
Commit 54edcd9

Julian Koberg
authored and
Julian Koberg
committed
feat(proxy): allow multiple space claims
Signed-off-by: Julian Koberg <[email protected]>
1 parent 6f96b1c commit 54edcd9


2 files changed

+25
-3
lines changed


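--- a/changelog/unreleased/claim-managed-spaces.md
+++ b/changelog/unreleased/claim-managed-spaces.md
@@ -3,3 +3,4 @@ Enhancement: Claim managed spaces
 Allow managing spaces from oidc claims
 
 https://github.com/owncloud/ocis/pull/11280
+https://github.com/owncloud/ocis/pull/11290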

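--- a/services/proxy/pkg/middleware/space_manager.go
+++ b/services/proxy/pkg/middleware/space_manager.go
@@ -158,27 +158,48 @@ func (csm claimSpaceManager) getSpaceAssignments(ctx context.Context) map[string
 claims := oidc.FromContext(ctx)
 values, ok := claims[csm.claimName].([]any)
 if !ok {
-csm.logger.Error().Interface("entitlements", claims["entitlements"]).Msg("entitlements claims are not a []string")
+csm.logger.Error().Interface("claims", claims).Str("claimname", csm.claimName).Msg("configured claims are not an array")
 }
 
 assignments := make(map[string]string)
 for _, ent := range values {
 e, ok := ent.(string)
 if !ok {
-csm.logger.Error().Interface("entitlement", ent).Msg("entitlement is not a sting")
+csm.logger.Error().Interface("assignment", ent).Msg("assignment is not a string")
 continue
 }
 
 match, spaceid, role := csm.mapper.Exec(e)
 if !match {
 continue
 }
-assignments[spaceid] = role
+assignments[spaceid] = chooseRole(role, assignments[spaceid])
 }
 
 return assignments
 }
 
+// will return the role with the highest permissions.
+func chooseRole(roleA, roleB string) string {
+if roleA == "" {
+return roleB
+}
+
+if roleB == "" {
+return roleA
+}
+
+permsA := conversions.RoleFromName(roleA).CS3ResourcePermissions()
+permsB := conversions.RoleFromName(roleB).CS3ResourcePermissions()
+
+if conversions.SufficientCS3Permissions(permsA, permsB) {
+return roleA
+}
+// Note: This could be an issue if roleB does not contain roleA
+return roleB
+
+}
+
 func getSpaceMemberStatus(space *storageprovider.StorageSpace, userid string) (bool, *storageprovider.ResourcePermissions, error) {
 var permissionsMap map[string]*storageprovider.ResourcePermissions
 if err := utils.ReadJSONFromOpaque(space.GetOpaque(), "grants", &permissionsMap); err != nil {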
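Review bot: The new error log at line 161 writes the entire `claims` map to the log on a type mismatch, whereas the old line logged only the single claim being inspected; OIDC claims can carry identity attributes (names, e-mail, group memberships) that do not belong in an error line. Logging just the offending value keeps the diagnostic while limiting what ends up in log storage: `csm.logger.Error().Interface("claim", claims[csm.claimName]).Str("claimname", csm.claimName).Msg("configured claims are not an array")`. Separately, `chooseRole` falls through to `roleB` when `SufficientCS3Permissions` is false, which covers both "roleB is strictly higher" and "neither role covers the other", as the inline note already admits. Because `roleA` is the claim currently being processed and `roleB` the value already stored for that space, the outcome for incomparable roles depends on claim order in the token; the intended merge rule for that case should be decided and stated in the doc comment, which should also follow Go convention and start with the name, e.g. `// chooseRole returns whichever of roleA or roleB carries the broader permission set; ...`. getSpaceAssignments begins before the hunk and getSpaceMemberStatus continues past it.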
