define permissions for service accounts

Signed-off-by: jkoberg <jkoberg@owncloud.com>
cs3org · Aug 21, 2023 · ae3b406 · ae3b406
1 parent ca1b994
commit ae3b406
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 5 deletions.
diff --git a/pkg/auth/manager/serviceaccounts/serviceaccounts.go b/pkg/auth/manager/serviceaccounts/serviceaccounts.go
@@ -68,7 +68,10 @@ func (m *manager) Authenticate(ctx context.Context, userID string, secret string
 	}
 	return &userpb.User{
 		// TODO: more details for service users?
-		Id: &userpb.UserId{OpaqueId: userID},
+		Id: &userpb.UserId{
+			OpaqueId: userID,
+			Type:     userpb.UserType_USER_TYPE_SERVICE,
+		},
 	}, scope, nil
 }
 

diff --git a/pkg/storage/utils/decomposedfs/node/node.go b/pkg/storage/utils/decomposedfs/node/node.go
@@ -974,10 +974,6 @@ func (n *Node) ReadUserPermissions(ctx context.Context, u *userpb.User) (ap prov
 		return OwnerPermissions(), false, nil
 	}
 
-	if u.Id.GetOpaqueId() == "service-user-id" {
-		return OwnerPermissions(), false, nil
-	}
-
 	ap = provider.ResourcePermissions{}
 
 	// for an efficient group lookup convert the list of groups to a map

diff --git a/pkg/storage/utils/decomposedfs/node/permissions.go b/pkg/storage/utils/decomposedfs/node/permissions.go
@@ -22,6 +22,7 @@ import (
 	"context"
 	"strings"
 
+	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	"github.com/cs3org/reva/v2/pkg/appctx"
 	ctxpkg "github.com/cs3org/reva/v2/pkg/ctx"
@@ -84,6 +85,21 @@ func OwnerPermissions() provider.ResourcePermissions {
 	}
 }
 
+// ServiceAccountPermissions defines the permissions for nodes when requested by a service account
+func ServiceAccountPermissions() provider.ResourcePermissions {
+	// TODO: Different permissions for different service accounts
+	return provider.ResourcePermissions{
+		Stat:                 true,
+		ListContainer:        true,
+		GetPath:              true, // for search index
+		InitiateFileUpload:   true, // for personal data export
+		InitiateFileDownload: true, // for full-text-search
+		RemoveGrant:          true, // for share expiry
+		ListRecycle:          true, // for purge-trash-bin command
+		PurgeRecycle:         true, // for purge-trash-bin command
+	}
+}
+
 // Permissions implements permission checks
 type Permissions struct {
 	lu PathLookup
@@ -113,6 +129,10 @@ func (p *Permissions) assemblePermissions(ctx context.Context, n *Node, failOnTr
 		return NoPermissions(), nil
 	}
 
+	if u.GetId().GetType() == userpb.UserType_USER_TYPE_SERVICE {
+		return ServiceAccountPermissions(), nil
+	}
+
 	// are we reading a revision?
 	if strings.Contains(n.ID, RevisionIDDelimiter) {
 		// verify revision key format