update 6.3 -> 6.4 collabora -> wopi(ocis) access unauthorized #10053

Open
chrismaster opened this issue Sep 15, 2024 · 5 comments
@chrismaster

Simple setup with

  • ocis
  • ocis as wopi server
  • collabora

With the update from 6.3 to 6.4, Collabora gives access denied:
WOPI::CheckFileInfo failed for URI [https://wopi.example.com:9300/wopi/files/7.....]: 401 (Unauthorized) Unauthorized. Headers: Content-Type: text/plain; charset=utf-8 / X-Collaboration.collabora-Version: 6.4.0 / X-Content-Type-Options: nosniff / X-Request-Id: ocis/6SjX1tUiuI-000002 / Date: Sun, 15 Sep 2024 10:24:15 GMT / Content-Length: 13 Body: [Unauthorized

wsd-00001-00031 2024-09-15 10:24:15.266499 +0000 [ websrv_poll ] ERR #35: Invalid URI or access denied to [https://wopi.example.com:9300/wopi/files/73......

Going back from 6.4 to 6.3, everything works. Same settings, only the ocis & wopi(ocis) version changes.

I didn't find any new settings for the wopi server in 6.4.
Everything is set up the ocis_full GitHub example way, only with podman and the latest Collabora version.

@jvillafanez
Member

We'll need server logs, in particular the ones related to the wopi server (likely under the "collaboration" service name).

@chrismaster
Author

While trying to open a file in ocis with Collabora.
Log file from wopi with level debug:
Sep 17 16:58:04 cs wopi[961954]: b00a63e4ad78ff0e905316efedfafebf7e0fab1db610d888408d8661cde2b0a1
Sep 17 16:58:04 cs podman[961954]: 2024-09-17 16:58:04.185620926 +0200 CEST m=+0.019283207 image pull 1a89dcf9934d6163102f0dd8771fc7e21a654505d9b67fe105d737daba385354 docker.io/owncloud/ocis-rolling:6.4
Sep 17 16:58:04 cs wopi[961965]: 2024/09/17 14:58:04 INFO memory is not limited, skipping package=github.com/KimMachineGun/automemlimit/memlimit
Sep 17 16:58:04 cs wopi[961965]: {"level":"info","service":"collaboration","time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/registry/register.go:17","message":"registering external service com.owncloud.api.collaboration.Collabora-3699e3e3-76c4-48b8-9338-bfd0518a96a5@10.0.2.0:9301"}
Sep 17 16:58:04 cs wopi[961965]: {"level":"debug","service":"collaboration","AppName":"Collabora","Mimetypes":["application/vnd.ms-excel.sheet.macroenabled.12","application/vnd.openxmlformats-officedocument.wordprocessingml.document","application/vnd.oasis.opendocument.spreadsheet","application/x-pilot","application/vnd.ms-powerpoint.presentation.macroenabled.12","application/vnd.ms-word.document.macroenabled.12","application/vnd.ms-powerpoint.template.macroenabled.12","application/vnd.ms-excel.template.macroenabled.12","application/vnd.oasis.opendocument.graphics","application/vnd.oasis.opendocument.presentation","application/vnd.oasis.opendocument.text-web","image/wmf","image/emf","application/vnd.wordperfect","image/x-freehand","image/cgm","application/vnd.sun.xml.draw.template","application/vnd.oasis.opendocument.spreadsheet-template","application/vnd.oasis.opendocument.graphics-template","application/msword","image/gif","application/vnd.ms-excel","application/vnd.ms-excel.sheet.binary.macroenabled.12","application/x-gnumeric","application/vnd.sun.xml.impress","application/vnd.ms-powerpoint","image/png","application/vnd.openxmlformats-officedocument.spreadsheetml.sheet","application/octet-stream","image/jpeg","application/vnd.visio","application/vnd.oasis.opendocument.presentation-template","application/vnd.sun.xml.writer.template","text/csv","application/vnd.openxmlformats-officedocument.presentationml.slideshow","application/pdf","application/vnd.sun.xml.writer","application/vnd.apple.numbers","application/vnd.oasis.opendocument.text-master","text/rtf","application/vnd.openxmlformats-officedocument.presentationml.presentation","image/vnd.dxf","application/x-abiword","application/vnd.sun.xml.writer.global","application/vnd.sun.xml.calc","image/svg+xml","application/x-mspublisher","application/vnd.sun.xml.impress.template","application/vnd.openxmlformats-officedocument.spreadsheetml.template","application/vnd.openxmlformats-officedocument.wordprocessingml.templa
te","application/vnd.openxmlformats-officedocument.presentationml.template","application/vnd.apple.pages","application/vnd.oasis.opendocument.text-template","application/vnd.sun.xml.draw","text/plain","application/vnd.oasis.opendocument.text","image/x-ms-bmp","image/tiff","application/x-mswrite","application/vnd.ms-works","application/vnd.sun.xml.calc.template","application/vnd.ms-word.template.macroenabled.12"],"time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/helpers/registration.go:54","message":"Registering mimetypes in the app provider"}
Sep 17 16:58:04 cs wopi[961965]: {"level":"debug","service":"collaboration","method":"GET","route":"/wopi/","middlewares":6,"time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/server/http/server.go:84","message":"serving endpoint"}
Sep 17 16:58:04 cs wopi[961965]: {"level":"debug","service":"collaboration","method":"POST","route":"/wopi/files/{fileid}/","middlewares":9,"time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/server/http/server.go:84","message":"serving endpoint"}
Sep 17 16:58:04 cs wopi[961965]: {"level":"debug","service":"collaboration","method":"GET","route":"/wopi/files/{fileid}/","middlewares":9,"time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/server/http/server.go:84","message":"serving endpoint"}
Sep 17 16:58:04 cs wopi[961965]: {"level":"debug","service":"collaboration","method":"GET","route":"/wopi/files/{fileid}/contents/","middlewares":9,"time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/server/http/server.go:84","message":"serving endpoint"}
Sep 17 16:58:04 cs wopi[961965]: {"level":"debug","service":"collaboration","method":"POST","route":"/wopi/files/{fileid}/contents/","middlewares":9,"time":"2024-09-17T14:58:04Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/server/http/server.go:84","message":"serving endpoint"}
Sep 17 16:58:29 cs wopi[961965]: {"level":"debug","service":"collaboration","service":{"name":"com.owncloud.api.collaboration.Collabora","version":"6.4.0","metadata":null,"endpoints":[],"nodes":[{"metadata":{"protocol":"grpc","registry":"cache","server":"grpc","transport":"tcp"},"id":"com.owncloud.api.collaboration.Collabora-3699e3e3-76c4-48b8-9338-bfd0518a96a5","address":"10.0.2.0:9301"}]},"time":"2024-09-17T14:58:29Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/registry/register.go:30","message":"refreshing external service-registration"}
Sep 17 16:58:53 cs wopi[961965]: {"level":"debug","service":"collaboration","FileReference":"resource_id:{storage_id:\"6ca7ec6b-d1e9-4147-af8f-ac9fe5b13c39\" opaque_id:\"ec810a41-2374-4fe9-8b0f-b213c225e3db\" space_id:\"eab2b4c4-1d88-4a0a-b35f-3f7a3b3d9204\"} path:\".\"","ViewMode":"VIEW_MODE_READ_WRITE","Requester":"idp:\"https://files.example.com\" opaque_id:\"eab2b4c4-1d88-4a0a-b35f-3f7a3b3d9204\" type:USER_TYPE_PRIMARY","time":"2024-09-17T14:58:53Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/service/grpc/v0/service.go:124","message":"OpenInApp: success"}
Sep 17 16:58:53 cs wopi[961965]: {"level":"info","service":"collaboration","proto":"HTTP/1.1","request-id":"ocis/sUWXqvmmtp-000001","traceid":"00000000000000000000000000000000","remote-addr":"12.128.14.64:55662","method":"GET","wopi-action":"","status":401,"path":"/wopi/files/bb2bc34b7f4471e9eb917c2a6ea140f22e0b174c5ac9f31ee4e3e307a8ebbb81","duration":0.343636,"bytes":13,"time":"2024-09-17T14:58:53Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/middleware/accesslog.go:35","message":"access-log"}
Sep 17 16:58:54 cs wopi[961965]: {"level":"debug","service":"collaboration","service":{"name":"com.owncloud.api.collaboration.Collabora","version":"6.4.0","metadata":null,"endpoints":[],"nodes":[{"metadata":{"protocol":"grpc","registry":"cache","server":"grpc","transport":"tcp"},"id":"com.owncloud.api.collaboration.Collabora-3699e3e3-76c4-48b8-9338-bfd0518a96a5","address":"10.0.2.0:9301"}]},"time":"2024-09-17T14:58:54Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/registry/register.go:30","message":"refreshing external service-registration"}
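
A triage sketch for logs like the ones above, added here and not part of the original thread or the oCIS project: it pulls the JSON entries out of journal-prefixed lines and lists 401/403 responses on /wopi/files/ paths, flagging whether an "OpenInApp: success" entry was logged shortly before. The sample lines, the 30-second window and the function names are assumptions made for this example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample lines, shortened from the journal format quoted in this thread.
SAMPLE_LOG = """\
Sep 17 16:58:04 cs wopi[1]: 2024/09/17 14:58:04 INFO memory is not limited, skipping
Sep 17 16:58:53 cs wopi[1]: {"level":"debug","service":"collaboration","time":"2024-09-17T14:58:53Z","message":"OpenInApp: success"}
Sep 17 16:58:53 cs wopi[1]: {"level":"info","request-id":"ocis/sample-000001","method":"GET","status":401,"path":"/wopi/files/0123abcd","time":"2024-09-17T14:58:53Z","message":"access-log"}
Sep 17 17:10:00 cs wopi[1]: {"level":"info","request-id":"ocis/sample-000002","method":"GET","status":200,"path":"/wopi/files/0123abcd","time":"2024-09-17T15:10:00Z","message":"access-log"}
Sep 17 17:30:00 cs wopi[1]: {"level":"info","request-id":"ocis/sample-000003","method":"GET","status":401,"path":"/wopi/files/0123abcd","time":"2024-09-17T15:30:00Z","message":"access-log"}
"""


def parse_entries(text):
    """Yield the JSON log objects, skipping journal lines that carry no valid JSON."""
    for line in text.splitlines():
        start = line.find(": {")
        if start == -1:
            continue
        try:
            entry = json.loads(line[start + 2:])
            entry["_ts"] = datetime.strptime(entry["time"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError, TypeError):
            continue
        yield entry


def rejected_wopi_calls(text, window_seconds=30):
    """List 401/403 access-log entries on /wopi/files/, in log order."""
    findings, last_open = [], None
    for e in parse_entries(text):
        if e.get("message") == "OpenInApp: success":
            last_open = e["_ts"]
            continue
        if e.get("message") != "access-log" or e.get("status") not in (401, 403):
            continue
        if not str(e.get("path", "")).startswith("/wopi/files/"):
            continue
        recent = last_open is not None and (
            e["_ts"] - last_open <= timedelta(seconds=window_seconds))
        findings.append({"time": e["time"], "request_id": e.get("request-id"),
                         "method": e.get("method"), "status": e["status"],
                         "open_in_app_just_before": recent})
    return findings


if __name__ == "__main__":
    for finding in rejected_wopi_calls(SAMPLE_LOG):
        print(finding)
```

A rejection logged within seconds of "OpenInApp: success" matches the pattern in the log above, where the open request succeeds and the WOPI request that follows is refused with 401.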

@jvillafanez
Member

I can't reproduce the issue... Any steps to reproduce for dummies? Maybe there is something missing.

I see some changes regarding the token used for wopi, but it works for me on a fresh 6.4 installation. Both ocis and wopi server using the 6.4 version.

It's also unclear how you upgraded ocis. You should use the same ocis version across all ocis containers. This means that both the ocis and the wopi server (also ocis) should use the same 6.3 or 6.4 version. I'm not sure if you're mixing versions, but that could be a problem.

@chrismaster
Author

For upgrade/downgrade I just change the line
Image=docker.io/owncloud/ocis-rolling:6.3 to
Image=docker.io/owncloud/ocis-rolling:6.4
in the wopi and ocis config files. So the version is the same on wopi and ocis.

But even ocis on 6.4 and wopi on 6.3 works.
It just breaks with wopi 6.4,
with this error in Collabora:
collabora[1095662]: WOPI::CheckFileInfo failed for URI...
collabora[1095662]: wsd-00001-00027 2024-09-18 04:52:03.381986 +0000 [ websrv_poll ] ERR #32: Invalid URI or access denied to ...

I'll try to create a minimal configuration to reproduce it.

@jvillafanez
Member

  ocis:
    image: owncloud/ocis-rolling:6.4
    networks:
      ocis-net:
    ports:
      - "9143:9143"
    entrypoint:
      - /bin/sh
    # run ocis init to initialize a configuration file with random secrets
    # it will fail on subsequent runs, because the config file already exists
    # therefore we ignore the error and then start the ocis server
    command: ["-c", "ocis init || true; ocis server"]
    environment:
      OCIS_CONFIG_DIR: /etc/ocis/
      OCIS_URL: https://ocis.${DOMAIN:-owncloud.test}
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-warning}
      OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers

      WEB_OIDC_CLIENT_ID: ${OCIS_OIDC_CLIENT_ID:-web}
      PROXY_USER_OIDC_CLAIM: "preferred_username"
      PROXY_USER_CS3_CLAIM: "username"

      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"

      # INSECURE: needed if oCIS / Traefik is using self generated certificates
      OCIS_INSECURE: "true"
      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
      # fulltext search
      SEARCH_EXTRACTOR_TYPE: tika
      SEARCH_EXTRACTOR_TIKA_TIKA_URL: http://tika:9998
      FRONTEND_FULL_TEXT_SEARCH_ENABLED: "true"
      # make the registry available to the app provider containers
      MICRO_REGISTRY: "nats-js-kv"
      MICRO_REGISTRY_ADDRESS: "127.0.0.1:9233"
      NATS_NATS_HOST: "0.0.0.0"
      NATS_NATS_PORT: "9233"
      OCIS_RUNTIME_HOST: "ocis"

      GATEWAY_DEBUG_ADDR: 0.0.0.0:9143
      GATEWAY_DEBUG_PPROF: "true"
      GATEWAY_DEBUG_ZPAGES: "true"

      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
    volumes:
      - ocis-config:/etc/ocis
      - ocis-data:/var/lib/ocis
      - ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml
      - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ocis.entrypoints=https"
      - "traefik.http.routers.ocis.rule=Host(`ocis.${DOMAIN:-owncloud.test}`)"
      - "traefik.http.routers.ocis.tls.certresolver=http"
      - "traefik.http.routers.ocis.service=ocis"
      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
    logging:
      driver: "local"
    restart: always

  wopiserver_co:
    image: owncloud/ocis-rolling:6.4
    networks:
      ocis-net:
    ports:
      - "29304:9304"
    depends_on:
      collabora:
        condition: service_healthy
    entrypoint:
      - /bin/sh
    command: [ "-c", "ocis collaboration server" ]
    environment:
      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
      MICRO_REGISTRY: "nats-js-kv"
      MICRO_REGISTRY_ADDRESS: "ocis:9233"
      COLLABORATION_WOPI_SRC: http://wopiserver_co:9300
      COLLABORATION_APP_NAME: "Collabora"
      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.owncloud.test}
      COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
      COLLABORATION_DEBUG_ADDR: 0.0.0.0:9304
      COLLABORATION_DEBUG_PPROF: "true"
      COLLABORATION_DEBUG_ZPAGES: "true"
      
      COLLABORATION_LOG_LEVEL: debug

      OCIS_CONFIG_DIR: /etc/ocis/
      OCIS_URL: https://ocis.${DOMAIN:-owncloud.test}
    volumes:
      - ocis-config:/etc/ocis
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wopiserver_co.entrypoints=https"
      - "traefik.http.routers.wopiserver_co.rule=Host(`wopiserver_co.${DOMAIN:-owncloud.test}`)"
      - "traefik.http.routers.wopiserver_co.tls.certresolver=http"
      - "traefik.http.routers.wopiserver_co.service=wopiserver_co"
      - "traefik.http.services.wopiserver_co.loadbalancer.server.port=9300"
    logging:
      driver: "local"
    restart: always

That works for me. You can ignore the COLLABORATION_DEBUG* vars as well as the exposed port.

I've also tried the upgrade:

  1. Set up ocis and wopiserver with the image owncloud/ocis-rolling:6.3 (environment vars as shown above)
  2. Upload a docx file
  3. Open it with Collabora. Check the file opens and can be edited in Collabora
  4. Stop all the containers with docker compose -f comp.yaml down
  5. Change the docker image for ocis and wopiserver to owncloud/ocis-rolling:6.4
  6. Start all the containers
  7. Check you can open and edit the file uploaded in step 2.
