/
nextcloud.go
189 lines (164 loc) · 5.83 KB
/
nextcloud.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
// Copyright 2018-2024 CERN
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// In applying this license, CERN does not waive the privileges and immunities
// granted to it by virtue of its status as an Intergovernmental Organization
// or submit itself to any jurisdiction.
// Package nextcloud verifies a clientID and clientSecret against a Nextcloud backend.
package nextcloud
import (
"context"
"encoding/json"
"fmt"
"io"
"net/http"
"strconv"
"strings"
authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
"github.com/cs3org/reva/pkg/appctx"
"github.com/cs3org/reva/pkg/auth"
"github.com/cs3org/reva/pkg/auth/manager/registry"
"github.com/cs3org/reva/pkg/errtypes"
"github.com/cs3org/reva/pkg/utils/cfg"
"github.com/pkg/errors"
)
func init() {
registry.Register("nextcloud", New)
}
// Manager is the Nextcloud-based implementation of the auth.Manager interface
// see https://github.com/cs3org/reva/blob/v1.13.0/pkg/auth/auth.go#L32-L35
type Manager struct {
client *http.Client
sharedSecret string
endPoint string
}
// AuthManagerConfig contains config for a Nextcloud-based AuthManager.
type AuthManagerConfig struct {
EndPoint string `docs:";The Nextcloud backend endpoint for user check" mapstructure:"endpoint"`
SharedSecret string `mapstructure:"shared_secret"`
MockHTTP bool `mapstructure:"mock_http"`
}
// Action describes a REST request to forward to the Nextcloud backend.
type Action struct {
verb string
username string
argS string
}
// New returns an auth manager implementation that verifies against a Nextcloud backend.
func New(ctx context.Context, m map[string]interface{}) (auth.Manager, error) {
var c AuthManagerConfig
if err := cfg.Decode(m, &c); err != nil {
return nil, errors.Wrap(err, "nextcloud: error decoding config")
}
return NewAuthManager(&c)
}
// NewAuthManager returns a new Nextcloud-based AuthManager.
func NewAuthManager(c *AuthManagerConfig) (*Manager, error) {
var client *http.Client
if c.MockHTTP {
// called := make([]string, 0)
// nextcloudServerMock := GetNextcloudServerMock(&called)
// client, _ = TestingHTTPClient(nextcloudServerMock)
// Wait for SetHTTPClient to be called later
client = nil
} else {
if len(c.EndPoint) == 0 {
return nil, errors.New("Please specify 'endpoint' in '[grpc.services.authprovider.auth_managers.nextcloud]'")
}
client = &http.Client{}
}
return &Manager{
endPoint: c.EndPoint, // e.g. "http://nc/apps/sciencemesh/"
sharedSecret: c.SharedSecret,
client: client,
}, nil
}
// Configure method as defined in https://github.com/cs3org/reva/blob/v1.13.0/pkg/auth/auth.go#L32-L35
func (am *Manager) Configure(ml map[string]interface{}) error {
return nil
}
// SetHTTPClient sets the HTTP client.
func (am *Manager) SetHTTPClient(c *http.Client) {
am.client = c
}
func (am *Manager) do(ctx context.Context, a Action) (int, []byte, error) {
log := appctx.GetLogger(ctx)
url := am.endPoint + "~" + a.username + "/api/auth/" + a.verb
log.Info().Msgf("am.do %s %s %s", url, a.argS, am.sharedSecret)
req, err := http.NewRequest(http.MethodPost, url, strings.NewReader(a.argS))
if err != nil {
return 0, nil, err
}
req.Header.Set("X-Reva-Secret", am.sharedSecret)
req.Header.Set("Content-Type", "application/json")
resp, err := am.client.Do(req)
if err != nil {
return 0, nil, err
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
return 0, nil, err
}
log.Info().Msgf("am.do response %d %s", resp.StatusCode, body)
if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
return 0, nil, fmt.Errorf("Unexpected response code from EFSS API: " + strconv.Itoa(resp.StatusCode))
}
return resp.StatusCode, body, nil
}
// Authenticate method as defined in https://github.com/cs3org/reva/blob/28500a8/pkg/auth/auth.go#L31-L33
func (am *Manager) Authenticate(ctx context.Context, clientID, clientSecret string) (*user.User, map[string]*authpb.Scope, error) {
type paramsObj struct {
ClientID string `json:"clientID"`
ClientSecret string `json:"clientSecret"`
}
if clientSecret == "" {
// This may happen when the remote OCM user attempts to do basic auth with (username = sharedSecret and pwd = empty),
// and the interceptors bring us here. But authentication is properly handled by the ocm share provider.
return nil, nil, errtypes.PermissionDenied("secret is empty, ignoring")
}
bodyObj := ¶msObj{
ClientID: clientID,
ClientSecret: clientSecret,
}
bodyStr, err := json.Marshal(bodyObj)
if err != nil {
return nil, nil, err
}
log := appctx.GetLogger(ctx)
log.Info().Msgf("Authenticate %s %s", clientID, bodyStr)
statusCode, body, err := am.do(ctx, Action{"Authenticate", clientID, string(bodyStr)})
if err != nil {
return nil, nil, err
}
if statusCode != 200 {
return nil, nil, errtypes.PermissionDenied("Username/password not recognized by Nextcloud backend")
}
type resultsObj struct {
User user.User `json:"user"`
Scopes map[string]authpb.Scope `json:"scopes"`
}
result := &resultsObj{}
err = json.Unmarshal(body, &result)
if err != nil {
return nil, nil, err
}
var pointersMap = make(map[string]*authpb.Scope)
for k := range result.Scopes {
scope := result.Scopes[k]
pointersMap[k] = &scope
}
return &result.User, pointersMap, nil
}