add service-accounts auth manager

Signed-off-by: jkoberg <jkoberg@owncloud.com>
cs3org · Aug 8, 2023 · 4d7512a · 4d7512a
1 parent 5856b2e
commit 4d7512a
Show file tree

Hide file tree

Showing 5 changed files with 115 additions and 1 deletion.
diff --git a/changelog/unreleased/service-accounts.md b/changelog/unreleased/service-accounts.md
@@ -0,0 +1,5 @@
+Enhancement: Service Accounts
+
+Makes reva ready for service accounts by introducing an serviceaccounts auth manager
+
+https://github.com/cs3org/reva/pull/3926
diff --git a/pkg/auth/manager/loader/loader.go b/pkg/auth/manager/loader/loader.go
@@ -30,5 +30,6 @@ import (
 	_ "github.com/cs3org/reva/v2/pkg/auth/manager/oidc"
 	_ "github.com/cs3org/reva/v2/pkg/auth/manager/owncloudsql"
 	_ "github.com/cs3org/reva/v2/pkg/auth/manager/publicshares"
+	_ "github.com/cs3org/reva/v2/pkg/auth/manager/serviceaccounts"
 	// Add your own here
 )
diff --git a/pkg/auth/manager/registry/registry.go b/pkg/auth/manager/registry/registry.go
@@ -18,7 +18,9 @@
 
 package registry
 
-import "github.com/cs3org/reva/v2/pkg/auth"
+import (
+	"github.com/cs3org/reva/v2/pkg/auth"
+)
 
 // NewFunc is the function that auth implementations
 // should register to at init time.

diff --git a/pkg/auth/manager/serviceaccounts/serviceaccounts.go b/pkg/auth/manager/serviceaccounts/serviceaccounts.go
@@ -0,0 +1,85 @@
+package serviceaccounts
+
+import (
+	"context"
+
+	authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
+	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+
+	"github.com/cs3org/reva/v2/pkg/auth"
+	"github.com/cs3org/reva/v2/pkg/auth/manager/registry"
+	"github.com/cs3org/reva/v2/pkg/auth/scope"
+	"github.com/mitchellh/mapstructure"
+	"github.com/pkg/errors"
+)
+
+type conf struct {
+	ServiceUsers []serviceuser `mapstructure:"service_accounts"`
+}
+
+type serviceuser struct {
+	ID     string `mapstructure:"id"`
+	Secret string `mapstructure:"secret"`
+}
+
+type manager struct {
+	authenticate func(userID, secret string) error
+}
+
+func init() {
+	registry.Register("serviceaccounts", New)
+}
+
+// Configure parses the map conf
+func (m *manager) Configure(config map[string]interface{}) error {
+	c := &conf{}
+	if err := mapstructure.Decode(config, c); err != nil {
+		return errors.Wrap(err, "error decoding conf")
+	}
+	// only inmem authenticator for now
+	a := &inmemAuthenticator{make(map[string]string)}
+	for _, s := range c.ServiceUsers {
+		// TODO: hash secrets
+		a.m[s.ID] = s.Secret
+	}
+	m.authenticate = a.Authenticate
+	return nil
+}
+
+// New creates a new manager for the 'service' authentication
+func New(conf map[string]interface{}) (auth.Manager, error) {
+	m := &manager{}
+	err := m.Configure(conf)
+	if err != nil {
+		return nil, err
+	}
+
+	return m, nil
+}
+
+// Authenticate authenticates the service account
+func (m *manager) Authenticate(ctx context.Context, userID string, secret string) (*userpb.User, map[string]*authpb.Scope, error) {
+	if err := m.authenticate(userID, secret); err != nil {
+		return nil, nil, err
+	}
+	scope, err := scope.AddOwnerScope(nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	return &userpb.User{
+		// TODO: more details for service users?
+		Id: &userpb.UserId{OpaqueId: userID},
+	}, scope, nil
+}
+
+type inmemAuthenticator struct {
+	m map[string]string
+}
+
+func (a *inmemAuthenticator) Authenticate(userID string, secret string) error {
+	// TODO: hash secrets
+	if a.m[userID] == secret {
+		return nil
+	}
+	return errors.New("secrets do not match")
+}
diff --git a/pkg/utils/grpc.go b/pkg/utils/grpc.go
@@ -37,6 +37,9 @@ func GetUser(userID *user.UserId, gwc gateway.GatewayAPIClient, machineAuthAPIKe
 
 // ImpersonateUser impersonates the given user
 func ImpersonateUser(usr *user.User, gwc gateway.GatewayAPIClient, machineAuthAPIKey string) (context.Context, error) {
+	if true {
+		return ImpersonateServiceUser("service-user-id", gwc, "secret-string")
+	}
 	ctx := revactx.ContextSetUser(context.Background(), usr)
 	authRes, err := gwc.Authenticate(ctx, &gateway.AuthenticateRequest{
 		Type:         "machine",
@@ -52,3 +55,21 @@ func ImpersonateUser(usr *user.User, gwc gateway.GatewayAPIClient, machineAuthAP
 
 	return metadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, authRes.Token), nil
 }
+
+// ImpersonateServiceUser impersonates the given user
+func ImpersonateServiceUser(userID string, gwc gateway.GatewayAPIClient, machineAuthAPIKey string) (context.Context, error) {
+	ctx := context.Background()
+	authRes, err := gwc.Authenticate(ctx, &gateway.AuthenticateRequest{
+		Type:         "serviceaccounts",
+		ClientId:     userID,
+		ClientSecret: machineAuthAPIKey,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if authRes.GetStatus().GetCode() != rpc.Code_CODE_OK {
+		return nil, fmt.Errorf("error impersonating user: %s", authRes.Status.Message)
+	}
+
+	return metadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, authRes.Token), nil
+}