From 3e55223f2d003a58b3cae536863caebc56940981 Mon Sep 17 00:00:00 2001
From: jkoberg
Date: Fri, 15 Dec 2023 15:39:50 +0100
Subject: [PATCH 1/4] allow authentication for events

Signed-off-by: jkoberg
---
 changelog/unreleased/nats-authentication.md | 5 +++++
 services/antivirus/pkg/config/config.go | 2 ++
 services/audit/pkg/config/config.go | 2 ++
 services/clientlog/pkg/config/config.go | 2 ++
 services/eventhistory/pkg/config/config.go | 2 ++
 services/frontend/pkg/config/config.go | 2 ++
 services/graph/pkg/config/config.go | 2 ++
 services/notifications/pkg/config/config.go | 2 ++
 services/policies/pkg/config/config.go | 2 ++
 services/postprocessing/pkg/config/config.go | 2 ++
 services/search/pkg/config/search.go | 2 ++
 services/search/pkg/service/grpc/v0/service.go | 2 ++
 services/sse/pkg/config/config.go | 2 ++
 services/storage-users/pkg/config/config.go | 2 ++
 services/storage-users/pkg/event/event.go | 2 ++
 services/userlog/pkg/config/config.go | 2 ++
 16 files changed, 35 insertions(+)
 create mode 100644 changelog/unreleased/nats-authentication.md

diff --git a/changelog/unreleased/nats-authentication.md b/changelog/unreleased/nats-authentication.md
new file mode 100644
index 00000000000..dce8254d8dd
--- /dev/null
+++ b/changelog/unreleased/nats-authentication.md
@@ -0,0 +1,5 @@
+Enhancement: Allow authentication nats connections
+
+Allow events, store and registry implementation to pass username/password to the nats instance
+
+https://github.com/owncloud/ocis/pull/7989
diff --git a/services/antivirus/pkg/config/config.go b/services/antivirus/pkg/config/config.go
index a5ab982efbe..0ec79b25580 100644
--- a/services/antivirus/pkg/config/config.go
+++ b/services/antivirus/pkg/config/config.go
@@ -53,6 +53,8 @@ type Events struct {
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;ANTIVIRUS_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;ANTIVIRUS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided ANTIVIRUS_EVENTS_TLS_INSECURE will be seen as false."`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;ANTIVIRUS_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services."`
+ AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;ANTIVIRUS_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services."`
+ AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;ANTIVIRUS_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services."`
 }
 
 // Scanner provides configuration options for the antivirusscanner
diff --git a/services/audit/pkg/config/config.go b/services/audit/pkg/config/config.go
index 8fd6cc2b629..0ee9e5493d4 100644
--- a/services/audit/pkg/config/config.go
+++ b/services/audit/pkg/config/config.go
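Review bot: The yaml keys `username`/`password` on the two new fields drop the `Auth` prefix that the Go field names and env variables carry, unlike the neighbouring `tls_insecure`→`TLSInsecure` pairing in the same struct; `yaml:"auth_username"` and `yaml:"auth_password"` would keep the yaml, env and Go names aligned. The same naming applies to every Events struct touched by this patch (audit, clientlog, eventhistory, frontend, graph, notifications, policies, postprocessing, search, sse, storage-users, userlog). Only the search and storage-users services receive a wiring change in this patch; for the other services the hunks do not show how the Events struct reaches the stream constructor, so it is worth confirming the new fields are actually consumed there rather than being dead config. Since `AuthPassword` is a plain `string`, any code path that dumps or logs the config struct would print the secret; if such a path exists, this field should be masked there.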
@@ -29,6 +29,8 @@ type Events struct {
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;AUDIT_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;AUDIT_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided AUDIT_EVENTS_TLS_INSECURE will be seen as false."`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;AUDIT_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;AUDIT_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;AUDIT_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
 }
 
 // Auditlog holds audit log information
diff --git a/services/clientlog/pkg/config/config.go b/services/clientlog/pkg/config/config.go
index 929950da905..921dc273733 100644
--- a/services/clientlog/pkg/config/config.go
+++ b/services/clientlog/pkg/config/config.go
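Review bot: The desc strings of the two new fields end in a double period (`services..`), copied from the EnableTLS line above; these desc tags are what the generated environment-variable documentation renders, so they should read `desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services."` and the same for the password. The same double period appears in the new lines of the clientlog, eventhistory, frontend, graph, notifications, storage-users and userlog hunks of this patch.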
@@ -35,6 +35,8 @@ type Events struct {
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;CLIENTLOG_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;CLIENTLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false."`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;CLIENTLOG_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;CLIENTLOG_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;CLIENTLOG_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
 }
 
 // TokenManager is the config for using the reva token manager
diff --git a/services/eventhistory/pkg/config/config.go b/services/eventhistory/pkg/config/config.go
index efe297eb99c..f64532a3573 100644
--- a/services/eventhistory/pkg/config/config.go
+++ b/services/eventhistory/pkg/config/config.go
@@ -52,4 +52,6 @@ type Events struct {
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;EVENTHISTORY_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;EVENTHISTORY_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. Will be seen as empty if NOTIFICATIONS_EVENTS_TLS_INSECURE is provided."`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;EVENTHISTORY_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;EVENTHISTORY_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;EVENTHISTORY_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
 }
diff --git a/services/frontend/pkg/config/config.go b/services/frontend/pkg/config/config.go
index 80aa6691cd0..96f295e2cfc 100644
--- a/services/frontend/pkg/config/config.go
+++ b/services/frontend/pkg/config/config.go
@@ -172,6 +172,8 @@ type Events struct {
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;FRONTEND_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"FRONTEND_EVENTS_TLS_ROOT_CA_CERTIFICATE;OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false."`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;FRONTEND_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;FRONTEND_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;FRONTEND_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
 }
 
 // ServiceAccount is the configuration for the used service account
diff --git a/services/graph/pkg/config/config.go b/services/graph/pkg/config/config.go
index 27a151bcf83..c6518e228f7 100644
--- a/services/graph/pkg/config/config.go
+++ b/services/graph/pkg/config/config.go
@@ -121,6 +121,8 @@ type Events struct {
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;GRAPH_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false."`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;GRAPH_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;GRAPH_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;GRAPH_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
 }
 
 // CORS defines the available cors configuration.
diff --git a/services/notifications/pkg/config/config.go b/services/notifications/pkg/config/config.go
index 324ab210cea..8ea2ec17432 100644
--- a/services/notifications/pkg/config/config.go
+++ b/services/notifications/pkg/config/config.go
@@ -56,6 +56,8 @@ type Events struct {
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;NOTIFICATIONS_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;NOTIFICATIONS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false."`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;NOTIFICATIONS_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;NOTIFICATIONS_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;NOTIFICATIONS_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
 }
 
 // ServiceAccount is the configuration for the used service account
diff --git a/services/policies/pkg/config/config.go b/services/policies/pkg/config/config.go
index 45e76e9e182..bf502c8c447 100644
--- a/services/policies/pkg/config/config.go
+++ b/services/policies/pkg/config/config.go
@@ -59,6 +59,8 @@ type Events struct {
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;POLICIES_EVENTS_TLS_INSECURE" desc:"Whether the server should skip the client certificate verification during the TLS handshake."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;POLICIES_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided POLICIES_EVENTS_TLS_INSECURE will be seen as false."`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;POLICIES_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services."`
+ AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;POLICIES_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services."`
+ AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;POLICIES_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services."`
 }
 
 // Log defines the available log configuration.
diff --git a/services/postprocessing/pkg/config/config.go b/services/postprocessing/pkg/config/config.go
index c7e75b120a1..45398469583 100644
--- a/services/postprocessing/pkg/config/config.go
+++ b/services/postprocessing/pkg/config/config.go
@@ -41,6 +41,8 @@ type Events struct {
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;POSTPROCESSING_EVENTS_TLS_INSECURE" desc:"Whether the ocis server should skip the client certificate verification during the TLS handshake."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;POSTPROCESSING_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_EVENTS_TLS_INSECURE will be seen as false."`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;POSTPROCESSING_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services."`
+ AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;POSTPROCESSING_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services."`
+ AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;POSTPROCESSING_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services."`
 }
 
 // Debug defines the available debug configuration.
diff --git a/services/search/pkg/config/search.go b/services/search/pkg/config/search.go
index 8bfe2fa4880..c7461c65571 100644
--- a/services/search/pkg/config/search.go
+++ b/services/search/pkg/config/search.go
@@ -11,4 +11,6 @@ type Events struct {
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;SEARCH_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;SEARCH_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SEARCH_EVENTS_TLS_INSECURE will be seen as false."`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;SEARCH_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services."`
+ AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;SEARCH_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services."`
+ AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;SEARCH_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services."`
 }
diff --git a/services/search/pkg/service/grpc/v0/service.go b/services/search/pkg/service/grpc/v0/service.go
index 1c6fb41c77f..8501ffffa44 100644
--- a/services/search/pkg/service/grpc/v0/service.go
+++ b/services/search/pkg/service/grpc/v0/service.go
@@ -81,6 +81,8 @@ func NewHandler(opts ...Option) (searchsvc.SearchProviderHandler, func(), error)
 EnableTLS: cfg.Events.EnableTLS,
 TLSInsecure: cfg.Events.TLSInsecure,
 TLSRootCACertificate: cfg.Events.TLSRootCACertificate,
+ AuthUsername: cfg.Events.AuthUsername,
+ AuthPassword: cfg.Events.AuthPassword,
 })
 if err != nil {
 return nil, teardown, err
diff --git a/services/sse/pkg/config/config.go b/services/sse/pkg/config/config.go
index aa4f2031cd5..1401be166f0 100644
--- a/services/sse/pkg/config/config.go
+++ b/services/sse/pkg/config/config.go
@@ -51,6 +51,8 @@ type Events struct {
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;SSE_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;SSE_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SSE_EVENTS_TLS_INSECURE will be seen as false."`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;SSE_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services."`
+ AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;SSE_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services."`
+ AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;SSE_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services."`
 }
 
 // CORS defines the available cors configuration.
diff --git a/services/storage-users/pkg/config/config.go b/services/storage-users/pkg/config/config.go
index 33b2b601b9c..e33a65dafa2 100644
--- a/services/storage-users/pkg/config/config.go
+++ b/services/storage-users/pkg/config/config.go
@@ -172,6 +172,8 @@ type Events struct {
 TLSRootCaCertPath string `yaml:"tls_root_ca_cert_path" env:"OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false."`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;STORAGE_USERS_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
 NumConsumers int `yaml:"num_consumers" env:"STORAGE_USERS_EVENTS_NUM_CONSUMERS" desc:"The amount of concurrent event consumers to start. Event consumers are used for post-processing files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands. The setting has no effect when the OCIS_ASYNC_UPLOADS is set to false. The default and minimum value is 1."`
+ AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;STORAGE_USERS_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;STORAGE_USERS_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
 }
 
 // StatCache holds cache config
diff --git a/services/storage-users/pkg/event/event.go b/services/storage-users/pkg/event/event.go
index ef263085b35..44d2c1c9bda 100644
--- a/services/storage-users/pkg/event/event.go
+++ b/services/storage-users/pkg/event/event.go
@@ -14,5 +14,7 @@ func NewStream(cfg *config.Config) (events.Stream, error) {
 EnableTLS: cfg.Events.EnableTLS,
 TLSInsecure: cfg.Events.TLSInsecure,
 TLSRootCACertificate: cfg.Events.TLSRootCaCertPath,
+ AuthUsername: cfg.Events.AuthUsername,
+ AuthPassword: cfg.Events.AuthPassword,
 })
 }
diff --git a/services/userlog/pkg/config/config.go b/services/userlog/pkg/config/config.go
index a0a3048e09b..c288318ee94 100644
--- a/services/userlog/pkg/config/config.go
+++ b/services/userlog/pkg/config/config.go
@@ -54,6 +54,8 @@ type Events struct {
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;USERLOG_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;USERLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false."`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;USERLOG_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;USERLOG_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+ AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;USERLOG_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
 }
 
 // CORS defines the available cors configuration.
From de4f9d78f40a55b8fac05d01b2877a2a74677331 Mon Sep 17 00:00:00 2001
From: jkoberg
Date: Mon, 18 Dec 2023 14:58:20 +0100
Subject: [PATCH 2/4] allow authentication for stores
Signed-off-by: jkoberg
---
 services/eventhistory/pkg/command/server.go | 1 +
 services/eventhistory/pkg/config/config.go | 14 ++++++++------
 services/graph/pkg/config/cache.go | 2 ++
 services/graph/pkg/service/v0/service.go | 1 +
 services/postprocessing/pkg/command/server.go | 1 +
 services/postprocessing/pkg/config/config.go | 14 ++++++++------
 services/proxy/pkg/command/server.go | 1 +
 services/proxy/pkg/config/config.go | 2 ++
 services/settings/pkg/config/config.go | 2 ++
 services/settings/pkg/store/metadata/cache.go | 2 ++
 services/userlog/pkg/command/server.go | 1 +
 services/userlog/pkg/config/config.go | 14 ++++++++------
 12 files changed, 37 insertions(+), 18 deletions(-)

diff --git a/services/eventhistory/pkg/command/server.go b/services/eventhistory/pkg/command/server.go
index da5e53df2bd..3a942b177f7 100644
--- a/services/eventhistory/pkg/command/server.go
+++ b/services/eventhistory/pkg/command/server.go
@@ -72,6 +72,7 @@ func Server(cfg *config.Config) *cli.Command {
 microstore.Nodes(cfg.Store.Nodes...),
 microstore.Database(cfg.Store.Database),
 microstore.Table(cfg.Store.Table),
+ store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword),
 )
 
 service := grpc.NewService(
diff --git a/services/eventhistory/pkg/config/config.go b/services/eventhistory/pkg/config/config.go
index f64532a3573..84ffa450605 100644
--- a/services/eventhistory/pkg/config/config.go
+++ b/services/eventhistory/pkg/config/config.go
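Review bot: `store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword)` is appended to the store options unconditionally, so for every store type other than NATS, and for NATS when both values are empty, the option has to be a no-op; the hunk does not show `store.Authentication` itself, so that is worth confirming, and a one-line comment such as `// credentials are only used by the nats-js-kv store backend` above the call would make the intent explicit. The diffstat lists a single insertion for this file and for postprocessing's server.go while the visible context only uses `microstore`, so the `store` package must already be imported in both files for this to compile. The same unconditional option is added in the graph service.go, postprocessing server.go and proxy server.go hunks of this patch; the enclosing `Server` function continues outside the hunk.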
@@ -37,12 +37,14 @@ type GRPCConfig struct {
 
 // Store configures the store to use
 type Store struct {
- Store string `yaml:"store" env:"OCIS_PERSISTENT_STORE;EVENTHISTORY_STORE" desc:"The type of the store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details."`
- Nodes []string `yaml:"nodes" env:"OCIS_PERSISTENT_STORE_NODES;EVENTHISTORY_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details."`
- Database string `yaml:"database" env:"EVENTHISTORY_STORE_DATABASE" desc:"The database name the configured store should use."`
- Table string `yaml:"table" env:"EVENTHISTORY_STORE_TABLE" desc:"The database table the store should use."`
- TTL time.Duration `yaml:"ttl" env:"OCIS_PERSISTENT_STORE_TTL;EVENTHISTORY_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details."`
- Size int `yaml:"size" env:"OCIS_PERSISTENT_STORE_SIZE;EVENTHISTORY_STORE_SIZE" desc:"The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived and used from the ocmem package though no explicit default was set."`
+ Store string `yaml:"store" env:"OCIS_PERSISTENT_STORE;EVENTHISTORY_STORE" desc:"The type of the store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details."`
+ Nodes []string `yaml:"nodes" env:"OCIS_PERSISTENT_STORE_NODES;EVENTHISTORY_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. 
Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details."`
+ Database string `yaml:"database" env:"EVENTHISTORY_STORE_DATABASE" desc:"The database name the configured store should use."`
+ Table string `yaml:"table" env:"EVENTHISTORY_STORE_TABLE" desc:"The database table the store should use."`
+ TTL time.Duration `yaml:"ttl" env:"OCIS_PERSISTENT_STORE_TTL;EVENTHISTORY_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details."`
+ Size int `yaml:"size" env:"OCIS_PERSISTENT_STORE_SIZE;EVENTHISTORY_STORE_SIZE" desc:"The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived and used from the ocmem package though no explicit default was set."`
+ AuthUsername string `yaml:"username" env:"OCIS_PERSISTENT_STORE_AUTH_USERNAME;EVENTHISTORY_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured."`
+ AuthPassword string `yaml:"password" env:"OCIS_PERSISTENT_STORE_AUTH_PASSWORD;EVENTHISTORY_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured."`
 }
 
 // Events combines the configuration options for the event bus.
diff --git a/services/graph/pkg/config/cache.go b/services/graph/pkg/config/cache.go
index f6923ce4dbd..d33980ac699 100644
--- a/services/graph/pkg/config/cache.go
+++ b/services/graph/pkg/config/cache.go
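Review bot: The new `AuthUsername`/`AuthPassword` desc strings say the credentials only apply to store type `'nats-js-kv'`, but the `Store` field re-emitted in the same hunk still lists the supported values as `'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'`, which does not contain `'nats-js-kv'`; one of the two descriptions is wrong and an operator reading the generated docs cannot tell which value enables authentication. Either add `'nats-js-kv'` to the `Store` desc or phrase the new descs in terms of the store type actually listed. The yaml keys `username`/`password` also drop the `Auth` prefix that the field and env names carry. The same mismatch is present in the postprocessing config.go hunk of this patch.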
@@ -11,4 +11,6 @@ type Cache struct {
 TTL time.Duration `yaml:"ttl" env:"OCIS_CACHE_TTL;GRAPH_CACHE_TTL" desc:"Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details."`
 Size int `yaml:"size" env:"OCIS_CACHE_SIZE;GRAPH_CACHE_SIZE" desc:"The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitely set as default."`
 DisablePersistence bool `yaml:"disable_persistence" env:"OCIS_CACHE_DISABLE_PERSISTENCE;GRAPH_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false."`
+ AuthUsername string `yaml:"username" env:"OCIS_CACHE_AUTH_USERNAME;GRAPH_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured."`
+ AuthPassword string `yaml:"password" env:"OCIS_CACHE_AUTH_PASSWORD;GRAPH_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured."`
 }
diff --git a/services/graph/pkg/service/v0/service.go b/services/graph/pkg/service/v0/service.go
index 7ec332e55d7..e64e41a3d8c 100644
--- a/services/graph/pkg/service/v0/service.go
+++ b/services/graph/pkg/service/v0/service.go
@@ -187,6 +187,7 @@ func NewService(opts ...Option) (Graph, error) {
 microstore.Database(options.Config.Cache.Database),
 microstore.Table(options.Config.Cache.Table),
 store.DisablePersistence(options.Config.Cache.DisablePersistence),
+ store.Authentication(options.Config.Cache.AuthUsername, options.Config.Cache.AuthPassword),
 }
 m := roles.NewManager(
 roles.StoreOptions(storeOptions),
diff --git a/services/postprocessing/pkg/command/server.go b/services/postprocessing/pkg/command/server.go
index 5e1afecc32b..f8b9095cd91 100644
--- a/services/postprocessing/pkg/command/server.go
+++ b/services/postprocessing/pkg/command/server.go
@@ -66,6 +66,7 @@ func Server(cfg *config.Config) *cli.Command {
 microstore.Nodes(cfg.Store.Nodes...),
 microstore.Database(cfg.Store.Database),
 microstore.Table(cfg.Store.Table),
+ store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword),
 )
 
 svc, err := service.NewPostprocessingService(ctx, bus, logger, st, traceProvider, cfg.Postprocessing)
diff --git a/services/postprocessing/pkg/config/config.go b/services/postprocessing/pkg/config/config.go
index 45398469583..5cd6168dee0 100644
--- a/services/postprocessing/pkg/config/config.go
+++ b/services/postprocessing/pkg/config/config.go
@@ -55,10 +55,12 @@ type Debug struct { // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OCIS_PERSISTENT_STORE;POSTPROCESSING_STORE" desc:"The type of the store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details."` - Nodes []string `yaml:"nodes" env:"OCIS_PERSISTENT_STORE_NODES;POSTPROCESSING_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details."` - Database string `yaml:"database" env:"POSTPROCESSING_STORE_DATABASE" desc:"The database name the configured store should use."` - Table string `yaml:"table" env:"POSTPROCESSING_STORE_TABLE" desc:"The database table the store should use."` - TTL time.Duration `yaml:"ttl" env:"OCIS_PERSISTENT_STORE_TTL;POSTPROCESSING_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details."` - Size int `yaml:"size" env:"OCIS_PERSISTENT_STORE_SIZE;POSTPROCESSING_STORE_SIZE" desc:"The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitely set as default."` + Store string `yaml:"store" env:"OCIS_PERSISTENT_STORE;POSTPROCESSING_STORE" desc:"The type of the store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details."` + Nodes []string `yaml:"nodes" env:"OCIS_PERSISTENT_STORE_NODES;POSTPROCESSING_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. 
See the Environment Variable Types description for more details."` + Database string `yaml:"database" env:"POSTPROCESSING_STORE_DATABASE" desc:"The database name the configured store should use."` + Table string `yaml:"table" env:"POSTPROCESSING_STORE_TABLE" desc:"The database table the store should use."` + TTL time.Duration `yaml:"ttl" env:"OCIS_PERSISTENT_STORE_TTL;POSTPROCESSING_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details."` + Size int `yaml:"size" env:"OCIS_PERSISTENT_STORE_SIZE;POSTPROCESSING_STORE_SIZE" desc:"The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitely set as default."` + AuthUsername string `yaml:"username" env:"OCIS_PERSISTENT_STORE_AUTH_USERNAME;POSTPROCESSING_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured."` + AuthPassword string `yaml:"password" env:"OCIS_PERSISTENT_STORE_AUTH_PASSWORD;POSTPROCESSING_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured."` } diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go index c684af09ac4..fc8d9225d01 100644 --- a/services/proxy/pkg/command/server.go +++ b/services/proxy/pkg/command/server.go @@ -63,6 +63,7 @@ func Server(cfg *config.Config) *cli.Command { microstore.Database(cfg.OIDC.UserinfoCache.Database), microstore.Table(cfg.OIDC.UserinfoCache.Table), store.DisablePersistence(cfg.OIDC.UserinfoCache.DisablePersistence), + store.Authentication(cfg.OIDC.UserinfoCache.AuthUsername, cfg.OIDC.UserinfoCache.AuthPassword), ) logger := logging.Configure(cfg.Service.Name, cfg.Log) diff --git a/services/proxy/pkg/config/config.go b/services/proxy/pkg/config/config.go index 4ecbcef79ea..8ddb8c6ff43 100644 
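Review bot: The `Store` field's `desc` still lists the supported types as 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop', while the new `AuthUsername`/`AuthPassword` descs say they only apply to 'nats-js-kv', a type that list does not contain, so one of the two sentences is stale. Either add 'nats-js-kv' to the `Store` desc or word the auth descs as `Only applies when store type 'nats-js' or 'nats-js-kv' is configured.`, which matches the vendored `store.Create` on this page reading the credentials in both nats branches. The userlog `Persistence` hunk has the same mismatch. The remaining changed lines in this hunk are gofmt realignment of unchanged fields.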
--- a/services/proxy/pkg/config/config.go +++ b/services/proxy/pkg/config/config.go @@ -130,6 +130,8 @@ type Cache struct { TTL time.Duration `yaml:"ttl" env:"OCIS_CACHE_TTL;PROXY_OIDC_USERINFO_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details."` Size int `yaml:"size" env:"OCIS_CACHE_SIZE;PROXY_OIDC_USERINFO_CACHE_SIZE" desc:"The maximum quantity of items in the user info cache. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitely set as default."` DisablePersistence bool `yaml:"disable_persistence" env:"OCIS_CACHE_DISABLE_PERSISTENCE;PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false."` + AuthUsername string `yaml:"username" env:"OCIS_CACHE_AUTH_USERNAME;PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured."` + AuthPassword string `yaml:"password" env:"OCIS_CACHE_AUTH_PASSWORD;PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured."` } // RoleAssignment contains the configuration for how to assign roles to users during login diff --git a/services/settings/pkg/config/config.go b/services/settings/pkg/config/config.go index 2a4b4bd0820..dfdefe956ac 100644 --- a/services/settings/pkg/config/config.go +++ b/services/settings/pkg/config/config.go 
@@ -65,4 +65,6 @@ type Cache struct { TTL time.Duration `yaml:"ttl" env:"OCIS_CACHE_TTL;SETTINGS_CACHE_TTL" desc:"Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details."` Size int `yaml:"size" env:"OCIS_CACHE_SIZE;SETTINGS_CACHE_SIZE" desc:"The maximum quantity of items in the cache. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitely set as default."` DisablePersistence bool `yaml:"disable_persistence" env:"OCIS_CACHE_DISABLE_PERSISTENCE;SETTINGS_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false."` + AuthUsername string `yaml:"username" env:"OCIS_CACHE_AUTH_USERNAME;SETTINGS_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured."` + AuthPassword string `yaml:"password" env:"OCIS_CACHE_AUTH_PASSWORD;SETTINGS_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured."` } diff --git a/services/settings/pkg/store/metadata/cache.go b/services/settings/pkg/store/metadata/cache.go index 4ded68c1f03..80ebd02a5d0 100644 --- a/services/settings/pkg/store/metadata/cache.go +++ b/services/settings/pkg/store/metadata/cache.go @@ -140,6 +140,7 @@ func (c *CachedMDC) Init(ctx context.Context, id string) error { microstore.Database(c.cfg.Metadata.Cache.Database), microstore.Table(c.cfg.Metadata.Cache.DirectoryTable), store.DisablePersistence(c.cfg.Metadata.Cache.DisablePersistence), + store.Authentication(c.cfg.Metadata.Cache.AuthUsername, c.cfg.Metadata.Cache.AuthPassword), ) c.filesCache = store.Create( store.Store(c.cfg.Metadata.Cache.Store), 
@@ -149,6 +150,7 @@ func (c *CachedMDC) Init(ctx context.Context, id string) error { microstore.Database(c.cfg.Metadata.Cache.Database), microstore.Table(c.cfg.Metadata.Cache.FileTable), store.DisablePersistence(c.cfg.Metadata.Cache.DisablePersistence), + store.Authentication(c.cfg.Metadata.Cache.AuthUsername, c.cfg.Metadata.Cache.AuthPassword), ) return c.next.Init(ctx, id) } diff --git a/services/userlog/pkg/command/server.go b/services/userlog/pkg/command/server.go index 5529ef9537d..00637c85db8 100644 --- a/services/userlog/pkg/command/server.go +++ b/services/userlog/pkg/command/server.go @@ -94,6 +94,7 @@ func Server(cfg *config.Config) *cli.Command { microstore.Nodes(cfg.Persistence.Nodes...), microstore.Database(cfg.Persistence.Database), microstore.Table(cfg.Persistence.Table), + store.Authentication(cfg.Persistence.AuthUsername, cfg.Persistence.AuthPassword), ) tm, err := pool.StringToTLSMode(cfg.GRPCClientTLS.Mode) diff --git a/services/userlog/pkg/config/config.go b/services/userlog/pkg/config/config.go index c288318ee94..9afde9a3c73 100644 --- a/services/userlog/pkg/config/config.go +++ b/services/userlog/pkg/config/config.go 
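Review bot: `Init` now builds the same option list twice: the directory cache in the previous hunk and the files cache here differ only in `microstore.Table(...)`, and the added `store.Authentication(...)` line is the second copy of that call. Consider collecting the shared options (store, nodes, database, persistence flag, authentication) in one `[]microstore.Option` and appending the table-specific option per `store.Create` call, so the next option of this kind is added in one place. Both `store.Create` calls begin above their hunks, so the full option lists are inferred from the visible tail.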
@@ -39,12 +39,14 @@ type Config struct { // Persistence configures the store to use type Persistence struct { - Store string `yaml:"store" env:"OCIS_PERSISTENT_STORE;USERLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details."` - Nodes []string `yaml:"nodes" env:"OCIS_PERSISTENT_STORE_NODES;USERLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details."` - Database string `yaml:"database" env:"USERLOG_STORE_DATABASE" desc:"The database name the configured store should use."` - Table string `yaml:"table" env:"USERLOG_STORE_TABLE" desc:"The database table the store should use."` - TTL time.Duration `yaml:"ttl" env:"OCIS_PERSISTENT_STORE_TTL;USERLOG_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details."` - Size int `yaml:"size" env:"OCIS_PERSISTENT_STORE_SIZE;USERLOG_STORE_SIZE" desc:"The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitely set as default."` + Store string `yaml:"store" env:"OCIS_PERSISTENT_STORE;USERLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details."` + Nodes []string `yaml:"nodes" env:"OCIS_PERSISTENT_STORE_NODES;USERLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. 
See the Environment Variable Types description for more details."` + Database string `yaml:"database" env:"USERLOG_STORE_DATABASE" desc:"The database name the configured store should use."` + Table string `yaml:"table" env:"USERLOG_STORE_TABLE" desc:"The database table the store should use."` + TTL time.Duration `yaml:"ttl" env:"OCIS_PERSISTENT_STORE_TTL;USERLOG_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details."` + Size int `yaml:"size" env:"OCIS_PERSISTENT_STORE_SIZE;USERLOG_STORE_SIZE" desc:"The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitely set as default."` + AuthUsername string `yaml:"username" env:"OCIS_PERSISTENT_STORE_AUTH_USERNAME;USERLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured."` + AuthPassword string `yaml:"password" env:"OCIS_PERSISTENT_STORE_AUTH_PASSWORD;USERLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured."` } // Events combines the configuration options for the event bus. From 15efafaf23e84dbcdd25a9b91407116ab4aee187 Mon Sep 17 00:00:00 2001 From: jkoberg Date: Mon, 18 Dec 2023 15:18:16 +0100 Subject: [PATCH 3/4] allow authentication for the registry Signed-off-by: jkoberg --- ocis-pkg/natsjsregistry/options.go | 11 +++++++++++ ocis-pkg/natsjsregistry/registry.go | 9 ++++++++- ocis-pkg/registry/registry.go | 9 ++++++--- 3 files changed, 25 insertions(+), 4 deletions(-) diff --git a/ocis-pkg/natsjsregistry/options.go b/ocis-pkg/natsjsregistry/options.go index dfcda616a59..a6e862a62a2 100644 --- a/ocis-pkg/natsjsregistry/options.go +++ b/ocis-pkg/natsjsregistry/options.go 
@@ -10,6 +10,7 @@ import (
 type storeOptionsKey struct{}
 type expiryKey struct{}
+type authKey struct{}
 // StoreOptions sets the options for the underlying store
 func StoreOptions(opts []store.Option) registry.Option {
@@ -30,3 +31,13 @@ func ServiceExpiry(t time.Duration) registry.Option {
 o.Context = context.WithValue(o.Context, expiryKey{}, t)
 }
 }
+
+// Authenticate sets the username/password for the nats connection
+func Authenticate(username, password string) registry.Option {
+ return func(o *registry.Options) {
+ if o.Context == nil {
+ o.Context = context.Background()
+ }
+ o.Context = context.WithValue(o.Context, authKey{}, []string{username, password})
+ }
+}
diff --git a/ocis-pkg/natsjsregistry/registry.go b/ocis-pkg/natsjsregistry/registry.go
index 1685515a21a..d751229b140 100644
--- a/ocis-pkg/natsjsregistry/registry.go
+++ b/ocis-pkg/natsjsregistry/registry.go
@@ -8,6 +8,7 @@ import (
 "time"
 natsjskv "github.com/go-micro/plugins/v4/store/nats-js-kv"
+ "github.com/nats-io/nats.go"
 "go-micro.dev/v4/registry"
 "go-micro.dev/v4/store"
 "go-micro.dev/v4/util/cmd"
@@ -133,5 +134,11 @@ func storeOptions(opts registry.Options) []store.Option {
 if so, ok := opts.Context.Value(storeOptionsKey{}).([]store.Option); ok {
 storeoptions = append(storeoptions, so...)
 }
- return storeoptions
+ natsOptions := nats.GetDefaultOptions()
+ natsOptions.Name = "nats-js-kv-registry"
+ if auth, ok := opts.Context.Value(authKey{}).([]string); ok {
+ natsOptions.User = auth[0]
+ natsOptions.Password = auth[1]
+ }
+ return append(storeoptions, natsjskv.NatsOptions(natsOptions))
 }
diff --git a/ocis-pkg/registry/registry.go b/ocis-pkg/registry/registry.go
index ed9ece2ae5d..cee918bf81c 100644
--- a/ocis-pkg/registry/registry.go
+++ b/ocis-pkg/registry/registry.go
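Review bot: `storeOptions` indexes `auth[0]` and `auth[1]` after only a type assertion on the context value, whereas the vendored reva `store.Create` hunk on this page guards the identical pattern with `ok && len(auth) == 2`; `Authenticate` always stores a two-element slice so this cannot panic today, but the length check is free and keeps the two readers consistent: `if auth, ok := opts.Context.Value(authKey{}).([]string); ok && len(auth) == 2 {`. Storing the pair as a positional `[]string` also hides which element is which; a small unexported `struct{ username, password string }` under `authKey{}` would make the read site self-explanatory. `Authenticate` in options.go records the pair even when both values are empty, which should be harmless because empty `User`/`Password` are what `nats.GetDefaultOptions()` returns anyway, but a doc line such as `// Empty values are stored as-is and leave the default (unauthenticated) options untouched.` would save the reader tracing that.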
@@ -19,8 +19,10 @@ import (
 )
 const (
- registryEnv = "MICRO_REGISTRY"
- registryAddressEnv = "MICRO_REGISTRY_ADDRESS"
+ registryEnv = "MICRO_REGISTRY"
+ registryAddressEnv = "MICRO_REGISTRY_ADDRESS"
+ regisryUsernameEnv = "MICRO_REGISTRY_AUTH_USERNAME"
+ registryPasswordEnv = "MICRO_REGISTRY_AUTH_PASSWORD"
 )
 var (
@@ -68,9 +70,10 @@ func GetRegistry() mRegistry.Registry {
 )
 case "memory":
 reg = memr.NewRegistry()
- case "natsjs":
+ case "natsjs", "nats-js", "nats-js-kv": // for backwards compatibility - we will stick with one of those
 reg = natsjsregistry.NewRegistry(
 mRegistry.Addrs(addresses...),
+ natsjsregistry.Authenticate(os.Getenv(regisryUsernameEnv), os.Getenv(registryPasswordEnv)),
 )
 default:
 reg = mdnsr.NewRegistry()
From 7acc141e4fb2672dbe5c43abf61d76354b8071f5 Mon Sep 17 00:00:00 2001
From: jkoberg
Date: Fri, 15 Dec 2023 15:28:53 +0100
Subject: [PATCH 4/4] bump reva
Signed-off-by: jkoberg
---
 go.mod | 4 ++--
 go.sum | 4 ++--
 .../interceptors/eventsmiddleware/events.go | 17 ++++++-----------
 .../services/storageprovider/storageprovider.go | 2 ++
 .../http/services/dataprovider/dataprovider.go | 4 ++++
 .../owncloud/ocdav/propfind/propfind.go | 4 ++--
 .../cs3org/reva/v2/pkg/events/stream/nats.go | 15 +++++++++------
 .../v2/pkg/share/manager/jsoncs3/jsoncs3.go | 2 ++
 .../cs3org/reva/v2/pkg/storage/cache/cache.go | 3 +++
 .../storage/utils/decomposedfs/decomposedfs.go | 1 +
 .../cs3org/reva/v2/pkg/store/options.go | 14 ++++++++++++++
 .../cs3org/reva/v2/pkg/store/store.go | 8 ++++++++
 vendor/modules.txt | 2 +-
 13 files changed, 56 insertions(+), 24 deletions(-)
diff --git a/go.mod b/go.mod
index d71ad8dd651..b15d8412c15 100644
--- a/go.mod
+++ b/go.mod
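Review bot: The new constant `regisryUsernameEnv` is misspelled (missing the `t`) while its sibling is `registryPasswordEnv`; both uses are within this patch, so renaming to `registryUsernameEnv` is a two-line change with no compatibility cost. The comment on the widened `case` does not say which value is the canonical one; if the intent is what the wording suggests, `// "natsjs" is the historical value; "nats-js" and "nats-js-kv" are accepted so the registry name can match the store type names` would state it. `GetRegistry` begins and ends outside the hunk, so whether the address is likewise read from the environment on every call is inferred, not visible here.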
@@ -13,7 +13,7 @@ require ( github.com/coreos/go-oidc v2.2.1+incompatible github.com/coreos/go-oidc/v3 v3.9.0 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 - github.com/cs3org/reva/v2 v2.17.1-0.20231218091701-6a3a91e35514 + github.com/cs3org/reva/v2 v2.17.1-0.20231219093515-da04bc32d9fb github.com/dhowden/tag v0.0.0-20230630033851-978a0926ee25 github.com/disintegration/imaging v1.6.2 github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e @@ -61,6 +61,7 @@ require ( github.com/mna/pigeon v1.2.1 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 github.com/nats-io/nats-server/v2 v2.10.7 + github.com/nats-io/nats.go v1.31.0 github.com/oklog/run v1.1.0 github.com/olekukonko/tablewriter v0.0.5 github.com/onsi/ginkgo v1.16.5 @@ -275,7 +276,6 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/mschoch/smat v0.2.0 // indirect github.com/nats-io/jwt/v2 v2.5.3 // indirect - github.com/nats-io/nats.go v1.31.0 // indirect github.com/nats-io/nkeys v0.4.6 // indirect github.com/nats-io/nuid v1.0.1 // indirect github.com/nxadm/tail v1.4.8 // indirect diff --git a/go.sum b/go.sum index 1d77dc37b4b..461b8725af4 100644 --- a/go.sum +++ b/go.sum 
@@ -1021,8 +1021,8 @@ github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c= github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME= github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2FasrrPg8gGPHQPOrQ18MS1Oew2tmGtY= github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY= -github.com/cs3org/reva/v2 v2.17.1-0.20231218091701-6a3a91e35514 h1:ThhcxiI3Iq8sweI6ZGaEkTzFhum+ev0EGGnDiAK8eW8= -github.com/cs3org/reva/v2 v2.17.1-0.20231218091701-6a3a91e35514/go.mod h1:QW31Q1IQ9ZCJMFv3u8/SdHSyLfCcSVNcRbqIJj+Y+7o= +github.com/cs3org/reva/v2 v2.17.1-0.20231219093515-da04bc32d9fb h1:YH5k1nDJ5tm4gqUykeniDl83Bva5EMH8D2uA++M+ziY= +github.com/cs3org/reva/v2 v2.17.1-0.20231219093515-da04bc32d9fb/go.mod h1:QW31Q1IQ9ZCJMFv3u8/SdHSyLfCcSVNcRbqIJj+Y+7o= github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= diff --git a/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/eventsmiddleware/events.go b/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/eventsmiddleware/events.go index 4162503d1db..6b0f9da9b4b 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/eventsmiddleware/events.go +++ b/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/eventsmiddleware/events.go @@ -37,6 +37,7 @@ import ( "github.com/cs3org/reva/v2/pkg/rgrpc" "github.com/cs3org/reva/v2/pkg/storagespace" "github.com/cs3org/reva/v2/pkg/utils" + "github.com/mitchellh/mapstructure" ) const ( 
@@ -223,17 +224,11 @@ func publisherFromConfig(m map[string]interface{}) (events.Publisher, error) { default: return nil, fmt.Errorf("stream type '%s' not supported", typ) case "nats": - var tlsCert string - val, ok := m["tls-root-ca-cert"] - if ok { - tlsCert = val.(string) + var cfg stream.NatsConfig + if err := mapstructure.Decode(m, &cfg); err != nil { + return nil, err } - return stream.NatsFromConfig(m["name"].(string), false, stream.NatsConfig{ - Endpoint: m["address"].(string), - Cluster: m["clusterID"].(string), - EnableTLS: m["enable-tls"].(bool), - TLSInsecure: m["tls-insecure"].(bool), - TLSRootCACertificate: tlsCert, - }) + name, _ := m["name"].(string) + return stream.NatsFromConfig(name, false, cfg) } } diff --git a/vendor/github.com/cs3org/reva/v2/internal/grpc/services/storageprovider/storageprovider.go b/vendor/github.com/cs3org/reva/v2/internal/grpc/services/storageprovider/storageprovider.go index 5b1274c0e4a..532854a2902 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/grpc/services/storageprovider/storageprovider.go +++ b/vendor/github.com/cs3org/reva/v2/internal/grpc/services/storageprovider/storageprovider.go @@ -76,6 +76,8 @@ type eventconfig struct { TLSInsecure bool `mapstructure:"tls_insecure" docs:"Whether to verify the server TLS certificates."` TLSRootCACertificate string `mapstructure:"tls_root_ca_cert" docs:"The root CA certificate used to validate the server's TLS certificate."` EnableTLS bool `mapstructure:"nats_enable_tls" docs:"events tls switch"` + AuthUsername string `mapstructure:"nats_username" docs:"event stream username"` + AuthPassword string `mapstructure:"nats_password" docs:"event stream password"` } func (c *config) init() { diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/dataprovider/dataprovider.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/dataprovider/dataprovider.go index cb930b95a73..f9c14e7b88c 100644 
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/dataprovider/dataprovider.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/dataprovider/dataprovider.go @@ -48,6 +48,8 @@ type config struct { NatsTLSInsecure bool `mapstructure:"nats_tls_insecure"` NatsRootCACertPath string `mapstructure:"nats_root_ca_cert_path"` NatsEnableTLS bool `mapstructure:"nats_enable_tls"` + NatsUsername string `mapstructure:"nats_username"` + NatsPassword string `mapstructure:"nats_password"` } func (c *config) init() { @@ -86,6 +88,8 @@ func New(m map[string]interface{}, log *zerolog.Logger) (global.Service, error) EnableTLS: conf.NatsEnableTLS, TLSInsecure: conf.NatsTLSInsecure, TLSRootCACertificate: conf.NatsRootCACertPath, + AuthUsername: conf.NatsUsername, + AuthPassword: conf.NatsPassword, }) if err != nil { return nil, err diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/propfind/propfind.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/propfind/propfind.go index b2d098fffcf..f9271fbbe91 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/propfind/propfind.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/propfind/propfind.go @@ -1156,7 +1156,7 @@ func mdToPropResponse(ctx context.Context, pf *XML, md *provider.ResourceInfo, p appendToOK( prop.Escaped("oc:id", sid), prop.Escaped("oc:fileid", sid), - prop.Escaped("oc:spaceid", id.SpaceId), + prop.Escaped("oc:spaceid", storagespace.FormatStorageID(id.StorageId, id.SpaceId)), ) } @@ -1296,7 +1296,7 @@ func mdToPropResponse(ctx context.Context, pf *XML, md *provider.ResourceInfo, p } case "spaceid": if id != nil { - appendToOK(prop.Escaped("oc:spaceid", id.SpaceId)) + appendToOK(prop.Escaped("oc:spaceid", storagespace.FormatStorageID(id.StorageId, id.SpaceId))) } else { appendToNotFound(prop.Escaped("oc:spaceid", "")) } 
diff --git a/vendor/github.com/cs3org/reva/v2/pkg/events/stream/nats.go b/vendor/github.com/cs3org/reva/v2/pkg/events/stream/nats.go index 4910d694e23..30ffec7ca07 100644 --- a/vendor/github.com/cs3org/reva/v2/pkg/events/stream/nats.go +++ b/vendor/github.com/cs3org/reva/v2/pkg/events/stream/nats.go @@ -17,11 +17,14 @@ import ( // NatsConfig is the configuration needed for a NATS event stream type NatsConfig struct { - Endpoint string // Endpoint of the nats server - Cluster string // CluserID of the nats cluster - TLSInsecure bool // Whether to verify TLS certificates - TLSRootCACertificate string // The root CA certificate used to validate the TLS certificate - EnableTLS bool // Enable TLS + Endpoint string `mapstructure:"address"` // Endpoint of the nats server + Cluster string `mapstructure:"clusterID"` // CluserID of the nats cluster + TLSInsecure bool `mapstructure:"tls-insecure"` // Whether to verify TLS certificates + TLSRootCACertificate string `mapstructure:"tls-root-ca-cert"` // The root CA certificate used to validate the TLS certificate + EnableTLS bool `mapstructure:"enable-tls"` // Enable TLS + AuthUsername string `mapstructure:"username"` // Username for authentication + AuthPassword string `mapstructure:"password"` // Password for authentication + } // NatsFromConfig returns a nats stream from the given config @@ -55,6 +58,7 @@ func NatsFromConfig(connName string, disableDurability bool, cfg NatsConfig) (ev natsjs.ClusterID(cfg.Cluster), natsjs.SynchronousPublish(true), natsjs.Name(connName), + natsjs.Authenticate(cfg.AuthUsername, cfg.AuthPassword), } if disableDurability { @@ -62,7 +66,6 @@ func NatsFromConfig(connName string, disableDurability bool, cfg NatsConfig) (ev } return Nats(opts...) - } // nats returns a nats streaming client diff --git a/vendor/github.com/cs3org/reva/v2/pkg/share/manager/jsoncs3/jsoncs3.go b/vendor/github.com/cs3org/reva/v2/pkg/share/manager/jsoncs3/jsoncs3.go index f0fa2cbd51b..be1629119b5 100644 
--- a/vendor/github.com/cs3org/reva/v2/pkg/share/manager/jsoncs3/jsoncs3.go +++ b/vendor/github.com/cs3org/reva/v2/pkg/share/manager/jsoncs3/jsoncs3.go @@ -133,6 +133,8 @@ type EventOptions struct { TLSInsecure bool `mapstructure:"tlsinsecure"` TLSRootCACertificate string `mapstructure:"tlsrootcacertificate"` EnableTLS bool `mapstructure:"enabletls"` + AuthUsername string `mapstructure:"authusername"` + AuthPassword string `mapstructure:"authpassword"` } // Manager implements a share manager using a cs3 storage backend with local caching diff --git a/vendor/github.com/cs3org/reva/v2/pkg/storage/cache/cache.go b/vendor/github.com/cs3org/reva/v2/pkg/storage/cache/cache.go index c02d2462426..0ff7229c423 100644 --- a/vendor/github.com/cs3org/reva/v2/pkg/storage/cache/cache.go +++ b/vendor/github.com/cs3org/reva/v2/pkg/storage/cache/cache.go @@ -51,6 +51,8 @@ type Config struct { TTL time.Duration `mapstructure:"cache_ttl"` Size int `mapstructure:"cache_size"` DisablePersistence bool `mapstructure:"cache_disable_persistence"` + AuthUsername string `mapstructure:"cache_auth_username"` + AuthPassword string `mapstructure:"cache_auth_password"` } // Cache handles key value operations on caches @@ -240,5 +242,6 @@ func getStore(cfg Config) microstore.Store { store.TTL(cfg.TTL), store.Size(cfg.Size), store.DisablePersistence(cfg.DisablePersistence), + store.Authentication(cfg.AuthUsername, cfg.AuthPassword), ) } diff --git a/vendor/github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/decomposedfs.go b/vendor/github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/decomposedfs.go index 23384d55364..b6ee40d2954 100644 --- a/vendor/github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/decomposedfs.go +++ b/vendor/github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/decomposedfs.go 
@@ -145,6 +145,7 @@ func NewDefault(m map[string]interface{}, bs tree.Blobstore, es events.Stream) ( microstore.Database(o.IDCache.Database), microstore.Table(o.IDCache.Table), store.DisablePersistence(o.IDCache.DisablePersistence), + store.Authentication(o.IDCache.AuthUsername, o.IDCache.AuthPassword), )) permissionsSelector, err := pool.PermissionsSelector(o.PermissionsSVC, pool.WithTLSMode(o.PermTLSMode)) diff --git a/vendor/github.com/cs3org/reva/v2/pkg/store/options.go b/vendor/github.com/cs3org/reva/v2/pkg/store/options.go index c4e177e5466..75ba99c6bbe 100644 --- a/vendor/github.com/cs3org/reva/v2/pkg/store/options.go +++ b/vendor/github.com/cs3org/reva/v2/pkg/store/options.go @@ -89,3 +89,17 @@ func DisablePersistence(val bool) store.Option { o.Context = context.WithValue(o.Context, disablePersistanceContextKey{}, val) } } + +type authenticationContextKey struct{} + +// Authentication configures the username and password to use for authentication. +// Only supported by the `natsjskv` implementation. +func Authentication(username, password string) store.Option { + return func(o *store.Options) { + if o.Context == nil { + o.Context = context.Background() + } + + o.Context = context.WithValue(o.Context, authenticationContextKey{}, []string{username, password}) + } +} diff --git a/vendor/github.com/cs3org/reva/v2/pkg/store/store.go b/vendor/github.com/cs3org/reva/v2/pkg/store/store.go index 67ef00dd2bd..f26edff2e2d 100644 --- a/vendor/github.com/cs3org/reva/v2/pkg/store/store.go +++ b/vendor/github.com/cs3org/reva/v2/pkg/store/store.go 
@@ -127,6 +127,10 @@ func Create(opts ...microstore.Option) microstore.Store { // host, port, clusterid natsOptions := nats.GetDefaultOptions() natsOptions.Name = "TODO" // we can pass in the service name to allow identifying the client, but that requires adding a custom context option + if auth, ok := options.Context.Value(authenticationContextKey{}).([]string); ok && len(auth) == 2 { + natsOptions.User = auth[0] + natsOptions.Password = auth[1] + } return natsjs.NewStore( append(opts, natsjs.NatsOptions(natsOptions), // always pass in properly initialized default nats options @@ -141,6 +145,10 @@ func Create(opts ...microstore.Option) microstore.Store { natsOptions := nats.GetDefaultOptions() natsOptions.Name = "TODO" // we can pass in the service name to allow identifying the client, but that requires adding a custom context option + if auth, ok := options.Context.Value(authenticationContextKey{}).([]string); ok && len(auth) == 2 { + natsOptions.User = auth[0] + natsOptions.Password = auth[1] + } return natsjskv.NewStore( append(opts, natsjs.NatsOptions(natsOptions), // always pass in properly initialized default nats options diff --git a/vendor/modules.txt b/vendor/modules.txt index 62e09954899..34cb3516e70 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -362,7 +362,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1 github.com/cs3org/go-cs3apis/cs3/types/v1beta1 -# github.com/cs3org/reva/v2 v2.17.1-0.20231218091701-6a3a91e35514 +# github.com/cs3org/reva/v2 v2.17.1-0.20231219093515-da04bc32d9fb ## explicit; go 1.21 github.com/cs3org/reva/v2/cmd/revad/internal/grace github.com/cs3org/reva/v2/cmd/revad/runtime