Rework default role provisioning
This reworks the assignment of the default role at login. The assignment
now only happens if the settings service is reachable and the current user
does not have an assignment yet (we check for the NotFound status).
If the settings service returns an error other than 404, the
GetUserByClaims() (and with it the authentication) will also error out.

Closes: owncloud#3900
rhafer committed Jun 8, 2022
1 parent 6ed72da commit 61e4598
Showing 2 changed files with 29 additions and 17 deletions.
7 changes: 7 additions & 0 deletions changelog/unreleased/fix-default-role-assign.md
@@ -0,0 +1,7 @@
Bugfix: Rework default role provisioning

We fixed a race condition in the default role assignment code that could lead to
users loosing privileges. When authenticating before the settings service was fully
running.

https://github.com/owncloud/ocis/issues/3900
39 changes: 22 additions & 17 deletions extensions/proxy/pkg/user/backend/cs3.go
Expand Up @@ -3,6 +3,7 @@ package backend
import (
"context"
"encoding/json"
"errors"
"fmt"
"io"
"net/http"
Expand All @@ -21,6 +22,7 @@ import (
"github.com/owncloud/ocis/v2/ocis-pkg/oidc"
"github.com/owncloud/ocis/v2/ocis-pkg/registry"
settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
merrors "go-micro.dev/v4/errors"
"go-micro.dev/v4/selector"
)

Expand Down Expand Up @@ -76,24 +78,27 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w
if user.Id.Type != cs3.UserType_USER_TYPE_LIGHTWEIGHT {
roleIDs, err = loadRolesIDs(ctx, user.Id.OpaqueId, c.settingsRoleService)
if err != nil {
c.logger.Error().Err(err).Msgf("Could not load roles")
}
}

// if roles are empty, assume we haven't seen the user before and assign a
// default user role. At least until proper roles are provided. See
// https://github.com/owncloud/ocis/v2/issues/1825 for more context.
if len(roleIDs) == 0 {
if user.Id.Type == cs3.UserType_USER_TYPE_PRIMARY {
c.logger.Info().Str("userid", user.Id.OpaqueId).Msg("user has no role assigned, assigning default user role")
_, err := c.settingsRoleService.AssignRoleToUser(ctx, &settingssvc.AssignRoleToUserRequest{
AccountUuid: user.Id.OpaqueId,
RoleId: settingsService.BundleUUIDRoleUser,
})
if err != nil {
c.logger.Warn().Err(err).Msg("Could not add default role")
var merr *merrors.Error
if errors.As(err, &merr) && merr.Code == 404 {
// This user doesn't have a role assignment yet. Assign a
// default user role. At least until proper roles are provided. See
// https://github.com/owncloud/ocis/v2/issues/1825 for more context.
if user.Id.Type == cs3.UserType_USER_TYPE_PRIMARY {
c.logger.Info().Str("userid", user.Id.OpaqueId).Msg("user has no role assigned, assigning default user role")
_, err := c.settingsRoleService.AssignRoleToUser(ctx, &settingssvc.AssignRoleToUserRequest{
AccountUuid: user.Id.OpaqueId,
RoleId: settingsService.BundleUUIDRoleUser,
})
if err != nil {
c.logger.Error().Err(err).Msg("Could not add default role")
return nil, "", err
}
roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser)
}
} else {
c.logger.Error().Err(err).Msgf("Could not load roles")
return nil, "", err
}
roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser)
}
}

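Review bot: The whole fix hinges on the literal `merr.Code == 404` meaning "this user has no role assignment yet", but the hunk never states that contract, and `net/http` is already imported in this file, so the comparison should at least read `if errors.As(err, &merr) && merr.Code == http.StatusNotFound {` with a comment above it such as `// loadRolesIDs is expected to surface the settings service's NotFound for a user without any assignment; a 404 from any other layer would re-trigger the default-role assignment this guards against`. I cannot tell from these lines whether other components in the call path (registry lookup, gateway) can also produce a 404-coded micro error; if they can, a transient failure would still assign the default user role to an existing user, which is the privilege-loss race the changelog describes, so that assumption is worth confirming and documenting. Note also that for a user whose type is neither LIGHTWEIGHT nor PRIMARY, the 404 branch logs nothing and continues with an empty roleIDs, whereas every other error now fails authentication; a debug log there would make that silent path visible. GetUserByClaims begins and ends outside this hunk.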
