From f2feb7a8a553b25e3352b2c3a74e257db05a0fb4 Mon Sep 17 00:00:00 2001
From: jkoberg
Date: Thu, 24 Aug 2023 13:04:52 +0200
Subject: [PATCH] improve service user authentication
Signed-off-by: jkoberg
---
 pkg/auth/manager/serviceaccounts/serviceaccounts.go | 3 +--
 pkg/utils/grpc.go | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/pkg/auth/manager/serviceaccounts/serviceaccounts.go b/pkg/auth/manager/serviceaccounts/serviceaccounts.go
index 48e16cf09db..22a615e0a4d 100644
--- a/pkg/auth/manager/serviceaccounts/serviceaccounts.go
+++ b/pkg/auth/manager/serviceaccounts/serviceaccounts.go
@@ -39,7 +39,6 @@ func (m *manager) Configure(config map[string]interface{}) error { // only inmem authenticator for now a := &inmemAuthenticator{make(map[string]string)} for _, s := range c.ServiceUsers { - // TODO: hash secrets a.m[s.ID] = s.Secret } m.authenticate = a.Authenticate
@@ -71,6 +70,7 @@ func (m *manager) Authenticate(ctx context.Context, userID string, secret string Id: &userpb.UserId{ OpaqueId: userID, Type: userpb.UserType_USER_TYPE_SERVICE, + Idp: "none", }, }, scope, nil }
@@ -80,7 +80,6 @@ type inmemAuthenticator struct { } func (a *inmemAuthenticator) Authenticate(userID string, secret string) error { - // TODO: hash secrets if a.m[userID] == secret { return nil }
diff --git a/pkg/utils/grpc.go b/pkg/utils/grpc.go
index 06ce9753f8f..90547443fa2 100644
--- a/pkg/utils/grpc.go
+++ b/pkg/utils/grpc.go
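Review bot: The `// TODO: hash secrets` comment is deleted from the Configure loop, but `a.m[s.ID] = s.Secret` still stores every configured secret in plaintext, so the gap is now undocumented rather than closed; if hashing stays out of scope, keep a pointer at the assignment such as `// secrets are held in plaintext in memory and compared verbatim`. The loop also accepts an empty `s.ID` or `s.Secret` and silently overwrites duplicate IDs; an empty configured secret is matched by an empty client secret in the later comparison, so reject it at load time, e.g. `if s.ID == "" || s.Secret == "" { return fmt.Errorf("service user %q: id and secret must not be empty", s.ID) }` before the assignment, with a similar `if _, dup := a.m[s.ID]; dup` check for duplicates (assuming `fmt` or `errors` is already imported in this file). Configure starts before and continues after this hunk, so I cannot see whether `c` is validated upstream.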
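Review bot: `if a.m[userID] == secret` in inmemAuthenticator.Authenticate yields the map's zero value `""` for an unknown userID, so a request whose secret is empty authenticates as any service-account ID, configured or not, if an empty ClientSecret reaches this point from the gateway; the lookup needs a presence check, `stored, ok := a.m[userID]` followed by `if ok && subtle.ConstantTimeCompare([]byte(stored), []byte(secret)) == 1 {` (import `crypto/subtle`). ConstantTimeCompare also replaces the `==` string comparison, which exits on the first differing byte and so leaks how much of a guessed secret is correct; it still returns early on a length mismatch, which reveals only the secret's length. Removing the `// TODO: hash secrets` line here leaves the plaintext comparison without any record of that decision, so either keep the TODO or note why plaintext is acceptable. The function body continues past the end of this hunk.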
@@ -24,8 +24,8 @@ func GetUser(userID *user.UserId, gwc gateway.GatewayAPIClient) (*user.User, err return getUserResponse.GetUser(), nil } -// ImpersonateServiceUser impersonates the given user -func ImpersonateServiceUser(serviceUserID string, gwc gateway.GatewayAPIClient, serviceUserSecret string) (context.Context, error) { +// GetServiceUserContext returns an authenticated context of the given service user +func GetServiceUserContext(serviceUserID string, gwc gateway.GatewayAPIClient, serviceUserSecret string) (context.Context, error) { ctx := context.Background() authRes, err := gwc.Authenticate(ctx, &gateway.AuthenticateRequest{ Type: "serviceaccounts",
@@ -36,7 +36,7 @@ func ImpersonateServiceUser(serviceUserID string, gwc gateway.GatewayAPIClient, return nil, err } if authRes.GetStatus().GetCode() != rpc.Code_CODE_OK { - return nil, fmt.Errorf("error impersonating user: %s", authRes.Status.Message) + return nil, fmt.Errorf("error authenticating service user: %s", authRes.Status.Message) } return metadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, authRes.Token), nil
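Review bot: `ctx := context.Background()` gives the `gwc.Authenticate` call in GetServiceUserContext no deadline, so a stalled gateway blocks the caller indefinitely; derive a bounded context for that call only, since the returned context must stay uncancelled for callers to attach to later requests, e.g. `authCtx, cancel := context.WithTimeout(ctx, 10*time.Second)`, `defer cancel()`, and pass `authCtx` to `gwc.Authenticate` (needs `time`; the value is a placeholder for whatever the surrounding callers use). The new doc comment could also state what the result carries, e.g. `// GetServiceUserContext authenticates the service user against the gateway and returns a background context carrying the resulting token as outgoing gRPC metadata.` The function body continues past the end of this hunk.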
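Review bot: The rewritten error line reads `authRes.Status.Message` by direct field access while the guard just above it uses the nil-safe `authRes.GetStatus().GetCode()`; if `Status` is ever nil the guard presumably trips (a nil status does not read as CODE_OK) and the next line dereferences nil. Use the getter for consistency, `return nil, fmt.Errorf("error authenticating service user: %s", authRes.GetStatus().GetMessage())`, and consider appending the code, e.g. `%s (%s)` with `authRes.GetStatus().GetCode()`, so callers can tell a rejected secret from an unavailable backend. The function's closing brace lies just past this hunk.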