Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(GlobalScale) lock federation to internal #19391

Closed

Conversation

ArtificialOwl
Copy link
Member

@ArtificialOwl ArtificialOwl commented Feb 10, 2020

This is a long awaited feature: having gs.federation = 'internal' working.
In a GlobalScale setup, in order to have its users being able to share files to users from another instance of Nextcloud, admin must enable the global federation shares. Meaning that it is not possible to enable the federation share only for local instances defined within the lookup-server.
As a side note, the value is currently 'internal' by default, meaning that if the admin does not set the gs.federation to 'external' (and open the federated shares to the outside), shares between local instances of GS are not available. This PR respects the default value.

This PR will allow to manage those entries in config/config.php:

gs.federation = 'internal'
to limit all shares only to local instances of the GS.

gs.federation.incoming = 'internal'
to limit incoming shares only to local instances of the GS

gs.federation.outgoing = 'internal'
to limit incoming shares only to local instances of the GS

How is it working:

  • if the config is set to internal, federated shares a allowed without checking the settings related to federated shares.

  • When creating a federated shares, if the outgoing shares is limited to internal, we check that the address of the remote recipient is considered as local before initiating the generation of the federated share.

  • To avoid some spoofing from an external request, a password is added to the share during the exchange, but not stored. The password is based on the token of the share and the jwt key from the config/config.php. The password is added regardless of the limitation to internal outgoing shares, as long as the address of the recipient is known by the lookup-server.

  • When receiving a federated share, if the incoming shares is limited to internal, we compare the password of the share.

This way, every instances of the GlobalScale setup can have their own setup regarding internal/external federated shares.

WIP

Tests are not yet implemented, this edit affect so many files and test might ask for a lot of work, please review and confirm the concept first.

dependencies

To retrieve the local instances of a LUS: nextcloud/lookup-server#43

Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
cleaning

Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
@ArtificialOwl ArtificialOwl added this to the Nextcloud 19 milestone Mar 2, 2020
@ArtificialOwl ArtificialOwl added the 3. to review Waiting for reviews label Mar 2, 2020
This was referenced Apr 4, 2020
This was referenced Apr 15, 2020
@rullzer rullzer mentioned this pull request Apr 23, 2020
11 tasks
@rullzer rullzer removed this from the Nextcloud 19 milestone Apr 30, 2020
@rullzer
Copy link
Member

rullzer commented Mar 30, 2021

I'm going to close this due to lack of activity.
Feel free to reopen if anybody wants to continue.

@rullzer rullzer closed this Mar 30, 2021
@rullzer rullzer deleted the feature/noid/lock-federation-to-internal branch March 30, 2021 19:41
@ArtificialOwl
Copy link
Member Author

Well, it would have been nice to have at least a review on the way to implement the solution

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants