Merge pull request #85 from owncloud/presigned-url-lookup-fix

lookup user by id as well
owncloud · Aug 11, 2020 · 99c1dba · 99c1dba
2 parents 9470b36 + 6e590a0
commit 99c1dba
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 2 deletions.
diff --git a/changelog/unreleased/presigned-url-lookup-fix.md b/changelog/unreleased/presigned-url-lookup-fix.md
@@ -0,0 +1,7 @@
+Bugfix: Lookup user by id for presigned URLs
+
+Phoenix will send the `userid`, not the `username` as the `OC-Credential` for presigned URLs. This PR uses the new `ocisid` claim in the OIDC userinfo to pass the userid to the account middleware.
+
+https://github.com/owncloud/ocis-proxy/pull/85
+https://github.com/owncloud/ocis-pkg/pull/50
+https://github.com/owncloud/ocis/issues/436
diff --git a/go.mod b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/openzipkin/zipkin-go v0.2.2
 	github.com/owncloud/flaex v0.2.0
 	github.com/owncloud/ocis-accounts v0.1.2-0.20200618163128-aa8ae58dd95e
-	github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200527082518-5641fa4a4c8c
+	github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200811112628-2151a60cc204
 	github.com/owncloud/ocis-store v0.0.0-20200716140351-f9670592fb7b
 	github.com/prometheus/client_golang v1.7.0
 	github.com/restic/calens v0.2.0

diff --git a/go.sum b/go.sum
@@ -748,6 +748,8 @@ github.com/owncloud/ocis-pkg/v2 v2.2.1 h1:LK7WxHYugEFQ9NHTOz0EP8DRjbt51wXhyqruV0
 github.com/owncloud/ocis-pkg/v2 v2.2.1/go.mod h1:MXv7QzsYsu4YWuyJxhq1kLLmJa/r5gbqHe1FXulMHaw=
 github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200527082518-5641fa4a4c8c h1:hYhKSfMkPO4kRLrKqRHPmePGTCpGDGji+s4yW30+tmM=
 github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200527082518-5641fa4a4c8c/go.mod h1:s894msGwDsULmsROHkbsXFCP/eSqDcteDFUntZOiJdc=
+github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200811112628-2151a60cc204 h1:q0/LzJr+G/BX8nRUVsnUBbEE1vMybuOyQesz57QW3F4=
+github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200811112628-2151a60cc204/go.mod h1:s894msGwDsULmsROHkbsXFCP/eSqDcteDFUntZOiJdc=
 github.com/owncloud/ocis-settings v0.0.0-20200522101320-46ea31026363/go.mod h1:/h0ceztOoFc3KAnm8nqZI4zwsaaZK9q4MTgtintwsXc=
 github.com/owncloud/ocis-settings v0.0.0-20200629120229-69693c5f8f43/go.mod h1:AeXZVHKEU+9Xt4+/lkHE5rx+sJH2if9dIrUGLhe+JOY=
 github.com/owncloud/ocis-store v0.0.0-20200716140351-f9670592fb7b h1:tjfH02oEawuMdMt3pJdCjFyuWgNRUjV7rdjoTF56Mrw=

diff --git a/pkg/middleware/account_uuid.go b/pkg/middleware/account_uuid.go
@@ -113,6 +113,8 @@ func AccountUUID(opts ...Option) func(next http.Handler) http.Handler {
 				account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("mail eq '%s'", strings.ReplaceAll(claims.Email, "'", "''")))
 			} else if claims.PreferredUsername != "" {
 				account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("preferred_name eq '%s'", strings.ReplaceAll(claims.PreferredUsername, "'", "''")))
+			} else if claims.OcisID != "" {
+				account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("id eq '%s'", strings.ReplaceAll(claims.OcisID, "'", "''")))
 			} else {
 				// TODO allow lookup by custom claim, eg an id ... or sub
 				l.Error().Err(err).Msgf("Could not lookup account, no mail or preferred_username claim set")

diff --git a/pkg/middleware/presigned_url.go b/pkg/middleware/presigned_url.go
@@ -25,7 +25,7 @@ func PresignedURL(opts ...Option) func(next http.Handler) http.Handler {
 				if signedRequestIsValid(l, r, opt.Store) {
 					// use openid claims to let the account_uuid middleware do a lookup by username
 					claims := ocisoidc.StandardClaims{
-						PreferredUsername: r.URL.Query().Get("OC-Credential"),
+						OcisID: r.URL.Query().Get("OC-Credential"),
 					}
 
 					// inject claims to the request context for the account_uuid middleware