New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add claims and regex policy selector #2248

Merged

butonic merged 11 commits into master from claims-policy-selector

Jul 23, 2021

Member

butonic commented Jul 1, 2021 •

edited

Loading

Using the proxy config file, it is now possible to let let the IdP determine the routing policy by sending an ocis.routing.policy claim or by matching username, email or id using regexes.

tests
update changelog
update docs

This PR can stand on its own. But the proxy and the docs need an overhaul in subsequent PRs:

Configuring the policy selector is only possible via the config file
The proxy should always use the cs3 api. get rid of configuration choices here
We should use the cs3 api to authenticate requests ... yes it would mean more latency when authenticating, but we can cache the token afterwards. It would remove the duplicate code in the proxy and in the auth providers. This should allow us to actually get rid of several middlewares in here.
when moving the oidc auth into reva we can do the claims mapping there, including custom porperties like ocis.routing.policy or ocis.id

butonic requested a review from C0rby

July 1, 2021 21:27

butonic changed the title ~~add claims policy selector~~ add claims and regex policy selector

butonic marked this pull request as draft

July 2, 2021 06:55

butonic self-assigned this

butonic added the Category:Enhancement label

C0rby reviewed

View reviewed changes

Contributor

C0rby left a comment

Unit tests for NewClaimsSelector and NewRegexSelector would be awesome.

butonic force-pushed the claims-policy-selector branch from a8ee1dd to dc71a60 Compare

July 2, 2021 13:15

butonic marked this pull request as ready for review

July 2, 2021 15:25

butonic requested review from refs and C0rby

July 2, 2021 15:25

butonic force-pushed the claims-policy-selector branch from e1fe4dc to 47e0d4c Compare

July 5, 2021 11:22

Contributor

ownclouders commented Jul 5, 2021

💥 Acceptance tests Core-API-Tests-owncloud-storage-6 failed. The build is cancelled...

Contributor

ownclouders commented Jul 5, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-10 failed. The build is cancelled...

3 similar comments

Contributor

ownclouders commented Jul 5, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-10 failed. The build is cancelled...

Contributor

ownclouders commented Jul 5, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-10 failed. The build is cancelled...

Contributor

ownclouders commented Jul 5, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-10 failed. The build is cancelled...

Contributor

ownclouders commented Jul 5, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-9 failed. The build is cancelled...

butonic force-pushed the claims-policy-selector branch from 959d635 to e57c93d Compare

July 6, 2021 21:27

Contributor

ownclouders commented Jul 6, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-10 failed. The build is cancelled...

butonic force-pushed the claims-policy-selector branch from e57c93d to d1d0861 Compare

July 8, 2021 22:01

Contributor

ownclouders commented Jul 8, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-10 failed. The build is cancelled...

Contributor

ownclouders commented Jul 9, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-9 failed. The build is cancelled...

Contributor

ownclouders commented Jul 9, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-10 failed. The build is cancelled...

Contributor

ownclouders commented Jul 9, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-9 failed. The build is cancelled...

1 similar comment

Contributor

ownclouders commented Jul 9, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-9 failed. The build is cancelled...

Contributor

ownclouders commented Jul 9, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-10 failed. The build is cancelled...

2 similar comments

Contributor

ownclouders commented Jul 9, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-10 failed. The build is cancelled...

Contributor

ownclouders commented Jul 9, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-10 failed. The build is cancelled...

Contributor

ownclouders commented Jul 10, 2021

💥 Acceptance tests Core-API-Tests-owncloud-storage-10 failed. The build is cancelled...

Contributor

ownclouders commented Jul 11, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-9 failed. The build is cancelled...

Contributor

ownclouders commented Jul 15, 2021

💥 Acceptance tests Core-API-Tests-ocis-storage-10 failed. The build is cancelled...

butonic force-pushed the claims-policy-selector branch from 0be22de to 030af7b Compare

July 19, 2021 13:49

Contributor

ownclouders commented Jul 19, 2021

💥 Acceptance tests Core-API-Tests-owncloud-storage-10 failed. The build is cancelled...

wkloucek mentioned this pull request

add migration deployment #2302

Merged

9 tasks

Member Author

butonic commented Jul 20, 2021 •

edited

Loading

we should enable login by ownclouduuid in

ocis/proxy/pkg/middleware/account_resolver.go

Line 65 in 1af7518

//claim, value = "id", claims.OcisID

Member Author

butonic commented Jul 20, 2021 •

edited

Loading

we need a cookie to switch users between routes because some requests, especially config.json are sent without a Bearer header. To route them properly we have to fall back to a cookie.

Member Author

butonic commented Jul 20, 2021 •

edited

Loading

[tusd] 2021/07/19 14:03:15 event="ChunkWriteComplete" id="eadee146-5057-4433-861e-e7eebdf387db" bytesWritten="7" 
[tusd] 2021/07/19 14:03:15 event="ResponseOutgoing" status="204" method="PATCH" path="/eadee146-5057-4433-861e-e7eebdf387db" requestId="b518997e-976c-4db1-8512-4fc0294c4a51" 
[tusd] 2021/07/19 14:03:15 event="RequestIncoming" method="PATCH" path="/eadee146-5057-4433-861e-e7eebdf387db" requestId="40174af3-b638-4a58-9b77-fab7efb86d4a" 
[tusd] 2021/07/19 14:03:15 event="ResponseOutgoing" status="404" method="PATCH" path="/eadee146-5057-4433-861e-e7eebdf387db" error="upload not found" requestId="40174af3-b638-4a58-9b77-fab7efb86d4a" 
2021/07/19 14:03:15 httputil: ReverseProxy read error during body copy: unexpected EOF
{"level":"error","service":"ocs","error":"{\"code\":404,\"detail\":\"The requested user could not be found\",\"status\":\"Not Found\"}","userid":"Alice","time":"2021-07-19T14:03:16Z","message":"could not get account for user"}
{"level":"error","service":"proxy","error":"{\"id\":\"com.owncloud.api.accounts\",\"code\":401,\"detail\":\"account not found or invalid credentials\",\"status\":\"Unauthorized\"}","query":"login eq 'Alice' and password eq '123456'","time":"2021-07-19T14:03:16Z","message":"error fetching from accounts-service"}
[tusd] 2021/07/19 14:03:16 event="RequestIncoming" method="PATCH" path="/cd44bc26-bb11-48db-b1fa-4749d36a4a60" requestId="b4f8e24a-37b1-44fd-bfd6-178911370024" 
[tusd] 2021/07/19 14:03:16 event="ChunkWriteStart" id="cd44bc26-bb11-48db-b1fa-4749d36a4a60" maxSize="10" offset="0"

🤔

butonic mentioned this pull request

datagateway: zero content-length when swallowing body cs3org/reva#1904

Merged

Member Author

butonic commented Jul 20, 2021

I found cs3org/reva#1904

Does this PR change the request flow and cause the datagateway to spew errors?!? how?

wkloucek reviewed

View reviewed changes

proxy/pkg/middleware/account_resolver.go Show resolved Hide resolved

butonic mentioned this pull request

[full-ci] update REVA to v1.10.1-0.20210721075634-57d692feea7b #2314

Merged

Contributor

wkloucek commented Jul 21, 2021

@butonic I added the cookie logic to this PR

Member Author

butonic commented Jul 21, 2021

Custom claims mapping in #2315

butonic and others added 9 commits

July 23, 2021 08:07


          add claims policy selector

40c8031

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>


          add RegexSelector

4385d3d

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>


          add regex rule priority, drop request from selector signature, add un…

b540ccd

…it tests

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>


          fix docs typo

b0c742c

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>


          remove comma

2583c6a

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>


          use context from middleware in proxy

5c024b4

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>


          update proxy config json example files

0a632df

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>


          add todo for x-access-header handling

cb70f48

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>


          use cookie to enforce routing for regex and claim selector

a0dce56

butonic force-pushed the claims-policy-selector branch from 5fd2756 to bea986f Compare

July 23, 2021 08:55


          pass only request instead of context

bea986f

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

sonarqubecloud bot commented Jul 23, 2021

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
8 Code Smells

58.8% Coverage
0.0% Duplication


          clarify cs3 claims

07bb4a1

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

C0rby approved these changes

View reviewed changes

butonic merged commit dcd8327 into master

delete-merged-branch bot deleted the claims-policy-selector branch

July 23, 2021 11:45

ownclouders pushed a commit that referenced this pull request


          commit dcd8327

d136971

Merge: 1e4f833 07bb4a1
Author: Jörn Friedrich Dreyer <[email protected]>
Date:   Fri Jul 23 13:45:43 2021 +0200

    Merge pull request #2248 from owncloud/claims-policy-selector

    add claims and regex policy selector

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Category:Enhancement