From 042a78f99ddd9aae31f7aae391c0d6ce5b16b6a1 Mon Sep 17 00:00:00 2001
From: Joachim Bauch
Date: Tue, 8 Aug 2023 10:54:47 +0200
Subject: [PATCH] Fallback to common shared secret if none is set for backends.
Only applies to static backend configuration.
---
 backend_configuration_test.go | 51 +++++++++++++++++++++++++++++++++++
 backend_storage_static.go | 12 ++++++---
 server.conf.in | 17 +++++++-----
 3 files changed, 70 insertions(+), 10 deletions(-)
diff --git a/backend_configuration_test.go b/backend_configuration_test.go
index 0a6389f..1ae52ec 100644
--- a/backend_configuration_test.go
+++ b/backend_configuration_test.go
@@ -617,3 +617,54 @@ func TestBackendConfiguration_Etcd(t *testing.T) {
 t.Errorf("Should have removed host information for %s", "domain1.invalid")
 }
 }
+
+func TestBackendCommonSecret(t *testing.T) {
+ u1, err := url.Parse("http://domain1.invalid")
+ if err != nil {
+ t.Fatal(err)
+ }
+ u2, err := url.Parse("http://domain2.invalid")
+ if err != nil {
+ t.Fatal(err)
+ }
+ original_config := goconf.NewConfigFile()
+ original_config.AddOption("backend", "backends", "backend1, backend2")
+ original_config.AddOption("backend", "secret", string(testBackendSecret))
+ original_config.AddOption("backend1", "url", u1.String())
+ original_config.AddOption("backend2", "url", u2.String())
+ original_config.AddOption("backend2", "secret", string(testBackendSecret)+"-backend2")
+ cfg, err := NewBackendConfiguration(original_config, nil)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if b1 := cfg.GetBackend(u1); b1 == nil {
+ t.Error("didn't get backend")
+ } else if !bytes.Equal(b1.Secret(), testBackendSecret) {
+ t.Errorf("expected secret %s, got %s", string(testBackendSecret), string(b1.Secret()))
+ }
+ if b2 := cfg.GetBackend(u2); b2 == nil {
+ t.Error("didn't get backend")
+ } else if !bytes.Equal(b2.Secret(), []byte(string(testBackendSecret)+"-backend2")) {
+ t.Errorf("expected secret %s, got %s", string(testBackendSecret)+"-backend2", string(b2.Secret()))
+ }
+
+ updated_config := goconf.NewConfigFile()
+ updated_config.AddOption("backend", "backends", "backend1, backend2")
+ updated_config.AddOption("backend", "secret", string(testBackendSecret))
+ updated_config.AddOption("backend1", "url", u1.String())
+ updated_config.AddOption("backend1", "secret", string(testBackendSecret)+"-backend1")
+ updated_config.AddOption("backend2", "url", u2.String())
+ cfg.Reload(updated_config)
+
+ if b1 := cfg.GetBackend(u1); b1 == nil {
+ t.Error("didn't get backend")
+ } else if !bytes.Equal(b1.Secret(), []byte(string(testBackendSecret)+"-backend1")) {
+ t.Errorf("expected secret %s, got %s", string(testBackendSecret)+"-backend1", string(b1.Secret()))
+ }
+ if b2 := cfg.GetBackend(u2); b2 == nil {
+ t.Error("didn't get backend")
+ } else if !bytes.Equal(b2.Secret(), testBackendSecret) {
+ t.Errorf("expected secret %s, got %s", string(testBackendSecret), string(b2.Secret()))
+ }
+}
diff --git a/backend_storage_static.go b/backend_storage_static.go
index 84f078c..d75427b 100644
--- a/backend_storage_static.go
+++ b/backend_storage_static.go
@@ -66,7 +66,7 @@ func NewBackendStorageStatic(config *goconf.ConfigFile) (BackendStorage, error)
 }
 numBackends++
 } else if backendIds, _ := config.GetString("backend", "backends"); backendIds != "" {
- for host, configuredBackends := range getConfiguredHosts(backendIds, config) {
+ for host, configuredBackends := range getConfiguredHosts(backendIds, config, commonSecret) {
 backends[host] = append(backends[host], configuredBackends...)
 for _, be := range configuredBackends {
 log.Printf("Backend %s added for %s", be.id, be.url)
@@ -196,7 +196,7 @@ func getConfiguredBackendIDs(backendIds string) (ids []string) {
 return ids
 }
-func getConfiguredHosts(backendIds string, config *goconf.ConfigFile) (hosts map[string][]*Backend) {
+func getConfiguredHosts(backendIds string, config *goconf.ConfigFile, commonSecret string) (hosts map[string][]*Backend) {
 hosts = make(map[string][]*Backend)
 for _, id := range getConfiguredBackendIDs(backendIds) {
 u, _ := config.GetString(id, "url")
@@ -220,6 +220,10 @@ func getConfiguredHosts(backendIds string, config *goconf.ConfigFile) (hosts map
 }
 secret, _ := config.GetString(id, "secret")
+ if secret == "" && commonSecret != "" {
+ log.Printf("Backend %s has no own shared secret set, using common shared secret", id)
+ secret = commonSecret
+ }
 if u == "" || secret == "" {
 log.Printf("Backend %s is missing or incomplete, skipping", id)
 continue
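Review bot: The new locals `original_config` and `updated_config` are snake_case, while the surrounding locals (`u1`, `cfg`, `testBackendSecret`) follow Go's MixedCaps convention; rename them to `originalConfig` and `updatedConfig`. The test also never pins the case the fallback must leave alone: a backend with neither its own `secret` nor a `[backend] secret` is still expected to be skipped by getConfiguredHosts, so a third config with only the two URLs set and `if b := cfg.GetBackend(u1); b != nil { t.Error("backend without any secret should be skipped") }` would guard against a backend ever being accepted without a credential. Both halves of the test currently only show the positive fallback direction.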
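Review bot: getConfiguredHosts gains a `commonSecret` parameter but still carries no doc comment, so the precedence between a backend's own `secret` option and the common one is only discoverable by reading the body. A comment such as `// getConfiguredHosts maps each host to the static backends listed in backendIds. A backend without its own "secret" option uses commonSecret instead; entries with no URL or no secret at all are skipped.` above the signature would state the contract in one place. The function body continues outside this hunk.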
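Review bot: The fallback runs before the `u == "" || secret == ""` check, so a backend id that has no `url` first logs "using common shared secret" and is then skipped as "missing or incomplete", which reads as contradictory in the log; guarding the fallback with the URL, `if u != "" && secret == "" && commonSecret != "" {`, avoids the misleading first message. Note for reviewers that a static backend with no own secret used to be dropped and is now activated with the shared credential, so this log line is the only visible signal that two backends authenticate with the same secret — it should remain at a level operators normally see (only log.Printf is visible here, so I cannot tell whether the project has log levels). The enclosing function starts and ends outside the hunk.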
@@ -269,8 +273,10 @@ func (s *backendStorageStatic) Reload(config *goconf.ConfigFile) {
 return
 }
+ commonSecret, _ := config.GetString("backend", "secret")
+
 if backendIds, _ := config.GetString("backend", "backends"); backendIds != "" {
- configuredHosts := getConfiguredHosts(backendIds, config)
+ configuredHosts := getConfiguredHosts(backendIds, config, commonSecret)
 // remove backends that are no longer configured
 for hostname := range s.backends {
diff --git a/server.conf.in b/server.conf.in
index b071b9f..2a44a9a 100644
--- a/server.conf.in
+++ b/server.conf.in
@@ -86,9 +86,10 @@ internalsecret = the-shared-secret-for-internal-clients
 # only be used while running the benchmark client against the server.
 allowall = false
-# Common shared secret for requests from and to the backend servers if
-# "allowall" is enabled. This must be the same value as configured in the
-# Nextcloud admin ui.
+# Common shared secret for requests from and to the backend servers. Used if
+# "allowall" is enabled or as fallback for individual backends that don't have
+# their own secret set.
+# This must be the same value as configured in the Nextcloud admin ui.
 #secret = the-shared-secret-for-allowall
 # Timeout in seconds for requests to the backend.
@@ -109,8 +110,9 @@ connectionsperhost = 8
 # URL of the Nextcloud instance
 #url = https://cloud.domain.invalid
-# Shared secret for requests from and to the backend servers. This must be the
-# same value as configured in the Nextcloud admin ui.
+# Shared secret for requests from and to the backend servers. Leave empty to use
+# the common shared secret from above.
+# This must be the same value as configured in the Nextcloud admin ui.
 #secret = the-shared-secret
 # Limit the number of sessions that are allowed to connect to this backend.
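Review bot: `commonSecret` is read in Reload outside the `if backendIds ...` guard although, within the hunk, only the getConfiguredHosts call uses it; unless the rest of Reload (which continues outside the hunk) needs the value, moving `commonSecret, _ := config.GetString("backend", "secret")` into the `if` body keeps it scoped the same way `backendIds` is on the next line. NewBackendStorageStatic now presumably reads the same `[backend] secret` key for the `commonSecret` it passes in its own hunk; a tiny helper returning that value would keep the key name in one place. Dropping the GetString error matches the pattern already used for `backendIds`, so no change is needed there.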
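Review bot: The rewritten `secret` comment says the common value is a fallback for individual backends without their own secret, but the commit description restricts this to the static backend configuration, and that restriction is missing from the template; an operator using the etcd-backed configuration (the test file refers to one) could read this and expect a fallback that presumably does not apply there. Suggest `# their own secret set (static backend configuration only).` for the third comment line, and the same qualifier fits the per-backend `secret` comments in the two following hunks. Since one value now authenticates several backends, it is also worth a short sentence that a backend relying on the fallback cannot have its secret rotated independently of the others.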
@@ -129,8 +131,9 @@ connectionsperhost = 8
 # URL of the Nextcloud instance
 #url = https://cloud.otherdomain.invalid
-# Shared secret for requests from and to the backend servers. This must be the
-# same value as configured in the Nextcloud admin ui.
+# Shared secret for requests from and to the backend servers. Leave empty to use
+# the common shared secret from above.
+# This must be the same value as configured in the Nextcloud admin ui.
 #secret = the-shared-secret
 [nats]