store the userid in the context when authenticating credentials (#239)

* store the userid in the context when authenticating credentials

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

* make all managers return proper user ids

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

* update demo tests

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

cmd/revad/svcs/grpcsvcs/authsvc/authsvc.go

@@ -130,7 +130,6 @@ func (s *service) GenerateAccessToken(ctx context.Context, req *authv0alphapb.Ge
 	log := appctx.GetLogger(ctx)
 	username := req.ClientId
 	password := req.ClientSecret
-	uid := &typespb.UserId{OpaqueId: username}
 
 	ctx, err := s.authmgr.Authenticate(ctx, username, password)
 	if err != nil {
@@ -141,6 +140,15 @@ func (s *service) GenerateAccessToken(ctx context.Context, req *authv0alphapb.Ge
 		return res, nil
 	}
 
+	uid, ok := user.ContextGetUserID(ctx)
+	if !ok {
+		// try to look up user by username
+		// TODO log warning or should we fail?
+		uid = &typespb.UserId{
+			OpaqueId: username,
+		}
+	}
+
 	user, err := s.usermgr.GetUser(ctx, uid)
 	if err != nil {
 		err = errors.Wrap(err, "authsvc: error in GetUser")

cmd/revad/users.demo.json

@@ -1,8 +1,8 @@
 [
 	{
 		"id": {
-			"opaque_id": "37a08ed30093a133b1bb4ae0b8f3601f",
-			"idp": "localhost"
+			"opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
+			"idp": "http://localhost:9998"
 		},
 		"username": "einstein",
 		"secret": "relativity",
@@ -11,8 +11,8 @@
 	},
 	{
 		"id": {
-			"opaque_id": "b3725122c9d3bfef5664619e08e31877",
-			"idp": "localhost"
+			"opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
+			"idp": "http://localhost:9998"
 		},
 		"username": "marie",
 		"secret": "radioactivity",
@@ -21,8 +21,8 @@
 	},
 	{
 		"id": {
-			"opaque_id": "6ae199a93c381bf6d5de27491139d3f9",
-			"idp": "localhost"
+			"opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
+			"idp": "http://localhost:9998"
 		},
 		"username": "richard",
 		"secret": "superfluidity",

pkg/auth/manager/demo/demo.go

@@ -21,17 +21,25 @@ package demo
 import (
 	"context"
 
+	typespb "github.com/cs3org/go-cs3apis/cs3/types"
 	"github.com/cs3org/reva/pkg/auth"
 	"github.com/cs3org/reva/pkg/auth/manager/registry"
 	"github.com/cs3org/reva/pkg/errtypes"
+	"github.com/cs3org/reva/pkg/user"
 )
 
 func init() {
 	registry.Register("demo", New)
 }
 
 type manager struct {
-	credentials map[string]string
+	credentials map[string]Credentials
+}
+
+// Credentials holds a pair of secret and userid
+type Credentials struct {
+	ID     *typespb.UserId
+	Secret string
 }
 
 // New returns a new auth Manager.
@@ -42,18 +50,36 @@ func New(m map[string]interface{}) (auth.Manager, error) {
 }
 
 func (m *manager) Authenticate(ctx context.Context, clientID, clientSecret string) (context.Context, error) {
-	if secret, ok := m.credentials[clientID]; ok {
-		if secret == clientSecret {
-			return ctx, nil
+	if c, ok := m.credentials[clientID]; ok {
+		if c.Secret == clientSecret {
+			return user.ContextSetUserID(ctx, c.ID), nil
 		}
 	}
 	return ctx, errtypes.InvalidCredentials(clientID)
 }
 
-func getCredentials() map[string]string {
-	return map[string]string{
-		"einstein": "relativity",
-		"marie":    "radioactivity",
-		"richard":  "superfluidity",
+func getCredentials() map[string]Credentials {
+	return map[string]Credentials{
+		"einstein": Credentials{
+			Secret: "relativity",
+			ID: &typespb.UserId{
+				OpaqueId: "4c510ada-c86b-4815-8820-42cdf82c3d51",
+				Idp:      "http://localhost:9998",
+			},
+		},
+		"marie": Credentials{
+			Secret: "radioactivity",
+			ID: &typespb.UserId{
+				OpaqueId: "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
+				Idp:      "http://localhost:9998",
+			},
+		},
+		"richard": Credentials{
+			Secret: "superfluidity",
+			ID: &typespb.UserId{
+				OpaqueId: "932b4540-8d16-481e-8ef4-588e4b6b151c",
+				Idp:      "http://localhost:9998",
+			},
+		},
 	}
 }

pkg/auth/manager/impersonator/impersonator.go

@@ -20,9 +20,12 @@ package impersonator
 
 import (
 	"context"
+	"strings"
 
+	typespb "github.com/cs3org/go-cs3apis/cs3/types"
 	"github.com/cs3org/reva/pkg/auth"
 	"github.com/cs3org/reva/pkg/auth/manager/registry"
+	"github.com/cs3org/reva/pkg/user"
 )
 
 func init() {
@@ -37,5 +40,14 @@ func New(c map[string]interface{}) (auth.Manager, error) {
 }
 
 func (m *mgr) Authenticate(ctx context.Context, clientID, clientSecret string) (context.Context, error) {
-	return ctx, nil
+	// allow passing in uid as <opaqueid>@<idp>
+	at := strings.LastIndex(clientID, "@")
+	uid := &typespb.UserId{}
+	if at < 0 {
+		uid.OpaqueId = clientID
+	} else {
+		uid.OpaqueId = clientID[:at]
+		uid.Idp = clientID[at+1:]
+	}
+	return user.ContextSetUserID(ctx, uid), nil
 }

pkg/auth/manager/impersonator/impersonator_test.go

@@ -21,13 +21,41 @@ package impersonator
 import (
 	"context"
 	"testing"
+
+	"github.com/cs3org/reva/pkg/user"
 )
 
 func TestImpersonator(t *testing.T) {
 	ctx := context.Background()
 	i, _ := New(nil)
-	_, err := i.Authenticate(ctx, "admin", "pwd")
+	ctx, err := i.Authenticate(ctx, "admin", "pwd")
 	if err != nil {
 		t.Fatal(err)
 	}
+	uid, ok := user.ContextGetUserID(ctx)
+	if !ok {
+		t.Fatal("no userid in context")
+	}
+	if uid.OpaqueId != "admin" {
+		t.Errorf("%#v, wanted %#v", uid.OpaqueId, "admin")
+	}
+	if uid.Idp != "" {
+		t.Errorf("%#v, wanted %#v", uid.Idp, "")
+	}
+
+	ctx = context.Background()
+	ctx, err = i.Authenticate(ctx, "opaqueid@idp", "pwd")
+	if err != nil {
+		t.Fatal(err)
+	}
+	uid, ok = user.ContextGetUserID(ctx)
+	if !ok {
+		t.Fatal("no userid in context")
+	}
+	if uid.OpaqueId != "opaqueid" {
+		t.Errorf("%#v, wanted %#v", uid.OpaqueId, "opaqueid")
+	}
+	if uid.Idp != "idp" {
+		t.Errorf("%#v, wanted %#v", uid.Idp, "idp")
+	}
 }

pkg/auth/manager/json/json.go

@@ -23,9 +23,11 @@ import (
 	"encoding/json"
 	"io/ioutil"
 
+	typespb "github.com/cs3org/go-cs3apis/cs3/types"
 	"github.com/cs3org/reva/pkg/auth"
 	"github.com/cs3org/reva/pkg/auth/manager/registry"
 	"github.com/cs3org/reva/pkg/errtypes"
+	"github.com/cs3org/reva/pkg/user"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
 )
@@ -34,15 +36,15 @@ func init() {
 	registry.Register("json", New)
 }
 
-// Credentials holds a pair of username and secret
-// TOTDO id?
+// Credentials holds a pair of secret and userid
 type Credentials struct {
-	Username string `mapstructure:"username"`
-	Secret   string `mapstructure:"secret"`
+	ID       *typespb.UserId `mapstructure:"id"`
+	Username string          `mapstructure:"username"`
+	Secret   string          `mapstructure:"secret"`
 }
 
 type manager struct {
-	credentials map[string]string
+	credentials map[string]*Credentials
 }
 
 type config struct {
@@ -66,29 +68,31 @@ func New(m map[string]interface{}) (auth.Manager, error) {
 		return nil, err
 	}
 
-	manager := &manager{credentials: map[string]string{}}
+	manager := &manager{credentials: map[string]*Credentials{}}
 
-	credentials := []*Credentials{}
 	f, err := ioutil.ReadFile(c.Users)
 	if err != nil {
 		return nil, err
 	}
+
+	credentials := []*Credentials{}
+
 	err = json.Unmarshal(f, &credentials)
 	if err != nil {
 		return nil, err
 	}
 
 	for _, c := range credentials {
-		manager.credentials[c.Username] = c.Secret
+		manager.credentials[c.Username] = c
 	}
 
 	return manager, nil
 }
 
 func (m *manager) Authenticate(ctx context.Context, username string, secret string) (context.Context, error) {
-	if s, ok := m.credentials[username]; ok {
-		if s == secret {
-			return ctx, nil
+	if c, ok := m.credentials[username]; ok {
+		if c.Secret == secret {
+			return user.ContextSetUserID(ctx, c.ID), nil
 		}
 	}
 	return ctx, errtypes.InvalidCredentials(username)

pkg/auth/manager/ldap/ldap.go

@@ -23,10 +23,12 @@ import (
 	"crypto/tls"
 	"fmt"
 
+	typespb "github.com/cs3org/go-cs3apis/cs3/types"
 	"github.com/cs3org/reva/pkg/appctx"
 	"github.com/cs3org/reva/pkg/auth"
 	"github.com/cs3org/reva/pkg/auth/manager/registry"
 	"github.com/cs3org/reva/pkg/errtypes"
+	"github.com/cs3org/reva/pkg/user"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
 	"gopkg.in/ldap.v2"
@@ -100,7 +102,8 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 		am.baseDN,
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
 		fmt.Sprintf(am.filter, clientID),
-		[]string{"dn"},
+		// TODO(jfd): objectguid, entryuuid etc ... make configurable
+		[]string{"dn", "objectguid"},
 		nil,
 	)
 
@@ -123,6 +126,13 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 		return ctx, err
 	}
 
-	return ctx, nil
+	uid := &typespb.UserId{
+		// TODO(jfd): how do we determine the issuer for ldap? ... make configurable
+		Idp: fmt.Sprintf("%s:%d", am.hostname, am.port),
+		// TODO(jfd): objectguid, entryuuid etc ... make configurable
+		OpaqueId: sr.Entries[0].GetAttributeValue("objectguid"),
+	}
+
+	return user.ContextSetUserID(ctx, uid), nil
 
 }

pkg/auth/manager/oidc/oidc.go

@@ -29,9 +29,11 @@ import (
 	"time"
 
 	oidc "github.com/coreos/go-oidc"
+	typespb "github.com/cs3org/go-cs3apis/cs3/types"
 	"github.com/cs3org/reva/pkg/appctx"
 	"github.com/cs3org/reva/pkg/auth"
 	"github.com/cs3org/reva/pkg/auth/manager/registry"
+	"github.com/cs3org/reva/pkg/user"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
 	"golang.org/x/oauth2"
@@ -221,6 +223,11 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, token string) (contex
 
 	// store claims in context
 	ctx = context.WithValue(ctx, ClaimsKey, claims)
+	uid := &typespb.UserId{
+		Idp:      claims.Iss,
+		OpaqueId: claims.Sub,
+	}
+	ctx = user.ContextSetUserID(ctx, uid)
 
 	return ctx, nil
 }