Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add (optional) claim parameter to machine auth #2176

Merged
merged 4 commits into from
Oct 18, 2021
Merged

Add (optional) claim parameter to machine auth #2176

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
15f6b3c
Add (optional) claim parameter to machine auth
gmgigi96 Oct 14, 2021
d9ff893
Add changelog
gmgigi96 Oct 14, 2021
bf15705
Fixes for the review
gmgigi96 Oct 15, 2021
526f293
Add other claims
gmgigi96 Oct 15, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions changelog/unreleased/machine-auth-claim.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
Enhancement: Add optional claim parameter to machine auth

https://github.com/cs3org/reva/issues/2171
https://github.com/cs3org/reva/pull/2176
35 changes: 30 additions & 5 deletions pkg/auth/manager/machine/machine.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,10 @@ package machine

import (
"context"
"strings"

authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
"github.com/cs3org/reva/pkg/auth"
"github.com/cs3org/reva/pkg/auth/manager/registry"
Expand All @@ -37,6 +38,9 @@ import (
// To impersonate the given user it's only needed an api-key, saved
// in a config file.

// supported claims
var claims = []string{"mail", "uid", "username"}
gmgigi96 marked this conversation as resolved.
Show resolved Hide resolved

type manager struct {
APIKey string `mapstructure:"api_key"`
GatewayAddr string `mapstructure:"gateway_addr"`
Expand Down Expand Up @@ -66,7 +70,7 @@ func New(conf map[string]interface{}) (auth.Manager, error) {
}

// Authenticate impersonate an user if the provided secret is equal to the api-key
func (m *manager) Authenticate(ctx context.Context, username, secret string) (*user.User, map[string]*authpb.Scope, error) {
func (m *manager) Authenticate(ctx context.Context, user, secret string) (*userpb.User, map[string]*authpb.Scope, error) {
if m.APIKey != secret {
return nil, nil, errtypes.InvalidCredentials("")
}
Expand All @@ -76,9 +80,13 @@ func (m *manager) Authenticate(ctx context.Context, username, secret string) (*u
return nil, nil, err
}

userResponse, err := gtw.GetUserByClaim(ctx, &user.GetUserByClaimRequest{
Claim: "username",
Value: username,
// username could be either a normal username or a string <claim>:<value>
// in the first case the claim is "username"
claim, value := parseUser(user)

userResponse, err := gtw.GetUserByClaim(ctx, &userpb.GetUserByClaimRequest{
Claim: claim,
Value: value,
})

switch {
Expand All @@ -98,3 +106,20 @@ func (m *manager) Authenticate(ctx context.Context, username, secret string) (*u
return userResponse.GetUser(), scope, nil

}

func contains(lst []string, s string) bool {
for _, e := range lst {
if e == s {
return true
}
}
return false
}

func parseUser(user string) (string, string) {
gmgigi96 marked this conversation as resolved.
Show resolved Hide resolved
s := strings.SplitN(user, ":", 2)
if len(s) == 2 && contains(claims, s[0]) {
return s[0], s[1]
}
return "username", user
}