Rework default role provisioning

This reworks the assignment of the default role at login. The assignment now only happens if settings service is reachable and the current user does not have an assignment yet (we check for the NotFound status). If the settings service returns an error other than 404, the GetUserByClaims() (and with it the authentication) will also error out. Closes: #3900
2026-01-06 04:09:40 -06:00 · 2022-06-08 14:16:04 +02:00
parent 15fabb155f
commit d6e695076d
2 changed files with 29 additions and 17 deletions
--- a/changelog/unreleased/fix-default-role-assign.md
+++ b/changelog/unreleased/fix-default-role-assign.md
@@ -0,0 +1,7 @@
+Bugfix: Rework default role provisioning
+
+We fixed a race condition in the default role assignment code that could lead to
+users loosing privileges. When authenticating before the settings service was fully
+running.
+
+https://github.com/owncloud/ocis/issues/3900
--- a/extensions/proxy/pkg/user/backend/cs3.go
+++ b/extensions/proxy/pkg/user/backend/cs3.go
@@ -3,6 +3,7 @@ package backend
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -21,6 +22,7 @@ import (
 	"github.com/owncloud/ocis/v2/ocis-pkg/oidc"
 	"github.com/owncloud/ocis/v2/ocis-pkg/registry"
 	settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
+	merrors "go-micro.dev/v4/errors"
 	"go-micro.dev/v4/selector"
 )

@@ -76,24 +78,27 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w
 	if user.Id.Type != cs3.UserType_USER_TYPE_LIGHTWEIGHT {
 		roleIDs, err = loadRolesIDs(ctx, user.Id.OpaqueId, c.settingsRoleService)
 		if err != nil {
-			c.logger.Error().Err(err).Msgf("Could not load roles")
-		}
-	}
-
-	// if roles are empty, assume we haven't seen the user before and assign a
-	// default user role. At least until proper roles are provided. See
-	// https://github.com/owncloud/ocis/v2/issues/1825 for more context.
-	if len(roleIDs) == 0 {
-		if user.Id.Type == cs3.UserType_USER_TYPE_PRIMARY {
-			c.logger.Info().Str("userid", user.Id.OpaqueId).Msg("user has no role assigned, assigning default user role")
-			_, err := c.settingsRoleService.AssignRoleToUser(ctx, &settingssvc.AssignRoleToUserRequest{
-				AccountUuid: user.Id.OpaqueId,
-				RoleId:      settingsService.BundleUUIDRoleUser,
-			})
-			if err != nil {
-				c.logger.Warn().Err(err).Msg("Could not add default role")
+			var merr *merrors.Error
+			if errors.As(err, &merr) && merr.Code == http.StatusNotFound {
+				// This user doesn't have a role assignment yet. Assign a
+				// default user role. At least until proper roles are provided. See
+				// https://github.com/owncloud/ocis/v2/issues/1825 for more context.
+				if user.Id.Type == cs3.UserType_USER_TYPE_PRIMARY {
+					c.logger.Info().Str("userid", user.Id.OpaqueId).Msg("user has no role assigned, assigning default user role")
+					_, err := c.settingsRoleService.AssignRoleToUser(ctx, &settingssvc.AssignRoleToUserRequest{
+						AccountUuid: user.Id.OpaqueId,
+						RoleId:      settingsService.BundleUUIDRoleUser,
+					})
+					if err != nil {
+						c.logger.Error().Err(err).Msg("Could not add default role")
+						return nil, "", err
+					}
+					roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser)
+				}
+			} else {
+				c.logger.Error().Err(err).Msgf("Could not load roles")
+				return nil, "", err
 			}
-			roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser)
 		}
 	}