account_resolver: Handle user roles separately from user lookup

This removes the "withRoles" flag from the GetUserByClaims lookup and move the functionality into a separate method. This should make the code a bit more readable in preparation for maintaining the RoleAssignments from OIDC claims.
2026-04-25 17:25:21 +02:00 · 2023-03-07 17:30:07 +01:00
parent f5cfa7e126
commit 88e8bb1b72
7 changed files with 64 additions and 31 deletions
--- a/services/proxy/pkg/user/backend/cs3.go
+++ b/services/proxy/pkg/user/backend/cs3.go
@@ -51,7 +51,7 @@ func NewCS3UserBackend(rs settingssvc.RoleService, ap RevaAuthenticator, machine
 	}
 }

-func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, withRoles bool) (*cs3.User, string, error) {
+func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string) (*cs3.User, string, error) {
 	res, err := c.authProvider.Authenticate(ctx, &gateway.AuthenticateRequest{
 		Type:         "machine",
 		ClientId:     claim + ":" + value,
@@ -70,16 +70,17 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w

 	user := res.User

-	if !withRoles {
-		return user, res.Token, nil
-	}
+	return user, res.Token, nil
+}

+func (c *cs3backend) GetUserRoles(ctx context.Context, user *cs3.User) (*cs3.User, error) {
 	var roleIDs []string
 	if user.Id.Type != cs3.UserType_USER_TYPE_LIGHTWEIGHT {
+		var err error
 		roleIDs, err = loadRolesIDs(ctx, user.Id.OpaqueId, c.settingsRoleService)
 		if err != nil {
 			c.logger.Error().Err(err).Msgf("Could not load roles")
-			return nil, "", err
+			return nil, err
 		}

 		if len(roleIDs) == 0 {
@@ -95,7 +96,7 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w
 				})
 				if err != nil {
 					c.logger.Error().Err(err).Msg("Could not add default role")
-					return nil, "", err
+					return nil, err
 				}
 				roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser)
 			}
@@ -105,6 +106,7 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w
 	enc, err := encodeRoleIDs(roleIDs)
 	if err != nil {
 		c.logger.Error().Err(err).Msg("Could not encode loaded roles")
+		return nil, err
 	}

 	if user.Opaque == nil {
@@ -116,8 +118,7 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w
 	} else {
 		user.Opaque.Map["roles"] = enc
 	}
-
-	return user, res.Token, nil
+	return user, nil
 }

 func (c *cs3backend) Authenticate(ctx context.Context, username string, password string) (*cs3.User, string, error) {
@@ -198,10 +199,6 @@ func (c *cs3backend) CreateUserFromClaims(ctx context.Context, claims map[string
 	return &cs3UserCreated, nil
 }

-func (c cs3backend) GetUserGroups(ctx context.Context, userID string) {
-	panic("implement me")
-}
-
 func (c cs3backend) setupLibregraphClient(ctx context.Context, cs3token string) (*libregraph.APIClient, error) {
 	// Use micro registry to resolve next graph service endpoint
 	next, err := c.graphSelector.Select("com.owncloud.graph.graph")