Merge pull request #4374 from owncloud/rewrite-auth-middleware

[full-ci] Rewrite of the authentication middleware
2026-04-23 12:38:21 -05:00 · 2022-08-22 16:39:03 +02:00
parent 976a91c641 dfe703291f
commit c4881f5736
14 changed files with 702 additions and 586 deletions
@@ -161,6 +161,43 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
 		Timeout: time.Second * 10,
 	}

+	var authenticators []middleware.Authenticator
+	if cfg.EnableBasicAuth {
+		logger.Warn().Msg("basic auth enabled, use only for testing or development")
+		authenticators = append(authenticators, middleware.BasicAuthenticator{
+			Logger:       logger,
+			UserProvider: userProvider,
+		})
+	}
+	authenticators = append(authenticators, middleware.NewOIDCAuthenticator(
+		logger,
+		cfg.OIDC.UserinfoCache.TTL,
+		oidcHTTPClient,
+		cfg.OIDC.Issuer,
+		func() (middleware.OIDCProvider, error) {
+			// Initialize a provider by specifying the issuer URL.
+			// it will fetch the keys from the issuer using the .well-known
+			// endpoint
+			return oidc.NewProvider(
+				context.WithValue(ctx, oauth2.HTTPClient, oidcHTTPClient),
+				cfg.OIDC.Issuer,
+			)
+		},
+		cfg.OIDC.JWKS,
+		cfg.OIDC.AccessTokenVerifyMethod,
+	))
+	authenticators = append(authenticators, middleware.PublicShareAuthenticator{
+		Logger:            logger,
+		RevaGatewayClient: revaClient,
+	})
+
+	authenticators = append(authenticators, middleware.SignedURLAuthenticator{
+		Logger:             logger,
+		PreSignedURLConfig: cfg.PreSignedURL,
+		UserProvider:       userProvider,
+		Store:              storeClient,
+	})
+
 	return alice.New(
 		// first make sure we log all requests and redirect to https if necessary
 		pkgmiddleware.TraceContext,
@@ -174,38 +211,12 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
 			oidcHTTPClient,
 		),

-		// now that we established the basics, on with authentication middleware
 		middleware.Authentication(
-			// OIDC Options
-			middleware.OIDCProviderFunc(func() (middleware.OIDCProvider, error) {
-				// Initialize a provider by specifying the issuer URL.
-				// it will fetch the keys from the issuer using the .well-known
-				// endpoint
-				return oidc.NewProvider(
-					context.WithValue(ctx, oauth2.HTTPClient, oidcHTTPClient),
-					cfg.OIDC.Issuer,
-				)
-			}),
-			middleware.HTTPClient(oidcHTTPClient),
-			middleware.TokenCacheSize(cfg.OIDC.UserinfoCache.Size),
-			middleware.TokenCacheTTL(time.Second*time.Duration(cfg.OIDC.UserinfoCache.TTL)),
-			middleware.AccessTokenVerifyMethod(cfg.OIDC.AccessTokenVerifyMethod),
-			middleware.JWKSOptions(cfg.OIDC.JWKS),
-
-			// basic Options
-			middleware.Logger(logger),
-			middleware.EnableBasicAuth(cfg.EnableBasicAuth),
-			middleware.UserProvider(userProvider),
-			middleware.OIDCIss(cfg.OIDC.Issuer),
-			middleware.UserOIDCClaim(cfg.UserOIDCClaim),
-			middleware.UserCS3Claim(cfg.UserCS3Claim),
+			authenticators,
 			middleware.CredentialsByUserAgent(cfg.AuthMiddleware.CredentialsByUserAgent),
-		),
-		middleware.SignedURLAuth(
 			middleware.Logger(logger),
-			middleware.PreSignedURLConfig(cfg.PreSignedURL),
-			middleware.UserProvider(userProvider),
-			middleware.Store(storeClient),
+			middleware.OIDCIss(cfg.OIDC.Issuer),
+			middleware.EnableBasicAuth(cfg.EnableBasicAuth),
 		),
 		middleware.AccountResolver(
 			middleware.Logger(logger),
@@ -228,9 +239,5 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
 			middleware.TokenManagerConfig(*cfg.TokenManager),
 			middleware.RevaGatewayClient(revaClient),
 		),
-		middleware.PublicShareAuth(
-			middleware.Logger(logger),
-			middleware.RevaGatewayClient(revaClient),
-		),
 	)
 }