(GlobalScale) lock federation to internal #19391
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
kesselb
reviewed
Feb 10, 2020
Signed-off-by: Maxence Lange <maxence@artificial-owl.com> cleaning Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
ArtificialOwl
force-pushed
the
feature/noid/lock-federation-to-internal
branch
from
175374b
to
a2a0e63
Compare
|
I'm going to close this due to lack of activity. |
|
Well, it would have been nice to have at least a review on the way to implement the solution |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a long awaited feature: having
gs.federation = 'internal'working.In a GlobalScale setup, in order to have its users being able to share files to users from another instance of Nextcloud, admin must enable the global federation shares. Meaning that it is not possible to enable the federation share only for local instances defined within the lookup-server.
As a side note, the value is currently 'internal' by default, meaning that if the admin does not set the
gs.federationto'external'(and open the federated shares to the outside), shares between local instances of GS are not available. This PR respects the default value.This PR will allow to manage those entries in
config/config.php:gs.federation = 'internal'to limit all shares only to local instances of the GS.
gs.federation.incoming = 'internal'to limit incoming shares only to local instances of the GS
gs.federation.outgoing = 'internal'to limit incoming shares only to local instances of the GS
How is it working:
if the config is set to internal, federated shares a allowed without checking the settings related to federated shares.
When creating a federated shares, if the outgoing shares is limited to internal, we check that the address of the remote recipient is considered as local before initiating the generation of the federated share.
To avoid some spoofing from an external request, a password is added to the share during the exchange, but not stored. The password is based on the token of the share and the jwt key from the
config/config.php. The password is added regardless of the limitation to internal outgoing shares, as long as the address of the recipient is known by the lookup-server.When receiving a federated share, if the incoming shares is limited to internal, we compare the password of the share.
This way, every instances of the GlobalScale setup can have their own setup regarding internal/external federated shares.
WIP
Tests are not yet implemented, this edit affect so many files and test might ask for a lot of work, please review and confirm the concept first.
dependencies
To retrieve the local instances of a LUS: nextcloud/lookup-server#43