Fallback to common shared secret if none is set for backends.

Only applies to static backend configuration.

backend_configuration_test.go

@@ -617,3 +617,54 @@ func TestBackendConfiguration_Etcd(t *testing.T) {
 		t.Errorf("Should have removed host information for %s", "domain1.invalid")
 	}
 }
+
+func TestBackendCommonSecret(t *testing.T) {
+	u1, err := url.Parse("http://domain1.invalid")
+	if err != nil {
+		t.Fatal(err)
+	}
+	u2, err := url.Parse("http://domain2.invalid")
+	if err != nil {
+		t.Fatal(err)
+	}
+	original_config := goconf.NewConfigFile()
+	original_config.AddOption("backend", "backends", "backend1, backend2")
+	original_config.AddOption("backend", "secret", string(testBackendSecret))
+	original_config.AddOption("backend1", "url", u1.String())
+	original_config.AddOption("backend2", "url", u2.String())
+	original_config.AddOption("backend2", "secret", string(testBackendSecret)+"-backend2")
+	cfg, err := NewBackendConfiguration(original_config, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if b1 := cfg.GetBackend(u1); b1 == nil {
+		t.Error("didn't get backend")
+	} else if !bytes.Equal(b1.Secret(), testBackendSecret) {
+		t.Errorf("expected secret %s, got %s", string(testBackendSecret), string(b1.Secret()))
+	}
+	if b2 := cfg.GetBackend(u2); b2 == nil {
+		t.Error("didn't get backend")
+	} else if !bytes.Equal(b2.Secret(), []byte(string(testBackendSecret)+"-backend2")) {
+		t.Errorf("expected secret %s, got %s", string(testBackendSecret)+"-backend2", string(b2.Secret()))
+	}
+
+	updated_config := goconf.NewConfigFile()
+	updated_config.AddOption("backend", "backends", "backend1, backend2")
+	updated_config.AddOption("backend", "secret", string(testBackendSecret))
+	updated_config.AddOption("backend1", "url", u1.String())
+	updated_config.AddOption("backend1", "secret", string(testBackendSecret)+"-backend1")
+	updated_config.AddOption("backend2", "url", u2.String())
+	cfg.Reload(updated_config)
+
+	if b1 := cfg.GetBackend(u1); b1 == nil {
+		t.Error("didn't get backend")
+	} else if !bytes.Equal(b1.Secret(), []byte(string(testBackendSecret)+"-backend1")) {
+		t.Errorf("expected secret %s, got %s", string(testBackendSecret)+"-backend1", string(b1.Secret()))
+	}
+	if b2 := cfg.GetBackend(u2); b2 == nil {
+		t.Error("didn't get backend")
+	} else if !bytes.Equal(b2.Secret(), testBackendSecret) {
+		t.Errorf("expected secret %s, got %s", string(testBackendSecret), string(b2.Secret()))
+	}
+}

backend_storage_static.go

@@ -66,7 +66,7 @@ func NewBackendStorageStatic(config *goconf.ConfigFile) (BackendStorage, error)
 		}
 		numBackends++
 	} else if backendIds, _ := config.GetString("backend", "backends"); backendIds != "" {
-		for host, configuredBackends := range getConfiguredHosts(backendIds, config) {
+		for host, configuredBackends := range getConfiguredHosts(backendIds, config, commonSecret) {
 			backends[host] = append(backends[host], configuredBackends...)
 			for _, be := range configuredBackends {
 				log.Printf("Backend %s added for %s", be.id, be.url)
@@ -196,7 +196,7 @@ func getConfiguredBackendIDs(backendIds string) (ids []string) {
 	return ids
 }
 
-func getConfiguredHosts(backendIds string, config *goconf.ConfigFile) (hosts map[string][]*Backend) {
+func getConfiguredHosts(backendIds string, config *goconf.ConfigFile, commonSecret string) (hosts map[string][]*Backend) {
 	hosts = make(map[string][]*Backend)
 	for _, id := range getConfiguredBackendIDs(backendIds) {
 		u, _ := config.GetString(id, "url")
@@ -220,6 +220,10 @@ func getConfiguredHosts(backendIds string, config *goconf.ConfigFile) (hosts map
 		}
 
 		secret, _ := config.GetString(id, "secret")
+		if secret == "" && commonSecret != "" {
+			log.Printf("Backend %s has no own shared secret set, using common shared secret", id)
+			secret = commonSecret
+		}
 		if u == "" || secret == "" {
 			log.Printf("Backend %s is missing or incomplete, skipping", id)
 			continue
@@ -269,8 +273,10 @@ func (s *backendStorageStatic) Reload(config *goconf.ConfigFile) {
 		return
 	}
 
+	commonSecret, _ := config.GetString("backend", "secret")
+
 	if backendIds, _ := config.GetString("backend", "backends"); backendIds != "" {
-		configuredHosts := getConfiguredHosts(backendIds, config)
+		configuredHosts := getConfiguredHosts(backendIds, config, commonSecret)
 
 		// remove backends that are no longer configured
 		for hostname := range s.backends {

server.conf.in

@@ -86,9 +86,10 @@ internalsecret = the-shared-secret-for-internal-clients
 # only be used while running the benchmark client against the server.
 allowall = false
 
-# Common shared secret for requests from and to the backend servers if
-# "allowall" is enabled. This must be the same value as configured in the
-# Nextcloud admin ui.
+# Common shared secret for requests from and to the backend servers. Used if
+# "allowall" is enabled or as fallback for individual backends that don't have
+# their own secret set.
+# This must be the same value as configured in the Nextcloud admin ui.
 #secret = the-shared-secret-for-allowall
 
 # Timeout in seconds for requests to the backend.
@@ -109,8 +110,9 @@ connectionsperhost = 8
 # URL of the Nextcloud instance
 #url = https://cloud.domain.invalid
 
-# Shared secret for requests from and to the backend servers. This must be the
-# same value as configured in the Nextcloud admin ui.
+# Shared secret for requests from and to the backend servers. Leave empty to use
+# the common shared secret from above.
+# This must be the same value as configured in the Nextcloud admin ui.
 #secret = the-shared-secret
 
 # Limit the number of sessions that are allowed to connect to this backend.
@@ -129,8 +131,9 @@ connectionsperhost = 8
 # URL of the Nextcloud instance
 #url = https://cloud.otherdomain.invalid
 
-# Shared secret for requests from and to the backend servers. This must be the
-# same value as configured in the Nextcloud admin ui.
+# Shared secret for requests from and to the backend servers. Leave empty to use
+# the common shared secret from above.
+# This must be the same value as configured in the Nextcloud admin ui.
 #secret = the-shared-secret
 
 [nats]