From fba174641b152fde2b75efa2ea979a2544098820 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Tue, 11 Aug 2020 10:23:46 +0200
Subject: [PATCH 1/3] lookup user by id as well
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörn Friedrich Dreyer
---
 pkg/middleware/account_uuid.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/middleware/account_uuid.go b/pkg/middleware/account_uuid.go
index 6639ad7..74d453e 100644
--- a/pkg/middleware/account_uuid.go
+++ b/pkg/middleware/account_uuid.go
@@ -112,7 +112,8 @@ func AccountUUID(opts ...Option) func(next http.Handler) http.Handler {
 if claims.Email != "" {
 account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("mail eq '%s'", strings.ReplaceAll(claims.Email, "'", "''")))
 } else if claims.PreferredUsername != "" {
- account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("preferred_name eq '%s'", strings.ReplaceAll(claims.PreferredUsername, "'", "''")))
+ usernameOrID := strings.ReplaceAll(claims.PreferredUsername, "'", "''")
+ account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("preferred_name eq '%s' or id eq '%s'", usernameOrID, usernameOrID))
 } else {
 // TODO allow lookup by custom claim, eg an id ... or sub
 l.Error().Err(err).Msgf("Could not lookup account, no mail or preferred_username claim set")
From 3e29ee9fa252412764347652b784d1c7904f8b42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Tue, 11 Aug 2020 13:31:47 +0200
Subject: [PATCH 2/3] properly distinguish userid from username
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörn Friedrich Dreyer
---
 go.mod | 2 +-
 go.sum | 2 ++
 pkg/middleware/account_uuid.go | 5 +++--
 pkg/middleware/presigned_url.go | 2 +-
 4 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/go.mod b/go.mod
index 7791122..c61cb27 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 github.com/openzipkin/zipkin-go v0.2.2
 github.com/owncloud/flaex v0.2.0
 github.com/owncloud/ocis-accounts v0.1.2-0.20200618163128-aa8ae58dd95e
- github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200527082518-5641fa4a4c8c
+ github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200811112628-2151a60cc204
 github.com/owncloud/ocis-store v0.0.0-20200716140351-f9670592fb7b
 github.com/prometheus/client_golang v1.7.0
 github.com/restic/calens v0.2.0
diff --git a/go.sum b/go.sum
index 0e414f2..a9edc2b 100644
--- a/go.sum
+++ b/go.sum
@@ -748,6 +748,8 @@ github.com/owncloud/ocis-pkg/v2 v2.2.1 h1:LK7WxHYugEFQ9NHTOz0EP8DRjbt51wXhyqruV0
 github.com/owncloud/ocis-pkg/v2 v2.2.1/go.mod h1:MXv7QzsYsu4YWuyJxhq1kLLmJa/r5gbqHe1FXulMHaw=
 github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200527082518-5641fa4a4c8c h1:hYhKSfMkPO4kRLrKqRHPmePGTCpGDGji+s4yW30+tmM=
 github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200527082518-5641fa4a4c8c/go.mod h1:s894msGwDsULmsROHkbsXFCP/eSqDcteDFUntZOiJdc=
+github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200811112628-2151a60cc204 h1:q0/LzJr+G/BX8nRUVsnUBbEE1vMybuOyQesz57QW3F4=
+github.com/owncloud/ocis-pkg/v2 v2.2.2-0.20200811112628-2151a60cc204/go.mod h1:s894msGwDsULmsROHkbsXFCP/eSqDcteDFUntZOiJdc=
 github.com/owncloud/ocis-settings v0.0.0-20200522101320-46ea31026363/go.mod h1:/h0ceztOoFc3KAnm8nqZI4zwsaaZK9q4MTgtintwsXc=
 github.com/owncloud/ocis-settings v0.0.0-20200629120229-69693c5f8f43/go.mod h1:AeXZVHKEU+9Xt4+/lkHE5rx+sJH2if9dIrUGLhe+JOY=
 github.com/owncloud/ocis-store v0.0.0-20200716140351-f9670592fb7b h1:tjfH02oEawuMdMt3pJdCjFyuWgNRUjV7rdjoTF56Mrw=
diff --git a/pkg/middleware/account_uuid.go b/pkg/middleware/account_uuid.go
index 74d453e..620731e 100644
--- a/pkg/middleware/account_uuid.go
+++ b/pkg/middleware/account_uuid.go
@@ -112,8 +112,9 @@ func AccountUUID(opts ...Option) func(next http.Handler) http.Handler {
 if claims.Email != "" {
 account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("mail eq '%s'", strings.ReplaceAll(claims.Email, "'", "''")))
 } else if claims.PreferredUsername != "" {
- usernameOrID := strings.ReplaceAll(claims.PreferredUsername, "'", "''")
- account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("preferred_name eq '%s' or id eq '%s'", usernameOrID, usernameOrID))
+ account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("preferred_name eq '%s'", strings.ReplaceAll(claims.PreferredUsername, "'", "''")))
+ } else if claims.OcisID != "" {
+ account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("id eq '%s'", strings.ReplaceAll(claims.OcisID, "'", "''")))
 } else {
 // TODO allow lookup by custom claim, eg an id ... or sub
 l.Error().Err(err).Msgf("Could not lookup account, no mail or preferred_username claim set")
diff --git a/pkg/middleware/presigned_url.go b/pkg/middleware/presigned_url.go
index 74b6296..a6d328e 100644
--- a/pkg/middleware/presigned_url.go
+++ b/pkg/middleware/presigned_url.go
@@ -25,7 +25,7 @@ func PresignedURL(opts ...Option) func(next http.Handler) http.Handler {
 if signedRequestIsValid(l, r, opt.Store) {
 // use openid claims to let the account_uuid middleware do a lookup by username
 claims := ocisoidc.StandardClaims{
- PreferredUsername: r.URL.Query().Get("OC-Credential"),
+ OcisID: r.URL.Query().Get("OC-Credential"),
 }

 // inject claims to the request context for the account_uuid middleware
From 6e590a051fb6f85d10b61fc2194b033b961aec90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Tue, 11 Aug 2020 16:18:37 +0200
Subject: [PATCH 3/3] add changelog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
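Review bot: The new `claims.OcisID` branch builds the accounts filter from a value that, on the presigned-URL path, comes straight from the `OC-Credential` query parameter, and the only sanitisation applied is doubling single quotes. Since this value is meant to be an account id, it would be safer to reject anything that does not look like one before it reaches the filter string — validate it against the id format the accounts service uses (presumably a UUID; confirm) and fall through to the error branch otherwise — rather than relying on quote-escaping alone against a query language whose full metacharacter set is not visible here. The `else` branch's log message is now stale and should list the new claim: `l.Error().Err(err).Msgf("Could not lookup account, no mail, preferred_username or ocisid claim set")`. Note also the lookup order: the id claim is only consulted when neither email nor preferred_username is set, so on the OIDC path a provider that sends all three still resolves by the mutable email rather than the stable id; whether that precedence is intended deserves a comment on the chain. AccountUUID's body starts and ends outside this hunk.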
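Review bot: The comment above the struct literal still says the lookup is `by username`, but the field now populated is `OcisID`, so it should read `// use openid claims to let the account_uuid middleware do a lookup by user id`. Whether `OC-Credential` is part of the material that `signedRequestIsValid` verifies is not visible in this hunk; if it is not, the holder of one valid presigned URL could substitute another account's id and be resolved as that account, so that property is worth confirming and stating in the comment. PresignedURL's body continues outside the hunk.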
Signed-off-by: Jörn Friedrich Dreyer
---
 changelog/unreleased/presigned-url-lookup-fix.md | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 changelog/unreleased/presigned-url-lookup-fix.md
diff --git a/changelog/unreleased/presigned-url-lookup-fix.md b/changelog/unreleased/presigned-url-lookup-fix.md
new file mode 100644
index 0000000..01b24ed
--- /dev/null
+++ b/changelog/unreleased/presigned-url-lookup-fix.md
@@ -0,0 +1,7 @@
+Bugfix: Lookup user by id for presigned URLs
+
+Phoenix will send the `userid`, not the `username` as the `OC-Credential` for presigned URLs. This PR uses the new `ocisid` claim in the OIDC userinfo to pass the userid to the account middleware.
+
+https://github.com/owncloud/ocis-proxy/pull/85
+https://github.com/owncloud/ocis-pkg/pull/50
+https://github.com/owncloud/ocis/issues/436