Add workaround for missing RoleIDs in Token

This we use reva to mint tokes for users when using the CS3 backend (owncloud#2528) the user's roles are no longer part of the token. This adds a workaround to the RequireSelfOrAdmin middleware to Request the user's role id on demand from the settings service. Partial Fix for owncloud#2646
rhafer · Feb 2, 2022 · ada93a9 · ada93a9
1 parent f7d290c
commit ada93a9
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/ocis-pkg/roles/manager.go b/ocis-pkg/roles/manager.go
@@ -67,3 +67,21 @@ func (m *Manager) FindPermissionByID(ctx context.Context, roleIDs []string, perm
 	}
 	return nil
 }
+
+// FindRoleIdsForUser returns all roles that are assigned to the supplied userid
+func (m *Manager) FindRoleIDsForUser(ctx context.Context, userID string) ([]string, error) {
+	req := &settingssvc.ListRoleAssignmentsRequest{AccountUuid: userID}
+	assignmentResponse, err := m.roleService.ListRoleAssignments(ctx, req)
+
+	if err != nil {
+		return nil, err
+	}
+
+	roleIDs := make([]string, 0, len(assignmentResponse.Assignments))
+
+	for _, assignment := range assignmentResponse.Assignments {
+		roleIDs = append(roleIDs, assignment.RoleId)
+	}
+
+	return roleIDs, nil
+}
diff --git a/ocs/pkg/middleware/requireselforadmin.go b/ocs/pkg/middleware/requireselforadmin.go
@@ -11,6 +11,7 @@ import (
 	"github.com/owncloud/ocis/ocis-pkg/roles"
 	"github.com/owncloud/ocis/ocs/pkg/service/v0/data"
 	"github.com/owncloud/ocis/ocs/pkg/service/v0/response"
+	settingsService "github.com/owncloud/ocis/settings/pkg/service/v0"
 )
 
 // RequireSelfOrAdmin middleware is used to require the requesting user to be an admin or the requested user himself
@@ -38,8 +39,20 @@ func RequireSelfOrAdmin(opts ...Option) func(next http.Handler) http.Handler {
 			// get roles from context
 			roleIDs, ok := roles.ReadRoleIDsFromContext(r.Context())
 			if !ok {
-				mustRender(w, r, response.ErrRender(data.MetaUnauthorized.StatusCode, "Unauthorized"))
-				return
+				opt.Logger.Debug().Str("userid", u.Id.OpaqueId).Msg("No roles in context, contacting settings service")
+				var err error
+				roleIDs, err = opt.RoleManager.FindRoleIDsForUser(r.Context(), u.Id.OpaqueId)
+				if err != nil {
+					opt.Logger.Err(err).Str("userid", u.Id.OpaqueId).Msg("failed to get roles for user")
+					mustRender(w, r, response.ErrRender(data.MetaUnauthorized.StatusCode, "Unauthorized"))
+					return
+				}
+				if len(roleIDs) == 0 {
+					roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser, settingsService.SelfManagementPermissionID)
+					// if roles are empty, assume we haven't seen the user before and assign a default user role. At least until
+					// proper roles are provided. See https://github.com/owncloud/ocis/issues/1825 for more context.
+					//return user, nil
+				}
 			}
 
 			// check if account management permission is present in roles of the authenticated account