Merge nextcloud-alpha into edge (#2403)

* Nextcloud Alpha

* Hound fixes

* Fix https://lgtm.com/projects/g/cs3org/reva/rev/pr-d8736aa82c80c292a3deb71b7873a817aedddca0

* Fix pkg/auth tests

* Fix GetUser

* Fix pkg/user/manager/nextcloud tests

* Fix pkg/storage/fs/nextcloud unit tests

* Fix Nextcloud storage provider integration tests

* Oops

Co-authored-by: Michiel de Jong (Ponder Source) <michiel@pondersource.com>

changelog/unreleased/fix-ocmd-tutorial.md

@@ -0,0 +1,7 @@
+Bugfix: Accept new userid idp format
+
+The format for userid idp [changed](https://github.com/cs3org/cs3apis/pull/159)
+and this broke [the ocmd tutorial](https://reva.link/docs/tutorials/share-tutorial/#5-1-4-create-the-share)
+This PR makes the provider authorizer interceptor accept both the old and the new string format.
+
+See https://github.com/cs3org/reva/issues/2285 and https://github.com/cs3org/reva/issues/2285

changelog/unreleased/nextcloud-ocm-share-manager.md

@@ -0,0 +1,7 @@
+Enhancement: Nextcloud-based share manager for pkg/ocm/share
+
+Note that pkg/ocm/share is very similar to pkg/share,
+but it deals with cs3/sharing/ocm
+whereas pkg/share deals with cs3/sharing/collaboration
+
+https://github.com/cs3org/reva/pull/2163

examples/nextcloud-integration/revad.toml

@@ -93,19 +93,19 @@ disable_tus = true
 ".zmd" = "application/compressed-markdown"
 
 [grpc.services.storageprovider.drivers.nextcloud]
-end_point = "http://localhost/apps/sciencemesh/"
+endpoint = "http://localhost/apps/sciencemesh/"
 user_layout = "{{.Username}}"
 
 
 [grpc.services.authprovider]
 auth_manager = "nextcloud"
 [grpc.services.authprovider.drivers.nextcloud]
-end_point = "http://localhost/apps/sciencemesh/"
+endpoint = "http://localhost/apps/sciencemesh/"
 
 [grpc.services.userprovider]
 driver = "nextcloud"
 [grpc.services.userprovider.drivers.nextcloud]
-end_point = "http://localhost/apps/sciencemesh/"
+endpoint = "http://localhost/apps/sciencemesh/"
 
 [http]
 address = "0.0.0.0:19001"

internal/grpc/services/gateway/authprovider.go

@@ -24,7 +24,6 @@ import (
 	"strings"
 
 	authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
-	provider "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
 	registry "github.com/cs3org/go-cs3apis/cs3/auth/registry/v1beta1"
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
@@ -55,7 +54,7 @@ func (s *svc) Authenticate(ctx context.Context, req *gateway.AuthenticateRequest
 		}, nil
 	}
 
-	authProviderReq := &provider.AuthenticateRequest{
+	authProviderReq := &authpb.AuthenticateRequest{
 		ClientId:     req.ClientId,
 		ClientSecret: req.ClientSecret,
 	}
@@ -200,7 +199,7 @@ func (s *svc) WhoAmI(ctx context.Context, req *gateway.WhoAmIRequest) (*gateway.
 	return res, nil
 }
 
-func (s *svc) findAuthProvider(ctx context.Context, authType string) (provider.ProviderAPIClient, error) {
+func (s *svc) findAuthProvider(ctx context.Context, authType string) (authpb.ProviderAPIClient, error) {
 	c, err := pool.GetAuthRegistryServiceClient(s.c.AuthRegistryEndpoint)
 	if err != nil {
 		err = errors.Wrap(err, "gateway: error getting auth registry client")

internal/grpc/services/ocmcore/ocmcore.go

@@ -22,11 +22,11 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"strings"
 
 	ocmcore "github.com/cs3org/go-cs3apis/cs3/ocm/core/v1beta1"
 	ocm "github.com/cs3org/go-cs3apis/cs3/sharing/ocm/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
+	typespb "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
 	"github.com/cs3org/reva/pkg/errtypes"
 	"github.com/cs3org/reva/pkg/ocm/share"
 	"github.com/cs3org/reva/pkg/ocm/share/manager/registry"
@@ -107,17 +107,11 @@ func (s *service) UnprotectedEndpoints() []string {
 	return []string{"/cs3.ocm.core.v1beta1.OcmCoreAPI/CreateOCMCoreShare"}
 }
 
+// CreateOCMCoreShare is called when an OCM request comes into this reva instance from
 func (s *service) CreateOCMCoreShare(ctx context.Context, req *ocmcore.CreateOCMCoreShareRequest) (*ocmcore.CreateOCMCoreShareResponse, error) {
-	parts := strings.Split(req.ProviderId, ":")
-	if len(parts) < 2 {
-		return &ocmcore.CreateOCMCoreShareResponse{
-			Status: status.NewInternal(ctx, "error decoding resource ID"),
-		}, nil
-	}
-
 	resource := &provider.ResourceId{
-		StorageId: parts[0],
-		OpaqueId:  parts[1],
+		StorageId: "remote",
+		OpaqueId:  req.Name,
 	}
 
 	var resourcePermissions *provider.ResourcePermissions
@@ -163,6 +157,15 @@ func (s *service) CreateOCMCoreShare(ctx context.Context, req *ocmcore.CreateOCM
 			// For now, we only support user shares.
 			// TODO (ishank011): To be updated once this is decided.
 			Id: &provider.Grantee_UserId{UserId: req.ShareWith},
+			// passing this in grant.Grantee.Opaque because ShareGrant itself doesn't have a root opaque.
+			Opaque: &typespb.Opaque{
+				Map: map[string]*typespb.OpaqueEntry{
+					"remoteShareId": {
+						Decoder: "plain",
+						Value:   []byte(req.ProviderId),
+					},
+				},
+			},
 		},
 		Permissions: &ocm.SharePermissions{
 			Permissions: resourcePermissions,
@@ -178,6 +181,7 @@ func (s *service) CreateOCMCoreShare(ctx context.Context, req *ocmcore.CreateOCM
 	}
 
 	share, err := s.sm.Share(ctx, resource, grant, req.Name, nil, "", req.Owner, token, shareType)
+
 	if err != nil {
 		return &ocmcore.CreateOCMCoreShareResponse{
 			Status: status.NewInternal(ctx, "error creating ocm core share"),

internal/grpc/services/ocmshareprovider/ocmshareprovider.go

@@ -102,8 +102,20 @@ func (s *service) UnprotectedEndpoints() []string {
 	return []string{}
 }
 
+// Note: this is for outgoing OCM shares
+// This function is used when you for instance
+// call `ocm-share-create` in reva-cli.
+// For incoming OCM shares from internal/http/services/ocmd/shares.go
+// there is the very similar but slightly different function
+// CreateOCMCoreShare (the "Core" somehow means "incoming").
+// So make sure to keep in mind the difference between this file for outgoing:
+// internal/grpc/services/ocmshareprovider/ocmshareprovider.go
+// and the other one for incoming:
+// internal/grpc/service/ocmcore/ocmcore.go
+// Both functions end up calling the same s.sm.Share function
+// on the OCM share manager:
+// pkg/ocm/share/manager/{json|nextcloud|...}
 func (s *service) CreateOCMShare(ctx context.Context, req *ocm.CreateOCMShareRequest) (*ocm.CreateOCMShareResponse, error) {
-
 	if req.Opaque == nil {
 		return &ocm.CreateOCMShareResponse{
 			Status: status.NewInternal(ctx, "can't find resource permissions"),
@@ -144,6 +156,7 @@ func (s *service) CreateOCMShare(ctx context.Context, req *ocm.CreateOCMShareReq
 
 	// discover share type
 	sharetype := ocm.Share_SHARE_TYPE_REGULAR
+	// FIXME: https://github.com/cs3org/reva/issues/2402
 	protocol, ok := req.Opaque.Map["protocol"]
 	if ok {
 		switch protocol.Decoder {
@@ -156,9 +169,12 @@ func (s *service) CreateOCMShare(ctx context.Context, req *ocm.CreateOCMShareReq
 				Status: status.NewInternal(ctx, "error creating share"),
 			}, nil
 		}
+		// token = protocol FIXME!
 	}
 
-	share, err := s.sm.Share(ctx, req.ResourceId, req.Grant, name, req.RecipientMeshProvider, permissions, nil, "", sharetype)
+	var sharedSecret string = ""
+	share, err := s.sm.Share(ctx, req.ResourceId, req.Grant, name, req.RecipientMeshProvider, permissions, nil, sharedSecret, sharetype)
+
 	if err != nil {
 		return &ocm.CreateOCMShareResponse{
 			Status: status.NewInternal(ctx, "error creating share"),

internal/http/interceptors/providerauthorizer/providerauthorizer.go

@@ -21,6 +21,8 @@ package providerauthorizer
 import (
 	"fmt"
 	"net/http"
+	"net/url"
+	"strings"
 
 	ocmprovider "github.com/cs3org/go-cs3apis/cs3/ocm/provider/v1beta1"
 	"github.com/cs3org/reva/pkg/appctx"
@@ -83,8 +85,19 @@ func New(m map[string]interface{}, unprotected []string, ocmPrefix string) (glob
 				return
 			}
 
+			userIdp := ctxpkg.ContextMustGetUser(ctx).Id.Idp
+			if !(strings.Contains(userIdp, "://")) {
+				userIdp = "https://" + userIdp
+			}
+			userIdpURL, err := url.Parse(userIdp)
+			if err != nil {
+				log.Error().Err(err).Msg("error parsing user idp in provider authorizer")
+				w.WriteHeader(http.StatusUnauthorized)
+				return
+			}
+
 			err = authorizer.IsProviderAllowed(ctx, &ocmprovider.ProviderInfo{
-				Domain: ctxpkg.ContextMustGetUser(ctx).Id.Idp,
+				Domain: userIdpURL.Hostname(),
 			})
 			if err != nil {
 				log.Error().Err(err).Msg("provider not registered in OCM")

internal/http/services/ocmd/config.go

@@ -30,7 +30,7 @@ type configData struct {
 	Enabled       bool            `json:"enabled" xml:"enabled"`
 	APIVersion    string          `json:"apiVersion" xml:"apiVersion"`
 	Host          string          `json:"host" xml:"host"`
-	Endpoint      string          `json:"endpoint" xml:"endpoint"`
+	Endpoint      string          `json:"endPoint" xml:"endPoint"`
 	Provider      string          `json:"provider" xml:"provider"`
 	ResourceTypes []resourceTypes `json:"resourceTypes" xml:"resourceTypes"`
 }
@@ -61,7 +61,11 @@ func (h *configHandler) init(c *Config) {
 		h.c.Provider = "cernbox"
 	}
 	h.c.Enabled = true
-	h.c.Endpoint = fmt.Sprintf("https://%s/%s", h.c.Host, c.Prefix)
+	if len(c.Prefix) > 0 {
+		h.c.Endpoint = fmt.Sprintf("https://%s/%s", h.c.Host, c.Prefix)
+	} else {
+		h.c.Endpoint = fmt.Sprintf("https://%s", h.c.Host)
+	}
 	h.c.ResourceTypes = []resourceTypes{{
 		Name:       "file",
 		ShareTypes: []string{"user"},