Add UID and GID to the user object from EOS fs (#995)

cs3org · Jul 28, 2020 · 99db7c1 · 99db7c1
1 parent be8a8c9
commit 99db7c1
Show file tree

Hide file tree

Showing 29 changed files with 1,051 additions and 402 deletions.
diff --git a/changelog/unreleased/uid-gid-user-object.md b/changelog/unreleased/uid-gid-user-object.md
@@ -0,0 +1,7 @@
+Enhancement: Add UID and GID to the user object from user package
+
+Currently, the UID and GID for users need to be read from the local system which
+requires local users to be present. This change retrieves that information from
+the user and auth packages and adds methods to retrieve it.
+
+https://github.com/cs3org/reva/pull/995
diff --git a/docs/content/en/docs/config/packages/auth/_index.md b/docs/content/en/docs/config/packages/auth/_index.md
@@ -0,0 +1,7 @@
+---
+title: "auth"
+linkTitle: "auth"
+weight: 10
+description: >
+  Configuration for the auth service
+---
diff --git a/docs/content/en/docs/config/packages/auth/manager/_index.md b/docs/content/en/docs/config/packages/auth/manager/_index.md
@@ -0,0 +1,7 @@
+---
+title: "manager"
+linkTitle: "manager"
+weight: 10
+description: >
+  Configuration for the manager service
+---
diff --git a/docs/content/en/docs/config/packages/auth/manager/oidc/_index.md b/docs/content/en/docs/config/packages/auth/manager/oidc/_index.md
@@ -0,0 +1,50 @@
+---
+title: "oidc"
+linkTitle: "oidc"
+weight: 10
+description: >
+  Configuration for the oidc service
+---
+
+# _struct: config_
+
+{{% dir name="insecure" type="bool" default=false %}}
+Whether to skip certificate checks when sending requests. [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/auth/manager/oidc/oidc.go#L50)
+{{< highlight toml >}}
+[auth.manager.oidc]
+insecure = false
+{{< /highlight >}}
+{{% /dir %}}
+
+{{% dir name="issuer" type="string" default="" %}}
+The issuer of the OIDC token. [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/auth/manager/oidc/oidc.go#L51)
+{{< highlight toml >}}
+[auth.manager.oidc]
+issuer = ""
+{{< /highlight >}}
+{{% /dir %}}
+
+{{% dir name="id_claim" type="string" default="sub" %}}
+The claim containing the ID of the user. [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/auth/manager/oidc/oidc.go#L52)
+{{< highlight toml >}}
+[auth.manager.oidc]
+id_claim = "sub"
+{{< /highlight >}}
+{{% /dir %}}
+
+{{% dir name="uid_claim" type="string" default="" %}}
+The claim containing the UID of the user. [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/auth/manager/oidc/oidc.go#L53)
+{{< highlight toml >}}
+[auth.manager.oidc]
+uid_claim = ""
+{{< /highlight >}}
+{{% /dir %}}
+
+{{% dir name="gid_claim" type="string" default="" %}}
+The claim containing the GID of the user. [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/auth/manager/oidc/oidc.go#L54)
+{{< highlight toml >}}
+[auth.manager.oidc]
+gid_claim = ""
+{{< /highlight >}}
+{{% /dir %}}
+
diff --git a/docs/content/en/docs/config/packages/storage/fs/eos/_index.md b/docs/content/en/docs/config/packages/storage/fs/eos/_index.md
@@ -136,3 +136,11 @@ use_keytab = false
 {{< /highlight >}}
 {{% /dir %}}
 
+{{% dir name="gatewaysvc" type="string" default="0.0.0.0:19000" %}}
+GatewaySvc stores the endpoint at which the GRPC gateway is exposed. [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/storage/fs/eos/eos.go#L94)
+{{< highlight toml >}}
+[storage.fs.eos]
+gatewaysvc = "0.0.0.0:19000"
+{{< /highlight >}}
+{{% /dir %}}
+
diff --git a/docs/content/en/docs/config/packages/storage/fs/eoshome/_index.md b/docs/content/en/docs/config/packages/storage/fs/eoshome/_index.md
@@ -144,3 +144,11 @@ use_keytab = false
 {{< /highlight >}}
 {{% /dir %}}
 
+{{% dir name="gatewaysvc" type="string" default="0.0.0.0:19000" %}}
+GatewaySvc stores the endpoint at which the GRPC gateway is exposed. [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/storage/fs/eoshome/eoshome.go#L100)
+{{< highlight toml >}}
+[storage.fs.eoshome]
+gatewaysvc = "0.0.0.0:19000"
+{{< /highlight >}}
+{{% /dir %}}
+
diff --git a/docs/content/en/docs/config/packages/user/manager/rest/_index.md b/docs/content/en/docs/config/packages/user/manager/rest/_index.md
@@ -8,64 +8,64 @@ description: >
 
 # _struct: config_
 
-{{% dir name="redis" type="string" default=":6379" %}}
-The port on which the redis server is running [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L68)
+{{% dir name="redis_address" type="string" default="localhost:6379" %}}
+The address at which the redis server is running [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L68)
 {{< highlight toml >}}
 [user.manager.rest]
-redis = ":6379"
+redis_address = "localhost:6379"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="user_groups_cache_expiration" type="int" default=5 %}}
-The time in minutes for which the groups to which a user belongs would be cached [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L70)
+The time in minutes for which the groups to which a user belongs would be cached [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L74)
 {{< highlight toml >}}
 [user.manager.rest]
 user_groups_cache_expiration = 5
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="id_provider" type="string" default="http://cernbox.cern.ch" %}}
-The OIDC Provider [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L72)
+The OIDC Provider [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L76)
 {{< highlight toml >}}
 [user.manager.rest]
 id_provider = "http://cernbox.cern.ch"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="api_base_url" type="string" default="https://authorization-service-api-dev.web.cern.ch/api/v1.0" %}}
-Base API Endpoint [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L74)
+Base API Endpoint [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L78)
 {{< highlight toml >}}
 [user.manager.rest]
 api_base_url = "https://authorization-service-api-dev.web.cern.ch/api/v1.0"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="client_id" type="string" default="-" %}}
-Client ID needed to authenticate [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L76)
+Client ID needed to authenticate [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L80)
 {{< highlight toml >}}
 [user.manager.rest]
 client_id = "-"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="client_secret" type="string" default="-" %}}
-Client Secret [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L78)
+Client Secret [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L82)
 {{< highlight toml >}}
 [user.manager.rest]
 client_secret = "-"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="oidc_token_endpoint" type="string" default="https://keycloak-dev.cern.ch/auth/realms/cern/api-access/token" %}}
-Endpoint to generate token to access the API [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L81)
+Endpoint to generate token to access the API [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L85)
 {{< highlight toml >}}
 [user.manager.rest]
 oidc_token_endpoint = "https://keycloak-dev.cern.ch/auth/realms/cern/api-access/token"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="target_api" type="string" default="authorization-service-api" %}}
-The target application for which token needs to be generated [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L83)
+The target application for which token needs to be generated [[Ref]](https://github.com/cs3org/reva/tree/master/pkg/user/manager/rest/rest.go#L87)
 {{< highlight toml >}}
 [user.manager.rest]
 target_api = "authorization-service-api"

diff --git a/go.mod b/go.mod
@@ -11,15 +11,15 @@ require (
 	github.com/cheggaaa/pb v1.0.28
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/cs3org/cato v0.0.0-20200626150132-28a40e643719
-	github.com/cs3org/go-cs3apis v0.0.0-20200709064917-d96c5f2a42ad
+	github.com/cs3org/go-cs3apis v0.0.0-20200728114537-4efa23660dbe
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/eventials/go-tus v0.0.0-20200718001131-45c7ec8f5d59
 	github.com/go-ldap/ldap/v3 v3.2.3
 	github.com/go-openapi/errors v0.19.6
 	github.com/go-openapi/strfmt v0.19.2 // indirect
 	github.com/gofrs/uuid v3.3.0+incompatible
 	github.com/golang/protobuf v1.4.2
-	github.com/gomodule/redigo v2.0.0+incompatible
+	github.com/gomodule/redigo v1.8.2
 	github.com/google/go-github v17.0.0+incompatible
 	github.com/google/go-querystring v1.0.0 // indirect
 	github.com/google/uuid v1.1.1

diff --git a/go.sum b/go.sum
@@ -109,6 +109,10 @@ github.com/cs3org/cato v0.0.0-20200626150132-28a40e643719 h1:3vDKYhsyWSbrtX67i66
 github.com/cs3org/cato v0.0.0-20200626150132-28a40e643719/go.mod h1:XJEZ3/EQuI3BXTp/6DUzFr850vlxq11I6satRtz0YQ4=
 github.com/cs3org/go-cs3apis v0.0.0-20200709064917-d96c5f2a42ad h1:XxB0h+UKILRKdr+WgPJaOfW8duVPeVKq/18aip5D/Ws=
 github.com/cs3org/go-cs3apis v0.0.0-20200709064917-d96c5f2a42ad/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
+github.com/cs3org/go-cs3apis v0.0.0-20200720081540-0d96aec81a2e h1:Q1GsuqKBo74Z6WNkUTVmyCATf7WwaTk8Fyx3Xw4CrU4=
+github.com/cs3org/go-cs3apis v0.0.0-20200720081540-0d96aec81a2e/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
+github.com/cs3org/go-cs3apis v0.0.0-20200728114537-4efa23660dbe h1:CQ/Grq7oVFqwiUg4VA/T+fl3JHZKEyo/RcTE7C23rW4=
+github.com/cs3org/go-cs3apis v0.0.0-20200728114537-4efa23660dbe/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -362,8 +366,8 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq
 github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/gomodule/redigo v2.0.0+incompatible h1:K/R+8tc58AaqLkqG2Ol3Qk+DR/TlNuhuh457pBFPtt0=
-github.com/gomodule/redigo v2.0.0+incompatible/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4=
+github.com/gomodule/redigo v1.8.2 h1:H5XSIre1MB5NbPYFp+i1NBbb5qN1W8Y8YAQoAYbkm8k=
+github.com/gomodule/redigo v1.8.2/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=

diff --git a/internal/grpc/services/gateway/appprovider.go b/internal/grpc/services/gateway/appprovider.go
@@ -54,14 +54,12 @@ func (s *svc) OpenFileInAppProvider(ctx context.Context, req *providerpb.OpenFil
 	}
 
 	statRes, err := c.Stat(ctx, statReq)
-
 	if err != nil {
 		log.Err(err).Msg("gateway: error calling Stat for the share resource path:" + req.Ref.GetPath())
 		return &providerpb.OpenFileInAppProviderResponse{
 			Status: status.NewInternal(ctx, err, "gateway: error calling Stat for the share resource id"),
 		}, nil
 	}
-
 	if statRes.Status.Code != rpc.Code_CODE_OK {
 		err := status.NewErrorFromCode(statRes.Status.GetCode(), "gateway")
 		log.Err(err).Msg("gateway: error calling Stat for the share resource id:" + req.Ref.GetPath())

diff --git a/internal/grpc/services/gateway/userprovider.go b/internal/grpc/services/gateway/userprovider.go
@@ -43,6 +43,22 @@ func (s *svc) GetUser(ctx context.Context, req *user.GetUserRequest) (*user.GetU
 	return res, nil
 }
 
+func (s *svc) GetUserByClaim(ctx context.Context, req *user.GetUserByClaimRequest) (*user.GetUserByClaimResponse, error) {
+	c, err := pool.GetUserProviderServiceClient(s.c.UserProviderEndpoint)
+	if err != nil {
+		return &user.GetUserByClaimResponse{
+			Status: status.NewInternal(ctx, err, "error getting auth client"),
+		}, nil
+	}
+
+	res, err := c.GetUserByClaim(ctx, req)
+	if err != nil {
+		return nil, errors.Wrap(err, "gateway: error calling GetUserByClaim")
+	}
+
+	return res, nil
+}
+
 func (s *svc) FindUsers(ctx context.Context, req *user.FindUsersRequest) (*user.FindUsersResponse, error) {
 	c, err := pool.GetUserProviderServiceClient(s.c.UserProviderEndpoint)
 	if err != nil {

diff --git a/internal/grpc/services/gateway/usershareprovider.go b/internal/grpc/services/gateway/usershareprovider.go
@@ -41,12 +41,10 @@ func (s *svc) CreateShare(ctx context.Context, req *collaboration.CreateShareReq
 			Status: status.NewInternal(ctx, err, "error getting user share provider client"),
 		}, nil
 	}
-
 	res, err := c.CreateShare(ctx, req)
 	if err != nil {
 		return nil, errors.Wrap(err, "gateway: error calling CreateShare")
 	}
-
 	if res.Status.Code != rpc.Code_CODE_OK {
 		return res, nil
 	}

diff --git a/internal/grpc/services/storageprovider/storageprovider.go b/internal/grpc/services/storageprovider/storageprovider.go
@@ -688,7 +688,25 @@ func (s *service) PurgeRecycle(ctx context.Context, req *provider.PurgeRecycleRe
 }
 
 func (s *service) ListGrants(ctx context.Context, req *provider.ListGrantsRequest) (*provider.ListGrantsResponse, error) {
-	return nil, nil
+	newRef, err := s.unwrap(ctx, req.Ref)
+	if err != nil {
+		return &provider.ListGrantsResponse{
+			Status: status.NewInternal(ctx, err, "error unwrapping path"),
+		}, nil
+	}
+
+	grants, err := s.storage.ListGrants(ctx, newRef)
+	if err != nil {
+		return &provider.ListGrantsResponse{
+			Status: status.NewInternal(ctx, err, "error listing ACLs"),
+		}, nil
+	}
+
+	res := &provider.ListGrantsResponse{
+		Status: status.NewOK(ctx),
+		Grants: grants,
+	}
+	return res, nil
 }
 
 func (s *service) AddGrant(ctx context.Context, req *provider.AddGrantRequest) (*provider.AddGrantResponse, error) {

diff --git a/internal/grpc/services/userprovider/userprovider.go b/internal/grpc/services/userprovider/userprovider.go
@@ -104,7 +104,7 @@ func (s *service) GetUser(ctx context.Context, req *userpb.GetUserRequest) (*use
 		// TODO(labkode): check for not found.
 		err = errors.Wrap(err, "userprovidersvc: error getting user")
 		res := &userpb.GetUserResponse{
-			Status: status.NewInternal(ctx, err, "error authenticating user"),
+			Status: status.NewInternal(ctx, err, "error getting user"),
 		}
 		return res, nil
 	}
@@ -116,6 +116,24 @@ func (s *service) GetUser(ctx context.Context, req *userpb.GetUserRequest) (*use
 	return res, nil
 }
 
+func (s *service) GetUserByClaim(ctx context.Context, req *userpb.GetUserByClaimRequest) (*userpb.GetUserByClaimResponse, error) {
+	user, err := s.usermgr.GetUserByClaim(ctx, req.Claim, req.Value)
+	if err != nil {
+		// TODO(labkode): check for not found.
+		err = errors.Wrap(err, "userprovidersvc: error getting user by claim")
+		res := &userpb.GetUserByClaimResponse{
+			Status: status.NewInternal(ctx, err, "error getting user by claim"),
+		}
+		return res, nil
+	}
+
+	res := &userpb.GetUserByClaimResponse{
+		Status: status.NewOK(ctx),
+		User:   user,
+	}
+	return res, nil
+}
+
 func (s *service) FindUsers(ctx context.Context, req *userpb.FindUsersRequest) (*userpb.FindUsersResponse, error) {
 	users, err := s.usermgr.FindUsers(ctx, req.Filter)
 	if err != nil {

diff --git a/pkg/auth/manager/oidc/oidc.go b/pkg/auth/manager/oidc/oidc.go
@@ -27,6 +27,7 @@ import (
 
 	oidc "github.com/coreos/go-oidc"
 	user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
 	"github.com/cs3org/reva/pkg/auth"
 	"github.com/cs3org/reva/pkg/auth/manager/registry"
 	"github.com/cs3org/reva/pkg/rhttp"
@@ -46,9 +47,11 @@ type mgr struct {
 }
 
 type config struct {
-	Insecure bool   `mapstructure:"insecure"`
-	Issuer   string `mapstructure:"issuer"`
-	IDClaim  string `mapstructure:"id_claim"`
+	Insecure bool   `mapstructure:"insecure" docs:"false;Whether to skip certificate checks when sending requests."`
+	Issuer   string `mapstructure:"issuer" docs:";The issuer of the OIDC token."`
+	IDClaim  string `mapstructure:"id_claim" docs:"sub;The claim containing the ID of the user."`
+	UIDClaim string `mapstructure:"uid_claim" docs:";The claim containing the UID of the user."`
+	GIDClaim string `mapstructure:"gid_claim" docs:";The claim containing the GID of the user."`
 }
 
 func (c *config) init() {
@@ -120,6 +123,28 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 		return nil, fmt.Errorf("no \"preferred_username\" or \"name\" attribute found in userinfo: maybe the client did not request the oidc \"profile\"-scope")
 	}
 
+	opaqueObj := &types.Opaque{
+		Map: map[string]*types.OpaqueEntry{},
+	}
+	if am.c.UIDClaim != "" {
+		uid, ok := claims[am.c.UIDClaim]
+		if ok {
+			opaqueObj.Map["uid"] = &types.OpaqueEntry{
+				Decoder: "plain",
+				Value:   []byte(fmt.Sprintf("%0.f", uid)),
+			}
+		}
+	}
+	if am.c.GIDClaim != "" {
+		gid, ok := claims[am.c.GIDClaim]
+		if ok {
+			opaqueObj.Map["gid"] = &types.OpaqueEntry{
+				Decoder: "plain",
+				Value:   []byte(fmt.Sprintf("%0.f", gid)),
+			}
+		}
+	}
+
 	u := &user.User{
 		Id: &user.UserId{
 			OpaqueId: claims[am.c.IDClaim].(string), // a stable non reassignable id
@@ -134,6 +159,7 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 		Mail:         claims["email"].(string),
 		MailVerified: claims["email_verified"].(bool),
 		DisplayName:  claims["name"].(string),
+		Opaque:       opaqueObj,
 	}
 
 	return u, nil