Merge pull request #920 from owncloud/fix-downloads-in-bridge

Add option to disable signing keys in the proxy
owncloud · Nov 21, 2020 · d5e889e · d5e889e
2 parents 90ffb54 + bc6227e
commit d5e889e
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 15 deletions.
diff --git a/deployments/examples/ocis_oc10_backend/docker-compose.yml b/deployments/examples/ocis_oc10_backend/docker-compose.yml
@@ -70,7 +70,6 @@ services:
       OWNCLOUD_MYSQL_UTF8MB4: "true"
       OWNCLOUD_REDIS_ENABLED: "true"
       OWNCLOUD_REDIS_HOST: redis
-      OWNCLOUD_DEBUG: "true"
       OWNCLOUD_TRUSTED_PROXIES: ${OC10_DOMAIN}
       OWNCLOUD_OVERWRITE_PROTOCOL: https
       OWNCLOUD_OVERWRITE_HOST: ${OC10_DOMAIN}
@@ -111,6 +110,7 @@ services:
       PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN}
       PROXY_AUTOPROVISION_ACCOUNTS: "true"
       PROXY_OIDC_INSECURE: "${INSECURE}"
+      PROXY_ENABLE_PRESIGNEDURLS: "false"
       # konnectd - binddn must exist as oc10 admin user
       KONNECTD_ISS: https://${OCIS_DOMAIN}
       KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/config/identifier-registration.yaml"

diff --git a/proxy/changelog/unreleased/add-basic-auth-option.md b/proxy/changelog/unreleased/add-basic-auth-option.md
diff --git a/proxy/go.mod b/proxy/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/cs3org/go-cs3apis v0.0.0-20201007120910-416ed6cf8b00
 	github.com/cs3org/reva v1.3.1-0.20201023144216-cdb3d6688da5
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/google/uuid v1.1.2
 	github.com/justinas/alice v1.2.0
 	github.com/micro/cli/v2 v2.1.2

diff --git a/proxy/pkg/config/config.go b/proxy/pkg/config/config.go
@@ -135,6 +135,7 @@ type TokenManager struct {
 // PreSignedURL is the config for the presigned url middleware
 type PreSignedURL struct {
 	AllowedHTTPMethods []string
+	Enabled            bool
 }
 
 // MigrationSelectorConf is the config for the migration-selector

diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go
@@ -226,13 +226,19 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 		},
 
 		// Presigned URLs
-
 		&cli.StringSliceFlag{
 			Name:    "presignedurl-allow-method",
 			Value:   cli.NewStringSlice("GET"),
 			Usage:   "--presignedurl-allow-method GET [--presignedurl-allow-method POST]",
 			EnvVars: []string{"PRESIGNEDURL_ALLOWED_METHODS"},
 		},
+		&cli.BoolFlag{
+			Name:        "enable-presignedurls",
+			Value:       true,
+			Usage:       "Enable or disable handling the presigned urls in the proxy",
+			EnvVars:     []string{"PROXY_ENABLE_PRESIGNEDURLS"},
+			Destination: &cfg.PreSignedURL.Enabled,
+		},
 
 		// Basic auth
 		&cli.BoolFlag{

diff --git a/proxy/pkg/middleware/signed_url_auth.go b/proxy/pkg/middleware/signed_url_auth.go
@@ -6,17 +6,18 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
 	"github.com/google/uuid"
 	accounts "github.com/owncloud/ocis/accounts/pkg/proto/v0"
 	"github.com/owncloud/ocis/ocis-pkg/log"
 	ocisoidc "github.com/owncloud/ocis/ocis-pkg/oidc"
 	"github.com/owncloud/ocis/proxy/pkg/config"
 	store "github.com/owncloud/ocis/store/pkg/proto/v0"
 	"golang.org/x/crypto/pbkdf2"
-	"net/http"
-	"net/url"
-	"strings"
-	"time"
 )
 
 // SignedURLAuth provides a middleware to check access secured by a signed URL.
@@ -96,6 +97,9 @@ func (m signedURLAuth) claims(credential string) (*ocisoidc.StandardClaims, erro
 }
 
 func (m signedURLAuth) shouldServe(req *http.Request) bool {
+	if !m.preSignedURLConfig.Enabled {
+		return false
+	}
 	return req.URL.Query().Get("OC-Signature") != ""
 }
 

diff --git a/proxy/pkg/middleware/signed_url_auth_test.go b/proxy/pkg/middleware/signed_url_auth_test.go
@@ -10,13 +10,17 @@ func TestSignedURLAuth_shouldServe(t *testing.T) {
 	pua := signedURLAuth{}
 	tests := []struct {
 		url      string
+		enabled  bool
 		expected bool
 	}{
-		{"https://example.com/example.jpg", false},
-		{"https://example.com/example.jpg?OC-Signature=something", true},
+		{"https://example.com/example.jpg", true, false},
+		{"https://example.com/example.jpg?OC-Signature=something", true, true},
+		{"https://example.com/example.jpg", false, false},
+		{"https://example.com/example.jpg?OC-Signature=something", false, false},
 	}
 
 	for _, tt := range tests {
+		pua.preSignedURLConfig.Enabled = tt.enabled
 		r := httptest.NewRequest("", tt.url, nil)
 		result := pua.shouldServe(r)
 
@@ -102,7 +106,7 @@ func TestSignedURLAuth_urlIsExpired(t *testing.T) {
 	}
 
 	tests := []struct {
-		url      string
+		url       string
 		isExpired bool
 	}{
 		{"http://example.com/example.jpg?OC-Date=2020-02-02T12:29:00.000Z&OC-Expires=61", false},