owncloud · butonic · Dec 12, 2022 · Dec 6, 2022 · Dec 6, 2022 · Dec 7, 2022
diff --git a/services/graph/pkg/config/http.go b/services/graph/pkg/config/http.go
@@ -8,4 +8,5 @@ type HTTP struct {
 	Namespace string                `yaml:"-"`
 	Root      string                `yaml:"root" env:"GRAPH_HTTP_ROOT" desc:"Subdirectory that serves as the root for this HTTP service."`
 	TLS       shared.HTTPServiceTLS `yaml:"tls"`
+	APIToken  string                `yaml:"apitoken" env:"GRAPH_HTTP_API_TOKEN" desc:"An optional API bearer token"`
 }
diff --git a/services/graph/pkg/identity/ldap.go b/services/graph/pkg/identity/ldap.go
@@ -280,6 +280,7 @@ func (i *LDAP) UpdateUser(ctx context.Context, nameOrID string, user libregraph.
 			updateNeeded = true
 		}
 	}
+	// TODO implement account disabled/enabled
 
 	if updateNeeded {
 		if err := i.conn.Modify(&mr); err != nil {

diff --git a/services/graph/pkg/server/http/server.go b/services/graph/pkg/server/http/server.go
@@ -4,16 +4,20 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	stdhttp "net/http"
 	"os"
 
 	"github.com/cs3org/reva/v2/pkg/events/server"
+	"github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
 	"github.com/go-micro/plugins/v4/events/natsjs"
 	"github.com/owncloud/ocis/v2/ocis-pkg/account"
 	ociscrypto "github.com/owncloud/ocis/v2/ocis-pkg/crypto"
 	"github.com/owncloud/ocis/v2/ocis-pkg/middleware"
+	"github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/http"
 	"github.com/owncloud/ocis/v2/ocis-pkg/version"
+	settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
 	graphMiddleware "github.com/owncloud/ocis/v2/services/graph/pkg/middleware"
 	svc "github.com/owncloud/ocis/v2/services/graph/pkg/service/v0"
 	"github.com/pkg/errors"
@@ -82,25 +86,49 @@ func Server(opts ...Option) (http.Service, error) {
 		}
 	}
 
-	handle := svc.NewService(
-		svc.Logger(options.Logger),
-		svc.Config(options.Config),
-		svc.Middleware(
-			middleware.TraceContext,
-			chimiddleware.RequestID,
-			middleware.Version(
-				"graph",
-				version.GetString(),
-			),
-			middleware.Logger(
-				options.Logger,
-			),
+	middlewares := []func(stdhttp.Handler) stdhttp.Handler{
+		middleware.TraceContext,
+		chimiddleware.RequestID,
+		middleware.Version(
+			"graph",
+			version.GetString(),
+		),
+		middleware.Logger(
+			options.Logger,
+		),
+	}
+	// how do we secure the api?
+	var requireAdminMiddleware func(stdhttp.Handler) stdhttp.Handler
+	var roleService svc.RoleService
+	var gatewayClient svc.GatewayClient
+	if options.Config.HTTP.APIToken == "" {
+		middlewares = append(middlewares,
 			graphMiddleware.Auth(
 				account.Logger(options.Logger),
 				account.JWTSecret(options.Config.TokenManager.JWTSecret),
-			),
-		),
+			))
+		roleService = settingssvc.NewRoleService("com.owncloud.api.settings", grpc.DefaultClient())
+		gatewayClient, err = pool.GetGatewayServiceClient(options.Config.Reva.Address, options.Config.Reva.GetRevaOptions()...)
+		if err != nil {
+			return http.Service{}, errors.Wrap(err, "could not initialize gateway client")
+		}
+	} else {
+		middlewares = append(middlewares, middleware.Token(options.Config.HTTP.APIToken))
+		// use a dummy admin middleware for the chi router
+		requireAdminMiddleware = func(next stdhttp.Handler) stdhttp.Handler {
+			return next
+		}
+		// no gatewayclient needed
+	}
+
+	handle := svc.NewService(
+		svc.Logger(options.Logger),
+		svc.Config(options.Config),
+		svc.Middleware(middlewares...),
 		svc.EventsPublisher(publisher),
+		svc.WithRoleService(roleService),
+		svc.WithRequireAdminMiddleware(requireAdminMiddleware),
+		svc.WithGatewayClient(gatewayClient),
 	)
 
 	if handle == nil {

diff --git a/services/graph/pkg/service/v0/groups.go b/services/graph/pkg/service/v0/groups.go
@@ -92,7 +92,7 @@ func (g Graph) PostGroup(w http.ResponseWriter, r *http.Request) {
 		currentUser := revactx.ContextMustGetUser(r.Context())
 		g.publishEvent(events.GroupCreated{Executant: currentUser.Id, GroupID: *grp.Id})
 	}
-	render.Status(r, http.StatusOK)
+	render.Status(r, http.StatusOK) // FIXME 201 should return 201 created
 	render.JSON(w, r, grp)
 }
 
@@ -167,7 +167,7 @@ func (g Graph) PatchGroup(w http.ResponseWriter, r *http.Request) {
 		}
 		return
 	}
-	render.Status(r, http.StatusNoContent)
+	render.Status(r, http.StatusNoContent) // TODO StatusNoContent when prefer=minimal is used, otherwise OK and the resource in the body
 	render.NoContent(w, r)
 }
 

diff --git a/services/graph/pkg/service/v0/groups_test.go b/services/graph/pkg/service/v0/groups_test.go
@@ -222,7 +222,7 @@ var _ = Describe("Groups", func() {
 			Expect(rr.Code).To(Equal(http.StatusBadRequest))
 		})
 
-		It("disallows user create ids", func() {
+		It("disallows group create ids", func() {
 			newGroup = libregraph.NewGroup()
 			newGroup.SetId("disallowed")
 			newGroup.SetDisplayName("New Group")

diff --git a/services/graph/pkg/service/v0/option.go b/services/graph/pkg/service/v0/option.go
@@ -16,15 +16,16 @@ type Option func(o *Options)
 
 // Options defines the available options for this package.
 type Options struct {
-	Logger            log.Logger
-	Config            *config.Config
-	Middleware        []func(http.Handler) http.Handler
-	GatewayClient     GatewayClient
-	IdentityBackend   identity.Backend
-	RoleService       RoleService
-	PermissionService Permissions
-	RoleManager       *roles.Manager
-	EventsPublisher   events.Publisher
+	Logger                 log.Logger
+	Config                 *config.Config
+	Middleware             []func(http.Handler) http.Handler
+	RequireAdminMiddleware func(http.Handler) http.Handler
+	GatewayClient          GatewayClient
+	IdentityBackend        identity.Backend
+	RoleService            RoleService
+	PermissionService      Permissions
+	RoleManager            *roles.Manager
+	EventsPublisher        events.Publisher
 }
 
 // newOptions initializes the available default options.
@@ -59,6 +60,13 @@ func Middleware(val ...func(http.Handler) http.Handler) Option {
 	}
 }
 
+// WithRequireAdminMiddleware provides a function to set the RequireAdminMiddleware option.
+func WithRequireAdminMiddleware(val func(http.Handler) http.Handler) Option {
+	return func(o *Options) {
+		o.RequireAdminMiddleware = val
+	}
+}
+
 // WithGatewayClient provides a function to set the gateway client option.
 func WithGatewayClient(val GatewayClient) Option {
 	return func(o *Options) {

diff --git a/services/graph/pkg/service/v0/service.go b/services/graph/pkg/service/v0/service.go
@@ -7,7 +7,6 @@ import (
 	"os"
 	"strconv"
 
-	"github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/jellydator/ttlcache/v2"
@@ -69,17 +68,9 @@ func NewService(opts ...Option) Service {
 		logger:               &options.Logger,
 		spacePropertiesCache: ttlcache.NewCache(),
 		eventsPublisher:      options.EventsPublisher,
+		gatewayClient:        options.GatewayClient,
 	}
-	if options.GatewayClient == nil {
-		var err error
-		svc.gatewayClient, err = pool.GetGatewayServiceClient(options.Config.Reva.Address, options.Config.Reva.GetRevaOptions()...)
-		if err != nil {
-			options.Logger.Error().Err(err).Msg("Could not get gateway client")
-			return nil
-		}
-	} else {
-		svc.gatewayClient = options.GatewayClient
-	}
+
 	if options.IdentityBackend == nil {
 		switch options.Config.Identity.Backend {
 		case "cs3":
@@ -145,12 +136,6 @@ func NewService(opts ...Option) Service {
 		svc.identityBackend = options.IdentityBackend
 	}
 
-	if options.RoleService == nil {
-		svc.roleService = settingssvc.NewRoleService("com.owncloud.api.settings", grpc.DefaultClient())
-	} else {
-		svc.roleService = options.RoleService
-	}
-
 	if options.PermissionService == nil {
 		svc.permissionsService = settingssvc.NewPermissionService("com.owncloud.api.settings", grpc.DefaultClient())
 	} else {
@@ -167,12 +152,17 @@ func NewService(opts ...Option) Service {
 		m := roles.NewManager(
 			roles.StoreOptions(storeOptions),
 			roles.Logger(options.Logger),
-			roles.RoleService(svc.roleService),
+			roles.RoleService(options.RoleService),
 		)
 		roleManager = &m
 	}
 
-	requireAdmin := graphm.RequireAdmin(roleManager, options.Logger)
+	var requireAdmin func(http.Handler) http.Handler
+	if options.RequireAdminMiddleware == nil {
+		requireAdmin = graphm.RequireAdmin(roleManager, options.Logger)
+	} else {
+		requireAdmin = options.RequireAdminMiddleware
+	}
 
 	m.Route(options.Config.HTTP.Root, func(r chi.Router) {
 		r.Use(middleware.StripSlashes)