This introduces the "additional_headers", "remote_user_header" and
"skip_x_access_token" config keys to allow configuring routes to
external services that require addtional headers to be set.
"remote_user_header": defines the name of a Header that will carry the
userid of the authenticated user on the outgoing request.
"additional_headers": defines a list of header names and values that will
be added to outgoing requests on matching routes.
"skip_x_access_token": when set to true the reva access token will not
be added to the outgoing request.
Needed for #206
When successfully authenticating a user via apptoken, resolve the user's
roles and add the user and the token returned by the auth service to the
request context. Rely on the account_resolve middleware to add the reva
token to the outgoing request as the other auth middlewares do.
Every time the OIDC middleware sees a new access token (i.e when it needs
to update the userinfo cache) we consider that as a new login. In this case
the middleware add a new flag to the context, which is then used by the
accountresolver middleware to publish a UserSignedIn event.
The event needs to be sent by the accountresolver middleware, because only
at that point we know the user id of the user that just logged in.
(It would probably makes sense to merge the auth and account middleware into a
single component to avoid passing flags around via context)
Add support for autoprovisioning group memberships from OIDC claims.
Users are added to and removed from groups based on the value of an OIDC
claim. If a group does not exist, it is created.
Closes: #5538
* feat: add CSP and other security related headers in the oCIS proxy service
* fix: consolidate security related headers - drop middleware.Secure
* fix: use github.com/DeepDiver1975/secure
* fix: acceptance tests
* feat: support env var replacements in csp.yaml
* bump mockery, add test stub for oidc_auth.go
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use .mockery.yaml for all mocks
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* drop legacy go:generate mockery
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* align mock placement
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
---------
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* extract and test role claim parsing
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add failing test
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* read segmented roles claim as array and string
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* reuse more code by extracting WalkSegments
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add TestSplitWithEscaping
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* docs and error for unhandled case
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add claims test
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add missing ReadStringClaim docs
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
---------
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* enhancement: add graph beta listPermissions endpoint
besides the new api endpoint it includes several utilities to simplify the graph api development.
* resolve drive and item id from the request path
* generic pointer and value utilities
* space root detection
* update GetDriveAndItemIDParam signature to return a error
* move errorcode package
* enhancement: add generic error code handling
* fix: rebase
This gets us a rid of the need to configure the reva jwt secret in the
proxy. Also we no longer need to fake an internal admin user for
autoprovsioning user and/or assigning the roles to users from oidc
claims.
André Duffeck