Publicstorageprovider rewrite (#2646)

* introduce scope context Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * add scopes to context Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * use mrants and mountpoints for public shares Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * add changelog Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * update test config Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * fix lint Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * ocdav: replace public mountpoint fileid with grant fileid Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * cleanup Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * cleanup comments Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * prevent nil by disallowing CreateHome in public scope Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
cs3org · Mar 23, 2022 · df406ab · df406ab
1 parent bca5582
commit df406ab
Show file tree

Hide file tree

Showing 11 changed files with 273 additions and 178 deletions.
diff --git a/changelog/unreleased/publicstorageprovider-rewrite.md b/changelog/unreleased/publicstorageprovider-rewrite.md
@@ -0,0 +1,6 @@
+Bugfix: replace public mountpoint fileid with grant fileid in ocdav
+
+We now show the same resoucre id for resources when accessing them via a public links as when using a logged in user. This allows the web ui to start a WOPI session with the correct resource id.
+
+https://github.com/cs3org/reva/pull/2646
+https://github.com/cs3org/reva/issues/2635
diff --git a/internal/grpc/interceptors/auth/auth.go b/internal/grpc/interceptors/auth/auth.go
@@ -23,6 +23,7 @@ import (
  "time"
 
  "github.com/bluele/gcache"
+ authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
  gatewayv1beta1 "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
  userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
  "github.com/cs3org/reva/v2/pkg/appctx"
@@ -96,9 +97,11 @@ func NewUnary(m map[string]interface{}, unprotected []string) (grpc.UnaryServerI
  // to decide the storage provider.
  tkn, ok := ctxpkg.ContextGetToken(ctx)
  if ok {
- u, err := dismantleToken(ctx, tkn, req, tokenManager, conf.GatewayAddr, false)
+ u, tokenScope, err := dismantleToken(ctx, tkn, req, tokenManager, conf.GatewayAddr, false)
  if err == nil {
+ // store user and scopes in context
  ctx = ctxpkg.ContextSetUser(ctx, u)
+ ctx = ctxpkg.ContextSetScopes(ctx, tokenScope)
  }
  }
  return handler(ctx, req)
@@ -112,13 +115,15 @@ func NewUnary(m map[string]interface{}, unprotected []string) (grpc.UnaryServerI
  }
 
  // validate the token and ensure access to the resource is allowed
- u, err := dismantleToken(ctx, tkn, req, tokenManager, conf.GatewayAddr, true)
+ u, tokenScope, err := dismantleToken(ctx, tkn, req, tokenManager, conf.GatewayAddr, true)
  if err != nil {
  log.Warn().Err(err).Msg("access token is invalid")
  return nil, status.Errorf(codes.PermissionDenied, "auth: core access token is invalid")
  }
 
+ // store user and scopes in context
  ctx = ctxpkg.ContextSetUser(ctx, u)
+ ctx = ctxpkg.ContextSetScopes(ctx, tokenScope)
  return handler(ctx, req)
  }
  return interceptor, nil
@@ -159,9 +164,11 @@ func NewStream(m map[string]interface{}, unprotected []string) (grpc.StreamServe
  // to decide the storage provider.
  tkn, ok := ctxpkg.ContextGetToken(ctx)
  if ok {
- u, err := dismantleToken(ctx, tkn, ss, tokenManager, conf.GatewayAddr, false)
+ u, tokenScope, err := dismantleToken(ctx, tkn, ss, tokenManager, conf.GatewayAddr, false)
  if err == nil {
+ // store user and scopes in context
  ctx = ctxpkg.ContextSetUser(ctx, u)
+ ctx = ctxpkg.ContextSetScopes(ctx, tokenScope)
  ss = newWrappedServerStream(ctx, ss)
  }
  }
@@ -177,14 +184,15 @@ func NewStream(m map[string]interface{}, unprotected []string) (grpc.StreamServe
  }
 
  // validate the token and ensure access to the resource is allowed
- u, err := dismantleToken(ctx, tkn, ss, tokenManager, conf.GatewayAddr, true)
+ u, tokenScope, err := dismantleToken(ctx, tkn, ss, tokenManager, conf.GatewayAddr, true)
  if err != nil {
  log.Warn().Err(err).Msg("access token is invalid")
  return status.Errorf(codes.PermissionDenied, "auth: core access token is invalid")
  }
 
- // store user and core access token in context.
+ // store user and scopes in context
  ctx = ctxpkg.ContextSetUser(ctx, u)
+ ctx = ctxpkg.ContextSetScopes(ctx, tokenScope)
  wrapped := newWrappedServerStream(ctx, ss)
  return handler(srv, wrapped)
  }
@@ -204,39 +212,40 @@ func (ss *wrappedServerStream) Context() context.Context {
  return ss.newCtx
 }
 
-func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token.Manager, gatewayAddr string, fetchUserGroups bool) (*userpb.User, error) {
+// dismantleToken extracts the user and scopes from the reva access token
+func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token.Manager, gatewayAddr string, fetchUserGroups bool) (*userpb.User, map[string]*authpb.Scope, error) {
  u, tokenScope, err := mgr.DismantleToken(ctx, tkn)
  if err != nil {
- return nil, err
+ return nil, nil, err
  }
 
  client, err := pool.GetGatewayServiceClient(gatewayAddr)
  if err != nil {
- return nil, err
+ return nil, nil, err
  }
 
  if sharedconf.SkipUserGroupsInToken() && fetchUserGroups {
  groups, err := getUserGroups(ctx, u, client)
  if err != nil {
- return nil, err
+ return nil, nil, err
  }
  u.Groups = groups
  }
 
  // Check if access to the resource is in the scope of the token
  ok, err := scope.VerifyScope(ctx, tokenScope, req)
  if err != nil {
- return nil, errtypes.InternalError("error verifying scope of access token")
+ return nil, nil, errtypes.InternalError("error verifying scope of access token")
  }
  if ok {
- return u, nil
+ return u, tokenScope, nil
  }
 
  if err = expandAndVerifyScope(ctx, req, tokenScope, gatewayAddr, mgr); err != nil {
- return nil, err
+ return nil, nil, err
  }
 
- return u, nil
+ return u, tokenScope, nil
 }
 
 func getUserGroups(ctx context.Context, u *userpb.User, client gatewayv1beta1.GatewayAPIClient) ([]string, error) {