From 29f4f49e1c7ed0866a7f54333cb03947521031b7 Mon Sep 17 00:00:00 2001 From: David Christofas Date: Wed, 17 Nov 2021 17:18:03 +0100 Subject: [PATCH 1/4] first prototype of a CS3 permissions service --- go.mod | 2 +- go.sum | 3 +- settings/pkg/server/grpc/server.go | 37 ++++++++++++++++ settings/pkg/service/v0/service.go | 46 ++++++++++++++++++++ settings/pkg/settings/settings.go | 1 + settings/pkg/store/filesystem/permissions.go | 19 ++++++++ storage/pkg/command/gateway.go | 1 + storage/pkg/config/config.go | 10 +++-- storage/pkg/config/defaultconfig.go | 3 ++ 9 files changed, 116 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 52fca6537cc..01fa1f2481a 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( github.com/asim/go-micro/plugins/wrapper/trace/opencensus/v4 v4.0.0-20211220083148-8e52761edb49 github.com/blevesearch/bleve/v2 v2.3.0 github.com/coreos/go-oidc/v3 v3.1.0 - github.com/cs3org/go-cs3apis v0.0.0-20211214102047-7ce3134d7bf8 + github.com/cs3org/go-cs3apis v0.0.0-20211214102128-4e8745ab1654 github.com/cs3org/reva v1.16.1-0.20220121134812-59d1aa30eb60 github.com/disintegration/imaging v1.6.2 github.com/glauth/glauth/v2 v2.0.0-20211021011345-ef3151c28733 diff --git a/go.sum b/go.sum index 4afaffd14a1..a160ccbb947 100644 --- a/go.sum +++ b/go.sum 
@@ -322,8 +322,9 @@ github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3p github.com/crewjam/saml v0.4.5 h1:H9u+6CZAESUKHxMyxUbVn0IawYvKZn4nt3d4ccV4O/M= github.com/crewjam/saml v0.4.5/go.mod h1:qCJQpUtZte9R1ZjUBcW8qtCNlinbO363ooNl02S68bk= github.com/cs3org/cato v0.0.0-20200828125504-e418fc54dd5e/go.mod h1:XJEZ3/EQuI3BXTp/6DUzFr850vlxq11I6satRtz0YQ4= -github.com/cs3org/go-cs3apis v0.0.0-20211214102047-7ce3134d7bf8 h1:PqOprF37OvwCbAN5W23znknGk6N/LMayqLAeP904FHE= github.com/cs3org/go-cs3apis v0.0.0-20211214102047-7ce3134d7bf8/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY= +github.com/cs3org/go-cs3apis v0.0.0-20211214102128-4e8745ab1654 h1:ha5tiuuFyDrwKUrVEc3TrRDFgTKVQ9NGDRmEP0PRPno= +github.com/cs3org/go-cs3apis v0.0.0-20211214102128-4e8745ab1654/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY= github.com/cs3org/reva v1.16.1-0.20220121134812-59d1aa30eb60 h1:XaraDDlNXPv5GREzwkP7+8IEMDXbzzeHsekfUQABJzc= github.com/cs3org/reva v1.16.1-0.20220121134812-59d1aa30eb60/go.mod h1:/BofcMJgfqTIHNiCp1uXr9ABcgylp27U2W4fjYUR6Fg= github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8 h1:Z9lwXumT5ACSmJ7WGnFl+OMLLjpz5uR2fyz7dC255FI= diff --git a/settings/pkg/server/grpc/server.go b/settings/pkg/server/grpc/server.go index a3a2bde3bda..c313f853dd1 100644 --- a/settings/pkg/server/grpc/server.go +++ b/settings/pkg/server/grpc/server.go @@ -1,10 +1,15 @@ package grpc import ( + "context" + + permissions "github.com/cs3org/go-cs3apis/cs3/permissions/v1beta1" "github.com/owncloud/ocis/ocis-pkg/service/grpc" "github.com/owncloud/ocis/ocis-pkg/version" "github.com/owncloud/ocis/settings/pkg/proto/v0" svc "github.com/owncloud/ocis/settings/pkg/service/v0" + "go-micro.dev/v4/api" + "go-micro.dev/v4/server" ) // Server initializes a new go-micro service ready to run 
@@ -35,5 +40,37 @@ func Server(opts ...Option) grpc.Service {
 options.Logger.Fatal().Err(err).Msg("could not register Permission service handler")
 }
 
+ if err := RegisterCS3PermissionsServiceHandler(service.Server(), handle); err != nil {
+ options.Logger.Fatal().Err(err).Msg("could not register CS3 Permission service handler")
+ }
+
 return service
 }
+
+func RegisterCS3PermissionsServiceHandler(s server.Server, hdlr permissions.PermissionsAPIServer, opts ...server.HandlerOption) error {
+ type permissionsService interface {
+ CheckPermission(context.Context, *permissions.CheckPermissionRequest, *permissions.CheckPermissionResponse) error
+ }
+ type PermissionsAPI struct {
+ permissionsService
+ }
+ h := &permissionsServiceHandler{hdlr}
+ opts = append(opts, api.WithEndpoint(&api.Endpoint{
+ Name: "PermissionsService.Checkpermission",
+ Path: []string{"/api/v0/permissions/check-permission"},
+ Method: []string{"POST"},
+ Body: "*",
+ Handler: "rpc",
+ }))
+ return s.Handle(s.NewHandler(&PermissionsAPI{h}, opts...))
+}
+
+type permissionsServiceHandler struct {
+ api permissions.PermissionsAPIServer
+}
+
+func (h *permissionsServiceHandler) CheckPermission(ctx context.Context, req *permissions.CheckPermissionRequest, res *permissions.CheckPermissionResponse) error {
+ r, err := h.api.CheckPermission(ctx, req)
+ *res = *r
+ return err
+}
diff --git a/settings/pkg/service/v0/service.go b/settings/pkg/service/v0/service.go
index 6dbf8cda7b9..6f335a5614b 100644
--- a/settings/pkg/service/v0/service.go
+++ b/settings/pkg/service/v0/service.go
@@ -4,6 +4,9 @@ import (
 "context"
 "fmt"
 
+ permissions "github.com/cs3org/go-cs3apis/cs3/permissions/v1beta1"
+ rpcv1beta1 "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
+ "github.com/cs3org/reva/pkg/rgrpc/status"
 "github.com/owncloud/ocis/ocis-pkg/log"
 "github.com/owncloud/ocis/ocis-pkg/middleware"
 "github.com/owncloud/ocis/ocis-pkg/roles"
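Review bot: The endpoint registered in `RegisterCS3PermissionsServiceHandler` is named `PermissionsService.Checkpermission` while the method it wraps is `CheckPermission`; if go-micro's API router resolves the RPC method from the endpoint name (not verifiable from this hunk), the HTTP route `/api/v0/permissions/check-permission` would never reach the method, so the line should read `Name: "PermissionsService.CheckPermission",`. The exported function also has no doc comment; `// RegisterCS3PermissionsServiceHandler registers hdlr with the go-micro server s under the CS3 PermissionsService endpoint.` would tell readers why a go-micro wrapper around the gRPC-style handler exists. The two local types are named inconsistently (`permissionsService` next to the exported-looking `PermissionsAPI`, both function-scoped); aligning their casing is a small readability win.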
@@ -36,6 +39,49 @@ func NewService(cfg *config.Config, logger log.Logger) Service {
 return service
 }
 
+func (g Service) CheckPermission(ctx context.Context, req *permissions.CheckPermissionRequest) (*permissions.CheckPermissionResponse, error) {
+ spec := req.SubjectRef.Spec
+
+ var accountID string
+ switch ref := spec.(type) {
+ case *permissions.SubjectReference_UserId:
+ accountID = ref.UserId.OpaqueId
+ case *permissions.SubjectReference_GroupId:
+ accountID = ref.GroupId.OpaqueId
+ }
+
+ assignments, err := g.manager.ListRoleAssignments(accountID)
+ if err != nil {
+ return &permissions.CheckPermissionResponse{
+ Status: status.NewInternal(ctx, err, err.Error()),
+ }, nil
+ }
+
+ roleIDs := make([]string, 0, len(assignments))
+ for _, a := range assignments {
+ roleIDs = append(roleIDs, a.RoleId)
+ }
+
+ permission, err := g.manager.ReadPermissionByName(req.Permission, roleIDs)
+ if err != nil {
+ return &permissions.CheckPermissionResponse{
+ Status: status.NewInternal(ctx, err, err.Error()),
+ }, nil
+ }
+
+ if permission == nil {
+ return &permissions.CheckPermissionResponse{
+ Status: &rpcv1beta1.Status{
+ Code: rpcv1beta1.Code_CODE_PERMISSION_DENIED,
+ },
+ }, nil
+ }
+
+ return &permissions.CheckPermissionResponse{
+ Status: status.NewOK(ctx),
+ }, nil
+}
+
 // RegisterDefaultRoles composes default roles and saves them. Skipped if the roles already exist.
 func (g Service) RegisterDefaultRoles() {
 // FIXME: we're writing default roles per service start (i.e. twice at the moment, for http and grpc server). has to happen only once.
diff --git a/settings/pkg/settings/settings.go b/settings/pkg/settings/settings.go
index 830ebc8ffd3..4f78e3e5940 100644
--- a/settings/pkg/settings/settings.go
+++ b/settings/pkg/settings/settings.go
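Review bot: `spec := req.SubjectRef.Spec` dereferences the request without a nil check, and a subject that is neither a user nor a group leaves `accountID` empty yet still queries role assignments for "", so a malformed request either panics the handler or is evaluated against an empty subject instead of being rejected. A permission check should fail closed: reject a missing subject with `CODE_INVALID_ARGUMENT` before touching the store, give the type switch a `default` arm that does the same, and read the ids through the nil-safe getters. The group arm feeds `ref.GroupId.OpaqueId` into `ListRoleAssignments`, which by its parameter name looks keyed by account id; whether group ids resolve there is not visible in this hunk and is worth confirming. The exported method also lacks a doc comment; `// CheckPermission reports whether the subject in req holds the named permission through any of its assigned roles.` would do.
```go
func (g Service) CheckPermission(ctx context.Context, req *permissions.CheckPermissionRequest) (*permissions.CheckPermissionResponse, error) {
	if req.GetSubjectRef() == nil {
		return &permissions.CheckPermissionResponse{
			Status: &rpcv1beta1.Status{Code: rpcv1beta1.Code_CODE_INVALID_ARGUMENT, Message: "subject reference is required"},
		}, nil
	}

	var accountID string
	switch ref := req.SubjectRef.Spec.(type) {
	case *permissions.SubjectReference_UserId:
		accountID = ref.UserId.GetOpaqueId()
	case *permissions.SubjectReference_GroupId:
		accountID = ref.GroupId.GetOpaqueId()
	default:
		return &permissions.CheckPermissionResponse{
			Status: &rpcv1beta1.Status{Code: rpcv1beta1.Code_CODE_INVALID_ARGUMENT, Message: "unsupported subject reference"},
		}, nil
	}
	if accountID == "" {
		return &permissions.CheckPermissionResponse{
			Status: &rpcv1beta1.Status{Code: rpcv1beta1.Code_CODE_INVALID_ARGUMENT, Message: "subject id is empty"},
		}, nil
	}
	// … unchanged: role assignment lookup, permission lookup, DENIED/OK responses …
```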
@@ -50,4 +50,5 @@ type RoleAssignmentManager interface {
 type PermissionManager interface {
 ListPermissionsByResource(resource *proto.Resource, roleIDs []string) ([]*proto.Permission, error)
 ReadPermissionByID(permissionID string, roleIDs []string) (*proto.Permission, error)
+ ReadPermissionByName(name string, roleIDs []string) (*proto.Permission, error)
 }
diff --git a/settings/pkg/store/filesystem/permissions.go b/settings/pkg/store/filesystem/permissions.go
index 63b6a6e76fc..db9f67a6c42 100644
--- a/settings/pkg/store/filesystem/permissions.go
+++ b/settings/pkg/store/filesystem/permissions.go
@@ -38,6 +38,25 @@ func (s Store) ReadPermissionByID(permissionID string, roleIDs []string) (*proto
 return nil, nil
 }
 
+// ReadPermissionByName finds the permission in the roles, specified by the provided roleIDs
+func (s Store) ReadPermissionByName(name string, roleIDs []string) (*proto.Permission, error) {
+ for _, roleID := range roleIDs {
+ role, err := s.ReadBundle(roleID)
+ if err != nil {
+ s.Logger.Debug().Str("roleID", roleID).Msg("role not found, skipping")
+ continue
+ }
+ for _, permission := range role.Settings {
+ if permission.Name == name {
+ if value, ok := permission.Value.(*proto.Setting_PermissionValue); ok {
+ return value.PermissionValue, nil
+ }
+ }
+ }
+ }
+ return nil, nil
+}
+
 // extractPermissionsByResource collects all permissions from the provided role that match the requested resource
 func extractPermissionsByResource(resource *proto.Resource, role *proto.Bundle) []*proto.Permission {
 permissions := make([]*proto.Permission, 0)
diff --git a/storage/pkg/command/gateway.go b/storage/pkg/command/gateway.go
index b3a3cf48283..09383280905 100644
--- a/storage/pkg/command/gateway.go
+++ b/storage/pkg/command/gateway.go
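Review bot: In `ReadPermissionByName` every `ReadBundle` failure is logged at debug level without the error and treated as "role not found", so an I/O or parse error on one role silently drops that role from the evaluation and the caller cannot tell a missing role from a broken store. Logging the cause at warning level, `s.Logger.Warn().Err(err).Str("roleID", roleID).Msg("could not read role bundle, skipping")`, keeps the fail-closed outcome while making such errors visible to operators. The function also returns the first setting named `name` in `roleIDs` order, so when two roles carry the same permission name with different values the answer depends on assignment order; the doc comment should say so, e.g. `// ReadPermissionByName returns the first permission named name found in the roles listed in roleIDs, in that order; roles that cannot be read are skipped.`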
@@ -140,6 +140,7 @@ func gatewayConfigFromStruct(c *cli.Context, cfg *config.Config, logger log.Logg "preferencessvc": cfg.Reva.Users.Endpoint, "userprovidersvc": cfg.Reva.Users.Endpoint, "groupprovidersvc": cfg.Reva.Groups.Endpoint, + "permissionssvc": cfg.Reva.Permissions.Endpoint, // sharing is located on the sharing service "usershareprovidersvc": cfg.Reva.Sharing.Endpoint, "publicshareprovidersvc": cfg.Reva.Sharing.Endpoint, diff --git a/storage/pkg/config/config.go b/storage/pkg/config/config.go index a2c738bfc76..8a93c6dcbb1 100644 --- a/storage/pkg/config/config.go +++ b/storage/pkg/config/config.go @@ -199,10 +199,11 @@ type StoragePort struct { DataServerURL string `ocisConfig:"data_server_url"` // for HTTP ports with only one http service - HTTPPrefix string `ocisConfig:"http_prefix"` - TempFolder string `ocisConfig:"temp_folder"` - ReadOnly bool `ocisConfig:"read_only"` - DataProvider DataProvider `ocisConfig:"data_provider"` + HTTPPrefix string `ocisConfig:"http_prefix"` + TempFolder string `ocisConfig:"temp_folder"` + ReadOnly bool `ocisConfig:"read_only"` + DataProvider DataProvider `ocisConfig:"data_provider"` + GatewayEndpoint string `ocisConfig:"gateway_endpoint"` } // PublicStorage configures a public storage provider @@ -474,6 +475,7 @@ type Reva struct { StoragePublicLink PublicStorage `ocisConfig:"storage_public_link"` StorageMetadata StoragePort `ocisConfig:"storage_metadata"` AppProvider AppProvider `ocisConfig:"app_provider"` + Permissions Port `ocisConfig:"permissions"` // Configs can be used to configure the reva instance. // Services and Ports will be ignored if this is used Configs map[string]interface{} `ocisConfig:"configs"` diff --git a/storage/pkg/config/defaultconfig.go b/storage/pkg/config/defaultconfig.go index 23602bbf16a..13be167e91e 100644 --- a/storage/pkg/config/defaultconfig.go +++ b/storage/pkg/config/defaultconfig.go 
@@ -421,6 +421,9 @@ func DefaultConfig() *Config { OpenURL: "/app/open", NewURL: "/app/new", }, + Permissions: Port{ + Endpoint: "localhost:9191", + }, Configs: nil, UploadMaxChunkSize: 1e+8, UploadHTTPMethodOverride: "", From e65d80f95f566597582727abdf4fae793f197575 Mon Sep 17 00:00:00 2001 From: David Christofas Date: Thu, 27 Jan 2022 15:56:47 +0100 Subject: [PATCH 2/4] update reva --- go.mod | 14 +++++++++----- go.sum | 31 ++++++++++++++++++++---------- settings/pkg/service/v0/service.go | 4 ++-- 3 files changed, 32 insertions(+), 17 deletions(-) diff --git a/go.mod b/go.mod index 01fa1f2481a..f9706efd637 100644 --- a/go.mod +++ b/go.mod @@ -20,7 +20,7 @@ require ( github.com/blevesearch/bleve/v2 v2.3.0 github.com/coreos/go-oidc/v3 v3.1.0 github.com/cs3org/go-cs3apis v0.0.0-20211214102128-4e8745ab1654 - github.com/cs3org/reva v1.16.1-0.20220121134812-59d1aa30eb60 + github.com/cs3org/reva v1.16.1-0.20220127144606-c68537205646 github.com/disintegration/imaging v1.6.2 github.com/glauth/glauth/v2 v2.0.0-20211021011345-ef3151c28733 github.com/go-chi/chi/v5 v5.0.7 @@ -78,7 +78,7 @@ require ( require ( contrib.go.opencensus.io/exporter/prometheus v0.4.0 // indirect github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e // indirect - github.com/BurntSushi/toml v0.4.1 // indirect + github.com/BurntSushi/toml v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver v1.5.0 // indirect github.com/Masterminds/sprig v2.22.0+incompatible // indirect @@ -87,7 +87,7 @@ require ( github.com/RoaringBitmap/roaring v0.9.4 // indirect github.com/acomagu/bufpipe v1.0.3 // indirect github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect - github.com/aws/aws-sdk-go v1.42.27 // indirect + github.com/aws/aws-sdk-go v1.42.39 // indirect github.com/beevik/etree v1.1.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bitly/go-simplejson v0.5.0 // indirect 
@@ -108,6 +108,7 @@ require ( github.com/bluele/gcache v0.0.2 // indirect github.com/bmizerany/pat v0.0.0-20210406213842-e4b6760bdd6f // indirect github.com/boombuler/barcode v1.0.1 // indirect + github.com/ceph/go-ceph v0.13.0 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect github.com/coreos/go-oidc v2.2.1+incompatible // indirect github.com/coreos/go-semver v0.3.0 // indirect @@ -119,6 +120,7 @@ require ( github.com/davecgh/go-spew v1.1.1 // indirect github.com/deckarep/golang-set v1.8.0 // indirect github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect + github.com/dgraph-io/ristretto v0.1.0 // indirect github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect github.com/dustin/go-humanize v1.0.0 // indirect github.com/emirpasic/gods v1.12.0 // indirect @@ -138,6 +140,7 @@ require ( github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt v3.2.2+incompatible // indirect + github.com/golang/glog v1.0.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/snappy v0.0.4 // indirect github.com/gomodule/redigo v1.8.8 // indirect @@ -146,7 +149,7 @@ require ( github.com/gookit/goutil v0.4.0 // indirect github.com/gorilla/schema v1.2.0 // indirect github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect - github.com/hashicorp/go-hclog v1.0.0 // indirect + github.com/hashicorp/go-hclog v1.1.0 // indirect github.com/hashicorp/go-plugin v1.4.3 // indirect github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect github.com/huandu/xstrings v1.3.2 // indirect 
@@ -167,11 +170,12 @@ require ( github.com/mattn/go-runewidth v0.0.13 // indirect github.com/mattn/go-sqlite3 v2.0.3+incompatible // indirect github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect + github.com/maxymania/go-system v0.0.0-20170110133659-647cc364bf0b // indirect github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103 // indirect github.com/miekg/dns v1.1.44 // indirect github.com/mileusna/useragent v1.0.2 // indirect github.com/minio/md5-simd v1.1.2 // indirect - github.com/minio/minio-go/v7 v7.0.20 // indirect + github.com/minio/minio-go/v7 v7.0.21 // indirect github.com/minio/sha256-simd v1.0.0 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect diff --git a/go.sum b/go.sum index a160ccbb947..24fb3682079 100644 --- a/go.sum +++ b/go.sum @@ -84,8 +84,8 @@ github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzS github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e h1:ZU22z/2YRFLyf/P4ZwUYSdNCWsMEI0VeyrFoI2rAhJQ= github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/toml v0.4.1 h1:GaI7EiDXDRfa8VshkTj7Fym7ha+y8/XxIgD2okUIjLw= -github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/toml v1.0.0 h1:dtDWrepsVPfW9H/4y7dDgFc2MBUSeJhlaDtK13CxFlU= +github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/CiscoM31/godata v1.0.5 h1:AITXpa/5ybXEq59A0nqUGiS7ZXVJnQtFw5o09tyN/UA= github.com/CiscoM31/godata v1.0.5/go.mod h1:wcmFm66GMdOE316TgwFO1wo5ainCvTK26omd93oZf2M= 
@@ -185,12 +185,13 @@ github.com/asim/go-micro/plugins/wrapper/trace/opencensus/v4 v4.0.0-202112200831 github.com/asim/go-micro/plugins/wrapper/trace/opencensus/v4 v4.0.0-20211220083148-8e52761edb49/go.mod h1:PyS1JrBR0nd5tRwEUuFJFQEevYUkmyjxnSH9039c8+Q= github.com/aws/aws-sdk-go v1.20.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.34.28/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48= +github.com/aws/aws-sdk-go v1.35.24/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k= github.com/aws/aws-sdk-go v1.37.27/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go v1.38.35/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go v1.40.11/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= github.com/aws/aws-sdk-go v1.41.13/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= -github.com/aws/aws-sdk-go v1.42.27 h1:kxsBXQg3ee6LLbqjp5/oUeDgG7TENFrWYDmEVnd7spU= -github.com/aws/aws-sdk-go v1.42.27/go.mod h1:OGr6lGMAKGlG9CVrYnWYDKIyb829c6EVBRjxqjmPepc= +github.com/aws/aws-sdk-go v1.42.39 h1:6Lso73VoCI8Zmv3zAMv4BNg2gHAKNOlbLv1s/ew90SI= +github.com/aws/aws-sdk-go v1.42.39/go.mod h1:OGr6lGMAKGlG9CVrYnWYDKIyb829c6EVBRjxqjmPepc= github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs= github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= 
@@ -253,6 +254,8 @@ github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInq github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/ceph/go-ceph v0.13.0 h1:69dgIPlNHD2OCz98T0benI4++vcnShGcpQK4RIALjw4= +github.com/ceph/go-ceph v0.13.0/go.mod h1:mafFpf5Vg8Ai8Bd+FAMvKBHLmtdpTXdRP/TNq8XWegY= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 
@@ -322,11 +325,10 @@ github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3p github.com/crewjam/saml v0.4.5 h1:H9u+6CZAESUKHxMyxUbVn0IawYvKZn4nt3d4ccV4O/M= github.com/crewjam/saml v0.4.5/go.mod h1:qCJQpUtZte9R1ZjUBcW8qtCNlinbO363ooNl02S68bk= github.com/cs3org/cato v0.0.0-20200828125504-e418fc54dd5e/go.mod h1:XJEZ3/EQuI3BXTp/6DUzFr850vlxq11I6satRtz0YQ4= -github.com/cs3org/go-cs3apis v0.0.0-20211214102047-7ce3134d7bf8/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY= github.com/cs3org/go-cs3apis v0.0.0-20211214102128-4e8745ab1654 h1:ha5tiuuFyDrwKUrVEc3TrRDFgTKVQ9NGDRmEP0PRPno= github.com/cs3org/go-cs3apis v0.0.0-20211214102128-4e8745ab1654/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY= -github.com/cs3org/reva v1.16.1-0.20220121134812-59d1aa30eb60 h1:XaraDDlNXPv5GREzwkP7+8IEMDXbzzeHsekfUQABJzc= -github.com/cs3org/reva v1.16.1-0.20220121134812-59d1aa30eb60/go.mod h1:/BofcMJgfqTIHNiCp1uXr9ABcgylp27U2W4fjYUR6Fg= +github.com/cs3org/reva v1.16.1-0.20220127144606-c68537205646 h1:B0WGEJWGX4IkIwtUKjcx5LCcdRkcXIVj1eB1nEZQs4g= +github.com/cs3org/reva v1.16.1-0.20220127144606-c68537205646/go.mod h1:I5+dJXt8MoLRuV9iDUr7QlUDJ8mIaDkAE10W8mIDKlI= github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8 h1:Z9lwXumT5ACSmJ7WGnFl+OMLLjpz5uR2fyz7dC255FI= github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8/go.mod h1:4abs/jPXcmJzYoYGF91JF9Uq9s/KL5n1jvFDix8KcqY= github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4= 
@@ -340,8 +342,12 @@ github.com/deckarep/golang-set v1.8.0/go.mod h1:5nI87KwE7wgsBU1F4GKAw2Qod7p5kyS3 github.com/deepmap/oapi-codegen v1.3.11/go.mod h1:suMvK7+rKlx3+tpa8ByptmvoXbAV70wERKTOGH3hLp0= github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f h1:U5y3Y5UE0w7amNe7Z5G/twsBW0KEalRQXZzf8ufSh9I= github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f/go.mod h1:xH/i4TFMt8koVQZ6WFms69WAsDWr2XsYL3Hkl7jkoLE= +github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI= +github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug= github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA= +github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/disintegration/imaging v1.6.2 h1:w1LecBlG2Lnp8B3jk5zSuNqd7b4DXhcjwek1ei82L+c= 
@@ -596,6 +602,7 @@ github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ= github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -741,8 +748,9 @@ github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/S github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= -github.com/hashicorp/go-hclog v1.0.0 h1:bkKf0BeBXcSYa7f5Fyi9gMuQ8gNsxeiNpZjR6VxNZeo= github.com/hashicorp/go-hclog v1.0.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-hclog v1.1.0 h1:QsGcniKx5/LuX2eYoeL+Np3UKYPNaN7YKpTh29h8rbw= +github.com/hashicorp/go-hclog v1.1.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= 
@@ -943,6 +951,8 @@ github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4f github.com/mattn/go-tty v0.0.3/go.mod h1:ihxohKRERHTVzN+aSVRwACLCeqIoZAWpoICkkvrWyR0= github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/maxymania/go-system v0.0.0-20170110133659-647cc364bf0b h1:Q53idHrTuQDDHyXaxZ6pUl0I9uyD6Z6uKFK3ocX6LzI= +github.com/maxymania/go-system v0.0.0-20170110133659-647cc364bf0b/go.mod h1:KirJrATYGbTyUwVR26xIkaipRqRcMRXBf8N5dacvGus= github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103 h1:Z/i1e+gTZrmcGeZyWckaLfucYG6KYOXLWo4co8pZYNY= github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103/go.mod h1:o9YPB5aGP8ob35Vy6+vyq3P3bWe7NQWzf+JLiXCiMaE= github.com/mennanov/fieldmask-utils v0.5.0 h1:8em4akN0NM3hmmrg8VbvOPfdS4SSBdbFd53m9VtfOg0= @@ -959,8 +969,8 @@ github.com/mileusna/useragent v1.0.2/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4 github.com/minio/md5-simd v1.1.0/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw= github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34= github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM= -github.com/minio/minio-go/v7 v7.0.20 h1:0+Xt1SkCKDgcx5cmo3UxXcJ37u5Gy+/2i/+eQYqmYJw= -github.com/minio/minio-go/v7 v7.0.20/go.mod h1:ei5JjmxwHaMrgsMrn4U/+Nmg+d8MKS1U2DAn1ou4+Do= +github.com/minio/minio-go/v7 v7.0.21 h1:xrc4BQr1Fa4s5RwY0xfMjPZFJ1bcYBCCHYlngBdWV+k= +github.com/minio/minio-go/v7 v7.0.21/go.mod h1:ei5JjmxwHaMrgsMrn4U/+Nmg+d8MKS1U2DAn1ou4+Do= github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM= github.com/minio/sha256-simd v1.0.0 h1:v1ta+49hkWZyvaKwrQB8elexRqm6Y0aMLjCNsrYxo6g= github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM= 
@@ -1671,6 +1681,7 @@ golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= diff --git a/settings/pkg/service/v0/service.go b/settings/pkg/service/v0/service.go index 6f335a5614b..43b4b83fc3e 100644 --- a/settings/pkg/service/v0/service.go +++ b/settings/pkg/service/v0/service.go @@ -53,7 +53,7 @@ func (g Service) CheckPermission(ctx context.Context, req *permissions.CheckPerm assignments, err := g.manager.ListRoleAssignments(accountID) if err != nil { return &permissions.CheckPermissionResponse{ - Status: status.NewInternal(ctx, err, err.Error()), + Status: status.NewInternal(ctx, err.Error()), }, nil } @@ -65,7 +65,7 @@ func (g Service) CheckPermission(ctx context.Context, req *permissions.CheckPerm permission, err := g.manager.ReadPermissionByName(req.Permission, roleIDs) if err != nil { return &permissions.CheckPermissionResponse{ - Status: status.NewInternal(ctx, err, err.Error()), + Status: status.NewInternal(ctx, err.Error()), }, nil } From f01d56fe5fef946eb523db8d31d8d49ff1c4e7ff Mon Sep 17 00:00:00 2001 
From: David Christofas Date: Thu, 27 Jan 2022 17:32:41 +0100 Subject: [PATCH 3/4] temporary hack to completely delete users When deleting a user using the OCS api we want to delete the users home space. Now to completely delete a space you need to send two requests. First to 'disable' a space and a second one to really purge it. This commit introduces this second purge request. Furthermore the OCS api now also deletes all spaces owned by the user not only the home space. This is needed since some tests create project spaces and then lookup the space by name. When doing multiple runs though the tests will find several spaces with the same name and will sometimes choose the wrong one which leads to test failures. The whole test tear down should be changed to correctly clean up the test setup. --- ocs/pkg/service/v0/users.go | 47 +++++++++++++++++++++++++++++++++---- 1 file changed, 43 insertions(+), 4 deletions(-) diff --git a/ocs/pkg/service/v0/users.go b/ocs/pkg/service/v0/users.go index 84cf9df2bd2..8010b10a2d8 100644 --- a/ocs/pkg/service/v0/users.go +++ b/ocs/pkg/service/v0/users.go @@ -14,6 +14,7 @@ import ( revauser "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" rpcv1beta1 "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" + typesv1beta1 "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" "github.com/cs3org/reva/pkg/auth/scope" revactx "github.com/cs3org/reva/pkg/ctx" "github.com/cs3org/reva/pkg/rgrpc/todo/pool" 
@@ -410,10 +411,44 @@ func (o Ocs) DeleteUser(w http.ResponseWriter, r *http.Request) {
 },
 },
 },
+ },
+ })
+ if err != nil {
+ o.mustRender(w, r, response.ErrRender(data.MetaServerError.StatusCode, errors.Wrap(err, "could not list owned personal spaces").Error()))
+ return
+ }
+
+ if lsRes.Status.Code != rpcv1beta1.Code_CODE_OK {
+ o.logger.Error().
+ Interface("status", lsRes.Status).
+ Msg("DeleteUser: could not list personal spaces")
+ return
+ }
+
+ for _, space := range lsRes.StorageSpaces {
+ dsRes, err := gwc.DeleteStorageSpace(ctx, &provider.DeleteStorageSpaceRequest{
+ Id: space.Id,
+ })
+ if err != nil {
+ o.logger.Error().Err(err).Msg("DeleteUser: could not make delete space request")
+ continue
+ }
+ if dsRes.Status.Code != rpcv1beta1.Code_CODE_OK && dsRes.Status.Code != rpcv1beta1.Code_CODE_NOT_FOUND {
+ o.logger.Error().
+ Interface("status", dsRes.Status).
+ Msg("DeleteUser: could not delete space")
+ continue
+ }
+ }
+ lsRes, err = gwc.ListStorageSpaces(ctx, &provider.ListStorageSpacesRequest{
+ Filters: []*provider.ListStorageSpacesRequest_Filter{
 {
- Type: provider.ListStorageSpacesRequest_Filter_TYPE_SPACE_TYPE,
- Term: &provider.ListStorageSpacesRequest_Filter_SpaceType{
- SpaceType: "personal",
+ Type: provider.ListStorageSpacesRequest_Filter_TYPE_OWNER,
+ Term: &provider.ListStorageSpacesRequest_Filter_Owner{
+ Owner: &revauser.UserId{
+ Idp: o.config.IdentityManagement.Address,
+ OpaqueId: account.Id,
+ },
 },
 },
 },
@@ -429,9 +464,13 @@ func (o Ocs) DeleteUser(w http.ResponseWriter, r *http.Request) {
 Msg("DeleteUser: could not list personal spaces")
 return
 }
-
 for _, space := range lsRes.StorageSpaces {
 dsRes, err := gwc.DeleteStorageSpace(ctx, &provider.DeleteStorageSpaceRequest{
+ Opaque: &typesv1beta1.Opaque{
+ Map: map[string]*typesv1beta1.OpaqueEntry{
+ "purge": {},
+ },
+ },
 Id: space.Id,
 })
 if err != nil {
From f2b8880ab16d5e9fda1a870852dae7c02e8871bf Mon Sep 17 00:00:00 2001
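Review bot: The new `if lsRes.Status.Code != rpcv1beta1.Code_CODE_OK` block logs and returns without writing a response, while the `err != nil` branch just above it renders `data.MetaServerError`; the HTTP client gets a bare reply with no OCS meta and is left with a half-deleted user. Rendering the same error there, `o.mustRender(w, r, response.ErrRender(data.MetaServerError.StatusCode, "could not list owned personal spaces"))`, before the `return` keeps the two failure paths consistent (the pre-existing status check on the second listing, in the context lines, has the same shape). The second listing now filters by owner rather than by space type, so its log message "could not list personal spaces" no longer describes what was queried. The commit message calls the purge pass a temporary hack but the code does not; a comment on the second `ListStorageSpaces` call, such as `// TODO: temporary hack: disable and then purge every space the user owns, until test teardown cleans up project spaces itself`, keeps that intent with the code. Whether an empty `OpaqueEntry` under the key "purge" is enough for the storage provider to purge cannot be verified from this hunk, and `DeleteUser` continues outside it.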
From: David Christofas
Date: Fri, 28 Jan 2022 12:01:28 +0100
Subject: [PATCH 4/4] improve permission code in settings service
---
 settings/pkg/server/grpc/server.go | 4 +++-
 settings/pkg/service/v0/service.go | 9 ++++++---
 settings/pkg/settings/settings.go | 5 +++++
 settings/pkg/store/filesystem/permissions.go | 3 ++-
 4 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/settings/pkg/server/grpc/server.go b/settings/pkg/server/grpc/server.go
index c313f853dd1..2b8fde17005 100644
--- a/settings/pkg/server/grpc/server.go
+++ b/settings/pkg/server/grpc/server.go
@@ -71,6 +71,8 @@ type permissionsServiceHandler struct {
 
 func (h *permissionsServiceHandler) CheckPermission(ctx context.Context, req *permissions.CheckPermissionRequest, res *permissions.CheckPermissionResponse) error {
 r, err := h.api.CheckPermission(ctx, req)
- *res = *r
+ if r != nil {
+ *res = *r
+ }
 return err
 }
diff --git a/settings/pkg/service/v0/service.go b/settings/pkg/service/v0/service.go
index 43b4b83fc3e..97f6f222c08 100644
--- a/settings/pkg/service/v0/service.go
+++ b/settings/pkg/service/v0/service.go
@@ -2,6 +2,7 @@ package svc
 
 import (
 "context"
+ "errors"
 "fmt"
 
 permissions "github.com/cs3org/go-cs3apis/cs3/permissions/v1beta1"
@@ -64,9 +65,11 @@ func (g Service) CheckPermission(ctx context.Context, req *permissions.CheckPerm
 
 permission, err := g.manager.ReadPermissionByName(req.Permission, roleIDs)
 if err != nil {
- return &permissions.CheckPermissionResponse{
- Status: status.NewInternal(ctx, err.Error()),
- }, nil
+ if !errors.Is(err, settings.ErrPermissionNotFound) {
+ return &permissions.CheckPermissionResponse{
+ Status: status.NewInternal(ctx, err.Error()),
+ }, nil
+ }
 }
 
 if permission == nil {
diff --git a/settings/pkg/settings/settings.go b/settings/pkg/settings/settings.go
index 4f78e3e5940..da0ff5347f3 100644
--- a/settings/pkg/settings/settings.go
+++ b/settings/pkg/settings/settings.go
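Review bot: With the nil guard in `permissionsServiceHandler.CheckPermission`, a handler that returns `nil, nil` now leaves `res` as an empty response whose `Status` is nil, which a caller reading `res.Status.Code` would dereference; the only implementation visible in this series (`Service.CheckPermission`) always returns a response, so the guard is defensive, but returning a non-nil error when both `r` and `err` are nil would make the contract explicit rather than silent. `*res = *r` also copies the generated message struct by value; if these messages carry protoc-gen-go's `protoimpl` state (not visible here), `go vet` reports that copy, and assigning the message's fields individually avoids it.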
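Review bot: The nested `if err != nil { if !errors.Is(err, settings.ErrPermissionNotFound) { … } }` in `Service.CheckPermission` reads better as a single guard, `if err != nil && !errors.Is(err, settings.ErrPermissionNotFound) {`, which keeps the happy path left-aligned. The not-found case then relies on `permission` being nil to reach the `CODE_PERMISSION_DENIED` branch below; that holds for the filesystem store in this series, but returning the denied response directly from the not-found case would state the intent rather than depend on the store's return value. The enclosing `CheckPermission` starts and ends outside the hunk.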
@@ -1,6 +1,8 @@
 package settings
 
 import (
+ "errors"
+
 "github.com/owncloud/ocis/settings/pkg/config"
 "github.com/owncloud/ocis/settings/pkg/proto/v0"
 )
@@ -8,6 +10,9 @@ import (
 var (
 // Registry uses the strategy pattern as a registry
 Registry = map[string]RegisterFunc{}
+
+ // ErrPermissionNotFound defines a new error for when a permission was not found
+ ErrPermissionNotFound = errors.New("permission not found")
 )
 
 // RegisterFunc stores store constructors
diff --git a/settings/pkg/store/filesystem/permissions.go b/settings/pkg/store/filesystem/permissions.go
index db9f67a6c42..ea63c35904e 100644
--- a/settings/pkg/store/filesystem/permissions.go
+++ b/settings/pkg/store/filesystem/permissions.go
@@ -2,6 +2,7 @@ package store
 
 import (
 "github.com/owncloud/ocis/settings/pkg/proto/v0"
+ "github.com/owncloud/ocis/settings/pkg/settings"
 "github.com/owncloud/ocis/settings/pkg/util"
 )
 
@@ -54,7 +55,7 @@ func (s Store) ReadPermissionByName(name string, roleIDs []string) (*proto.Permi
 }
 }
 }
- return nil, nil
+ return nil, settings.ErrPermissionNotFound
 }
 
 // extractPermissionsByResource collects all permissions from the provided role that match the requested resource