cs3org · ishank011 · May 17, 2022 · Apr 21, 2022 · Apr 23, 2022 · Apr 28, 2022
@@ -0,0 +1,5 @@
+Bugfix: Make hardcoded HTTP "insecure" options configurable
+
+HTTP "insecure" options must be configurable and default to false.
+
+https://github.com/cs3org/reva/issues/2216
@@ -23,7 +23,6 @@ import (
 	"io"
 	"net/http"
 	"os"
-	"time"
 
 	"github.com/cheggaaa/pb"
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
@@ -50,15 +49,15 @@ func downloadCommand() *command {
 		remote := cmd.Args()[0]
 		local := cmd.Args()[1]
 
-		client, err := getClient()
+		gatewayClient, err := getClient()
 		if err != nil {
 			return err
 		}
 
 		ref := &provider.Reference{Path: remote}
 		req1 := &provider.StatRequest{Ref: ref}
 		ctx := getAuthContext()
-		res1, err := client.Stat(ctx, req1)
+		res1, err := gatewayClient.Stat(ctx, req1)
 		if err != nil {
 			return err
 		}
@@ -71,7 +70,7 @@ func downloadCommand() *command {
 		req2 := &provider.InitiateFileDownloadRequest{
 			Ref: &provider.Reference{Path: remote},
 		}
-		res, err := client.InitiateFileDownload(ctx, req2)
+		res, err := gatewayClient.InitiateFileDownload(ctx, req2)
 		if err != nil {
 			return err
 		}
@@ -102,15 +101,8 @@ func downloadCommand() *command {
 			}
 
 			httpReq.Header.Set(datagateway.TokenTransportHeader, p.Token)
-			httpClient := rhttp.GetHTTPClient(
-				rhttp.Context(ctx),
-				// TODO make insecure configurable
-				rhttp.Insecure(true),
-				// TODO make timeout configurable
-				rhttp.Timeout(time.Duration(24*int64(time.Hour))),
-			)
-
-			httpRes, err := httpClient.Do(httpReq)
+
+			httpRes, err := client.Do(httpReq)
 			if err != nil {
 				return err
 			}
@@ -144,7 +136,10 @@ func downloadCommand() *command {
 	return cmd
 }
 
-func getDownloadProtocolInfo(protocolInfos []*gateway.FileDownloadProtocol, protocol string) (*gateway.FileDownloadProtocol, error) {
+func getDownloadProtocolInfo(
+	protocolInfos []*gateway.FileDownloadProtocol,
+	protocol string,
+) (*gateway.FileDownloadProtocol, error) {
 	for _, p := range protocolInfos {
 		if p.Protocol == protocol {
 			return p, nil

@@ -30,7 +30,7 @@ import (
 
 // Executor provides exec command handler
 type Executor struct {
-	Timeout int
+	Timeout int64
 }
 
 // Execute provides execute commands
@@ -79,7 +79,7 @@ func (e *Executor) Execute(s string) {
 					select {
 					case <-signalChan:
 						cancel()
-					case <-time.After(time.Duration(e.Timeout * int(time.Second))):
+					case <-time.After(time.Duration(e.Timeout * int64(time.Second))):
 						cancel()
 					case <-ctx.Done():
 					}

@@ -31,10 +31,10 @@ import (
 )
 
 var (
-	conf                                   *config
-	host                                   string
-	insecure, skipverify, disableargprompt bool
-	timeout                                int
+	conf                                                        *config
+	host                                                        string
+	insecure, skipverify, disableargprompt, insecuredatagateway bool
+	timeout                                                     int64
 
 	helpCommandOutput string
 
@@ -97,9 +97,20 @@ var (
 func init() {
 	flag.StringVar(&host, "host", "", "address of the GRPC gateway host")
 	flag.BoolVar(&insecure, "insecure", false, "disables grpc transport security")
-	flag.BoolVar(&skipverify, "skip-verify", false, "whether to skip verifying the server's certificate chain and host name")
+	flag.BoolVar(
+		&insecuredatagateway,
+		"insecure-data-gateway",
+		false,
+		"disables grpc transport security for data gateway service",
+	)
+	flag.BoolVar(
+		&skipverify,
+		"skip-verify",
+		false,
+		"whether to skip verifying the server's certificate chain and host name",
+	)
 	flag.BoolVar(&disableargprompt, "disable-arg-prompt", false, "whether to disable prompts for command arguments")
-	flag.IntVar(&timeout, "timout", -1, "the timeout in seconds for executing the commands, -1 means no timeout")
+	flag.Int64Var(&timeout, "timeout", -1, "the timeout in seconds for executing the commands, -1 means no timeout")
 	flag.Parse()
 }
 
@@ -114,10 +125,8 @@ func main() {
 	}
 
 	client = rhttp.GetHTTPClient(
-		// TODO make insecure configurable
-		rhttp.Insecure(true),
-		// TODO make timeout configurable
-		rhttp.Timeout(time.Duration(24*int64(time.Hour))),
+		rhttp.Insecure(insecuredatagateway),
+		rhttp.Timeout(time.Duration(timeout*int64(time.Hour))),
 	)
 
 	generateMainUsage()
@@ -153,6 +162,11 @@ func generateMainUsage() {
 
 	helpCommandOutput = "Command line interface to REVA:\n"
 	for _, cmd := range commands {
-		helpCommandOutput += fmt.Sprintf("%s%s%s\n", cmd.Name, strings.Repeat(" ", 4+(n-len(cmd.Name))), cmd.Description())
+		helpCommandOutput += fmt.Sprintf(
+			"%s%s%s\n",
+			cmd.Name,
+			strings.Repeat(" ", 4+(n-len(cmd.Name))),
+			cmd.Description(),
+		)
 	}
 }
@@ -116,7 +116,10 @@ func New(m map[string]interface{}) (group.Manager, error) {
 	c.init()
 
 	redisPool := initRedisPool(c.RedisAddress, c.RedisUsername, c.RedisPassword)
-	apiTokenManager := utils.InitAPITokenManager(c.TargetAPI, c.OIDCTokenEndpoint, c.ClientID, c.ClientSecret)
+	apiTokenManager, err := utils.InitAPITokenManager(m)
+	if err != nil {
+		return nil, err
+	}
 
 	mgr := &manager{
 		conf:            c,

@@ -123,7 +123,10 @@ func (m *manager) Configure(ml map[string]interface{}) error {
 	}
 	c.init()
 	redisPool := initRedisPool(c.RedisAddress, c.RedisUsername, c.RedisPassword)
-	apiTokenManager := utils.InitAPITokenManager(c.TargetAPI, c.OIDCTokenEndpoint, c.ClientID, c.ClientSecret)
+	apiTokenManager, err := utils.InitAPITokenManager(ml)
+	if err != nil {
+		return err
+	}
 	m.conf = c
 	m.redisPool = redisPool
 	m.apiTokenManager = apiTokenManager

@@ -30,6 +30,7 @@ import (
 	"time"
 
 	"github.com/cs3org/reva/pkg/rhttp"
+	"github.com/mitchellh/mapstructure"
 )
 
 // APITokenManager stores config related to api management
@@ -47,26 +48,27 @@ type OIDCToken struct {
 }
 
 type config struct {
-	TargetAPI         string
-	OIDCTokenEndpoint string
-	ClientID          string
-	ClientSecret      string
+	TargetAPI         string `mapstructure:"target_api"`
+	OIDCTokenEndpoint string `mapstructure:"oidc_token_endpoint"`
+	ClientID          string `mapstructure:"client_id"`
+	ClientSecret      string `mapstructure:"client_secret"`
+	Timeout           int64  `mapstructure:"timeout"`
+	Insecure          bool   `mapstructure:"insecure"`
 }
 
 // InitAPITokenManager initializes a new APITokenManager
-func InitAPITokenManager(targetAPI, oidcTokenEndpoint, clientID, clientSecret string) *APITokenManager {
+func InitAPITokenManager(conf map[string]interface{}) (*APITokenManager, error) {
+	c := &config{}
+	if err := mapstructure.Decode(conf, c); err != nil {
+		return nil, err
+	}
+
 	return &APITokenManager{
-		conf: &config{
-			TargetAPI:         targetAPI,
-			OIDCTokenEndpoint: oidcTokenEndpoint,
-			ClientID:          clientID,
-			ClientSecret:      clientSecret,
-		},
+		conf: c,
 		client: rhttp.GetHTTPClient(
-			rhttp.Timeout(10*time.Second),
-			rhttp.Insecure(true),
-		),
-	}
+			rhttp.Timeout(time.Duration(c.Timeout*int64(time.Second))),
+			rhttp.Insecure(c.Insecure),
+		)}, nil
 }
 
 func (a *APITokenManager) renewAPIToken(ctx context.Context, forceRenewal bool) error {

@@ -67,6 +67,7 @@ type config struct {
 	File                   string `mapstructure:"file"`
 	JobStatusCheckInterval int    `mapstructure:"job_status_check_interval"`
 	JobTimeout             int    `mapstructure:"job_timeout"`
+	Insecure               bool   `mapstructure:"insecure"`
 }
 
 type rclone struct {
@@ -125,8 +126,7 @@ func New(m map[string]interface{}) (txdriver.Manager, error) {
 	}
 	c.init(m)
 
-	// TODO insecure should be configurable
-	client := rhttp.GetHTTPClient(rhttp.Insecure(true))
+	client := rhttp.GetHTTPClient(rhttp.Insecure(c.Insecure))
 
 	// The persistency driver
 	// Load or create 'db'