Initial QSfera import

This commit is contained in:
Курнат Андрей
2026-06-07 10:20:04 +03:00
commit 2315f25754
16485 changed files with 4826827 additions and 0 deletions
@@ -0,0 +1,136 @@
/*
* Copyright 2021 Kopano and its licensors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package bootstrap
import (
"fmt"
"os"
"github.com/libregraph/lico/bootstrap"
"github.com/libregraph/lico/identifier"
"github.com/libregraph/lico/identity"
"github.com/libregraph/lico/identity/managers"
cs3 "github.com/qsfera/server/services/idp/pkg/backends/cs3/identifier"
)
// Identity managers.
const (
identityManagerName = "cs3"
)
// Register adds the CS3 identity manager to the lico bootstrap
func Register() error {
return bootstrap.RegisterIdentityManager(identityManagerName, NewIdentityManager)
}
// MustRegister adds the CS3 identity manager to the lico bootstrap or panics
func MustRegister() {
if err := Register(); err != nil {
panic(err)
}
}
// NewIdentityManager produces a CS3 backed identity manager instance for the idp
func NewIdentityManager(bs bootstrap.Bootstrap) (identity.Manager, error) {
config := bs.Config()
logger := config.Config.Logger
if config.AuthorizationEndpointURI.String() != "" {
return nil, fmt.Errorf("cs3 backend is incompatible with authorization-endpoint-uri parameter")
}
config.AuthorizationEndpointURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/identifier/_/authorize")
if config.EndSessionEndpointURI.String() != "" {
return nil, fmt.Errorf("cs3 backend is incompatible with endsession-endpoint-uri parameter")
}
config.EndSessionEndpointURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/identifier/_/endsession")
if config.SignInFormURI.EscapedPath() == "" {
config.SignInFormURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/identifier")
}
if config.SignedOutURI.EscapedPath() == "" {
config.SignedOutURI.Path = bs.MakeURIPath(bootstrap.APITypeSignin, "/goodbye")
}
identifierBackend, identifierErr := cs3.NewCS3Backend(
config.Config,
config.TLSClientConfig,
// FIXME add a map[string]interface{} property to the lico config.Config so backends can pass custom config parameters through the bootstrap process
os.Getenv("CS3_GATEWAY"),
os.Getenv("CS3_MACHINE_AUTH_API_KEY"),
config.Settings.Insecure,
)
if identifierErr != nil {
return nil, fmt.Errorf("failed to create identifier backend: %v", identifierErr)
}
fullAuthorizationEndpointURL := bootstrap.WithSchemeAndHost(config.AuthorizationEndpointURI, config.IssuerIdentifierURI)
fullSignInFormURL := bootstrap.WithSchemeAndHost(config.SignInFormURI, config.IssuerIdentifierURI)
fullSignedOutEndpointURL := bootstrap.WithSchemeAndHost(config.SignedOutURI, config.IssuerIdentifierURI)
activeIdentifier, err := identifier.NewIdentifier(&identifier.Config{
Config: config.Config,
BaseURI: config.IssuerIdentifierURI,
PathPrefix: bs.MakeURIPath(bootstrap.APITypeSignin, ""),
StaticFolder: config.IdentifierClientPath,
ScopesConf: config.IdentifierScopesConf,
WebAppDisabled: config.IdentifierClientDisabled,
LogonCookieName: "__Secure-KKT", // Kopano-Konnect-Token
LogonCookieSameSite: config.CookieSameSite,
ConsentCookieSameSite: config.CookieSameSite,
StateCookieSameSite: config.CookieSameSite,
AuthorizationEndpointURI: fullAuthorizationEndpointURL,
SignedOutEndpointURI: fullSignedOutEndpointURL,
DefaultBannerLogo: config.IdentifierDefaultBannerLogo,
DefaultSignInPageText: config.IdentifierDefaultSignInPageText,
DefaultUsernameHintText: config.IdentifierDefaultUsernameHintText,
UILocales: config.IdentifierUILocales,
Backend: identifierBackend,
})
if err != nil {
return nil, fmt.Errorf("failed to create identifier: %v", err)
}
err = activeIdentifier.SetKey(config.EncryptionSecret)
if err != nil {
return nil, fmt.Errorf("invalid --encryption-secret parameter value for identifier: %v", err)
}
identityManagerConfig := &identity.Config{
SignInFormURI: fullSignInFormURL,
SignedOutURI: fullSignedOutEndpointURL,
Logger: logger,
ScopesSupported: config.Config.AllowedScopes,
}
identifierIdentityManager := managers.NewIdentifierIdentityManager(identityManagerConfig, activeIdentifier)
logger.Infoln("using identifier backed identity manager")
return identifierIdentityManager, nil
}
@@ -0,0 +1,230 @@
package cs3
import (
"context"
"crypto/tls"
"fmt"
cs3gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
cs3rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
"github.com/libregraph/lico"
"github.com/libregraph/lico/config"
"github.com/libregraph/lico/identifier/backends"
"github.com/libregraph/lico/identifier/meta/scopes"
"github.com/libregraph/lico/identity"
"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
cmap "github.com/orcaman/concurrent-map"
"github.com/sirupsen/logrus"
)
const cs3BackendName = "identifier-cs3"
var cs3SpportedScopes = []string{
"profile",
"email",
lico.ScopeUniqueUserID,
lico.ScopeRawSubject,
}
// CS3Backend holds the data for the CS3 identifier backend
type CS3Backend struct {
supportedScopes []string
logger logrus.FieldLogger
tlsConfig *tls.Config
gatewayAddr string
machineAuthAPIKey string
insecure bool
sessions cmap.ConcurrentMap
}
// NewCS3Backend creates a new CS3 backend identifier backend
func NewCS3Backend(
c *config.Config,
tlsConfig *tls.Config,
gatewayAddr string,
machineAuthAPIKey string,
insecure bool,
) (*CS3Backend, error) {
// Build supported scopes based on default scopes.
supportedScopes := make([]string, len(cs3SpportedScopes))
copy(supportedScopes, cs3SpportedScopes)
b := &CS3Backend{
supportedScopes: supportedScopes,
logger: c.Logger,
tlsConfig: tlsConfig,
gatewayAddr: gatewayAddr,
machineAuthAPIKey: machineAuthAPIKey,
insecure: insecure,
sessions: cmap.New(),
}
b.logger.Infoln("cs3 backend connection set up")
return b, nil
}
// RunWithContext implements the Backend interface.
func (b *CS3Backend) RunWithContext(_ context.Context) error {
return nil
}
// Logon implements the Backend interface, enabling Logon with user name and
// password as provided. Requests are bound to the provided context.
func (b *CS3Backend) Logon(ctx context.Context, audience, username, password string) (bool, *string, *string, backends.UserFromBackend, error) {
client, err := pool.GetGatewayServiceClient(b.gatewayAddr)
if err != nil {
return false, nil, nil, nil, err
}
res, err := client.Authenticate(ctx, &cs3gateway.AuthenticateRequest{
Type: "basic",
ClientId: username,
ClientSecret: password,
})
if err != nil {
return false, nil, nil, nil, fmt.Errorf("cs3 backend basic authenticate rpc error: %v", err)
}
if res.GetStatus().GetCode() != cs3rpc.Code_CODE_OK {
return false, nil, nil, nil, fmt.Errorf("cs3 backend basic authenticate failed with code %s: %s", res.GetStatus().GetCode().String(), res.GetStatus().GetMessage())
}
session := createSession(res.GetUser())
user, err := newCS3User(res.GetUser())
if err != nil {
return false, nil, nil, nil, fmt.Errorf("cs3 backend resolve entry data error: %v", err)
}
// Use the users subject as user id.
userID := user.Subject()
sessionRef := identity.GetSessionRef(b.Name(), audience, userID)
b.sessions.Set(*sessionRef, session)
b.logger.WithFields(logrus.Fields{
"session": session,
"ref": *sessionRef,
"username": user.Username(),
"id": userID,
}).Debugln("cs3 backend logon")
return true, &userID, sessionRef, user, nil
}
// GetUser implements the Backend interface, providing user meta data retrieval
// for the user specified by the userID. Requests are bound to the provided
// context.
func (b *CS3Backend) GetUser(ctx context.Context, userEntryID string, sessionRef *string, _ map[string]bool) (backends.UserFromBackend, error) {
var session *cs3Session
if s, ok := b.sessions.Get(*sessionRef); ok {
// We have a cached session
session = s.(*cs3Session)
if session != nil {
user, err := newCS3User(session.User())
if err != nil {
return nil, fmt.Errorf("cs3 backend get user failed to process user: %v", err)
}
return user, nil
}
}
// rebuild session
client, err := pool.GetGatewayServiceClient(b.gatewayAddr)
if err != nil {
return nil, err
}
res, err := client.Authenticate(ctx, &cs3gateway.AuthenticateRequest{
Type: "machine",
ClientId: "userid:" + userEntryID,
ClientSecret: b.machineAuthAPIKey,
})
if err != nil {
return nil, fmt.Errorf("cs3 backend get user machine authenticate rpc error: %v", err)
}
if res.GetStatus().GetCode() != cs3rpc.Code_CODE_OK {
return nil, fmt.Errorf("cs3 backend get user machine authenticate failed with code %s: %s", res.GetStatus().GetCode().String(), res.GetStatus().GetMessage())
}
// cache session
session = createSession(res.GetUser())
b.sessions.Set(*sessionRef, session)
user, err := newCS3User(res.GetUser())
if err != nil {
return nil, fmt.Errorf("cs3 backend get user data error: %v", err)
}
return user, nil
}
// ResolveUserByUsername implements the Backend interface, providing lookup for
// user by providing the username. Requests are bound to the provided context.
func (b *CS3Backend) ResolveUserByUsername(ctx context.Context, username string) (backends.UserFromBackend, error) {
client, err := pool.GetGatewayServiceClient(b.gatewayAddr)
if err != nil {
return nil, err
}
res, err := client.Authenticate(ctx, &cs3gateway.AuthenticateRequest{
Type: "machine",
ClientId: "username:" + username,
ClientSecret: b.machineAuthAPIKey,
})
if err != nil {
return nil, fmt.Errorf("cs3 backend machine authenticate rpc error: %v", err)
}
if res.GetStatus().GetCode() != cs3rpc.Code_CODE_OK {
return nil, fmt.Errorf("cs3 backend machine authenticate failed with code %s: %s", res.GetStatus().GetCode().String(), res.GetStatus().GetMessage())
}
user, err := newCS3User(res.GetUser())
if err != nil {
return nil, fmt.Errorf("cs3 backend resolve username data error: %v", err)
}
return user, nil
}
// RefreshSession implements the Backend interface.
func (b *CS3Backend) RefreshSession(_ context.Context, _ string, _ *string, _ map[string]any) error {
return nil
}
// DestroySession implements the Backend interface providing destroy CS3 session.
func (b *CS3Backend) DestroySession(_ context.Context, sessionRef *string) error {
b.sessions.Remove(*sessionRef)
return nil
}
// UserClaims implements the Backend interface, providing user specific claims
// for the user specified by the userID.
func (b *CS3Backend) UserClaims(_ string, _ map[string]bool) map[string]any {
return nil
}
// ScopesSupported implements the Backend interface, providing supported scopes
// when running this backend.
func (b *CS3Backend) ScopesSupported() []string {
return b.supportedScopes
}
// ScopesMeta implements the Backend interface, providing meta data for
// supported scopes.
func (b *CS3Backend) ScopesMeta() *scopes.Scopes {
return nil
}
// Name implements the Backend interface.
func (b *CS3Backend) Name() string {
return cs3BackendName
}
@@ -0,0 +1,29 @@
package cs3
import (
"time"
cs3user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
)
// createSession creates a new Session without the server using the provided
// data.
func createSession(u *cs3user.User) *cs3Session {
s := &cs3Session{
u: u,
}
s.when = time.Now()
return s
}
type cs3Session struct {
u *cs3user.User
when time.Time
}
// User returns the cs3 user of the session
func (s *cs3Session) User() *cs3user.User {
return s.u
}
@@ -0,0 +1,74 @@
package cs3
import (
cs3user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
konnect "github.com/libregraph/lico"
)
type cs3User struct {
u *cs3user.User
}
func newCS3User(u *cs3user.User) (*cs3User, error) {
return &cs3User{
u: u,
}, nil
}
// Subject returns the cs3 users opaque id as sub
func (u *cs3User) Subject() string {
return u.u.GetId().GetOpaqueId()
}
// Email returns the cs3 users email
func (u *cs3User) Email() string {
return u.u.GetMail()
}
// EmailVerified returns the cs3 users email verified flag
func (u *cs3User) EmailVerified() bool {
return u.u.GetMailVerified()
}
// Name returns the cs3 users displayname
func (u *cs3User) Name() string {
return u.u.GetDisplayName()
}
// FamilyName always returns "" to fulfill the UserWithProfile interface
func (u *cs3User) FamilyName() string {
return ""
}
// GivenName always returns "" to fulfill the UserWithProfile interface
func (u *cs3User) GivenName() string {
return ""
}
// Username returns the cs3 users username
func (u *cs3User) Username() string {
return u.u.GetUsername()
}
// UniqueID returns the cs3 users opaque id
func (u *cs3User) UniqueID() string {
return u.u.GetId().GetOpaqueId()
}
// BackendClaims returns additional claims the cs3 users provides
func (u *cs3User) BackendClaims() map[string]any {
claims := make(map[string]any)
claims[konnect.IdentifiedUserIDClaim] = u.u.GetId().GetOpaqueId()
return claims
}
// BackendScopes returns nil to fulfill the UserFromBackend interface
func (u *cs3User) BackendScopes() []string {
return nil
}
// RequiredScopes returns nil to fulfill the UserFromBackend interface
func (u *cs3User) RequiredScopes() []string {
return nil
}