From 60c319faed9ea1687393f70534debe1c39df1071 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Mon, 5 Oct 2020 11:25:02 +0200
Subject: [PATCH] Add autoprovision accounts flag
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jörn Friedrich Dreyer
---
 .../add-autoprovision-accounts-flag.md | 6 +++++
 proxy/pkg/command/server.go | 1 +
 proxy/pkg/config/config.go | 27 ++++++++++---------
 proxy/pkg/flagset/flagset.go | 11 ++++++++
 proxy/pkg/middleware/account_uuid.go | 2 +-
 proxy/pkg/middleware/options.go | 12 ++++++++-
 6 files changed, 44 insertions(+), 15 deletions(-)
 create mode 100644 proxy/changelog/unreleased/add-autoprovision-accounts-flag.md

diff --git a/proxy/changelog/unreleased/add-autoprovision-accounts-flag.md b/proxy/changelog/unreleased/add-autoprovision-accounts-flag.md
new file mode 100644
index 00000000000..6268c8e20a4
--- /dev/null
+++ b/proxy/changelog/unreleased/add-autoprovision-accounts-flag.md
@@ -0,0 +1,6 @@
+Enhancement: Add autoprovision accounts flag
+
+Added a new `PROXY_AUTOPROVISION_ACCOUNTS` environment variable. When enabled, the proxy will try to create a new account when it cannot match the username or email from the oidc userinfo to an existing user. Enable it to learn users from an external identity provider. Defaults to false.
+
+https://github.com/owncloud/product/issues/219
+https://github.com/owncloud/ocis/issues/629
diff --git a/proxy/pkg/command/server.go b/proxy/pkg/command/server.go
index 3006b8be0d8..d6c2892f713 100644
--- a/proxy/pkg/command/server.go
+++ b/proxy/pkg/command/server.go
@@ -265,6 +265,7 @@ func loadMiddlewares(ctx context.Context, l log.Logger, cfg *config.Config) alic
 middleware.TokenManagerConfig(cfg.TokenManager),
 middleware.AccountsClient(accounts),
 middleware.SettingsRoleService(roles),
+ middleware.AutoprovisionAccounts(cfg.AutoprovisionAccounts),
 )
 
 // the connection will be established in a non blocking fashion
diff --git a/proxy/pkg/config/config.go b/proxy/pkg/config/config.go
index 5961b32b536..f5252cc7c3b 100644
--- a/proxy/pkg/config/config.go
+++ b/proxy/pkg/config/config.go
@@ -85,19 +85,20 @@ type Reva struct {
 
 // Config combines all available configuration parts.
 type Config struct {
- File string
- Log Log
- Debug Debug
- HTTP HTTP
- Service Service
- Tracing Tracing
- Asset Asset
- Policies []Policy
- OIDC OIDC
- TokenManager TokenManager
- PolicySelector *PolicySelector `mapstructure:"policy_selector"`
- Reva Reva
- PreSignedURL PreSignedURL
+ File string
+ Log Log
+ Debug Debug
+ HTTP HTTP
+ Service Service
+ Tracing Tracing
+ Asset Asset
+ Policies []Policy
+ OIDC OIDC
+ TokenManager TokenManager
+ PolicySelector *PolicySelector `mapstructure:"policy_selector"`
+ Reva Reva
+ PreSignedURL PreSignedURL
+ AutoprovisionAccounts bool
 }
 
 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request
diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go
index 4c0521b1689..1ccc497d64f 100644
--- a/proxy/pkg/flagset/flagset.go
+++ b/proxy/pkg/flagset/flagset.go
@@ -202,6 +202,17 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"PROXY_OIDC_INSECURE"},
 Destination: &cfg.OIDC.Insecure,
 },
+
+ &cli.BoolFlag{
+ Name: "autoprovision-accounts",
+ Value: false,
+ Usage: "create accounts from OIDC access tokens to learn new users",
+ EnvVars: []string{"PROXY_AUTOPROVISION_ACCOUNTS"},
+ Destination: &cfg.AutoprovisionAccounts,
+ },
+
+ // Presigned URLs
+
 &cli.StringSliceFlag{
 Name: "presignedurl-allow-method",
 Value: cli.NewStringSlice("GET"),
diff --git a/proxy/pkg/middleware/account_uuid.go b/proxy/pkg/middleware/account_uuid.go
index c5877863e04..6850db1444e 100644
--- a/proxy/pkg/middleware/account_uuid.go
+++ b/proxy/pkg/middleware/account_uuid.go
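Review bot: The Usage string of the new `autoprovision-accounts` flag says accounts are created "from OIDC access tokens", but the changelog entry and the account_uuid.go hunk describe creation from the OIDC userinfo claims when neither username nor email matches an existing account; the help text is what an operator reads before switching this on, so it should describe what actually happens. Consider `Usage: "create accounts from OIDC userinfo claims for users that do not exist yet"`. Because enabling it means every identity the configured identity provider asserts can obtain an account, it would also be worth stating in the help text that this extends account creation to the external IdP, as the changelog already does.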
@@ -104,7 +104,7 @@ func AccountUUID(opts ...Option) func(next http.Handler) http.Handler {
 w.WriteHeader(http.StatusInternalServerError)
 }
 if status != 0 || account == nil {
- if status == http.StatusNotFound {
+ if opt.AutoprovisionAccounts && status == http.StatusNotFound {
 account, status = createAccount(l, claims, opt.AccountsClient)
 if status != 0 {
 w.WriteHeader(status)
diff --git a/proxy/pkg/middleware/options.go b/proxy/pkg/middleware/options.go
index c583ee843a4..4c7cbd623ac 100644
--- a/proxy/pkg/middleware/options.go
+++ b/proxy/pkg/middleware/options.go
@@ -1,9 +1,10 @@
 package middleware
 
 import (
- settings "github.com/owncloud/ocis/settings/pkg/proto/v0"
 "net/http"
 
+ settings "github.com/owncloud/ocis/settings/pkg/proto/v0"
+
 gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 acc "github.com/owncloud/ocis/accounts/pkg/proto/v0"
 "github.com/owncloud/ocis/ocis-pkg/log"
@@ -36,6 +37,8 @@ type Options struct {
 Store storepb.StoreService
 // PreSignedURLConfig to configure the middleware
 PreSignedURLConfig config.PreSignedURL
+ // AutoprovisionAccounts when an account does not exist.
+ AutoprovisionAccounts bool
 }
 
 // newOptions initializes the available default options.
@@ -118,3 +121,10 @@ func PreSignedURLConfig(cfg config.PreSignedURL) Option {
 o.PreSignedURLConfig = cfg
 }
 }
+
+// AutoprovisionAccounts provides a function to set the AutoprovisionAccounts config
+func AutoprovisionAccounts(val bool) Option {
+ return func(o *Options) {
+ o.AutoprovisionAccounts = val
+ }
+}
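Review bot: With AutoprovisionAccounts off, a 404 from the account lookup now falls through to whatever follows this `if`, a path that previously only saw non-404 statuses; that branch is outside the hunk, so confirm it writes a response and returns rather than continuing with a nil account. A request rejected this way is indistinguishable in the logs from one rejected for other reasons, so a debug-level log line in that path saying that the account was not found and autoprovisioning is disabled would make "unknown user" reports much easier to diagnose; the created-account path should likewise log the claim values it provisioned from, if `createAccount` does not already. The body of AccountUUID starts and ends outside the hunk.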
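Review bot: The import regrouping in options.go leaves `settings` in a group of its own between the stdlib import and the other github.com imports, with a second blank line added after it; goimports would place it in the existing third-party group next to `gateway`, `acc` and `log`. Moving the line into that group and dropping the added blank keeps the file goimports-clean without changing anything else.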
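Review bot: The new field comment `// AutoprovisionAccounts when an account does not exist.` is a fragment that does not say what the option does; the account_uuid.go hunk shows it gates creating an account from the OIDC claims when the lookup returns 404, and the flag defaults to false. Suggest `// AutoprovisionAccounts creates an account from the OIDC claims when the lookup finds none; off by default.` so readers of Options understand the trust this extends to the identity provider.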