mirror of
https://github.com/opencloud-eu/opencloud.git
synced 2026-04-19 08:40:37 -05:00
rewrite the auth middleware
The old approach of the authentication middlewares had the problem that when an authenticator could not authenticate a request it would still send it to the next handler, in case that the next one can authenticate it. But if no authenticator could successfully authenticate the request, it would still be handled, which leads to unauthorized access.
This commit is contained in:
David Christofas
@@ -16,9 +16,9 @@ import (
|
||||
"github.com/owncloud/ocis/v2/ocis-pkg/log"
|
||||
pkgmiddleware "github.com/owncloud/ocis/v2/ocis-pkg/middleware"
|
||||
"github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
|
||||
"github.com/owncloud/ocis/v2/ocis-pkg/sync"
|
||||
"github.com/owncloud/ocis/v2/ocis-pkg/version"
|
||||
settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
|
||||
storesvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/store/v0"
|
||||
"github.com/owncloud/ocis/v2/services/proxy/pkg/config"
|
||||
"github.com/owncloud/ocis/v2/services/proxy/pkg/config/parser"
|
||||
"github.com/owncloud/ocis/v2/services/proxy/pkg/cs3"
|
||||
@@ -149,7 +149,7 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
|
||||
logger.Fatal().Msgf("Invalid accounts backend type '%s'", cfg.AccountBackend)
|
||||
}
|
||||
|
||||
storeClient := storesvc.NewStoreService("com.owncloud.api.store", grpc.DefaultClient)
|
||||
// storeClient := storesvc.NewStoreService("com.owncloud.api.store", grpc.DefaultClient)
|
||||
if err != nil {
|
||||
logger.Error().Err(err).
|
||||
Str("gateway", cfg.Reva.Address).
|
||||
@@ -166,6 +166,38 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
|
||||
Timeout: time.Second * 10,
|
||||
}
|
||||
|
||||
var authenticators []middleware.Authenticator
|
||||
if cfg.EnableBasicAuth {
|
||||
logger.Warn().Msg("basic auth enabled, use only for testing or development")
|
||||
authenticators = append(authenticators, middleware.BasicAuthenticator{
|
||||
Logger: logger,
|
||||
UserProvider: userProvider,
|
||||
})
|
||||
}
|
||||
tokenCache := sync.NewCache(cfg.OIDC.UserinfoCache.Size)
|
||||
authenticators = append(authenticators, middleware.OIDCAuthenticator{
|
||||
Logger: logger,
|
||||
TokenCache: &tokenCache,
|
||||
TokenCacheTTL: time.Duration(cfg.OIDC.UserinfoCache.TTL),
|
||||
HTTPClient: oidcHTTPClient,
|
||||
OIDCIss: cfg.OIDC.Issuer,
|
||||
ProviderFunc: func() (middleware.OIDCProvider, error) {
|
||||
// Initialize a provider by specifying the issuer URL.
|
||||
// it will fetch the keys from the issuer using the .well-known
|
||||
// endpoint
|
||||
return oidc.NewProvider(
|
||||
context.WithValue(ctx, oauth2.HTTPClient, oidcHTTPClient),
|
||||
cfg.OIDC.Issuer,
|
||||
)
|
||||
},
|
||||
JWKSOptions: cfg.OIDC.JWKS,
|
||||
AccessTokenVerifyMethod: cfg.OIDC.AccessTokenVerifyMethod,
|
||||
})
|
||||
// authenticators = append(authenticators, middleware.PublicShareAuthenticator{
|
||||
// Logger: logger,
|
||||
// RevaGatewayClient: revaClient,
|
||||
// })
|
||||
|
||||
return alice.New(
|
||||
// first make sure we log all requests and redirect to https if necessary
|
||||
pkgmiddleware.TraceContext,
|
||||
@@ -179,39 +211,44 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
|
||||
oidcHTTPClient,
|
||||
),
|
||||
|
||||
// now that we established the basics, on with authentication middleware
|
||||
middleware.Authentication(
|
||||
// OIDC Options
|
||||
middleware.OIDCProviderFunc(func() (middleware.OIDCProvider, error) {
|
||||
// Initialize a provider by specifying the issuer URL.
|
||||
// it will fetch the keys from the issuer using the .well-known
|
||||
// endpoint
|
||||
return oidc.NewProvider(
|
||||
context.WithValue(ctx, oauth2.HTTPClient, oidcHTTPClient),
|
||||
cfg.OIDC.Issuer,
|
||||
)
|
||||
}),
|
||||
middleware.HTTPClient(oidcHTTPClient),
|
||||
middleware.TokenCacheSize(cfg.OIDC.UserinfoCache.Size),
|
||||
middleware.TokenCacheTTL(time.Second*time.Duration(cfg.OIDC.UserinfoCache.TTL)),
|
||||
middleware.AccessTokenVerifyMethod(cfg.OIDC.AccessTokenVerifyMethod),
|
||||
middleware.JWKSOptions(cfg.OIDC.JWKS),
|
||||
// middleware.AuthenticationOld(
|
||||
// // OIDC Options
|
||||
// middleware.OIDCProviderFunc(func() (middleware.OIDCProvider, error) {
|
||||
// // Initialize a provider by specifying the issuer URL.
|
||||
// // it will fetch the keys from the issuer using the .well-known
|
||||
// // endpoint
|
||||
// return oidc.NewProvider(
|
||||
// context.WithValue(ctx, oauth2.HTTPClient, oidcHTTPClient),
|
||||
// cfg.OIDC.Issuer,
|
||||
// )
|
||||
// }),
|
||||
|
||||
// basic Options
|
||||
middleware.Logger(logger),
|
||||
middleware.EnableBasicAuth(cfg.EnableBasicAuth),
|
||||
middleware.UserProvider(userProvider),
|
||||
middleware.OIDCIss(cfg.OIDC.Issuer),
|
||||
middleware.UserOIDCClaim(cfg.UserOIDCClaim),
|
||||
middleware.UserCS3Claim(cfg.UserCS3Claim),
|
||||
middleware.Authentication(
|
||||
authenticators,
|
||||
middleware.CredentialsByUserAgent(cfg.AuthMiddleware.CredentialsByUserAgent),
|
||||
),
|
||||
middleware.SignedURLAuth(
|
||||
middleware.Logger(logger),
|
||||
middleware.PreSignedURLConfig(cfg.PreSignedURL),
|
||||
middleware.UserProvider(userProvider),
|
||||
middleware.Store(storeClient),
|
||||
middleware.OIDCIss(cfg.OIDC.Issuer),
|
||||
middleware.EnableBasicAuth(cfg.EnableBasicAuth),
|
||||
),
|
||||
// middleware.HTTPClient(oidcHTTPClient),
|
||||
// middleware.TokenCacheSize(cfg.OIDC.UserinfoCache.Size),
|
||||
// middleware.TokenCacheTTL(time.Second*time.Duration(cfg.OIDC.UserinfoCache.TTL)),
|
||||
//
|
||||
// // basic Options
|
||||
// middleware.Logger(logger),
|
||||
// middleware.EnableBasicAuth(cfg.EnableBasicAuth),
|
||||
// middleware.UserProvider(userProvider),
|
||||
// middleware.OIDCIss(cfg.OIDC.Issuer),
|
||||
// middleware.UserOIDCClaim(cfg.UserOIDCClaim),
|
||||
// middleware.UserCS3Claim(cfg.UserCS3Claim),
|
||||
// middleware.CredentialsByUserAgent(cfg.AuthMiddleware.CredentialsByUserAgent),
|
||||
// ),
|
||||
// middleware.SignedURLAuth(
|
||||
// middleware.Logger(logger),
|
||||
// middleware.PreSignedURLConfig(cfg.PreSignedURL),
|
||||
// middleware.UserProvider(userProvider),
|
||||
// middleware.Store(storeClient),
|
||||
// ),
|
||||
middleware.AccountResolver(
|
||||
middleware.Logger(logger),
|
||||
middleware.UserProvider(userProvider),
|
||||
@@ -233,9 +270,9 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
|
||||
middleware.TokenManagerConfig(*cfg.TokenManager),
|
||||
middleware.RevaGatewayClient(revaClient),
|
||||
),
|
||||
middleware.PublicShareAuth(
|
||||
middleware.Logger(logger),
|
||||
middleware.RevaGatewayClient(revaClient),
|
||||
),
|
||||
// middleware.PublicShareAuth(
|
||||
// middleware.Logger(logger),
|
||||
// middleware.RevaGatewayClient(revaClient),
|
||||
// ),
|
||||
)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user