Changed UID retrieval format

grycap · Jan 23, 2024 · 9863c56 · 9863c56
1 parent cd269a8
commit 9863c56
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 17 deletions.
diff --git a/pkg/handlers/create.go b/pkg/handlers/create.go
@@ -60,20 +60,11 @@ func MakeCreateHandler(cfg *types.Config, back types.ServerlessBackend) gin.Hand
 		// Check service values and set defaults
 		checkValues(&service, cfg)
 
-		uid_origin, uid_exists := c.Get("uid_origin")
-		if uid_exists {
-			uid := fmt.Sprintf("%v", uid_origin)
-			createLogger.Println("Creating service for user: ", uid)
-			service.Labels["uid"] = uid
-			service.AllowedUsers = append(service.AllowedUsers, uid)
-		}
-		createLogger.Println("Unknown user origin")
-
 		if service.VO != "" {
 			for _, vo := range cfg.OIDCGroups {
 				if vo == service.VO {
 					authHeader := c.GetHeader("Authorization")
-					err := checkVOIdentity(&service, cfg, authHeader)
+					err := checkIdentity(&service, cfg, authHeader)
 					if err != nil {
 						c.String(http.StatusBadRequest, fmt.Sprintln(err))
 					}
@@ -360,9 +351,16 @@ func isStorageProviderDefined(storageName string, storageID string, providers *t
 	return ok
 }
 
-func checkVOIdentity(service *types.Service, cfg *types.Config, authHeader string) error {
+func checkIdentity(service *types.Service, cfg *types.Config, authHeader string) error {
 	oidcManager, _ := auth.NewOIDCManager(cfg.OIDCIssuer, cfg.OIDCSubject, cfg.OIDCGroups)
 	rawToken := strings.TrimPrefix(authHeader, "Bearer ")
+	uid, err := oidcManager.GetUID(rawToken)
+
+	if err != nil {
+		createLogger.Println("Unknown user origin")
+		return err
+	}
+
 	hasVO, err := oidcManager.UserHasVO(rawToken, service.VO)
 
 	if err != nil {
@@ -374,6 +372,9 @@ func checkVOIdentity(service *types.Service, cfg *types.Config, authHeader strin
 	}
 
 	service.Labels["vo"] = service.VO
+	service.Labels["uid"] = uid
+	service.AllowedUsers = append(service.AllowedUsers, uid)
+	createLogger.Println("Creating service for user: ", uid)
 
 	return nil
 }

diff --git a/pkg/handlers/update.go b/pkg/handlers/update.go
@@ -55,10 +55,15 @@ func MakeUpdateHandler(cfg *types.Config, back types.ServerlessBackend) gin.Hand
 		}
 
 		if newService.VO != "" && newService.VO != oldService.VO {
-			authHeader := c.GetHeader("Authorization")
-			err := checkVOIdentity(&newService, cfg, authHeader)
-			if err != nil {
-				c.String(http.StatusBadRequest, fmt.Sprintf("%v"), err)
+			for _, vo := range cfg.OIDCGroups {
+				if vo == newService.VO {
+					authHeader := c.GetHeader("Authorization")
+					err := checkIdentity(&newService, cfg, authHeader)
+					if err != nil {
+						c.String(http.StatusBadRequest, fmt.Sprintln(err))
+					}
+					break
+				}
 			}
 		}
 

diff --git a/pkg/utils/auth/oidc.go b/pkg/utils/auth/oidc.go
@@ -111,8 +111,6 @@ func getOIDCMiddleware(kubeClientset *kubernetes.Clientset, minIOAdminClient *ut
 			// Create MinIO user and k8s secret with credentials
 			mc.CreateSecretForOIDC(uid, sk)
 			minIOAdminClient.CreateMinIOUser(uid, sk)
-
-			c.Set("uid_origin", uid)
 		}
 	}
 }
@@ -180,6 +178,14 @@ func (om *oidcManager) UserHasVO(rawToken string, vo string) (bool, error) {
 	return false, nil
 }
 
+func (om *oidcManager) GetUID(rawToken string) (string, error) {
+	ui, err := om.getUserInfo(rawToken)
+	if err != nil {
+		return ui.subject, nil
+	}
+	return "", err
+}
+
 // isAuthorised checks if a token is authorised to access the API
 func (om *oidcManager) isAuthorised(rawToken string) bool {
 	// Check if the token is valid