introduce OCIS_INSECURE option

.drone.star

@@ -1474,16 +1474,7 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = []):
         "IDP_IDENTIFIER_REGISTRATION_CONF": "/drone/src/tests/config/drone/identifier-registration.yml",
         "OCIS_LOG_LEVEL": "error",
         "SETTINGS_DATA_PATH": "/srv/app/tmp/ocis/settings",
-        "PROXY_OIDC_INSECURE": "true",
-        "THUMBNAILS_WEBDAVSOURCE_INSECURE": "true",
-        "THUMBNAILS_CS3SOURCE_INSECURE": "true",
-        "STORAGE_OIDC_INSECURE": "true",
-        "STORAGE_HOME_DATAPROVIDER_INSECURE": "true",
-        "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true",
-        "STORAGE_USERS_DATAPROVIDER_INSECURE": "true",
-        "STORAGE_FRONTEND_OCDAV_INSECURE": "true",
-        "STORAGE_FRONTEND_ARCHIVER_INSECURE": "true",
-        "STORAGE_FRONTEND_APPPROVIDER_INSECURE": "true",
+        "OCIS_INSECURE": "true",
     }
 
     # Pass in "default" accounts_hash_difficulty to not set this environment variable.

.vscode/launch.json

@@ -18,16 +18,7 @@
                 // enable basic auth for dev setup so that we can use curl for testing
                 "PROXY_ENABLE_BASIC_AUTH": "true",
                 // set insecure options because we don't have valid certificates in dev environments
-                "PROXY_OIDC_INSECURE": "true",
-                "THUMBNAILS_WEBDAVSOURCE_INSECURE": "true",
-                "THUMBNAILS_CS3SOURCE_INSECURE": "true",
-                "STORAGE_OIDC_INSECURE": "true",
-                "STORAGE_HOME_DATAPROVIDER_INSECURE": "true",
-                "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true",
-                "STORAGE_USERS_DATAPROVIDER_INSECURE": "true",
-                "STORAGE_FRONTEND_OCDAV_INSECURE": "true",
-                "STORAGE_FRONTEND_ARCHIVER_INSECURE": "true",
-                "STORAGE_FRONTEND_APPPROVIDER_INSECURE": "true",
+                "OCIS_INSECURE": "true",
             }
         },
     ]

changelog/unreleased/insecure-options.md

@@ -1,4 +1,4 @@
-Enhancement: Make insecure options configurable
+Change: Make insecure options configurable
 
 We had several hard-coded 'insecure' flags. These options are now configurable and default to false. Also we changed all other 'insecure' flags with a previous default of true to false. In development environments using self signed certs (the default) you need to set these flags:
 
@@ -15,5 +15,11 @@ THUMBNAILS_CS3SOURCE_INSECURE=true
 THUMBNAILS_WEBDAVSOURCE_INSECURE=true
 ```
 
+As an alternative you also can set a single flag, which configures all options together:
+
+```
+OCIS_INSECURE=true
+```
+
 https://github.com/owncloud/ocis/issues/2700
 https://github.com/owncloud/ocis/pull/2745

deployments/examples/cs3_users_ocis/docker-compose.yml

@@ -87,16 +87,7 @@ services:
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
       OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
       # INSECURE: needed if oCIS / Traefik is using self generated certificates
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
-      STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
-      STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ./config/ocis/web-config.dist.json:/config/web-config.dist.json

deployments/examples/oc10_ocis_parallel/docker-compose.yml

@@ -117,16 +117,7 @@ services:
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
       OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
       # INSECURE: needed if oCIS / Traefik is using self generated certificates
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
-      STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
-      STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ./config/ocis/proxy-config.dist.json:/config/proxy-config.dist.json

deployments/examples/ocis_hello/docker-compose.yml

@@ -67,16 +67,7 @@ services:
       # make settings service available to oCIS Hello
       SETTINGS_GRPC_ADDR: 0.0.0.0:9191
       # INSECURE: needed if oCIS / Traefik is using self generated certificates
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
-      STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
-      STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ./config/ocis/web-config.dist.json:/config/web-config.dist.json

deployments/examples/ocis_keycloak/docker-compose.yml

@@ -71,16 +71,7 @@ services:
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
       OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
       # INSECURE: needed if oCIS / Traefik is using self generated certificates
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
-      STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
-      STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/lib/ocis

deployments/examples/ocis_s3/docker-compose.yml

@@ -70,16 +70,7 @@ services:
       STORAGE_USERS_DRIVER_S3NG_SECRET_KEY: ${MINIO_SECRET_KEY:-ocis-secret-key}
       STORAGE_USERS_DRIVER_S3NG_BUCKET: ${MINIO_BUCKET:-ocis-bucket}
       # INSECURE: needed if oCIS / Traefik is using self generated certificates
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
-      STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
-      STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/lib/ocis

deployments/examples/ocis_traefik/docker-compose.yml

@@ -60,16 +60,7 @@ services:
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
       OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
       # INSECURE: needed if oCIS / Traefik is using self generated certificates
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
-      STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
-      STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/lib/ocis

deployments/examples/ocis_wopi/docker-compose.yml

@@ -69,16 +69,7 @@ services:
       STORAGE_GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
       STORAGE_APP_REGISTRY_MIMETYPES_JSON: /var/tmp/ocis/app-config/mimetypes.json
       # INSECURE: needed if oCIS / Traefik is using self generated certificates
-      PROXY_OIDC_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_WEBDAVSOURCE_INSECURE: "${INSECURE:-false}"
-      THUMBNAILS_CS3SOURCE_INSECURE: "${INSECURE:-false}"
-      STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
-      STORAGE_HOME_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_METADATA_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_USERS_DATAPROVIDER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_OCDAV_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_ARCHIVER_INSECURE: "${INSECURE:-false}"
-      STORAGE_FRONTEND_APPPROVIDER_INSECURE: "${INSECURE:-false}"
+      OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ./config/ocis/mimetypes.json:/var/tmp/ocis/app-config/mimetypes.json

docs/ocis/deployment/basic-remote-setup.md

@@ -29,9 +29,10 @@ For the following examples you need to have the oCIS binary in your current work
 
 ### Using automatically generated certificates
 
-In order to run oCIS with automatically generated and self signed certificates please execute following command. You need to replace `your-host` with an IP or hostname.
+In order to run oCIS with automatically generated and self signed certificates please execute following command. You need to replace `your-host` with an IP or hostname. Since you have only self signed certificates you need to have `OCIS_INSECURE` set to `true`.
 
 ```bash
+OCIS_INSECURE=true \
 PROXY_HTTP_ADDR=0.0.0.0:9200 \
 OCIS_URL=https://your-host:9200 \
 ./ocis server
@@ -42,13 +43,16 @@ OCIS_URL=https://your-host:9200 \
 If you have your own certificates already in place, you may want to make oCIS use them:
 
 ```bash
+OCIS_INSECURE=false \
 PROXY_HTTP_ADDR=0.0.0.0:9200 \
 OCIS_URL=https://your-host:9200 \
 PROXY_TRANSPORT_TLS_KEY=./certs/your-host.key \
 PROXY_TRANSPORT_TLS_CERT=./certs/your-host.crt \
 ./ocis server
 ```
 
+If you generated these certificates on your own, you might need to set `OCIS_INSECURE` to `true`.
+
 For more configuration options check the configuration section in [oCIS]({{< ref "../configuration" >}}) and the oCIS extensions.
 
 ## Start the oCIS fullstack server with Docker Compose

docs/ocis/deployment/systemd.md

@@ -45,6 +45,7 @@ In order to create the file we need first to create the folder `/etc/ocis/` and
 ```
 OCIS_URL=https://some-hostname-or-ip:9200
 PROXY_HTTP_ADDR=0.0.0.0:9200
+OCIS_INSECURE=false
 
 OCIS_LOG_LEVEL=error
 
@@ -56,7 +57,7 @@ PROXY_TRANSPORT_TLS_CERT=/etc/ocis/proxy/server.crt
 PROXY_TRANSPORT_TLS_KEY=/etc/ocis/proxy/server.key
 ```
 
-Please change your `OCIS_URL` in order to reflect your actual deployment.
+Please change your `OCIS_URL` in order to reflect your actual deployment. If you are using self signed certificates you need to set `OCIS_INSECURE=true` in `/etc/ocis/ocis.env`.
 
 
 ## Starting the oCIS service

proxy/pkg/flagset/flagset.go

@@ -210,7 +210,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "oidc-insecure",
 			Value:       flags.OverrideDefaultBool(cfg.OIDC.Insecure, false),
 			Usage:       "OIDC allow insecure communication",
-			EnvVars:     []string{"PROXY_OIDC_INSECURE"},
+			EnvVars:     []string{"PROXY_OIDC_INSECURE", "OCIS_INSECURE"},
 			Destination: &cfg.OIDC.Insecure,
 		},
 		&cli.IntFlag{

storage/pkg/flagset/authbearer.go

@@ -32,7 +32,7 @@ func AuthBearerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "oidc-insecure",
 			Value:       flags.OverrideDefaultBool(cfg.Reva.OIDC.Insecure, false),
 			Usage:       "OIDC allow insecure communication",
-			EnvVars:     []string{"STORAGE_OIDC_INSECURE"},
+			EnvVars:     []string{"STORAGE_OIDC_INSECURE", "OCIS_INSECURE"},
 			Destination: &cfg.Reva.OIDC.Insecure,
 		},
 		&cli.StringFlag{

storage/pkg/flagset/frontend.go

@@ -123,7 +123,7 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "approvider-insecure",
 			Value:       flags.OverrideDefaultBool(cfg.Reva.Frontend.AppProviderInsecure, false),
 			Usage:       "approvider insecure",
-			EnvVars:     []string{"STORAGE_FRONTEND_APPPROVIDER_INSECURE"},
+			EnvVars:     []string{"STORAGE_FRONTEND_APPPROVIDER_INSECURE", "OCIS_INSECURE"},
 			Destination: &cfg.Reva.Frontend.AppProviderInsecure,
 		},
 		&cli.StringFlag{
@@ -137,7 +137,7 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "archiver-insecure",
 			Value:       flags.OverrideDefaultBool(cfg.Reva.Frontend.ArchiverInsecure, false),
 			Usage:       "archiver insecure",
-			EnvVars:     []string{"STORAGE_FRONTEND_ARCHIVER_INSECURE"},
+			EnvVars:     []string{"STORAGE_FRONTEND_ARCHIVER_INSECURE", "OCIS_INSECURE"},
 			Destination: &cfg.Reva.Frontend.ArchiverInsecure,
 		},
 		&cli.StringFlag{
@@ -165,7 +165,7 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "ocdav-insecure",
 			Value:       flags.OverrideDefaultBool(cfg.Reva.Frontend.OCDavInsecure, false),
 			Usage:       "owncloud webdav insecure",
-			EnvVars:     []string{"STORAGE_FRONTEND_OCDAV_INSECURE"},
+			EnvVars:     []string{"STORAGE_FRONTEND_OCDAV_INSECURE", "OCIS_INSECURE"},
 			Destination: &cfg.Reva.Frontend.OCDavInsecure,
 		},
 		&cli.StringFlag{

storage/pkg/flagset/storagehome.go

@@ -134,7 +134,7 @@ func StorageHomeWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "dataprovider-insecure",
 			Value:       flags.OverrideDefaultBool(cfg.Reva.StorageHome.DataProvider.Insecure, false),
 			Usage:       "dataprovider insecure",
-			EnvVars:     []string{"STORAGE_HOME_DATAPROVIDER_INSECURE"},
+			EnvVars:     []string{"STORAGE_HOME_DATAPROVIDER_INSECURE", "OCIS_INSECURE"},
 			Destination: &cfg.Reva.StorageHome.DataProvider.Insecure,
 		},
 

storage/pkg/flagset/storagemetadata.go

@@ -73,7 +73,7 @@ func StorageMetadata(cfg *config.Config) []cli.Flag {
 			Name:        "dataprovider-insecure",
 			Value:       flags.OverrideDefaultBool(cfg.Reva.StorageMetadata.DataProvider.Insecure, false),
 			Usage:       "dataprovider insecure",
-			EnvVars:     []string{"STORAGE_METADATA_DATAPROVIDER_INSECURE"},
+			EnvVars:     []string{"STORAGE_METADATA_DATAPROVIDER_INSECURE", "OCIS_INSECURE"},
 			Destination: &cfg.Reva.StorageMetadata.DataProvider.Insecure,
 		},
 

storage/pkg/flagset/storageusers.go

@@ -82,7 +82,7 @@ func StorageUsersWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "dataprovider-insecure",
 			Value:       flags.OverrideDefaultBool(cfg.Reva.StorageUsers.DataProvider.Insecure, false),
 			Usage:       "dataprovider insecure",
-			EnvVars:     []string{"STORAGE_USERS_DATAPROVIDER_INSECURE"},
+			EnvVars:     []string{"STORAGE_USERS_DATAPROVIDER_INSECURE", "OCIS_INSECURE"},
 			Destination: &cfg.Reva.StorageUsers.DataProvider.Insecure,
 		},
 		&cli.BoolFlag{

tests/acceptance/docker/src/ocis-base.yml

@@ -14,6 +14,7 @@ services:
       WEB_UI_CONFIG: /drone/src/tests/config/drone/ocis-config.json
       IDP_IDENTIFIER_REGISTRATION_CONF: /drone/src/tests/config/drone/identifier-registration.yml
       ACCOUNTS_HASH_DIFFICULTY: 4
+      OCIS_INSECURE: "true"
       # s3ng specific settings
       STORAGE_USERS_DRIVER_S3NG_ENDPOINT: http://ceph:8080
       STORAGE_USERS_DRIVER_S3NG_REGION: default

thumbnails/pkg/flagset/flagset.go

@@ -156,14 +156,14 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "webdavsource-insecure",
 			Value:       flags.OverrideDefaultBool(cfg.Thumbnail.WebdavAllowInsecure, false),
 			Usage:       "Whether to skip certificate checks",
-			EnvVars:     []string{"THUMBNAILS_WEBDAVSOURCE_INSECURE"},
+			EnvVars:     []string{"THUMBNAILS_WEBDAVSOURCE_INSECURE", "OCIS_INSECURE"},
 			Destination: &cfg.Thumbnail.WebdavAllowInsecure,
 		},
 		&cli.BoolFlag{
 			Name:        "cs3source-insecure",
 			Value:       flags.OverrideDefaultBool(cfg.Thumbnail.CS3AllowInsecure, false),
 			Usage:       "Whether to skip certificate checks",
-			EnvVars:     []string{"THUMBNAILS_CS3SOURCE_INSECURE"},
+			EnvVars:     []string{"THUMBNAILS_CS3SOURCE_INSECURE", "OCIS_INSECURE"},
 			Destination: &cfg.Thumbnail.CS3AllowInsecure,
 		},
 		&cli.StringSliceFlag{