update standalone.oidc.toml and related config (#317)

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
cs3org · Oct 17, 2019 · 9c558c1 · 9c558c1
1 parent 5fdf88d
commit 9c558c1
Show file tree

Hide file tree

Showing 3 changed files with 120 additions and 98 deletions.
diff --git a/examples/oidc-provider.toml b/examples/oidc-provider.toml
@@ -12,14 +12,14 @@ mode = "console"
 network = "tcp"
 address = "0.0.0.0:9998"
 enabled_services = [
-"authsvc"
+    "authprovider"
 ]
 
-[grpc.services.authsvc]
+[grpc.services.authprovider]
 auth_manager = "oidc"
 
-[grpc.services.authsvc.auth_managers.oidc]
-provider = "http://0.0.0.0:10000"
+[grpc.services.authprovider.auth_managers.oidc]
+provider = "http://localhost:10000"
 insecure = true
 client_id = "phoenix"
 client_secret = "foobar"
diff --git a/examples/standalone.oidc.toml b/examples/standalone.oidc.toml
@@ -1,26 +1,49 @@
+# This standalone.oidc.toml config file will start a reva service that:
+# - authenticates requests using openid connect
+# - serves http requests on port 10000
+#   - / - ocdav: owncloud webdav api
+#   - /data - dataprovider: file up and download
+#   - /oauth2 - an openid connect provider implementation for development
+#   - /.well-known - used for openid connect discovery
+#   - /metrics - prometheus: metrics
+# - serves grpc requests on port 9999
+#   - authprovider - provides basic auth
+#   - storageprovider - handles storage metadata
+#   - usershareprovider - provides user shares
+#   - userprovider - provides user matadata (used to look up email, displayname etc after a login)
+#   - preferences - provides user preferences
+#   - gateway: to lookup services and authenticate requests
+#   - authregistry - used by the gateway to look up auth providers
+#   - storageregistry - used by the gateway to look up storage providers
+
 [core]
-log_file = "stderr"
-log_mode = "dev"
-max_cpus = "100%"
+max_cpus = "2" # defaults to runtime.NumCPU()
+#tracing_enabled = false
+#tracing_endpoint = "localhost:6831"
+#tracing_collector = "http://localhost:14268/api/traces"
+#tracing_service_name = "revad"
 
 [log]
 level = "debug"
-mode = "console"
+#mode = "console" # "console" or "json"
+#output = "./standalone.log"
 
 [http]
-network = "tcp"
-address = "0.0.0.0:10000"
-enabled_services = ["datasvc", "ocdavsvc", "prometheussvc", "wellknown", "oidcprovider", "ocssvc"]
+#network = "tcp"
+# allow access from any host, not only localhost
+address = "0.0.0.0:10000" # "localhost:9998"
+enabled_services = ["dataprovider", "ocdav", "prometheus", "wellknown", "oidcprovider", "ocs"]
 enabled_middlewares = ["cors", "auth"]
 
 [http.middlewares.auth]
-gatewaysvc = "0.0.0.0:9999"
-auth_type = "oidc"
+gateway = "localhost:9999"
+auth_type = "oidc" # used to look up the authprovider in the authregistry by the gateway
 credential_strategy = "oidc"
 token_strategy = "header"
 token_writer = "header"
 token_manager = "jwt"
 skip_methods = [
+	"/favicon.ico",
 	"/status.php",
 	"/oauth2",
 	"/oauth2/auth", 
@@ -35,144 +58,140 @@ skip_methods = [
 [http.middlewares.auth.token_managers.jwt]
 secret = "Pive-Fumkiu4"
 
+[http.middlewares.cors]
+allow_credentials = true
+options_passthrough = true
 
 [http.services.wellknown]
-issuer = "http://0.0.0.0:10000"
-authorization_endpoint =  "http://0.0.0.0:10000/oauth2/auth"
-token_endpoint = "http://0.0.0.0:10000/oauth2/token" 
-revocation_endpoint =  "http://0.0.0.0:10000/oauth2/auth"
-introspection_endpoint =  "http://0.0.0.0:10000/oauth2/introspect"
-userinfo_endpoint =  "http://0.0.0.0:10000/oauth2/userinfo"
+issuer = "http://localhost:10000"
+authorization_endpoint =  "http://localhost:10000/oauth2/auth"
+token_endpoint = "http://localhost:10000/oauth2/token" 
+revocation_endpoint =  "http://localhost:10000/oauth2/auth"
+introspection_endpoint =  "http://localhost:10000/oauth2/introspect"
+userinfo_endpoint =  "http://localhost:10000/oauth2/userinfo"
 
 [http.services.oidcprovider]
-gatewaysvc = "0.0.0.0:9999"
+prefix = "oauth2"
+gateway = "localhost:9999"
 auth_type = "basic"
-issuer = "http://0.0.0.0:10000"
+issuer = "http://localhost:10000"
 
 [http.services.oidcprovider.clients.phoenix]
 id = "phoenix"
 client_secret = "$2a$10$IxMdI6d.LIRZPpSfEwNoeu4rY3FhDREsxFJXikcgdRRAStxUlsuEO"
-redirect_uris = ["http://localhost:8300/oidc-callback.html"]
+redirect_uris = ["http://localhost:8300/oidc-callback.html", "http://localhost:8300/"]
 grant_types = ["implicit", "refresh_token", "authorization_code", "password", "client_credentials"]
-response_types = ["id_token", "code", "token"]
+response_types = ["id_token token", "code"]
 scopes = ["openid", "profile", "email", "offline"]
 
-[http.middlewares.cors]
-allow_credentials = true
-options_passthrough = true
-
-
-[http.services.datasvc]
+[http.services.dataprovider]
 driver = "local"
 prefix = "data"
-temp_folder = "/var/tmp/"
+tmp_folder = "/var/tmp/"
 
-[http.services.datasvc.drivers.local]
+[http.services.dataprovider.drivers.local]
 root = "/var/tmp/reva/data"
 
-[http.services.ocdavsvc]
+[http.services.ocdav]
 prefix = ""
 chunk_folder = "/var/tmp/revad/chunks"
-gatewaysvc = "0.0.0.0:9999"
+gateway = "localhost:9999"
 
 [grpc]
-network = "tcp"
-address = "0.0.0.0:9999"
+#network = "tcp"
+# allow access from any host, not only localhost
+address = "0.0.0.0:9999" # "localhost:9999"
 enabled_services = [
-"storageprovidersvc",
-"authsvc",
-"storageregistrysvc",
-"preferencessvc",
-"usershareprovidersvc",
-"userprovidersvc",
-"gatewaysvc",
-"authregistrysvc",
+    "authprovider",         # provides basic auth
+    "storageprovider",      # handles storage metadata
+    "usershareprovider",    # provides user shares
+    "userprovider",         # provides user matadata (used to look up email, displayname etc after a login)
+    "preferences",          # provides user preferences
+    "gateway",              # to lookup services and authenticate requests
+    "authregistry",         # used by the gateway to look up auth providers
+    "storageregistry",      # used by the gateway to look up storage providers
 ]
 enabled_interceptors = ["auth"]
 
 [grpc.interceptors.auth]
 token_manager = "jwt"
+#header   = "x-access-token"
 skip_methods = [
-"/cs3.gatewayv0alpha.GatewayService/Authenticate",
-"/cs3.gatewayv0alpha.GatewayService/WhoAmI",
-"/cs3.gatewayv0alpha.GatewayService/GetUser",
-"/cs3.gatewayv0alpha.GatewayService/ListAuthProviders",
-"/cs3.authregistryv0alpha.AuthRegistryService/ListAuthProviders",
-"/cs3.authregistryv0alpha.AuthRegistryService/GetAuthProvider",
-"/cs3.authproviderv0alpha.AuthProviderService/Authenticate",
-"/cs3.userproviderv0alpha.UserProviderService/GetUser",
+    # we need to allow calls that happen during authentication
+	"/cs3.gatewayv0alpha.GatewayService/Authenticate",
+	"/cs3.gatewayv0alpha.GatewayService/WhoAmI",
+	"/cs3.gatewayv0alpha.GatewayService/GetUser",
+	"/cs3.gatewayv0alpha.GatewayService/ListAuthProviders",
+	"/cs3.authregistryv0alpha.AuthRegistryService/ListAuthProviders",
+	"/cs3.authregistryv0alpha.AuthRegistryService/GetAuthProvider",
+	"/cs3.authproviderv0alpha.AuthProviderService/Authenticate",
+	"/cs3.userproviderv0alpha.UserProviderService/GetUser",
 ]
 
 [grpc.interceptors.auth.token_managers.jwt]
 secret = "Pive-Fumkiu4"
 
-[grpc.services.userprovidersvc]
+[grpc.services.userprovider]
 driver = "json"
 
-[grpc.services.userprovidersvc.drivers.json]
+[grpc.services.userprovider.drivers.json]
 users = "./examples/users.demo.json"
 
-[grpc.services.authregistrysvc]
+[grpc.services.authregistry]
 driver = "static"
 
-[grpc.services.authregistrysvc.drivers.static.rules]
-"basic" = "0.0.0.0:9999"
-"oidc" = "0.0.0.0:9998"
+[grpc.services.authregistry.drivers.static.rules]
+basic = "localhost:9999"
+# needs to be started as a second service using the oidc-provider.toml
+oidc = "localhost:9998"
 
-
-[grpc.services.usershareprovidersvc]
+[grpc.services.usershareprovider]
 driver = "memory"
 
-[grpc.services.storageprovidersvc]
+[grpc.services.storageprovider]
 driver = "local"
 mount_path = "/"
 mount_id = "123e4567-e89b-12d3-a456-426655440000"
-data_server_url = "http://0.0.0.0:10000/data"
+data_server_url = "http://localhost:10000/data"
 expose_data_server = true
 
-[grpc.services.storageprovidersvc.available_checksums]
+[grpc.services.storageprovider.available_checksums]
 md5   = 100
 unset = 1000
 
-[grpc.services.storageprovidersvc.drivers.local]
+[grpc.services.storageprovider.drivers.local]
 root = "/var/tmp/reva/data"
 
-[grpc.services.authsvc]
-#auth_manager = "oidc"
+# cannot be started in the same process because it has to serve the same
+# "/cs3.authproviderv0alpha.AuthProviderService/Authenticate" request as the oidcprovider
+[grpc.services.authprovider]
 auth_manager = "json"
-userprovidersvc = "0.0.0.0:9999"
+userprovidersvc = "localhost:9999"
 
-[grpc.services.authsvc.auth_managers.json]
+[grpc.services.authprovider.auth_managers.json]
 users = "./examples/users.demo.json"
 
-#[grpc.services.authsvc.auth_managers.oidc]
-#provider = "http://0.0.0.0:10000"
-#insecure = true
-#client_id = "phoenix"
-#client_secret = "foobar"
-
-
-[grpc.services.storageregistrysvc]
+[grpc.services.storageregistry]
 driver = "static"
 
-[grpc.services.storageregistrysvc.drivers.static.rules]
-"/" = "0.0.0.0:9999"
-"123e4567-e89b-12d3-a456-426655440000" = "0.0.0.0:9999"
-
-
-[grpc.services.gatewaysvc]
-storageregistrysvc = "0.0.0.0:9999"
-authregistrysvc = "0.0.0.0:9999"
-userprovidersvc = "0.0.0.0:9999"
-publicshareprovidersvc = "0.0.0.0:9999"
-usershareprovidersvc = "0.0.0.0:9999"
-ocmshareprovidersvc = "0.0.0.0:9999"
-appregistrysvc = "0.0.0.0:9999"
-preferencessvc = "0.0.0.0:9999"
+[grpc.services.storageregistry.drivers.static.rules]
+"/" = "localhost:9999"
+"123e4567-e89b-12d3-a456-426655440000" = "localhost:9999"
+
+[grpc.services.gateway]
+authregistrysvc = "localhost:9999"
+storageregistrysvc = "localhost:9999"
+appregistrysvc = "localhost:9999"
+preferencessvc = "localhost:9999"
+usershareprovidersvc = "localhost:9999"
+publicshareprovidersvc = "localhost:9999"
+ocmshareprovidersvc = "localhost:9999"
+userprovidersvc = "localhost:9999"
 commit_share_to_storage_grant = true
-datagatewaysvc = "http://0.0.0.0:10000/data"
-shared_secret_key = "xyz"
+datagateway = "http://localhost:10000/data"
+transfer_shared_secret = "replace-me-with-a-transfer-secret"
+transfer_expires = 6 # give it a moment
 token_manager = "jwt"
 
-[grpc.services.gatewaysvc.token_managers.jwt]
+[grpc.services.gateway.token_managers.jwt]
 secret = "Pive-Fumkiu4"
diff --git a/examples/users.demo.json b/examples/users.demo.json
@@ -2,31 +2,34 @@
 	{
 		"id": {
 			"opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
-			"idp": "http://0.0.0.0:10000"
+			"idp": "http://localhost:10000"
 		},
 		"username": "einstein",
 		"secret": "relativity",
 		"mail": "einstein@example.org",
-		"display_name": "Albert Einstein"
+		"display_name": "Albert Einstein",
+		"groups": ["sailing-lovers", "violin-haters", "physics-lovers"]
 	},
 	{
 		"id": {
 			"opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
-			"idp": "http://0.0.0.0:10000"
+			"idp": "http://localhost:10000"
 		},
 		"username": "marie",
 		"secret": "radioactivity",
 		"mail": "marie@example.org",
-		"display_name": "Marie Curie"
+		"display_name": "Marie Curie",
+		"groups": ["radium-lovers", "polonium-lovers", "physics-lovers"]
 	},
 	{
 		"id": {
 			"opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
-			"idp": "http://0.0.0.0:10000"
+			"idp": "http://localhost:10000"
 		},
 		"username": "richard",
 		"secret": "superfluidity",
 		"mail": "richard@example.org",
-		"display_name": "Richard Feynman"
+		"display_name": "Richard Feynman",
+		"groups": ["quantum-lovers", "philosophy-haters", "physics-lovers"]
 	}
 ]