From 5fda82d23ae79c0b38eb6bd434b3da2a7479da83 Mon Sep 17 00:00:00 2001
From: Jesse Geens
Date: Fri, 18 Oct 2024 16:21:53 +0200
Subject: [PATCH] Do not include HTTPS cert in EOS HTTP Client

Omit HTTPS cert in EOS HTTP Client, as this causes authentication issues on EOS < 5.2.28. When EOS receives a certificate, it will look for this cert in the gridmap file. If it is not found there, the whole authn flow is aborted and the user is mapped to nobody.

---
 .../unreleased/no-certs-eos-http-client.md | 8 +++++++
 pkg/eosclient/eosgrpc/eoshttp.go | 21 -------------------
 2 files changed, 8 insertions(+), 21 deletions(-)
 create mode 100644 changelog/unreleased/no-certs-eos-http-client.md

diff --git a/changelog/unreleased/no-certs-eos-http-client.md b/changelog/unreleased/no-certs-eos-http-client.md
new file mode 100644
index 0000000000..bb4b81b5d8
--- /dev/null
+++ b/changelog/unreleased/no-certs-eos-http-client.md
@@ -0,0 +1,8 @@
+Bugfix: no certs in EOS HTTP client
+
+Omit HTTPS cert in EOS HTTP Client, as this causes authentication issues on EOS < 5.2.28.
+When EOS receives a certificate, it will look for this cert in the gridmap file.
+If it is not found there, the whole authn flow is aborted and the user is mapped to nobody.
+
+
+https://github.com/cs3org/reva/pull/4894
\ No newline at end of file
diff --git a/pkg/eosclient/eosgrpc/eoshttp.go b/pkg/eosclient/eosgrpc/eoshttp.go
index 4966355335..e447afea13 100644
--- a/pkg/eosclient/eosgrpc/eoshttp.go
+++ b/pkg/eosclient/eosgrpc/eoshttp.go
@@ -21,8 +21,6 @@ package eosgrpc
 import (
 "bytes"
 "context"
- "crypto/tls"
- "errors"
 "fmt"
 "io"
 "net/http"
@@ -148,10 +146,6 @@ func NewEOSHTTPClient(opt *HTTPOptions) (*EOSHTTPClient, error) {
 }
 opt.init()
- baseUrl, err := url.Parse(opt.BaseURL)
- if err != nil {
- return nil, errors.New("Failed to parse BaseURL")
- }
 t := &http.Transport{
 MaxIdleConns: opt.MaxIdleConns,
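Review bot: Removing the `baseUrl, err := url.Parse(opt.BaseURL)` block in the `@@ -148,10 +146,6 @@` hunk also removes the only constructor-time validation of BaseURL, which was not the purpose of the change; unless `opt.init()` checks it (not visible here), a malformed base URL now surfaces only when the first request is built, far from the configuration that caused it. A parse-only check keeps the fail-fast behaviour without the scheme branch: `if _, err := url.Parse(opt.BaseURL); err != nil { return nil, fmt.Errorf("parsing BaseURL %q: %w", opt.BaseURL, err) }`, which needs only `fmt` and `net/url` — `fmt` is kept by the import hunk and `net/url` is not touched by it, so presumably still imported. The body of NewEOSHTTPClient continues outside the hunk, and the hunk's last context line appears to have been cut off in this rendering.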
@@ -161,21 +155,6 @@ func NewEOSHTTPClient(opt *HTTPOptions) (*EOSHTTPClient, error) {
 DisableCompression: true,
 }
 
- if baseUrl.Scheme == "https" {
- cert, err := tls.LoadX509KeyPair(opt.ClientCertFile, opt.ClientKeyFile)
- if err != nil {
- return nil, err
- }
- t.TLSClientConfig = &tls.Config{
- Certificates: []tls.Certificate{cert},
- }
- }
-
- // TODO: the error reporting of http.transport is insufficient
- // we may want to check manually at least the existence of the certfiles
- // The point is that also the error reporting of the context that calls this function
- // is weak
-
 cl := &http.Client{
 Transport: t,
 CheckRedirect: func(req *http.Request, via []*http.Request) error {
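Review bot: With the `if baseUrl.Scheme == "https"` block gone, `opt.ClientCertFile` and `opt.ClientKeyFile` are still accepted by HTTPOptions (the struct is outside the hunk) but are now silently ignored, so an operator who configured mutual TLS ends up with a client that presents no certificate and gets no indication why. I would either mark both fields as deprecated in HTTPOptions or warn at construction, `if opt.ClientCertFile != "" || opt.ClientKeyFile != "" { /* warn via the function's logger: client certificate options are ignored, no certificate is presented */ }`, so the change in behaviour is visible in logs. It is also worth a one-line comment at the transport, e.g. `// TLSClientConfig is deliberately left nil: Go's default server-certificate verification still applies, but no client certificate is sent (EOS < 5.2.28 maps unknown certs to nobody).`, since a reader of this diff may otherwise assume TLS was weakened rather than only client authentication removed. The enclosing function starts and ends outside the hunk.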