Skip account-service by talking to CS3 user-api #1020

IljaN · 2020-12-04T01:05:32Z

Hides user and auth related communication behind a facade (provider/user.go) to minimize logic-duplication across middlewares. Allows to switich the account backend from accounts to cs3.

PROXY_ACCOUNT_BACKEND_TYPE=cs3
PROXY_ACCOUNT_BACKEND_TYPE=accounts

Setup for cs3

mkdir -p  ~/ldapserver/bootscheama

Create file ~/ldapserver/bootschema/owncloud.lidif

#
# SOURCE:
# https://github.com/valerytschopp/owncloud-ldap-schema
#
# WARNING: the spaces ' ' in the definitions are very important!!!

dn: cn=owncloud,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: owncloud
olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.1 NAME 'ownCloudQuota' DESC 'User Quota (e.g. 2 GB)' EQUALITY caseExactMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.2 NAME 'ownCloudUUID' DESC 'A non-reassignable and persistent account ID)' EQUALITY uuidMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.1.16.1 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.39430.1.2.1 NAME 'ownCloud' DESC 'ownCloud LDAP Schema' AUXILIARY MAY ( ownCloudQuota $ ownCloudUUID ) )

Create file ~/ldapserver/bootschema/users.ldif

n: ou=users,dc=owncloud,dc=com
objectClass: organizationalUnit
ou: users

dn: cn=einstein,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ownCloud
objectClass: person
objectClass: top
cn: einstein
givenName: Albert
sn: Einstein
displayName: Albert Einstein
mail: einstein@example.org
ownCloudUUID:: NGM1MTBhZGEtYzg2Yi00ODE1LTg4MjAtNDJjZGY4MmMzZDUx
uid: einstein
userPassword:: e1NTSEF9TXJEcXpFNGdKbXZxbVRVTGhvWEZ1VzJBbkV3NWFLK3J3WTIvbHc9PQ==

dn: cn=marie,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ownCloud
objectClass: person
objectClass: top
cn: marie
givenName: Marie
sn: Curie
displayName: Marie Curie
mail: marie@example.org
ownCloudUUID:: ZjdmYmY4YzgtMTM5Yi00Mzc2LWIzMDctY2YwYThjMmQwZDlj
uid: marie
userPassword:: e1NTSEF9UmFvQWs3TU9jRHBIUWY3bXN3MGhHNnVraFZQWnRIRlhOSUNNZEE9PQ==

dn: cn=richard,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ownCloud
objectClass: person
objectClass: top
cn: richard
givenName: Richard
sn: Feynman
displayName: Richard Feynman
mail: richard@example.org
ownCloudUUID:: ZjdmYmY4YzgtMTM5Yi00Mzc2LWIzMDctY2YwYThjMmQwZDlj
uid: richard
userPassword:: e1NTSEF9Z05LZTRreHdmOGRUREY5eHlhSmpySTZ3MGxSVUM1d1RGcWROTVE9PQ==

Start ldap-server:

cd ~/ldapserver

 docker run --rm --hostname localhost  \
 -e LDAP_TLS_VERIFY_CLIENT=never \                     
 -e LDAP_DOMAIN=owncloud.com \                     
 -e LDAP_ORGANISATION=ownCloud \                     
 -e LDAP_ADMIN_PASSWORD=admin \                      
 --name docker-slapd \                     
 -p 127.0.0.1:389:389 \                    
 -p 636:636 \                      
 -v ${PWD}/bootschema:/bootschema osixia/openldap --loglevel debug

Modify schema and create test-users (einstein + marie)

docker exec docker-slapd ldapadd -Y EXTERNAL -H ldapi:/// -f /bootschema/owncloud.ldif
docker exec docker-slapd ldapadd -Y EXTERNAL -H ldapi:/// -f /bootschema/users.ldif

Start ocis:

PROXY_ACCOUNT_BACKEND_TYPE=cs3 \
LDAP_FILTER="(objectClass=owncloud)" \ 
LDAP_URI=ldap://localhost:389 \ 
LDAP_BINDDN="cn=admin,dc=owncloud,dc=com" LDAP_BINDPW=admin \
LDAP_BASEDN="dc=owncloud,dc=com" \ 
STORAGE_LDAP_HOSTNAME=localhost STORAGE_LDAP_PORT=636 STORAGE_LDAP_BASE_DN="dc=owncloud,dc=com" \
STORAGE_LDAP_BIND_DN="cn=admin,dc=owncloud,dc=com" \ 
STORAGE_LDAP_BIND_PASSWORD=admin \ 
STORAGE_LDAP_LOGINFILTER='(&(objectclass=owncloud)(|(cn={{login}})(mail={{login}})))' \
STORAGE_LDAP_USERFILTER='(&(objectclass=owncloud)(|(ownclouduuid={{.OpaqueId}})(cn={{.OpaqueId}})))' STORAGE_LDAP_ATTRIBUTEFILTER='(&(objectclass=owncloud)({{attr}}={{value}}))' \
STORAGE_LDAP_FINDFILTER='(&(objectclass=owncloud)(|(cn={{query}}*)(displayname={{query}}*)(mail={{query}}*)))' STORAGE_LDAP_GROUPFILTER='(objectclass=*)' go run cmd/ocis/main.go server

TODO:

Clean the dirt
Better naming for "provider"
Adjust tests
Test in CI?

update-docs · 2020-12-04T01:05:35Z

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

butonic · 2020-12-07T09:38:19Z

@IljaN I read up on how to provision osixia/openldap:
Put all the ldif files in a folder, eg. ldif, then use a volume to mount it to a location that is read when bootstrapping the server. Use --copy-service to keep the config, because the bootup procedure will remove the files. Ther run with:

docker run --rm --hostname localhost -e LDAP_TLS_VERIFY_CLIENT=never -e LDAP_DOMAIN=owncloud.com -e LDAP_ORGANISATION=ownCloud -e LDAP_ADMIN_PASSWORD=admin --name docker-slapd -p 127.0.0.1:389:389 -p 636:636 -v ${PWD}/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom osixia/openldap --copy-service --loglevel debug

I'm also using an updated users.ldif file with an additional ou=users, richard and their well known passwords:

dn: ou=users,dc=owncloud,dc=com
objectClass: organizationalUnit
ou: users

dn: cn=einstein,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ownCloud
objectClass: person
objectClass: top
cn: einstein
givenName: Albert
sn: Einstein
displayName: Albert Einstein
mail: einstein@example.org
ownCloudUUID:: NGM1MTBhZGEtYzg2Yi00ODE1LTg4MjAtNDJjZGY4MmMzZDUx
uid: einstein
userPassword:: e1NTSEF9TXJEcXpFNGdKbXZxbVRVTGhvWEZ1VzJBbkV3NWFLK3J3WTIvbHc9PQ==

dn: cn=marie,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ownCloud
objectClass: person
objectClass: top
cn: marie
givenName: Marie
sn: Curie
displayName: Marie Curie
mail: marie@example.org
ownCloudUUID:: ZjdmYmY4YzgtMTM5Yi00Mzc2LWIzMDctY2YwYThjMmQwZDlj
uid: marie
userPassword:: e1NTSEF9UmFvQWs3TU9jRHBIUWY3bXN3MGhHNnVraFZQWnRIRlhOSUNNZEE9PQ==

dn: cn=richard,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ownCloud
objectClass: person
objectClass: top
cn: richard
givenName: Richard
sn: Feynman
displayName: Richard Feynman
mail: richard@example.org
ownCloudUUID:: ZjdmYmY4YzgtMTM5Yi00Mzc2LWIzMDctY2YwYThjMmQwZDlj
uid: richard
userPassword:: e1NTSEF9Z05LZTRreHdmOGRUREY5eHlhSmpySTZ3MGxSVUM1d1RGcWROTVE9PQ==

add groups

Maybe we should add the test users from the acceptance tests? IIRC they have an ldif somewhere...

refs · 2020-12-07T13:11:08Z

proxy/pkg/config/config.go

@@ -115,6 +115,7 @@ type Config struct {
 	PolicySelector        *PolicySelector `mapstructure:"policy_selector"`
 	Reva                  Reva
 	PreSignedURL          PreSignedURL
+	AccountBackendType    string


I'd rename this to AccountBackend

proxy/pkg/command/server.go

proxy/pkg/middleware/_account_resolver.go

proxy/pkg/provider/user.go

IljaN · 2020-12-07T15:32:52Z

One NPE to go: https://drone.owncloud.com/owncloud/ocis/2047/25/4

IljaN · 2020-12-07T16:37:13Z

NPE Fixed

labkode · 2020-12-07T18:58:18Z

This looks promising

butonic · 2020-12-07T23:16:18Z

cool! enabling / disabling users is not implemented in the reva ocs implementation ... but we are directing all ocs requests to reva, right?

proxy/pkg/proxy/proxy.go

butonic · 2020-12-07T23:24:00Z

cool! enabling / disabling users is not implemented in the reva ocs implementation ... hm the error is Could not get user by claim in the proxy:

2020-12-07T16:22:31Z WRN http end="07/Dec/2020:16:22:31 +0000" host=127.0.0.1 method=GET pkg=rhttp proto=HTTP/1.1 service=storage size=0 start="07/Dec/2020:16:22:31 +0000" status=404 time_ns=146483 traceid=e1011d577d20932fab54f944d1ab6063 uri=/data/index.cs3/unique.github.com.owncloud.ocis.accounts.pkg.proto.v0.Account.PreferredName/alice url=/data/index.cs3/unique.github.com.owncloud.ocis.accounts.pkg.proto.v0.Account.PreferredName/alice | 399s
-- | --
6724 | 2020-12-07T16:22:31Z WRN http end="07/Dec/2020:16:22:31 +0000" host=127.0.0.1 method=GET pkg=rhttp proto=HTTP/1.1 service=storage size=0 start="07/Dec/2020:16:22:31 +0000" status=404 time_ns=111899 traceid=7a5d2d0d2bff181855fe213a8955ebfd uri=/data/index.cs3/autoincrement.github.com.owncloud.ocis.accounts.pkg.proto.v0.Account.UidNumber/20005 url=/data/index.cs3/autoincrement.github.com.owncloud.ocis.accounts.pkg.proto.v0.Account.UidNumber/20005 | 399s
6725 | 2020-12-07T16:22:31Z ERR Could not get user by claim service=proxy | 399s
6726 | 2020-12-07T16:22:31Z ERR Could not get user by claim service=proxy | 399s
6727 | 2020-12-07T16:22:31Z WRN http end="07/Dec/2020:16:22:31 +0000" host=127.0.0.1 method=GET pkg=rhttp proto=HTTP/1.1 service=storage size=0 start="07/Dec/2020:16:22:31 +0000" status=404 time_ns=193972 traceid=7330700ede396afe028359c42242b1bb uri=/data/index.cs3/unique.github.com.owncloud.ocis.accounts.pkg.proto.v0.Account.OnPremisesSamAccountName/alice url=/data/index.cs3/unique.github.com.owncloud.ocis.accounts.pkg.proto.v0.Account.OnPremisesSamAccountName/alice | 399s
6728 | 2020-12-07T16:22:31Z ERR could not get account for user error="{\"code\":404,\"detail\":\"The requested user could not be found\",\"status\":\"Not Found\"}" service=ocs userid=Alice

butonic · 2020-12-07T23:30:13Z

https://github.com/owncloud/ocis/pull/1020/files#diff-623d75273ecaa16479d6e4250fc36a6a015841b8e569bd5c2dedd7af30c0c19cL93
vs
https://github.com/owncloud/ocis/pull/1020/files#diff-9211adff30e1e173f5b4948a07b267750e39e6ceb055975e4c79d52d699abaceR148

@IljaN found your TODO ;-)

butonic · 2020-12-08T15:27:14Z

I updated the ldif files to use the RFC2307bis schema, which - while already a deprecated standard, is also used by PAM_LDAP and supported by many ldap server implementations, including AD.

ocis/config/ldap/10_owncloud_schema.ldif

# This LDIF files describes the ownCloud schema and can be used to
# add two optional attributes: ownCloudQuota and ownCloudUUID
# The ownCloudUUID is used to store a unique, non-reassignable, persistent identifier for users and groups
dn: cn=owncloud,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: owncloud
olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.1 NAME 'ownCloudQuota' DESC 'User Quota (e.g. 2 GB)' EQUALITY caseExactMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.2 NAME 'ownCloudUUID' DESC 'A non-reassignable and persistent account ID)' EQUALITY uuidMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.1.16.1 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.39430.1.2.1 NAME 'ownCloud' DESC 'ownCloud LDAP Schema' AUXILIARY MAY ( ownCloudQuota $ ownCloudUUID ) )

ocis/config/ldap/20_users.ldif

dn: ou=users,dc=owncloud,dc=com
objectClass: organizationalUnit
ou: users

# Start dn with uid (user identifier / login), not cn (Firstname + Surname)
dn: uid=einstein,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ownCloud
objectClass: person
objectClass: posixAccount
objectClass: top
uid: einstein
givenName: Albert
sn: Einstein
cn: Albert Einstein
displayName: Albert Einstein
description: A German-born theoretical physicist who developed the theory of relativity, one of the two pillars of modern physics (alongside quantum mechanics).
mail: einstein@example.org
uidNumber: 20000
gidNumber: 30000
homeDirectory: /home/einstein
ownCloudUUID:: NGM1MTBhZGEtYzg2Yi00ODE1LTg4MjAtNDJjZGY4MmMzZDUx
userPassword:: e1NTSEF9TXJEcXpFNGdKbXZxbVRVTGhvWEZ1VzJBbkV3NWFLK3J3WTIvbHc9PQ==

dn: uid=marie,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ownCloud
objectClass: person
objectClass: posixAccount
objectClass: top
uid: marie
givenName: Marie
sn: Curie
cn: Marie Curie
displayName: Marie Skłodowska Curie
description: A Polish and naturalized-French physicist and chemist who conducted pioneering research on radioactivity.
mail: marie@example.org
uidNumber: 20001
gidNumber: 30000
homeDirectory: /home/marie
ownCloudUUID:: ZjdmYmY4YzgtMTM5Yi00Mzc2LWIzMDctY2YwYThjMmQwZDlj
userPassword:: e1NTSEF9UmFvQWs3TU9jRHBIUWY3bXN3MGhHNnVraFZQWnRIRlhOSUNNZEE9PQ==

dn: uid=richard,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ownCloud
objectClass: person
objectClass: posixAccount
objectClass: top
uid: richard
givenName: Richard
sn: Feynman
cn: Richard Feynman
displayName: Richard Phillips Feynman
description: An American theoretical physicist, known for his work in the path integral formulation of quantum mechanics, the theory of quantum electrodynamics, the physics of the superfluidity of supercooled liquid helium, as well as his work in particle physics for which he proposed the parton model.
mail: richard@example.org
uidNumber: 20002
gidNumber: 30000
homeDirectory: /home/richard
ownCloudUUID:: OTMyYjQ1NDAtOGQxNi00ODFlLThlZjQtNTg4ZTRiNmIxNTFj
userPassword:: e1NTSEF9Z05LZTRreHdmOGRUREY5eHlhSmpySTZ3MGxSVUM1d1RGcWROTVE9PQ==

ocis/config/ldap/30_groups.ldif

dn: ou=groups,dc=owncloud,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=users,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: users
description: Users
gidNumber: 30000
ownCloudUUID:: NTA5YTlkY2QtYmIzNy00ZjRmLWEwMWEtMTlkY2EyN2Q5Y2Zh
uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com

dn: cn=sailing-lovers,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: sailing-lovers
description: Sailing lovers
gidNumber: 30001
ownCloudUUID:: NjA0MGFhMTctOWM2NC00ZmVmLTliZDAtNzcyMzRkNzFiYWQw
uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com

dn: cn=violin-haters,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: violin-haters
description: Violin haters
gidNumber: 30002
ownCloudUUID:: ZGQ1OGU1ZWMtODQyZS00OThiLTg4MDAtNjFmMmVjNmY5MTFm
uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com

dn: cn=radium-lovers,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: radium-lovers
description: Radium lovers
gidNumber: 30003
ownCloudUUID:: N2I4N2ZkNDktMjg2ZS00YTVmLWJhZmQtYzUzNWQ1ZGQ5OTdh
uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com

dn: cn=polonium-lovers,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: polonium-lovers
description: Polonium lovers
gidNumber: 30004
ownCloudUUID:: Y2VkYzIxYWEtNDA3Mi00NjE0LTg2NzYtZmE5MTY1ZjU5OGZm
uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com

dn: cn=quantum-lovers,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: quantum-lovers
description: Quantum lovers
gidNumber: 30005
ownCloudUUID:: YTE3MjYxMDgtMDFmOC00YzMwLTg4ZGYtMmIxYTlkMWNiYTFh
uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com

dn: cn=philosophy-haters,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: philosophy-haters
description: Philosophy haters
gidNumber: 30006
ownCloudUUID:: MTY3Y2JlZTItMDUxOC00NTVhLWJmYjItMDMxZmUwNjIxZTVk
uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com

dn: cn=physics-lovers,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
objectClass: top
cn: physics-lovers
description: Physics lovers
gidNumber: 30007
ownCloudUUID:: MjYyOTgyYzEtMjM2Mi00YWZhLWJmZGYtOGNiZmVmNjRhMDZl
uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com

then I start an ldap server in docker:

docker run --hostname localhost -e LDAP_TLS_VERIFY_CLIENT=never -e LDAP_DOMAIN=owncloud.com -e LDAP_ORGANISATION=ownCloud -e LDAP_ADMIN_PASSWORD=admin -e LDAP_RFC2307BIS_SCHEMA=true --name docker-slapd -p 127.0.0.1:389:389 -p 636:636 -v ${PWD}/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom osixia/openldap --copy-service --loglevel debug

provide a custom proxy.json that forwards all but the signing-key requests to reva instead of ocis ocs:


				/**/
				{
					Type:     config.RegexRoute,
					Endpoint: "/ocs/v[12].php/cloud/user/signing-key", // we have `user`, `users` and `groups` in ocis-ocs
					Backend:  "http://localhost:9110",
				},
				/**/
				/*
					{
						Type:     config.RegexRoute,
						Endpoint: "/ocs/v[12].php/cloud/(users?|groups)", // we have `user`, `users` and `groups` in ocis-ocs
						Backend:  "http://localhost:9110",
					},
				*/

finally I run ocis:

LDAP_FILTER="(&(objectclass=inetOrgPerson)(objectClass=owncloud))" \
LDAP_URI=ldap://127.0.0.1:389 \
LDAP_BINDDN="cn=admin,dc=owncloud,dc=com" \
LDAP_BINDPW=admin \
LDAP_BASEDN="dc=owncloud,dc=com" \
LDAP_LOGIN_ATTRIBUTE=uid \
LDAP_UUID_ATTRIBUTE="ownclouduuid" \
LDAP_UUID_ATTRIBUTE_TYPE=binary \
PROXY_ACCOUNT_BACKEND_TYPE=cs3 \
STORAGE_LDAP_HOSTNAME=127.0.0.1 \
STORAGE_LDAP_PORT=636 \
STORAGE_LDAP_BASE_DN="dc=owncloud,dc=com" \
STORAGE_LDAP_BIND_DN="cn=admin,dc=owncloud,dc=com" \
STORAGE_LDAP_BIND_PASSWORD=admin \
STORAGE_LDAP_LOGINFILTER='(&(objectclass=inetOrgPerson)(objectclass=owncloud)(|(uid={{login}})(mail={{login}})))' \
STORAGE_LDAP_USERFILTER='(&(objectclass=inetOrgPerson)(objectclass=owncloud)(|(ownclouduuid={{.OpaqueId}})(uid={{.OpaqueId}})))' \
STORAGE_LDAP_ATTRIBUTEFILTER='(&(objectclass=owncloud)({{attr}}={{value}}))' \
STORAGE_LDAP_FINDFILTER='(&(objectclass=owncloud)(|(uid={{query}}*)(cn={{query}}*)(displayname={{query}}*)(mail={{query}}*)(description={{query}}*)))' \
STORAGE_LDAP_GROUPFILTER='(&(objectclass=groupOfUniqueNames)(objectclass=owncloud)(ownclouduuid={{.OpaqueId}}*))' \
go run cmd/ocis/main.go server

While this looks wild, there are actually only two things going on:

LDAP_* and STORAGE_LDAP_* env vars configure the ldap connection and queries that make konnectd and revas ldap userprovider driver use the same ldap server. _Note to self: we could make glauth act the exact same way, really making it a drop in that is only started if no ldap is running on port 636 and 389. _ 🤔
PROXY_ACCOUNT_BACKEND_TYPE=cs3 to make the proxy use the cs3 user provider api

IljaN · 2020-12-10T10:12:48Z

Document required ocs proxy-setting:

	/*
					{
						Type:     config.RegexRoute,
						Endpoint: "/ocs/v[12].php/cloud/user/signing-key", // we have `user`, `users` and `groups` in ocis-ocs
						Backend:  "http://localhost:9110",
					},

IljaN · 2020-12-10T10:19:27Z

Changelog

proxy/pkg/user/backend/cs3.go

kulmann · 2020-12-11T10:56:04Z

proxy/pkg/middleware/signed_url_auth.go


-		claims.OcisID = account.Id
+	if err := m.validate(req); err != nil {
+		http.Error(w, "Invalid url signature1", http.StatusUnauthorized)


Suggested change

http.Error(w, "Invalid url signature1", http.StatusUnauthorized)

http.Error(w, "Invalid url signature", http.StatusUnauthorized)

kulmann · 2020-12-11T11:03:34Z

proxy/pkg/user/backend/accounts.go

+}
+
+// lazyLoadRoles adds roles from the roles-service to the user-struct by mutating an existing struct
+func lazyLoadRoles(ctx context.Context, u *cs3.User, ss settings.RoleService) error {


Proposal for function name: injectRoles

kulmann · 2020-12-11T11:05:45Z

proxy/pkg/user/backend/accounts.go

+	}
+
+	if !account.AccountEnabled {
+		// TODO: handle not found


Do the TODO 😁

kulmann · 2020-12-11T11:09:50Z

proxy/pkg/user/backend/cs3.go

+
+	switch {
+	case err != nil:
+		return nil, fmt.Errorf("could not authenticate with username and password user: %s", username)


Reminder: wrap the existing error

…rvice Configureable via: PROXY_ACCOUNT_BACKEND_TYPE=cs3 PROXY_ACCOUNT_BACKEND_TYPE=accounts (default) By using a backend which implements the CS3 user-api (currently provided by reva/storage) it is possible to bypass the ocis-accounts service and for example use ldap directly. Hides user and auth related communication behind a facade (user/backend) to minimize logic-duplication across middlewares. Allows to switich the account backend from accounts to cs3. Co-authored-by: Jörn Friedrich Dreyer <jfd@butonic.de>

This bypasses the accounts-service Co-authored-by: Willy Kloucek <wkloucek@owncloud.com>

sonarqubecloud · 2020-12-11T17:09:31Z

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

IljaN marked this pull request as draft December 4, 2020 01:05

IljaN force-pushed the skip-accounts-service branch 2 times, most recently from 242a2d8 to d6114ef Compare December 4, 2020 16:46

IljaN force-pushed the skip-accounts-service branch from f4e8d19 to 35045ee Compare December 7, 2020 12:52