eliott/ocis
1
0
Fork 0
mirror of https://github.com/owncloud/ocis synced 2026-04-26 01:35:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

account_resolver: Handle user roles separately from user lookup

Browse Source 
This removes the "withRoles" flag from the GetUserByClaims lookup and move the
functionality into a separate method. This should make the code a bit more readable
in preparation for maintaining the RoleAssignments from OIDC claims.
This commit is contained in:
Ralf Haferkamp
2023-03-07 17:30:07 +01:00
committed by Ralf Haferkamp
parent f5cfa7e126
commit 88e8bb1b72
7 changed files with 64 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
services/proxy/pkg/user/backend/backend.go
View File

@@ -25,10 +25,10 @@ var (
// UserBackend allows the proxy to retrieve users from different user-backends (accounts-service, CS3)
type UserBackend interface {
GetUserByClaims(ctx context.Context, claim, value string, withRoles bool) (*cs3.User, string, error)
GetUserByClaims(ctx context.Context, claim, value string) (*cs3.User, string, error)
GetUserRoles(ctx context.Context, user *cs3.User) (*cs3.User, error)
Authenticate(ctx context.Context, username string, password string) (*cs3.User, string, error)
CreateUserFromClaims(ctx context.Context, claims map[string]interface{}) (*cs3.User, error)
GetUserGroups(ctx context.Context, userID string)
}
// RevaAuthenticator helper interface to mock auth-method from reva gateway-client.

21
services/proxy/pkg/user/backend/cs3.go
View File

@@ -51,7 +51,7 @@ func NewCS3UserBackend(rs settingssvc.RoleService, ap RevaAuthenticator, machine
}
}
func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, withRoles bool) (*cs3.User, string, error) {
func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string) (*cs3.User, string, error) {
res, err := c.authProvider.Authenticate(ctx, &gateway.AuthenticateRequest{
Type: "machine",
ClientId: claim + ":" + value,
@@ -70,16 +70,17 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w
user := res.User
if !withRoles {
return user, res.Token, nil
}
return user, res.Token, nil
}
func (c *cs3backend) GetUserRoles(ctx context.Context, user *cs3.User) (*cs3.User, error) {
var roleIDs []string
if user.Id.Type != cs3.UserType_USER_TYPE_LIGHTWEIGHT {
var err error
roleIDs, err = loadRolesIDs(ctx, user.Id.OpaqueId, c.settingsRoleService)
if err != nil {
c.logger.Error().Err(err).Msgf("Could not load roles")
return nil, "", err
return nil, err
}
if len(roleIDs) == 0 {
@@ -95,7 +96,7 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w
})
if err != nil {
c.logger.Error().Err(err).Msg("Could not add default role")
return nil, "", err
return nil, err
}
roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser)
}
@@ -105,6 +106,7 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w
enc, err := encodeRoleIDs(roleIDs)
if err != nil {
c.logger.Error().Err(err).Msg("Could not encode loaded roles")
return nil, err
}
if user.Opaque == nil {
@@ -116,8 +118,7 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w
} else {
user.Opaque.Map["roles"] = enc
}
return user, res.Token, nil
return user, nil
}
func (c *cs3backend) Authenticate(ctx context.Context, username string, password string) (*cs3.User, string, error) {
@@ -198,10 +199,6 @@ func (c *cs3backend) CreateUserFromClaims(ctx context.Context, claims map[string
return &cs3UserCreated, nil
}
func (c cs3backend) GetUserGroups(ctx context.Context, userID string) {
panic("implement me")
}
func (c cs3backend) setupLibregraphClient(ctx context.Context, cs3token string) (*libregraph.APIClient, error) {
// Use micro registry to resolve next graph service endpoint
next, err := c.graphSelector.Select("com.owncloud.graph.graph")

42
services/proxy/pkg/user/backend/mocks/UserBackend.go
View File

@@ -67,13 +67,13 @@ func (_m *UserBackend) CreateUserFromClaims(ctx context.Context, claims map[stri
return r0, r1
}
// GetUserByClaims provides a mock function with given fields: ctx, claim, value, withRoles
func (_m *UserBackend) GetUserByClaims(ctx context.Context, claim string, value string, withRoles bool) (*userv1beta1.User, string, error) {
ret := _m.Called(ctx, claim, value, withRoles)
// GetUserByClaims provides a mock function with given fields: ctx, claim, value
func (_m *UserBackend) GetUserByClaims(ctx context.Context, claim string, value string) (*userv1beta1.User, string, error) {
ret := _m.Called(ctx, claim, value)
var r0 *userv1beta1.User
if rf, ok := ret.Get(0).(func(context.Context, string, string, bool) *userv1beta1.User); ok {
r0 = rf(ctx, claim, value, withRoles)
if rf, ok := ret.Get(0).(func(context.Context, string, string) *userv1beta1.User); ok {
r0 = rf(ctx, claim, value)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*userv1beta1.User)
@@ -81,15 +81,15 @@ func (_m *UserBackend) GetUserByClaims(ctx context.Context, claim string, value
}
var r1 string
if rf, ok := ret.Get(1).(func(context.Context, string, string, bool) string); ok {
r1 = rf(ctx, claim, value, withRoles)
if rf, ok := ret.Get(1).(func(context.Context, string, string) string); ok {
r1 = rf(ctx, claim, value)
} else {
r1 = ret.Get(1).(string)
}
var r2 error
if rf, ok := ret.Get(2).(func(context.Context, string, string, bool) error); ok {
r2 = rf(ctx, claim, value, withRoles)
if rf, ok := ret.Get(2).(func(context.Context, string, string) error); ok {
r2 = rf(ctx, claim, value)
} else {
r2 = ret.Error(2)
}
@@ -97,9 +97,27 @@ func (_m *UserBackend) GetUserByClaims(ctx context.Context, claim string, value
return r0, r1, r2
}
// GetUserGroups provides a mock function with given fields: ctx, userID
func (_m *UserBackend) GetUserGroups(ctx context.Context, userID string) {
_m.Called(ctx, userID)
// GetUserRoles provides a mock function with given fields: ctx, user
func (_m *UserBackend) GetUserRoles(ctx context.Context, user *userv1beta1.User) (*userv1beta1.User, error) {
ret := _m.Called(ctx, user)
var r0 *userv1beta1.User
if rf, ok := ret.Get(0).(func(context.Context, *userv1beta1.User) *userv1beta1.User); ok {
r0 = rf(ctx, user)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*userv1beta1.User)
}
}
var r1 error
if rf, ok := ret.Get(1).(func(context.Context, *userv1beta1.User) error); ok {
r1 = rf(ctx, user)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
type mockConstructorTestingTNewUserBackend interface {