Make it possible to use CS3 as accounts backend instead of account-service

Configureable via:
PROXY_ACCOUNT_BACKEND_TYPE=cs3
PROXY_ACCOUNT_BACKEND_TYPE=accounts (default)

By using a backend which implements the CS3 user-api (currently provided by reva/storage) it is possible to bypass
the ocis-accounts service and for example use ldap directly.

Hides user and auth related communication behind a facade (user/backend) to minimize logic-duplication across middlewares.
Allows to switich the account backend from accounts to cs3.

Co-authored-by: Jörn Friedrich Dreyer <jfd@butonic.de>

proxy/pkg/user/backend/accounts.go

@@ -0,0 +1,218 @@
+package backend
+
+import (
+	"context"
+	"fmt"
+	cs3 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
+	accounts "github.com/owncloud/ocis/accounts/pkg/proto/v0"
+	"github.com/owncloud/ocis/ocis-pkg/log"
+	"github.com/owncloud/ocis/ocis-pkg/oidc"
+	settings "github.com/owncloud/ocis/settings/pkg/proto/v0"
+	"net/http"
+	"strconv"
+	"strings"
+)
+
+// NewAccountsServiceUserBackend creates a user-provider which fetches users from the ocis accounts-service
+func NewAccountsServiceUserBackend(ac accounts.AccountsService, rs settings.RoleService, oidcISS string, logger log.Logger) UserBackend {
+	return &accountsServiceBackend{
+		accountsClient:      ac,
+		settingsRoleService: rs,
+		OIDCIss:             oidcISS,
+		logger:              logger,
+	}
+}
+
+type accountsServiceBackend struct {
+	accountsClient      accounts.AccountsService
+	settingsRoleService settings.RoleService
+	OIDCIss             string
+	logger              log.Logger
+}
+
+func (a accountsServiceBackend) GetUserByClaims(ctx context.Context, claim, value string, withRoles bool) (*cs3.User, error) {
+	var account *accounts.Account
+	var status int
+	var query string
+
+	switch claim {
+	case "mail":
+		query = fmt.Sprintf("mail eq '%s'", strings.ReplaceAll(value, "'", "''"))
+	case "username":
+		query = fmt.Sprintf("preferred_name eq '%s'", strings.ReplaceAll(value, "'", "''"))
+	case "id":
+		query = fmt.Sprintf("id eq '%s'", strings.ReplaceAll(value, "'", "''"))
+	default:
+		return nil, fmt.Errorf("invalid user by claim lookup must be  'mail', 'username' or 'id")
+	}
+
+	account, status = a.getAccount(ctx, query)
+	if status == http.StatusNotFound {
+		return nil, ErrAccountNotFound
+	}
+
+	if status != 0 || account == nil {
+		return nil, fmt.Errorf("could not get account, got status: %d", status)
+	}
+
+	if !account.AccountEnabled {
+		return nil, ErrAccountDisabled
+	}
+
+	user := a.accountToUser(account)
+
+	if !withRoles {
+		return user, nil
+	}
+
+	if err := injectRoles(ctx, user, a.settingsRoleService); err != nil {
+		a.logger.Warn().Err(err).Msgf("Could not load roles... continuing without")
+	}
+
+	return user, nil
+
+}
+
+// Authenticate authenticates against the accounts services and returns the user on success
+func (a *accountsServiceBackend) Authenticate(ctx context.Context, username string, password string) (*cs3.User, error) {
+	query := fmt.Sprintf(
+		"login eq '%s' and password eq '%s'",
+		strings.ReplaceAll(username, "'", "''"),
+		strings.ReplaceAll(password, "'", "''"),
+	)
+	account, status := a.getAccount(ctx, query)
+
+	if status != 0 {
+		return nil, fmt.Errorf("could not authenticate with username, password for user %s. Status: %d", username, status)
+	}
+
+	user := a.accountToUser(account)
+
+	if err := injectRoles(ctx, user, a.settingsRoleService); err != nil {
+		a.logger.Warn().Err(err).Msgf("Could not load roles... continuing without")
+	}
+
+	return user, nil
+}
+
+func (a accountsServiceBackend) CreateUserFromClaims(ctx context.Context, claims *oidc.StandardClaims) (*cs3.User, error) {
+	// TODO check if fields are missing.
+	req := &accounts.CreateAccountRequest{
+		Account: &accounts.Account{
+			DisplayName:              claims.DisplayName,
+			PreferredName:            claims.PreferredUsername,
+			OnPremisesSamAccountName: claims.PreferredUsername,
+			Mail:                     claims.Email,
+			CreationType:             "LocalAccount",
+			AccountEnabled:           true,
+		},
+	}
+	created, err := a.accountsClient.CreateAccount(context.Background(), req)
+	if err != nil {
+		return nil, err
+	}
+
+	user := a.accountToUser(created)
+
+	if err := injectRoles(ctx, user, a.settingsRoleService); err != nil {
+		a.logger.Warn().Err(err).Msgf("Could not load roles... continuing without")
+	}
+
+	return user, nil
+}
+
+func (a accountsServiceBackend) GetUserGroups(ctx context.Context, userID string) {
+	panic("implement me")
+}
+
+// accountToUser converts an owncloud account struct to a reva user struct. In the proxy
+// we work with the reva struct as a token can be minted from it.
+func (a *accountsServiceBackend) accountToUser(account *accounts.Account) *cs3.User {
+	user := &cs3.User{
+		Id: &cs3.UserId{
+			OpaqueId: account.Id,
+			Idp:      a.OIDCIss,
+		},
+		Username:     account.OnPremisesSamAccountName,
+		DisplayName:  account.DisplayName,
+		Mail:         account.Mail,
+		MailVerified: account.ExternalUserState == "" || account.ExternalUserState == "Accepted",
+		Groups:       expandGroups(account),
+		Opaque: &types.Opaque{
+			Map: map[string]*types.OpaqueEntry{},
+		},
+	}
+
+	user.Opaque.Map["uid"] = &types.OpaqueEntry{
+		Decoder: "plain",
+		Value:   []byte(strconv.FormatInt(account.UidNumber, 10)),
+	}
+	user.Opaque.Map["gid"] = &types.OpaqueEntry{
+		Decoder: "plain",
+		Value:   []byte(strconv.FormatInt(account.GidNumber, 10)),
+	}
+	return user
+}
+
+func (a *accountsServiceBackend) getAccount(ctx context.Context, query string) (account *accounts.Account, status int) {
+	resp, err := a.accountsClient.ListAccounts(ctx, &accounts.ListAccountsRequest{
+		Query:    query,
+		PageSize: 2,
+	})
+
+	if err != nil {
+		a.logger.Error().Err(err).Str("query", query).Msgf("error fetching from accounts-service")
+		status = http.StatusInternalServerError
+		return
+	}
+
+	if len(resp.Accounts) <= 0 {
+		a.logger.Error().Str("query", query).Msgf("account not found")
+		status = http.StatusNotFound
+		return
+	}
+
+	if len(resp.Accounts) > 1 {
+		a.logger.Error().Str("query", query).Msgf("more than one account found, aborting")
+		status = http.StatusForbidden
+		return
+	}
+
+	account = resp.Accounts[0]
+	return
+}
+
+func expandGroups(account *accounts.Account) []string {
+	groups := make([]string, len(account.MemberOf))
+	for i := range account.MemberOf {
+		// reva needs the unix group name
+		groups[i] = account.MemberOf[i].OnPremisesSamAccountName
+	}
+	return groups
+}
+
+// injectRoles adds roles from the roles-service to the user-struct by mutating an existing struct
+func injectRoles(ctx context.Context, u *cs3.User, ss settings.RoleService) error {
+	roleIDs, err := loadRolesIDs(ctx, u.Id.OpaqueId, ss)
+	if err != nil {
+		return err
+	}
+
+	if len(roleIDs) == 0 {
+		return nil
+	}
+
+	enc, err := encodeRoleIDs(roleIDs)
+	if err != nil {
+		return err
+	}
+
+	u.Opaque = &types.Opaque{
+		Map: map[string]*types.OpaqueEntry{
+			"roles": enc,
+		},
+	}
+
+	return nil
+}

proxy/pkg/user/backend/backend.go

@@ -0,0 +1,66 @@
+package backend
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
+	cs3 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
+	"github.com/owncloud/ocis/ocis-pkg/oidc"
+	settings "github.com/owncloud/ocis/settings/pkg/proto/v0"
+	"google.golang.org/grpc"
+)
+
+var (
+	// ErrAccountNotFound account not found
+	ErrAccountNotFound = errors.New("user not found")
+	// ErrAccountDisabled account disabled
+	ErrAccountDisabled = errors.New("account disabled")
+	// ErrNotSupported operation not supported by user-backend
+	ErrNotSupported = errors.New("operation not supported")
+)
+
+// UserBackend allows the proxy to retrieve users from different user-backends (accounts-service, CS3)
+type UserBackend interface {
+	GetUserByClaims(ctx context.Context, claim, value string, withRoles bool) (*cs3.User, error)
+	Authenticate(ctx context.Context, username string, password string) (*cs3.User, error)
+	CreateUserFromClaims(ctx context.Context, claims *oidc.StandardClaims) (*cs3.User, error)
+	GetUserGroups(ctx context.Context, userID string)
+}
+
+// RevaAuthenticator helper interface to mock auth-method from reva gateway-client.
+type RevaAuthenticator interface {
+	Authenticate(ctx context.Context, in *gateway.AuthenticateRequest, opts ...grpc.CallOption) (*gateway.AuthenticateResponse, error)
+}
+
+// loadRolesIDs returns the role-ids assigned to an user
+func loadRolesIDs(ctx context.Context, opaqueUserID string, rs settings.RoleService) ([]string, error) {
+	req := &settings.ListRoleAssignmentsRequest{AccountUuid: opaqueUserID}
+	assignmentResponse, err := rs.ListRoleAssignments(ctx, req)
+
+	if err != nil {
+		return nil, err
+	}
+
+	roleIDs := make([]string, 0)
+
+	for _, assignment := range assignmentResponse.Assignments {
+		roleIDs = append(roleIDs, assignment.RoleId)
+	}
+
+	return roleIDs, nil
+}
+
+// encodeRoleIDs encoded the given role id's in to reva-specific format to be able to mint a token from them
+func encodeRoleIDs(roleIDs []string) (*types.OpaqueEntry, error) {
+	roleIDsJSON, err := json.Marshal(roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	return &types.OpaqueEntry{
+		Decoder: "json",
+		Value:   roleIDsJSON,
+	}, nil
+}

proxy/pkg/user/backend/cs3.go

@@ -0,0 +1,100 @@
+package backend
+
+import (
+	"context"
+	"fmt"
+	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
+	cs3 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+	rpcv1beta1 "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
+	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
+	"github.com/owncloud/ocis/ocis-pkg/log"
+	"github.com/owncloud/ocis/ocis-pkg/oidc"
+	settings "github.com/owncloud/ocis/settings/pkg/proto/v0"
+)
+
+type cs3backend struct {
+	userProvider        cs3.UserAPIClient
+	settingsRoleService settings.RoleService
+	authProvider        RevaAuthenticator
+	logger              log.Logger
+}
+
+// NewCS3UserBackend creates a user-provider which fetches users from a CS3 UserBackend
+func NewCS3UserBackend(up cs3.UserAPIClient, rs settings.RoleService, ap RevaAuthenticator, logger log.Logger) UserBackend {
+	return &cs3backend{
+		userProvider:        up,
+		settingsRoleService: rs,
+		authProvider:        ap,
+		logger:              logger,
+	}
+}
+
+func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, withRoles bool) (*cs3.User, error) {
+	res, err := c.userProvider.GetUserByClaim(ctx, &cs3.GetUserByClaimRequest{
+		Claim: claim,
+		Value: value,
+	})
+
+	switch {
+	case err != nil:
+		return nil, fmt.Errorf("could not get user by claim %v with value %v: %w", claim, value, err)
+	case res.Status.Code != rpcv1beta1.Code_CODE_OK:
+		if res.Status.Code == rpcv1beta1.Code_CODE_NOT_FOUND {
+			return nil, ErrAccountNotFound
+		}
+		return nil, fmt.Errorf("could not get user by claim %v with value %v : %w ", claim, value, err)
+	}
+
+	user := res.User
+
+	if !withRoles {
+		return user, nil
+	}
+
+	roleIDs, err := loadRolesIDs(ctx, user.Id.OpaqueId, c.settingsRoleService)
+	if err != nil {
+		c.logger.Error().Err(err).Msg("Could not load roles")
+	}
+
+	if len(roleIDs) == 0 {
+		return user, nil
+
+	}
+
+	enc, err := encodeRoleIDs(roleIDs)
+	if err != nil {
+		c.logger.Error().Err(err).Msg("Could not encode loaded roles")
+	}
+
+	user.Opaque = &types.Opaque{
+		Map: map[string]*types.OpaqueEntry{
+			"roles": enc,
+		},
+	}
+
+	return res.User, nil
+}
+
+func (c *cs3backend) Authenticate(ctx context.Context, username string, password string) (*cs3.User, error) {
+	res, err := c.authProvider.Authenticate(ctx, &gateway.AuthenticateRequest{
+		ClientId:     username,
+		ClientSecret: password,
+	})
+
+	switch {
+	case err != nil:
+		return nil, fmt.Errorf("could not authenticate with username and password user: %s, %w", username, err)
+	case res.Status.Code != rpcv1beta1.Code_CODE_OK:
+		return nil, fmt.Errorf("could not authenticate with username and password user: %s, got code: %d", username, res.Status.Code)
+	}
+
+	return res.User, nil
+}
+
+func (c *cs3backend) CreateUserFromClaims(ctx context.Context, claims *oidc.StandardClaims) (*cs3.User, error) {
+	return nil, fmt.Errorf("CS3 Backend does not support creating users from claims")
+}
+
+func (c cs3backend) GetUserGroups(ctx context.Context, userID string) {
+	panic("implement me")
+}