New OIDC ESCAPE auth driver. (#2217)

cs3org · Dec 2, 2021 · f784cb2 · f784cb2
1 parent 918d965
commit f784cb2
Show file tree

Hide file tree

Showing 8 changed files with 446 additions and 0 deletions.
diff --git a/changelog/unreleased/iodc-escape-auth.md b/changelog/unreleased/iodc-escape-auth.md
@@ -0,0 +1,7 @@
+Enhancement: OIDC auth driver for ESCAPE IAM
+
+This enhancement allows for oidc token authentication via the ESCAPE IAM service.
+Authentication relies on mappings of ESCAPE IAM groups to REVA users.
+For a valid token, if at the most one group from the groups claim is mapped to one REVA user, authentication can take place.
+
+https://github.com/cs3org/reva/pull/2217
diff --git a/examples/oidc-mapping/gateway.toml b/examples/oidc-mapping/gateway.toml
@@ -0,0 +1,39 @@
+[shared]
+jwt_secret = "jwt_secret"
+
+# services to enable
+[grpc.services.gateway]
+commit_share_to_storage_grant = true
+commit_share_to_storage_ref = true
+
+[grpc.services.storageregistry]
+[grpc.services.storageregistry.drivers.static]
+home_provider = "/home"
+
+[grpc.services.authregistry.drivers.static.rules]
+oidcmapping = "localhost:13000"
+
+[grpc.services.storageregistry.drivers.static.rules."/home"]
+address = "localhost:17000"
+[grpc.services.storageregistry.drivers.static.rules."/reva"]
+address = "localhost:18000"
+[grpc.services.storageregistry.drivers.static.rules."123e4567-e89b-12d3-a456-426655440000"]
+address = "localhost:18000"
+
+[grpc.services.authregistry]
+[grpc.services.usershareprovider]
+[grpc.services.groupprovider]
+[grpc.services.publicshareprovider]
+[grpc.services.ocmcore]
+
+[grpc.services.ocmshareprovider]
+gateway_addr = "0.0.0.0:19000"
+
+[grpc.services.ocminvitemanager]
+[grpc.services.ocmproviderauthorizer]
+
+[http.services.datagateway]
+[http.services.prometheus]
+[http.services.ocmd]
+[http.services.ocdav]
+[http.services.ocs]
diff --git a/examples/oidc-mapping/storage-home.toml b/examples/oidc-mapping/storage-home.toml
@@ -0,0 +1,17 @@
+[grpc]
+address = "0.0.0.0:17000"
+
+[grpc.services.storageprovider]
+driver = "localhome"
+mount_path = "/home"
+mount_id = "123e4567-e89b-12d3-a456-426655440000"
+data_server_url = "http://localhost:17001/data"
+
+[grpc.services.storageprovider.drivers.localhome]
+shadow = "shadowfolder"
+
+[http]
+address = "0.0.0.0:17001"
+
+[http.services.dataprovider]
+driver = "localhome"
diff --git a/examples/oidc-mapping/users-oidcmapping.json b/examples/oidc-mapping/users-oidcmapping.json
@@ -0,0 +1,12 @@
+[
+	{
+		"oidc_issuer": "http://iam-login-service:8080/",
+		"oidc_group": "Analysis",
+		"username": "einstein"
+	},
+	{
+		"oidc_issuer": "http://iam-login-service:8080/",
+		"oidc_group": "Sciencemesh",
+		"username": "marie"
+	}
+]
diff --git a/examples/oidc-mapping/users-oidcmapping.toml b/examples/oidc-mapping/users-oidcmapping.toml
@@ -0,0 +1,23 @@
+[shared]
+jwt_secret = "Pive-Fumkiu4"
+
+# This toml config file will start a reva service that:
+# - handles user metadata and user preferences
+# - serves the grpc services on port 13000
+[grpc]
+address = "0.0.0.0:13000"
+
+[grpc.services.authprovider]
+auth_manager = "oidcmapping"
+[grpc.services.authprovider.auth_managers.json]
+users = "users.json"
+[grpc.services.authprovider.auth_managers.oidcmapping]
+issuer = "http://iam-login-service:8080/"
+userprovidersvc = "0.0.0.0:13000"
+# The OIDC users mapping file path
+usersmapping = "/go/src/github/cs3org/reva/examples/oidc-mapping/users-oidcmapping.json"
+
+[grpc.services.userprovider]
+driver = "json"
+[grpc.services.userprovider.drivers.json]
+users = "users.json"
diff --git a/examples/oidc-mapping/users.json b/examples/oidc-mapping/users.json
@@ -0,0 +1,46 @@
+[
+	{
+		"id": {
+			"opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
+			"idp": "reva-oidc-escape:20080"
+		},
+		"username": "einstein",
+		"secret": "relativity",
+		"mail": "[email protected]",
+		"display_name": "Albert Einstein",
+		"groups": ["sailing-lovers", "violin-haters", "physics-lovers"]
+	},
+	{
+		"id": {
+			"opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
+			"idp": "reva-oidc-escape:20080"
+		},
+		"username": "marie",
+		"secret": "radioactivity",
+		"mail": "[email protected]",
+		"display_name": "Marie Curie",
+		"groups": ["radium-lovers", "polonium-lovers", "physics-lovers"]
+	},
+	{
+		"id": {
+			"opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
+			"idp": "reva-oidc-escape:20080"
+		},
+		"username": "richard",
+		"secret": "superfluidity",
+		"mail": "[email protected]",
+		"display_name": "Richard Feynman",
+		"groups": ["quantum-lovers", "philosophy-haters", "physics-lovers"]
+	},
+	{
+		"id": {
+			"opaque_id": "4029579c-6ad5-4cec-a9ce-e843f77de452",
+			"idp": "reva-oidc-escape:20080"
+		},
+		"username": "jimmie",
+		"secret": "spokenword",
+		"mail": "[email protected]",
+		"display_name": "Jimmie Rigg",
+		"groups": ["sailing-lovers", "violin-haters", "physics-lovers"]
+	}
+]
diff --git a/pkg/auth/manager/loader/loader.go b/pkg/auth/manager/loader/loader.go
@@ -28,6 +28,7 @@ import (
 	_ "github.com/cs3org/reva/pkg/auth/manager/machine"
 	_ "github.com/cs3org/reva/pkg/auth/manager/nextcloud"
 	_ "github.com/cs3org/reva/pkg/auth/manager/oidc"
+	_ "github.com/cs3org/reva/pkg/auth/manager/oidcmapping"
 	_ "github.com/cs3org/reva/pkg/auth/manager/owncloudsql"
 	_ "github.com/cs3org/reva/pkg/auth/manager/publicshares"
 	// Add your own here