improve service user authentication

Signed-off-by: jkoberg <jkoberg@owncloud.com>
cs3org · Aug 25, 2023 · c2f5d68 · c2f5d68
1 parent ae3b406
commit c2f5d68
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/pkg/auth/manager/serviceaccounts/serviceaccounts.go b/pkg/auth/manager/serviceaccounts/serviceaccounts.go
@@ -39,7 +39,6 @@ func (m *manager) Configure(config map[string]interface{}) error {
 	// only inmem authenticator for now
 	a := &inmemAuthenticator{make(map[string]string)}
 	for _, s := range c.ServiceUsers {
-		// TODO: hash secrets
 		a.m[s.ID] = s.Secret
 	}
 	m.authenticate = a.Authenticate
@@ -71,6 +70,7 @@ func (m *manager) Authenticate(ctx context.Context, userID string, secret string
 		Id: &userpb.UserId{
 			OpaqueId: userID,
 			Type:     userpb.UserType_USER_TYPE_SERVICE,
+			Idp:      "none",
 		},
 	}, scope, nil
 }
@@ -80,7 +80,9 @@ type inmemAuthenticator struct {
 }
 
 func (a *inmemAuthenticator) Authenticate(userID string, secret string) error {
-	// TODO: hash secrets
+	if secret == "" || a.m[userID] == "" {
+		return errors.New("unknown user")
+	}
 	if a.m[userID] == secret {
 		return nil
 	}

diff --git a/pkg/utils/grpc.go b/pkg/utils/grpc.go
@@ -24,8 +24,8 @@ func GetUser(userID *user.UserId, gwc gateway.GatewayAPIClient) (*user.User, err
 	return getUserResponse.GetUser(), nil
 }
 
-// ImpersonateServiceUser impersonates the given user
-func ImpersonateServiceUser(serviceUserID string, gwc gateway.GatewayAPIClient, serviceUserSecret string) (context.Context, error) {
+// GetServiceUserContext returns an authenticated context of the given service user
+func GetServiceUserContext(serviceUserID string, gwc gateway.GatewayAPIClient, serviceUserSecret string) (context.Context, error) {
 	ctx := context.Background()
 	authRes, err := gwc.Authenticate(ctx, &gateway.AuthenticateRequest{
 		Type:         "serviceaccounts",
@@ -36,7 +36,7 @@ func ImpersonateServiceUser(serviceUserID string, gwc gateway.GatewayAPIClient,
 		return nil, err
 	}
 	if authRes.GetStatus().GetCode() != rpc.Code_CODE_OK {
-		return nil, fmt.Errorf("error impersonating user: %s", authRes.Status.Message)
+		return nil, fmt.Errorf("error authenticating service user: %s", authRes.Status.Message)
 	}
 
 	return metadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, authRes.Token), nil