diff --git a/changelog/unreleased/bump-reva.md b/changelog/unreleased/bump-reva.md new file mode 100644 index 00000000000..7840d319dac --- /dev/null +++ b/changelog/unreleased/bump-reva.md @@ -0,0 +1,5 @@ +Enhancement: Bump reva + +bumps reva version + +https://github.com/owncloud/ocis/pull/7721 diff --git a/go.mod b/go.mod index 74c1350de3e..9fd29de3c4b 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/coreos/go-oidc v2.2.1+incompatible github.com/coreos/go-oidc/v3 v3.7.0 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 - github.com/cs3org/reva/v2 v2.16.1-0.20231110061744-953e57a6a95c + github.com/cs3org/reva/v2 v2.16.1-0.20231113153113-e258a7c4dfb0 github.com/dhowden/tag v0.0.0-20230630033851-978a0926ee25 github.com/disintegration/imaging v1.6.2 github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e diff --git a/go.sum b/go.sum index 14d62add7a3..791546b027e 100644 --- a/go.sum +++ b/go.sum @@ -1013,8 +1013,8 @@ github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c= github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME= github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2FasrrPg8gGPHQPOrQ18MS1Oew2tmGtY= github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY= -github.com/cs3org/reva/v2 v2.16.1-0.20231110061744-953e57a6a95c h1:sxTOKm1ChsykAm8ITLHXNSic9RTUfpAq6Ujj94/irXQ= -github.com/cs3org/reva/v2 v2.16.1-0.20231110061744-953e57a6a95c/go.mod h1:utPCNSrWDdAwz2biLrKvzO6nDH9L7vRVGNzof13r8Kw= +github.com/cs3org/reva/v2 v2.16.1-0.20231113153113-e258a7c4dfb0 h1:k7WdgewYRI5sWqfnyV3GG+nPCxyAZfh1YEkqZep1Nf8= +github.com/cs3org/reva/v2 v2.16.1-0.20231113153113-e258a7c4dfb0/go.mod h1:utPCNSrWDdAwz2biLrKvzO6nDH9L7vRVGNzof13r8Kw= github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/proppatch.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/proppatch.go index 492348d4072..9c920c170ba 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/proppatch.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/proppatch.go @@ -38,7 +38,9 @@ import ( "github.com/cs3org/reva/v2/pkg/appctx" ctxpkg "github.com/cs3org/reva/v2/pkg/ctx" "github.com/cs3org/reva/v2/pkg/errtypes" + "github.com/cs3org/reva/v2/pkg/permission" rstatus "github.com/cs3org/reva/v2/pkg/rgrpc/status" + "github.com/cs3org/reva/v2/pkg/utils" "github.com/rs/zerolog" ) @@ -217,6 +219,17 @@ func (s *svc) handleProppatch(ctx context.Context, w http.ResponseWriter, r *htt return nil, nil, false } currentUser := ctxpkg.ContextMustGetUser(ctx) + ok, err := utils.CheckPermission(ctx, permission.WriteFavorites, client) + if err != nil { + log.Error().Err(err).Msg("error checking permission") + w.WriteHeader(http.StatusInternalServerError) + return nil, nil, false + } + if !ok { + log.Info().Interface("user", currentUser).Msg("user not allowed to unset favorite") + w.WriteHeader(http.StatusForbidden) + return nil, nil, false + } err = s.favoritesManager.UnsetFavorite(ctx, currentUser.Id, statRes.Info) if err != nil { w.WriteHeader(http.StatusInternalServerError) @@ -275,6 +288,17 @@ func (s *svc) handleProppatch(ctx context.Context, w http.ResponseWriter, r *htt return nil, nil, false } currentUser := ctxpkg.ContextMustGetUser(ctx) + ok, err := utils.CheckPermission(ctx, permission.WriteFavorites, client) + if err != nil { + log.Error().Err(err).Msg("error checking permission") + w.WriteHeader(http.StatusInternalServerError) + return nil, nil, false + } + if !ok { + log.Info().Interface("user", currentUser).Msg("user not allowed to set favorite") + w.WriteHeader(http.StatusForbidden) + return nil, nil, false + } err = s.favoritesManager.SetFavorite(ctx, currentUser.Id, statRes.Info) if err != nil { w.WriteHeader(http.StatusInternalServerError) diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/report.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/report.go index 02f68867677..1eeaa206618 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/report.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/report.go @@ -30,6 +30,8 @@ import ( "github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/propfind" "github.com/cs3org/reva/v2/pkg/appctx" ctxpkg "github.com/cs3org/reva/v2/pkg/ctx" + "github.com/cs3org/reva/v2/pkg/permission" + "github.com/cs3org/reva/v2/pkg/utils" ) const ( @@ -73,20 +75,31 @@ func (s *svc) doFilterFiles(w http.ResponseWriter, r *http.Request, ff *reportFi if ff.Rules.Favorite { // List the users favorite resources. + client, err := s.gatewaySelector.Next() + if err != nil { + log.Error().Err(err).Msg("error selecting next gateway client") + w.WriteHeader(http.StatusInternalServerError) + return + } currentUser := ctxpkg.ContextMustGetUser(ctx) - favorites, err := s.favoritesManager.ListFavorites(ctx, currentUser.Id) + ok, err := utils.CheckPermission(ctx, permission.ListFavorites, client) if err != nil { - log.Error().Err(err).Msg("error getting favorites") + log.Error().Err(err).Msg("error checking permission") w.WriteHeader(http.StatusInternalServerError) return } - - client, err := s.gatewaySelector.Next() + if !ok { + log.Info().Interface("user", currentUser).Msg("user not allowed to list favorites") + w.WriteHeader(http.StatusForbidden) + return + } + favorites, err := s.favoritesManager.ListFavorites(ctx, currentUser.Id) if err != nil { - log.Error().Err(err).Msg("error selecting next gateway client") + log.Error().Err(err).Msg("error getting favorites") w.WriteHeader(http.StatusInternalServerError) return } + infos := make([]*provider.ResourceInfo, 0, len(favorites)) for i := range favorites { statRes, err := client.Stat(ctx, &providerv1beta1.StatRequest{Ref: &providerv1beta1.Reference{ResourceId: favorites[i]}}) diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go index 36d038ee8e1..051783b5414 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go @@ -26,13 +26,14 @@ import ( "strconv" userv1beta1 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" - permissionsv1beta1 "github.com/cs3org/go-cs3apis/cs3/permissions/v1beta1" rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1" link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" "github.com/cs3org/reva/v2/pkg/conversions" + "github.com/cs3org/reva/v2/pkg/permission" "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool" + "github.com/cs3org/reva/v2/pkg/utils" "github.com/huandu/xstrings" "github.com/rs/zerolog/log" @@ -69,15 +70,7 @@ func (h *Handler) createPublicLinkShare(w http.ResponseWriter, r *http.Request, // NOTE: one is allowed to create an internal link without the `Publink.Write` permission if permKey != nil && *permKey != 0 { - user := ctxpkg.ContextMustGetUser(ctx) - resp, err := c.CheckPermission(ctx, &permissionsv1beta1.CheckPermissionRequest{ - SubjectRef: &permissionsv1beta1.SubjectReference{ - Spec: &permissionsv1beta1.SubjectReference_UserId{ - UserId: user.Id, - }, - }, - Permission: "PublicLink.Write", - }) + ok, err := utils.CheckPermission(ctx, permission.WritePublicLink, c) if err != nil { return nil, &ocsError{ Code: response.MetaServerError.StatusCode, @@ -85,8 +78,7 @@ func (h *Handler) createPublicLinkShare(w http.ResponseWriter, r *http.Request, Error: err, } } - - if resp.Status.Code != rpc.Code_CODE_OK { + if !ok { return nil, &ocsError{ Code: response.MetaForbidden.StatusCode, Message: "user is not allowed to create a public link", @@ -335,20 +327,12 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar // NOTE: you are allowed to update a link TO a public link without the `PublicLink.Write` permission if you created it yourself if (permKey != nil && *permKey != 0) || !createdByUser { - resp, err := gwC.CheckPermission(ctx, &permissionsv1beta1.CheckPermissionRequest{ - SubjectRef: &permissionsv1beta1.SubjectReference{ - Spec: &permissionsv1beta1.SubjectReference_UserId{ - UserId: user.Id, - }, - }, - Permission: "PublicLink.Write", - }) + ok, err := utils.CheckPermission(ctx, permission.WritePublicLink, gwC) if err != nil { response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "failed to check user permission", err) return } - - if resp.Status.Code != rpc.Code_CODE_OK { + if !ok { response.WriteOCSError(w, r, response.MetaForbidden.StatusCode, "user is not allowed to update the public link", nil) return } @@ -710,20 +694,12 @@ func (h *Handler) checkPasswordEnforcement(ctx context.Context, user *userv1beta response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "could not check permission", err) return errors.New("could not check permission") } - resp, err := gwC.CheckPermission(ctx, &permissionsv1beta1.CheckPermissionRequest{ - SubjectRef: &permissionsv1beta1.SubjectReference{ - Spec: &permissionsv1beta1.SubjectReference_UserId{ - UserId: user.Id, - }, - }, - Permission: "ReadOnlyPublicLinkPassword.Delete", - }) + ok, err := utils.CheckPermission(ctx, permission.DeleteReadOnlyPassword, gwC) if err != nil { response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "failed to check user permission", err) return errors.New("failed to check user permission") } - - if resp.Status.Code != rpc.Code_CODE_OK { + if !ok { response.WriteOCSError(w, r, response.MetaForbidden.StatusCode, "user is not allowed to delete the password from the public link", nil) return errors.New("user is not allowed to delete the password from the public link") } diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go index c5114128ba5..1ec428fce02 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go @@ -42,6 +42,7 @@ import ( types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" "github.com/cs3org/reva/v2/pkg/conversions" "github.com/cs3org/reva/v2/pkg/password" + "github.com/cs3org/reva/v2/pkg/permission" "github.com/go-chi/chi/v5" "github.com/rs/zerolog" "google.golang.org/grpc/metadata" @@ -233,6 +234,18 @@ func (h *Handler) CreateShare(w http.ResponseWriter, r *http.Request) { } sublog := appctx.GetLogger(ctx).With().Interface("ref", ref).Logger() + ok, err := utils.CheckPermission(ctx, permission.WriteShare, client) + if err != nil { + sublog.Error().Err(err).Msg("error checking user permissions") + response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "error checking user permissions", err) + return + } + if !ok { + sublog.Debug().Interface("user", ctxpkg.ContextMustGetUser(ctx).Id).Msg("user not allowed to create share") + response.WriteOCSError(w, r, response.MetaForbidden.StatusCode, "permission denied", nil) + return + } + statReq := provider.StatRequest{Ref: &ref, FieldMask: &fieldmaskpb.FieldMask{Paths: []string{"space"}}} statRes, err := client.Stat(ctx, &statReq) if err != nil { @@ -725,6 +738,18 @@ func (h *Handler) updateShare(w http.ResponseWriter, r *http.Request, share *col return } + ok, err := utils.CheckPermission(ctx, permission.WriteShare, client) + if err != nil { + sublog.Error().Err(err).Msg("error checking user permissions") + response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "error checking user permissions", err) + return + } + if !ok { + sublog.Debug().Interface("user", ctxpkg.ContextMustGetUser(ctx).Id).Msg("user not allowed to create share") + response.WriteOCSError(w, r, response.MetaForbidden.StatusCode, "permission denied", nil) + return + } + info, status, err := h.getResourceInfoByID(ctx, client, share.ResourceId) if err != nil || status.Code != rpc.Code_CODE_OK { response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "error mapping share data", err) diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/user.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/user.go index e88ef16a675..d67d0f2d2e7 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/user.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/user.go @@ -32,6 +32,7 @@ import ( "github.com/cs3org/reva/v2/pkg/appctx" "github.com/cs3org/reva/v2/pkg/conversions" ctxpkg "github.com/cs3org/reva/v2/pkg/ctx" + "github.com/cs3org/reva/v2/pkg/permission" "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool" "github.com/cs3org/reva/v2/pkg/utils" ) @@ -163,6 +164,17 @@ func (h *Handler) removeUserShare(w http.ResponseWriter, r *http.Request, share return } + // TODO: should we use Share.Delete here? + ok, err := utils.CheckPermission(ctx, permission.WriteShare, uClient) + if err != nil { + response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "error checking user permissions", err) + return + } + if !ok { + response.WriteOCSError(w, r, response.MetaForbidden.StatusCode, "permission denied", nil) + return + } + shareRef := &collaboration.ShareReference{ Spec: &collaboration.ShareReference_Id{ Id: share.Id, diff --git a/vendor/github.com/cs3org/reva/v2/pkg/permission/manager/demo/demo.go b/vendor/github.com/cs3org/reva/v2/pkg/permission/manager/demo/demo.go index fd55783dd5f..cc28024463e 100644 --- a/vendor/github.com/cs3org/reva/v2/pkg/permission/manager/demo/demo.go +++ b/vendor/github.com/cs3org/reva/v2/pkg/permission/manager/demo/demo.go @@ -47,6 +47,15 @@ func (m manager) CheckPermission(perm string, subject string, ref *provider.Refe case permission.ListAllSpaces: // TODO introduce an admin role to allow listing all spaces return false + case permission.WriteShare: + // TODO guest accounts cannot share + return true + case permission.ListFavorites: + // TODO guest accounts cannot list favorites + return true + case permission.WriteFavorites: + // TODO guest accounts cannot write favorites + return true default: // We can currently return false all the time. // Once we beginn testing roles we need to somehow check the roles of the users here diff --git a/vendor/github.com/cs3org/reva/v2/pkg/permission/permission.go b/vendor/github.com/cs3org/reva/v2/pkg/permission/permission.go index 405f72bbc87..fb82add4439 100644 --- a/vendor/github.com/cs3org/reva/v2/pkg/permission/permission.go +++ b/vendor/github.com/cs3org/reva/v2/pkg/permission/permission.go @@ -29,6 +29,14 @@ const ( CreateSpace string = "Drives.Create" // WritePublicLink is the hardcoded name for the PublicLink.Write permission WritePublicLink string = "PublicLink.Write" + // WriteShare is the hardcoded name for the Shares.Write permission + WriteShare string = "Shares.Write" + // ListFavorites is the hardcoded name for the Favorites.List permission + ListFavorites string = "Favorites.List" + // WriteFavorites is the hardcoded name for the Favorites.Write permission + WriteFavorites string = "Favorites.Write" + // DeleteReadOnlyPassword is the hardcoded name for the ReadOnlyPublicLinkPassword.Delete permission + DeleteReadOnlyPassword string = "ReadOnlyPublicLinkPassword.Delete" ) // Manager defines the interface for the permission service driver diff --git a/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go b/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go index 0be65a67db4..ae49c7ab8e2 100644 --- a/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go +++ b/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go @@ -9,8 +9,10 @@ import ( gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1" group "github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1" user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" + permissions "github.com/cs3org/go-cs3apis/cs3/permissions/v1beta1" rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1" storageprovider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" + ctxpkg "github.com/cs3org/reva/v2/pkg/ctx" revactx "github.com/cs3org/reva/v2/pkg/ctx" "google.golang.org/grpc/metadata" @@ -164,6 +166,20 @@ func GetResource(ctx context.Context, ref *storageprovider.Reference, gwc gatewa return res.GetInfo(), nil } +// CheckPermission checks if the user role contains the given permission +func CheckPermission(ctx context.Context, perm string, gwc gateway.GatewayAPIClient) (bool, error) { + user := ctxpkg.ContextMustGetUser(ctx) + resp, err := gwc.CheckPermission(ctx, &permissions.CheckPermissionRequest{ + SubjectRef: &permissions.SubjectReference{ + Spec: &permissions.SubjectReference_UserId{ + UserId: user.Id, + }, + }, + Permission: perm, + }) + return resp.GetStatus().GetCode() == rpc.Code_CODE_OK, err +} + // IsStatusCodeError returns true if `err` was caused because of status code `code` func IsStatusCodeError(err error, code rpc.Code) bool { sce, ok := err.(statusCodeError) diff --git a/vendor/modules.txt b/vendor/modules.txt index 98c5c0e8a97..9775a1059cb 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -357,7 +357,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1 github.com/cs3org/go-cs3apis/cs3/types/v1beta1 -# github.com/cs3org/reva/v2 v2.16.1-0.20231110061744-953e57a6a95c +# github.com/cs3org/reva/v2 v2.16.1-0.20231113153113-e258a7c4dfb0 ## explicit; go 1.20 github.com/cs3org/reva/v2/cmd/revad/internal/grace github.com/cs3org/reva/v2/cmd/revad/runtime