diff --git a/changelog/unreleased/insecure-option-ocm.md b/changelog/unreleased/insecure-option-ocm.md new file mode 100644 index 0000000000..44e7031d4c --- /dev/null +++ b/changelog/unreleased/insecure-option-ocm.md @@ -0,0 +1,6 @@ +Enhancement: Add option to config to allow requests to hosts with unverified certificates + +Allow OCM to send requests to other mesh providers with the option of skipping +certificate verification. + +https://github.com/cs3org/reva/pull/969 diff --git a/docs/content/en/docs/config/packages/user/manager/rest/_index.md b/docs/content/en/docs/config/packages/user/manager/rest/_index.md index fe6f3a7e44..6a5e781717 100644 --- a/docs/content/en/docs/config/packages/user/manager/rest/_index.md +++ b/docs/content/en/docs/config/packages/user/manager/rest/_index.md @@ -9,7 +9,7 @@ description: > # _struct: config_ {{% dir name="redis" type="string" default=":6379" %}} -The port on which the redis server is running [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L67) +The port on which the redis server is running [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L68) {{< highlight toml >}} [user.manager.rest] redis = ":6379" @@ -17,7 +17,7 @@ redis = ":6379" {{% /dir %}} {{% dir name="user_groups_cache_expiration" type="int" default=5 %}} -The time in minutes for which the groups to which a user belongs would be cached [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L69) +The time in minutes for which the groups to which a user belongs would be cached [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L70) {{< highlight toml >}} [user.manager.rest] user_groups_cache_expiration = 5 
@@ -25,7 +25,7 @@ user_groups_cache_expiration = 5 {{% /dir %}} {{% dir name="id_provider" type="string" default="http://cernbox.cern.ch" %}} -The OIDC Provider [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L71) +The OIDC Provider [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L72) {{< highlight toml >}} [user.manager.rest] id_provider = "http://cernbox.cern.ch" @@ -33,7 +33,7 @@ id_provider = "http://cernbox.cern.ch" {{% /dir %}} {{% dir name="api_base_url" type="string" default="https://authorization-service-api-dev.web.cern.ch/api/v1.0" %}} -Base API Endpoint [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L73) +Base API Endpoint [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L74) {{< highlight toml >}} [user.manager.rest] api_base_url = "https://authorization-service-api-dev.web.cern.ch/api/v1.0" @@ -41,7 +41,7 @@ api_base_url = "https://authorization-service-api-dev.web.cern.ch/api/v1.0" {{% /dir %}} {{% dir name="client_id" type="string" default="-" %}} -Client ID needed to authenticate [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L75) +Client ID needed to authenticate [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L76) {{< highlight toml >}} [user.manager.rest] client_id = "-" @@ -49,7 +49,7 @@ client_id = "-" {{% /dir %}} {{% dir name="client_secret" type="string" default="-" %}} -Client Secret [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L77) +Client Secret [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L78) {{< highlight toml >}} [user.manager.rest] client_secret = "-" 
@@ -57,7 +57,7 @@ client_secret = "-" {{% /dir %}} {{% dir name="oidc_token_endpoint" type="string" default="https://keycloak-dev.cern.ch/auth/realms/cern/api-access/token" %}} -Endpoint to generate token to access the API [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L80) +Endpoint to generate token to access the API [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L81) {{< highlight toml >}} [user.manager.rest] oidc_token_endpoint = "https://keycloak-dev.cern.ch/auth/realms/cern/api-access/token" @@ -65,7 +65,7 @@ oidc_token_endpoint = "https://keycloak-dev.cern.ch/auth/realms/cern/api-access/ {{% /dir %}} {{% dir name="target_api" type="string" default="authorization-service-api" %}} -The target application for which token needs to be generated [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L82) +The target application for which token needs to be generated [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L83) {{< highlight toml >}} [user.manager.rest] target_api = "authorization-service-api" diff --git a/pkg/ocm/invite/manager/json/json.go b/pkg/ocm/invite/manager/json/json.go index 4306069c79..644c760eeb 100644 --- a/pkg/ocm/invite/manager/json/json.go +++ b/pkg/ocm/invite/manager/json/json.go @@ -26,6 +26,7 @@ import ( "net/http" "net/url" "os" + "strings" "sync" "time" @@ -36,6 +37,7 @@ import ( "github.com/cs3org/reva/pkg/ocm/invite" "github.com/cs3org/reva/pkg/ocm/invite/manager/registry" "github.com/cs3org/reva/pkg/ocm/invite/token" + "github.com/cs3org/reva/pkg/rhttp" "github.com/cs3org/reva/pkg/user" "github.com/mitchellh/mapstructure" "github.com/pkg/errors" 
@@ -56,8 +58,9 @@ type manager struct {
 }
 
 type config struct {
- File string `mapstructure:"file"`
- Expiration string `mapstructure:"expiration"`
+ File string `mapstructure:"file"`
+ Expiration string `mapstructure:"expiration"`
+ InsecureConnections bool `mapstructure:"insecure_connections"`
 }
 
 func init() {
@@ -203,7 +206,15 @@ func (m *manager) ForwardInvite(ctx context.Context, invite *invitepb.InviteToke
 return err
 }
 
- resp, err := http.PostForm(fmt.Sprintf("%s%s", ocmEndpoint, acceptInviteEndpoint), requestBody)
+ client := rhttp.GetHTTPClient(rhttp.Insecure(m.config.InsecureConnections))
+ recipientURL := fmt.Sprintf("%s%s", ocmEndpoint, acceptInviteEndpoint)
+ req, err := http.NewRequest("POST", recipientURL, strings.NewReader(requestBody.Encode()))
+ if err != nil {
+ return errors.Wrap(err, "json: error framing post request")
+ }
+ req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
+
+ resp, err := client.Do(req)
 if err != nil {
 err = errors.Wrap(err, "json: error sending post request")
 return err
@@ -213,11 +224,9 @@ func (m *manager) ForwardInvite(ctx context.Context, invite *invitepb.InviteToke
 if resp.StatusCode != http.StatusOK {
 respBody, e := ioutil.ReadAll(resp.Body)
 if e != nil {
- e = errors.Wrap(e, "json: error reading request body")
- return e
+ return errors.Wrap(e, "json: error reading request body")
 }
- err = errors.Wrap(errors.New(fmt.Sprintf("%s: %s", resp.Status, string(respBody))), "json: error sending accept post request")
- return err
+ return errors.Wrap(errors.New(fmt.Sprintf("%s: %s", resp.Status, string(respBody))), "json: error sending accept post request")
 }
 
 return nil
diff --git a/pkg/ocm/invite/manager/memory/memory.go b/pkg/ocm/invite/manager/memory/memory.go
index 853fd32cb1..3f0d9f063d 100644
--- a/pkg/ocm/invite/manager/memory/memory.go
+++ b/pkg/ocm/invite/manager/memory/memory.go
@@ -23,6 +23,7 @@ import (
 "fmt"
 "net/http"
 "net/url"
+ "strings"
 "sync"
 "time"
 
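Review bot: The new `InsecureConnections` field in the invite manager's `config` turns off TLS certificate verification for every invite forwarded to a remote mesh provider, yet it carries no comment and nothing visible here logs when it is on. The forwarded request presumably carries the invite token (ForwardInvite takes it as an argument, the body is built outside the hunk), which is exactly what an on-path attacker would harvest or replay, so the field deserves `// InsecureConnections disables TLS certificate verification for requests to remote OCM providers.` followed by `// Test meshes only: when set, a network attacker can read or forge forwarded invite tokens.`, and the code that parses this config (outside the hunk) should log a warning when it is true. A per-provider CA bundle would be a safer option than a global bypass in the longer run.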
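Review bot: The Content-Type set on `req` in ForwardInvite is `application/x-www-form-urlencoded; param=value`, and `param=value` is a placeholder rather than a parameter this media type defines; `http.PostForm`, which this replaces, sent the bare type, and a strict receiver may reject the extra parameter. Change it to `req.Header.Set("Content-Type", "application/x-www-form-urlencoded")`. The client is also built without `rhttp.Context(ctx)` or `rhttp.Timeout(...)`, unlike the rest.go calls in this same change, and `http.NewRequest` does not attach `ctx`, so unless `rhttp.GetHTTPClient` applies a default timeout a stalled remote provider blocks the caller indefinitely; `rhttp.GetHTTPClient(rhttp.Context(ctx), rhttp.Timeout(10*time.Second), rhttp.Insecure(m.config.InsecureConnections))` plus `req = req.WithContext(ctx)` would match rest.go. ForwardInvite starts and ends outside the hunk, so whether `resp.Body` is closed between this hunk and the next cannot be confirmed here.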
@@ -35,6 +36,7 @@ import (
 "github.com/cs3org/reva/pkg/ocm/invite"
 "github.com/cs3org/reva/pkg/ocm/invite/manager/registry"
 "github.com/cs3org/reva/pkg/ocm/invite/token"
+ "github.com/cs3org/reva/pkg/rhttp"
 "github.com/mitchellh/mapstructure"
 "github.com/pkg/errors"
 )
@@ -74,7 +76,8 @@ type manager struct {
 }
 
 type config struct {
- Expiration string `mapstructure:"expiration"`
+ Expiration string `mapstructure:"expiration"`
+ InsecureConnections bool `mapstructure:"insecure_connections"`
 }
 
 func (m *manager) GenerateToken(ctx context.Context) (*invitepb.InviteToken, error) {
@@ -104,7 +107,15 @@ func (m *manager) ForwardInvite(ctx context.Context, invite *invitepb.InviteToke
 return err
 }
 
- resp, err := http.PostForm(fmt.Sprintf("%s%s", ocmEndpoint, acceptInviteEndpoint), requestBody)
+ client := rhttp.GetHTTPClient(rhttp.Insecure(m.Config.InsecureConnections))
+ recipientURL := fmt.Sprintf("%s%s", ocmEndpoint, acceptInviteEndpoint)
+ req, err := http.NewRequest("POST", recipientURL, strings.NewReader(requestBody.Encode()))
+ if err != nil {
+ return errors.Wrap(err, "json: error framing post request")
+ }
+ req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
+
+ resp, err := client.Do(req)
 if err != nil {
 err = errors.Wrap(err, "memory: error sending post request")
 return err
diff --git a/pkg/ocm/share/manager/json/json.go b/pkg/ocm/share/manager/json/json.go
index ef6671321f..354c702524 100644
--- a/pkg/ocm/share/manager/json/json.go
+++ b/pkg/ocm/share/manager/json/json.go
@@ -27,6 +27,7 @@ import (
 "net/url"
 "os"
 "reflect"
+ "strings"
 "sync"
 "time"
 
@@ -38,6 +39,7 @@ import (
 "github.com/cs3org/reva/pkg/errtypes"
 "github.com/cs3org/reva/pkg/ocm/share"
 "github.com/cs3org/reva/pkg/ocm/share/manager/registry"
+ "github.com/cs3org/reva/pkg/rhttp"
 "github.com/cs3org/reva/pkg/user"
 "github.com/google/uuid"
 "github.com/mitchellh/mapstructure"
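Review bot: The error wrap added to ForwardInvite in the memory invite manager is prefixed `json:` (`return errors.Wrap(err, "json: error framing post request")`) while the line right below it uses `memory:`, so a failure here is attributed to the wrong manager in logs; make it `return errors.Wrap(err, "memory: error framing post request")`. The same hunk sets `Content-Type` to `application/x-www-form-urlencoded; param=value`, where `param=value` is a leftover placeholder and not a parameter of this media type; `http.PostForm` sent the bare type, so use `req.Header.Set("Content-Type", "application/x-www-form-urlencoded")`. As in the json manager, the client is created without `rhttp.Context(ctx)` or `rhttp.Timeout(...)` and `http.NewRequest` does not carry `ctx`, so a hung remote provider can block the caller unless `rhttp.GetHTTPClient` has a default timeout, which is not visible here. ForwardInvite starts and ends outside the hunk.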
@@ -118,7 +120,8 @@ type shareModel struct {
 }
 
 type config struct {
- File string `mapstructure:"file"`
+ File string `mapstructure:"file"`
+ InsecureConnections bool `mapstructure:"insecure_connections"`
 }
 
 func (c *config) init() {
@@ -275,7 +278,15 @@ func (m *mgr) Share(ctx context.Context, md *provider.ResourceId, g *ocm.ShareGr
 return nil, err
 }
 
- resp, err := http.PostForm(fmt.Sprintf("%s%s", ocmEndpoint, createOCMCoreShareEndpoint), requestBody)
+ client := rhttp.GetHTTPClient(rhttp.Insecure(m.c.InsecureConnections))
+ recipientURL := fmt.Sprintf("%s%s", ocmEndpoint, createOCMCoreShareEndpoint)
+ req, err := http.NewRequest("POST", recipientURL, strings.NewReader(requestBody.Encode()))
+ if err != nil {
+ return nil, errors.Wrap(err, "json: error framing post request")
+ }
+ req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
+
+ resp, err := client.Do(req)
 if err != nil {
 err = errors.Wrap(err, "json: error sending post request")
 return nil, err
diff --git a/pkg/ocm/share/manager/memory/memory.go b/pkg/ocm/share/manager/memory/memory.go
index bb343acc62..1ba3f64762 100644
--- a/pkg/ocm/share/manager/memory/memory.go
+++ b/pkg/ocm/share/manager/memory/memory.go
@@ -25,6 +25,7 @@ import (
 "net/http"
 "net/url"
 "reflect"
+ "strings"
 "sync"
 "time"
 
@@ -35,8 +36,10 @@ import (
 typespb "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
 "github.com/cs3org/reva/pkg/errtypes"
 "github.com/cs3org/reva/pkg/ocm/share"
+ "github.com/cs3org/reva/pkg/rhttp"
 "github.com/cs3org/reva/pkg/user"
 "github.com/google/uuid"
+ "github.com/mitchellh/mapstructure"
 "github.com/pkg/errors"
 )
 
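Review bot: `InsecureConnections` in the json share manager's `config` has no comment explaining that it disables certificate verification for the share-creation POST to the remote provider, and since `config.init()` (whose body is outside the hunk) is where defaults are applied, that is the natural place to emit a warning when it is set. Suggested field comment: `// InsecureConnections skips TLS certificate verification when pushing shares to remote OCM providers; test meshes only, as it exposes the share request to on-path tampering.` The request body is built outside the hunk, so what exactly it carries cannot be confirmed here, but a share-creation call is not something to send over an unauthenticated channel by default.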
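Review bot: In the json share manager's Share method the new request sets `Content-Type: application/x-www-form-urlencoded; param=value`; the `param=value` suffix is a placeholder, not a defined parameter of this media type, and `http.PostForm` (the code this replaces) sent the bare type, so a strict receiver may start rejecting the call. Use `req.Header.Set("Content-Type", "application/x-www-form-urlencoded")`. The client is built with only `rhttp.Insecure(...)`, with no `rhttp.Context(ctx)`, no `rhttp.Timeout(...)` and no `req.WithContext(ctx)`, unlike rest.go in this same change; if `rhttp.GetHTTPClient` has no default timeout, an unresponsive remote provider stalls the share call indefinitely. Share starts and ends outside the hunk.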
@@ -49,19 +52,38 @@ func init() {
 
 // New returns a new memory manager.
 func New(m map[string]interface{}) (share.Manager, error) {
+ c, err := parseConfig(m)
+ if err != nil {
+ err = errors.Wrap(err, "error creating a new manager")
+ return nil, err
+ }
 state := make(map[string]map[string]ocm.ShareState)
 return &mgr{
+ c: c,
 shares: sync.Map{},
 state: state,
 }, nil
 }
 
 type mgr struct {
+ c *config
 shares sync.Map
 state map[string]map[string]ocm.ShareState
 }
 
+type config struct {
+ InsecureConnections bool `mapstructure:"insecure_connections"`
+}
+
+func parseConfig(m map[string]interface{}) (*config, error) {
+ c := &config{}
+ if err := mapstructure.Decode(m, c); err != nil {
+ return nil, err
+ }
+ return c, nil
+}
+
 func genID() string {
 return uuid.New().String()
 }
@@ -167,7 +189,15 @@ func (m *mgr) Share(ctx context.Context, md *provider.ResourceId, g *ocm.ShareGr
 return nil, err
 }
 
- resp, err := http.PostForm(fmt.Sprintf("%s%s", ocmEndpoint, createOCMCoreShareEndpoint), requestBody)
+ client := rhttp.GetHTTPClient(rhttp.Insecure(m.c.InsecureConnections))
+ recipientURL := fmt.Sprintf("%s%s", ocmEndpoint, createOCMCoreShareEndpoint)
+ req, err := http.NewRequest("POST", recipientURL, strings.NewReader(requestBody.Encode()))
+ if err != nil {
+ return nil, errors.Wrap(err, "json: error framing post request")
+ }
+ req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
+
+ resp, err := client.Do(req)
 if err != nil {
 err = errors.Wrap(err, "memory: error sending post request")
 return nil, err
diff --git a/pkg/user/manager/rest/rest.go b/pkg/user/manager/rest/rest.go
index f759e565f9..5f3568873b 100644
--- a/pkg/user/manager/rest/rest.go
+++ b/pkg/user/manager/rest/rest.go
@@ -24,6 +24,7 @@ import (
 "errors"
 "fmt"
 "io/ioutil"
+ "net/http"
 "net/url"
 "regexp"
 "strings"
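Review bot: The new `config` type and `parseConfig` in the memory share manager are undocumented, and `InsecureConnections` in particular needs to say what it costs: `// config holds the manager options decoded from the service configuration.` on the type and `// InsecureConnections disables TLS certificate verification for requests to remote OCM providers; test meshes only.` on the field, plus a one-line comment on `parseConfig` stating that it decodes the raw map with mapstructure. `New` now has the parsed config in hand right after `parseConfig`, which is the right place to log a warning when `c.InsecureConnections` is true, using whatever logger the package already has (none is visible in this hunk). The wrap message `"error creating a new manager"` could also name the package, e.g. `"memory: error parsing config"`, to match the `memory:` prefix used by the Share method further down.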
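Review bot: The Share method of the memory share manager wraps the new framing error with a `json:` prefix (`return nil, errors.Wrap(err, "json: error framing post request")`) while the next line uses `memory:`; change it to `return nil, errors.Wrap(err, "memory: error framing post request")` so log lines point at the right manager. The hunk also sets `Content-Type` to `application/x-www-form-urlencoded; param=value`, where `param=value` is a leftover placeholder rather than a parameter of this media type; `http.PostForm` sent the bare type, so `req.Header.Set("Content-Type", "application/x-www-form-urlencoded")` is the safe replacement. Like the other OCM call sites in this change, the client gets no `rhttp.Context(ctx)` or `rhttp.Timeout(...)` and the request does not carry `ctx`, so a hung remote blocks the caller unless `rhttp.GetHTTPClient` has a default timeout, which cannot be confirmed here. Share starts and ends outside the hunk.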
@@ -152,7 +153,7 @@ func (m *manager) getAPIToken(ctx context.Context) (string, time.Time, error) {
 }
 
 httpClient := rhttp.GetHTTPClient(rhttp.Context(ctx), rhttp.Timeout(10*time.Second), rhttp.Insecure(true))
- httpReq, err := rhttp.NewRequest(ctx, "POST", m.conf.OIDCTokenEndpoint, strings.NewReader(params.Encode()))
+ httpReq, err := http.NewRequest("POST", m.conf.OIDCTokenEndpoint, strings.NewReader(params.Encode()))
 if err != nil {
 return "", time.Time{}, err
 }
@@ -163,6 +164,7 @@ func (m *manager) getAPIToken(ctx context.Context) (string, time.Time, error) {
 if err != nil {
 return "", time.Time{}, err
 }
+ defer httpRes.Body.Close()
 
 body, err := ioutil.ReadAll(httpRes.Body)
 if err != nil {
@@ -187,7 +189,7 @@ func (m *manager) sendAPIRequest(ctx context.Context, url string) ([]interface{}
 }
 
 httpClient := rhttp.GetHTTPClient(rhttp.Context(ctx), rhttp.Timeout(10*time.Second), rhttp.Insecure(true))
- httpReq, err := rhttp.NewRequest(ctx, "GET", url, nil)
+ httpReq, err := http.NewRequest("GET", url, nil)
 if err != nil {
 return nil, err
 }
@@ -201,6 +203,7 @@ func (m *manager) sendAPIRequest(ctx context.Context, url string) ([]interface{}
 if err != nil {
 return nil, err
 }
+ defer httpRes.Body.Close()
 
 body, err := ioutil.ReadAll(httpRes.Body)
 if err != nil {
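Review bot: Replacing `rhttp.NewRequest(ctx, "POST", ...)` with `http.NewRequest("POST", ...)` in getAPIToken drops `ctx` from the request; the client is built with `rhttp.Context(ctx)`, but whether that option re-attaches the context to each outgoing request cannot be seen from here, so add `httpReq = httpReq.WithContext(ctx)` after the error check to keep caller cancellation and the 10 s timeout in effect for the token call. Separately, the context line `rhttp.Insecure(true)` is hard-coded for the POST to `m.conf.OIDCTokenEndpoint`, which presumably carries the configured `client_secret` (params are built outside the hunk); that is the same certificate-verification bypass this PR makes configurable for OCM, and although it predates the change it would be consistent to thread an `insecure` config option through here too rather than leave it permanently on. getAPIToken starts and ends outside the hunk.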
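Review bot: sendAPIRequest has the same change as getAPIToken: `http.NewRequest("GET", url, nil)` no longer carries `ctx`, so `httpReq = httpReq.WithContext(ctx)` after the error check is needed unless `rhttp.Context(ctx)` on the client is known to attach it. The surrounding `rhttp.Insecure(true)` is also permanent here for a call that sends the bearer token obtained from getAPIToken, which deserves the same configurable treatment this PR gives the OCM managers. sendAPIRequest starts and ends outside the hunk.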