diff --git a/pkg/auth/manager/loader/loader.go b/pkg/auth/manager/loader/loader.go index 694cd98c29f..9fcba055412 100644 --- a/pkg/auth/manager/loader/loader.go +++ b/pkg/auth/manager/loader/loader.go @@ -30,5 +30,6 @@ import ( _ "github.com/cs3org/reva/v2/pkg/auth/manager/oidc" _ "github.com/cs3org/reva/v2/pkg/auth/manager/owncloudsql" _ "github.com/cs3org/reva/v2/pkg/auth/manager/publicshares" + _ "github.com/cs3org/reva/v2/pkg/auth/manager/serviceaccounts" // Add your own here ) diff --git a/pkg/auth/manager/registry/registry.go b/pkg/auth/manager/registry/registry.go index aea682f79d4..8d92a13e193 100644 --- a/pkg/auth/manager/registry/registry.go +++ b/pkg/auth/manager/registry/registry.go @@ -18,7 +18,9 @@ package registry -import "github.com/cs3org/reva/v2/pkg/auth" +import ( + "github.com/cs3org/reva/v2/pkg/auth" +) // NewFunc is the function that auth implementations // should register to at init time. diff --git a/pkg/auth/manager/serviceaccounts/serviceaccounts.go b/pkg/auth/manager/serviceaccounts/serviceaccounts.go new file mode 100644 index 00000000000..43b09b7d183 --- /dev/null +++ b/pkg/auth/manager/serviceaccounts/serviceaccounts.go @@ -0,0 +1,85 @@ +package serviceaccounts + +import ( + "context" + + authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1" + userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" + + "github.com/cs3org/reva/v2/pkg/auth" + "github.com/cs3org/reva/v2/pkg/auth/manager/registry" + "github.com/cs3org/reva/v2/pkg/auth/scope" + "github.com/mitchellh/mapstructure" + "github.com/pkg/errors" +) + +type conf struct { + ServiceUsers []serviceuser `mapstructure:"service_accounts"` +} + +type serviceuser struct { + ID string `mapstructure:"id"` + Secret string `mapstructure:"secret"` +} + +type manager struct { + authenticate func(userID, secret string) error +} + +func init() { + registry.Register("serviceaccounts", New) +} + +// Configure parses the map conf +func (m *manager) Configure(config map[string]interface{}) error { + c := &conf{} + if err := mapstructure.Decode(config, c); err != nil { + return errors.Wrap(err, "error decoding conf") + } + // only inmem authenticator for now + a := &inmemAuthenticator{make(map[string]string)} + for _, s := range c.ServiceUsers { + // TODO: hash secrets + a.m[s.ID] = s.Secret + } + m.authenticate = a.Authenticate + return nil +} + +// New creates a new manager for the 'service' authentication +func New(conf map[string]interface{}) (auth.Manager, error) { + m := &manager{} + err := m.Configure(conf) + if err != nil { + return nil, err + } + + return m, nil +} + +// Authenticate authenticates the service account +func (m *manager) Authenticate(ctx context.Context, userID string, secret string) (*userpb.User, map[string]*authpb.Scope, error) { + if err := m.authenticate(userID, secret); err != nil { + return nil, nil, err + } + scope, err := scope.AddOwnerScope(nil) + if err != nil { + return nil, nil, err + } + return &userpb.User{ + // TODO: more details for service users? + Id: &userpb.UserId{OpaqueId: userID}, + }, scope, nil +} + +type inmemAuthenticator struct { + m map[string]string +} + +func (a *inmemAuthenticator) Authenticate(userID string, secret string) error { + // TODO: hash secrets + if a.m[userID] == secret { + return nil + } + return errors.New("secrets do not match") +} diff --git a/pkg/utils/grpc.go b/pkg/utils/grpc.go index 3945d32e8cb..026412f9944 100644 --- a/pkg/utils/grpc.go +++ b/pkg/utils/grpc.go @@ -37,6 +37,9 @@ func GetUser(userID *user.UserId, gwc gateway.GatewayAPIClient, machineAuthAPIKe // ImpersonateUser impersonates the given user func ImpersonateUser(usr *user.User, gwc gateway.GatewayAPIClient, machineAuthAPIKey string) (context.Context, error) { + if true { + return ImpersonateServiceUser("service-user-id", gwc, machineAuthAPIKey) + } ctx := revactx.ContextSetUser(context.Background(), usr) authRes, err := gwc.Authenticate(ctx, &gateway.AuthenticateRequest{ Type: "machine", @@ -52,3 +55,21 @@ func ImpersonateUser(usr *user.User, gwc gateway.GatewayAPIClient, machineAuthAP return metadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, authRes.Token), nil } + +// ImpersonateServiceUser impersonates the given user +func ImpersonateServiceUser(userID string, gwc gateway.GatewayAPIClient, machineAuthAPIKey string) (context.Context, error) { + ctx := context.Background() + authRes, err := gwc.Authenticate(ctx, &gateway.AuthenticateRequest{ + Type: "serviceaccounts", + ClientId: userID, + ClientSecret: machineAuthAPIKey, + }) + if err != nil { + return nil, err + } + if authRes.GetStatus().GetCode() != rpc.Code_CODE_OK { + return nil, fmt.Errorf("error impersonating user: %s", authRes.Status.Message) + } + + return metadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, authRes.Token), nil +}