simplify authentication and refactor or grpc and http services

CONTRIBUTORS.md

@@ -7,5 +7,6 @@
 - Hugo Gonzalez Labrador <[email protected]>
 - Ilja Neumann <[email protected]>
 - Jörn Friedrich Dreyer <[email protected]>
+- Michael D'Silva <[email protected]>
 - Mohitty <[email protected]>
 - zazola <[email protected]>

cmd/revad/runtime/runtime.go

@@ -181,6 +181,12 @@ func start(mainConf map[string]interface{}, servers map[string]grace.Server, lis
 }
 
 func newLogger(conf *logConf) (*zerolog.Logger, error) {
+	// TODO(labkode): use debug level rather than info as default until reaching a stable version.
+	// Helps having smaller development files.
+	if conf.Level == "" {
+		conf.Level = zerolog.DebugLevel.String()
+	}
+
 	var opts []logger.Option
 	opts = append(opts, logger.WithLevel(conf.Level))
 
@@ -356,8 +362,8 @@ func isEnabledGRPC(conf map[string]interface{}) bool {
 func isEnabled(key string, conf map[string]interface{}) bool {
 	if a, ok := conf[key]; ok {
 		if b, ok := a.(map[string]interface{}); ok {
-			if c, ok := b["enabled_services"]; ok {
-				if d, ok := c.([]interface{}); ok {
+			if c, ok := b["services"]; ok {
+				if d, ok := c.(map[string]interface{}); ok {
 					if len(d) > 0 {
 						return true
 					}

examples/separate/frontend.toml

@@ -1,37 +1,22 @@
-# This frontend-oidc.toml config file will start a reva service that:
-# - serves as the entypoint for legacy owncloud requests
+# This frontend.toml config file will start a reva service that:
+# - serves as the entrypoint for owncloud APIs.
 # - serves http endpoints on port 20080
 #   - /owncloud - ocdav
 #   - /ocs - ocs
 #   - /oauth2 - oidcprovider
 #   - /.well-known - wellknown service to announce openid-configuration
-#   - TODO ocm
-# - authenticates requests using oidc bearer auth
+#   - TODO(diocas): ocm
+# - authenticates requests using oidc bearer auth and basic auth as fallback
 # - serves the grpc services on port 18002
-[core]
-max_cpus = "2"
-
-[log]
-level = "debug"
-
 [grpc]
 address = "0.0.0.0:20099"
-enabled_services = [
-    "authprovider"
-]
 
 [grpc.services.authprovider]
 auth_manager = "oidc"
 
 [grpc.services.authprovider.auth_managers.oidc]
 # If you want to use your own openid provider change this config
-provider = "http://localhost:20080"
-insecure = true
-# credentials used for the introspection endpoint with basic auth
-# also rate limit the endpoint: https://tools.ietf.org/html/rfc7662#section-4
-# TODO(jfd) introduce rate limits
-client_id = "reva"
-client_secret = "foobar"
+issuer = "http://localhost:20080"
 
 [grpc.interceptors.auth]
 token_manager = "jwt"
@@ -40,9 +25,6 @@ token_manager = "jwt"
 secret = "Pive-Fumkiu4"
 
 [http]
-#enabled_services = ["ocdav", "ocs"] # use this if you want to use your own oidc provider. 
-enabled_services = ["wellknown", "oidcprovider", "ocdav", "ocs"]
-enabled_middlewares = ["cors", "auth"]
 address = "0.0.0.0:20080"
 
 [http.middlewares.auth]
@@ -51,19 +33,6 @@ credential_chain = ["basic", "bearer"]
 token_strategy = "header"
 token_writer = "header"
 token_manager = "jwt"
-skip_methods = [
-    "/status.php",
-	"/oauth2",
-	"/oauth2/auth", 
-	"/oauth2/token",
-	# TODO protect the introspection endpoint from external requests.
-	# should only be reachable by internal services, which is why the
-	# oidc-provider.toml has clientid and secret that are used for a basic auth
-	"/oauth2/introspect",
-	"/oauth2/userinfo",
-	"/oauth2/sessions",
-	"/.well-known/openid-configuration",
-]
 
 [http.middlewares.auth.token_managers.jwt]
 secret = "Pive-Fumkiu4"
@@ -123,23 +92,6 @@ response_types = ["code"] # use authorization code flow, see https://developer.o
 scopes = ["openid", "profile", "email", "offline"]
 public = true # force PKCS for public clients
 
-[http.services.oidcprovider.clients.reva]
-id = "reva"
-grant_types = ["implicit", "refresh_token", "authorization_code", "password", "client_credentials"]
-response_types = ["code"] # use authorization code flow
-# private clients can use a secret
-client_secret = "$2a$10$IxMdI6d.LIRZPpSfEwNoeu4rY3FhDREsxFJXikcgdRRAStxUlsuEO"  # = "foobar"
-scopes = ["openid", "profile", "email", "offline"]
-
-# to debug the oidc provider allow https://oidcdebugger.com
-[http.services.oidcprovider.clients.oidcdebugger]
-id = "oidcdebugger"
-redirect_uris = ["https://oidcdebugger.com/debug"]
-grant_types = ["implicit", "refresh_token", "authorization_code", "password", "client_credentials"]
-response_types = ["id_token token", "code"]
-client_secret = "$2a$10$IxMdI6d.LIRZPpSfEwNoeu4rY3FhDREsxFJXikcgdRRAStxUlsuEO"  # = "foobar"
-scopes = ["openid", "profile", "email", "offline"]
-
 [http.services.ocdav]
 # serve ocdav on the root path
 prefix = ""

examples/separate/gateway.toml

@@ -5,33 +5,11 @@
 # - serves the gateway on grpc port 19000
 # - serves http datagateway on port 19001
 #   - /data - datagateway: file up and download
-[core]
-max_cpus = "2"
-
-[log]
-level = "debug"
-
 [grpc]
 address = "0.0.0.0:19000"
-enabled_services = [
-    "gateway",
-    "appregistry", # TODO
-    "authregistry",
-    "storageregistry",
-]
-enabled_interceptors = ["auth"]
 
 [grpc.interceptors.auth]
 token_manager = "jwt"
-skip_methods = [
-  # we need to allow calls that happen during authentication
-	"/cs3.gateway.v1beta1.GatewayAPI/Authenticate",
-	"/cs3.gateway.v1beta1.GatewayAPI/WhoAmI",
-	"/cs3.gateway.v1beta1.GatewayAPI/GetUser",
-	"/cs3.gateway.v1beta1.GatewayAPI/ListAuthProviders",
-	"/cs3.auth.registry.v1beta1.RegistryAPI/ListAuthProviders",
-	"/cs3.auth.registry.v1beta1.RegistryAPI/GetAuthProvider",
-]
 
 [grpc.interceptors.auth.token_managers.jwt]
 secret = "Pive-Fumkiu4"
@@ -40,7 +18,6 @@ secret = "Pive-Fumkiu4"
 # registries
 authregistrysvc = "localhost:19000"
 storageregistrysvc = "localhost:19000"
-appregistrysvc = "localhost:19000"
 # user metadata
 preferencessvc = "localhost:18000"
 userprovidersvc = "localhost:18000"
@@ -59,14 +36,6 @@ token_manager = "jwt"
 [grpc.services.gateway.token_managers.jwt]
 secret = "Pive-Fumkiu4"
 
-[grpc.services.appregistry]
-driver = "static"
-
-[grpc.services.appregistry.static.rules]
-# TODO implement user specifir app registry
-".txt" = "localhost:18000"
-"text/plain" = "localhost:18000"
-
 [grpc.services.authregistry]
 driver = "static"
 
@@ -99,8 +68,6 @@ driver = "static"
 
 [http]
 address = "0.0.0.0:19001"
-enabled_services = ["datagateway"]
-enabled_middlewares = ["auth"]
 
 [http.services.datagateway]
 prefix = "data"

examples/separate/shares.toml

@@ -1,28 +1,17 @@
-# This storage.toml config file will start a reva service that:
-# - authenticates grpc storage provider requests using the internal jwt token
-# - authenticates http upload and download requests requests using basic auth
-# - serves the storage provider on grpc port 11000
-# - serves http dataprovider for this storage on port 11001
-#   - /data - dataprovider: file up and download
-[core]
-max_cpus = "2"
-
-[log]
-level = "debug"
-
+# GRPC:
+# - serves user and public link shares
 [grpc]
 address = "0.0.0.0:17000"
-enabled_services = ["usershareprovider", "publicshareprovider"] # TODO ocmshareprovider
-enabled_interceptors = ["auth"]
+
+[grpc.interceptors.auth]
+token_manager = "jwt"
 
 [grpc.services.usershareprovider]
 driver = "memory"
 
 [grpc.services.publicshareprovider]
 driver = "memory"
 
-[grpc.interceptors.auth]
-token_manager = "jwt"
 
 [grpc.interceptors.auth.token_managers.jwt]
 secret = "Pive-Fumkiu4"

examples/separate/storage-home.toml

@@ -8,17 +8,15 @@
 # The home storage will inject the username into the path and jail users into
 # their home directory
 
-[core]
-max_cpus = "2"
-
-[log]
-level = "debug"
-
 [grpc]
 network = "tcp"
 address = "0.0.0.0:12000"
-enabled_services = ["storageprovider"]
-enabled_interceptors = ["auth"]
+
+[grpc.interceptors.auth]
+token_manager = "jwt"
+
+[grpc.interceptors.auth.token_managers.jwt]
+secret = "Pive-Fumkiu4"
 
 # This is a storage proider that grants direct acces to the wrapped storage
 [grpc.services.storageprovider]
@@ -44,16 +42,8 @@ datadirectory = "/var/tmp/reva/data"
 [grpc.services.storageprovider.path_wrappers.context]
 prefix = ""
 
-[grpc.interceptors.auth]
-token_manager = "jwt"
-
-[grpc.interceptors.auth.token_managers.jwt]
-secret = "Pive-Fumkiu4"
-
 [http]
 address = "0.0.0.0:12001"
-enabled_services = ["dataprovider"]
-enabled_middlewares = ["auth"]
 
 [http.middlewares.auth]
 gatewaysvc = "localhost:19000"

examples/separate/storage-oc.toml

@@ -4,17 +4,15 @@
 # - serves the storage provider on grpc port 11000
 # - serves http dataprovider for this storage on port 11001
 #   - /data - dataprovider: file up and download
-[core]
-max_cpus = "2"
-
-[log]
-level = "debug"
-
 [grpc]
 network = "tcp"
 address = "0.0.0.0:11000"
-enabled_services = ["storageprovider"]
-enabled_interceptors = ["auth"]
+
+[grpc.interceptors.auth]
+token_manager = "jwt"
+
+[grpc.interceptors.auth.token_managers.jwt]
+secret = "Pive-Fumkiu4"
 
 # This is a storage proider that grants direct acces to the wrapped storage
 [grpc.services.storageprovider]
@@ -33,11 +31,6 @@ unset = 1000
 [grpc.services.storageprovider.drivers.owncloud]
 datadirectory = "/var/tmp/reva/data"
 
-[grpc.interceptors.auth]
-token_manager = "jwt"
-
-[grpc.interceptors.auth.token_managers.jwt]
-secret = "Pive-Fumkiu4"
 
 [http]
 address = "0.0.0.0:11001"

examples/separate/storage-root.toml

@@ -11,19 +11,15 @@
 # that will allow you to list the existing namespaces.
 # TODO either make the gateway return a proper ListCollection for the root,
 # TODO or implement a virtual storage that implements this
-
-[core]
-max_cpus = "2"
-disable_http = true
-
-[log]
-level = "debug"
-
 [grpc]
 network = "tcp"
 address = "0.0.0.0:11100"
-enabled_services = ["storageprovider"]
-enabled_interceptors = ["auth"]
+
+[grpc.interceptors.auth]
+token_manager = "jwt"
+
+[grpc.interceptors.auth.token_managers.jwt]
+secret = "Pive-Fumkiu4"
 
 # This is a storage proider that grants direct acces to the wrapped storage
 [grpc.services.storageprovider]
@@ -42,8 +38,3 @@ root = "/var/tmp/reva/root"
 [grpc.services.storageprovider.path_wrappers.context]
 prefix = ""
 
-[grpc.interceptors.auth]
-token_manager = "jwt"
-
-[grpc.interceptors.auth.token_managers.jwt]
-secret = "Pive-Fumkiu4"

examples/separate/users.toml

@@ -1,41 +1,16 @@
 # This users.toml config file will start a reva service that:
 # - handles user metadata and user preferences
 # - serves the grpc services on port 18000
-[core]
-max_cpus = "2"
-disable_http = true
-
-[log]
-level = "debug"
-
 [grpc]
 network = "tcp"
 address = "0.0.0.0:18000"
-enabled_interceptors = ["auth"]
-enabled_services = [
-    "appprovider",
-    "authprovider", # provides basic auth
-    "userprovider", # provides user matadata (used to look up email, displayname etc after a login)
-    "preferences",  # provides user preferences
-]
 
 [grpc.interceptors.auth]
 token_manager = "jwt"
-skip_methods = [
-    # we need to allow calls that happen during authentication
-    "/cs3.auth.provider.v1beta1.ProviderAPI/Authenticate",
-    "/cs3.identity.user.v1beta1.UserAPI/GetUser",
-]
 
 [grpc.interceptors.auth.token_managers.jwt]
 secret = "Pive-Fumkiu4"
 
-[grpc.services.appprovider]
-driver = "demo"
-
-[grpc.services.appprovider.demo]
-iframe_ui_provider = "http://localhost:19500/iframeui"
-
 [grpc.services.authprovider]
 auth_manager = "json"
 
@@ -47,9 +22,3 @@ driver = "json"
 
 [grpc.services.userprovider.drivers.json]
 users = "users.demo.json"
-
-
-# TODO bring back iframe app ui demo
-#[http]
-#address = "0.0.0.0:19500"
-#enabled_services = ["iframeui"]