From fcf25b06cea8f2f68cd00f2af8345ba3e0d67c01 Mon Sep 17 00:00:00 2001
From: Ishank Arora
Date: Tue, 1 Jun 2021 12:04:58 +0200
Subject: [PATCH] Add user type resolution to GRAPPA
---
 examples/meshdirectory/users.demo.json | 9 ++-
 examples/oc-phoenix/users.demo.json | 9 ++-
 examples/ocm-partners/users-ailleron.json | 12 ++-
 examples/ocm-partners/users-cern.json | 12 ++-
 examples/ocm-partners/users-cesnet.json | 9 ++-
 examples/ocm-partners/users-cubbit.json | 9 ++-
 examples/ocm-partners/users-dtu.json | 73 +++++++++----------
 examples/ocm-partners/users-surfsara.json | 9 ++-
 examples/ocm-partners/users-switch.json | 12 ++-
 examples/ocm-partners/users-wwu.json | 9 ++-
 examples/ocmd/users.demo.json | 12 ++-
 examples/standalone/users.demo.json | 9 ++-
 examples/storage-references/users.demo.json | 9 ++-
 .../http/services/oidcprovider/userinfo.go | 1 +
 pkg/auth/manager/demo/demo.go | 3 +
 pkg/auth/manager/impersonator/impersonator.go | 2 +-
 pkg/auth/manager/ldap/ldap.go | 1 +
 pkg/auth/manager/oidc/oidc.go | 1 +
 pkg/cbox/user/rest/rest.go | 41 ++++++++++-
 19 files changed, 159 insertions(+), 83 deletions(-)
diff --git a/examples/meshdirectory/users.demo.json b/examples/meshdirectory/users.demo.json
index d13a252b9b0..12c784f7eb0 100644
--- a/examples/meshdirectory/users.demo.json
+++ b/examples/meshdirectory/users.demo.json
@@ -2,7 +2,8 @@
 {
 "id": {
 "opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
- "idp": "localhost:20080"
+ "idp": "localhost:20080",
+ "type": 1
 },
 "username": "einstein",
 "secret": "relativity",
@@ -13,7 +14,8 @@
 {
 "id": {
 "opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
- "idp": "localhost:20080"
+ "idp": "localhost:20080",
+ "type": 1
 },
 "username": "marie",
 "secret": "radioactivity",
@@ -24,7 +26,8 @@
 {
 "id": {
 "opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
- "idp": "localhost:20080"
+ "idp": "localhost:20080",
+ "type": 1
 },
 "username": "richard",
 "secret": "superfluidity",
diff --git a/examples/oc-phoenix/users.demo.json b/examples/oc-phoenix/users.demo.json
index d13a252b9b0..12c784f7eb0 100644
--- a/examples/oc-phoenix/users.demo.json
+++ b/examples/oc-phoenix/users.demo.json
@@ -2,7 +2,8 @@
 {
 "id": {
 "opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
- "idp": "localhost:20080"
+ "idp": "localhost:20080",
+ "type": 1
 },
 "username": "einstein",
 "secret": "relativity",
@@ -13,7 +14,8 @@
 {
 "id": {
 "opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
- "idp": "localhost:20080"
+ "idp": "localhost:20080",
+ "type": 1
 },
 "username": "marie",
 "secret": "radioactivity",
@@ -24,7 +26,8 @@
 {
 "id": {
 "opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
- "idp": "localhost:20080"
+ "idp": "localhost:20080",
+ "type": 1
 },
 "username": "richard",
 "secret": "superfluidity",
diff --git a/examples/ocm-partners/users-ailleron.json b/examples/ocm-partners/users-ailleron.json
index 13e47a36cac..274463f27cd 100644
--- a/examples/ocm-partners/users-ailleron.json
+++ b/examples/ocm-partners/users-ailleron.json
@@ -2,7 +2,8 @@
 {
 "id": {
 "opaque_id": "jarek1234",
- "idp": "softwaremind.com"
+ "idp": "softwaremind.com",
+ "type": 1
 },
 "username": "jarek",
 "secret": "jarekpass",
@@ -13,7 +14,8 @@
 {
 "id": {
 "opaque_id": "mateusz5678",
- "idp": "softwaremind.com"
+ "idp": "softwaremind.com",
+ "type": 1
 },
 "username": "mateusz",
 "secret": "mateuszpass",
@@ -24,7 +26,8 @@
 {
 "id": {
 "opaque_id": "dawid9876",
- "idp": "softwaremind.com"
+ "idp": "softwaremind.com",
+ "type": 1
 },
 "username": "dawid",
 "secret": "dawidpass",
@@ -35,7 +38,8 @@
 {
 "id": {
 "opaque_id": "test4242",
- "idp": "softwaremind.com"
+ "idp": "softwaremind.com",
+ "type": 1
 },
 "username": "test",
 "secret": "testpass",
diff --git a/examples/ocm-partners/users-cern.json b/examples/ocm-partners/users-cern.json
index 3b6d3abd511..381db07928c 100644
--- a/examples/ocm-partners/users-cern.json
+++ b/examples/ocm-partners/users-cern.json
@@ -2,7 +2,8 @@
 {
 "id": {
 "opaque_id": "ishank1234",
- "idp": "cern.ch"
+ "idp": "cern.ch",
+ "type": 1
 },
 "username": "ishank",
 "secret": "ishankpass",
@@ -13,7 +14,8 @@
 {
 "id": {
 "opaque_id": "hugo5678",
- "idp": "cern.ch"
+ "idp": "cern.ch",
+ "type": 1
 },
 "username": "hugo",
 "secret": "hugopass",
@@ -24,7 +26,8 @@
 {
 "id": {
 "opaque_id": "samuel9876",
- "idp": "cern.ch"
+ "idp": "cern.ch",
+ "type": 1
 },
 "username": "samuel",
 "secret": "samuelpass",
@@ -35,7 +38,8 @@
 {
 "id": {
 "opaque_id": "test4242",
- "idp": "cern.ch"
+ "idp": "cern.ch",
+ "type": 1
 },
 "username": "test",
 "secret": "testpass",
diff --git a/examples/ocm-partners/users-cesnet.json b/examples/ocm-partners/users-cesnet.json
index 308bccdcb2a..ecf238a0edf 100644
--- a/examples/ocm-partners/users-cesnet.json
+++ b/examples/ocm-partners/users-cesnet.json
@@ -2,7 +2,8 @@
 {
 "id": {
 "opaque_id": "miroslav1234",
- "idp": "cesnet.cz"
+ "idp": "cesnet.cz",
+ "type": 1
 },
 "username": "miroslav",
 "secret": "miroslavpass",
@@ -13,7 +14,8 @@
 {
 "id": {
 "opaque_id": "milan5678",
- "idp": "cesnet.cz"
+ "idp": "cesnet.cz",
+ "type": 1
 },
 "username": "milan",
 "secret": "milanpass",
@@ -24,7 +26,8 @@
 {
 "id": {
 "opaque_id": "test4242",
- "idp": "cesnet.cz"
+ "idp": "cesnet.cz",
+ "type": 1
 },
 "username": "test",
 "secret": "testpass",
diff --git a/examples/ocm-partners/users-cubbit.json b/examples/ocm-partners/users-cubbit.json
index 30004d1ae2f..c2c4fca84af 100644
--- a/examples/ocm-partners/users-cubbit.json
+++ b/examples/ocm-partners/users-cubbit.json
@@ -2,7 +2,8 @@
 {
 "id": {
 "opaque_id": "alessandro1234",
- "idp": "cubbit.io"
+ "idp": "cubbit.io",
+ "type": 1
 },
 "username": "alessandro",
 "secret": "alessandropass",
@@ -13,7 +14,8 @@
 {
 "id": {
 "opaque_id": "lorenzo5678",
- "idp": "cubbit.io"
+ "idp": "cubbit.io",
+ "type": 1
 },
 "username": "lorenzo",
 "secret": "lorenzopass",
@@ -24,7 +26,8 @@ { "id": { "opaque_id": "test4242", - "idp": "cubbit.io" + "idp": "cubbit.io", + "type": 1 }, "username": "test", "secret": "testpass", diff --git a/examples/ocm-partners/users-dtu.json b/examples/ocm-partners/users-dtu.json index c70f9f69d9a..543949edad2 100644 --- a/examples/ocm-partners/users-dtu.json +++ b/examples/ocm-partners/users-dtu.json @@ -1,43 +1,38 @@ [ - - { - - - "id": { - "opaque_id": "marina1234", - "idp": "dtu.dk" - - }, - "username": "marina", - "secret": "marinapass", - "mail": "marpap@dtu.dk", - "display_name": "Marina Papathanasiou", - "groups": ["sailing-lovers", "violin-haters", "physics-lovers"] + { + "id": { + "opaque_id": "marina1234", + "idp": "dtu.dk", + "type": 1 }, - { - "id": { - "opaque_id": "frederik7899", - "idp": "dtu.dk" - - }, - "username": "frederik", - "secret": "frederikpass", - "mail": "frederik.orellana@deic.dk", - "display_name": "Frederik Orellana", - "groups": ["radium-lovers", "polonium-lovers", "physics-lovers"] - - + "username": "marina", + "secret": "marinapass", + "mail": "marpap@dtu.dk", + "display_name": "Marina Papathanasiou", + "groups": ["sailing-lovers", "violin-haters", "physics-lovers"] + }, + { + "id": { + "opaque_id": "frederik7899", + "idp": "dtu.dk", + "type": 1 }, - { - "id": { - "opaque_id": "test3456", - "idp": "dtu.dk" - }, - "username": "test", - "secret": "testpass", - "mail": "test7@dtu.dk", - "display_name": "User_test", - "groups": ["test-lovers", "bug-haters", "ai-lovers"] - } - + "username": "frederik", + "secret": "frederikpass", + "mail": "frederik.orellana@deic.dk", + "display_name": "Frederik Orellana", + "groups": ["radium-lovers", "polonium-lovers", "physics-lovers"] + }, + { + "id": { + "opaque_id": "test3456", + "idp": "dtu.dk", + "type": 1 + }, + "username": "test", + "secret": "testpass", + "mail": "test7@dtu.dk", + "display_name": "User_test", + "groups": ["test-lovers", "bug-haters", "ai-lovers"] + } ] 
diff --git a/examples/ocm-partners/users-surfsara.json b/examples/ocm-partners/users-surfsara.json
index 0edb001fd6d..be00e7f8567 100644
--- a/examples/ocm-partners/users-surfsara.json
+++ b/examples/ocm-partners/users-surfsara.json
@@ -2,7 +2,8 @@
 {
 "id": {
 "opaque_id": "ron1234",
- "idp": "surfsara.nl"
+ "idp": "surfsara.nl",
+ "type": 1
 },
 "username": "ron",
 "secret": "ronpass",
@@ -13,7 +14,8 @@
 {
 "id": {
 "opaque_id": "antoon5678",
- "idp": "surfsara.nl"
+ "idp": "surfsara.nl",
+ "type": 1
 },
 "username": "antoon",
 "secret": "antoonpass",
@@ -24,7 +26,8 @@
 {
 "id": {
 "opaque_id": "test4242",
- "idp": "surfsara.nl"
+ "idp": "surfsara.nl",
+ "type": 1
 },
 "username": "test",
 "secret": "testpass",
diff --git a/examples/ocm-partners/users-switch.json b/examples/ocm-partners/users-switch.json
index b2c080b8288..76c65aeee29 100644
--- a/examples/ocm-partners/users-switch.json
+++ b/examples/ocm-partners/users-switch.json
@@ -2,7 +2,8 @@
 {
 "id": {
 "opaque_id": "kerins1234",
- "idp": "switch.ch"
+ "idp": "switch.ch",
+ "type": 1
 },
 "username": "kerins",
 "secret": "kerinspass",
@@ -13,7 +14,8 @@
 {
 "id": {
 "opaque_id": "furter5678",
- "idp": "switch.ch"
+ "idp": "switch.ch",
+ "type": 1
 },
 "username": "furter",
 "secret": "furterpass",
@@ -24,7 +26,8 @@
 {
 "id": {
 "opaque_id": "schmid9876",
- "idp": "switch.ch"
+ "idp": "switch.ch",
+ "type": 1
 },
 "username": "schmid",
 "secret": "schmidpass",
@@ -35,7 +38,8 @@
 {
 "id": {
 "opaque_id": "test4242",
- "idp": "switch.ch"
+ "idp": "switch.ch",
+ "type": 1
 },
 "username": "test",
 "secret": "testpass",
diff --git a/examples/ocm-partners/users-wwu.json b/examples/ocm-partners/users-wwu.json
index 5b73f88ee06..9e9373ba120 100644
--- a/examples/ocm-partners/users-wwu.json
+++ b/examples/ocm-partners/users-wwu.json
@@ -2,7 +2,8 @@
 {
 "id": {
 "opaque_id": "holger1234",
- "idp": "uni-muenster.de"
+ "idp": "uni-muenster.de",
+ "type": 1
 },
 "username": "holger",
 "secret": "holgerpass",
@@ -13,7 +14,8 @@
 {
 "id": {
 "opaque_id": "daniel5678",
- "idp": "uni-muenster.de"
+ "idp": "uni-muenster.de",
+ "type": 1
 },
 "username": "daniel",
 "secret": "danielpass",
@@ -24,7 +26,8 @@
 {
 "id": {
 "opaque_id": "test4242",
- "idp": "uni-muenster.de"
+ "idp": "uni-muenster.de",
+ "type": 1
 },
 "username": "test",
 "secret": "testpass",
diff --git a/examples/ocmd/users.demo.json b/examples/ocmd/users.demo.json
index 21479c1ec7c..e1b52cb8065 100644
--- a/examples/ocmd/users.demo.json
+++ b/examples/ocmd/users.demo.json
@@ -2,7 +2,8 @@
 {
 "id": {
 "opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
- "idp": "cernbox.cern.ch"
+ "idp": "cernbox.cern.ch",
+ "type": 1
 },
 "username": "einstein",
 "secret": "relativity",
@@ -27,7 +28,8 @@
 {
 "id": {
 "opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
- "idp": "cesnet.cz"
+ "idp": "cesnet.cz",
+ "type": 1
 },
 "username": "marie",
 "secret": "radioactivity",
@@ -52,7 +54,8 @@
 {
 "id": {
 "opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
- "idp": "example.org"
+ "idp": "example.org",
+ "type": 1
 },
 "username": "richard",
 "secret": "superfluidity",
@@ -77,7 +80,8 @@
 {
 "id": {
 "opaque_id": "932b4522-139b-4815-8ef4-42cdf82c3d51",
- "idp": "example.com"
+ "idp": "example.com",
+ "type": 1
 },
 "username": "test",
 "secret": "test",
diff --git a/examples/standalone/users.demo.json b/examples/standalone/users.demo.json
index d13a252b9b0..12c784f7eb0 100644
--- a/examples/standalone/users.demo.json
+++ b/examples/standalone/users.demo.json
@@ -2,7 +2,8 @@
 {
 "id": {
 "opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
- "idp": "localhost:20080"
+ "idp": "localhost:20080",
+ "type": 1
 },
 "username": "einstein",
 "secret": "relativity",
@@ -13,7 +14,8 @@
 {
 "id": {
 "opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
- "idp": "localhost:20080"
+ "idp": "localhost:20080",
+ "type": 1
 },
 "username": "marie",
 "secret": "radioactivity",
@@ -24,7 +26,8 @@
 {
 "id": {
 "opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
- "idp": "localhost:20080"
+ "idp": "localhost:20080",
+ "type": 1
 },
 "username": "richard",
 "secret": "superfluidity",
diff --git a/examples/storage-references/users.demo.json b/examples/storage-references/users.demo.json
index d13a252b9b0..12c784f7eb0 100644
--- a/examples/storage-references/users.demo.json
+++ b/examples/storage-references/users.demo.json
@@ -2,7 +2,8 @@
 {
 "id": {
 "opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
- "idp": "localhost:20080"
+ "idp": "localhost:20080",
+ "type": 1
 },
 "username": "einstein",
 "secret": "relativity",
@@ -13,7 +14,8 @@
 {
 "id": {
 "opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
- "idp": "localhost:20080"
+ "idp": "localhost:20080",
+ "type": 1
 },
 "username": "marie",
 "secret": "radioactivity",
@@ -24,7 +26,8 @@
 {
 "id": {
 "opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
- "idp": "localhost:20080"
+ "idp": "localhost:20080",
+ "type": 1
 },
 "username": "richard",
 "secret": "superfluidity",
diff --git a/internal/http/services/oidcprovider/userinfo.go b/internal/http/services/oidcprovider/userinfo.go
index 9fb47da0ecc..001b6200e15 100644
--- a/internal/http/services/oidcprovider/userinfo.go
+++ b/internal/http/services/oidcprovider/userinfo.go
@@ -80,6 +80,7 @@ func (s *svc) doUserinfo(w http.ResponseWriter, r *http.Request) {
 // can still resolve the user using the sidhistory attribute
 OpaqueId: sub,
 Idp: issuer,
+ Type: user.UserType_USER_TYPE_PRIMARY,
 }
 // Needs to be an authenticated request, for such reason we need to store the internal reva token
diff --git a/pkg/auth/manager/demo/demo.go b/pkg/auth/manager/demo/demo.go
index d6807d02862..1ae50dbdc03 100644
--- a/pkg/auth/manager/demo/demo.go
+++ b/pkg/auth/manager/demo/demo.go
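Review bot: The added `Type: user.UserType_USER_TYPE_PRIMARY` asserts the account type from the authentication path rather than resolving it, and the same hard-coded value is added in the demo.go, impersonator.go, ldap.go and oidc.go hunks of this commit, while rest.go in the same commit computes the type from the directory record and refuses APPLICATION and FEDERATED accounts on that basis, so the two sources can disagree about the same subject. Whether a later user lookup overwrites the field is not visible here; if it does not, a federated or lightweight subject that authenticates through one of these managers will carry a primary type downstream. Consider leaving Type unset until the user is resolved, or at least stating the assumption next to the field: `// Type is provisional: every subject is assumed to be a primary account here; the user lookup is the source of truth`. doUserinfo begins and ends outside the hunk.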
@@ -72,6 +72,7 @@ func getCredentials() map[string]Credentials {
 Id: &user.UserId{
 Idp: "http://localhost:9998",
 OpaqueId: "4c510ada-c86b-4815-8820-42cdf82c3d51",
+ Type: user.UserType_USER_TYPE_PRIMARY,
 },
 Username: "einstein",
 Groups: []string{"sailing-lovers", "violin-haters", "physics-lovers"},
@@ -85,6 +86,7 @@ func getCredentials() map[string]Credentials {
 Id: &user.UserId{
 Idp: "http://localhost:9998",
 OpaqueId: "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
+ Type: user.UserType_USER_TYPE_PRIMARY,
 },
 Username: "marie",
 Groups: []string{"radium-lovers", "polonium-lovers", "physics-lovers"},
@@ -98,6 +100,7 @@ func getCredentials() map[string]Credentials {
 Id: &user.UserId{
 Idp: "http://localhost:9998",
 OpaqueId: "932b4540-8d16-481e-8ef4-588e4b6b151c",
+ Type: user.UserType_USER_TYPE_PRIMARY,
 },
 Username: "richard",
 Groups: []string{"quantum-lovers", "philosophy-haters", "physics-lovers"},
diff --git a/pkg/auth/manager/impersonator/impersonator.go b/pkg/auth/manager/impersonator/impersonator.go
index 68bab32836c..26e73009305 100644
--- a/pkg/auth/manager/impersonator/impersonator.go
+++ b/pkg/auth/manager/impersonator/impersonator.go
@@ -43,7 +43,7 @@ func New(c map[string]interface{}) (auth.Manager, error) {
 func (m *mgr) Authenticate(ctx context.Context, clientID, clientSecret string) (*user.User, map[string]*authpb.Scope, error) {
 // allow passing in uid as @
 at := strings.LastIndex(clientID, "@")
- uid := &user.UserId{}
+ uid := &user.UserId{Type: user.UserType_USER_TYPE_PRIMARY}
 if at < 0 {
 uid.OpaqueId = clientID
 } else {
diff --git a/pkg/auth/manager/ldap/ldap.go b/pkg/auth/manager/ldap/ldap.go
index bc2ef623b89..234d47e279f 100644
--- a/pkg/auth/manager/ldap/ldap.go
+++ b/pkg/auth/manager/ldap/ldap.go
@@ -170,6 +170,7 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 userID := &user.UserId{
 Idp: am.c.Idp,
 OpaqueId: sr.Entries[0].GetEqualFoldAttributeValue(am.c.Schema.UID),
+ Type: user.UserType_USER_TYPE_PRIMARY,
 }
 gwc, err := pool.GetGatewayServiceClient(am.c.GatewaySvc)
 if err != nil {
diff --git a/pkg/auth/manager/oidc/oidc.go b/pkg/auth/manager/oidc/oidc.go
index 39c4a690e88..a2a545a5940 100644
--- a/pkg/auth/manager/oidc/oidc.go
+++ b/pkg/auth/manager/oidc/oidc.go
@@ -156,6 +156,7 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 userID := &user.UserId{
 OpaqueId: claims[am.c.IDClaim].(string), // a stable non reassignable id
 Idp: claims["issuer"].(string), // in the scope of this issuer
+ Type: user.UserType_USER_TYPE_PRIMARY,
 }
 gwc, err := pool.GetGatewayServiceClient(am.c.GatewaySvc)
 if err != nil {
diff --git a/pkg/cbox/user/rest/rest.go b/pkg/cbox/user/rest/rest.go
index a0a878c6a2f..f235ee12e04 100644
--- a/pkg/cbox/user/rest/rest.go
+++ b/pkg/cbox/user/rest/rest.go
@@ -137,9 +137,12 @@ func (m *manager) getUserByParam(ctx context.Context, param, val string) (map[st
 return nil, errors.New("rest: error in type assertion")
 }
- if userData["type"].(string) == "Application" || strings.HasPrefix(userData["upn"].(string), "guest") {
- return nil, errors.New("rest: guest and application accounts not supported")
+ t, _ := userData["type"].(string)
+ userType := getUserType(t, userData["upn"].(string))
+ if userType == userpb.UserType_USER_TYPE_APPLICATION || userType == userpb.UserType_USER_TYPE_FEDERATED {
+ return nil, errors.New("rest: federated and application accounts not supported")
 }
+
 return userData, nil
 }
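Review bot: `userData["upn"].(string)` on the new `userType := getUserType(...)` line in getUserByParam is still an unchecked type assertion and panics on a record without a string `upn`, even though the `type` lookup directly above it was just made tolerant with `t, _ :=`; write `upn, _ := userData["upn"].(string)` and pass `upn`, as the findUsersByFilter hunk already does. The rejection set also changes silently: records whose upn starts with `guest` were refused before and are now LIGHTWEIGHT and accepted, while a missing or unrecognized `type` maps to USER_TYPE_INVALID and is accepted too (and in findUsersByFilter is stored as the user's `Type`). If admitting lightweight accounts is intended, the INVALID case still looks like it deserves a guard, e.g. `|| userType == userpb.UserType_USER_TYPE_INVALID` in both conditions, or a log line so misclassified directory records are visible. getUserByParam begins before this hunk.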
@@ -266,17 +269,24 @@ func (m *manager) findUsersByFilter(ctx context.Context, url string, users map[s
 for _, usr := range userData {
 usrInfo, ok := usr.(map[string]interface{})
- if !ok || usrInfo["type"].(string) == "Application" || strings.HasPrefix(usrInfo["upn"].(string), "guest") {
+ if !ok {
 continue
 }
 upn, _ := usrInfo["upn"].(string)
 mail, _ := usrInfo["primaryAccountEmail"].(string)
 name, _ := usrInfo["displayName"].(string)
+ t, _ := usrInfo["type"].(string)
+
+ userType := getUserType(t, upn)
+ if userType == userpb.UserType_USER_TYPE_APPLICATION || userType == userpb.UserType_USER_TYPE_FEDERATED {
+ continue
+ }
 uid := &userpb.UserId{
 OpaqueId: upn,
 Idp: m.conf.IDProvider,
+ Type: userType,
 }
 users[uid.OpaqueId] = &userpb.User{
 Id: uid,
@@ -394,3 +404,28 @@ func extractUID(u *userpb.User) (string, error) {
 }
 return "", errors.New("rest: could not retrieve UID from user")
 }
+
+func getUserType(userType, upn string) userpb.UserType {
+ var t userpb.UserType
+ switch userType {
+ case "Application":
+ t = userpb.UserType_USER_TYPE_APPLICATION
+ case "Service":
+ t = userpb.UserType_USER_TYPE_SERVICE
+ case "Secondary":
+ t = userpb.UserType_USER_TYPE_SECONDARY
+ case "Person":
+ switch {
+ case strings.HasPrefix(upn, "guest"):
+ t = userpb.UserType_USER_TYPE_LIGHTWEIGHT
+ case strings.Contains(upn, "@"):
+ t = userpb.UserType_USER_TYPE_FEDERATED
+ default:
+ t = userpb.UserType_USER_TYPE_PRIMARY
+ }
+ default:
+ t = userpb.UserType_USER_TYPE_INVALID
+ }
+ return t
+
+}
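Review bot: `getUserType` is new and has no doc comment, yet its `Person` branch encodes two directory naming conventions (a `guest` prefix marks a lightweight account, an `@` in the upn marks a federated one, tested in that order so a guest with an email-style upn is lightweight) that nobody can infer from the enum names; add a comment above the function stating that the upn heuristics apply only to records typed `Person` and that any other or empty `type` string yields USER_TYPE_INVALID. The `var t` declared once and assigned in every case could be direct returns, e.g. `case "Application": return userpb.UserType_USER_TYPE_APPLICATION`, which removes the temporary and the trailing `return t`. The blank line before the closing brace is unnecessary.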