auto-accept shares in frontend service

Signed-off-by: jkoberg <jkoberg@owncloud.com>

changelog/unreleased/auto-accept-shares.md

@@ -0,0 +1,5 @@
+Enhancement: Auto-Accept Shares
+
+Automatically accept shares when configured by the user or admin
+
+https://github.com/owncloud/ocis/pull/7097

ocis/pkg/init/init.go

@@ -73,7 +73,8 @@ type IdmService struct {
 }
 
 type FrontendService struct {
-	Archiver InsecureService
+	Archiver       InsecureService
+	ServiceAccount ServiceAccount `yaml:"service_account"`
 }
 
 type AuthbasicService struct {
@@ -377,6 +378,9 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin
 		Notifications: Notifications{
 			ServiceAccount: serviceAccount,
 		},
+		Frontend: FrontendService{
+			ServiceAccount: serviceAccount,
+		},
 	}
 
 	if insecure {

services/frontend/README.md

@@ -55,3 +55,11 @@ The `frontend` service can use a configured store via `FRONTEND_OCS_STAT_CACHE_S
 2.  Though usually not necessary, a database name and a database table can be configured for event stores if the event store supports this. Generally not applicable for stores of type `in-memory`. These settings are blank by default which means that the standard settings of the configured store apply.
 3.  The frontend service can be scaled if not using `in-memory` stores and the stores are configured identically over all instances.
 4.  When using `redis-sentinel`, the Redis master to use is configured via `FRONTEND_OCS_STAT_CACHE_STORE_NODES` in the form of `<sentinel-host>:<sentinel-port>/<redis-master>` like `10.10.0.200:26379/mymaster`.
+
+## Event Handler
+
+The `frontend` service contains an eventhandler for handling `ocs` related events. As of now, it only listens to the `ShareCreated` event.
+
+### Auto-Accept Shares
+
+When setting the `FRONTEND_AUTO_ACCEPT_SHARES` to `true`, all incoming shares will be accepted automatically. Users can overwrite this setting individually in their profile.

services/frontend/pkg/command/events.go

@@ -0,0 +1,170 @@
+package command
+
+import (
+	"context"
+	"errors"
+
+	"github.com/cs3org/reva/v2/pkg/events"
+	"github.com/cs3org/reva/v2/pkg/events/stream"
+	"github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
+	"github.com/cs3org/reva/v2/pkg/utils"
+	"github.com/owncloud/ocis/v2/ocis-pkg/log"
+	"github.com/owncloud/ocis/v2/ocis-pkg/middleware"
+	"github.com/owncloud/ocis/v2/ocis-pkg/registry"
+	"github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
+	"github.com/owncloud/ocis/v2/ocis-pkg/tracing"
+	"github.com/owncloud/ocis/v2/services/frontend/pkg/config"
+	"github.com/owncloud/ocis/v2/services/settings/pkg/store/defaults"
+	"go-micro.dev/v4/metadata"
+	"google.golang.org/protobuf/types/known/fieldmaskpb"
+
+	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
+	group "github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1"
+	user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
+	collaboration "github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1"
+	settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
+)
+
+var _registeredEvents = []events.Unmarshaller{
+	events.ShareCreated{},
+}
+
+// ListenForEvents listens for events and acts accordingly
+func ListenForEvents(cfg *config.Config, l log.Logger) {
+	bus, err := stream.NatsFromConfig(cfg.Service.Name, stream.NatsConfig(cfg.Events))
+	if err != nil {
+		l.Error().Err(err).Msg("cannot connect to nats")
+		return
+	}
+
+	evChannel, err := events.Consume(bus, "frontend", _registeredEvents...)
+	if err != nil {
+		l.Error().Err(err).Msg("cannot consume from nats")
+	}
+
+	tm, err := pool.StringToTLSMode(cfg.GRPCClientTLS.Mode)
+	if err != nil {
+		return
+	}
+
+	gatewaySelector, err := pool.GatewaySelector(
+		cfg.Reva.Address,
+		pool.WithTLSCACert(cfg.GRPCClientTLS.CACert),
+		pool.WithTLSMode(tm),
+		pool.WithRegistry(registry.GetRegistry()),
+	)
+	if err != nil {
+		l.Error().Err(err).Msg("cannot get gateway selector")
+		return
+	}
+
+	gwc, err := gatewaySelector.Next()
+	if err != nil {
+		l.Error().Err(err).Msg("cannot get gateway client")
+		return
+	}
+
+	traceProvider, err := tracing.GetServiceTraceProvider(cfg.Tracing, cfg.Service.Name)
+	if err != nil {
+		l.Error().Err(err).Msg("cannot initialize tracing")
+		return
+	}
+
+	grpcClient, err := grpc.NewClient(
+		append(
+			grpc.GetClientOptions(cfg.GRPCClientTLS),
+			grpc.WithTraceProvider(traceProvider),
+		)...,
+	)
+	if err != nil {
+		l.Error().Err(err).Msg("cannot create grpc client")
+		return
+	}
+
+	valueService := settingssvc.NewValueService("com.owncloud.api.settings", grpcClient)
+
+	for e := range evChannel {
+		switch ev := e.Event.(type) {
+		default:
+			l.Error().Interface("event", e).Msg("unhandled event")
+		case events.ShareCreated:
+			AutoAcceptShares(ev, cfg.AutoAcceptShares, l, gwc, valueService, cfg.ServiceAccount)
+		}
+	}
+}
+
+// AutoAcceptShares automatically accepts shares if configured by the admin or user
+func AutoAcceptShares(ev events.ShareCreated, autoAcceptDefault bool, l log.Logger, gwc gateway.GatewayAPIClient, vs settingssvc.ValueService, cfg config.ServiceAccount) {
+	ctx, err := utils.GetServiceUserContext(cfg.ServiceAccountID, gwc, cfg.ServiceAccountSecret)
+	if err != nil {
+		l.Error().Err(err).Msg("cannot impersonate user")
+		return
+	}
+
+	uids, err := getUserIDs(ctx, gwc, ev.GranteeUserID, ev.GranteeGroupID)
+	if err != nil {
+		l.Error().Err(err).Msg("cannot get granteess")
+		return
+	}
+
+	for _, uid := range uids {
+		if !autoAcceptShares(ctx, uid, autoAcceptDefault, vs) {
+			continue
+		}
+
+		resp, err := gwc.UpdateReceivedShare(ctx, updateShareRequest(ev.ShareID, uid))
+		if err != nil {
+			l.Error().Err(err).Msg("error sending grpc request")
+			continue
+		}
+
+		if resp.GetStatus().GetCode() != rpc.Code_CODE_OK {
+			l.Error().Interface("status", resp.GetStatus()).Str("userid", uid.GetOpaqueId()).Msg("unexpected status code while accepting share")
+		}
+	}
+
+}
+
+func getUserIDs(ctx context.Context, gwc gateway.GatewayAPIClient, uid *user.UserId, gid *group.GroupId) ([]*user.UserId, error) {
+	if uid != nil {
+		return []*user.UserId{uid}, nil
+	}
+
+	res, err := gwc.GetGroup(ctx, &group.GetGroupRequest{GroupId: gid})
+	if err != nil {
+		return nil, err
+	}
+	if res.GetStatus().GetCode() != rpc.Code_CODE_OK {
+		return nil, errors.New("could not get group")
+	}
+
+	return res.GetGroup().GetMembers(), nil
+}
+
+func autoAcceptShares(ctx context.Context, u *user.UserId, defaultValue bool, vs settingssvc.ValueService) bool {
+	granteeCtx := metadata.Set(ctx, middleware.AccountID, u.OpaqueId)
+	if resp, err := vs.GetValueByUniqueIdentifiers(granteeCtx,
+		&settingssvc.GetValueByUniqueIdentifiersRequest{
+			AccountUuid: u.OpaqueId,
+			SettingId:   defaults.SettingUUIDProfileAutoAcceptShares,
+		},
+	); err == nil {
+		return resp.GetValue().GetValue().GetBoolValue()
+
+	}
+	return defaultValue
+}
+
+func updateShareRequest(shareID *collaboration.ShareId, uid *user.UserId) *collaboration.UpdateReceivedShareRequest {
+	return &collaboration.UpdateReceivedShareRequest{
+		Opaque: utils.AppendJSONToOpaque(nil, "userid", uid),
+		Share: &collaboration.ReceivedShare{
+			Share: &collaboration.Share{
+				Id: shareID,
+			},
+			State: collaboration.ShareState_SHARE_STATE_ACCEPTED,
+		},
+		UpdateMask: &fieldmaskpb.FieldMask{Paths: []string{"state"}},
+	}
+}

services/frontend/pkg/command/server.go

@@ -90,6 +90,9 @@ func Server(cfg *config.Config) *cli.Command {
 				logger.Fatal().Err(err).Msg("failed to register the http service")
 			}
 
+			// start event handler
+			go ListenForEvents(cfg, logger)
+
 			return gr.Run()
 		},
 	}

services/frontend/pkg/config/config.go

@@ -53,6 +53,11 @@ type Config struct {
 
 	Middleware Middleware `yaml:"middleware"`
 
+	Events           Events                `yaml:"events"`
+	GRPCClientTLS    *shared.GRPCClientTLS `yaml:"grpc_client_tls"`
+	AutoAcceptShares bool                  `yaml:"auto_accept_shares" env:"FRONTEND_AUTO_ACCEPT_SHARES" desc:"Defines if shares should be auto accepted by default. Users can change this setting individually in their profile."`
+	ServiceAccount   ServiceAccount        `yaml:"service_account"`
+
 	Supervised bool            `yaml:"-"`
 	Context    context.Context `yaml:"-"`
 }
@@ -151,3 +156,18 @@ type Checksums struct {
 	SupportedTypes      []string `yaml:"supported_types" env:"FRONTEND_CHECKSUMS_SUPPORTED_TYPES" desc:"Define the checksum types that indicate to clients which hashes the server can use to verify upload integrity. You can provide multiple types separated by blank or comma. Supported types are 'sha1', 'md5' and 'adler32'."`
 	PreferredUploadType string   `yaml:"preferred_upload_type" env:"FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE" desc:"The supported checksum type for uploads that indicates to clients supporting multiple hash algorithms which one is preferred by the server. Must be one out of the defined list of SUPPORTED_TYPES."`
 }
+
+// Events combines the configuration options for the event bus.
+type Events struct {
+	Endpoint             string `yaml:"endpoint" env:"OCIS_EVENTS_ENDPOINT;FRONTEND_EVENTS_ENDPOINT" desc:"The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture."`
+	Cluster              string `yaml:"cluster" env:"OCIS_EVENTS_CLUSTER;FRONTEND_EVENTS_CLUSTER" desc:"The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system."`
+	TLSInsecure          bool   `yaml:"tls_insecure" env:"OCIS_INSECURE;FRONTEND_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
+	TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"FRONTEND_EVENTS_TLS_ROOT_CA_CERTIFICATE;OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false."`
+	EnableTLS            bool   `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;FRONTEND_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.."`
+}
+
+// ServiceAccount is the configuration for the used service account
+type ServiceAccount struct {
+	ServiceAccountID     string `yaml:"service_account_id" env:"OCIS_SERVICE_ACCOUNT_ID;FRONTEND_SERVICE_ACCOUNT_ID" desc:"The ID of the service account the service should use. See the 'auth-service' service description for more details."`
+	ServiceAccountSecret string `yaml:"service_account_secret" env:"OCIS_SERVICE_ACCOUNT_SECRET;FRONTEND_SERVICE_ACCOUNT_SECRET" desc:"The service account secret."`
+}

services/frontend/pkg/config/parser/parse.go

@@ -5,6 +5,7 @@ import (
 
 	ociscfg "github.com/owncloud/ocis/v2/ocis-pkg/config"
 	"github.com/owncloud/ocis/v2/ocis-pkg/shared"
+	"github.com/owncloud/ocis/v2/ocis-pkg/structs"
 	"github.com/owncloud/ocis/v2/services/frontend/pkg/config"
 	"github.com/owncloud/ocis/v2/services/frontend/pkg/config/defaults"
 
@@ -46,5 +47,9 @@ func Validate(cfg *config.Config) error {
 		return shared.MissingMachineAuthApiKeyError(cfg.Service.Name)
 	}
 
+	if cfg.GRPCClientTLS == nil && cfg.Commons != nil {
+		cfg.GRPCClientTLS = structs.CopyOrZeroValue(cfg.Commons.GRPCClientTLS)
+	}
+
 	return nil
 }

services/ocs/README.md

@@ -1,3 +1,8 @@
-# OCS
+# OCS Service
+
+The `ocs` service (open collaboration services) serves two purpouses: it has an endpoint for signing keys and an eventhandler for ocs related events.
+
+## Signing-Keys Endpoint
+
+The `ocs` service contains an endpoint `/cloud/user/signing-key` on which a user can GET a signing key. Note, this functionality might be deprecated or moved in the future.
 
-The ocs service is an ...