auth.go
+++ b/internal/grpc/interceptors/auth/auth.go
@@ -36,14 +36,9 @@ import (
 "google.golang.org/grpc/status"
 )
-const (
- defaultHeader = "x-access-token"
-)
-
 type config struct {
 // TODO(labkode): access a map is more performant as uri as fixed in length
 // for SkipMethods.
- Header string `mapstructure:"header"`
 TokenManager string `mapstructure:"token_manager"`
 TokenManagers map[string]map[string]interface{} `mapstructure:"token_managers"`
 }
@@ -66,10 +61,6 @@ func NewUnary(m map[string]interface{}, unprotected []string) (grpc.UnaryServerI
 return nil, err
 }
- if conf.Header == "" {
- conf.Header = defaultHeader
- }
-
 if conf.TokenManager == "" {
 err := errors.New("auth: token manager is not configured for interceptor")
 return nil, err
@@ -134,10 +125,6 @@ func NewStream(m map[string]interface{}, unprotected []string) (grpc.StreamServe
 return nil, err
 }
- if conf.Header == "" {
- conf.Header = defaultHeader
- }
-
 h, ok := tokenmgr.NewFuncs[conf.TokenManager]
 if !ok {
 return nil, fmt.Errorf("auth: token manager not found: %s", conf.TokenManager)
diff --git a/internal/grpc/interceptors/token/token.go b/internal/grpc/interceptors/token/token.go
index e428763809..6f4a4f1daf 100644
--- a/internal/grpc/interceptors/token/token.go
+++ b/internal/grpc/interceptors/token/token.go
@@ -26,8 +26,6 @@ import (
 "google.golang.org/grpc/metadata"
 )
-const defaultHeader = "x-access-token"
-
 // NewUnary returns a new unary interceptor that adds
 // the token to the context.
 func NewUnary() grpc.UnaryServerInterceptor {
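Review bot: Removing `Header` from `config` turns an operator's existing `header = "..."` entry under `[grpc.interceptors.auth]` into an unknown key; if the config is decoded with mapstructure's defaults (the decode call is outside this hunk) that key is dropped without any diagnostic, and clients that still send the token under a custom name would presumably just be rejected by the interceptor with nothing in the logs explaining why. A one-off check in NewUnary and NewStream would make the removal visible, e.g. `if _, ok := m["header"]; ok { return nil, errors.New("auth: the header option was removed, the token key is fixed to token.TokenHeader") }`, or at least a logged warning; the same applies to the removed `header` options of the HTTP token strategy and token writer later in this patch. The code that actually reads the token from incoming metadata in this interceptor is not part of these hunks, so I could not confirm it was switched to the shared constant as well.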
@@ -35,14 +33,14 @@ func NewUnary() grpc.UnaryServerInterceptor {
 var tkn string
 md, ok := metadata.FromIncomingContext(ctx)
 if ok && md != nil {
- if val, ok := md[defaultHeader]; ok {
+ if val, ok := md[token.TokenHeader]; ok {
 if len(val) > 0 && val[0] != "" {
 tkn = val[0]
 }
 }
 }
- ctx = metadata.AppendToOutgoingContext(ctx, defaultHeader, tkn)
+ ctx = metadata.AppendToOutgoingContext(ctx, token.TokenHeader, tkn)
 ctx = token.ContextSetToken(ctx, tkn)
 return handler(ctx, req)
 }
@@ -58,14 +56,14 @@ func NewStream() grpc.StreamServerInterceptor {
 var tkn string
 md, ok := metadata.FromIncomingContext(ss.Context())
 if ok && md != nil {
- if val, ok := md[defaultHeader]; ok {
+ if val, ok := md[token.TokenHeader]; ok {
 if len(val) > 0 && val[0] != "" {
 tkn = val[0]
 }
 }
 }
- ctx = metadata.AppendToOutgoingContext(ctx, defaultHeader, tkn)
+ ctx = metadata.AppendToOutgoingContext(ctx, token.TokenHeader, tkn)
 ctx = token.ContextSetToken(ctx, tkn)
 wrapped := newWrappedServerStream(ctx, ss)
 return handler(srv, wrapped)
diff --git a/internal/grpc/services/gateway/authprovider.go b/internal/grpc/services/gateway/authprovider.go
index 08b8e70b58..a9fae4b523 100644
--- a/internal/grpc/services/gateway/authprovider.go
+++ b/internal/grpc/services/gateway/authprovider.go
@@ -30,7 +30,9 @@ import (
 "github.com/cs3org/reva/pkg/errtypes"
 "github.com/cs3org/reva/pkg/rgrpc/status"
 "github.com/cs3org/reva/pkg/rgrpc/todo/pool"
+ tokenpkg "github.com/cs3org/reva/pkg/token"
 "github.com/pkg/errors"
+ "google.golang.org/grpc/metadata"
 )
 func (s *svc) Authenticate(ctx context.Context, req *gateway.AuthenticateRequest) (*gateway.AuthenticateResponse, error) {
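Review bot: Indexing `md[token.TokenHeader]` directly works only because the new constant happens to be lowercase — incoming gRPC metadata keys are stored lowercased, so a later change to the constant's casing would make this lookup miss silently and every request would arrive with an empty token. `metadata.MD.Get` lowercases the key itself, so the nested lookup in both NewUnary and NewStream (the second hunk on this line) can become `if vals := md.Get(token.TokenHeader); len(vals) > 0 { tkn = vals[0] }`, which yields the same `tkn` for an empty first value. Note also that `AppendToOutgoingContext` runs even when no token was found, so an empty `x-access-token` entry is forwarded downstream; that is pre-existing, but either a `if tkn != "" { ... }` guard or a comment saying the empty value is forwarded on purpose would make the intent clear.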
@@ -103,6 +105,10 @@ func (s *svc) Authenticate(ctx context.Context, req *gateway.AuthenticateRequest
 return gwRes, nil
 }
+ // we need to pass the token to authenticate the CreateHome request.
+ ctx = tokenpkg.ContextSetToken(ctx, token)
+ ctx = metadata.AppendToOutgoingContext(ctx, tokenpkg.TokenHeader, token)
+
 // create home directory
 createHomeReq := &storageprovider.CreateHomeRequest{}
 createHomeRes, err := s.CreateHome(ctx, createHomeReq)
diff --git a/internal/http/interceptors/auth/auth.go b/internal/http/interceptors/auth/auth.go
index 072222e0d6..65b84cc8d8 100644
--- a/internal/http/interceptors/auth/auth.go
+++ b/internal/http/interceptors/auth/auth.go
@@ -42,10 +42,6 @@ import (
 "google.golang.org/grpc/metadata"
 )
-const (
- defaultHeader = "x-access-token"
-)
-
 type config struct {
 Priority int `mapstructure:"priority"`
 GatewaySvc string `mapstructure:"gateway"`
@@ -224,7 +220,7 @@ func New(m map[string]interface{}, unprotected []string) (global.Middleware, err
 // store user and core access token in context.
 ctx = user.ContextSetUser(ctx, u)
 ctx = token.ContextSetToken(ctx, tkn)
- ctx = metadata.AppendToOutgoingContext(ctx, defaultHeader, tkn) // TODO(jfd): hardcoded metadata key. use PerRPCCredentials?
+ ctx = metadata.AppendToOutgoingContext(ctx, token.TokenHeader, tkn) // TODO(jfd): hardcoded metadata key. use PerRPCCredentials?
 r = r.WithContext(ctx)
 h.ServeHTTP(w, r)
diff --git a/internal/http/interceptors/auth/token/strategy/header/header.go b/internal/http/interceptors/auth/token/strategy/header/header.go
index 00a234977c..980a9a7cbc 100644
--- a/internal/http/interceptors/auth/token/strategy/header/header.go
+++ b/internal/http/interceptors/auth/token/strategy/header/header.go
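Review bot: The pair `ContextSetToken` plus `AppendToOutgoingContext(ctx, TokenHeader, ...)` added here is the same two-line sequence that now appears in the grpc token interceptor, in the HTTP auth middleware (next hunk on this line) and in oidcprovider/userinfo.go; a helper in pkg/token that performs both steps (say `ContextSetOutgoingToken(ctx, tkn)`) would keep the metadata key and the context value from drifting apart and would reduce each of those sites to one line. Separately, because `ctx` is reassigned here, every call made later in Authenticate (the function continues outside this hunk) also carries the freshly minted user token in its outgoing metadata — fine if intended, but the comment should say so, e.g. `// from here on, outgoing calls in this handler are authenticated with the new user token.`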
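Review bot: The trailing `// TODO(jfd): hardcoded metadata key. use PerRPCCredentials?` on the changed line is now half stale — the key is no longer hardcoded in this file but taken from `token.TokenHeader` — so trim it to the part that still applies, e.g. `// TODO(jfd): use PerRPCCredentials instead of appending the token to outgoing metadata by hand.` The same goes for `// TODO(labkode): make header / auth configurable` in pkg/rhttp/client.go later in this patch, which the patch deliberately makes non-configurable. New's body continues outside the hunk.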
@@ -23,46 +23,20 @@ import (
 "github.com/cs3org/reva/internal/http/interceptors/auth/token/registry"
 "github.com/cs3org/reva/pkg/auth"
- "github.com/mitchellh/mapstructure"
- "github.com/pkg/errors"
-)
-
-const (
- defaultHeader = "X-Access-Token"
+ "github.com/cs3org/reva/pkg/token"
 )
 func init() {
 registry.Register("header", New)
 }
-type config struct {
- Header string `mapstructure:"header"`
-}
 type strategy struct {
 header string
 }
-func parseConfig(m map[string]interface{}) (*config, error) {
- c := &config{}
- if err := mapstructure.Decode(m, c); err != nil {
- err = errors.Wrap(err, "error decoding conf")
- return nil, err
- }
-
- if c.Header == "" {
- c.Header = defaultHeader
- }
-
- return c, nil
-}
-
 // New returns a new auth strategy that checks for basic auth.
 func New(m map[string]interface{}) (auth.TokenStrategy, error) {
- conf, err := parseConfig(m)
- if err != nil {
- return nil, err
- }
- return &strategy{header: conf.Header}, nil
+ return &strategy{header: token.TokenHeader}, nil
 }
 func (s *strategy) GetToken(r *http.Request) string {
diff --git a/internal/http/interceptors/auth/tokenwriter/strategy/header/header.go b/internal/http/interceptors/auth/tokenwriter/strategy/header/header.go
index 513314f276..664810029d 100644
--- a/internal/http/interceptors/auth/tokenwriter/strategy/header/header.go
+++ b/internal/http/interceptors/auth/tokenwriter/strategy/header/header.go
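Review bot: The doc comment kept on `New` is wrong for this file — it describes a basic-auth strategy, while the function builds the header token strategy — so it should read something like `// New returns a token strategy that reads the access token from the token.TokenHeader request header.` With the config gone, `m` is never read; `func New(_ map[string]interface{}) (auth.TokenStrategy, error)` makes that explicit while keeping the registry signature. Since `s.header` can now only ever be `token.TokenHeader`, the struct field is redundant; and if `GetToken` (outside this hunk) reads it via `r.Header.Get`, net/http canonicalises the lowercase constant, so the switch from the old `X-Access-Token` default is harmless, but that is worth confirming against the body.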
@@ -23,38 +23,20 @@ import (
 "github.com/cs3org/reva/internal/http/interceptors/auth/tokenwriter/registry"
 "github.com/cs3org/reva/pkg/auth"
- "github.com/mitchellh/mapstructure"
- "github.com/pkg/errors"
+ "github.com/cs3org/reva/pkg/token"
 )
 func init() {
 registry.Register("header", New)
 }
-type config struct {
- Header string `mapstructure:"header"`
-}
-
 type strategy struct {
 header string
 }
-func parseConfig(m map[string]interface{}) (*config, error) {
- c := &config{Header: "X-Access-Token"}
- if err := mapstructure.Decode(m, c); err != nil {
- err = errors.Wrap(err, "error decoding conf")
- return nil, err
- }
- return c, nil
-}
-
 // New returns a new token writer strategy that stores token in a header.
 func New(m map[string]interface{}) (auth.TokenWriter, error) {
- conf, err := parseConfig(m)
- if err != nil {
- return nil, err
- }
- return &strategy{header: conf.Header}, nil
+ return &strategy{header: token.TokenHeader}, nil
 }
 func (s *strategy) WriteToken(token string, w http.ResponseWriter) {
diff --git a/internal/http/services/oidcprovider/userinfo.go b/internal/http/services/oidcprovider/userinfo.go
index 12ba81f30c..d67df6a979 100644
--- a/internal/http/services/oidcprovider/userinfo.go
+++ b/internal/http/services/oidcprovider/userinfo.go
@@ -58,7 +58,7 @@ func (s *svc) doUserinfo(w http.ResponseWriter, r *http.Request) {
 internalToken := session.internalToken // To include in the context.
 ctx = token.ContextSetToken(ctx, internalToken)
- ctx = metadata.AppendToOutgoingContext(ctx, "x-access-token", internalToken) // TODO(labkode): this sucks.
+ ctx = metadata.AppendToOutgoingContext(ctx, token.TokenHeader, internalToken) // TODO(labkode): this sucks.
 sub := session.GetSubject()
 fmt.Printf("internal token: %s subject: %s session:%+v", internalToken, sub, session)
diff --git a/pkg/rhttp/client.go b/pkg/rhttp/client.go
index e317491e12..b6b8a52fc4 100644
--- a/pkg/rhttp/client.go
+++ b/pkg/rhttp/client.go
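Review bot: With `github.com/cs3org/reva/pkg/token` now imported in this file, the parameter of `func (s *strategy) WriteToken(token string, w http.ResponseWriter)` on the hunk's last context line shadows the package inside the method; it compiles as long as the body (outside this hunk) never refers to the package, but shadow linters will flag it and any later use of `token.TokenHeader` inside WriteToken would fail to compile — rename the parameter, e.g. `func (s *strategy) WriteToken(tkn string, w http.ResponseWriter) {`. As in the token strategy, `m` is no longer read by New, so `_ map[string]interface{}` would document that the registry signature is kept only for compatibility.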
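Review bot: The context line directly under the change, `fmt.Printf("internal token: %s subject: %s session:%+v", internalToken, sub, session)`, writes the internal access token and the whole session to stdout, so every userinfo request leaves a bearer credential in the process output. The line is pre-existing, but since this hunk touches the token handling right above it, it is the natural place to drop the secret from the message, e.g. `fmt.Printf("userinfo: subject: %s", sub)`, or to move it to the debug logger with the token left out. The `// TODO(labkode): this sucks.` comment would be more useful if it named the intended replacement (PerRPCCredentials, as the HTTP auth middleware's TODO in this patch suggests).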
@@ -29,10 +29,6 @@ import (
 "go.opencensus.io/plugin/ochttp"
 )
-const (
- defaultAccessHeader = "X-Access-Token"
-)
-
 // GetHTTPClient returns an http client with open census tracing support.
 // TODO(labkode): harden it.
 // https://medium.com/@nate510/don-t-use-go-s-default-http-client-4804cb19f779
@@ -54,7 +50,7 @@ func NewRequest(ctx context.Context, method, url string, body io.Reader) (*http.
 // TODO(labkode): make header / auth configurable
 tkn, ok := token.ContextGetToken(ctx)
 if ok {
- httpReq.Header.Set(defaultAccessHeader, tkn)
+ httpReq.Header.Set(token.TokenHeader, tkn)
 }
 httpReq = httpReq.WithContext(ctx)
diff --git a/pkg/token/token.go b/pkg/token/token.go
index 7fd4063a19..ac5f22ffce 100644
--- a/pkg/token/token.go
+++ b/pkg/token/token.go
@@ -24,6 +24,8 @@ import (
 user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 )
+const TokenHeader = "x-access-token"
+
 type key int
 const tokenKey key = iota
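Review bot: `TokenHeader` is exported without a doc comment, and it now plays two roles at once — a gRPC metadata key (looked up by direct map index in the token interceptor, so it must stay lowercase) and an HTTP header name (canonicalised by net/http in the rhttp hunk above). Add `// TokenHeader is the HTTP header and gRPC metadata key that carries the access token. It is lowercase on purpose: gRPC metadata keys are always lowercase, and net/http canonicalises it for HTTP headers.` above the const so the next person does not "fix" the casing back to `X-Access-Token`. The name also stutters as `token.TokenHeader`; `token.Header` would follow Go convention, though that is a wider rename than this patch.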