From 940657a96f4964837435e50489ba0fe23982bbbe Mon Sep 17 00:00:00 2001
From: Gianmaria Del Monte
Date: Thu, 9 Mar 2023 14:15:52 +0100
Subject: [PATCH 1/3] disable sharing of low level paths

---
 .../storageprovider/storageprovider.go | 38 ++++++++++++++-----
 tests/ocis | 2 +-
 2 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/internal/grpc/services/storageprovider/storageprovider.go b/internal/grpc/services/storageprovider/storageprovider.go
index 838f70a472..572cf2bdd0 100644
--- a/internal/grpc/services/storageprovider/storageprovider.go
+++ b/internal/grpc/services/storageprovider/storageprovider.go
@@ -54,15 +54,16 @@ func init() {
 }
 
 type config struct {
- MountPath string `mapstructure:"mount_path" docs:"/;The path where the file system would be mounted."`
- MountID string `mapstructure:"mount_id" docs:"-;The ID of the mounted file system."`
- Driver string `mapstructure:"driver" docs:"localhome;The storage driver to be used."`
- Drivers map[string]map[string]interface{} `mapstructure:"drivers" docs:"url:pkg/storage/fs/localhome/localhome.go"`
- TmpFolder string `mapstructure:"tmp_folder" docs:"/var/tmp;Path to temporary folder."`
- DataServerURL string `mapstructure:"data_server_url" docs:"http://localhost/data;The URL for the data server."`
- ExposeDataServer bool `mapstructure:"expose_data_server" docs:"false;Whether to expose data server."` // if true the client will be able to upload/download directly to it
- AvailableXS map[string]uint32 `mapstructure:"available_checksums" docs:"nil;List of available checksums."`
- CustomMimeTypesJSON string `mapstructure:"custom_mime_types_json" docs:"nil;An optional mapping file with the list of supported custom file extensions and corresponding mime types."`
+ MountPath string `mapstructure:"mount_path" docs:"/;The path where the file system would be mounted."`
+ MountID string `mapstructure:"mount_id" docs:"-;The ID of the mounted file system."`
+ Driver string `mapstructure:"driver" docs:"localhome;The storage driver to be used."`
+ Drivers map[string]map[string]interface{} `mapstructure:"drivers" docs:"url:pkg/storage/fs/localhome/localhome.go"`
+ TmpFolder string `mapstructure:"tmp_folder" docs:"/var/tmp;Path to temporary folder."`
+ DataServerURL string `mapstructure:"data_server_url" docs:"http://localhost/data;The URL for the data server."`
+ ExposeDataServer bool `mapstructure:"expose_data_server" docs:"false;Whether to expose data server."` // if true the client will be able to upload/download directly to it
+ AvailableXS map[string]uint32 `mapstructure:"available_checksums" docs:"nil;List of available checksums."`
+ CustomMimeTypesJSON string `mapstructure:"custom_mime_types_json" docs:"nil;An optional mapping file with the list of supported custom file extensions and corresponding mime types."`
+ MinimunAllowedPathLevelForShare int `mapstructure:"minimum_allowed_path_level_for_share"`
 }
 
 func (c *config) init() {
@@ -822,6 +823,7 @@ func (s *service) Stat(ctx context.Context, req *provider.StatRequest) (*provide
 Status: status.NewInternal(ctx, err, "error wrapping path"),
 }, nil
 }
+ s.fixPermissions(md)
 res := &provider.StatResponse{
 Status: status.NewOK(ctx),
 Info: md,
@@ -829,6 +831,23 @@ func (s *service) Stat(ctx context.Context, req *provider.StatRequest) (*provide
 return res, nil
 }
 
+func pathLevels(p string) int {
+ if p == "/" {
+ return 0
+ }
+ return strings.Count(p, "/")
+}
+
+func (s *service) fixPermissions(md *provider.ResourceInfo) {
+ // do not allow shares for low path levels
+ if pathLevels(md.Path) < s.conf.MinimunAllowedPathLevelForShare {
+ md.PermissionSet.AddGrant = false
+ md.PermissionSet.RemoveGrant = false
+ md.PermissionSet.DenyGrant = false
+ md.PermissionSet.UpdateGrant = false
+ }
+}
+
 func (s *service) statVirtualView(ctx context.Context, ref *provider.Reference) (*provider.StatResponse, error) {
 // The reference in the request encompasses this provider
 // So we need to stat root, and update the required path
@@ -962,6 +981,7 @@ func (s *service) ListContainer(ctx context.Context, req *provider.ListContainer
 Status: status.NewInternal(ctx, err, "error wrapping path"),
 }, nil
 }
+ s.fixPermissions(md)
 infos = append(infos, md)
 }
 res := &provider.ListContainerResponse{
diff --git a/tests/ocis b/tests/ocis
index 804d177705..6357a70318 160000
--- a/tests/ocis
+++ b/tests/ocis
@@ -1 +1 @@
-Subproject commit 804d1777051c3583dfeebae467466f1316fa3583
+Subproject commit 6357a703181b368e2109f720e0785a11222eed88
From 79d1e372725787dd69c3c927aebf045547a01bb9 Mon Sep 17 00:00:00 2001
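Review bot: The field added at the end of `config` is spelled `MinimunAllowedPathLevelForShare` and, unlike every sibling field, carries no `docs:` tag, so the option stays undocumented and the typo spreads to each use site (it is already repeated in `fixPermissions` later in this patch). Rename it to `MinimumAllowedPathLevelForShare` and add a tag along the lines of `docs:"0;Resources below this path level are reported without grant permissions."`. The default of 0 disabling the feature is inferred from the `<` comparison in `fixPermissions`, where a level is never negative; the tag should say so explicitly.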
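Review bot: The `s.fixPermissions(md)` call added in `Stat` (and the identical one in the `ListContainer` hunk) only rewrites the permission set reported to clients; nothing visible in this patch makes the provider's grant RPCs refuse a request on a low-level path. Unless the user share provider carries the matching restriction, a client that ignores the advertised permissions is presumably still served, so the helper should say it is advisory, e.g. `// fixPermissions only hides grant permissions in responses; enforcement stays with the share provider`. Both calls sit after the "error wrapping path" check, so the level appears to be counted on the wrapped path, mount prefix included, which the option's description should mention. `statVirtualView` and any other handler returning a `ResourceInfo` lie outside these hunks and should be checked for the same call; the bodies of `Stat` and `ListContainer` also continue outside the hunks.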
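Review bot: `fixPermissions` dereferences `md.PermissionSet` without a nil check; if a storage driver returns a `ResourceInfo` without a permission set (the field is a pointer in the CS3 types, as far as I can tell), every `Stat` or `ListContainer` on a low-level path would panic. Add `if md == nil || md.PermissionSet == nil { return }` at the top of the function. `pathLevels` counts raw `/` characters, so unless `wrap` guarantees a cleaned path, a value such as `/home/` is reported one level deeper than it is and can land above the threshold; normalising first with `p = path.Clean("/" + p)` (assuming `path` is or can be imported in this file) keeps the count conservative. Neither function has a doc comment; `// pathLevels returns the number of segments in p, with "/" counting as level 0` would pin down the convention.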
From: Gianmaria Del Monte
Date: Fri, 10 Mar 2023 08:45:24 +0100
Subject: [PATCH 2/3] add changelog

---
 changelog/unreleased/disable-shares-low-level-paths.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 changelog/unreleased/disable-shares-low-level-paths.md

diff --git a/changelog/unreleased/disable-shares-low-level-paths.md b/changelog/unreleased/disable-shares-low-level-paths.md
new file mode 100644
index 0000000000..2a95f314f2
--- /dev/null
+++ b/changelog/unreleased/disable-shares-low-level-paths.md
@@ -0,0 +1,10 @@
+Enhancement: Disable sharing on low level paths
+
+Sharing can be disable in the user share provider
+for some paths, but the storage provider
+was still sending the sharing permissions for those paths.
+This adds a config option in the storage provider,
+`minimum_allowed_path_level_for_share`, to disable sharing
+permissions for resources up to a defined path level.
+
+https://github.com/cs3org/reva/pull/3717
\ No newline at end of file
From afd3b34dcdedea68a8917e1c193f790b59d9043e Mon Sep 17 00:00:00 2001
From: Gianmaria Del Monte
Date: Fri, 10 Mar 2023 09:30:14 +0100
Subject: [PATCH 3/3] use 804d1777051c3583dfeebae467466f1316fa3583 commit

---
 tests/ocis | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/ocis b/tests/ocis
index 6357a70318..804d177705 160000
--- a/tests/ocis
+++ b/tests/ocis
@@ -1 +1 @@
-Subproject commit 6357a703181b368e2109f720e0785a11222eed88
+Subproject commit 804d1777051c3583dfeebae467466f1316fa3583