From c119ebf7a485e0a8c776670dc27504a41ea76111 Mon Sep 17 00:00:00 2001
From: Giuseppe Lo Presti
Date: Tue, 12 Sep 2023 18:23:23 +0200
Subject: [PATCH] Fixes following successful config of cesnet
---
changelog/unreleased/sm-config-docs.md | 9 +++++
examples/sciencemesh/sciencemesh.toml | 52 ++++++++++++++++----------
tests/sciencemesh/scripts/reva-run.sh | 3 +-
3 files changed, 44 insertions(+), 20 deletions(-)
create mode 100644 changelog/unreleased/sm-config-docs.md
diff --git a/changelog/unreleased/sm-config-docs.md b/changelog/unreleased/sm-config-docs.md
new file mode 100644
index 00000000000..acc853b0ad8
--- /dev/null
+++ b/changelog/unreleased/sm-config-docs.md
@@ -0,0 +1,9 @@
+Enhancement: Fixes in the reference configuration for ScienceMesh
+
+Following the successful onboarding of CESNET, this PR brings some
+improvements and fixes to the reference configuration, as well as
+some adaptation to the itegration tests.
+
+https://github.com/cs3org/reva/pull/4186
+https://github.com/cs3org/reva/pull/4184
+https://github.com/cs3org/reva/pull/4183
diff --git a/examples/sciencemesh/sciencemesh.toml b/examples/sciencemesh/sciencemesh.toml
index 2c2b4b38d57..357bebd5d40 100644
--- a/examples/sciencemesh/sciencemesh.toml
+++ b/examples/sciencemesh/sciencemesh.toml
@@ -2,25 +2,30 @@ # ## To contextualize this configuration for your deployment, please follow these steps: # -# 1. In the [vars] section below and everywhere you find it, replace `your.revad.org` with your actual domain -# 2. Replace `your.efss.org` with the actual endpoint of your EFSS system -# 3. Define appropriate secrets in the [vars] section, and match with the EFSS ScienceMesh app configuration -# 4. Provide appropriate SSL certificate and key files in the [http] section +# 1. In the [vars] section below, replace `your.revad.org` with your actual domain +# 2. If you have a Kubernetes deployment with an ingress and a route: +# 2.1. Set the `external_reva_endpoint` var to your actual externally-visible route to reva +# 2.2. In the [http.services.ocmprovider] section, set a `webdav_root` to include your route, e.g. `/iop/remote.php/dav/ocm/` +# 3. Replace `your.efss.org` with the actual endpoint of your EFSS system +# 4. Define appropriate secrets in the [vars] section: the `efss_shared_secret` must match the `oc_appconfig.configvalue` in your EFSS DB for `oc_appconfig.app_id` = `sciencemesh` +# 5. Provide appropriate SSL full chain certificate and key files in the [http] section # # If you want to terminate the SSL connection to reva at your reverse proxy system # (e.g. at your Kubernetes ingress), then you can configure reva to use http instead. # For that, you need to follow these steps: # # 1. Remove the `certfile` and `keyfile` entries from the [http] section -# 2. Replace `:443` with `:80` (or any other suitable value) everywhere you find it -# 3. replace `https` with `http` in the `datagateway` and `data_server_url` entries +# 2. Replace the https port `443` with a port number of your choice everywhere you find it +# 3. 
Make sure all `https`-served endpoints (including `datagateway`) are adapted accordingly [vars] +internal_gateway = "your.revad.org" provider_domain = "your.revad.org" +external_reva_endpoint = "https://your.revad.org" # append here any route if applicable efss_sciencemesh_endpoint = "https://your.efss.org/index.php/apps/sciencemesh/" machine_api_key = "machine-api-key" -efss_shared_secret = "shared-secret" +efss_shared_secret = "shared-secret-1" [http] certfile = "/etc/revad/tls/your.revad.ssl.crt" @@ -30,7 +35,7 @@ keyfile = "/etc/revad/tls/your.revad.ssl.key" level = "debug" [shared] -gatewaysvc = "{{ vars.provider_domain }}:19000" +gatewaysvc = "{{ vars.internal_gateway }}:19000" [grpc.services.gateway] address = ":19000" @@ -88,7 +93,7 @@ auth_manager = "machine" [grpc.services.authprovider.auth_managers.machine] api_key = "{{ vars.machine_api_key }}" -gateway_addr = "{{ vars.provider_domain }}:19000" +gateway_addr = "{{ vars.internal_gateway }}:19000" [[grpc.services.authprovider]] auth_manager = "ocmshares" @@ -113,7 +118,7 @@ driver = "nextcloud" mount_id = "nextcloud" expose_data_server = true enable_home_creation = false -data_server_url = "https://your.revad.org:{{ http.services.dataprovider[0].address.port }}/data" +data_server_url = "http://0.0.0.0:{{ http.services.dataprovider[0].address.port }}/data" [grpc.services.storageprovider.drivers.nextcloud] endpoint = "{{ vars.efss_sciencemesh_endpoint }}" @@ -126,7 +131,7 @@ mount_id = "ocm" mount_path = "/ocm" expose_data_server = true enable_home_creation = false -data_server_url = "https://your.revad.org:{{ http.services.dataprovider[1].address.port }}/data" +data_server_url = "{{ vars.external_reva_endpoint }}/data" [grpc.services.storageprovider.drivers.ocmoutcoming] machine_secret = "{{ vars.machine_api_key }}" 
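Review bot: The `[vars]` defaults `efss_shared_secret = "shared-secret-1"` and `machine_api_key = "machine-api-key"` are publicly known strings, and step 4 of the header only says the EFSS secret must match the value in the EFSS database, not that it has to be changed. A site that copies this reference file and stores the same literal on the EFSS side ends up with a working but guessable secret. I would add a comment above the two keys, for example `# placeholders: replace both with long random values before exposing this instance`. The same block could also say whether `external_reva_endpoint` may end in a slash, since later keys append `/data` and `/remote.php/dav/files` to it.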
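Review bot: In the nextcloud `[[grpc.services.storageprovider]]` entry, the new `data_server_url = "http://0.0.0.0:{{ http.services.dataprovider[0].address.port }}/data"` uses the wildcard bind address as a destination, over plain http. Connecting to `0.0.0.0` behaves differently across operating systems. The `[http]` section of this file still sets `certfile` and `keyfile`, so the listener presumably serves TLS and an `http://` URL would not match it unless the operator followed the optional plain-http steps. If this URL is only meant for gateway-internal traffic, reusing the new variable would be clearer: `data_server_url = "https://{{ vars.internal_gateway }}:{{ http.services.dataprovider[0].address.port }}/data"`. Otherwise a comment such as `# internal only; switch to http just when TLS is terminated at the proxy` would explain the scheme choice.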
@@ -141,35 +146,43 @@ driver = "memory" driver = "nextcloud" [grpc.services.ocmcore.drivers.nextcloud] -host = "https://{{ vars.provider_domain }}/" +host = "{{ vars.external_reva_endpoint }}" endpoint = "{{ vars.efss_sciencemesh_endpoint }}" shared_secret = "{{ vars.efss_shared_secret }}" mock_http = false [grpc.services.ocminvitemanager] -# TODO the driver should become "nextcloud" +# TODO the driver should be "nextcloud" once it is implemented driver = "json" provider_domain = "{{ vars.provider_domain }}" [grpc.services.ocmshareprovider] driver = "nextcloud" provider_domain = "{{ vars.provider_domain }}" -endpoint = "https://{{ vars.provider_domain }}/" -webdav_endpoint = "https://{{ vars.provider_domain }}/" -webdav_prefix = "https://{{ vars.provider_domain }}/remote.php/dav/files" +webdav_endpoint = "{{ vars.external_reva_endpoint }}" +webdav_prefix = "{{ vars.external_reva_endpoint }}/remote.php/dav/files" +# TODO the following should become {{ vars.external_reva_endpoint }}/external/{{.Token}}/... webapp_template = "https://your.revad.org/external/sciencemesh/{{.Token}}/{relative-path-to-shared-resource}" [grpc.services.ocmshareprovider.drivers.nextcloud] -webdav_host = "https://{{ vars.provider_domain }}/" +webdav_host = "{{ vars.external_reva_endpoint }}" endpoint = "{{ vars.efss_sciencemesh_endpoint }}" shared_secret = "{{ vars.efss_shared_secret }}" mock_http = false mount_id = "nextcloud" [grpc.services.ocmproviderauthorizer] -driver = "json" +driver = "mentix" + +[grpc.services.ocmproviderauthorizer.drivers.mentix] +url = "https://iop.sciencemesh.uni-muenster.de/iop/mentix/cs3" +verify_request_hostname = true +insecure = false +timeout = 10 +refresh = 900 [grpc.services.ocmproviderauthorizer.drivers.json] +# this is used by the docker-based test deployment, not in production providers = "providers.testnet.json" verify_request_hostname = true 
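Review bot: Switching `[grpc.services.ocmproviderauthorizer]` to `driver = "mentix"` delegates the decision of which OCM providers are authorized to a remote service at a hard-coded `url`, and nothing in the file tells the operator so. I would put a comment above the new `[grpc.services.ocmproviderauthorizer.drivers.mentix]` table, for example `# the list of authorized providers is fetched from the ScienceMesh central Mentix service; keep insecure = false so its TLS certificate is verified`. `timeout = 10` and `refresh = 900` also carry no units (presumably seconds); a trailing `# seconds` on each would remove the guess. The hunk also drops `endpoint` from `[grpc.services.ocmshareprovider]` without a replacement, and whether the driver still reads that key cannot be confirmed from here.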
@@ -223,6 +236,7 @@ shared_secret = "{{ vars.efss_shared_secret }}" mock_http = false [[http.services.dataprovider]] +address = ":443" driver = "ocmoutcoming" [http.services.dataprovider.drivers.ocmoutcoming] @@ -244,7 +258,7 @@ smtp_port = 25 address = ":443" ocm_prefix = "ocm" provider = "Reva for ownCloud/Nextcloud" -endpoint = "https://{{ vars.provider_domain }}" +endpoint = "{{ vars.external_reva_endpoint }}" enable_webapp = true enable_datatx = true diff --git a/tests/sciencemesh/scripts/reva-run.sh b/tests/sciencemesh/scripts/reva-run.sh index 8bf4a270fa4..e6b3866cfbf 100755 --- a/tests/sciencemesh/scripts/reva-run.sh +++ b/tests/sciencemesh/scripts/reva-run.sh @@ -5,11 +5,12 @@ mkdir -p /revad/configs cp /etc/revad/sciencemesh*.toml /revad/configs/ cp /etc/revad/providers.testnet.json /revad/configs/providers.testnet.json -# substitute placeholders with correct values. +# substitute placeholders and "external" values with valid ones for the testnet. sed -i "s/your.revad.ssl/${HOST}/g" /revad/configs/sciencemesh*.toml sed -i "s/your.revad.org/${HOST}.docker/g" /revad/configs/sciencemesh*.toml sed -i "s/your.efss.org/${HOST//reva/}.docker/g" /revad/configs/sciencemesh.toml sed -i "/^mesh_directory_url /s/=.*$/= 'https:\/\/meshdir\.docker\/meshdir'/" /revad/configs/sciencemesh.toml +sed -i "/ocmproviderauthorizer\]/{n;s/.*/driver = \"json\"/;}" /revad/configs/sciencemesh.toml cp /etc/revad/tls/*.crt /usr/local/share/ca-certificates/ update-ca-certificates
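Review bot: The added `sed` in `reva-run.sh` overwrites whatever line follows the `ocmproviderauthorizer]` header (`n;s/.*/.../`), so it only works while `driver = ...` is the very next line. A comment or blank line inserted under the header in `sciencemesh.toml` would be replaced instead, leaving the test deployment on the `mentix` driver and on the production provider registry rather than `providers.testnet.json`. Anchoring on the key is more robust: `sed -i '/^\[grpc\.services\.ocmproviderauthorizer\]$/,/^\[/s/^driver = .*/driver = "json"/' /revad/configs/sciencemesh.toml`. The script may continue past the end of this hunk.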