From ad29d7da3eaa6eb3a45d4d4523586e1860bc59e4 Mon Sep 17 00:00:00 2001
From: Michael Barz
Date: Thu, 18 Apr 2024 23:34:35 +0200
Subject: [PATCH] fix: always assign the admin role to the default admin
---
.../unreleased/fix-admin-role-assignment.md | 6 ++
services/settings/pkg/store/metadata/store.go | 71 ++++++++++++++++++-
2 files changed, 76 insertions(+), 1 deletion(-)
create mode 100644 changelog/unreleased/fix-admin-role-assignment.md
diff --git a/changelog/unreleased/fix-admin-role-assignment.md b/changelog/unreleased/fix-admin-role-assignment.md
new file mode 100644
index 000000000..25b2cc84d
--- /dev/null
+++ b/changelog/unreleased/fix-admin-role-assignment.md
@@ -0,0 +1,6 @@
+Bugfix: Update the admin user role assignment to enforce the config
+
+The admin user role assigment was not updated after the first assignment. We now read the assigned role during init and update the admin user ID accordingly if the role is not assigned.
+This is especially needed when the OCIS_ADMIN_USER_ID is set after the autoprovisioning of the admin user when it originates from an external Identity Provider.
+
+https://github.com/owncloud/ocis/pull/8897
diff --git a/services/settings/pkg/store/metadata/store.go b/services/settings/pkg/store/metadata/store.go
index 68946a3a8..3985e84a1 100644
--- a/services/settings/pkg/store/metadata/store.go
+++ b/services/settings/pkg/store/metadata/store.go
@@ -7,6 +7,7 @@ import (
 "log"
 "sync"
+ "github.com/cs3org/reva/v2/pkg/errtypes"
 "github.com/cs3org/reva/v2/pkg/storage/utils/metadata"
 "github.com/gofrs/uuid"
 olog "github.com/owncloud/ocis/v2/ocis-pkg/log"
@@ -139,10 +140,20 @@ func (s *Store) initMetadataClient(mdc MetadataClient) error {
 if err != nil {
 return err
 }
- if len(assIDs) > 0 {
+
+ adminUserID := accountUUID == s.cfg.AdminUserID
+ if len(assIDs) > 0 && !adminUserID {
 // There is already a role assignment for this ID, skip to the next
 continue
 }
+ // for the adminUserID we need to check if the user has the admin role every time
+ if adminUserID {
+ err = s.userMustHaveAdminRole(accountUUID, assIDs, mdc)
+ if err != nil {
+ return err
+ }
+ continue
+ }
 ass := &settingsmsg.UserRoleAssignment{
 Id: uuid.Must(uuid.NewV4()).String(),
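Review bot: The new check only ensures that the account named by `s.cfg.AdminUserID` holds the admin role; it never revokes that role from a previously configured admin ID, because every other account that already has assignments still hits `continue` on the unchanged skip branch. So if OCIS_ADMIN_USER_ID is changed rather than set for the first time, both the old and the new account end up with the admin role unless that is handled elsewhere (the rest of initMetadataClient lies outside this hunk). Either state that on the `// for the adminUserID` comment as intended, or extend this pass to strip the admin role from accounts other than the configured one. As a point of style, `adminUserID` is a bool but reads like an identifier; `isAdminUser := accountUUID == s.cfg.AdminUserID` would make the two `if` conditions easier to read.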
@@ -164,6 +175,64 @@ func (s *Store) initMetadataClient(mdc MetadataClient) error {
 return nil
 }
+func (s *Store) userMustHaveAdminRole(accountUUID string, assIDs []string, mdc MetadataClient) error {
+ ctx := context.TODO()
+ var hasAdminRole bool
+
+ // load the assignments from the store and check if the admin role is already assigned
+ for _, assID := range assIDs {
+ b, err := mdc.SimpleDownload(ctx, assignmentPath(accountUUID, assID))
+ switch err.(type) {
+ case nil:
+ // continue
+ case errtypes.NotFound:
+ continue
+ default:
+ return err
+ }
+
+ a := &settingsmsg.UserRoleAssignment{}
+ err = json.Unmarshal(b, a)
+ if err != nil {
+ return err
+ }
+
+ if a.RoleId == defaults.BundleUUIDRoleAdmin {
+ hasAdminRole = true
+ }
+ }
+
+ // delete old role assignment and set admin role
+ if !hasAdminRole {
+ err := mdc.Delete(ctx, accountPath(accountUUID))
+ switch err.(type) {
+ case nil:
+ // continue
+ case errtypes.NotFound:
+ // already gone, continue
+ default:
+ return err
+ }
+
+ err = mdc.MakeDirIfNotExist(ctx, accountPath(accountUUID))
+ if err != nil {
+ return err
+ }
+
+ ass := &settingsmsg.UserRoleAssignment{
+ Id: uuid.Must(uuid.NewV4()).String(),
+ AccountUuid: accountUUID,
+ RoleId: defaults.BundleUUIDRoleAdmin,
+ }
+ b, err := json.Marshal(ass)
+ if err != nil {
+ return err
+ }
+ return mdc.SimpleUpload(ctx, assignmentPath(accountUUID, ass.Id), b)
+ }
+ return nil
+}
+
 func init() {
 settings.Registry[managerName] = New
 }
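Review bot: When the admin role is missing, `userMustHaveAdminRole` deletes the whole `accountPath(accountUUID)` directory before writing the new assignment, so every other role assignment the configured admin account had is discarded (and anything else stored under that path, if it holds more than assignments — not visible here). That is presumably intended, but nothing says so; a doc comment on the function would prevent a later reader from treating it as a bug: `// userMustHaveAdminRole ensures the configured admin account carries the admin role; if it does not, all existing role assignments of that account are removed and a single admin assignment is written in their place.` Two minor points: the download loop keeps fetching the remaining assignments after `hasAdminRole = true`, where a `break` would do, and the `switch err.(type)` on `errtypes.NotFound` only matches an unwrapped error, so it relies on `mdc` returning that type directly rather than wrapped with `%w`.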