Add autoprovision accounts flag

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2025-12-30 17:00:57 -06:00 · 2020-10-05 11:25:02 +02:00
parent 9a17287f73
commit 60c319faed
6 changed files with 44 additions and 15 deletions
--- a/proxy/changelog/unreleased/add-autoprovision-accounts-flag.md
+++ b/proxy/changelog/unreleased/add-autoprovision-accounts-flag.md
@@ -0,0 +1,6 @@
+Enhancement: Add autoprovision accounts flag
+
+Added a new `PROXY_AUTOPROVISION_ACCOUNTS` environment variable. When enabled, the proxy will try to create a new account when it cannot match the username or email from the oidc userinfo to an existing user. Enable it to learn users from an external identity provider. Defaults to false.
+
+https://github.com/owncloud/product/issues/219
+https://github.com/owncloud/ocis/issues/629
--- a/proxy/pkg/command/server.go
+++ b/proxy/pkg/command/server.go
@@ -265,6 +265,7 @@ func loadMiddlewares(ctx context.Context, l log.Logger, cfg *config.Config) alic
 		middleware.TokenManagerConfig(cfg.TokenManager),
 		middleware.AccountsClient(accounts),
 		middleware.SettingsRoleService(roles),
+		middleware.AutoprovisionAccounts(cfg.AutoprovisionAccounts),
 	)

 	// the connection will be established in a non blocking fashion
--- a/proxy/pkg/config/config.go
+++ b/proxy/pkg/config/config.go
@@ -85,19 +85,20 @@ type Reva struct {

 // Config combines all available configuration parts.
 type Config struct {
-	File           string
-	Log            Log
-	Debug          Debug
-	HTTP           HTTP
-	Service        Service
-	Tracing        Tracing
-	Asset          Asset
-	Policies       []Policy
-	OIDC           OIDC
-	TokenManager   TokenManager
-	PolicySelector *PolicySelector `mapstructure:"policy_selector"`
-	Reva           Reva
-	PreSignedURL   PreSignedURL
+	File                  string
+	Log                   Log
+	Debug                 Debug
+	HTTP                  HTTP
+	Service               Service
+	Tracing               Tracing
+	Asset                 Asset
+	Policies              []Policy
+	OIDC                  OIDC
+	TokenManager          TokenManager
+	PolicySelector        *PolicySelector `mapstructure:"policy_selector"`
+	Reva                  Reva
+	PreSignedURL          PreSignedURL
+	AutoprovisionAccounts bool
 }

 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request
--- a/proxy/pkg/flagset/flagset.go
+++ b/proxy/pkg/flagset/flagset.go
@@ -202,6 +202,17 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"PROXY_OIDC_INSECURE"},
 			Destination: &cfg.OIDC.Insecure,
 		},
+
+		&cli.BoolFlag{
+			Name:        "autoprovision-accounts",
+			Value:       false,
+			Usage:       "create accounts from OIDC access tokens to learn new users",
+			EnvVars:     []string{"PROXY_AUTOPROVISION_ACCOUNTS"},
+			Destination: &cfg.AutoprovisionAccounts,
+		},
+
+		// Presigned URLs
+
 		&cli.StringSliceFlag{
 			Name:    "presignedurl-allow-method",
 			Value:   cli.NewStringSlice("GET"),
--- a/proxy/pkg/middleware/account_uuid.go
+++ b/proxy/pkg/middleware/account_uuid.go
@@ -104,7 +104,7 @@ func AccountUUID(opts ...Option) func(next http.Handler) http.Handler {
 				w.WriteHeader(http.StatusInternalServerError)
 			}
 			if status != 0 || account == nil {
-				if status == http.StatusNotFound {
+				if opt.AutoprovisionAccounts && status == http.StatusNotFound {
 					account, status = createAccount(l, claims, opt.AccountsClient)
 					if status != 0 {
 						w.WriteHeader(status)
--- a/proxy/pkg/middleware/options.go
+++ b/proxy/pkg/middleware/options.go
@@ -1,9 +1,10 @@
 package middleware

 import (
-	settings "github.com/owncloud/ocis/settings/pkg/proto/v0"
 	"net/http"

+	settings "github.com/owncloud/ocis/settings/pkg/proto/v0"
+
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	acc "github.com/owncloud/ocis/accounts/pkg/proto/v0"
 	"github.com/owncloud/ocis/ocis-pkg/log"
@@ -36,6 +37,8 @@ type Options struct {
 	Store storepb.StoreService
 	// PreSignedURLConfig to configure the middleware
 	PreSignedURLConfig config.PreSignedURL
+	// AutoprovisionAccounts when an account does not exist.
+	AutoprovisionAccounts bool
 }

 // newOptions initializes the available default options.
@@ -118,3 +121,10 @@ func PreSignedURLConfig(cfg config.PreSignedURL) Option {
 		o.PreSignedURLConfig = cfg
 	}
 }
+
+// AutoprovisionAccounts provides a function to set the AutoprovisionAccounts config
+func AutoprovisionAccounts(val bool) Option {
+	return func(o *Options) {
+		o.AutoprovisionAccounts = val
+	}
+}