Add info for running Minio/RS to README

Add minio to Docker Compose setup, configure Liquor Cabinet
Adjust specs for web app metadata fetching
2023-11-01 22:01:14 +01:00 · 2023-11-01 21:51:29 +01:00 · 2023-11-01 21:49:08 +01:00 · 2023-11-01 21:48:16 +01:00 · 2023-11-01 21:46:38 +01:00
11 changed files with 114 additions and 55 deletions
--- a/README.md
+++ b/README.md
@@ -79,6 +79,20 @@ The setup task will first delete any existing entries in the directory tree
 Note that all 389ds data is stored in `tmp/389ds`. So if you want to start over
 with a fresh installation, delete both that directory as well as the container.

+#### Minio / RS
+
+If you want to run remoteStorage accounts locally, you will have to create the
+respective bucket first:
+
+* `docker compose up web redis minio liquor-cabinet`
+* Head to http://localhost:9001 and log in with user `minioadmin`, password
+  `minioadmin`
+* Create a new bucket called `remotestorage` (or whatever you
+  change the `S3_BUCKET` config to)
+* Create a new key with ID "dev-key" and secret "123456789" (or whatever you
+  change `S3_ACCESS_KEY` and `S3_SECRET_KEY` to). Leave the policy field empty,
+  as it will automatically allow access to the bucket you created.
+
 ### Adding npm modules to use with Stimulus controllers

 The following command downloads the specified npm module to `vendor/javascript`
--- a/app/controllers/rs/oauth_controller.rb
+++ b/app/controllers/rs/oauth_controller.rb
@@ -3,8 +3,7 @@ class Rs::OauthController < ApplicationController
  before_action :authenticate_user!, only: :create

  def new
-    username, org  = params[:useraddress].split("@")
-    @user          = User.where(cn: username.downcase, ou: org).first
+    @user          = User.where(cn: params[:username].downcase, ou: Setting.primary_domain).first
    @scopes        = parse_scopes params[:scope]
    @redirect_uri  = params[:redirect_uri]
    @client_id     = params[:client_id]
@@ -22,7 +21,7 @@ class Rs::OauthController < ApplicationController
    unless current_user == @user
      sign_out :user

-      redirect_to new_rs_oauth_url(@user.address,
+      redirect_to new_rs_oauth_url(@user.cn,
                                   scope: params[:scope],
                                   redirect_uri: params[:redirect_uri],
                                   client_id: params[:client_id],
@@ -107,9 +106,8 @@ class Rs::OauthController < ApplicationController

  def require_signed_in_with_username
    unless user_signed_in?
-      username, org = params[:useraddress].split("@")
      session[:user_return_to] = request.url
-      redirect_to new_user_session_path(cn: username, ou: org)
+      redirect_to new_user_session_path(cn: params[:username], ou: Setting.primary_domain)
    end
  end

--- a/app/controllers/webfinger_controller.rb
+++ b/app/controllers/webfinger_controller.rb
@@ -6,15 +6,19 @@ class WebfingerController < ApplicationController
  def show
    resource = params[:resource]

-    if resource && resource.match(/acct:\w+/)
-      useraddress = resource.split(":").last
-      username, org = useraddress.split("@")
-      username.downcase!
-      unless User.where(cn: username, ou: org).any?
+    if resource && @useraddress = resource.match(/acct:(.+)/)&.[](1)
+      @username, @org = @useraddress.split("@")
+
+      unless Rails.env.development?
+        # Allow different domains (e.g. localhost:3000) in development only
+        head 404 and return unless @org == Setting.primary_domain
+      end
+
+      unless User.where(cn: @username.downcase, ou: Setting.primary_domain).any?
        head 404 and return
      end

-      render json: webfinger(useraddress).to_json,
+      render json: webfinger.to_json,
             content_type: "application/jrd+json"
    else
      head 422 and return
@@ -23,19 +27,18 @@ class WebfingerController < ApplicationController

  private

-  def webfinger(useraddress)
+  def webfinger
    links = [];

-    links << remotestorage_link(useraddress) if Setting.remotestorage_enabled
+    # TODO check if storage service is enabled for user, not just globally
+    links << remotestorage_link if Setting.remotestorage_enabled

    { "links" => links }
  end

-  def remotestorage_link(useraddress)
-    # TODO use when OAuth routes are available
-    # auth_url = new_rs_oauth_url(useraddress)
-    auth_url = "https://example.com/rs/oauth"
-    storage_url = "#{Setting.rs_storage_url}/#{useraddress}"
+  def remotestorage_link
+    auth_url = new_rs_oauth_url("#{@username}@#{Setting.primary_domain}")
+    storage_url = "#{Setting.rs_storage_url}/#{@username}"

    {
      "rel" => "http://tools.ietf.org/id/draft-dejong-remotestorage",
--- a/app/models/remote_storage_authorization.rb
+++ b/app/models/remote_storage_authorization.rb
@@ -29,7 +29,7 @@ class RemoteStorageAuthorization < ApplicationRecord
  end

  def delete_token_from_redis
-    key = "rs:authorizations:#{user.address}:#{token}"
+    key = "authorizations:#{user.cn}:#{token}"
    redis.srem? key, redis.smembers(key)
  end

@@ -44,7 +44,7 @@ class RemoteStorageAuthorization < ApplicationRecord
    end

    def store_token_in_redis
-      redis.sadd "rs:authorizations:#{user.address}:#{token}", permissions
+      redis.sadd "authorizations:#{user.cn}:#{token}", permissions
    end

    def schedule_token_expiry
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -78,8 +78,8 @@ Rails.application.routes.draw do

  namespace :rs do
    resource :oauth, only: [:new, :create], path_names: {
-      new: ':useraddress', create: ':useraddress'
-    }, controller: 'oauth', constraints: { useraddress: /[^\/]+/}
+      new: ':username', create: ':username'
+    }, controller: 'oauth'
    get 'oauth/token/:id/launch_app' => 'oauth#launch_app', as: :launch_app
  end

--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -37,12 +37,13 @@ services:
    environment:
      RAILS_ENV: development
      PRIMARY_DOMAIN: kosmos.org
-      REDIS_URL: redis://redis:6379/0
-      RS_REDIS_URL: redis://redis:6379/1
      LDAP_HOST: ldap
      LDAP_PORT: 3389
      LDAP_ADMIN_PASSWORD: passthebutter
      LDAP_USE_TLS: "false"
+      REDIS_URL: redis://redis:6379/0
+      RS_REDIS_URL: redis://redis:6379/1
+      RS_STORAGE_URL: "http://localhost:4567"
    depends_on:
      - ldap
      - redis
@@ -57,18 +58,48 @@ services:
    environment:
      RAILS_ENV: development
      PRIMARY_DOMAIN: kosmos.org
-      REDIS_URL: redis://redis:6379/0
-      RS_REDIS_URL: redis://redis:6379/1
      LDAP_HOST: ldap
      LDAP_PORT: 3389
      LDAP_ADMIN_PASSWORD: passthebutter
      LDAP_USE_TLS: "false"
      LAUNCHY_DRY_RUN: true
      BROWSER: /dev/null
+      REDIS_URL: redis://redis:6379/0
+      RS_REDIS_URL: redis://redis:6379/1
+      RS_STORAGE_URL: "http://localhost:4567"
    depends_on:
      - ldap
      - redis

+  minio:
+    image: quay.io/minio/minio:latest
+    command: "server /data --console-address ':9001'"
+    networks:
+      - external_network
+      - internal_network
+    ports:
+      - "9000:9000"
+      - "9001:9001"
+    volumes:
+      - ./tmp/minio:/data
+
+  liquor-cabinet:
+    image: gitea.kosmos.org/5apps/liquor-cabinet:latest
+    networks:
+      - external_network
+      - internal_network
+    ports:
+      - "4567:4567"
+    environment:
+      RACK_ENV: staging
+      REDIS_HOST: redis
+      REDIS_PORT: 6379
+      REDIS_DB: 1
+      S3_ENDPOINT: http://minio
+      S3_ACCESS_KEY: dev-key
+      S3_SECRET_KEY: 123456789
+      S3_BUCKET: remotestorage
+
  # phpldapadmin:
  #   image: osixia/phpldapadmin:0.9.0
  #   ports:
--- a/spec/controllers/rs/oauth_controller_spec.rb
+++ b/spec/controllers/rs/oauth_controller_spec.rb
@@ -3,7 +3,11 @@ require 'rails_helper'
 RSpec.describe Rs::OauthController, type: :controller do
  let(:user) { create :user }

-  describe "GET /rs/oauth/:useraddress" do
+  before do
+    allow_any_instance_of(AppCatalog::WebApp).to receive(:update_metadata).and_return(true)
+  end
+
+  describe "GET /rs/oauth/:username" do
    context "when user is signed in" do
      before do
        sign_in user
@@ -14,7 +18,7 @@ RSpec.describe Rs::OauthController, type: :controller do

        before do
          get :new, params: {
-            useraddress: other_user.address,
+            username: other_user.cn,
            redirect_uri: "https://example.com",
            client_id: "example.com",
            scope: "examples"
@@ -22,7 +26,7 @@ RSpec.describe Rs::OauthController, type: :controller do
        end

        it "logs out the users and repeats the request" do
-          url = new_rs_oauth_url other_user.address,
+          url = new_rs_oauth_url other_user.cn,
            redirect_uri: "https://example.com",
            client_id: "example.com",
            scope: "examples"
@@ -34,7 +38,7 @@ RSpec.describe Rs::OauthController, type: :controller do
      context "when no valid token exists" do
        before do
          get :new, params: {
-            useraddress: user.address,
+            username: user.cn,
            redirect_uri: "https://example.com",
            client_id: "example.com",
            scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
@@ -61,7 +65,7 @@ RSpec.describe Rs::OauthController, type: :controller do
        context "no redirect_uri" do
          before do
            get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
              scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
              client_id: "https://example.com"
            }
@@ -75,7 +79,7 @@ RSpec.describe Rs::OauthController, type: :controller do
        context "no client_id" do
          before do
            get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
              scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
              redirect_uri: "https://example.com"
            }
@@ -89,7 +93,7 @@ RSpec.describe Rs::OauthController, type: :controller do
        context "different host for client_id and redirect_uri" do
          before do
            get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
              scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
              redirect_uri: "https://example.com/foobar",
              client_id: "https://google.com"
@@ -116,7 +120,7 @@ RSpec.describe Rs::OauthController, type: :controller do
        context "with same host for client_id and redirect_uri" do
          before do
            get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
              scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
              redirect_uri: "https://example.com",
              client_id: "https://example.com"
@@ -131,7 +135,7 @@ RSpec.describe Rs::OauthController, type: :controller do
        context "with different host for client_id and redirect_uri" do
          before do
            get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
              scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
              redirect_uri: "https://app.example.com",
              client_id: "https://example.com"
@@ -146,7 +150,7 @@ RSpec.describe Rs::OauthController, type: :controller do
        context "with different redirect_uri" do
          before do
            get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
              scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
              redirect_uri: "https://example.com/a_new_route",
              client_id: "https://example.com"
@@ -161,7 +165,7 @@ RSpec.describe Rs::OauthController, type: :controller do
        context "with state param given" do
          before do
            get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
              scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
              redirect_uri: "https://example.com",
              client_id: "https://example.com",
@@ -178,7 +182,7 @@ RSpec.describe Rs::OauthController, type: :controller do
      context "no scope" do
        before do
          get :new, params: {
-            useraddress: user.address,
+            username: user.cn,
            redirect_uri: "https://example.com",
            client_id: "https://example.com",
            state: "foobar123"
@@ -193,7 +197,7 @@ RSpec.describe Rs::OauthController, type: :controller do
      context "empty scope" do
        before do
          get :new, params: {
-            useraddress: user.address,
+            username: user.cn,
            scope: "",
            redirect_uri: "https://example.com",
            client_id: "https://example.com",
@@ -210,7 +214,7 @@ RSpec.describe Rs::OauthController, type: :controller do
    context "when user is not signed in" do
      it "redirects to the signin page with username pre-filled" do
        get :new, params: {
-          useraddress: user.address,
+          username: user.cn,
          scope: "documents,photos",
          redirect_uri: "https://example.com"
        }
@@ -227,7 +231,7 @@ RSpec.describe Rs::OauthController, type: :controller do
      describe "full" do
        before do
          get :new, params: {
-            useraddress: user.address,
+            username: user.cn,
            scope: "*:rw",
            redirect_uri: "https://example.com",
            client_id: "example.com"
@@ -243,7 +247,7 @@ RSpec.describe Rs::OauthController, type: :controller do
      describe "read-only" do
        before do
          get :new, params: {
-            useraddress: user.address,
+            username: user.cn,
            scope: "*:r",
            redirect_uri: "https://example.com",
            client_id: "example.com"
@@ -258,7 +262,7 @@ RSpec.describe Rs::OauthController, type: :controller do
    end
  end

-  describe "POST /rs/oauth/:useraddress" do
+  describe "POST /rs/oauth/:username" do
    context "when user is signed in" do
      before do
        sign_in user
--- a/spec/features/rs/oauth_spec.rb
+++ b/spec/features/rs/oauth_spec.rb
@@ -10,7 +10,7 @@ RSpec.describe 'remoteStorage OAuth Dialog', type: :feature do

    context "with normal permissions" do
      before do
-        visit new_rs_oauth_path(useraddress: user.address,
+        visit new_rs_oauth_path(username: user.cn,
                                redirect_uri: "http://example.com",
                                client_id: "http://example.com",
                                scope: "documents,[photos], contacts:r")
@@ -36,7 +36,7 @@ RSpec.describe 'remoteStorage OAuth Dialog', type: :feature do
    context "root access" do
      context "full" do
        before do
-          visit new_rs_oauth_path(useraddress: user.address,
+          visit new_rs_oauth_path(username: user.cn,
                                  redirect_uri: "http://example.com",
                                  client_id: "http://example.com",
                                  scope: ":rw")
@@ -60,7 +60,7 @@ RSpec.describe 'remoteStorage OAuth Dialog', type: :feature do
    end

    it "prefills the username field in the signin form" do
-      visit new_rs_oauth_path(useraddress: user.address,
+      visit new_rs_oauth_path(username: user.cn,
                              redirect_uri: "http://example.com",
                              client_id: "http://example.com",
                              scope: "documents,[photos], contacts:r")
@@ -69,7 +69,7 @@ RSpec.describe 'remoteStorage OAuth Dialog', type: :feature do
    end

    it "redirects to the OAuth dialog after sign-in" do
-      auth_url = new_rs_oauth_url(useraddress: user.address,
+      auth_url = new_rs_oauth_url(username: user.cn,
                                   redirect_uri: "http://example.com",
                                   client_id: "http://example.com",
                                   scope: "documents,[photos], contacts:r")
--- a/spec/jobs/remote_storage_expire_authorization_job_spec.rb
+++ b/spec/jobs/remote_storage_expire_authorization_job_spec.rb
@@ -2,8 +2,13 @@ require 'rails_helper'

 RSpec.describe RemoteStorageExpireAuthorizationJob, type: :job do
  before do
+    allow_any_instance_of(AppCatalog::WebApp).to(
+      receive(:update_metadata).and_return(true)
+    )
+
    @user = create :user, cn: "ronald", ou: "kosmos.org"
-    @rs_authorization = create :remote_storage_authorization, user: @user, expire_at: 1.day.ago
+    @rs_authorization = create :remote_storage_authorization,
+                               user: @user, expire_at: 1.day.ago
  end

  after do
@@ -20,7 +25,7 @@ RSpec.describe RemoteStorageExpireAuthorizationJob, type: :job do
  }

  it "removes the RS authorization from redis" do
-    redis_key = "rs:authorizations:#{@user.address}:#{@rs_authorization.token}"
+    redis_key = "authorizations:#{@user.cn}:#{@rs_authorization.token}"
    expect(redis.keys(redis_key)).to_not be_empty

    perform_enqueued_jobs { job }
--- a/spec/models/remote_storage_authorization_spec.rb
+++ b/spec/models/remote_storage_authorization_spec.rb
@@ -5,9 +5,13 @@ RSpec.describe RemoteStorageAuthorization, type: :model do

  let(:user) { create :user }

+  before do
+    allow_any_instance_of(AppCatalog::WebApp).to receive(:update_metadata).and_return(true)
+  end
+
  describe "#create" do
    after(:each) { clear_enqueued_jobs }
-    after(:all)  { redis_rs_delete_keys("rs:authorizations:*") }
+    after(:all)  { redis_rs_delete_keys("authorizations:*") }

    let(:auth) do
      user.remote_storage_authorizations.create!(
@@ -22,7 +26,7 @@ RSpec.describe RemoteStorageAuthorization, type: :model do
    end

    it "stores a token in redis" do
-      user_auth_keys = redis_rs.keys("rs:authorizations:#{user.address}:*")
+      user_auth_keys = redis_rs.keys("authorizations:#{user.cn}:*")
      expect(user_auth_keys.length).to eq(1)

      authorizations = redis_rs.smembers(user_auth_keys.first)
@@ -44,7 +48,7 @@ RSpec.describe RemoteStorageAuthorization, type: :model do

  describe "#destroy" do
    after(:each) { clear_enqueued_jobs }
-    after(:all)  { redis_rs_delete_keys("rs:authorizations:*") }
+    after(:all)  { redis_rs_delete_keys("authorizations:*") }

    it "removes the token from redis" do
      auth = user.remote_storage_authorizations.create!(
@@ -54,7 +58,7 @@ RSpec.describe RemoteStorageAuthorization, type: :model do
             )
      auth.destroy!

-      expect(redis_rs.keys("rs:authorizations:#{user.address}:*")).to be_empty
+      expect(redis_rs.keys("authorizations:#{user.address}:*")).to be_empty
    end

    context "with expiry set" do
--- a/spec/requests/webfinger_spec.rb
+++ b/spec/requests/webfinger_spec.rb
@@ -15,10 +15,10 @@ RSpec.describe "WebFinger", type: :request do
          res = JSON.parse(response.body)
          rs_link = res["links"].find {|l| l["rel"] == "http://tools.ietf.org/id/draft-dejong-remotestorage"}

-          expect(rs_link["href"]).to eql("https://storage.kosmos.org/tony@kosmos.org")
+          expect(rs_link["href"]).to eql("https://storage.kosmos.org/tony")

          oauth_url = rs_link["properties"]["http://tools.ietf.org/html/rfc6749#section-4.2"]
-          expect(oauth_url).to eql("https://example.com/rs/oauth")
+          expect(oauth_url).to eql("http://www.example.com/rs/oauth/tony@kosmos.org")
        end
      end
Author	SHA1	Message	Date
Râu Cao	00049f3743	Add info for running Minio/RS to README All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2023-11-01 22:01:14 +01:00
Râu Cao	60c0a43f33	Add minio to Docker Compose setup, configure Liquor Cabinet	2023-11-01 21:51:29 +01:00
Râu Cao	0c1b1b4afe	Adjust specs for web app metadata fetching	2023-11-01 21:49:08 +01:00
Râu Cao	92310d434a	Remove rs namespace from Redis keys Superfluous, since the whole db should be RS only	2023-11-01 21:48:16 +01:00
Râu Cao	56c127ca0c	Only allow primary domain for RS Replace user addresses with usernames in the respective URLs	2023-11-01 21:46:38 +01:00