* refactor middleware options Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * use ocmemstore micro store implementation for token cache Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * refactor ocis store options, support redis sentinel Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * align cache configuration Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * database and table are used to build prefixes for inmemory stores Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * add global persistent store options to userlog config Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * log cache errors but continue Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * drop unnecessary type conversion Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * Better description for the default userinfo ttl Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * use global cache options for even more caches Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * don't log userinfo cache misses Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * default to stock memory store Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * use correct mem store type string Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * split cache options, doc cleanup Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * mint and write userinfo to cache async Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * use hashed token as key Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * go mod tidy Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * update docs Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * update cache store naming Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * bring back deprecated ocis-pkg/store package for backwards compatibility Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * update changelog Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * Apply suggestions from code review 
Co-authored-by: kobergj <jkoberg@owncloud.com> * revert ocis-pkg/cache to store rename Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * add waiting for each step 50 milliseconds * starlack check --------- Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> Co-authored-by: kobergj <jkoberg@owncloud.com> Co-authored-by: Viktor Scharf <scharf.vi@gmail.com>
package middleware
import (
"net/http"
"time"
gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
"github.com/owncloud/ocis/v2/ocis-pkg/log"
settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
storesvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/store/v0"
"github.com/owncloud/ocis/v2/services/proxy/pkg/config"
"github.com/owncloud/ocis/v2/services/proxy/pkg/user/backend"
"github.com/owncloud/ocis/v2/services/proxy/pkg/userroles"
store "go-micro.dev/v4/store"
)
// Option defines a single option function: a mutator that newOptions applies
// to an Options value. Every exported setter below returns one of these.
type Option func(o *Options)
// Options defines the available options for this package.
//
// An Options value is assembled by newOptions from the functional setters in
// this file. Nothing here validates the result, so a middleware that needs a
// field (see the "must be set" notes) has to check it itself.
type Options struct {
	// Logger to use for logging, must be set
	Logger log.Logger
	// TokenManagerConfig for communicating with the reva token manager
	TokenManagerConfig config.TokenManager
	// PolicySelector holds the config for using the policy selector
	PolicySelector config.PolicySelector
	// HTTPClient to use for communication with the oidcAuth provider.
	// NOTE(review): this client talks to the IdP, so it should carry a
	// timeout and keep TLS verification enabled; neither is enforced here —
	// confirm where it is constructed.
	HTTPClient *http.Client
	// UserProvider backend to use for resolving User
	UserProvider backend.UserBackend
	// UserRoleAssigner to use for assigning a user's default role
	UserRoleAssigner userroles.UserRoleAssigner
	// SettingsRoleService for the roles API in settings
	SettingsRoleService settingssvc.RoleService
	// OIDCProviderFunc to lazily initialize an oidc provider, must be set for the oidc_auth middleware
	OIDCProviderFunc func() (OIDCProvider, error)
	// OIDCIss is the oidcAuth-issuer. Presumably compared with the `iss`
	// claim of incoming tokens, so keep it byte-identical to the IdP's
	// issuer URL (scheme, host, trailing slash).
	OIDCIss string
	// RevaGatewayClient to send requests to the reva gateway
	RevaGatewayClient gateway.GatewayAPIClient
	// Store for persisting data
	Store storesvc.StoreService
	// PreSignedURLConfig to configure the pre-signed URL middleware
	PreSignedURLConfig config.PreSignedURL
	// UserOIDCClaim to read from the oidc claims; its value identifies the user.
	// NOTE(review): the chosen claim becomes the account identity, so it must
	// be unique and stable at the IdP (a user-editable attribute would allow
	// impersonation by renaming) — verify against the IdP configuration.
	UserOIDCClaim string
	// UserCS3Claim to use when looking up a user in the CS3 API
	UserCS3Claim string
	// AutoprovisionAccounts when an accountResolver does not exist.
	// When enabled, an authenticated but locally unknown identity presumably
	// gets an account created on the fly; RoleQuotas below applies to such
	// provisioned users.
	AutoprovisionAccounts bool
	// EnableBasicAuth to allow basic auth (credentials in the Authorization
	// header on every request, presumably bypassing the OIDC flow). Keep it
	// disabled unless a client really needs it, and only behind TLS.
	EnableBasicAuth bool
	// DefaultAccessTokenTTL is used to calculate the expiration when an access token has no expiration set.
	// NOTE(review): this presumably also bounds how long a cached entry for
	// such a token is reused, so a large value delays the effect of
	// revocation at the IdP — prefer a short duration.
	DefaultAccessTokenTTL time.Duration
	// Cache sets the access token cache store.
	// NOTE(review): entries are derived from bearer tokens (the introducing
	// commit keys them by a hash of the token), so an external backend such
	// as redis needs the same access controls as session storage.
	Cache store.Store
	// CredentialsByUserAgent sets the auth challenges on a per user-agent basis.
	// The User-Agent header is client-controlled: this mapping may choose
	// which challenge is presented, but must never be relied on to grant access.
	CredentialsByUserAgent map[string]string
	// AccessTokenVerifyMethod configures how access_tokens should be verified by the oidc_auth middleware.
	// Possible values currently: "jwt" and "none"
	// NOTE(review): "none" presumably skips local signature/expiry checks on
	// the token; only use it when something downstream is guaranteed to reject
	// invalid tokens — confirm in the oidc_auth middleware.
	AccessTokenVerifyMethod string
	// JWKS sets the options for fetching the JWKS from the IDP. The keys
	// obtained this way are presumably what "jwt" verification trusts, so the
	// fetch must be over TLS from the issuer's own endpoint.
	JWKS config.JWKS
	// RoleQuotas holds role:quota mappings (the key is the role, not the
	// user — see next sentence). These will be used when provisioning new users.
	// The users will get as much quota as is set for their role.
	RoleQuotas map[string]uint64
}
// newOptions builds an Options value by starting from the zero value and
// applying each Option in the order given; a later option overwrites what an
// earlier one set. No validation of required fields happens here.
func newOptions(opts ...Option) Options {
	var result Options
	for i := range opts {
		opts[i](&result)
	}
	return result
}
// Logger returns an Option that installs l as the logger for the middlewares.
// Options.Logger is documented as required; this setter does not check for a
// zero value.
func Logger(l log.Logger) Option {
	set := func(opts *Options) {
		opts.Logger = l
	}
	return set
}
// TokenManagerConfig returns an Option that stores the token manager config
// used for communicating with the reva token manager.
func TokenManagerConfig(cfg config.TokenManager) Option {
	return func(opts *Options) { opts.TokenManagerConfig = cfg }
}
// PolicySelectorConfig returns an Option that stores the policy selector
// config in Options.PolicySelector.
func PolicySelectorConfig(cfg config.PolicySelector) Option {
	set := func(opts *Options) {
		opts.PolicySelector = cfg
	}
	return set
}
// HTTPClient returns an Option that sets the http client used to talk to the
// oidcAuth provider.
//
// NOTE(review): the client is used for requests to the IdP, so it should be
// built with a timeout and with TLS certificate verification left enabled;
// this setter accepts any client, including nil, without checking — confirm
// at the call site.
func HTTPClient(c *http.Client) Option {
	return func(opts *Options) { opts.HTTPClient = c }
}
// SettingsRoleService returns an Option that stores the role service client
// for the roles API in settings.
func SettingsRoleService(rc settingssvc.RoleService) Option {
	set := func(opts *Options) {
		opts.SettingsRoleService = rc
	}
	return set
}
// OIDCProviderFunc returns an Option that stores the function used to lazily
// initialize the oidc provider. Options.OIDCProviderFunc is documented as
// required for the oidc_auth middleware; a nil f is stored as-is.
func OIDCProviderFunc(f func() (OIDCProvider, error)) Option {
	return func(opts *Options) { opts.OIDCProviderFunc = f }
}
// OIDCIss returns an Option that sets the oidcAuth issuer url. Keep it
// identical to the IdP's issuer (scheme, host, trailing slash): it is
// presumably compared with the `iss` claim of incoming tokens, and no
// normalization is done here.
func OIDCIss(iss string) Option {
	set := func(opts *Options) {
		opts.OIDCIss = iss
	}
	return set
}
// CredentialsByUserAgent returns an Option that sets the per-User-Agent
// auth challenges (UserAgentChallenges).
//
// The map is stored by reference, not copied, so callers must not mutate it
// afterwards. The User-Agent header is entirely client-controlled; this
// mapping can only influence which challenge is presented, never whether a
// request is authenticated.
func CredentialsByUserAgent(v map[string]string) Option {
	return func(opts *Options) { opts.CredentialsByUserAgent = v }
}
// RevaGatewayClient returns an Option that stores the client used to send
// requests to the reva gateway.
func RevaGatewayClient(gc gateway.GatewayAPIClient) Option {
	set := func(opts *Options) {
		opts.RevaGatewayClient = gc
	}
	return set
}
// Store returns an Option that sets the store service used for persisting
// data.
func Store(sc storesvc.StoreService) Option {
	return func(opts *Options) { opts.Store = sc }
}
// PreSignedURLConfig returns an Option that stores the configuration of the
// pre-signed URL middleware.
func PreSignedURLConfig(cfg config.PreSignedURL) Option {
	set := func(opts *Options) {
		opts.PreSignedURLConfig = cfg
	}
	return set
}
// UserOIDCClaim returns an Option that sets the UserClaim config: the name of
// the OIDC claim whose value identifies the user.
//
// NOTE(review): whichever claim is chosen becomes the account identity, so it
// should be unique and immutable at the IdP; a user-editable attribute would
// let one user take over another's identity by renaming. Verify against the
// IdP configuration — nothing here checks the value.
func UserOIDCClaim(val string) Option {
	return func(opts *Options) { opts.UserOIDCClaim = val }
}
// UserCS3Claim returns an Option that sets the UserClaimType config: the
// claim used when looking up a user in the CS3 API.
func UserCS3Claim(val string) Option {
	set := func(opts *Options) {
		opts.UserCS3Claim = val
	}
	return set
}
// AutoprovisionAccounts returns an Option that sets the AutoprovisionAccounts
// config. When true, identities unknown to the account resolver presumably get
// an account created from their OIDC claims, which makes the choice of
// UserOIDCClaim security-relevant.
func AutoprovisionAccounts(val bool) Option {
	return func(opts *Options) { opts.AutoprovisionAccounts = val }
}
// EnableBasicAuth returns an Option that sets the EnableBasicAuth config.
//
// NOTE(review): basic auth carries the user's password on every request and
// presumably bypasses the OIDC flow entirely; leave it off unless a client
// truly needs it, and then only behind TLS.
func EnableBasicAuth(enableBasicAuth bool) Option {
	set := func(opts *Options) {
		opts.EnableBasicAuth = enableBasicAuth
	}
	return set
}
// DefaultAccessTokenTTL returns an Option that sets the DefaultAccessTokenTTL:
// the lifetime assumed for an access token that carries no expiration.
//
// NOTE(review): this presumably also bounds how long a cached entry for such a
// token is reused, so a large TTL delays the effect of revocation at the IdP.
// Prefer a short duration; no lower or upper bound is enforced here.
func DefaultAccessTokenTTL(ttl time.Duration) Option {
	return func(opts *Options) { opts.DefaultAccessTokenTTL = ttl }
}
// Cache returns an Option that sets the store backing the access token cache.
//
// NOTE(review): entries in this store are derived from bearer tokens (the
// introducing commit keys them by a hash of the token); an external backend
// such as redis therefore needs the same access controls as session storage.
func Cache(val store.Store) Option {
	set := func(opts *Options) {
		opts.Cache = val
	}
	return set
}
// UserProvider returns an Option that sets the accounts user provider backend
// used for resolving users.
func UserProvider(up backend.UserBackend) Option {
	return func(opts *Options) { opts.UserProvider = up }
}
// UserRoleAssigner returns an Option that sets the mechanism used to assign
// a user's default roles.
func UserRoleAssigner(ra userroles.UserRoleAssigner) Option {
	set := func(opts *Options) {
		opts.UserRoleAssigner = ra
	}
	return set
}
// AccessTokenVerifyMethod returns an Option that sets the mechanism for access
// token verification. Options.AccessTokenVerifyMethod lists the accepted
// values ("jwt" and "none"); the string is stored as-is and not validated.
//
// NOTE(review): "none" presumably means the proxy does no local signature or
// expiry check on the token. Only use it when something downstream is
// guaranteed to reject forged or expired tokens — confirm in the oidc_auth
// middleware before enabling.
func AccessTokenVerifyMethod(method string) Option {
	return func(opts *Options) { opts.AccessTokenVerifyMethod = method }
}
// JWKSOptions returns an Option that sets the options for fetching the JWKS
// from the IDP. The keys obtained this way are presumably what "jwt"
// verification trusts, so the fetch should go over TLS to the issuer's own
// endpoint — confirm in config.JWKS.
func JWKSOptions(jo config.JWKS) Option {
	set := func(opts *Options) {
		opts.JWKS = jo
	}
	return set
}
// RoleQuotas returns an Option that sets the role quota mapping (role → quota)
// used when provisioning new users. The map is stored by reference and not
// copied, so callers must not mutate it after handing it over.
func RoleQuotas(roleQuotas map[string]uint64) Option {
	return func(opts *Options) { opts.RoleQuotas = roleQuotas }
}