minimal webfinger (#5373)

* initial webfinger stub Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * add webfinger to proxy, return current host Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * some cleanup Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * allow passing multiple rel params Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * introduce interfaces Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * parse oidc auth token Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * add templating, drop chain, use map of relation providers Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * fix ocis url yaml Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * fix typos Co-authored-by: Dominik Schmidt <[email protected]> * switch to userinfo claims Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * readme cleanup Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * add TODO.md with ideas Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * replace subject on authenticated request responses Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * Apply suggestions from code review Co-authored-by: Martin <[email protected]> * markdown lint Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * return a 401 when bearer token expired, some more docs Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * Apply suggestions from code review Co-authored-by: Martin <[email protected]> * fix docs Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * clarify env var Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * extract handler func Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * use correct service in reflex.conf Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * test relations Signed-off-by: Jörn Friedrich Dreyer <[email protected]> * Update services/webfinger/pkg/config/config.go --------- Signed-off-by: Jörn Friedrich Dreyer <[email protected]> Co-authored-by: Dominik Schmidt <[email protected]> Co-authored-by: Martin <[email protected]>
owncloud · Feb 13, 2023 · 2c98d32 · 2c98d32
1 parent 139cf79
commit 2c98d32
Show file tree

Hide file tree

Showing 46 changed files with 2,072 additions and 1 deletion.
diff --git a/docs/services/webfinger/_index.md b/docs/services/webfinger/_index.md
@@ -0,0 +1,18 @@
+---
+title: Webfinger
+date: 2023-02-03T00:00:00+00:00
+weight: 20
+geekdocRepo: https://github.com/owncloud/ocis
+geekdocEditPath: edit/master/docs/services/webfinger
+geekdocFilePath: _index.md
+geekdocCollapseSection: true
+---
+
+## Abstract
+
+This service provides endpoints a the /.well-known/webfinger implementation.
+
+## Table of Contents
+
+{{< toc-tree >}}
+
diff --git a/docs/services/wellknown/_index.md b/docs/services/wellknown/_index.md
@@ -0,0 +1,24 @@
+---
+title: Well-Known
+date: 2023-02-03T00:00:00+00:00
+weight: 20
+geekdocRepo: https://github.com/owncloud/ocis
+geekdocEditPath: edit/master/docs/services/well-known
+geekdocFilePath: _index.md
+geekdocCollapseSection: true
+---
+
+## Abstract
+
+This service provides endpoints on the /.well-known API
+
+## Table of Contents
+
+{{< toc-tree >}}
+
+
+## Webfinger
+
+## oCIS-configuration
+
+## Libregraph?
diff --git a/ocis-pkg/config/config.go b/ocis-pkg/config/config.go
@@ -33,6 +33,7 @@ import (
 	users "github.com/owncloud/ocis/v2/services/users/pkg/config"
 	web "github.com/owncloud/ocis/v2/services/web/pkg/config"
 	webdav "github.com/owncloud/ocis/v2/services/webdav/pkg/config"
+	webfinger "github.com/owncloud/ocis/v2/services/webfinger/pkg/config"
 )
 
 const (
@@ -106,5 +107,6 @@ type Config struct {
 	Users             *users.Config          `yaml:"users"`
 	Web               *web.Config            `yaml:"web"`
 	WebDAV            *webdav.Config         `yaml:"webdav"`
+	Webfinger         *webfinger.Config      `yaml:"webfinger"`
 	Search            *search.Config         `yaml:"search"`
 }
diff --git a/ocis-pkg/config/defaultconfig.go b/ocis-pkg/config/defaultconfig.go
@@ -31,6 +31,7 @@ import (
 	users "github.com/owncloud/ocis/v2/services/users/pkg/config/defaults"
 	web "github.com/owncloud/ocis/v2/services/web/pkg/config/defaults"
 	webdav "github.com/owncloud/ocis/v2/services/webdav/pkg/config/defaults"
+	webfinger "github.com/owncloud/ocis/v2/services/webfinger/pkg/config/defaults"
 )
 
 func DefaultConfig() *Config {
@@ -71,5 +72,6 @@ func DefaultConfig() *Config {
 		Users:             users.DefaultConfig(),
 		Web:               web.DefaultConfig(),
 		WebDAV:            webdav.DefaultConfig(),
+		Webfinger:         webfinger.DefaultConfig(),
 	}
 }
diff --git a/ocis-pkg/middleware/oidc.go b/ocis-pkg/middleware/oidc.go
@@ -0,0 +1,93 @@
+package middleware
+
+import (
+	"context"
+	"net/http"
+	"strings"
+	"sync"
+
+	gOidc "github.com/coreos/go-oidc/v3/oidc"
+	"github.com/owncloud/ocis/v2/ocis-pkg/oidc"
+	"golang.org/x/oauth2"
+)
+
+// newOidcOptions initializes the available default options.
+func newOidcOptions(opts ...Option) Options {
+	opt := Options{}
+
+	for _, o := range opts {
+		o(&opt)
+	}
+
+	return opt
+}
+
+// OIDCProvider used to mock the oidc provider during tests
+type OIDCProvider interface {
+	UserInfo(ctx context.Context, ts oauth2.TokenSource) (*gOidc.UserInfo, error)
+}
+
+// OidcAuth provides a middleware to authenticate a bearer auth with an OpenID Connect identity provider
+// It will put all claims provided by the userinfo endpoint in the context
+func OidcAuth(opts ...Option) func(http.Handler) http.Handler {
+	opt := newOidcOptions(opts...)
+
+	// TODO use a micro store cache option
+
+	providerFunc := func() (OIDCProvider, error) {
+		// Initialize a provider by specifying the issuer URL.
+		// it will fetch the keys from the issuer using the .well-known
+		// endpoint
+		return gOidc.NewProvider(
+			context.WithValue(context.Background(), oauth2.HTTPClient, http.Client{}),
+			opt.OidcIssuer,
+		)
+	}
+	var provider OIDCProvider
+	getProviderOnce := sync.Once{}
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+			authHeader := r.Header.Get("Authorization")
+			switch {
+			case strings.HasPrefix(authHeader, "Bearer "):
+				getProviderOnce.Do(func() {
+					var err error
+					provider, err = providerFunc()
+					if err != nil {
+						return
+					}
+				})
+
+				oauth2Token := &oauth2.Token{
+					AccessToken: strings.TrimPrefix(authHeader, "Bearer "),
+				}
+
+				userInfo, err := provider.UserInfo(
+					context.WithValue(ctx, oauth2.HTTPClient, http.Client{}),
+					oauth2.StaticTokenSource(oauth2Token),
+				)
+				if err != nil {
+					w.Header().Add("WWW-Authenticate", `Bearer`)
+					w.WriteHeader(http.StatusUnauthorized)
+					return
+				}
+				claims := map[string]interface{}{}
+				err = userInfo.Claims(&claims)
+				if err != nil {
+					break
+				}
+
+				ctx = oidc.NewContext(ctx, claims)
+
+			default:
+				// do nothing
+				next.ServeHTTP(w, r.WithContext(ctx))
+				return
+			}
+
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
diff --git a/ocis-pkg/middleware/options.go b/ocis-pkg/middleware/options.go
@@ -0,0 +1,40 @@
+package middleware
+
+import (
+	gatewayv1beta1 "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
+	"github.com/owncloud/ocis/v2/ocis-pkg/log"
+)
+
+// Option defines a single option function.
+type Option func(o *Options)
+
+// Options defines the available options for this package.
+type Options struct {
+	// Logger to use for logging, must be set
+	Logger log.Logger
+	// The OpenID Connect Issuer URL
+	OidcIssuer string
+	// GatewayAPIClient is a reva gateway client
+	GatewayAPIClient gatewayv1beta1.GatewayAPIClient
+}
+
+// WithLogger provides a function to set the openid connect issuer option.
+func WithOidcIssuer(val string) Option {
+	return func(o *Options) {
+		o.OidcIssuer = val
+	}
+}
+
+// WithLogger provides a function to set the logger option.
+func WithLogger(val log.Logger) Option {
+	return func(o *Options) {
+		o.Logger = val
+	}
+}
+
+// WithGatewayAPIClient provides a function to set the reva gateway client option.
+func WithGatewayAPIClient(val gatewayv1beta1.GatewayAPIClient) Option {
+	return func(o *Options) {
+		o.GatewayAPIClient = val
+	}
+}
diff --git a/ocis/pkg/command/webfinger.go b/ocis/pkg/command/webfinger.go
@@ -0,0 +1,31 @@
+package command
+
+import (
+	"github.com/owncloud/ocis/v2/ocis-pkg/config"
+	"github.com/owncloud/ocis/v2/ocis-pkg/config/configlog"
+	"github.com/owncloud/ocis/v2/ocis-pkg/config/parser"
+	"github.com/owncloud/ocis/v2/ocis/pkg/command/helper"
+	"github.com/owncloud/ocis/v2/ocis/pkg/register"
+	"github.com/owncloud/ocis/v2/services/webfinger/pkg/command"
+	"github.com/urfave/cli/v2"
+)
+
+// WebfingerCommand is the entrypoint for the webfinger command.
+func WebfingerCommand(cfg *config.Config) *cli.Command {
+
+	return &cli.Command{
+		Name:     cfg.Webfinger.Service.Name,
+		Usage:    helper.SubcommandDescription(cfg.Webfinger.Service.Name),
+		Category: "services",
+		Before: func(c *cli.Context) error {
+			configlog.Error(parser.ParseConfig(cfg, true))
+			cfg.Webfinger.Commons = cfg.Commons
+			return nil
+		},
+		Subcommands: command.GetCommands(cfg.Webfinger),
+	}
+}
+
+func init() {
+	register.AddCommand(WebfingerCommand)
+}
diff --git a/ocis/pkg/runtime/service/service.go b/ocis/pkg/runtime/service/service.go
@@ -48,6 +48,7 @@ import (
 	users "github.com/owncloud/ocis/v2/services/users/pkg/command"
 	web "github.com/owncloud/ocis/v2/services/web/pkg/command"
 	webdav "github.com/owncloud/ocis/v2/services/webdav/pkg/command"
+	webfinger "github.com/owncloud/ocis/v2/services/webfinger/pkg/command"
 	"github.com/thejerf/suture/v4"
 )
 
@@ -112,6 +113,7 @@ func NewService(options ...Option) (*Service, error) {
 	s.ServicesRegistry[opts.Config.Thumbnails.Service.Name] = thumbnails.NewSutureService
 	s.ServicesRegistry[opts.Config.Web.Service.Name] = web.NewSutureService
 	s.ServicesRegistry[opts.Config.WebDAV.Service.Name] = webdav.NewSutureService
+	s.ServicesRegistry[opts.Config.Webfinger.Service.Name] = webfinger.NewSutureService
 	s.ServicesRegistry[opts.Config.Frontend.Service.Name] = frontend.NewSutureService
 	s.ServicesRegistry[opts.Config.OCDav.Service.Name] = ocdav.NewSutureService
 	s.ServicesRegistry[opts.Config.Gateway.Service.Name] = gateway.NewSutureService

diff --git a/services/proxy/pkg/config/defaults/defaultconfig.go b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -74,7 +74,12 @@ func DefaultPolicies() []config.Policy {
 					Unprotected: true,
 				},
 				{
-					Endpoint:    "/.well-known/",
+					Endpoint:    "/.well-known/webfinger",
+					Service:     "com.owncloud.web.webfinger",
+					Unprotected: true,
+				},
+				{
+					Endpoint:    "/.well-known/openid-configuration",
 					Service:     "com.owncloud.web.idp",
 					Unprotected: true,
 				},

diff --git a/services/webfinger/.dockerignore b/services/webfinger/.dockerignore
@@ -0,0 +1,2 @@
+*
+!bin/
diff --git a/services/webfinger/Makefile b/services/webfinger/Makefile
@@ -0,0 +1,39 @@
+SHELL := bash
+NAME := webfinger
+
+include ../../.make/recursion.mk
+
+############ tooling ############
+ifneq (, $(shell command -v go 2> /dev/null)) # suppress `command not found warnings` for non go targets in CI
+include ../../.bingo/Variables.mk
+endif
+
+############ go tooling ############
+include ../../.make/go.mk
+
+############ release ############
+include ../../.make/release.mk
+
+############ docs generate ############
+include ../../.make/docs.mk
+
+.PHONY: docs-generate
+docs-generate: config-docs-generate
+
+############ generate ############
+include ../../.make/generate.mk
+
+.PHONY: ci-go-generate
+ci-go-generate: $(MOCKERY) # CI runs ci-node-generate automatically before this target
+	$(MOCKERY) --srcpkg github.com/go-ldap/ldap/v3 --case underscore --filename ldapclient.go --name Client
+
+
+.PHONY: ci-node-generate
+ci-node-generate:
+
+############ licenses ############
+.PHONY: ci-node-check-licenses
+ci-node-check-licenses:
+
+.PHONY: ci-node-save-licenses
+ci-node-save-licenses: