From b23570b80f07c7147eca82bb0b516dfc29e8378a Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Thu, 17 Jun 2021 13:15:41 +0200
Subject: [PATCH] fix secrets use
---
 deployments/examples/ocis_wopi/.env | 4 +++-
 deployments/examples/ocis_wopi/docker-compose.yml | 8 ++++----
 docs/ocis/deployment/ocis_wopi.md | 14 ++++++++------
 3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/deployments/examples/ocis_wopi/.env b/deployments/examples/ocis_wopi/.env
index 391bd938e1a..9d767164a02 100644
--- a/deployments/examples/ocis_wopi/.env
+++ b/deployments/examples/ocis_wopi/.env
@@ -31,8 +31,10 @@ OCIS_WOPISERVER_DOCKER_TAG=
 CS3ORG_WOPISERVER_DOCKER_TAG=
 # cs3org wopi server domain. Defaults to "wopiserver.owncloud.test"
 WOPISERVER_DOMAIN=
-# JWT secret which is used for the documents to be request by the Wopi client from the cs3org Wopi server. Must be change in order to have a secure Wopi server. Defaults to "Pive-Fumkiu4"
+# JWT secret which is used for the documents to be request by the Wopi client from the cs3org Wopi server. Must be change in order to have a secure Wopi server. Defaults to "LoremIpsum567"
 WOPI_JWT_SECRET=
+# JWT secret which is used for the documents to be request by the Wopi client from the cs3org Wopi server. Must be change in order to have a secure Wopi server. Defaults to "LoremIpsum123"
+WOPI_IOP_SECRET=
 ### Collabora settings ###
 # Domain of Collabora, where you can find the frontend. Defaults to "collabora.owncloud.test"
diff --git a/deployments/examples/ocis_wopi/docker-compose.yml b/deployments/examples/ocis_wopi/docker-compose.yml
index ffb6360a0ed..4e2fe617011 100644
--- a/deployments/examples/ocis_wopi/docker-compose.yml
+++ b/deployments/examples/ocis_wopi/docker-compose.yml
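Review bot: The comment added above `WOPI_IOP_SECRET=` is a copy of the `WOPI_JWT_SECRET` comment, so it calls the value a JWT secret and gives the reader no way to tell the two settings apart. Judging from the compose file in this commit, the value is passed to the cs3org WOPI server as `IOPSECRET` and to the oCIS WOPI extension as `WOPISERVER_WOPI_SERVER_IOP_SECRET`, so it looks like the secret shared between those two services; I would say so, e.g. `# Shared secret between oCIS and the cs3org Wopi server (IOP secret). Must be changed in order to have a secure Wopi server. Defaults to "LoremIpsum123"`. Both comments could also state that leaving the value empty selects the published default, which anyone reading this repository knows.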
@@ -92,8 +92,9 @@ services:
 environment:
 OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
 WOPISERVER_REVA_GATEWAY_ADDR: ocis:9142
+ OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
 WOPISERVER_WOPI_SERVER_HOST: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
- WOPISERVER_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+ WOPISERVER_WOPI_SERVER_IOP_SECRET: ${WOPI_IOP_SECRET:-LoremIpsum123}
 WOPISERVER_WOPI_SERVER_INSECURE: "${INSECURE:-false}"
 logging:
 driver: "local"
@@ -107,9 +108,8 @@ services:
 - /bin/sh
 - /entrypoint-override.sh
 environment:
- - OCIS_DOMAIN=${OCIS_DOMAIN:-ocis.owncloud.test}
- - WOPISECRET=${WOPI_JWT_SECRET:-Pive-Fumkiu4}
- - IOPSECRET=${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+ - WOPISECRET=${WOPI_JWT_SECRET:-LoremIpsum567}
+ - IOPSECRET=${WOPI_IOP_SECRET:-LoremIpsum123}
 - WOPISERVER_DOMAIN=${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
 - COLLABORA_DOMAIN=${COLLABORA_DOMAIN:-collabora.owncloud.test}
 volumes:
diff --git a/docs/ocis/deployment/ocis_wopi.md b/docs/ocis/deployment/ocis_wopi.md
index 678729f0144..1c00c23cea8 100644
--- a/docs/ocis/deployment/ocis_wopi.md
+++ b/docs/ocis/deployment/ocis_wopi.md
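Review bot: All four secret lines on the new side (`OCIS_JWT_SECRET` and `WOPISERVER_WOPI_SERVER_IOP_SECRET` in the first hunk, `WOPISECRET` and `IOPSECRET` in the second) use the `${VAR:-default}` form, so an unset or empty variable silently becomes a secret that is published in this repository, and the `.env` changed in this commit leaves `WOPI_JWT_SECRET=` and `WOPI_IOP_SECRET=` empty. If these examples are meant to be deployable as they stand, the required-variable form would make the stack refuse to start instead, e.g. `- IOPSECRET=${WOPI_IOP_SECRET:?set WOPI_IOP_SECRET in .env}`; if the defaults have to stay for local testing, a comment next to each line such as `# known default, override in .env before exposing this stack` would at least put the warning where the value is defined. `OCIS_JWT_SECRET` keeps the old `Pive-Fumkiu4` fallback and does not appear in the .env or documentation hunks of this commit, so it is worth checking that it is documented as a must-change value as well. Both service definitions start and end outside the hunks.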
@@ -81,13 +81,15 @@ See also [example server setup]({{< ref "preparing_server" >}})
 ### Wopi server settings ###
 # oCIS Wopi server version. Defaults to "latest"
- OCIS_WOPISERVER_DOCKER_TAG=custom
+ OCIS_WOPISERVER_DOCKER_TAG=
 # cs3org wopi server version. Defaults to "latest"
 CS3ORG_WOPISERVER_DOCKER_TAG=
 # cs3org wopi server domain. Defaults to "wopiserver.owncloud.test"
 WOPISERVER_DOMAIN=
- # JWT secret which is used for the documents to be request by the Wopi client from the cs3org Wopi server. Must be change in order to have a secure Wopi server. Defaults to "Pive-Fumkiu4"
+ # JWT secret which is used for the documents to be request by the Wopi client from the cs3org Wopi server. Must be change in order to have a secure Wopi server. Defaults to "LoremIpsum567"
 WOPI_JWT_SECRET=
+ # JWT secret which is used for the documents to be request by the Wopi client from the cs3org Wopi server. Must be change in order to have a secure Wopi server. Defaults to "LoremIpsum123"
+ WOPI_IOP_SECRET=
 ### Collabora settings ###
 # Domain of Collabora, where you can find the frontend. Defaults to "collabora.owncloud.test"
@@ -120,13 +122,13 @@ See also [example server setup]({{< ref "preparing_server" >}}) By default the CS3Org WOPI server will also be started in the `latest` version. If you want to start a specific version of it, you can set the version to `CS3ORG_WOPISERVER_DOCKER_TAG=`. Available versions can be found on [Docker Hub](https://hub.docker.com/r/cs3org/wopiserver/tags?page=1&ordering=last_updated). Set your domain for the CS3Org WOPI server in `WOPISERVER_DOMAIN=`, where Collabora can download the files. - - You also must override the default WOPI JWT secret, in order to have a secure setup. Do this by setting `WOPI_JWT_SECRET` to a long and random string. - + + You also must override the default WOPI JWT secret and the WOPI IOP secret, in order to have a secure setup. Do this by setting `WOPI_JWT_SECRET` and `WOPI_IOP_SECRET` to a long and random string. + Now it's time to set up Collabora and you need to configure the Domain of Collabora in `COLLABORA_DOMAIN=`. If you want to use the Collabora admin panel you need to set user name and passwort for in `COLLABORA_ADMIN_USER=` and `COLLABORA_ADMIN_PASSWORD=`. - + Now you have configured everything and can save the file. * Start the docker stack