From 78fd376ebd267c7c587912e168a237c9df74f4de Mon Sep 17 00:00:00 2001
From: jkoberg <jkoberg@owncloud.com>
Date: Fri, 15 Dec 2023 15:25:04 +0100
Subject: [PATCH] allow authentication for nats events

Signed-off-by: jkoberg <jkoberg@owncloud.com>
---
 go.mod                                          |  2 +-
 go.sum                                          |  6 ++----
 .../interceptors/eventsmiddleware/events.go     | 17 ++++++-----------
 .../services/storageprovider/storageprovider.go |  2 ++
 .../http/services/dataprovider/dataprovider.go  |  4 ++++
 pkg/events/stream/nats.go                       | 15 +++++++++------
 pkg/share/manager/jsoncs3/jsoncs3.go            |  2 ++
 7 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/go.mod b/go.mod
index d0116100130..1c120781e67 100644
--- a/go.mod
+++ b/go.mod
@@ -231,4 +231,4 @@ require (
 
 replace github.com/go-micro/plugins/v4/store/nats-js-kv => github.com/kobergj/plugins/v4/store/nats-js-kv v0.0.0-20231207143248-4d424e3ae348
 
-replace github.com/studio-b12/gowebdav => github.com/aduffeck/gowebdav v0.0.0-20231215102054-212d4a4374f6
+replace github.com/studio-b12/gowebdav => github.com/aduffeck/gowebdav v0.0.0-20231215074047-b00689b28e5f
diff --git a/go.sum b/go.sum
index 44aac726d79..6f15bd93f8f 100644
--- a/go.sum
+++ b/go.sum
@@ -425,8 +425,8 @@ github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbt
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk=
 github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
-github.com/aduffeck/gowebdav v0.0.0-20231215102054-212d4a4374f6 h1:ws0yvsikTQdmheKINP16tBzAHdttrHwbz/q3Fgl9X1Y=
-github.com/aduffeck/gowebdav v0.0.0-20231215102054-212d4a4374f6/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
+github.com/aduffeck/gowebdav v0.0.0-20231215074047-b00689b28e5f h1:rxzQfsnLmEm5YnAf0KDoTmswnnTX9whwAsFT7n1I1kk=
+github.com/aduffeck/gowebdav v0.0.0-20231215074047-b00689b28e5f/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -616,8 +616,6 @@ github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-micro/plugins/v4/events/natsjs v1.2.2-0.20230807070816-bc05fb076ce7 h1:/RpJVLKmKT2OcEnKCPaS6n+zygNzYDzwoYgPQEgcEiQ=
-github.com/go-micro/plugins/v4/events/natsjs v1.2.2-0.20230807070816-bc05fb076ce7/go.mod h1:lYuiEYKQTpbE2LA8HEcC8D6kQ29M7ILfEak3dzeucEg=
 github.com/go-micro/plugins/v4/events/natsjs v1.2.2-0.20231215124540-f7f8d3274bf9 h1:YOIavj+ZgO9HzukpdXZCvQv+AahjW/fTVFVF4QFRabw=
 github.com/go-micro/plugins/v4/events/natsjs v1.2.2-0.20231215124540-f7f8d3274bf9/go.mod h1:cL0O63th39fZ+M/aRJvajz7Qnmv+UTXugOq1k3qrYiQ=
 github.com/go-micro/plugins/v4/registry/consul v1.2.1 h1:3wctYMtstwQLCjoJ1HA6mKGGFF1hcdKDv5MzHakB1jE=
diff --git a/internal/grpc/interceptors/eventsmiddleware/events.go b/internal/grpc/interceptors/eventsmiddleware/events.go
index 4162503d1db..6b0f9da9b4b 100644
--- a/internal/grpc/interceptors/eventsmiddleware/events.go
+++ b/internal/grpc/interceptors/eventsmiddleware/events.go
@@ -37,6 +37,7 @@ import (
 	"github.com/cs3org/reva/v2/pkg/rgrpc"
 	"github.com/cs3org/reva/v2/pkg/storagespace"
 	"github.com/cs3org/reva/v2/pkg/utils"
+	"github.com/mitchellh/mapstructure"
 )
 
 const (
@@ -223,17 +224,11 @@ func publisherFromConfig(m map[string]interface{}) (events.Publisher, error) {
 	default:
 		return nil, fmt.Errorf("stream type '%s' not supported", typ)
 	case "nats":
-		var tlsCert string
-		val, ok := m["tls-root-ca-cert"]
-		if ok {
-			tlsCert = val.(string)
+		var cfg stream.NatsConfig
+		if err := mapstructure.Decode(m, &cfg); err != nil {
+			return nil, err
 		}
-		return stream.NatsFromConfig(m["name"].(string), false, stream.NatsConfig{
-			Endpoint:             m["address"].(string),
-			Cluster:              m["clusterID"].(string),
-			EnableTLS:            m["enable-tls"].(bool),
-			TLSInsecure:          m["tls-insecure"].(bool),
-			TLSRootCACertificate: tlsCert,
-		})
+		name, _ := m["name"].(string)
+		return stream.NatsFromConfig(name, false, cfg)
 	}
 }
diff --git a/internal/grpc/services/storageprovider/storageprovider.go b/internal/grpc/services/storageprovider/storageprovider.go
index 5b1274c0e4a..532854a2902 100644
--- a/internal/grpc/services/storageprovider/storageprovider.go
+++ b/internal/grpc/services/storageprovider/storageprovider.go
@@ -76,6 +76,8 @@ type eventconfig struct {
 	TLSInsecure          bool   `mapstructure:"tls_insecure"  docs:"Whether to verify the server TLS certificates."`
 	TLSRootCACertificate string `mapstructure:"tls_root_ca_cert"  docs:"The root CA certificate used to validate the server's TLS certificate."`
 	EnableTLS            bool   `mapstructure:"nats_enable_tls" docs:"events tls switch"`
+	AuthUsername         string `mapstructure:"nats_username" docs:"event stream username"`
+	AuthPassword         string `mapstructure:"nats_password" docs:"event stream password"`
 }
 
 func (c *config) init() {
diff --git a/internal/http/services/dataprovider/dataprovider.go b/internal/http/services/dataprovider/dataprovider.go
index cb930b95a73..f9c14e7b88c 100644
--- a/internal/http/services/dataprovider/dataprovider.go
+++ b/internal/http/services/dataprovider/dataprovider.go
@@ -48,6 +48,8 @@ type config struct {
 	NatsTLSInsecure    bool                              `mapstructure:"nats_tls_insecure"`
 	NatsRootCACertPath string                            `mapstructure:"nats_root_ca_cert_path"`
 	NatsEnableTLS      bool                              `mapstructure:"nats_enable_tls"`
+	NatsUsername       string                            `mapstructure:"nats_username"`
+	NatsPassword       string                            `mapstructure:"nats_password"`
 }
 
 func (c *config) init() {
@@ -86,6 +88,8 @@ func New(m map[string]interface{}, log *zerolog.Logger) (global.Service, error)
 			EnableTLS:            conf.NatsEnableTLS,
 			TLSInsecure:          conf.NatsTLSInsecure,
 			TLSRootCACertificate: conf.NatsRootCACertPath,
+			AuthUsername:         conf.NatsUsername,
+			AuthPassword:         conf.NatsPassword,
 		})
 		if err != nil {
 			return nil, err
diff --git a/pkg/events/stream/nats.go b/pkg/events/stream/nats.go
index 4910d694e23..30ffec7ca07 100644
--- a/pkg/events/stream/nats.go
+++ b/pkg/events/stream/nats.go
@@ -17,11 +17,14 @@ import (
 
 // NatsConfig is the configuration needed for a NATS event stream
 type NatsConfig struct {
-	Endpoint             string // Endpoint of the nats server
-	Cluster              string // CluserID of the nats cluster
-	TLSInsecure          bool   // Whether to verify TLS certificates
-	TLSRootCACertificate string // The root CA certificate used to validate the TLS certificate
-	EnableTLS            bool   // Enable TLS
+	Endpoint             string `mapstructure:"address"`          // Endpoint of the nats server
+	Cluster              string `mapstructure:"clusterID"`        // CluserID of the nats cluster
+	TLSInsecure          bool   `mapstructure:"tls-insecure"`     // Whether to verify TLS certificates
+	TLSRootCACertificate string `mapstructure:"tls-root-ca-cert"` // The root CA certificate used to validate the TLS certificate
+	EnableTLS            bool   `mapstructure:"enable-tls"`       // Enable TLS
+	AuthUsername         string `mapstructure:"username"`         // Username for authentication
+	AuthPassword         string `mapstructure:"password"`         // Password for authentication
+
 }
 
 // NatsFromConfig returns a nats stream from the given config
@@ -55,6 +58,7 @@ func NatsFromConfig(connName string, disableDurability bool, cfg NatsConfig) (ev
 		natsjs.ClusterID(cfg.Cluster),
 		natsjs.SynchronousPublish(true),
 		natsjs.Name(connName),
+		natsjs.Authenticate(cfg.AuthUsername, cfg.AuthPassword),
 	}
 
 	if disableDurability {
@@ -62,7 +66,6 @@ func NatsFromConfig(connName string, disableDurability bool, cfg NatsConfig) (ev
 	}
 
 	return Nats(opts...)
-
 }
 
 // nats returns a nats streaming client
diff --git a/pkg/share/manager/jsoncs3/jsoncs3.go b/pkg/share/manager/jsoncs3/jsoncs3.go
index f0fa2cbd51b..be1629119b5 100644
--- a/pkg/share/manager/jsoncs3/jsoncs3.go
+++ b/pkg/share/manager/jsoncs3/jsoncs3.go
@@ -133,6 +133,8 @@ type EventOptions struct {
 	TLSInsecure          bool   `mapstructure:"tlsinsecure"`
 	TLSRootCACertificate string `mapstructure:"tlsrootcacertificate"`
 	EnableTLS            bool   `mapstructure:"enabletls"`
+	AuthUsername         string `mapstructure:"authusername"`
+	AuthPassword         string `mapstructure:"authpassword"`
 }
 
 // Manager implements a share manager using a cs3 storage backend with local caching