fix impersonated request user mismatch

owncloud · Nov 12, 2024 · d61d63b · d61d63b
1 parent 22d8025
commit d61d63b
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 5 deletions.
diff --git a/changelog/unreleased/fix-auth-app.md b/changelog/unreleased/fix-auth-app.md
@@ -0,0 +1,6 @@
+Bugfix: Fix impersonated request user mismatch
+
+We fixed a user id and name mismatch in the impersonated auth-app API request
+
+https://github.com/owncloud/ocis/pull/10548
+https://github.com/owncloud/ocis/issues/10292
diff --git a/services/auth-app/pkg/service/service.go b/services/auth-app/pkg/service/service.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"net/http"
 	"time"
 
@@ -25,6 +26,8 @@ import (
 	"google.golang.org/grpc/metadata"
 )
 
+var ErrBadRequest = errors.New("bad request")
+
 // AuthAppToken represents an app token.
 type AuthAppToken struct {
 	Token          string    `json:"token"`
@@ -97,8 +100,10 @@ func (a *AuthAppService) HandleCreate(w http.ResponseWriter, r *http.Request) {
 	}
 
 	label := "Generated via API"
-	cid := buildClientID(q.Get("userID"), q.Get("userName"))
-	if cid != "" {
+
+	// Impersonated request
+	userID, userName := q.Get("userID"), q.Get("userName")
+	if userID != "" || userName != "" {
 		if !a.cfg.AllowImpersonation {
 			sublog.Error().Msg("impersonation is not allowed")
 			http.Error(w, "impersonation is not allowed", http.StatusForbidden)
@@ -115,9 +120,13 @@ func (a *AuthAppService) HandleCreate(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusForbidden)
 			return
 		}
-		ctx, err = a.authenticateUser(cid, gwc)
+		ctx, err = a.authenticateUser(userID, userName, gwc)
 		if err != nil {
 			sublog.Error().Err(err).Msg("error authenticating user")
+			if errors.Is(err, ErrBadRequest) {
+				http.Error(w, err.Error(), http.StatusBadRequest)
+				return
+			}
 			w.WriteHeader(http.StatusInternalServerError)
 			return
 		}
@@ -241,11 +250,11 @@ func (a *AuthAppService) HandleDelete(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusOK)
 }
 
-func (a *AuthAppService) authenticateUser(clientID string, gwc gateway.GatewayAPIClient) (context.Context, error) {
+func (a *AuthAppService) authenticateUser(userID, userName string, gwc gateway.GatewayAPIClient) (context.Context, error) {
 	ctx := context.Background()
 	authRes, err := gwc.Authenticate(ctx, &gateway.AuthenticateRequest{
 		Type:         "machine",
-		ClientId:     clientID,
+		ClientId:     buildClientID(userID, userName),
 		ClientSecret: a.cfg.MachineAuthAPIKey,
 	})
 	if err != nil {
@@ -256,6 +265,10 @@ func (a *AuthAppService) authenticateUser(clientID string, gwc gateway.GatewayAP
 		return nil, errors.New("error authenticating user: " + authRes.GetStatus().GetMessage())
 	}
 
+	if (userID != "" && authRes.GetUser().GetId().GetOpaqueId() != userID) || (userName != "" && authRes.GetUser().GetUsername() != userName) {
+		return nil, fmt.Errorf("requested user does not match authenticated user: userID:%s, userName:%s, %w", authRes.GetUser().GetId().GetOpaqueId(), authRes.GetUser().GetUsername(), ErrBadRequest)
+	}
+
 	ctx = ctxpkg.ContextSetUser(ctx, &userpb.User{Id: authRes.GetUser().GetId()})
 	return metadata.AppendToOutgoingContext(ctx, ctxpkg.TokenHeader, authRes.GetToken()), nil
 }