From 4e1a20132745dc3f5381b8f386c3c0c982dda460 Mon Sep 17 00:00:00 2001
From: Denis Arh
Date: Fri, 31 Jan 2020 00:29:15 +0100
Subject: [PATCH] Allow indirect (no current user) script execution

---
 pkg/corredor/service.go | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/pkg/corredor/service.go b/pkg/corredor/service.go
index 2d0f94b31..dc306c233 100644
--- a/pkg/corredor/service.go
+++ b/pkg/corredor/service.go
@@ -492,11 +492,14 @@ func (svc service) exec(ctx context.Context, script string, runAs string, event
 var (
 rsp *ExecResponse
+ invoker auth.Identifiable
+
 encodedEvent map[string][]byte
 encodedResults = make(map[string][]byte)
 log = svc.log.With(
 zap.String("script", script),
+ zap.String("runAs", runAs),
 zap.String("event", event.EventType()),
 zap.String("resource", event.ResourceType()),
 )
@@ -521,15 +524,18 @@ func (svc service) exec(ctx context.Context, script string, runAs string, event
 req.Args[key] = string(encodedEvent[key])
 }
- // Resolve/expand invoker user details from the context
- invoker, err := svc.users.FindByAny(ctx)
- if err != nil {
- return err
- }
+ // Resolve/expand invoker user details from the context (if present
+ if i := auth.GetIdentityFromContext(ctx); i.Valid() {
+ invoker, err = svc.users.FindByAny(i)
+ if err != nil {
+ return err
+ }
- log = log.With(zap.Stringer("invoker", invoker))
- if err = encodeArguments(req.Args, "invoker", invoker); err != nil {
- return
+ log = log.With(zap.Stringer("invoker", invoker))
+
+ if err = encodeArguments(req.Args, "invoker", invoker); err != nil {
+ return
+ }
 }
 if len(runAs) > 0 {
@@ -539,7 +545,7 @@ func (svc service) exec(ctx context.Context, script string, runAs string, event
 var definer auth.Identifiable
- // Run this script as defined user (definer)
+ // Run this script as defined user
 //
 // We search for the defined (run-as) user,
 // assign it to authUser argument and make an
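Review bot: In the `@@ -521` hunk `invoker` is an `auth.Identifiable` interface that receives the concrete value returned by `svc.users.FindByAny(i)`, so if that lookup can return a nil pointer with a nil error, the interface is non-nil and the later `} else if invoker != nil {` in the `@@ -560` hunk would treat a nil pointer as a real invoking user instead of taking the no-user path. If FindByAny's contract allows that, guard the concrete value before assigning it (or re-check `i.Valid()` at the else-if); otherwise a one-line comment stating that FindByAny never returns a nil user on success would document why the interface test is sufficient. Since running with neither a runAs user nor an invoker is now a legitimate state, it is worth recording it for audit, e.g. `log = log.With(zap.Bool("anonymous", invoker == nil))` before the `if len(runAs) > 0` branch. Minor: the added comment has an unbalanced parenthesis — `// Resolve/expand invoker user details from the context (if present)`. The body of exec continues outside the hunk.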
@@ -560,7 +566,7 @@ func (svc service) exec(ctx context.Context, script string, runAs string, event
 return
 }
- } else {
+ } else if invoker != nil {
 // Run script with the same user that invoked it
 // current (authenticated) user