From a6f05e761e4331d7dad521482191b744f3f249f6 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Fri, 20 May 2022 13:09:34 +0200
Subject: [PATCH] Let graph auth middleware add the roleids to the context

They were also added by the ExtractAccountUUID for the /drives endpoint. We'll need some on other endpoints as well (for automatic user provisioning).
---
 extensions/graph/pkg/middleware/auth.go | 10 ++++++++++
 extensions/graph/pkg/service/v0/service.go | 22 +++++++---------------
 2 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/extensions/graph/pkg/middleware/auth.go b/extensions/graph/pkg/middleware/auth.go
index a460a49823..037aa0bc74 100644
--- a/extensions/graph/pkg/middleware/auth.go
+++ b/extensions/graph/pkg/middleware/auth.go
@@ -8,6 +8,8 @@ import (
 	"github.com/cs3org/reva/v2/pkg/token/manager/jwt"
 	"github.com/owncloud/ocis/v2/extensions/graph/pkg/service/v0/errorcode"
 	"github.com/owncloud/ocis/v2/ocis-pkg/account"
+	opkgm "github.com/owncloud/ocis/v2/ocis-pkg/middleware"
+	gmmetadata "go-micro.dev/v4/metadata"
 	"google.golang.org/grpc/metadata"
 )
@@ -25,6 +27,8 @@ func authOptions(opts ...account.Option) account.Options {
 // Auth provides a middleware to authenticate requests using the x-access-token header value
 // and write it to the context. If there is no x-access-token the middleware prevents access and renders a json document.
 func Auth(opts ...account.Option) func(http.Handler) http.Handler {
+	// Note: This largely duplicates was ocis-pkg/middleware/account.go already does (apart from a slightly different error
+	// handling). Ideally we should merge both middlewares.
 	opt := authOptions(opts...)
 	tokenManager, err := jwt.New(map[string]interface{}{
 		"secret": opt.JWTSecret,
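Review bot: The comment added above `opt := authOptions(opts...)` has a typo that makes it hard to parse: `duplicates was ocis-pkg/middleware/account.go already does` should read `duplicates what ocis-pkg/middleware/account.go already does`. While touching it, it would help a reader to state which of the two middlewares is considered authoritative for the context keys it populates, so that the later merge the note asks for does not silently drop one side's behaviour. The body of Auth continues outside this hunk.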
@@ -69,6 +73,12 @@ func Auth(opts ...account.Option) func(http.Handler) http.Handler {
 			ctx = revactx.ContextSetToken(ctx, t)
 			ctx = revactx.ContextSetUser(ctx, u)
+			ctx = gmmetadata.Set(ctx, opkgm.AccountID, u.Id.OpaqueId)
+			if u.Opaque != nil {
+				if roles, ok := u.Opaque.Map["roles"]; ok {
+					ctx = gmmetadata.Set(ctx, opkgm.RoleIDs, string(roles.Value))
+				}
+			}
 			ctx = metadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, t)
 			next.ServeHTTP(w, r.WithContext(ctx))
diff --git a/extensions/graph/pkg/service/v0/service.go b/extensions/graph/pkg/service/v0/service.go
index cf328ce050..ca880b1bb6 100644
--- a/extensions/graph/pkg/service/v0/service.go
+++ b/extensions/graph/pkg/service/v0/service.go
@@ -14,8 +14,6 @@ import (
 	"github.com/owncloud/ocis/v2/extensions/graph/pkg/identity"
 	"github.com/owncloud/ocis/v2/extensions/graph/pkg/identity/ldap"
 	graphm "github.com/owncloud/ocis/v2/extensions/graph/pkg/middleware"
-	"github.com/owncloud/ocis/v2/ocis-pkg/account"
-	opkgm "github.com/owncloud/ocis/v2/ocis-pkg/middleware"
 	"github.com/owncloud/ocis/v2/ocis-pkg/roles"
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
 	settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
@@ -171,19 +169,13 @@ func NewService(opts ...Option) Service {
 				})
 			})
 		})
-		r.Group(func(r chi.Router) {
-			r.Use(opkgm.ExtractAccountUUID(
-				account.Logger(options.Logger),
-				account.JWTSecret(options.Config.TokenManager.JWTSecret)),
-			)
-			r.Route("/drives", func(r chi.Router) {
-				r.Get("/", svc.GetAllDrives)
-				r.Post("/", svc.CreateDrive)
-				r.Route("/{driveID}", func(r chi.Router) {
-					r.Patch("/", svc.UpdateDrive)
-					r.Get("/", svc.GetSingleDrive)
-					r.Delete("/", svc.DeleteDrive)
-				})
+		r.Route("/drives", func(r chi.Router) {
+			r.Get("/", svc.GetAllDrives)
+			r.Post("/", svc.CreateDrive)
+			r.Route("/{driveID}", func(r chi.Router) {
+				r.Patch("/", svc.UpdateDrive)
+				r.Get("/", svc.GetSingleDrive)
+				r.Delete("/", svc.DeleteDrive)
 			})
 		})
 	})
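Review bot: The new `u.Id.OpaqueId` and `roles.Value` accesses dereference pointers without a nil check, so a user decoded from the token with no Id, or an Opaque map entry whose value is nil, would panic inside the request handler rather than being rejected; whether the token manager can produce such a user is not visible from this hunk, so this is worth confirming. A defensive form is `if roles, ok := u.Opaque.Map["roles"]; ok && roles != nil {` and a guard such as `if u.Id == nil { /* reject like a missing token */ }` before the AccountID line. It would also help to add a comment stating that AccountID and RoleIDs are derived from the verified x-access-token and deliberately overwrite anything already in the go-micro metadata, since downstream authorization presumably reads these keys. The enclosing handler function starts and ends outside the hunk.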
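Review bot: Dropping the `r.Group` with `opkgm.ExtractAccountUUID` means the /drives handlers now depend on graphm.Auth being applied somewhere on their router ancestry, which lies outside this hunk (NewService begins before it); if that middleware is not on this path, GetAllDrives, CreateDrive, UpdateDrive, GetSingleDrive and DeleteDrive would neither get AccountID/RoleIDs in the context nor have the token validated at all, since ExtractAccountUUID was also the only visible guard on these routes. Please confirm the /drives routes sit inside the Auth-protected group and consider a test that requests /drives without x-access-token and expects a rejection, so the removal cannot silently widen access later. The import removals in the earlier service.go hunk are consistent with this change.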