mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-01-02 10:21:07 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add workaround for missing RoleIDs in Token

Browse Source 
This we use reva to mint tokes for users when using the CS3 backend
(https://github.com/owncloud/ocis/pull/2528) the user's roles are no
longer part of the token.

This adds a workaround to the RequireSelfOrAdmin middleware to Request
the user's role id on demand from the settings service.

Partial Fix for #2646
This commit is contained in:
Ralf Haferkamp
2022-02-02 16:52:08 +01:00
parent f7d290c131
commit ada93a95b7
2 changed files with 33 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
ocis-pkg/roles/manager.go
View File

@@ -67,3 +67,21 @@ func (m *Manager) FindPermissionByID(ctx context.Context, roleIDs []string, perm
}
return nil
}
// FindRoleIdsForUser returns all roles that are assigned to the supplied userid
func (m *Manager) FindRoleIDsForUser(ctx context.Context, userID string) ([]string, error) {
req := &settingssvc.ListRoleAssignmentsRequest{AccountUuid: userID}
assignmentResponse, err := m.roleService.ListRoleAssignments(ctx, req)
if err != nil {
return nil, err
}
roleIDs := make([]string, 0, len(assignmentResponse.Assignments))
for _, assignment := range assignmentResponse.Assignments {
roleIDs = append(roleIDs, assignment.RoleId)
}
return roleIDs, nil
}

17
ocs/pkg/middleware/requireselforadmin.go
View File

@@ -11,6 +11,7 @@ import (
"github.com/owncloud/ocis/ocis-pkg/roles"
"github.com/owncloud/ocis/ocs/pkg/service/v0/data"
"github.com/owncloud/ocis/ocs/pkg/service/v0/response"
settingsService "github.com/owncloud/ocis/settings/pkg/service/v0"
)
// RequireSelfOrAdmin middleware is used to require the requesting user to be an admin or the requested user himself
@@ -38,8 +39,20 @@ func RequireSelfOrAdmin(opts ...Option) func(next http.Handler) http.Handler {
// get roles from context
roleIDs, ok := roles.ReadRoleIDsFromContext(r.Context())
if !ok {
mustRender(w, r, response.ErrRender(data.MetaUnauthorized.StatusCode, "Unauthorized"))
return
opt.Logger.Debug().Str("userid", u.Id.OpaqueId).Msg("No roles in context, contacting settings service")
var err error
roleIDs, err = opt.RoleManager.FindRoleIDsForUser(r.Context(), u.Id.OpaqueId)
if err != nil {
opt.Logger.Err(err).Str("userid", u.Id.OpaqueId).Msg("failed to get roles for user")
mustRender(w, r, response.ErrRender(data.MetaUnauthorized.StatusCode, "Unauthorized"))
return
}
if len(roleIDs) == 0 {
roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser, settingsService.SelfManagementPermissionID)
// if roles are empty, assume we haven't seen the user before and assign a default user role. At least until
// proper roles are provided. See https://github.com/owncloud/ocis/issues/1825 for more context.
//return user, nil
}
}
// check if account management permission is present in roles of the authenticated account