Initial QSfera import
This commit is contained in:
@@ -0,0 +1,136 @@
|
||||
/*
|
||||
* Copyright 2021 Kopano and its licensors
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
package bootstrap
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"github.com/libregraph/lico/bootstrap"
|
||||
"github.com/libregraph/lico/identifier"
|
||||
"github.com/libregraph/lico/identity"
|
||||
"github.com/libregraph/lico/identity/managers"
|
||||
|
||||
cs3 "github.com/qsfera/server/services/idp/pkg/backends/cs3/identifier"
|
||||
)
|
||||
|
||||
// Identity managers.
|
||||
const (
|
||||
identityManagerName = "cs3"
|
||||
)
|
||||
|
||||
// Register adds the CS3 identity manager to the lico bootstrap
|
||||
func Register() error {
|
||||
return bootstrap.RegisterIdentityManager(identityManagerName, NewIdentityManager)
|
||||
}
|
||||
|
||||
// MustRegister adds the CS3 identity manager to the lico bootstrap or panics
|
||||
func MustRegister() {
|
||||
if err := Register(); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
|
||||
// NewIdentityManager produces a CS3 backed identity manager instance for the idp
|
||||
func NewIdentityManager(bs bootstrap.Bootstrap) (identity.Manager, error) {
|
||||
config := bs.Config()
|
||||
|
||||
logger := config.Config.Logger
|
||||
|
||||
if config.AuthorizationEndpointURI.String() != "" {
|
||||
return nil, fmt.Errorf("cs3 backend is incompatible with authorization-endpoint-uri parameter")
|
||||
}
|
||||
config.AuthorizationEndpointURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/identifier/_/authorize")
|
||||
|
||||
if config.EndSessionEndpointURI.String() != "" {
|
||||
return nil, fmt.Errorf("cs3 backend is incompatible with endsession-endpoint-uri parameter")
|
||||
}
|
||||
config.EndSessionEndpointURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/identifier/_/endsession")
|
||||
|
||||
if config.SignInFormURI.EscapedPath() == "" {
|
||||
config.SignInFormURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/identifier")
|
||||
}
|
||||
|
||||
if config.SignedOutURI.EscapedPath() == "" {
|
||||
config.SignedOutURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/goodbye")
|
||||
}
|
||||
|
||||
identifierBackend, identifierErr := cs3.NewCS3Backend(
|
||||
config.Config,
|
||||
config.TLSClientConfig,
|
||||
// FIXME add a map[string]interface{} property to the lico config.Config so backends can pass custom config parameters through the bootstrap process
|
||||
os.Getenv("CS3_GATEWAY"),
|
||||
os.Getenv("CS3_MACHINE_AUTH_API_KEY"),
|
||||
config.Settings.Insecure,
|
||||
)
|
||||
if identifierErr != nil {
|
||||
return nil, fmt.Errorf("failed to create identifier backend: %v", identifierErr)
|
||||
}
|
||||
|
||||
fullAuthorizationEndpointURL := bootstrap.WithSchemeAndHost(config.AuthorizationEndpointURI, config.IssuerIdentifierURI)
|
||||
fullSignInFormURL := bootstrap.WithSchemeAndHost(config.SignInFormURI, config.IssuerIdentifierURI)
|
||||
fullSignedOutEndpointURL := bootstrap.WithSchemeAndHost(config.SignedOutURI, config.IssuerIdentifierURI)
|
||||
|
||||
activeIdentifier, err := identifier.NewIdentifier(&identifier.Config{
|
||||
Config: config.Config,
|
||||
|
||||
BaseURI: config.IssuerIdentifierURI,
|
||||
PathPrefix: bs.MakeURIPath(bootstrap.APITypeSignin, ""),
|
||||
StaticFolder: config.IdentifierClientPath,
|
||||
ScopesConf: config.IdentifierScopesConf,
|
||||
WebAppDisabled: config.IdentifierClientDisabled,
|
||||
|
||||
LogonCookieName: "__Secure-KKT", // Kopano-Konnect-Token
|
||||
LogonCookieSameSite: config.CookieSameSite,
|
||||
|
||||
ConsentCookieSameSite: config.CookieSameSite,
|
||||
|
||||
StateCookieSameSite: config.CookieSameSite,
|
||||
|
||||
AuthorizationEndpointURI: fullAuthorizationEndpointURL,
|
||||
SignedOutEndpointURI: fullSignedOutEndpointURL,
|
||||
|
||||
DefaultBannerLogo: config.IdentifierDefaultBannerLogo,
|
||||
DefaultSignInPageText: config.IdentifierDefaultSignInPageText,
|
||||
DefaultUsernameHintText: config.IdentifierDefaultUsernameHintText,
|
||||
UILocales: config.IdentifierUILocales,
|
||||
|
||||
Backend: identifierBackend,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to create identifier: %v", err)
|
||||
}
|
||||
err = activeIdentifier.SetKey(config.EncryptionSecret)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("invalid --encryption-secret parameter value for identifier: %v", err)
|
||||
}
|
||||
|
||||
identityManagerConfig := &identity.Config{
|
||||
SignInFormURI: fullSignInFormURL,
|
||||
SignedOutURI: fullSignedOutEndpointURL,
|
||||
|
||||
Logger: logger,
|
||||
|
||||
ScopesSupported: config.Config.AllowedScopes,
|
||||
}
|
||||
|
||||
identifierIdentityManager := managers.NewIdentifierIdentityManager(identityManagerConfig, activeIdentifier)
|
||||
logger.Infoln("using identifier backed identity manager")
|
||||
|
||||
return identifierIdentityManager, nil
|
||||
}
|
||||
@@ -0,0 +1,230 @@
|
||||
package cs3
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
|
||||
cs3gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
|
||||
cs3rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
|
||||
"github.com/libregraph/lico"
|
||||
"github.com/libregraph/lico/config"
|
||||
"github.com/libregraph/lico/identifier/backends"
|
||||
"github.com/libregraph/lico/identifier/meta/scopes"
|
||||
"github.com/libregraph/lico/identity"
|
||||
"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
|
||||
cmap "github.com/orcaman/concurrent-map"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
const cs3BackendName = "identifier-cs3"
|
||||
|
||||
var cs3SpportedScopes = []string{
|
||||
"profile",
|
||||
"email",
|
||||
lico.ScopeUniqueUserID,
|
||||
lico.ScopeRawSubject,
|
||||
}
|
||||
|
||||
// CS3Backend holds the data for the CS3 identifier backend
|
||||
type CS3Backend struct {
|
||||
supportedScopes []string
|
||||
|
||||
logger logrus.FieldLogger
|
||||
tlsConfig *tls.Config
|
||||
gatewayAddr string
|
||||
machineAuthAPIKey string
|
||||
insecure bool
|
||||
|
||||
sessions cmap.ConcurrentMap
|
||||
}
|
||||
|
||||
// NewCS3Backend creates a new CS3 backend identifier backend
|
||||
func NewCS3Backend(
|
||||
c *config.Config,
|
||||
tlsConfig *tls.Config,
|
||||
gatewayAddr string,
|
||||
machineAuthAPIKey string,
|
||||
insecure bool,
|
||||
) (*CS3Backend, error) {
|
||||
|
||||
// Build supported scopes based on default scopes.
|
||||
supportedScopes := make([]string, len(cs3SpportedScopes))
|
||||
copy(supportedScopes, cs3SpportedScopes)
|
||||
|
||||
b := &CS3Backend{
|
||||
supportedScopes: supportedScopes,
|
||||
|
||||
logger: c.Logger,
|
||||
tlsConfig: tlsConfig,
|
||||
gatewayAddr: gatewayAddr,
|
||||
machineAuthAPIKey: machineAuthAPIKey,
|
||||
insecure: insecure,
|
||||
|
||||
sessions: cmap.New(),
|
||||
}
|
||||
|
||||
b.logger.Infoln("cs3 backend connection set up")
|
||||
|
||||
return b, nil
|
||||
}
|
||||
|
||||
// RunWithContext implements the Backend interface.
|
||||
func (b *CS3Backend) RunWithContext(_ context.Context) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Logon implements the Backend interface, enabling Logon with user name and
|
||||
// password as provided. Requests are bound to the provided context.
|
||||
func (b *CS3Backend) Logon(ctx context.Context, audience, username, password string) (bool, *string, *string, backends.UserFromBackend, error) {
|
||||
|
||||
client, err := pool.GetGatewayServiceClient(b.gatewayAddr)
|
||||
if err != nil {
|
||||
return false, nil, nil, nil, err
|
||||
}
|
||||
|
||||
res, err := client.Authenticate(ctx, &cs3gateway.AuthenticateRequest{
|
||||
Type: "basic",
|
||||
ClientId: username,
|
||||
ClientSecret: password,
|
||||
})
|
||||
if err != nil {
|
||||
return false, nil, nil, nil, fmt.Errorf("cs3 backend basic authenticate rpc error: %v", err)
|
||||
}
|
||||
if res.GetStatus().GetCode() != cs3rpc.Code_CODE_OK {
|
||||
return false, nil, nil, nil, fmt.Errorf("cs3 backend basic authenticate failed with code %s: %s", res.GetStatus().GetCode().String(), res.GetStatus().GetMessage())
|
||||
}
|
||||
|
||||
session := createSession(res.GetUser())
|
||||
|
||||
user, err := newCS3User(res.GetUser())
|
||||
if err != nil {
|
||||
return false, nil, nil, nil, fmt.Errorf("cs3 backend resolve entry data error: %v", err)
|
||||
}
|
||||
|
||||
// Use the users subject as user id.
|
||||
userID := user.Subject()
|
||||
|
||||
sessionRef := identity.GetSessionRef(b.Name(), audience, userID)
|
||||
b.sessions.Set(*sessionRef, session)
|
||||
b.logger.WithFields(logrus.Fields{
|
||||
"session": session,
|
||||
"ref": *sessionRef,
|
||||
"username": user.Username(),
|
||||
"id": userID,
|
||||
}).Debugln("cs3 backend logon")
|
||||
|
||||
return true, &userID, sessionRef, user, nil
|
||||
}
|
||||
|
||||
// GetUser implements the Backend interface, providing user meta data retrieval
|
||||
// for the user specified by the userID. Requests are bound to the provided
|
||||
// context.
|
||||
func (b *CS3Backend) GetUser(ctx context.Context, userEntryID string, sessionRef *string, _ map[string]bool) (backends.UserFromBackend, error) {
|
||||
|
||||
var session *cs3Session
|
||||
if s, ok := b.sessions.Get(*sessionRef); ok {
|
||||
// We have a cached session
|
||||
session = s.(*cs3Session)
|
||||
if session != nil {
|
||||
user, err := newCS3User(session.User())
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cs3 backend get user failed to process user: %v", err)
|
||||
}
|
||||
return user, nil
|
||||
}
|
||||
}
|
||||
|
||||
// rebuild session
|
||||
|
||||
client, err := pool.GetGatewayServiceClient(b.gatewayAddr)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
res, err := client.Authenticate(ctx, &cs3gateway.AuthenticateRequest{
|
||||
Type: "machine",
|
||||
ClientId: "userid:" + userEntryID,
|
||||
ClientSecret: b.machineAuthAPIKey,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cs3 backend get user machine authenticate rpc error: %v", err)
|
||||
}
|
||||
if res.GetStatus().GetCode() != cs3rpc.Code_CODE_OK {
|
||||
return nil, fmt.Errorf("cs3 backend get user machine authenticate failed with code %s: %s", res.GetStatus().GetCode().String(), res.GetStatus().GetMessage())
|
||||
}
|
||||
|
||||
// cache session
|
||||
session = createSession(res.GetUser())
|
||||
b.sessions.Set(*sessionRef, session)
|
||||
|
||||
user, err := newCS3User(res.GetUser())
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cs3 backend get user data error: %v", err)
|
||||
}
|
||||
|
||||
return user, nil
|
||||
}
|
||||
|
||||
// ResolveUserByUsername implements the Backend interface, providing lookup for
|
||||
// user by providing the username. Requests are bound to the provided context.
|
||||
func (b *CS3Backend) ResolveUserByUsername(ctx context.Context, username string) (backends.UserFromBackend, error) {
|
||||
|
||||
client, err := pool.GetGatewayServiceClient(b.gatewayAddr)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
res, err := client.Authenticate(ctx, &cs3gateway.AuthenticateRequest{
|
||||
Type: "machine",
|
||||
ClientId: "username:" + username,
|
||||
ClientSecret: b.machineAuthAPIKey,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cs3 backend machine authenticate rpc error: %v", err)
|
||||
}
|
||||
if res.GetStatus().GetCode() != cs3rpc.Code_CODE_OK {
|
||||
return nil, fmt.Errorf("cs3 backend machine authenticate failed with code %s: %s", res.GetStatus().GetCode().String(), res.GetStatus().GetMessage())
|
||||
}
|
||||
|
||||
user, err := newCS3User(res.GetUser())
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cs3 backend resolve username data error: %v", err)
|
||||
}
|
||||
|
||||
return user, nil
|
||||
}
|
||||
|
||||
// RefreshSession implements the Backend interface.
|
||||
func (b *CS3Backend) RefreshSession(_ context.Context, _ string, _ *string, _ map[string]any) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// DestroySession implements the Backend interface providing destroy CS3 session.
|
||||
func (b *CS3Backend) DestroySession(_ context.Context, sessionRef *string) error {
|
||||
b.sessions.Remove(*sessionRef)
|
||||
return nil
|
||||
}
|
||||
|
||||
// UserClaims implements the Backend interface, providing user specific claims
|
||||
// for the user specified by the userID.
|
||||
func (b *CS3Backend) UserClaims(_ string, _ map[string]bool) map[string]any {
|
||||
return nil
|
||||
}
|
||||
|
||||
// ScopesSupported implements the Backend interface, providing supported scopes
|
||||
// when running this backend.
|
||||
func (b *CS3Backend) ScopesSupported() []string {
|
||||
return b.supportedScopes
|
||||
}
|
||||
|
||||
// ScopesMeta implements the Backend interface, providing meta data for
|
||||
// supported scopes.
|
||||
func (b *CS3Backend) ScopesMeta() *scopes.Scopes {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Name implements the Backend interface.
|
||||
func (b *CS3Backend) Name() string {
|
||||
return cs3BackendName
|
||||
}
|
||||
@@ -0,0 +1,29 @@
|
||||
package cs3
|
||||
|
||||
import (
|
||||
"time"
|
||||
|
||||
cs3user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
|
||||
)
|
||||
|
||||
// createSession creates a new Session without the server using the provided
|
||||
// data.
|
||||
func createSession(u *cs3user.User) *cs3Session {
|
||||
s := &cs3Session{
|
||||
u: u,
|
||||
}
|
||||
|
||||
s.when = time.Now()
|
||||
|
||||
return s
|
||||
}
|
||||
|
||||
type cs3Session struct {
|
||||
u *cs3user.User
|
||||
when time.Time
|
||||
}
|
||||
|
||||
// User returns the cs3 user of the session
|
||||
func (s *cs3Session) User() *cs3user.User {
|
||||
return s.u
|
||||
}
|
||||
@@ -0,0 +1,74 @@
|
||||
package cs3
|
||||
|
||||
import (
|
||||
cs3user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
|
||||
konnect "github.com/libregraph/lico"
|
||||
)
|
||||
|
||||
type cs3User struct {
|
||||
u *cs3user.User
|
||||
}
|
||||
|
||||
func newCS3User(u *cs3user.User) (*cs3User, error) {
|
||||
return &cs3User{
|
||||
u: u,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// Subject returns the cs3 users opaque id as sub
|
||||
func (u *cs3User) Subject() string {
|
||||
return u.u.GetId().GetOpaqueId()
|
||||
}
|
||||
|
||||
// Email returns the cs3 users email
|
||||
func (u *cs3User) Email() string {
|
||||
return u.u.GetMail()
|
||||
}
|
||||
|
||||
// EmailVerified returns the cs3 users email verified flag
|
||||
func (u *cs3User) EmailVerified() bool {
|
||||
return u.u.GetMailVerified()
|
||||
}
|
||||
|
||||
// Name returns the cs3 users displayname
|
||||
func (u *cs3User) Name() string {
|
||||
return u.u.GetDisplayName()
|
||||
}
|
||||
|
||||
// FamilyName always returns "" to fulfill the UserWithProfile interface
|
||||
func (u *cs3User) FamilyName() string {
|
||||
return ""
|
||||
}
|
||||
|
||||
// GivenName always returns "" to fulfill the UserWithProfile interface
|
||||
func (u *cs3User) GivenName() string {
|
||||
return ""
|
||||
}
|
||||
|
||||
// Username returns the cs3 users username
|
||||
func (u *cs3User) Username() string {
|
||||
return u.u.GetUsername()
|
||||
}
|
||||
|
||||
// UniqueID returns the cs3 users opaque id
|
||||
func (u *cs3User) UniqueID() string {
|
||||
return u.u.GetId().GetOpaqueId()
|
||||
}
|
||||
|
||||
// BackendClaims returns additional claims the cs3 users provides
|
||||
func (u *cs3User) BackendClaims() map[string]any {
|
||||
claims := make(map[string]any)
|
||||
claims[konnect.IdentifiedUserIDClaim] = u.u.GetId().GetOpaqueId()
|
||||
|
||||
return claims
|
||||
}
|
||||
|
||||
// BackendScopes returns nil to fulfill the UserFromBackend interface
|
||||
func (u *cs3User) BackendScopes() []string {
|
||||
return nil
|
||||
}
|
||||
|
||||
// RequiredScopes returns nil to fulfill the UserFromBackend interface
|
||||
func (u *cs3User) RequiredScopes() []string {
|
||||
return nil
|
||||
}
|
||||
Reference in New Issue
Block a user