rename folder extensions -> services

Signed-off-by: Christian Richter <crichter@owncloud.com>
2026-01-06 12:19:37 -06:00 · 2022-06-20 16:46:09 +02:00
parent 1aea93d8cd
commit 78064e6bab
926 changed files with 0 additions and 0 deletions
--- a/services/graph/pkg/middleware/auth.go
+++ b/services/graph/pkg/middleware/auth.go
@@ -0,0 +1,87 @@
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/cs3org/reva/v2/pkg/auth/scope"
+	revactx "github.com/cs3org/reva/v2/pkg/ctx"
+	"github.com/cs3org/reva/v2/pkg/token/manager/jwt"
+	"github.com/owncloud/ocis/v2/extensions/graph/pkg/service/v0/errorcode"
+	"github.com/owncloud/ocis/v2/ocis-pkg/account"
+	opkgm "github.com/owncloud/ocis/v2/ocis-pkg/middleware"
+	gmmetadata "go-micro.dev/v4/metadata"
+	"google.golang.org/grpc/metadata"
+)
+
+// authOptions initializes the available default options.
+func authOptions(opts ...account.Option) account.Options {
+	opt := account.Options{}
+
+	for _, o := range opts {
+		o(&opt)
+	}
+
+	return opt
+}
+
+// Auth provides a middleware to authenticate requests using the x-access-token header value
+// and write it to the context. If there is no x-access-token the middleware prevents access and renders a json document.
+func Auth(opts ...account.Option) func(http.Handler) http.Handler {
+	// Note: This largely duplicates what ocis-pkg/middleware/account.go already does (apart from a slightly different error
+	// handling). Ideally we should merge both middlewares.
+	opt := authOptions(opts...)
+	tokenManager, err := jwt.New(map[string]interface{}{
+		"secret":  opt.JWTSecret,
+		"expires": int64(24 * 60 * 60),
+	})
+	if err != nil {
+		opt.Logger.Fatal().Err(err).Msgf("Could not initialize token-manager")
+	}
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+			t := r.Header.Get("x-access-token")
+			if t == "" {
+				errorcode.InvalidAuthenticationToken.Render(w, r, http.StatusUnauthorized, "Access token is empty.")
+				/* msgraph error for GET https://graph.microsoft.com/v1.0/me
+				{
+					"error":
+				 	{
+						"code":"InvalidAuthenticationToken",
+						"message":"Access token is empty.",
+						"innerError":{
+							"date":"2021-07-09T14:40:51",
+							"request-id":"bb12f7db-b4c4-43a9-ba4b-31676aeed019",
+							"client-request-id":"bb12f7db-b4c4-43a9-ba4b-31676aeed019"
+						}
+					}
+				}
+				*/
+				return
+			}
+
+			u, tokenScope, err := tokenManager.DismantleToken(r.Context(), t)
+			if err != nil {
+				errorcode.InvalidAuthenticationToken.Render(w, r, http.StatusUnauthorized, "invalid token")
+				return
+			}
+			if ok, err := scope.VerifyScope(ctx, tokenScope, r); err != nil || !ok {
+				opt.Logger.Error().Err(err).Msg("verifying scope failed")
+				errorcode.InvalidAuthenticationToken.Render(w, r, http.StatusUnauthorized, "verifying scope failed")
+				return
+			}
+
+			ctx = revactx.ContextSetToken(ctx, t)
+			ctx = revactx.ContextSetUser(ctx, u)
+			ctx = gmmetadata.Set(ctx, opkgm.AccountID, u.Id.OpaqueId)
+			if u.Opaque != nil && u.Opaque.Map != nil {
+				if roles, ok := u.Opaque.Map["roles"]; ok {
+					ctx = gmmetadata.Set(ctx, opkgm.RoleIDs, string(roles.Value))
+				}
+			}
+			ctx = metadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, t)
+
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
--- a/services/graph/pkg/middleware/requireadmin.go
+++ b/services/graph/pkg/middleware/requireadmin.go
@@ -0,0 +1,53 @@
+package middleware
+
+import (
+	"net/http"
+
+	revactx "github.com/cs3org/reva/v2/pkg/ctx"
+	"github.com/owncloud/ocis/v2/extensions/graph/pkg/service/v0/errorcode"
+	settings "github.com/owncloud/ocis/v2/extensions/settings/pkg/service/v0"
+	"github.com/owncloud/ocis/v2/ocis-pkg/log"
+	"github.com/owncloud/ocis/v2/ocis-pkg/roles"
+)
+
+// RequireAdmin middleware is used to require the user in context to be an admin / have account management permissions
+func RequireAdmin(rm *roles.Manager, logger log.Logger) func(next http.Handler) http.Handler {
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			u, ok := revactx.ContextGetUser(r.Context())
+			if !ok {
+				errorcode.AccessDenied.Render(w, r, http.StatusUnauthorized, "Unauthorized")
+				return
+			}
+			if u.Id == nil || u.Id.OpaqueId == "" {
+				errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "user is missing an id")
+				return
+			}
+			// get roles from context
+			roleIDs, ok := roles.ReadRoleIDsFromContext(r.Context())
+			if !ok {
+				logger.Debug().Str("userid", u.Id.OpaqueId).Msg("No roles in context, contacting settings service")
+				var err error
+				roleIDs, err = rm.FindRoleIDsForUser(r.Context(), u.Id.OpaqueId)
+				if err != nil {
+					logger.Err(err).Str("userid", u.Id.OpaqueId).Msg("failed to get roles for user")
+					errorcode.AccessDenied.Render(w, r, http.StatusUnauthorized, "Unauthorized")
+					return
+				}
+				if len(roleIDs) == 0 {
+					errorcode.AccessDenied.Render(w, r, http.StatusUnauthorized, "Unauthorized")
+					return
+				}
+			}
+
+			// check if permission is present in roles of the authenticated account
+			if rm.FindPermissionByID(r.Context(), roleIDs, settings.AccountManagementPermissionID) != nil {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			errorcode.AccessDenied.Render(w, r, http.StatusUnauthorized, "Unauthorized")
+		})
+	}
+}