update 6.3 -> 6.4 collabora -> wopi(ocis) access unauthorized
simple setup with
- ocis
- ocis as wopi server
- collabora
With the update from 6.3 to 6.4, collabora gives access denied:
WOPI::CheckFileInfo failed for URI [https://wopi.example.com:9300/wopi/files/7.....]: 401 (Unauthorized) Unauthorized. Headers: Content-Type: text/plain; charset=utf-8 / X-Collaboration.collabora-Version: 6.4.0 / X-Content-Type-Options: nosniff / X-Request-Id: ocis/6SjX1tUiuI-000002 / Date: Sun, 15 Sep 2024 10:24:15 GMT / Content-Length: 13 Body: [Unauthorized
wsd-00001-00031 2024-09-15 10:24:15.266499 +0000 [ websrv_poll ] ERR #35: Invalid URI or access denied to [https://wopi.example.com:9300/wopi/files/73......
Going back from 6.4 to 6.3, everything works. Same settings, only the ocis & wopi(ocis) version changed.
I didn't find any new settings for the wopi server in 6.4. Everything is set up the ocis_full GitHub example way, only with podman and the latest collabora version.
We'll need server logs, in particular the ones related to the wopi server (likely under the "collaboration" service name), while trying to open a file in ocis with collabora.
Log file from wopi with level debug:
Sep 17 16:58:04 cs wopi[961954]: b00a63e4ad78ff0e905316efedfafebf7e0fab1db610d888408d8661cde2b0a1
Sep 17 16:58:04 cs podman[961954]: 2024-09-17 16:58:04.185620926 +0200 CEST m=+0.019283207 image pull 1a89dcf9934d6163102f0dd8771fc7e21a654505d9b67fe105d737daba385354 docker.io/owncloud/ocis-rolling:6.4
Sep 17 16:58:04 cs wopi[961965]: 2024/09/17 14:58:04 INFO memory is not limited, skipping package=github.com/KimMachineGun/automemlimit/memlimit
Sep 17 16:58:04 cs wopi[961965]: {"level":"info","service":"collaboration","time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/registry/register.go:17","message":"registering external service com.owncloud.api.collaboration.Collabora-3699e3e3-76c4-48b8-9338-bfd0518a96a5@10.0.2.0:9301"}
Sep 17 16:58:04 cs wopi[961965]: {"level":"debug","service":"collaboration","AppName":"Collabora","Mimetypes":["application/vnd.ms-excel.sheet.macroenabled.12","application/vnd.openxmlformats-officedocument.wordprocessingml.document","application/vnd.oasis.opendocument.spreadsheet","application/x-pilot","application/vnd.ms-powerpoint.presentation.macroenabled.12","application/vnd.ms-word.document.macroenabled.12","application/vnd.ms-powerpoint.template.macroenabled.12","application/vnd.ms-excel.template.macroenabled.12","application/vnd.oasis.opendocument.graphics","application/vnd.oasis.opendocument.presentation","application/vnd.oasis.opendocument.text-web","image/wmf","image/emf","application/vnd.wordperfect","image/x-freehand","image/cgm","application/vnd.sun.xml.draw.template","application/vnd.oasis.opendocument.spreadsheet-template","application/vnd.oasis.opendocument.graphics-template","application/msword","image/gif","application/vnd.ms-excel","application/vnd.ms-excel.sheet.binary.macroenabled.12","application/x-gnumeric","application/vnd.sun.xml.impress","application/vnd.ms-powerpoint","image/png","application/vnd.openxmlformats-officedocument.spreadsheetml.sheet","application/octet-stream","image/jpeg","application/vnd.visio","application/vnd.oasis.opendocument.presentation-template","application/vnd.sun.xml.writer.template","text/csv","application/vnd.openxmlformats-officedocument.presentationml.slideshow","application/pdf","application/vnd.sun.xml.writer","application/vnd.apple.numbers","application/vnd.oasis.opendocument.text-master","text/rtf","application/vnd.openxmlformats-officedocument.presentationml.presentation","image/vnd.dxf","application/x-abiword","application/vnd.sun.xml.writer.global","application/vnd.sun.xml.calc","image/svg+xml","application/x-mspublisher","application/vnd.sun.xml.impress.template","application/vnd.openxmlformats-officedocument.spreadsheetml.template","application/vnd.openxmlformats-officedocument.wordprocessingml.templa
te","application/vnd.openxmlformats-officedocument.presentationml.template","application/vnd.apple.pages","application/vnd.oasis.opendocument.text-template","application/vnd.sun.xml.draw","text/plain","application/vnd.oasis.opendocument.text","image/x-ms-bmp","image/tiff","application/x-mswrite","application/vnd.ms-works","application/vnd.sun.xml.calc.template","application/vnd.ms-word.template.macroenabled.12"],"time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/helpers/registration.go:54","message":"Registering mimetypes in the app provider"}
Sep 17 16:58:04 cs wopi[961965]: {"level":"debug","service":"collaboration","method":"GET","route":"/wopi/","middlewares":6,"time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/server/http/server.go:84","message":"serving endpoint"}
Sep 17 16:58:04 cs wopi[961965]: {"level":"debug","service":"collaboration","method":"POST","route":"/wopi/files/{fileid}/","middlewares":9,"time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/server/http/server.go:84","message":"serving endpoint"}
Sep 17 16:58:04 cs wopi[961965]: {"level":"debug","service":"collaboration","method":"GET","route":"/wopi/files/{fileid}/","middlewares":9,"time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/server/http/server.go:84","message":"serving endpoint"}
Sep 17 16:58:04 cs wopi[961965]: {"level":"debug","service":"collaboration","method":"GET","route":"/wopi/files/{fileid}/contents/","middlewares":9,"time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/server/http/server.go:84","message":"serving endpoint"}
Sep 17 16:58:04 cs wopi[961965]: {"level":"debug","service":"collaboration","method":"POST","route":"/wopi/files/{fileid}/contents/","middlewares":9,"time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/server/http/server.go:84","message":"serving endpoint"}
Sep 17 16:58:29 cs wopi[961965]: {"level":"debug","service":"collaboration","service":{"name":"com.owncloud.api.collaboration.Collabora","version":"6.4.0","metadata":null,"endpoints":[],"nodes":[{"metadata":{"protocol":"grpc","registry":"cache","server":"grpc","transport":"tcp"},"id":"com.owncloud.api.collaboration.Collabora-3699e3e3-76c4-48b8-9338-bfd0518a96a5","address":"10.0.2.0:9301"}]},"time":"2024-09-17T14:58:29Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/registry/register.go:30","message":"refreshing external service-registration"}
Sep 17 16:58:53 cs wopi[961965]: {"level":"debug","service":"collaboration","FileReference":"resource_id:{storage_id:\"6ca7ec6b-d1e9-4147-af8f-ac9fe5b13c39\" opaque_id:\"ec810a41-2374-4fe9-8b0f-b213c225e3db\" space_id:\"eab2b4c4-1d88-4a0a-b35f-3f7a3b3d9204\"} path:\".\"","ViewMode":"VIEW_MODE_READ_WRITE","Requester":"idp:\"https://files.example.com\" opaque_id:\"eab2b4c4-1d88-4a0a-b35f-3f7a3b3d9204\" type:USER_TYPE_PRIMARY","time":"2024-09-17T14:58:53Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/service/grpc/v0/service.go:124","message":"OpenInApp: success"}
Sep 17 16:58:53 cs wopi[961965]: {"level":"info","service":"collaboration","proto":"HTTP/1.1","request-id":"ocis/sUWXqvmmtp-000001","traceid":"00000000000000000000000000000000","remote-addr":"12.128.14.64:55662","method":"GET","wopi-action":"","status":401,"path":"/wopi/files/bb2bc34b7f4471e9eb917c2a6ea140f22e0b174c5ac9f31ee4e3e307a8ebbb81","duration":0.343636,"bytes":13,"time":"2024-09-17T14:58:53Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/middleware/accesslog.go:35","message":"access-log"}
Sep 17 16:58:54 cs wopi[961965]: {"level":"debug","service":"collaboration","service":{"name":"com.owncloud.api.collaboration.Collabora","version":"6.4.0","metadata":null,"endpoints":[],"nodes":[{"metadata":{"protocol":"grpc","registry":"cache","server":"grpc","transport":"tcp"},"id":"com.owncloud.api.collaboration.Collabora-3699e3e3-76c4-48b8-9338-bfd0518a96a5","address":"10.0.2.0:9301"}]},"time":"2024-09-17T14:58:54Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/registry/register.go:30","message":"refreshing external service-registration"}
I can't reproduce the issue... any steps to reproduce for dummies? Maybe there is something missing.
I see some changes regarding the token used for wopi, but it works for me on a fresh 6.4 installation, with both ocis and the wopi server using the 6.4 version.
It's also unclear how you upgraded ocis. You should use the same ocis version across all ocis containers. This means that both ocis and the wopi server (also ocis) should use the same 6.3 or 6.4 version. I'm not sure if you're mixing versions, but that could be a problem.
For upgrade/downgrade I just change the line `Image=docker.io/owncloud/ocis-rolling:6.3` to `Image=docker.io/owncloud/ocis-rolling:6.4` in the wopi and ocis config files. So the version is the same on wopi and ocis.
But even ocis on 6.4 and wopi on 6.3 works. It just breaks with wopi 6.4, with this error in collabora:
collabora[1095662]: WOPI::CheckFileInfo failed for URI...
collabora[1095662]: wsd-00001-00027 2024-09-18 04:52:03.381986 +0000 [ websrv_poll ] ERR #32: Invalid URI or access denied to ...
I'll try to create a minimal configuration to reproduce it:
```yaml
ocis:
  image: owncloud/ocis-rolling:6.4
  networks:
    ocis-net:
  ports:
    - "9143:9143"
  entrypoint:
    - /bin/sh
  # run ocis init to initialize a configuration file with random secrets
  # it will fail on subsequent runs, because the config file already exists
  # therefore we ignore the error and then start the ocis server
  command: ["-c", "ocis init || true; ocis server"]
  environment:
    OCIS_CONFIG_DIR: /etc/ocis/
    OCIS_URL: https://ocis.${DOMAIN:-owncloud.test}
    OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-warning}
    OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
    PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
    GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
    WEB_OIDC_CLIENT_ID: ${OCIS_OIDC_CLIENT_ID:-web}
    PROXY_USER_OIDC_CLAIM: "preferred_username"
    PROXY_USER_CS3_CLAIM: "username"
    GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
    # INSECURE: needed if oCIS / Traefik is using self generated certificates
    OCIS_INSECURE: "true"
    # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
    PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
    # fulltext search
    SEARCH_EXTRACTOR_TYPE: tika
    SEARCH_EXTRACTOR_TIKA_TIKA_URL: http://tika:9998
    FRONTEND_FULL_TEXT_SEARCH_ENABLED: "true"
    # make the registry available to the app provider containers
    MICRO_REGISTRY: "nats-js-kv"
    MICRO_REGISTRY_ADDRESS: "127.0.0.1:9233"
    NATS_NATS_HOST: "0.0.0.0"
    NATS_NATS_PORT: "9233"
    OCIS_RUNTIME_HOST: "ocis"
    GATEWAY_DEBUG_ADDR: 0.0.0.0:9143
    GATEWAY_DEBUG_PPROF: "true"
    GATEWAY_DEBUG_ZPAGES: "true"
    PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
  volumes:
    - ocis-config:/etc/ocis
    - ocis-data:/var/lib/ocis
    - ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml
    - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.ocis.entrypoints=https"
    - "traefik.http.routers.ocis.rule=Host(`ocis.${DOMAIN:-owncloud.test}`)"
    - "traefik.http.routers.ocis.tls.certresolver=http"
    - "traefik.http.routers.ocis.service=ocis"
    - "traefik.http.services.ocis.loadbalancer.server.port=9200"
  logging:
    driver: "local"
  restart: always

wopiserver_co:
  image: owncloud/ocis-rolling:6.4
  networks:
    ocis-net:
  ports:
    - "29304:9304"
  depends_on:
    collabora:
      condition: service_healthy
  entrypoint:
    - /bin/sh
  command: [ "-c", "ocis collaboration server" ]
  environment:
    COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
    COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
    MICRO_REGISTRY: "nats-js-kv"
    MICRO_REGISTRY_ADDRESS: "ocis:9233"
    COLLABORATION_WOPI_SRC: http://wopiserver_co:9300
    COLLABORATION_APP_NAME: "Collabora"
    COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.owncloud.test}
    COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
    COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
    COLLABORATION_DEBUG_ADDR: 0.0.0.0:9304
    COLLABORATION_DEBUG_PPROF: "true"
    COLLABORATION_DEBUG_ZPAGES: "true"
    COLLABORATION_LOG_LEVEL: debug
    OCIS_CONFIG_DIR: /etc/ocis/
    OCIS_URL: https://ocis.${DOMAIN:-owncloud.test}
  volumes:
    - ocis-config:/etc/ocis
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.wopiserver_co.entrypoints=https"
    - "traefik.http.routers.wopiserver_co.rule=Host(`wopiserver_co.${DOMAIN:-owncloud.test}`)"
    - "traefik.http.routers.wopiserver_co.tls.certresolver=http"
    - "traefik.http.routers.wopiserver_co.service=wopiserver_co"
    - "traefik.http.services.wopiserver_co.loadbalancer.server.port=9300"
  logging:
    driver: "local"
  restart: always
```
That works for me. You can ignore the COLLABORATION_DEBUG* vars as well as the exposed port.
I've also tried the upgrade:
- Setup ocis and wopiserver with the image owncloud/ocis-rolling:6.3 (environment vars as shown above)
- Upload a docx file
- Open it with Collabora. Check the file opens and can be edited in Collabora
- Stop all the containers with `docker compose -f comp.yaml down`
- Change the docker image for ocis and wopiserver to owncloud/ocis-rolling:6.4
- Start all the containers
- Check you can open and edit the file uploaded in step 2.
@jvillafanez thanks for your config, but I use podman without compose....
With 6.5 the error log got better; at least I think the problem is here. With ocis 6.5 and wopiserver 6.3 everything works; with ocis 6.5 and wopiserver 6.5 this error pops up:
{"level":"error","service":"collaboration","request-id":"","proto":"HTTP/1.1","method":"GET","path":"/wopi/files/ec5677aca......................4c77","WopiSessionId":"","WopiOverride":"","WopiProof":"","WopiProofOld":"","WopiStamp":"","error":"error parsing token: signature is invalid","time":"2024-10-02T15:41:00Z","message":"failed to dismantle reva token manager"}
Do you have an idea where I should look with this error?
There have been some changes to the token in the wopi server... it's possible that you're using a token from 6.3 which can't be decoded in 6.5. Could you try to clear all the browser data and retry? ownCloud Web stores some data in the browser, so maybe that cached data is being used. The browser's incognito mode might work too, although I'm not fully sure.
The other thing you can check is that both ocis and the wopi server must share the same ocis configuration. In my setup, there is an ocis-config volume which is shared, so we ensure the ocis configuration is the same.
The ocis configuration has a token manager with a jwt_secret. I assume this secret is different between ocis and the wopi server, so that could be the problem. I'm quite sure the jwt_secret must be the same in both containers.
That's it.... ocis and wopiserver didn't share the ocis.yaml. I thought the wopiserver was more or less independent. My fault.... Sorry, and thanks for the help.
I'm glad there is no need to touch the code :smile:
@mmattel could you check if this is documented? I assume the deployment examples have this setup, but it might be easy to overlook it.
The admin docs use the yaml files coming from the ocis repo, but are linked to the tagged version, meaning we respect changes. There is no mention of a change in the jwt secret between versions and their incompatibility... The docs are agnostic to changes under the hood, if not explicitly mentioned.
Rolling is, compared to production, not stable. But if there are incompatible changes between rolling versions, we need to take care of the docs.
From what I see in our ocis_full deployment example, the ocis-config volume is used in both the ocis.yml and collabora.yml, so they share the same config.
Could someone please explain the issue to me in detail and what needs to be done to fix it (without losing data)? I will take care of documenting it.
Note that this also impacts the upgrade procedure from v5 to the new stable.
The issue is that, in 6.3 and earlier, there wasn't an explicit requirement for the wopi server to have the same configuration as ocis. It could have its own separate configuration.
With 6.4, I think at least the token manager's jwt_secret needs to be the same between ocis and the wopi server. The OCIS_URL env variable might also be included in the list.
The easiest solution is that both containers (wopi and ocis) share the same configuration files. This is what the ocis examples are doing. My point is that sharing the configuration files is now a requirement (you might still copy the contents, but it will be too annoying). Maybe people overlook the shared volume, or ignore it because most of the configuration is done through environment variables.
Just a warning like "if you have ocis' collaboration service in a different container, ensure the ocis configuration is shared with it as shown in the example deployment" should be enough.
Maybe @micbar can add more info.
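As an added illustration of the failure mode discussed in this thread (example code, not part of the issue or of the ocis/reva code base): reva's jwt token manager signs its tokens as HS256 JWTs with `token_manager.jwt_secret` from ocis.yaml, which is the assumption this snippet is built on. It mints a token with the secret from one constructed ocis.yaml, verifies it against the secret from a second, separately initialised ocis.yaml, and shows that the verifier sees exactly a "signature is invalid" condition. It also includes a small check that two config files carry the same secret, which is the thing to confirm before blaming the browser cache. The config texts, secrets and claims are constructed for the demo; the line-based secret extraction is a shortcut and does not check YAML nesting.

```python
"""Added example: why a WOPI/collaboration container with its own ocis.yaml
rejects tokens minted by the ocis container (assumes reva's HS256 JWT
token manager keyed by token_manager.jwt_secret)."""
import base64
import hashlib
import hmac
import json
import re

# Constructed stand-ins for /etc/ocis/ocis.yaml in two containers.
OCIS_YAML = """# constructed: ocis container, written by `ocis init`
token_manager:
  jwt_secret: "Oczr5h3Z-constructed-secret-A"
"""
WOPI_YAML_STALE = """# constructed: wopi container that ran its own `ocis init`
token_manager:
  jwt_secret: "Q3HGsNof-constructed-secret-B"
"""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT the way a token manager keyed by jwt_secret would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> dict:
    """Return the claims, or raise ValueError('signature is invalid') on a key mismatch."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is malformed") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse alg confusion ("none", RS256, ...)
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature is invalid")
    return json.loads(_b64url_decode(payload_b64))


_JWT_SECRET_RE = re.compile(r"^[ \t]*jwt_secret:[ \t]*['\"]?([^'\"\n]+?)['\"]?[ \t]*$", re.MULTILINE)


def jwt_secret_from_config(yaml_text: str) -> str:
    """Pull jwt_secret out of an ocis.yaml text (line-based shortcut, no PyYAML needed)."""
    match = _JWT_SECRET_RE.search(yaml_text)
    if not match:
        raise ValueError("no jwt_secret in config")
    return match.group(1).strip()


def configs_share_secret(ocis_yaml: str, wopi_yaml: str) -> bool:
    """The check to run before upgrading: both containers must load the same secret."""
    return hmac.compare_digest(jwt_secret_from_config(ocis_yaml), jwt_secret_from_config(wopi_yaml))


def demo() -> dict:
    """Mint as the ocis container would, verify as the wopi container would."""
    secret_ocis = jwt_secret_from_config(OCIS_YAML)
    secret_wopi = jwt_secret_from_config(WOPI_YAML_STALE)
    token = mint_hs256({"sub": "user-1", "scope": "wopi"}, secret_ocis)  # constructed claims
    result = {"shared_config": configs_share_secret(OCIS_YAML, WOPI_YAML_STALE)}
    try:
        verify_hs256(token, secret_wopi)
        result["wopi_with_own_config"] = "ok"
    except ValueError as err:
        result["wopi_with_own_config"] = str(err)
    # With the ocis-config volume shared, the wopi container loads the same secret.
    result["wopi_with_shared_config"] = verify_hs256(token, secret_ocis)["sub"]
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `configs_share_secret` check is what to run against the two containers' `/etc/ocis/ocis.yaml` files (for example via `podman exec ... cat /etc/ocis/ocis.yaml`) when the collaboration service logs `error parsing token: signature is invalid`; a mismatch means the wopi container initialised its own config instead of mounting the shared one.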
@jvillafanez thanks for the comment. I will add that to the docs.