Add info for running Minio/RS to README

Superfluous, since the whole db should be RS only

README.md

@@ -79,6 +79,20 @@ The setup task will first delete any existing entries in the directory tree
 Note that all 389ds data is stored in `tmp/389ds`. So if you want to start over
 with a fresh installation, delete both that directory as well as the container.
 
+#### Minio / RS
+
+If you want to run remoteStorage accounts locally, you will have to create the
+respective bucket first:
+
+* `docker compose up web redis minio liquor-cabinet`
+* Head to http://localhost:9001 and log in with user `minioadmin`, password
+  `minioadmin`
+* Create a new bucket called `remotestorage` (or whatever you
+  change the `S3_BUCKET` config to)
+* Create a new key with ID "dev-key" and secret "123456789" (or whatever you
+  change `S3_ACCESS_KEY` and `S3_SECRET_KEY` to). Leave the policy field empty,
+  as it will automatically allow access to the bucket you created.
+
 ### Adding npm modules to use with Stimulus controllers
 
 The following command downloads the specified npm module to `vendor/javascript`

app/controllers/rs/oauth_controller.rb

@@ -3,8 +3,7 @@ class Rs::OauthController < ApplicationController
   before_action :authenticate_user!, only: :create
 
   def new
-    username, org  = params[:useraddress].split("@")
+    @user          = User.where(cn: params[:username].downcase, ou: Setting.primary_domain).first
-    @user          = User.where(cn: username.downcase, ou: org).first
     @scopes        = parse_scopes params[:scope]
     @redirect_uri  = params[:redirect_uri]
     @client_id     = params[:client_id]
@@ -22,7 +21,7 @@ class Rs::OauthController < ApplicationController
     unless current_user == @user
       sign_out :user
 
-      redirect_to new_rs_oauth_url(@user.address,
+      redirect_to new_rs_oauth_url(@user.cn,
                                    scope: params[:scope],
                                    redirect_uri: params[:redirect_uri],
                                    client_id: params[:client_id],
@@ -107,9 +106,8 @@ class Rs::OauthController < ApplicationController
 
   def require_signed_in_with_username
     unless user_signed_in?
-      username, org = params[:useraddress].split("@")
       session[:user_return_to] = request.url
-      redirect_to new_user_session_path(cn: username, ou: org)
+      redirect_to new_user_session_path(cn: params[:username], ou: Setting.primary_domain)
     end
   end
 

app/controllers/webfinger_controller.rb

@@ -6,15 +6,19 @@ class WebfingerController < ApplicationController
   def show
     resource = params[:resource]
 
-    if resource && resource.match(/acct:\w+/)
+    if resource && @useraddress = resource.match(/acct:(.+)/)&.[](1)
-      useraddress = resource.split(":").last
+      @username, @org = @useraddress.split("@")
-      username, org = useraddress.split("@")
+
-      username.downcase!
+      unless Rails.env.development?
-      unless User.where(cn: username, ou: org).any?
+        # Allow different domains (e.g. localhost:3000) in development only
+        head 404 and return unless @org == Setting.primary_domain
+      end
+
+      unless User.where(cn: @username.downcase, ou: Setting.primary_domain).any?
         head 404 and return
       end
 
-      render json: webfinger(useraddress).to_json,
+      render json: webfinger.to_json,
              content_type: "application/jrd+json"
     else
       head 422 and return
@@ -23,19 +27,18 @@ class WebfingerController < ApplicationController
 
   private
 
-  def webfinger(useraddress)
+  def webfinger
     links = [];
 
-    links << remotestorage_link(useraddress) if Setting.remotestorage_enabled
+    # TODO check if storage service is enabled for user, not just globally
+    links << remotestorage_link if Setting.remotestorage_enabled
 
     { "links" => links }
   end
 
-  def remotestorage_link(useraddress)
+  def remotestorage_link
-    # TODO use when OAuth routes are available
+    auth_url = new_rs_oauth_url("#{@username}@#{Setting.primary_domain}")
-    # auth_url = new_rs_oauth_url(useraddress)
+    storage_url = "#{Setting.rs_storage_url}/#{@username}"
-    auth_url = "https://example.com/rs/oauth"
-    storage_url = "#{Setting.rs_storage_url}/#{useraddress}"
 
     {
       "rel" => "http://tools.ietf.org/id/draft-dejong-remotestorage",

app/models/remote_storage_authorization.rb

@@ -29,7 +29,7 @@ class RemoteStorageAuthorization < ApplicationRecord
   end
 
   def delete_token_from_redis
-    key = "rs:authorizations:#{user.address}:#{token}"
+    key = "authorizations:#{user.cn}:#{token}"
     redis.srem? key, redis.smembers(key)
   end
 
@@ -44,7 +44,7 @@ class RemoteStorageAuthorization < ApplicationRecord
     end
 
     def store_token_in_redis
-      redis.sadd "rs:authorizations:#{user.address}:#{token}", permissions
+      redis.sadd "authorizations:#{user.cn}:#{token}", permissions
     end
 
     def schedule_token_expiry

config/routes.rb

@@ -78,8 +78,8 @@ Rails.application.routes.draw do
 
   namespace :rs do
     resource :oauth, only: [:new, :create], path_names: {
-      new: ':useraddress', create: ':useraddress'
+      new: ':username', create: ':username'
-    }, controller: 'oauth', constraints: { useraddress: /[^\/]+/}
+    }, controller: 'oauth'
     get 'oauth/token/:id/launch_app' => 'oauth#launch_app', as: :launch_app
   end
 

docker-compose.yml

@@ -37,12 +37,13 @@ services:
     environment:
       RAILS_ENV: development
       PRIMARY_DOMAIN: kosmos.org
-      REDIS_URL: redis://redis:6379/0
-      RS_REDIS_URL: redis://redis:6379/1
       LDAP_HOST: ldap
       LDAP_PORT: 3389
       LDAP_ADMIN_PASSWORD: passthebutter
       LDAP_USE_TLS: "false"
+      REDIS_URL: redis://redis:6379/0
+      RS_REDIS_URL: redis://redis:6379/1
+      RS_STORAGE_URL: "http://localhost:4567"
     depends_on:
       - ldap
       - redis
@@ -57,18 +58,48 @@ services:
     environment:
       RAILS_ENV: development
       PRIMARY_DOMAIN: kosmos.org
-      REDIS_URL: redis://redis:6379/0
-      RS_REDIS_URL: redis://redis:6379/1
       LDAP_HOST: ldap
       LDAP_PORT: 3389
       LDAP_ADMIN_PASSWORD: passthebutter
       LDAP_USE_TLS: "false"
       LAUNCHY_DRY_RUN: true
       BROWSER: /dev/null
+      REDIS_URL: redis://redis:6379/0
+      RS_REDIS_URL: redis://redis:6379/1
+      RS_STORAGE_URL: "http://localhost:4567"
     depends_on:
       - ldap
       - redis
 
+  minio:
+    image: quay.io/minio/minio:latest
+    command: "server /data --console-address ':9001'"
+    networks:
+      - external_network
+      - internal_network
+    ports:
+      - "9000:9000"
+      - "9001:9001"
+    volumes:
+      - ./tmp/minio:/data
+
+  liquor-cabinet:
+    image: gitea.kosmos.org/5apps/liquor-cabinet:latest
+    networks:
+      - external_network
+      - internal_network
+    ports:
+      - "4567:4567"
+    environment:
+      RACK_ENV: staging
+      REDIS_HOST: redis
+      REDIS_PORT: 6379
+      REDIS_DB: 1
+      S3_ENDPOINT: http://minio
+      S3_ACCESS_KEY: dev-key
+      S3_SECRET_KEY: 123456789
+      S3_BUCKET: remotestorage
+
   # phpldapadmin:
   #   image: osixia/phpldapadmin:0.9.0
   #   ports:

spec/controllers/rs/oauth_controller_spec.rb

@@ -3,7 +3,11 @@ require 'rails_helper'
 RSpec.describe Rs::OauthController, type: :controller do
   let(:user) { create :user }
 
-  describe "GET /rs/oauth/:useraddress" do
+  before do
+    allow_any_instance_of(AppCatalog::WebApp).to receive(:update_metadata).and_return(true)
+  end
+
+  describe "GET /rs/oauth/:username" do
     context "when user is signed in" do
       before do
         sign_in user
@@ -14,7 +18,7 @@ RSpec.describe Rs::OauthController, type: :controller do
 
         before do
           get :new, params: {
-            useraddress: other_user.address,
+            username: other_user.cn,
             redirect_uri: "https://example.com",
             client_id: "example.com",
             scope: "examples"
@@ -22,7 +26,7 @@ RSpec.describe Rs::OauthController, type: :controller do
         end
 
         it "logs out the users and repeats the request" do
-          url = new_rs_oauth_url other_user.address,
+          url = new_rs_oauth_url other_user.cn,
             redirect_uri: "https://example.com",
             client_id: "example.com",
             scope: "examples"
@@ -34,7 +38,7 @@ RSpec.describe Rs::OauthController, type: :controller do
       context "when no valid token exists" do
         before do
           get :new, params: {
-            useraddress: user.address,
+            username: user.cn,
             redirect_uri: "https://example.com",
             client_id: "example.com",
             scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
@@ -61,7 +65,7 @@ RSpec.describe Rs::OauthController, type: :controller do
         context "no redirect_uri" do
           before do
             get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
               scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
               client_id: "https://example.com"
             }
@@ -75,7 +79,7 @@ RSpec.describe Rs::OauthController, type: :controller do
         context "no client_id" do
           before do
             get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
               scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
               redirect_uri: "https://example.com"
             }
@@ -89,7 +93,7 @@ RSpec.describe Rs::OauthController, type: :controller do
         context "different host for client_id and redirect_uri" do
           before do
             get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
               scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
               redirect_uri: "https://example.com/foobar",
               client_id: "https://google.com"
@@ -116,7 +120,7 @@ RSpec.describe Rs::OauthController, type: :controller do
         context "with same host for client_id and redirect_uri" do
           before do
             get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
               scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
               redirect_uri: "https://example.com",
               client_id: "https://example.com"
@@ -131,7 +135,7 @@ RSpec.describe Rs::OauthController, type: :controller do
         context "with different host for client_id and redirect_uri" do
           before do
             get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
               scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
               redirect_uri: "https://app.example.com",
               client_id: "https://example.com"
@@ -146,7 +150,7 @@ RSpec.describe Rs::OauthController, type: :controller do
         context "with different redirect_uri" do
           before do
             get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
               scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
               redirect_uri: "https://example.com/a_new_route",
               client_id: "https://example.com"
@@ -161,7 +165,7 @@ RSpec.describe Rs::OauthController, type: :controller do
         context "with state param given" do
           before do
             get :new, params: {
-              useraddress: user.address,
+              username: user.cn,
               scope: "documents,[photos], contacts:rw videos:r tasks/work/:r",
               redirect_uri: "https://example.com",
               client_id: "https://example.com",
@@ -178,7 +182,7 @@ RSpec.describe Rs::OauthController, type: :controller do
       context "no scope" do
         before do
           get :new, params: {
-            useraddress: user.address,
+            username: user.cn,
             redirect_uri: "https://example.com",
             client_id: "https://example.com",
             state: "foobar123"
@@ -193,7 +197,7 @@ RSpec.describe Rs::OauthController, type: :controller do
       context "empty scope" do
         before do
           get :new, params: {
-            useraddress: user.address,
+            username: user.cn,
             scope: "",
             redirect_uri: "https://example.com",
             client_id: "https://example.com",
@@ -210,7 +214,7 @@ RSpec.describe Rs::OauthController, type: :controller do
     context "when user is not signed in" do
       it "redirects to the signin page with username pre-filled" do
         get :new, params: {
-          useraddress: user.address,
+          username: user.cn,
           scope: "documents,photos",
           redirect_uri: "https://example.com"
         }
@@ -227,7 +231,7 @@ RSpec.describe Rs::OauthController, type: :controller do
       describe "full" do
         before do
           get :new, params: {
-            useraddress: user.address,
+            username: user.cn,
             scope: "*:rw",
             redirect_uri: "https://example.com",
             client_id: "example.com"
@@ -243,7 +247,7 @@ RSpec.describe Rs::OauthController, type: :controller do
       describe "read-only" do
         before do
           get :new, params: {
-            useraddress: user.address,
+            username: user.cn,
             scope: "*:r",
             redirect_uri: "https://example.com",
             client_id: "example.com"
@@ -258,7 +262,7 @@ RSpec.describe Rs::OauthController, type: :controller do
     end
   end
 
-  describe "POST /rs/oauth/:useraddress" do
+  describe "POST /rs/oauth/:username" do
     context "when user is signed in" do
       before do
         sign_in user

spec/features/rs/oauth_spec.rb

@@ -10,7 +10,7 @@ RSpec.describe 'remoteStorage OAuth Dialog', type: :feature do
 
     context "with normal permissions" do
       before do
-        visit new_rs_oauth_path(useraddress: user.address,
+        visit new_rs_oauth_path(username: user.cn,
                                 redirect_uri: "http://example.com",
                                 client_id: "http://example.com",
                                 scope: "documents,[photos], contacts:r")
@@ -36,7 +36,7 @@ RSpec.describe 'remoteStorage OAuth Dialog', type: :feature do
     context "root access" do
       context "full" do
         before do
-          visit new_rs_oauth_path(useraddress: user.address,
+          visit new_rs_oauth_path(username: user.cn,
                                   redirect_uri: "http://example.com",
                                   client_id: "http://example.com",
                                   scope: ":rw")
@@ -60,7 +60,7 @@ RSpec.describe 'remoteStorage OAuth Dialog', type: :feature do
     end
 
     it "prefills the username field in the signin form" do
-      visit new_rs_oauth_path(useraddress: user.address,
+      visit new_rs_oauth_path(username: user.cn,
                               redirect_uri: "http://example.com",
                               client_id: "http://example.com",
                               scope: "documents,[photos], contacts:r")
@@ -69,7 +69,7 @@ RSpec.describe 'remoteStorage OAuth Dialog', type: :feature do
     end
 
     it "redirects to the OAuth dialog after sign-in" do
-      auth_url = new_rs_oauth_url(useraddress: user.address,
+      auth_url = new_rs_oauth_url(username: user.cn,
                                    redirect_uri: "http://example.com",
                                    client_id: "http://example.com",
                                    scope: "documents,[photos], contacts:r")

spec/jobs/remote_storage_expire_authorization_job_spec.rb

@@ -2,8 +2,13 @@ require 'rails_helper'
 
 RSpec.describe RemoteStorageExpireAuthorizationJob, type: :job do
   before do
+    allow_any_instance_of(AppCatalog::WebApp).to(
+      receive(:update_metadata).and_return(true)
+    )
+
     @user = create :user, cn: "ronald", ou: "kosmos.org"
-    @rs_authorization = create :remote_storage_authorization, user: @user, expire_at: 1.day.ago
+    @rs_authorization = create :remote_storage_authorization,
+                               user: @user, expire_at: 1.day.ago
   end
 
   after do
@@ -20,7 +25,7 @@ RSpec.describe RemoteStorageExpireAuthorizationJob, type: :job do
   }
 
   it "removes the RS authorization from redis" do
-    redis_key = "rs:authorizations:#{@user.address}:#{@rs_authorization.token}"
+    redis_key = "authorizations:#{@user.cn}:#{@rs_authorization.token}"
     expect(redis.keys(redis_key)).to_not be_empty
 
     perform_enqueued_jobs { job }

spec/models/remote_storage_authorization_spec.rb

@@ -5,9 +5,13 @@ RSpec.describe RemoteStorageAuthorization, type: :model do
 
   let(:user) { create :user }
 
+  before do
+    allow_any_instance_of(AppCatalog::WebApp).to receive(:update_metadata).and_return(true)
+  end
+
   describe "#create" do
     after(:each) { clear_enqueued_jobs }
-    after(:all)  { redis_rs_delete_keys("rs:authorizations:*") }
+    after(:all)  { redis_rs_delete_keys("authorizations:*") }
 
     let(:auth) do
       user.remote_storage_authorizations.create!(
@@ -22,7 +26,7 @@ RSpec.describe RemoteStorageAuthorization, type: :model do
     end
 
     it "stores a token in redis" do
-      user_auth_keys = redis_rs.keys("rs:authorizations:#{user.address}:*")
+      user_auth_keys = redis_rs.keys("authorizations:#{user.cn}:*")
       expect(user_auth_keys.length).to eq(1)
 
       authorizations = redis_rs.smembers(user_auth_keys.first)
@@ -44,7 +48,7 @@ RSpec.describe RemoteStorageAuthorization, type: :model do
 
   describe "#destroy" do
     after(:each) { clear_enqueued_jobs }
-    after(:all)  { redis_rs_delete_keys("rs:authorizations:*") }
+    after(:all)  { redis_rs_delete_keys("authorizations:*") }
 
     it "removes the token from redis" do
       auth = user.remote_storage_authorizations.create!(
@@ -54,7 +58,7 @@ RSpec.describe RemoteStorageAuthorization, type: :model do
              )
       auth.destroy!
 
-      expect(redis_rs.keys("rs:authorizations:#{user.address}:*")).to be_empty
+      expect(redis_rs.keys("authorizations:#{user.address}:*")).to be_empty
     end
 
     context "with expiry set" do

spec/requests/webfinger_spec.rb

@@ -15,10 +15,10 @@ RSpec.describe "WebFinger", type: :request do
           res = JSON.parse(response.body)
           rs_link = res["links"].find {|l| l["rel"] == "http://tools.ietf.org/id/draft-dejong-remotestorage"}
 
-          expect(rs_link["href"]).to eql("https://storage.kosmos.org/tony@kosmos.org")
+          expect(rs_link["href"]).to eql("https://storage.kosmos.org/tony")
 
           oauth_url = rs_link["properties"]["http://tools.ietf.org/html/rfc6749#section-4.2"]
-          expect(oauth_url).to eql("https://example.com/rs/oauth")
+          expect(oauth_url).to eql("http://www.example.com/rs/oauth/tony@kosmos.org")
         end
       end