change the default value for prefer_database_credentials to true ...

... and deprecate this setting.

In the future we'll remove prefer_database_credentials and
credentials_path, and we will no longer allow credentials to be saved on
the filesystem.

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
Nicola Murino 2022-03-13 14:29:11 +01:00
parent 5582f5c811
commit 0bec1c6012
No known key found for this signature in database
GPG key ID: 2F1FB59433D5A8CB
7 changed files with 101 additions and 6 deletions


@ -296,7 +296,7 @@ func Init() {
}, },
PasswordCaching: true, PasswordCaching: true,
UpdateMode: 0, UpdateMode: 0,
PreferDatabaseCredentials: false, PreferDatabaseCredentials: true,
DelayedQuotaUpdate: 0, DelayedQuotaUpdate: 0,
CreateDefaultAdmin: false, CreateDefaultAdmin: false,
NamingRules: 0, NamingRules: 0,
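Review bot: The flip to `PreferDatabaseCredentials: true,` is the only code-side part of the deprecation; none of the seven changed files logs anything when an operator's config still sets `prefer_database_credentials` to false, so the deprecation is visible only to someone who re-reads the docs. A warning emitted from the config loader when the value is explicitly false (stating that the setting and `credentials_path` will be removed) would give operators notice before the removal lands. It is also worth a sentence in the docs or changelog that, with the new default, GCS service-account keys for new users land in the data provider, so the database and its backups now hold those secrets. Init's body continues outside the hunk.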


@ -196,7 +196,7 @@ The configuration file contains the following sections:
- `external_auth_hook`, string. Absolute path to an external program or an HTTP URL to invoke for users authentication. See [External Authentication](./external-auth.md) for more details. Leave empty to disable. - `external_auth_hook`, string. Absolute path to an external program or an HTTP URL to invoke for users authentication. See [External Authentication](./external-auth.md) for more details. Leave empty to disable.
- `external_auth_scope`, integer. 0 means all supported authentication scopes (passwords, public keys and keyboard interactive). 1 means passwords only. 2 means public keys only. 4 means key keyboard interactive only. 8 means TLS certificate. The flags can be combined, for example 6 means public keys and keyboard interactive - `external_auth_scope`, integer. 0 means all supported authentication scopes (passwords, public keys and keyboard interactive). 1 means passwords only. 2 means public keys only. 4 means key keyboard interactive only. 8 means TLS certificate. The flags can be combined, for example 6 means public keys and keyboard interactive
- `credentials_path`, string. It defines the directory for storing user provided credential files such as Google Cloud Storage credentials. This can be an absolute path or a path relative to the config dir - `credentials_path`, string. It defines the directory for storing user provided credential files such as Google Cloud Storage credentials. This can be an absolute path or a path relative to the config dir
- `prefer_database_credentials`, boolean. When `true`, users' Google Cloud Storage credentials will be written to the data provider instead of disk, though pre-existing credentials on disk will be used as a fallback. When `false`, they will be written to the directory specified by `credentials_path`. - `prefer_database_credentials`, boolean. When `true`, users' Google Cloud Storage credentials will be written to the data provider instead of disk, though pre-existing credentials on disk will be used as a fallback. When `false`, they will be written to the directory specified by `credentials_path`. :warning: Deprecation warning: this setting is deprecated and it will be removed in future versions, we'll use `true` as default and will remove `prefer_database_credentials` and `credentials_path`.
- `pre_login_hook`, string. Absolute path to an external program or an HTTP URL to invoke to modify user details just before the login. See [Dynamic user modification](./dynamic-user-mod.md) for more details. Leave empty to disable. - `pre_login_hook`, string. Absolute path to an external program or an HTTP URL to invoke to modify user details just before the login. See [Dynamic user modification](./dynamic-user-mod.md) for more details. Leave empty to disable.
- `post_login_hook`, string. Absolute path to an external program or an HTTP URL to invoke to notify a successful or failed login. See [Post-login hook](./post-login-hook.md) for more details. Leave empty to disable. - `post_login_hook`, string. Absolute path to an external program or an HTTP URL to invoke to notify a successful or failed login. See [Post-login hook](./post-login-hook.md) for more details. Leave empty to disable.
- `post_login_scope`, defines the scope for the post-login hook. 0 means notify both failed and successful logins. 1 means notify failed logins. 2 means notify successful logins. - `post_login_scope`, defines the scope for the post-login hook. 0 means notify both failed and successful logins. 1 means notify failed logins. 2 means notify successful logins.


@ -1830,6 +1830,15 @@ func TestLoginWithDatabaseCredentials(t *testing.T) {
} }
func TestLoginInvalidFs(t *testing.T) { func TestLoginInvalidFs(t *testing.T) {
err := dataprovider.Close()
assert.NoError(t, err)
err = config.LoadConfig(configDir, "")
assert.NoError(t, err)
providerConf := config.GetProviderConf()
providerConf.PreferDatabaseCredentials = false
err = dataprovider.Initialize(providerConf, configDir, true)
assert.NoError(t, err)
u := getTestUser() u := getTestUser()
u.FsConfig.Provider = sdk.GCSFilesystemProvider u.FsConfig.Provider = sdk.GCSFilesystemProvider
u.FsConfig.GCSConfig.Bucket = "test" u.FsConfig.GCSConfig.Bucket = "test"
@ -1837,7 +1846,7 @@ func TestLoginInvalidFs(t *testing.T) {
user, _, err := httpdtest.AddUser(u, http.StatusCreated) user, _, err := httpdtest.AddUser(u, http.StatusCreated)
assert.NoError(t, err) assert.NoError(t, err)
providerConf := config.GetProviderConf() providerConf = config.GetProviderConf()
credentialsFile := filepath.Join(providerConf.CredentialsPath, fmt.Sprintf("%v_gcs_credentials.json", u.Username)) credentialsFile := filepath.Join(providerConf.CredentialsPath, fmt.Sprintf("%v_gcs_credentials.json", u.Username))
if !filepath.IsAbs(credentialsFile) { if !filepath.IsAbs(credentialsFile) {
credentialsFile = filepath.Join(configDir, credentialsFile) credentialsFile = filepath.Join(configDir, credentialsFile)
@ -1856,6 +1865,14 @@ func TestLoginInvalidFs(t *testing.T) {
assert.NoError(t, err) assert.NoError(t, err)
err = os.RemoveAll(user.GetHomeDir()) err = os.RemoveAll(user.GetHomeDir())
assert.NoError(t, err) assert.NoError(t, err)
err = dataprovider.Close()
assert.NoError(t, err)
err = config.LoadConfig(configDir, "")
assert.NoError(t, err)
providerConf = config.GetProviderConf()
err = dataprovider.Initialize(providerConf, configDir, true)
assert.NoError(t, err)
} }
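Review bot: The restore sequence appended to the end of TestLoginInvalidFs (`err = dataprovider.Close()` through `err = dataprovider.Initialize(providerConf, configDir, true)`) only runs when the test reaches its last line; a panic or a fatal assertion earlier leaves the provider initialized with `PreferDatabaseCredentials = false` for every later test in the package. Registering the restore with `t.Cleanup` directly after the setup block makes it unconditional and also removes the need for the `providerConf := ` → `providerConf = ` edit later in the function. The httpd, sftpd and webdavd sections below add the same setup/restore pair and would benefit from the same change. The function body continues outside the hunk.
```go
	providerConf.PreferDatabaseCredentials = false
	err = dataprovider.Initialize(providerConf, configDir, true)
	assert.NoError(t, err)
	t.Cleanup(func() {
		assert.NoError(t, dataprovider.Close())
		assert.NoError(t, config.LoadConfig(configDir, ""))
		assert.NoError(t, dataprovider.Initialize(config.GetProviderConf(), configDir, true))
	})
	// … unchanged: user creation, credentials file checks and login assertions …
```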
func TestClientClose(t *testing.T) { func TestClientClose(t *testing.T) {


@ -2788,6 +2788,16 @@ func TestUserS3Config(t *testing.T) {
} }
func TestUserGCSConfig(t *testing.T) { func TestUserGCSConfig(t *testing.T) {
err := dataprovider.Close()
assert.NoError(t, err)
err = config.LoadConfig(configDir, "")
assert.NoError(t, err)
providerConf := config.GetProviderConf()
providerConf.PreferDatabaseCredentials = false
providerConf.CredentialsPath = credentialsPath
err = dataprovider.Initialize(providerConf, configDir, true)
assert.NoError(t, err)
user, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated) user, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)
assert.NoError(t, err) assert.NoError(t, err)
err = os.RemoveAll(credentialsPath) err = os.RemoveAll(credentialsPath)
@ -2860,6 +2870,18 @@ func TestUserGCSConfig(t *testing.T) {
_, err = httpdtest.RemoveUser(user, http.StatusOK) _, err = httpdtest.RemoveUser(user, http.StatusOK)
assert.NoError(t, err) assert.NoError(t, err)
err = dataprovider.Close()
assert.NoError(t, err)
err = config.LoadConfig(configDir, "")
assert.NoError(t, err)
providerConf = config.GetProviderConf()
providerConf.BackupsPath = backupsPath
providerConf.CredentialsPath = credentialsPath
err = os.RemoveAll(credentialsPath)
assert.NoError(t, err)
err = dataprovider.Initialize(providerConf, configDir, true)
assert.NoError(t, err)
} }
func TestUserAzureBlobConfig(t *testing.T) { func TestUserAzureBlobConfig(t *testing.T) {
@ -8954,6 +8976,16 @@ func TestSFTPLoopError(t *testing.T) {
} }
func TestLoginInvalidFs(t *testing.T) { func TestLoginInvalidFs(t *testing.T) {
err := dataprovider.Close()
assert.NoError(t, err)
err = config.LoadConfig(configDir, "")
assert.NoError(t, err)
providerConf := config.GetProviderConf()
providerConf.PreferDatabaseCredentials = false
providerConf.CredentialsPath = credentialsPath
err = dataprovider.Initialize(providerConf, configDir, true)
assert.NoError(t, err)
u := getTestUser() u := getTestUser()
u.Filters.AllowAPIKeyAuth = true u.Filters.AllowAPIKeyAuth = true
u.FsConfig.Provider = sdk.GCSFilesystemProvider u.FsConfig.Provider = sdk.GCSFilesystemProvider
@ -8993,6 +9025,18 @@ func TestLoginInvalidFs(t *testing.T) {
assert.NoError(t, err) assert.NoError(t, err)
err = os.RemoveAll(user.GetHomeDir()) err = os.RemoveAll(user.GetHomeDir())
assert.NoError(t, err) assert.NoError(t, err)
err = dataprovider.Close()
assert.NoError(t, err)
err = config.LoadConfig(configDir, "")
assert.NoError(t, err)
providerConf = config.GetProviderConf()
providerConf.BackupsPath = backupsPath
providerConf.CredentialsPath = credentialsPath
err = os.RemoveAll(credentialsPath)
assert.NoError(t, err)
err = dataprovider.Initialize(providerConf, configDir, true)
assert.NoError(t, err)
} }
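Review bot: The setup blocks in TestUserGCSConfig and TestLoginInvalidFs set `providerConf.PreferDatabaseCredentials = false` and `providerConf.CredentialsPath = credentialsPath` before `dataprovider.Initialize`, but only the restore blocks set `providerConf.BackupsPath = backupsPath`; for the duration of both tests the provider therefore runs with whatever backups path the loaded config carries rather than the package's `backupsPath`. If that is deliberate because neither test touches backups, a one-line comment on the setup would save the next reader the comparison; otherwise add `providerConf.BackupsPath = backupsPath` to both setup blocks so setup and restore are symmetric. Both function bodies continue outside their hunks.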
func TestWebClientChangePwd(t *testing.T) { func TestWebClientChangePwd(t *testing.T) {


@ -2144,6 +2144,15 @@ func TestLoginWithDatabaseCredentials(t *testing.T) {
} }
func TestLoginInvalidFs(t *testing.T) { func TestLoginInvalidFs(t *testing.T) {
err := dataprovider.Close()
assert.NoError(t, err)
err = config.LoadConfig(configDir, "")
assert.NoError(t, err)
providerConf := config.GetProviderConf()
providerConf.PreferDatabaseCredentials = false
err = dataprovider.Initialize(providerConf, configDir, true)
assert.NoError(t, err)
usePubKey := true usePubKey := true
u := getTestUser(usePubKey) u := getTestUser(usePubKey)
u.FsConfig.Provider = sdk.GCSFilesystemProvider u.FsConfig.Provider = sdk.GCSFilesystemProvider
@ -2152,7 +2161,7 @@ func TestLoginInvalidFs(t *testing.T) {
user, _, err := httpdtest.AddUser(u, http.StatusCreated) user, _, err := httpdtest.AddUser(u, http.StatusCreated)
assert.NoError(t, err) assert.NoError(t, err)
providerConf := config.GetProviderConf() providerConf = config.GetProviderConf()
credentialsFile := filepath.Join(providerConf.CredentialsPath, fmt.Sprintf("%v_gcs_credentials.json", u.Username)) credentialsFile := filepath.Join(providerConf.CredentialsPath, fmt.Sprintf("%v_gcs_credentials.json", u.Username))
if !filepath.IsAbs(credentialsFile) { if !filepath.IsAbs(credentialsFile) {
credentialsFile = filepath.Join(configDir, credentialsFile) credentialsFile = filepath.Join(configDir, credentialsFile)
@ -2172,6 +2181,14 @@ func TestLoginInvalidFs(t *testing.T) {
assert.NoError(t, err) assert.NoError(t, err)
err = os.RemoveAll(user.GetHomeDir()) err = os.RemoveAll(user.GetHomeDir())
assert.NoError(t, err) assert.NoError(t, err)
err = dataprovider.Close()
assert.NoError(t, err)
err = config.LoadConfig(configDir, "")
assert.NoError(t, err)
providerConf = config.GetProviderConf()
err = dataprovider.Initialize(providerConf, configDir, true)
assert.NoError(t, err)
} }
func TestDeniedProtocols(t *testing.T) { func TestDeniedProtocols(t *testing.T) {


@ -174,7 +174,7 @@
"external_auth_hook": "", "external_auth_hook": "",
"external_auth_scope": 0, "external_auth_scope": 0,
"credentials_path": "credentials", "credentials_path": "credentials",
"prefer_database_credentials": false, "prefer_database_credentials": true,
"pre_login_hook": "", "pre_login_hook": "",
"post_login_hook": "", "post_login_hook": "",
"post_login_scope": 0, "post_login_scope": 0,


@ -1746,6 +1746,15 @@ func TestLoginWithDatabaseCredentials(t *testing.T) {
} }
func TestLoginInvalidFs(t *testing.T) { func TestLoginInvalidFs(t *testing.T) {
err := dataprovider.Close()
assert.NoError(t, err)
err = config.LoadConfig(configDir, "")
assert.NoError(t, err)
providerConf := config.GetProviderConf()
providerConf.PreferDatabaseCredentials = false
err = dataprovider.Initialize(providerConf, configDir, true)
assert.NoError(t, err)
u := getTestUser() u := getTestUser()
u.FsConfig.Provider = sdk.GCSFilesystemProvider u.FsConfig.Provider = sdk.GCSFilesystemProvider
u.FsConfig.GCSConfig.Bucket = "test" u.FsConfig.GCSConfig.Bucket = "test"
@ -1753,7 +1762,7 @@ func TestLoginInvalidFs(t *testing.T) {
user, _, err := httpdtest.AddUser(u, http.StatusCreated) user, _, err := httpdtest.AddUser(u, http.StatusCreated)
assert.NoError(t, err) assert.NoError(t, err)
providerConf := config.GetProviderConf() providerConf = config.GetProviderConf()
credentialsFile := filepath.Join(providerConf.CredentialsPath, fmt.Sprintf("%v_gcs_credentials.json", u.Username)) credentialsFile := filepath.Join(providerConf.CredentialsPath, fmt.Sprintf("%v_gcs_credentials.json", u.Username))
if !filepath.IsAbs(credentialsFile) { if !filepath.IsAbs(credentialsFile) {
credentialsFile = filepath.Join(configDir, credentialsFile) credentialsFile = filepath.Join(configDir, credentialsFile)
@ -1770,6 +1779,14 @@ func TestLoginInvalidFs(t *testing.T) {
assert.NoError(t, err) assert.NoError(t, err)
err = os.RemoveAll(user.GetHomeDir()) err = os.RemoveAll(user.GetHomeDir())
assert.NoError(t, err) assert.NoError(t, err)
err = dataprovider.Close()
assert.NoError(t, err)
err = config.LoadConfig(configDir, "")
assert.NoError(t, err)
providerConf = config.GetProviderConf()
err = dataprovider.Initialize(providerConf, configDir, true)
assert.NoError(t, err)
} }
func TestSFTPBuffered(t *testing.T) { func TestSFTPBuffered(t *testing.T) {