diff --git a/.gitignore b/.gitignore
index 7766f358..1abcdecb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@ postgres/data/*
 nextcloud/html/*
 !nextcloud/html/.keep
+nextcloud/conf/*
 web/logs/*
 web/upload/*
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
index 066cff90..02fa96a4 100644
--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -47,8 +47,6 @@ services:
 condition: service_healthy
 build:
 context: ./nextcloud
- env_file:
- - ${ENV_FILE_OVERRIDE-web.env} # to get shared NEXTCLOUD_SESSIONTOKEN_KEY
 environment:
 - POSTGRES_DB=nextcloud
 - POSTGRES_USER=postgres
@@ -62,6 +60,7 @@ services:
 - NEXTCLOUD_ALLOW_ORIGIN=http://localhost:5000 # allow local browser to pick nextcloud files
 volumes:
 - ./nextcloud/html:/var/www/html
+ - ./nextcloud/conf:/var/www/conf # to share Nextcloud Sessiontoken generated key file
 ports:
 - 80:80
 healthcheck:
@@ -75,11 +74,12 @@ services:
 nextcloud:
 condition: service_healthy
 env_file:
- - ${ENV_FILE_OVERRIDE-web.env} # to get shared NC_LOGIN_API_KEY and NEXTCLOUD_SESSIONTOKEN_KEY
+ - ${ENV_FILE_OVERRIDE-web.env} # to get shared NC_LOGIN_API_KEY
 environment:
 - NC_HOST=http://nextcloud # nextcloud service in docker network
 volumes:
 - ./tokenmock:/var/www/html
+ - ./nextcloud/conf:/var/www/conf # to get shared Nextcloud Sessiontoken generated key
 ports:
 - 9000:80
diff --git a/documentation/developers/meetingFiles.md b/documentation/developers/meetingFiles.md
index 22cafe94..69204d7f 100644
--- a/documentation/developers/meetingFiles.md
+++ b/documentation/developers/meetingFiles.md
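Review bot: The `./nextcloud/conf:/var/www/conf` bind mount added under the tokenmock service (third docker-compose hunk) is read-write although tokenmock only reads the generated key; mount it read-only, `- ./nextcloud/conf:/var/www/conf:ro`, so a misbehaving or compromised tokenmock cannot overwrite or truncate the key that the Nextcloud healthcheck and the sessiontoken app depend on. The same host directory is written by the nextcloud service (second hunk), which is the producer and can stay read-write. Since this is a host path, the plaintext key is now materialised at `./nextcloud/conf/key.txt` on the developer machine (gitignored by the first hunk); the comment on the mount should say so, e.g. `# plaintext sessiontoken key generated by nextcloud/apache2-sessiontoken; read-only here`.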
@@ -41,10 +41,11 @@ Pour vérifier que la communication entre chacun des conteneurs fonctionne corre
 #### Vérifier que Nextcloud renvoie des autorisations
+- Le plugin [Nextcloud Sessiontoken](https://gitlab.octopuce.fr/octopuce-public/nextcloud-sessiontoken) génère une clé au lancement du service Nextcloud trouvable dans `/nextcloud/conf/key.txt`
 - se connecter sur le service `tokenmock` avec `docker exec -it id /bin/bash`
-- faire un appel vers le service Nextcloud en passant par le session token et en indiquant l'utilisateur concerné (comme le `bbb-visio-user` par exemple) :
+- faire un appel vers le service Nextcloud en passant par le session token et en indiquant la clé générée et l'utilisateur concerné (comme le `bbb-visio-user` par exemple) :
 ```
-curl -X POST $NC_HOST/apps/sessiontoken/token -d "apikey=$NEXTCLOUD_SESSIONTOKEN_KEY&user=relevant-b3desk-username&name=device_name"
+curl -X POST $NC_HOST/apps/sessiontoken/token -d "apikey=[nextcloud-sessiontoken-generated-key]&user=relevant-b3desk-username&name=device_name"
 ```
 - le conteneur Nextcloud devrait répondre :
 ```
diff --git a/nextcloud/apache2-sessiontoken b/nextcloud/apache2-sessiontoken
index 64e0f24c..3ea8de00 100755
--- a/nextcloud/apache2-sessiontoken
+++ b/nextcloud/apache2-sessiontoken
@@ -2,15 +2,14 @@
 # deploy the sessiontoken app:
 git clone https://gitlab.octopuce.fr/octopuce-public/nextcloud-sessiontoken.git /var/www/html/apps/sessiontoken
-cd /var/www/html/apps/sessiontoken
-git config --global --add safe.directory '*'
-git checkout 7cf4ff5eea1f16820aa20c3995c3a663e74a9eb7
-cd /var/www/html
 chown -R www-data: /var/www/html/apps/sessiontoken
 #
 ## install the sessiontoken key in /var/www/html/config/config.php
-HASH=$(php /var/www/html/apps/sessiontoken/hash-apikey.php "$NEXTCLOUD_SESSIONTOKEN_KEY")
-sed -i "/'datadirectory'/a 'sessiontoken_apikey_hash' => '$HASH'," /var/www/html/config/config.php
+mkdir -p /var/www/conf
+php /var/www/html/apps/sessiontoken/hash-apikey.php | tee > /var/www/conf/key.txt
+HASH=$(sed -e '8!d' -e 's/^[ ]*//' -e 's/,$//' /var/www/conf/key.txt)
+sed -i "/'datadirectory'/a $HASH," /var/www/html/config/config.php
+sed -i -e '5!d' -e 's/[\t ]//g' /var/www/conf/key.txt
 #
 ## enable the sessiontoken app
 su -p "www-data" -s /bin/sh -c "php occ app:enable sessiontoken"
diff --git a/nextcloud/nextcloudcheck.sh b/nextcloud/nextcloudcheck.sh
index 83d769bd..0363e34f 100644
--- a/nextcloud/nextcloudcheck.sh
+++ b/nextcloud/nextcloudcheck.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-
+NEXTCLOUD_SESSIONTOKEN_KEY=$(cat /var/www/conf/key.txt)
 status_code=$(curl -X POST localhost/apps/sessiontoken/token --silent --output /dev/null -d "apikey=$NEXTCLOUD_SESSIONTOKEN_KEY&user=bbb-visio-user&name=app" --write-out %{http_code})
 if [[ "$status_code" -ne 200 ]] ; then
diff --git a/tokenmock/config.php b/tokenmock/config.php
index 4fc83adc..54468e31 100644
--- a/tokenmock/config.php
+++ b/tokenmock/config.php
@@ -1,7 +1,8 @@ $_ENV['NC_LOGIN_API_KEY'], + 'NC_LOGIN_API_KEY' => $_ENV['NC_LOGIN_API_KEY'], 'NC_HOST' => $_ENV['NC_HOST'], - 'NEXTCLOUD_SESSIONTOKEN_KEY' => $_ENV['NEXTCLOUD_SESSIONTOKEN_KEY'], + 'NEXTCLOUD_SESSIONTOKEN_KEY' => $NEXTCLOUD_SESSIONTOKEN_KEY, ); ?>
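Review bot: Dropping the `git checkout 7cf4ff5eea1f16820aa20c3995c3a663e74a9eb7` pin means every build now installs whatever the upstream default branch of nextcloud-sessiontoken contains at that moment, while the new lines depend on the exact output layout of that script (`sed -e '8!d'` for the config entry, `'5!d'` for the key), so an upstream change either breaks the build silently or runs unreviewed code that mints Nextcloud sessions; re-pin to the revision whose hash-apikey.php output this script parses. The extracted `$HASH` is never checked, and with an empty value `sed -i "/'datadirectory'/a $HASH,"` appends a bare `,` to config.php. key.txt is created with the default umask and, between the `tee` and the last `sed -i`, holds both the plaintext key and its hash; create it under `umask 077` and hand it to the service user (presumably the same www-data uid in the tokenmock container — confirm). `tee` with no file argument is just `cat` here and can go. The script's first line, and any `set -e`, are outside the hunk.
```shell
git clone https://gitlab.octopuce.fr/octopuce-public/nextcloud-sessiontoken.git /var/www/html/apps/sessiontoken
git -C /var/www/html/apps/sessiontoken checkout <PINNED_COMMIT>  # revision whose hash-apikey.php output lines 5 and 8 are parsed below
# … unchanged: chown of the app directory, comments …
mkdir -p /var/www/conf
( umask 077; php /var/www/html/apps/sessiontoken/hash-apikey.php > /var/www/conf/key.txt )
HASH=$(sed -e '8!d' -e 's/^[ ]*//' -e 's/,$//' /var/www/conf/key.txt)
[ -n "$HASH" ] || { echo "sessiontoken: could not extract apikey hash from hash-apikey.php output" >&2; exit 1; }
sed -i "/'datadirectory'/a $HASH," /var/www/html/config/config.php
sed -i -e '5!d' -e 's/[\t ]//g' /var/www/conf/key.txt
chown www-data: /var/www/conf/key.txt
# … unchanged: occ app:enable …
```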
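Review bot: `NEXTCLOUD_SESSIONTOKEN_KEY=$(cat /var/www/conf/key.txt)` does not stop when the key file is missing or empty; the healthcheck then posts `apikey=` and fails without reporting the actual cause. Guard the read first, `[[ -s /var/www/conf/key.txt ]] || { echo "sessiontoken key file missing or empty" >&2; exit 1; }`, and read it with the bash builtin `NEXTCLOUD_SESSIONTOKEN_KEY=$(</var/www/conf/key.txt)` rather than an external `cat`. The `if` block's body continues outside the hunk.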
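Review bot: The returned array now uses `$NEXTCLOUD_SESSIONTOKEN_KEY`, but the statement that populates it is not visible in this hunk (the hunk text is cut at the top, where the `<?php` prologue and the removed `'API_KEY'` line were), so how key.txt is read cannot be confirmed here. If it is read with `file_get_contents('/var/www/conf/key.txt')`, note that the shell side's `sed -i -e '5!d' -e 's/[\t ]//g'` strips tabs and spaces but leaves the line terminator, so the value needs a `trim()`, and a missing or empty file should fail the request rather than forward an empty apikey, e.g. `$key = file_get_contents('/var/www/conf/key.txt'); if ($key === false || trim($key) === '') { http_response_code(500); exit('sessiontoken key unavailable'); } $NEXTCLOUD_SESSIONTOKEN_KEY = trim($key);`. Please confirm against the actual assignment in the file.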
diff --git a/tokenmock/index.php b/tokenmock/index.php
index 20ed8710..d9c460b2 100755
--- a/tokenmock/index.php
+++ b/tokenmock/index.php
@@ -11,7 +11,7 @@ $config=include('./config.php');
-$API_KEY=$config['API_KEY'];
+$NC_LOGIN_API_KEY=$config['NC_LOGIN_API_KEY'];
 $NEXTCLOUD_SESSIONTOKEN_ENDPOINT=$config['NC_HOST'].'/apps/sessiontoken/token';
 $NEXTCLOUD_SESSIONTOKEN_KEY=$config['NEXTCLOUD_SESSIONTOKEN_KEY'];
@@ -19,7 +19,7 @@ $LOGIN=$data['username'];
-if (isset($_SERVER["HTTP_X_API_KEY"]) && $_SERVER["HTTP_X_API_KEY"]==$API_KEY) {
+if (isset($_SERVER["HTTP_X_API_KEY"]) && $_SERVER["HTTP_X_API_KEY"]==$NC_LOGIN_API_KEY) {
 header("Content-Type: application/json");
diff --git a/web.env.example b/web.env.example
index 18e510e6..3dd75a7d 100644
--- a/web.env.example
+++ b/web.env.example
@@ -79,7 +79,6 @@ UPLOAD_DIR=/tmp/b3desk/ # used by dropzone to upload files
 FORCE_HTTPS_ON_EXTERNAL_URLS=off
 NC_LOGIN_API_URL=http://tokenmock:80/index.php # nextcloud token provider endpoint (currently pointing toward related service in docker network)
 NC_LOGIN_API_KEY=MY-TOTALLY-COOL-API-KEY # SHARED between web and tokenmock services as nextcloud credentials
-NEXTCLOUD_SESSIONTOKEN_KEY=megatokengeneratedatleast64long # SHARED between nextcloud (sessiontoken app) and tokenmock services
 REDIS_URL=broker:6379 # SHARED between worker and web services, used for background file management (currently pointing toward related service in docker network)
 # Feature flags
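Review bot: `$_SERVER["HTTP_X_API_KEY"]==$NC_LOGIN_API_KEY` in the second index.php hunk compares the shared secret with PHP's loose `==`: two numeric-looking strings are compared as numbers, and an empty header compares equal to a null key, which is what `$config['NC_LOGIN_API_KEY']` becomes if `NC_LOGIN_API_KEY` is absent from the environment (first hunk). Use a strict, constant-time comparison that also fails closed on a missing configuration value: `if (isset($_SERVER["HTTP_X_API_KEY"]) && is_string($NC_LOGIN_API_KEY) && hash_equals($NC_LOGIN_API_KEY, $_SERVER["HTTP_X_API_KEY"])) {`. The body of the `if` and the rest of the request handling are outside the hunk.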