owncloud · rhafer · May 24, 2022 · May 20, 2022 · May 20, 2022 · May 24, 2022
diff --git a/changelog/unreleased/enhancement-user-autoprovision.md b/changelog/unreleased/enhancement-user-autoprovision.md
@@ -0,0 +1,7 @@
+Enhancement: reintroduce user autoprovisioning in proxy
+
+With the removal of the accounts service autoprovisioning of users upon first login
+was no longer possible. We added this feature back for the cs3 user backend in the proxy.
+Leveraging the libregraph users API for creating the users.
+
+https://github.com/owncloud/ocis/pull/3860
diff --git a/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh
diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml
@@ -49,7 +49,10 @@ services:
       ocis-net:
     entrypoint:
       - /bin/sh
-      - /entrypoint-override.sh
+    # run ocis init to initialize a configuration file with random secrets
+    # it will fail on subsequent runs, because the config file already exists
+    # therefore we ignore the error and then start the ocis server
+    command: ["-c", "ocis init || true; ocis server"]
     environment:
       # Keycloak IDP specific configuration
       PROXY_AUTOPROVISION_ACCOUNTS: "true"
@@ -64,7 +67,6 @@ services:
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
       PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
       # demo users
-      ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}"  # deprecated, remove after switching to LibreIDM
       IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
       # change default secrets
       IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
@@ -75,7 +77,6 @@ services:
       # INSECURE: needed if oCIS / Traefik is using self generated certificates
       OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
-      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/lib/ocis
     labels:
       - "traefik.enable=true"

diff --git a/extensions/graph/pkg/identity/ldap.go b/extensions/graph/pkg/identity/ldap.go
@@ -161,6 +161,13 @@ func (i *LDAP) CreateUser(ctx context.Context, user libregraph.User) (*libregrap
 	ar.Attribute("sn", []string{sn})
 
 	if err := i.conn.Add(&ar); err != nil {
+		var lerr *ldap.Error
+		i.logger.Debug().Err(err).Msg("error adding user")
+		if errors.As(err, &lerr) {
+			if lerr.ResultCode == ldap.LDAPResultEntryAlreadyExists {
+				err = errorcode.New(errorcode.NameAlreadyExists, lerr.Error())
+			}
+		}
 		return nil, err
 	}
 

diff --git a/extensions/graph/pkg/middleware/auth.go b/extensions/graph/pkg/middleware/auth.go
@@ -6,8 +6,11 @@ import (
 	"github.com/cs3org/reva/v2/pkg/auth/scope"
 	revactx "github.com/cs3org/reva/v2/pkg/ctx"
 	"github.com/cs3org/reva/v2/pkg/token/manager/jwt"
+	"github.com/cs3org/reva/v2/pkg/utils"
 	"github.com/owncloud/ocis/v2/extensions/graph/pkg/service/v0/errorcode"
 	"github.com/owncloud/ocis/v2/ocis-pkg/account"
+	opkgm "github.com/owncloud/ocis/v2/ocis-pkg/middleware"
+	gmmetadata "go-micro.dev/v4/metadata"
 	"google.golang.org/grpc/metadata"
 )
 
@@ -25,6 +28,8 @@ func authOptions(opts ...account.Option) account.Options {
 // Auth provides a middleware to authenticate requests using the x-access-token header value
 // and write it to the context. If there is no x-access-token the middleware prevents access and renders a json document.
 func Auth(opts ...account.Option) func(http.Handler) http.Handler {
+	// Note: This largely duplicates what ocis-pkg/middleware/account.go already does (apart from a slightly different error
+	// handling). Ideally we should merge both middlewares.
 	opt := authOptions(opts...)
 	tokenManager, err := jwt.New(map[string]interface{}{
 		"secret":  opt.JWTSecret,
@@ -69,6 +74,10 @@ func Auth(opts ...account.Option) func(http.Handler) http.Handler {
 
 			ctx = revactx.ContextSetToken(ctx, t)
 			ctx = revactx.ContextSetUser(ctx, u)
+			ctx = gmmetadata.Set(ctx, opkgm.AccountID, u.Id.OpaqueId)
+			if role := utils.ReadPlainFromOpaque(u.Opaque, "roles"); role != "" {
+				ctx = gmmetadata.Set(ctx, opkgm.RoleIDs, role)
+			}
 			ctx = metadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, t)
 
 			next.ServeHTTP(w, r.WithContext(ctx))

diff --git a/extensions/graph/pkg/service/v0/service.go b/extensions/graph/pkg/service/v0/service.go
@@ -14,8 +14,6 @@ import (
 	"github.com/owncloud/ocis/v2/extensions/graph/pkg/identity"
 	"github.com/owncloud/ocis/v2/extensions/graph/pkg/identity/ldap"
 	graphm "github.com/owncloud/ocis/v2/extensions/graph/pkg/middleware"
-	"github.com/owncloud/ocis/v2/ocis-pkg/account"
-	opkgm "github.com/owncloud/ocis/v2/ocis-pkg/middleware"
 	"github.com/owncloud/ocis/v2/ocis-pkg/roles"
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
 	settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
@@ -171,19 +169,13 @@ func NewService(opts ...Option) Service {
 					})
 				})
 			})
-			r.Group(func(r chi.Router) {
-				r.Use(opkgm.ExtractAccountUUID(
-					account.Logger(options.Logger),
-					account.JWTSecret(options.Config.TokenManager.JWTSecret)),
-				)
-				r.Route("/drives", func(r chi.Router) {
-					r.Get("/", svc.GetAllDrives)
-					r.Post("/", svc.CreateDrive)
-					r.Route("/{driveID}", func(r chi.Router) {
-						r.Patch("/", svc.UpdateDrive)
-						r.Get("/", svc.GetSingleDrive)
-						r.Delete("/", svc.DeleteDrive)
-					})
+			r.Route("/drives", func(r chi.Router) {
+				r.Get("/", svc.GetAllDrives)
+				r.Post("/", svc.CreateDrive)
+				r.Route("/{driveID}", func(r chi.Router) {
+					r.Patch("/", svc.UpdateDrive)
+					r.Get("/", svc.GetSingleDrive)
+					r.Delete("/", svc.DeleteDrive)
 				})
 			})
 		})

diff --git a/extensions/graph/pkg/service/v0/users.go b/extensions/graph/pkg/service/v0/users.go
@@ -117,7 +117,12 @@ func (g Graph) PostUser(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if u, err = g.identityBackend.CreateUser(r.Context(), *u); err != nil {
-		errorcode.GeneralException.Render(w, r, http.StatusInternalServerError, err.Error())
+		var ecErr errorcode.Error
+		if errors.As(err, &ecErr) {
+			ecErr.Render(w, r)
+		} else {
+			errorcode.GeneralException.Render(w, r, http.StatusInternalServerError, err.Error())
+		}
 		return
 	}
 

diff --git a/extensions/idp/pkg/config/config.go b/extensions/idp/pkg/config/config.go
@@ -37,7 +37,7 @@ type Ldap struct {
 	BindDN       string `yaml:"bind_dn" env:"LDAP_BIND_DN;IDP_LDAP_BIND_DN"`
 	BindPassword string `yaml:"bind_password" env:"LDAP_BIND_PASSWORD;IDP_LDAP_BIND_PASSWORD"`
 
-	BaseDN string `yaml:"base_dn" env:"LDAP_USER_BASE_DN,IDP_LDAP_BASE_DN"`
+	BaseDN string `yaml:"base_dn" env:"LDAP_USER_BASE_DN;IDP_LDAP_BASE_DN"`
 	Scope  string `yaml:"scope" env:"LDAP_USER_SCOPE;IDP_LDAP_SCOPE"`
 
 	LoginAttribute    string `yaml:"login_attribute" env:"IDP_LDAP_LOGIN_ATTRIBUTE"`

diff --git a/extensions/ocs/pkg/service/v0/service.go b/extensions/ocs/pkg/service/v0/service.go
@@ -118,7 +118,7 @@ func (o Ocs) getCS3Backend() backend.UserBackend {
 	if err != nil {
 		o.logger.Fatal().Msgf("could not get reva client at address %s", o.config.Reva.Address)
 	}
-	return backend.NewCS3UserBackend(nil, revaClient, o.config.MachineAuthAPIKey, o.logger)
+	return backend.NewCS3UserBackend(nil, revaClient, o.config.MachineAuthAPIKey, "", nil, o.logger)
 }
 
 // NotImplementedStub returns a not implemented error

diff --git a/extensions/proxy/pkg/command/server.go b/extensions/proxy/pkg/command/server.go
@@ -8,9 +8,8 @@ import (
 	"os"
 	"time"
 
-	storesvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/store/v0"
-
 	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/cs3org/reva/v2/pkg/token/manager/jwt"
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
 	"github.com/justinas/alice"
 	"github.com/oklog/run"
@@ -30,6 +29,7 @@ import (
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
 	"github.com/owncloud/ocis/v2/ocis-pkg/version"
 	settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
+	storesvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/store/v0"
 	"github.com/urfave/cli/v2"
 	"golang.org/x/oauth2"
 )
@@ -135,7 +135,15 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
 	var userProvider backend.UserBackend
 	switch cfg.AccountBackend {
 	case "cs3":
-		userProvider = backend.NewCS3UserBackend(rolesClient, revaClient, cfg.MachineAuthAPIKey, logger)
+		tokenManager, err := jwt.New(map[string]interface{}{
+			"secret": cfg.TokenManager.JWTSecret,
+		})
+		if err != nil {
+			logger.Error().Err(err).
+				Msg("Failed to create token manager")
+		}
+
+		userProvider = backend.NewCS3UserBackend(rolesClient, revaClient, cfg.MachineAuthAPIKey, cfg.OIDC.Issuer, tokenManager, logger)
 	default:
 		logger.Fatal().Msgf("Invalid accounts backend type '%s'", cfg.AccountBackend)
 	}

diff --git a/extensions/proxy/pkg/config/config.go b/extensions/proxy/pkg/config/config.go
@@ -25,13 +25,13 @@ type Config struct {
 	TokenManager          *TokenManager   `yaml:"token_manager"`
 	PolicySelector        *PolicySelector `yaml:"policy_selector"`
 	PreSignedURL          PreSignedURL    `yaml:"pre_signed_url"`
-	AccountBackend        string          `yaml:"account_backend" env:"PROXY_ACCOUNT_BACKEND_TYPE"`
-	UserOIDCClaim         string          `yaml:"user_oidc_claim" env:"PROXY_USER_OIDC_CLAIM"`
-	UserCS3Claim          string          `yaml:"user_cs3_claim" env:"PROXY_USER_CS3_CLAIM"`
-	MachineAuthAPIKey     string          `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY;PROXY_MACHINE_AUTH_API_KEY"`
-	AutoprovisionAccounts bool            `yaml:"auto_provision_accounts" env:"PROXY_AUTOPROVISION_ACCOUNTS"`
-	EnableBasicAuth       bool            `yaml:"enable_basic_auth" env:"PROXY_ENABLE_BASIC_AUTH"`
-	InsecureBackends      bool            `yaml:"insecure_backends" env:"PROXY_INSECURE_BACKENDS"`
+	AccountBackend        string          `yaml:"account_backend" env:"PROXY_ACCOUNT_BACKEND_TYPE" desc:"Account backend the proxy should use, currenly only 'cs3' is possible here."`
+	UserOIDCClaim         string          `yaml:"user_oidc_claim" env:"PROXY_USER_OIDC_CLAIM" desc:"The name of an OpenID Connect claim that should be used for resolving users with the account backend. Currently defaults to 'email'."`
+	UserCS3Claim          string          `yaml:"user_cs3_claim" env:"PROXY_USER_CS3_CLAIM" desc:"The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Currently defaults to 'mail' (other possible values are: 'username', 'displayname')"`
+	MachineAuthAPIKey     string          `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY;PROXY_MACHINE_AUTH_API_KEY" desc: "Machine auth API key used for accessing the 'auth-machine' service."`
+	AutoprovisionAccounts bool            `yaml:"auto_provision_accounts" env:"PROXY_AUTOPROVISION_ACCOUNTS" desc:"Set this to 'true' to automatically provsion users that do not yet exist in the users service on-demand upon first signin. To use this a write-enabled libregraph user backend needs to be setup an running."`
+	EnableBasicAuth       bool            `yaml:"enable_basic_auth" env:"PROXY_ENABLE_BASIC_AUTH" desc:"Set this to true to enable 'basic' (username/password) authentication. (Default: false)"`
+	InsecureBackends      bool            `yaml:"insecure_backends" env:"PROXY_INSECURE_BACKENDS" desc:"Disable TLS certificate validation for all http backend connections. (Default: false)"`
 	AuthMiddleware        AuthMiddleware  `yaml:"auth_middleware"`
 
 	Context context.Context `yaml:"-"`
@@ -83,8 +83,8 @@ type AuthMiddleware struct {
 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request
 // with the configured oidc-provider
 type OIDC struct {
-	Issuer        string        `yaml:"issuer" env:"OCIS_URL;OCIS_OIDC_ISSUER;PROXY_OIDC_ISSUER"`
-	Insecure      bool          `yaml:"insecure" env:"OCIS_INSECURE;PROXY_OIDC_INSECURE"`
+	Issuer        string        `yaml:"issuer" env:"OCIS_URL;OCIS_OIDC_ISSUER;PROXY_OIDC_ISSUER" desc:"URL of the OpenID connect identity provider."`
+	Insecure      bool          `yaml:"insecure" env:"OCIS_INSECURE;PROXY_OIDC_INSECURE" desc:"Disable TLS certificate validation for connections to the IDP. (not recommended for production environments."`
 	UserinfoCache UserinfoCache `yaml:"user_info_cache"`
 }
 

diff --git a/extensions/proxy/pkg/middleware/account_resolver.go b/extensions/proxy/pkg/middleware/account_resolver.go
@@ -73,8 +73,9 @@ func (m accountResolver) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 			}
 			m.logger.Debug().Interface("claims", claims).Msg("Autoprovisioning user")
 			user, err = m.userProvider.CreateUserFromClaims(req.Context(), claims)
-			// TODO instead of creating an account create a personal storage via the CS3 admin api?
-			// see https://cs3org.github.io/cs3apis/#cs3.admin.user.v1beta1.CreateUserRequest
+			if err != nil {
+				m.logger.Error().Err(err).Msg("Autoprovisioning user failed")
+			}
 		}
 
 		if errors.Is(err, backend.ErrAccountDisabled) {