diff --git a/services/proxy/README.md b/services/proxy/README.md index 8dad362d3..7c0e9eee5 100644 --- a/services/proxy/README.md +++ b/services/proxy/README.md @@ -1,6 +1,6 @@ # Proxy -The proxy service is an API-Gateway for the ownCloud Infinite Scale microservices. Every HTTP request goes through this service. Authentication, logging and other preprocessing of requests also happens here. Mechanisms like request rate limiting or intrusion prevention are **not** included in the proxy service and must be setup in front like with an external reverse proxy. +The proxy service is an API-Gateway for the OpenCloud microservices. Every HTTP request goes through this service. Authentication, logging and other preprocessing of requests also happens here. Mechanisms like request rate limiting or intrusion prevention are **not** included in the proxy service and must be setup in front like with an external reverse proxy. The proxy service is the only service communicating to the outside and needs therefore usual protections against DDOS, Slow Loris or other attack vectors. All other services are not exposed to the outside, but also need protective measures when it comes to distributed setups like when using container orchestration over various physical servers. 
@@ -15,7 +15,7 @@ The following request authentication schemes are implemented: ## Configuring Routes -The proxy handles routing to all endpoints that ocis offers. The currently availabe default routes can be found [in the code](https://github.com/opencloud-eu/opencloud/blob/master/services/proxy/pkg/config/defaults/defaultconfig.go). Changing or adding routes can be necessary when writing own ocis extensions. +The proxy handles routing to all endpoints that OpenCloud offers. The currently availabe default routes can be found [in the code](https://github.com/opencloud-eu/opencloud/blob/master/services/proxy/pkg/config/defaults/defaultconfig.go). Changing or adding routes can be necessary when writing own OpenCloud extensions. Due to the complexity when defining routes, these can only be defined in the yaml file but not via environment variables. @@ -23,7 +23,7 @@ For _overwriting_ default routes, use the following yaml example: ```yaml policies: - - name: ocis + - name: opencloud routes: - endpoint: / service: eu.opencloud.web.web @@ -35,7 +35,7 @@ For adding _additional_ routes to the default routes use: ```yaml additional_policies: - - name: ocis + - name: opencloud routes: - endpoint: /custom/endpoint service: eu.opencloud.custom.custom @@ -59,7 +59,7 @@ users upon their first login. A number of prerequisites must be met for automatic user provisioning to work: -* ownCloud Infinite Scale must be configured to use an external OpenID Connect IDP +* OpenCloud must be configured to use an external OpenID Connect IDP * The `graph` service must be configured to allow updating users and groups (`GRAPH_LDAP_SERVER_WRITE_ENABLED`). * One of the claim values returned by the IDP as part of the userinfo response 
@@ -79,14 +79,14 @@ be set for the proxy service: Set to `true` to enable automatic user provisioning. * `PROXY_AUTOPROVISION_CLAIM_USERNAME`\ The name of an OIDC claim whose value should be used as the username for the -autoprovsioned user in ownCloud Infinite Scale. Defaults to `preferred_username`. +autoprovsioned user in OpenCloud. Defaults to `preferred_username`. Can also be set to e.g. `sub` to guarantee a unique and stable username. * `PROXY_AUTOPROVISION_CLAIM_EMAIL`\ The name of an OIDC claim whose value should be used for the `mail` attribute -of the autoprovisioned user in ownCloud Infinite Scale. Defaults to `email`. +of the autoprovisioned user in OpenCloud. Defaults to `email`. * `PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME`\ The name of an OIDC claim whose value should be used for the `displayname` -attribute of the autoprovisioned user in ownCloud Infinite Scale. Defaults to `name`. +attribute of the autoprovisioned user in OpenCloud. Defaults to `name`. * `PROXY_AUTOPROVISION_CLAIM_GROUPS`\ The name of an OIDC claim whose value should be used to maintain a user's group membership. The claim value should contain a list of group names the user should 
@@ -96,13 +96,13 @@ When resolving and authenticated OIDC user, the value of this claims is used to lookup the user in the users service. For auto provisioning setups this usually is the same claims as set via `PROXY_AUTOPROVISION_CLAIM_USERNAME`. * `PROXY_USER_CS3_CLAIM`\ -This is the name of the user attribute in ocis that is used to lookup the user by the +This is the name of the user attribute in OpenCloud that is used to lookup the user by the value of the `PROXY_USER_OIDC_CLAIM`. For auto provisioning setups this usually needs to be set to `username`. ### How it Works -When a user logs into ownCloud Infinite Scale for the first time, the proxy +When a user logs into OpenCloud for the first time, the proxy checks if that user already exists. This is done by querying the `users` service for users, where the attribute set in `PROXY_USER_CS3_CLAIM` matches the value of the OIDC claim configured in `PROXY_USER_OIDC_CLAIM`. @@ -186,7 +186,7 @@ in Infinite Scale via a `yaml` configuration. See the following `proxy.yaml` sni role_assignment: driver: oidc oidc_role_mapper: - role_claim: ocisRoles + role_claim: opencloudRoles role_mapping: - role_name: admin claim_value: myAdminRole 
@@ -198,17 +198,17 @@ role_assignment: claim_value: myGuestRole ``` -This would assign the role `admin` to users with the value `myAdminRole` in the claim `ocisRoles`. -The role `user` to users with the values `myUserRole` in the claims `ocisRoles` and so on. +This would assign the role `admin` to users with the value `myAdminRole` in the claim `opencloudRoles`. +The role `user` to users with the values `myUserRole` in the claims `opencloudRoles` and so on. -Claim values that are not mapped to a specific ownCloud Infinite Scale role will be ignored. +Claim values that are not mapped to a specific OpenCloud role will be ignored. -Note: An ownCloud Infinite Scale user can only have a single role assigned. If the configured +Note: An OpenCloud user can only have a single role assigned. If the configured `role_mapping` and a user's claim values result in multiple possible roles for a user, the order in which the role mappings are defined in the configuration is important. The first role in the `role_mappings` where the `claim_value` matches a value from the user's roles claim will be assigned -to the user. So if e.g. a user's `ocisRoles` claim has the values `myUserRole` and -`mySpaceAdminRole` that user will get the ocis role `spaceadmin` assigned (because `spaceadmin` +to the user. So if e.g. a user's `opencloudRoles` claim has the values `myUserRole` and +`mySpaceAdminRole` that user will get the OpenCloud role `spaceadmin` assigned (because `spaceadmin` appears before `user` in the above sample configuration). If a user's claim values don't match any of the configured role mappings an error will be logged and 
@@ -218,13 +218,13 @@ The default `role_claim` (or `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM`) is `roles`. The ```yaml - role_name: admin - claim_value: ocisAdmin + claim_value: opencloudAdmin - role_name: spaceadmin - claim_value: ocisSpaceAdmin + claim_value: opencloudSpaceAdmin - role_name: user - claim_value: ocisUser + claim_value: opencloudUser - role_name: guest - claim_value: ocisGuest + claim_value: opencloudcloudGuest ``` ## Recommendations for Production Deployments @@ -237,7 +237,7 @@ For Infinite Scale, external resources like an IDP (e.g. Keycloak) or when using To create a Content Security Policy (CSP), you need to create a yaml file containing the CSP definitions. To activate the settings, reference the file as value in the `PROXY_CSP_CONFIG_FILE_LOCATION` environment variable. For each change, a restart of the Infinite Scale deployment or the proxy service is required. -A working example for a CSP can be found in a sub path of the `config` directory of the [ocis_full](https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_full/config) deployment example. +A working example for a CSP can be found in a sub path of the `config` directory of the [opencloud_full](https://github.com/opencloud-eu/opencloud/tree/master/deployments/examples/opencloud_full/config) deployment example. See the [Content Security Policy (CSP) Quick Reference Guide](https://content-security-policy.com) for a description of directives. 
@@ -266,7 +266,7 @@ Store specific notes: To authenticate presigned URLs the proxy service needs to read signing keys from a store that is populated by the ocs service. Possible stores are: - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store) - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster. - - `ocisstoreservice`: Stores data in the legacy ocis store service. Requires setting `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` to `eu.opencloud.api.store`. + - `opencloudstoreservice`: Stores data in the legacy OpenCloud store service. Requires setting `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` to `eu.opencloud.api.store`. The `memory` store cannot be used as it does not share the memory from the ocs service signing key memory store, even in a single process. 
@@ -276,45 +276,45 @@ Store specific notes: - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`. - When using `nats-js-kv` it is recommended to set `OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` to the same value as `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`. That way the ocs uses the same nats instance as the proxy service. - When using the `nats-js-kv` store, it is possible to set `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE` to instruct nats to not persist signing key data on disc. - - When using `ocisstoreservice` the `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` must be set to the service name `eu.opencloud.api.store`. It does not support TTL and stores the presigning keys indefinitely. Also, the store service needs to be started. + - When using `opencloudstoreservice` the `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` must be set to the service name `eu.opencloud.api.store`. It does not support TTL and stores the presigning keys indefinitely. Also, the store service needs to be started. ## Special Settings -When using the ocis IDP service instead of an external IDP: +When using the OpenCloud IDP service instead of an external IDP: -- Use the environment variable `OC_URL` to define how ocis can be accessed, mandatory use `https` as protocol for the URL. +- Use the environment variable `OC_URL` to define how OpenCloud can be accessed, mandatory use `https` as protocol for the URL. - If no reverse proxy is set up, the `PROXY_TLS` environment variable **must** be set to `true` because the embedded `libreConnect` shipped with the IDP service has a hard check if the connection is on TLS and uses the HTTPS protocol. If this mismatches, an error will be logged and no connection from the client can be established. -- `PROXY_TLS` **can** be set to `false` if a reverse proxy is used and the https connection is terminated at the reverse proxy. 
When setting to `false`, the communication between the reverse proxy and ocis is not secured. If set to `true`, you must provide certificates. +- `PROXY_TLS` **can** be set to `false` if a reverse proxy is used and the https connection is terminated at the reverse proxy. When setting to `false`, the communication between the reverse proxy and OpenCloud is not secured. If set to `true`, you must provide certificates. ## Metrics -The proxy service in ocis has the ability to expose metrics in the prometheus format. The metrics are exposed on the `/metrics` endpoint. There are two ways to run the ocis proxy service which has an impact on the number of metrics exposed. +The proxy service in OpenCloud has the ability to expose metrics in the prometheus format. The metrics are exposed on the `/metrics` endpoint. There are two ways to run the OpenCloud proxy service which has an impact on the number of metrics exposed. ### 1) Single Process Mode -In the single process mode, all ocis services are running inside a single process. This is the default mode when using the `ocis server` command to start the services. In this mode, the proxy service exposes metrics about the proxy service itself and about the ocis services it is proxying. This is due to the nature of the prometheus registry which is a singleton. The metrics exposed by the proxy service itself are prefixed with `ocis_proxy_` and the metrics exposed by other ocis services are prefixed with `ocis__`. +In the single process mode, all OpenCloud services are running inside a single process. This is the default mode when using the `opencloud server` command to start the services. In this mode, the proxy service exposes metrics about the proxy service itself and about the OpenCloud services it is proxying. This is due to the nature of the prometheus registry which is a singleton. 
The metrics exposed by the proxy service itself are prefixed with `opencloud_proxy_` and the metrics exposed by other opencloud services are prefixed with `opencloud__`. ### 2) Standalone Mode -In this mode, the proxy service only exposes its own metrics. The metrics of the other ocis services are exposed on their own metrics endpoints. +In this mode, the proxy service only exposes its own metrics. The metrics of the other OpenCloud services are exposed on their own metrics endpoints. ### Available Metrics The following metrics are exposed by the proxy service: | Metric Name | Description | Labels | |----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------| -| `ocis_proxy_requests_total` | [Counter](https://prometheus.io/docs/tutorials/understanding_metric_types/#counter) metric which reports the total number of HTTP requests. | `method`: HTTP method of the request | -| `ocis_proxy_errors_total` | [Counter](https://prometheus.io/docs/tutorials/understanding_metric_types/#counter) metric which reports the total number of HTTP requests which have failed. That counts all response codes >= 500 | `method`: HTTP method of the request | -| `ocis_proxy_duration_seconds` | [Histogram](https://prometheus.io/docs/tutorials/understanding_metric_types/#histogram) of the time (in seconds) each request took. A histogram metric uses buckets to count the number of events that fall into each bucket. | `method`: HTTP method of the request | -| `ocis_proxy_build_info{version}` | A metric with a constant `1` value labeled by version, exposing the version of the ocis proxy service. 
| `version`: Build version of the proxy | +| `opencloud_proxy_requests_total` | [Counter](https://prometheus.io/docs/tutorials/understanding_metric_types/#counter) metric which reports the total number of HTTP requests. | `method`: HTTP method of the request | +| `opencloud_proxy_errors_total` | [Counter](https://prometheus.io/docs/tutorials/understanding_metric_types/#counter) metric which reports the total number of HTTP requests which have failed. That counts all response codes >= 500 | `method`: HTTP method of the request | +| `opencloud_proxy_duration_seconds` | [Histogram](https://prometheus.io/docs/tutorials/understanding_metric_types/#histogram) of the time (in seconds) each request took. A histogram metric uses buckets to count the number of events that fall into each bucket. | `method`: HTTP method of the request | +| `opencloud_proxy_build_info{version}` | A metric with a constant `1` value labeled by version, exposing the version of the OpenCloud proxy service. | `version`: Build version of the proxy | ### Prometheus Configuration -The following is an example prometheus configuration for the single process mode. It assumes that the proxy debug address is configured to bind on all interfaces `PROXY_DEBUG_ADDR=0.0.0.0:9205` and that the proxy is available via the `ocis` service name (typically in docker-compose). The prometheus service detects the `/metrics` endpoint automatically and scrapes it every 15 seconds. +The following is an example prometheus configuration for the single process mode. It assumes that the proxy debug address is configured to bind on all interfaces `PROXY_DEBUG_ADDR=0.0.0.0:9205` and that the proxy is available via the `opencloud` service name (typically in docker-compose). The prometheus service detects the `/metrics` endpoint automatically and scrapes it every 15 seconds. 
```yaml global: scrape_interval: 15s scrape_configs: - - job_name: ocis_proxy + - job_name: opencloud_proxy static_configs: - - targets: ["ocis:9205"] + - targets: ["opencloud:9205"] ``` diff --git a/services/proxy/pkg/command/root.go b/services/proxy/pkg/command/root.go index 55d9ee59f..600e14787 100644 --- a/services/proxy/pkg/command/root.go +++ b/services/proxy/pkg/command/root.go @@ -22,11 +22,11 @@ func GetCommands(cfg *config.Config) cli.Commands { } } -// Execute is the entry point for the ocis-proxy command. +// Execute is the entry point for the opencloud-proxy command. func Execute(cfg *config.Config) error { app := clihelper.DefaultApp(&cli.App{ Name: "proxy", - Usage: "proxy for oCIS", + Usage: "proxy for OpenCloud", Commands: GetCommands(cfg), }) diff --git a/services/proxy/pkg/config/config.go b/services/proxy/pkg/config/config.go index 1151d4c24..16b7642c3 100644 --- a/services/proxy/pkg/config/config.go +++ b/services/proxy/pkg/config/config.go 
@@ -121,7 +121,7 @@ type OIDC struct { type JWKS struct { RefreshInterval uint64 `yaml:"refresh_interval" env:"PROXY_OIDC_JWKS_REFRESH_INTERVAL" desc:"The interval for refreshing the JWKS (JSON Web Key Set) in minutes in the background via a new HTTP request to the IDP." introductionVersion:"pre5.0"` RefreshTimeout uint64 `yaml:"refresh_timeout" env:"PROXY_OIDC_JWKS_REFRESH_TIMEOUT" desc:"The timeout in seconds for an outgoing JWKS request." introductionVersion:"pre5.0"` - RefreshRateLimit uint64 `yaml:"refresh_limit" env:"PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT" desc:"Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via ocis." introductionVersion:"pre5.0"` + RefreshRateLimit uint64 `yaml:"refresh_limit" env:"PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT" desc:"Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via OpenCloud." introductionVersion:"pre5.0"` RefreshUnknownKID bool `yaml:"refresh_unknown_kid" env:"PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID" desc:"If set to 'true', the JWKS refresh request will occur every time an unknown KEY ID (KID) is seen. Always set a 'refresh_limit' when enabling this." introductionVersion:"pre5.0"` } 
@@ -146,12 +146,12 @@ type RoleAssignment struct { // OIDCRoleMapper contains the configuration for the "oidc" role assignment driver type OIDCRoleMapper struct { RoleClaim string `yaml:"role_claim" env:"PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM" desc:"The OIDC claim used to create the users role assignment." introductionVersion:"pre5.0"` - RolesMap []RoleMapping `yaml:"role_mapping" desc:"A list of mappings of ocis role names to PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM claim values. This setting can only be configured in the configuration file and not via environment variables."` + RolesMap []RoleMapping `yaml:"role_mapping" desc:"A list of mappings of OpenCloud role names to PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM claim values. This setting can only be configured in the configuration file and not via environment variables."` } -// RoleMapping defines which ocis role matches a specific claim value +// RoleMapping defines which OpenCloud role matches a specific claim value type RoleMapping struct { - RoleName string `yaml:"role_name" desc:"The name of an ocis role that this mapping should apply for."` + RoleName string `yaml:"role_name" desc:"The name of an OpenCloud role that this mapping should apply for."` ClaimValue string `yaml:"claim_value" desc:"The value of the 'PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM' that matches the role defined in 'role_name'."` } 
@@ -184,7 +184,7 @@ type PreSignedURL struct { // SigningKeys is a store configuration. type SigningKeys struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'ocisstoreservice' (deprecated). See the text description for details." introductionVersion:"5.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details." introductionVersion:"5.0"` Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"5.0"` TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"5.0"` DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE" desc:"Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true." introductionVersion:"5.0"` diff --git a/services/proxy/pkg/config/csp.yaml b/services/proxy/pkg/config/csp.yaml index 7542867ca..097eb61f3 100644 --- a/services/proxy/pkg/config/csp.yaml +++ b/services/proxy/pkg/config/csp.yaml @@ -4,7 +4,7 @@ directives: connect-src: - '''self''' - 'blob:' - - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/' + - 'https://raw.githubusercontent.com/opencloud-eu/awesome/' default-src: - '''none''' font-src: 
@@ -19,7 +19,7 @@ directives: - '''self''' - 'data:' - 'blob:' - - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/' + - 'https://raw.githubusercontent.com/opencloud-eu/awesome/' manifest-src: - '''self''' media-src: diff --git a/services/proxy/pkg/config/defaults/defaultconfig.go b/services/proxy/pkg/config/defaults/defaultconfig.go index 0fd48455c..ec6483bd8 100644 --- a/services/proxy/pkg/config/defaults/defaultconfig.go +++ b/services/proxy/pkg/config/defaults/defaultconfig.go @@ -64,10 +64,10 @@ func DefaultConfig() *config.Config { OIDCRoleMapper: config.OIDCRoleMapper{ RoleClaim: "roles", RolesMap: []config.RoleMapping{ - {RoleName: "admin", ClaimValue: "ocisAdmin"}, - {RoleName: "spaceadmin", ClaimValue: "ocisSpaceAdmin"}, - {RoleName: "user", ClaimValue: "ocisUser"}, - {RoleName: "user-light", ClaimValue: "ocisGuest"}, + {RoleName: "admin", ClaimValue: "opencloudAdmin"}, + {RoleName: "spaceadmin", ClaimValue: "opencloudSpaceAdmin"}, + {RoleName: "user", ClaimValue: "opencloudUser"}, + {RoleName: "user-light", ClaimValue: "opencloudGuest"}, }, }, }, @@ -107,7 +107,7 @@ func DefaultConfig() *config.Config { func DefaultPolicies() []config.Policy { return []config.Policy{ { - Name: "ocis", + Name: "opencloud", Routes: []config.Route{ { Endpoint: "/", @@ -159,7 +159,7 @@ func DefaultPolicies() []config.Policy { }, { Type: config.RegexRoute, - Endpoint: "/ocs/v[12].php/cloud/user/signing-key", // only `user/signing-key` is left in ocis-ocs + Endpoint: "/ocs/v[12].php/cloud/user/signing-key", // only `user/signing-key` is left in opencloud-ocs Service: "eu.opencloud.web.ocs", }, { @@ -330,7 +330,7 @@ func Sanitize(cfg *config.Config) { if cfg.PolicySelector == nil { cfg.PolicySelector = &config.PolicySelector{ Static: &config.StaticSelectorConf{ - Policy: "ocis", + Policy: "opencloud", }, } } diff --git a/services/proxy/pkg/middleware/authentication.go b/services/proxy/pkg/middleware/authentication.go index b27f25bdb..61c69323f 100644 
--- a/services/proxy/pkg/middleware/authentication.go +++ b/services/proxy/pkg/middleware/authentication.go @@ -19,7 +19,7 @@ var ( SupportedAuthStrategies []string // ProxyWwwAuthenticate is a list of endpoints that do not rely on reva underlying authentication, such as ocs. - // services that fallback to reva authentication are declared in the "frontend" command on oCIS. It is a list of + // services that fallback to reva authentication are declared in the "frontend" command on OpenCloud. It is a list of // regexp.Regexp which are safe to use concurrently. ProxyWwwAuthenticate = []regexp.Regexp{*regexp.MustCompile("/ocs/v[12].php/cloud/")} diff --git a/services/proxy/pkg/middleware/security_test.go b/services/proxy/pkg/middleware/security_test.go index 5e6fc2cfc..01accf2c2 100644 --- a/services/proxy/pkg/middleware/security_test.go +++ b/services/proxy/pkg/middleware/security_test.go @@ -1,8 +1,9 @@ package middleware import ( - "gotest.tools/v3/assert" "testing" + + "gotest.tools/v3/assert" ) func TestLoadCSPConfig(t *testing.T) { @@ -12,8 +13,8 @@ directives: frame-src: - '''self''' - 'https://embed.diagrams.net/' - - 'https://${ONLYOFFICE_DOMAIN|onlyoffice.owncloud.test}/' - - 'https://${COLLABORA_DOMAIN|collabora.owncloud.test}/' + - 'https://${ONLYOFFICE_DOMAIN|onlyoffice.opencloud.test}/' + - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/' ` config, err := loadCSPConfig([]byte(yaml)) @@ -22,6 +23,6 @@ directives: } assert.Equal(t, config.Directives["frame-src"][0], "'self'") assert.Equal(t, config.Directives["frame-src"][1], "https://embed.diagrams.net/") - assert.Equal(t, config.Directives["frame-src"][2], "https://onlyoffice.owncloud.test/") - assert.Equal(t, config.Directives["frame-src"][3], "https://collabora.owncloud.test/") + assert.Equal(t, config.Directives["frame-src"][2], "https://onlyoffice.opencloud.test/") + assert.Equal(t, config.Directives["frame-src"][3], "https://collabora.opencloud.test/") } 
diff --git a/services/proxy/pkg/middleware/signed_url_auth.go b/services/proxy/pkg/middleware/signed_url_auth.go index 3b8eca301..6954fff58 100644 --- a/services/proxy/pkg/middleware/signed_url_auth.go +++ b/services/proxy/pkg/middleware/signed_url_auth.go @@ -84,7 +84,7 @@ func (m SignedURLAuthenticator) validate(req *http.Request) (err error) { func (m SignedURLAuthenticator) allRequiredParametersArePresent(query url.Values) (err error) { // check if required query parameters exist in given request query parameters // OC-Signature - the computed signature - server will verify the request upon this REQUIRED - // OC-Credential - defines the user scope (shall we use the owncloud user id here - this might leak internal data ....) REQUIRED + // OC-Credential - defines the user scope (shall we use the opencloud user id here - this might leak internal data ....) REQUIRED // OC-Date - defined the date the url was signed (ISO 8601 UTC) REQUIRED // OC-Expires - defines the expiry interval in seconds (between 1 and 604800 = 7 days) REQUIRED // TODO OC-Verb - defines for which http verb the request is valid - defaults to GET OPTIONAL diff --git a/services/proxy/pkg/proxy/policy/selector.go b/services/proxy/pkg/proxy/policy/selector.go index 7d1287e0c..6706bbbdf 100644 --- a/services/proxy/pkg/proxy/policy/selector.go +++ b/services/proxy/pkg/proxy/policy/selector.go @@ -21,7 +21,7 @@ var ( ) const ( - SelectorCookieName = "owncloud-selector" + SelectorCookieName = "opencloud-selector" ) // Selector is a function which selects a proxy-policy based on the request. @@ -107,7 +107,7 @@ func NewStaticSelector(cfg *config.StaticSelectorConf) Selector { } } -// NewClaimsSelector selects the policy based on the "ocis.routing.policy" claim +// NewClaimsSelector selects the policy based on the "opencloud.routing.policy" claim // The policy for corner cases is configurable: // // "policy_selector": { 
diff --git a/services/proxy/pkg/proxy/policy/selector_test.go b/services/proxy/pkg/proxy/policy/selector_test.go index b5b6a1083..c99f39325 100644 --- a/services/proxy/pkg/proxy/policy/selector_test.go +++ b/services/proxy/pkg/proxy/policy/selector_test.go @@ -80,9 +80,9 @@ func TestClaimsSelector(t *testing.T) { var tests = []testCase{ {"unauthenticated", context.Background(), nil, "unauthenticated"}, {"default", oidc.NewContext(context.Background(), map[string]interface{}{oidc.OcisRoutingPolicy: ""}), nil, "default"}, - {"claim-value", oidc.NewContext(context.Background(), map[string]interface{}{oidc.OcisRoutingPolicy: "ocis.routing.policy-value"}), nil, "ocis.routing.policy-value"}, + {"claim-value", oidc.NewContext(context.Background(), map[string]interface{}{oidc.OcisRoutingPolicy: "opencloud.routing.policy-value"}), nil, "opencloud.routing.policy-value"}, {"cookie-only", context.Background(), &http.Cookie{Name: SelectorCookieName, Value: "cookie"}, "cookie"}, - {"claim-can-override-cookie", oidc.NewContext(context.Background(), map[string]interface{}{oidc.OcisRoutingPolicy: "ocis.routing.policy-value"}), &http.Cookie{Name: SelectorCookieName, Value: "cookie"}, "ocis.routing.policy-value"}, + {"claim-can-override-cookie", oidc.NewContext(context.Background(), map[string]interface{}{oidc.OcisRoutingPolicy: "opencloud.routing.policy-value"}), &http.Cookie{Name: SelectorCookieName, Value: "cookie"}, "opencloud.routing.policy-value"}, } for _, tc := range tests { r := httptest.NewRequest("GET", "https://example.com", nil) 
@@ -118,7 +118,7 @@ func TestRegexSelector(t *testing.T) { var tests = []testCase{ {"unauthenticated", context.Background(), nil, "unauthenticated"}, {"default", revactx.ContextSetUser(context.Background(), &userv1beta1.User{}), nil, "default"}, - {"mail-ocis", revactx.ContextSetUser(context.Background(), &userv1beta1.User{Mail: "marie@example.org"}), nil, "opencloud"}, + {"mail-opencloud", revactx.ContextSetUser(context.Background(), &userv1beta1.User{Mail: "marie@example.org"}), nil, "opencloud"}, {"mail-oc10", revactx.ContextSetUser(context.Background(), &userv1beta1.User{Mail: "einstein@example.org"}), nil, "oc10"}, {"username-einstein", revactx.ContextSetUser(context.Background(), &userv1beta1.User{Username: "einstein"}), nil, "opencloud"}, {"username-feynman", revactx.ContextSetUser(context.Background(), &userv1beta1.User{Username: "feynman"}), nil, "opencloud"}, diff --git a/services/proxy/pkg/router/router_test.go b/services/proxy/pkg/router/router_test.go index 2ea8d2101..3fa6e2351 100644 --- a/services/proxy/pkg/router/router_test.go +++ b/services/proxy/pkg/router/router_test.go @@ -128,7 +128,7 @@ func TestRouter(t *testing.T) { Routes: []config.Route{ {Type: config.PrefixRoute, Endpoint: "/web/unprotected/demo/", Backend: "http://web", Unprotected: true}, {Type: config.PrefixRoute, Endpoint: "/dav", Backend: "http://ocdav"}, - {Type: config.PrefixRoute, Method: "REPORT", Endpoint: "/dav", Backend: "http://ocis-webdav"}, + {Type: config.PrefixRoute, Method: "REPORT", Endpoint: "/dav", Backend: "http://opencloud-webdav"}, }, }, } @@ -139,7 +139,7 @@ func TestRouter(t *testing.T) { table := []matchertest{ {method: "PROPFIND", endpoint: "/dav/files/demo/", target: "ocdav"}, - {method: "REPORT", endpoint: "/dav/files/demo/", target: "ocis-webdav"}, + {method: "REPORT", endpoint: "/dav/files/demo/", target: "opencloud-webdav"}, {method: "GET", endpoint: "/web/unprotected/demo/", target: "web", unprotected: true}, } 
diff --git a/services/proxy/pkg/userroles/oidcroles.go b/services/proxy/pkg/userroles/oidcroles.go index 574355a07..fef0d5e1a 100644 --- a/services/proxy/pkg/userroles/oidcroles.go +++ b/services/proxy/pkg/userroles/oidcroles.go @@ -92,19 +92,19 @@ func (ra oidcRoleAssigner) UpdateUserRoleAssignment(ctx context.Context, user *c } // the roleMapping config is supposed to have the role mappings ordered from the highest privileged role - // down to the lowest privileged role. Since ocis currently only can handle a single role assignment we + // down to the lowest privileged role. Since OpenCloud currently only can handle a single role assignment we // pick the highest privileged role that matches a value from the claims roleIDFromClaim := "" for _, mapping := range ra.Options.roleMapping { if _, ok := claimRoles[mapping.ClaimValue]; ok { - logger.Debug().Str("ocisRole", mapping.RoleName).Str("role id", roleNamesToRoleIDs[mapping.RoleName]).Msg("first matching role") + logger.Debug().Str("opencloudRole", mapping.RoleName).Str("role id", roleNamesToRoleIDs[mapping.RoleName]).Msg("first matching role") roleIDFromClaim = roleNamesToRoleIDs[mapping.RoleName] break } } if roleIDFromClaim == "" { - err := errors.New("no role in claim maps to an ocis role") + err := errors.New("no role in claim maps to an OpenCloud role") logger.Error().Err(err).Msg("") return nil, err } diff --git a/services/proxy/pkg/userroles/userroles.go b/services/proxy/pkg/userroles/userroles.go index 0301e8c86..7093f5071 100644 --- a/services/proxy/pkg/userroles/userroles.go +++ b/services/proxy/pkg/userroles/userroles.go @@ -56,7 +56,7 @@ func WithRolesClaim(claim string) Option { } } -// WithRoleMapping configures the map of ocis role names to claims values +// WithRoleMapping configures the map of OpenCloud role names to claims values func WithRoleMapping(roleMap []config.RoleMapping) Option { return func(o *Options) { o.roleMapping = roleMap
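Review bot: wording in the first README hunk (`@@ -1,6 +1,6 @@`) is awkward on the rewritten line: "must be setup in front like with an external reverse proxy" reads better as "must be set up in front of it, e.g. with an external reverse proxy", and "needs therefore usual protections against DDOS, Slow Loris" as "therefore needs the usual protections against DDoS, Slowloris". Since the whole line is replaced anyway, this is the moment to fix it.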
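Review bot: the rewritten line in README hunk `@@ -15,7 +15,7 @@` still carries the pre-existing typo `availabe`; make it `available` while the line is being touched.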
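Review bot: the rename is incomplete in README hunk `@@ -186,7 +186,7 @@`: the hunk header context still reads "in Infinite Scale via a `yaml` configuration", so the paragraph introducing the `role_assignment` snippet mixes both product names. Extend the hunk to that line.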
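Review bot: the guest mapping in the `role_mapping` example of README hunk `@@ -218,13 +218,13 @@` has a typo, `claim_value: opencloudcloudGuest`, which disagrees with the default set in `defaultconfig.go` (`{RoleName: "user-light", ClaimValue: "opencloudGuest"}`); it should be `opencloudGuest`. The same example also lists the role as `guest` while the default config uses `user-light`, so a reader who copies the snippet ends up with a role name the defaults never use; worth aligning in the same change.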
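Review bot: README hunk `@@ -237,7 +237,7 @@` leaves two "Infinite Scale" references in its unchanged context lines ("For Infinite Scale, external resources like an IDP" and "a restart of the Infinite Scale deployment or the proxy service is required") right next to the renamed `opencloud_full` link. Extend the hunk to those lines so the CSP section uses one product name.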
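Review bot: the metrics sentence rewritten in README hunk `@@ -276,45 +276,45 @@` now says other services are prefixed with `opencloud__`; the double underscore looks like a placeholder for the service name that was lost in markdown (the old `ocis__` had the same defect), and should read something like `opencloud_<service>_`. The same line also writes "other opencloud services" in lowercase while the rest of the hunk uses "OpenCloud".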
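Review bot: `config.go` hunk `@@ -184,7 +184,7 @@` changes only the `desc` text of `SigningKeys.Store` to list `opencloudstoreservice`, and the README hunks at `@@ -266` and `@@ -276` instruct operators to set that value, yet no hunk in this patch touches the code that interprets `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE`. Verify that the store factory actually accepts `opencloudstoreservice` (and still accepts `ocisstoreservice` for existing configurations); otherwise the documentation now names a value that is rejected at startup and presigned-URL authentication stops working for anyone who follows it.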
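Review bot: the `connect-src` entry in `csp.yaml` hunk `@@ -4,7 +4,7 @@` now allowlists `https://raw.githubusercontent.com/opencloud-eu/awesome/`; confirm that repository path exists before merging, since a CSP source for a repository that does not exist breaks whatever the web client fetches from it while still granting network access to that path. Keep the trailing slash so the directive stays scoped to that one repository rather than the whole `raw.githubusercontent.com` host (the second hunk at `@@ -19` has the same shape and the same check applies).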
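Review bot: changing the default claim values in `DefaultConfig()` (`defaultconfig.go` hunk `@@ -64,10 +64,10 @@`, e.g. `ocisAdmin` to `opencloudAdmin`) is a behavioural change for every deployment that relies on the defaults: an IDP that still emits the old values matches no mapping, and per the README in this same patch ("If a user's claim values don't match any of the configured role mappings an error will be logged") those users lose their role assignment after the upgrade. Add a migration note telling operators to either update the role values in the IDP or pin the old values explicitly in `role_mapping`.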
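Review bot: renaming the default policy from `ocis` to `opencloud` in `DefaultPolicies()` (`defaultconfig.go` hunk `@@ -107,7 +107,7 @@`) together with the static selector default in `Sanitize()` (`Policy: "opencloud"`, hunk `@@ -330`) means an existing `proxy.yaml` that overrides routes with `policies: - name: ocis` no longer matches the selected policy, so routing for that deployment fails until the name is updated. Call this out in the "Configuring Routes" section and the changelog, or have `Sanitize()` accept `ocis` as an alias for one release.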
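Review bot: renaming `SelectorCookieName` to `opencloud-selector` (`selector.go` hunk `@@ -21,7 +21,7 @@`) silently ignores the `owncloud-selector` cookie that browsers already hold, so users pinned to a policy via that cookie fall back to the default policy after the upgrade (the `cookie-only` case in `selector_test.go` shows the cookie alone decides the policy). Note the change in the changelog, and consider reading the old cookie name as a fallback for a transition period.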
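Review bot: the doc comment on `NewClaimsSelector` (`selector.go` hunk `@@ -107,7 +107,7 @@`) now says the policy comes from the `"opencloud.routing.policy"` claim, but the selector and `selector_test.go` still key the claims map with `oidc.OcisRoutingPolicy`, and no hunk in this patch changes that constant's value. If it still holds `ocis.routing.policy`, the comment is now wrong; either retarget the constant in the same change or keep the comment at the claim name the code actually reads.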
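Review bot: in `oidcroles.go` hunk `@@ -92,19 +92,19 @@` the structured log field key changes from `ocisRole` to `opencloudRole` and the error text from "no role in claim maps to an ocis role" to "... an OpenCloud role"; both are strings that log pipelines and alert rules for failed role assignments commonly match on, so the change needs a changelog entry. While touching `logger.Error().Err(err).Msg("")`, give it a real message such as "role assignment failed", since an empty `Msg` makes the event hard to find in logs.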