Support t and x in ACEs

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
cs3org · May 15, 2024 · 6675dd2 · 6675dd2
1 parent 7099ed4
commit 6675dd2
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 11 deletions.
diff --git a/changelog/unreleased/support-tx-in-aces.md b/changelog/unreleased/support-tx-in-aces.md
@@ -0,0 +1,5 @@
+Enhancement: Support t and x in ACEs
+
+To support view only shares (dowload forbidden) we added t (read attrs) and x (directory traversal) permissions to the decomposed FS ACEs. 
+
+https://github.com/cs3org/reva/pull/4685
diff --git a/pkg/storage/utils/ace/ace.go b/pkg/storage/utils/ace/ace.go
@@ -316,10 +316,15 @@ func (e *ACE) granteeType() provider.GranteeType {
 // grantPermissionSet returns the set of CS3 resource permissions representing the ACE
 func (e *ACE) grantPermissionSet() *provider.ResourcePermissions {
  p := &provider.ResourcePermissions{}
- // r
- if strings.Contains(e.permissions, "r") {
+ // t
+ if strings.Contains(e.permissions, "t") {
  p.Stat = true
  p.GetPath = true
+ }
+ // r
+ if strings.Contains(e.permissions, "r") {
+ p.Stat = true // currently assumed
+ p.GetPath = true // currently assumed
  p.InitiateFileDownload = true
  p.ListContainer = true
  }
@@ -336,10 +341,9 @@ func (e *ACE) grantPermissionSet() *provider.ResourcePermissions {
  p.CreateContainer = true
  }
  // x
- // if strings.Contains(e.Permissions, "x") {
- // TODO execute file permission?
- // TODO change directory permission?
- // }
+ if strings.Contains(e.permissions, "x") {
+ p.ListContainer = true
+ }
  // d
  if strings.Contains(e.permissions, "d") {
  p.Delete = true
@@ -436,10 +440,17 @@ func unmarshalKV(s string) (*ACE, error) {
  return e, nil
 }
 
+// getACEPerm produces an NFSv4.x inspired permission string from a CS3 resource permissions set
 func getACEPerm(set *provider.ResourcePermissions) string {
  var b strings.Builder
 
- if set.Stat || set.InitiateFileDownload || set.ListContainer || set.GetPath {
+ if set.Stat || set.GetPath {
+ b.WriteString("t")
+ }
+ if set.ListContainer { // we have no dedicated traversal permission, but to listing a container allows traversing it
+ b.WriteString("x")
+ }
+ if set.InitiateFileDownload {
  b.WriteString("r")
  }
  if set.InitiateFileUpload || set.Move {

diff --git a/pkg/storage/utils/ace/ace_test.go b/pkg/storage/utils/ace/ace_test.go
@@ -100,6 +100,21 @@ var _ = Describe("ACE", func() {
  })
 
  Describe("converting permissions", func() {
+ It("converts t", func() {
+ userGrant.Permissions.Stat = true
+ newGrant := ace.FromGrant(userGrant).Grant()
+ userGrant.Permissions.Stat = false
+ Expect(newGrant.Permissions.Stat).To(BeTrue())
+ Expect(newGrant.Permissions.Delete).To(BeFalse())
+
+ userGrant.Permissions.GetPath = true
+ newGrant = ace.FromGrant(userGrant).Grant()
+ fmt.Println(newGrant.Permissions)
+ userGrant.Permissions.GetPath = false
+ Expect(newGrant.Permissions.GetPath).To(BeTrue())
+ Expect(newGrant.Permissions.Delete).To(BeFalse())
+ })
+
  It("converts r", func() {
  userGrant.Permissions.Stat = true
  newGrant := ace.FromGrant(userGrant).Grant()
@@ -152,6 +167,14 @@ var _ = Describe("ACE", func() {
  Expect(newGrant.Permissions.Delete).To(BeFalse())
  })
 
+ It("converts x", func() {
+ userGrant.Permissions.ListContainer = true
+ newGrant := ace.FromGrant(userGrant).Grant()
+ userGrant.Permissions.ListContainer = false
+ Expect(newGrant.Permissions.ListContainer).To(BeTrue())
+ Expect(newGrant.Permissions.Delete).To(BeFalse())
+ })
+
  It("converts d", func() {
  userGrant.Permissions.Delete = true
  newGrant := ace.FromGrant(userGrant).Grant()

diff --git a/pkg/storage/utils/decomposedfs/grants_test.go b/pkg/storage/utils/decomposedfs/grants_test.go
@@ -50,9 +50,10 @@ var _ = Describe("Grants", func() {
  },
  },
  Permissions: &provider.ResourcePermissions{
- Stat: true,
- Move: true,
- Delete: false,
+ Stat: true,
+ Move: true,
+ Delete: false,
+ InitiateFileDownload: true,
  },
  Creator: &userpb.UserId{
  OpaqueId: helpers.OwnerID,
@@ -130,7 +131,7 @@ var _ = Describe("Grants", func() {
  Expect(err).ToNot(HaveOccurred())
  attr, err := n.XattrString(env.Ctx, prefixes.GrantUserAcePrefix+grant.Grantee.GetUserId().OpaqueId)
  Expect(err).ToNot(HaveOccurred())
- Expect(attr).To(Equal(fmt.Sprintf("\x00t=A:f=:p=rw:c=%s:e=0\n", o.GetOpaqueId()))) // NOTE: this tests ace package
+ Expect(attr).To(Equal(fmt.Sprintf("\x00t=A:f=:p=trw:c=%s:e=0\n", o.GetOpaqueId()))) // NOTE: this tests ace package
  })
 
  It("creates a storage space per created grant", func() {