[tests-only][full-ci] added test to enable disable Secure Viewer permissions role for federated shares

tests/acceptance/bootstrap/ArchiverContext.php

@@ -113,7 +113,7 @@ public function removeDir(string $dir): void {
 	 *
 	 * @throws Exception
 	 */
-	private function getArchiverQueryString(
+	public function getArchiverQueryString(
 		string $user,
 		string $resource,
 		string $addressType

tests/acceptance/bootstrap/OcmContext.php

@@ -27,12 +27,15 @@
 use TestHelpers\OcmHelper;
 use TestHelpers\WebDavHelper;
 use TestHelpers\BehatHelper;
+use TestHelpers\HttpRequestHelper;
 
 /**
  * Acceptance test steps related to testing federation share(ocm) features
  */
 class OcmContext implements Context {
 	private FeatureContext $featureContext;
+	private SpacesContext $spacesContext;
+	private ArchiverContext $archiverContext;
 	private string $invitationToken;
 
 	/**
@@ -50,6 +53,8 @@ public function before(BeforeScenarioScope $scope): void {
 		$environment = $scope->getEnvironment();
 		// Get all the contexts you need in this context from here
 		$this->featureContext = BehatHelper::getContext($scope, $environment, 'FeatureContext');
+		$this->spacesContext = BehatHelper::getContext($scope, $environment, 'SpacesContext');
+		$this->archiverContext = BehatHelper::getContext($scope, $environment, 'ArchiverContext');
 	}
 
 	/**
@@ -334,4 +339,68 @@ public function deleteConnection(string $user, string $ocmUser): ResponseInterfa
 			$ocmUser['idp']
 		);
 	}
+
+	/**
+	 * @Then user :user should be able to download federated shared file :resource
+	 *
+	 * @param string $user
+	 * @param string $resource
+	 *
+	 * @return void
+	 */
+	public function userShouldBeAbleToDownloadFederatedSharedFile(string $user, string $resource): void {
+		$remoteItemId = $this->spacesContext->getSharesRemoteItemId($user, $resource);
+		$baseUrl = $this->featureContext->getRemoteBaseUrl();
+		$davPath = WebDavHelper::getDavPath($this->featureContext->getDavPathVersion());
+		$response = HttpRequestHelper::get(
+			"$baseUrl/$davPath/$remoteItemId",
+			$this->featureContext->getStepLineRef(),
+			$user,
+			$this->featureContext->getPasswordForUser($user),
+		);
+		$this->featureContext->theHTTPStatusCodeShouldBe(200, "Failed to download resource $resource", $response);
+	}
+
+	/**
+	 * @Then user :user should be able to download archive of federated shared folder :resource
+	 *
+	 * @param string $user
+	 * @param string $resource
+	 *
+	 * @return void
+	 */
+	public function userShouldBeAbleToDownloadArchiveOfFederatedSharedFolder(string $user, string $resource): void {
+		$queryString = $this->archiverContext->getArchiverQueryString($user, $resource, 'remoteItemIds');
+		$response = HttpRequestHelper::get(
+			$this->archiverContext->getArchiverUrl($queryString),
+			$this->featureContext->getStepLineRef(),
+			$user,
+			$this->featureContext->getPasswordForUser($user)
+		);
+		$this->featureContext->theHTTPStatusCodeShouldBe(
+			200,
+			"Failed to download archive of resource $resource",
+			$response
+		);
+	}
+
+	/**
+	 * @When user :user sends PROPFIND request to federated share :share with depth :folderDepth using the WebDAV API
+	 *
+	 * @param string $user
+	 * @param string $share
+	 * @param string $folderDepth
+	 *
+	 * @return void
+	 * @throws GuzzleException
+	 * @throws JsonException
+	 */
+	public function userSendsPropfindRequestToFederatedShareWithDepthUsingTheWebdavApi(
+		string $user,
+		string $share,
+		string $folderDepth
+	): void {
+		$response = $this->spacesContext->sendPropfindRequestToSpace($user, "", $share, null, $folderDepth, true);
+		$this->featureContext->setResponse($response);
+	}
 }

tests/acceptance/bootstrap/SpacesContext.php

@@ -4210,6 +4210,7 @@ public function userSendsPropfindRequestToSpaceWithHeaders(
 	 * @param string|null $resource
 	 * @param array|null $headers
 	 * @param string|null $folderDepth
+	 * @param bool $federatedShare
 	 *
 	 * @return ResponseInterface
 	 * @throws GuzzleException
@@ -4218,12 +4219,20 @@ public function userSendsPropfindRequestToSpaceWithHeaders(
 	 */
 	public function sendPropfindRequestToSpace(
 		string $user,
-		string $spaceName,
+		?string $spaceName = "",
 		?string $resource = "",
 		?array $headers = [],
-		?string $folderDepth = "1"
+		?string $folderDepth = "1",
+		bool $federatedShare = false
 	): ResponseInterface {
-		$spaceId = $this->getSpaceIdByName($user, $spaceName);
+		// PROPFIND request to federated share via normal webdav path "remote.php/dav/spaces/{shares-space-id}/{resource}" returns 404 status code
+		// the federated share is only accessible using "remote-item-id", i.e. "remote.php/dav/spaces/{remote-item-id}"
+		if ($federatedShare) {
+			$spaceId = $this->getSharesRemoteItemId($user, $resource);
+			$resource = null;
+		} else {
+			$spaceId = $this->getSpaceIdByName($user, $spaceName);
+		}
 		$properties = [
 			'oc:id',
 			'oc:fileid',

tests/acceptance/expected-failures-localAPI-on-OCIS-storage.md

@@ -336,5 +336,9 @@ The expected failures in this file are from features in the owncloud/ocis repo.
 - [apiOcm/share.feature:1194](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiOcm/share.feature#L1194)
 - [apiOcm/share.feature:1218](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiOcm/share.feature#L1218)
 
+#### [[OCM] federated user trying to download file shared with permissions role Secure Viewer returns 500 status code](https://github.com/owncloud/ocis/issues/10822)
+- [apiOcm/enableDisablePermissionsRole.feature:18](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiOcm/enableDisablePermissionsRole.feature#L18)
+- [apiOcm/enableDisablePermissionsRole.feature:58](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiOcm/enableDisablePermissionsRole.feature#L58)
+
 Note: always have an empty line at the end of this file.
 The bash script that processes this file requires that the last line has a newline on the end.

tests/acceptance/features/apiOcm/enableDisablePermissionsRole.feature

@@ -0,0 +1,99 @@
+@ocm @env-config @issue-10824
+Feature: enable/disable permissions role
+  As a user
+  I want to enable/disable permissions role on shared resources
+  So that I can control the accessibility of shared resources to sharee
+
+  Background:
+    Given using spaces DAV path
+    And user "Alice" has been created with default attributes
+    And "Alice" has created the federation share invitation
+    And using server "REMOTE"
+    And user "Brian" has been created with default attributes
+    And "Brian" has accepted invitation
+    And using server "LOCAL"
+    And the administrator has enabled the permissions role "Secure Viewer"
+
+  @issue-10822
+  Scenario: user accesses federated shared file shared with permissions role Secure Viewer after the role is disabled (Personal Space)
+    Given user "Alice" has uploaded file with content "some content" to "textfile.txt"
+    And user "Alice" has sent the following resource share invitation to federated user:
+      | resource        | textfile.txt  |
+      | space           | Personal      |
+      | sharee          | Brian         |
+      | shareType       | user          |
+      | permissionsRole | Secure Viewer |
+    And the administrator has disabled the permissions role "Secure Viewer"
+    And using server "REMOTE"
+    When user "Brian" sends PROPFIND request to federated share "textfile.txt" with depth "0" using the WebDAV API
+    Then the HTTP status code should be "207"
+    And as user "Brian" the PROPFIND response should contain a resource "textfile.txt" with these key and value pairs:
+      | key            | value        |
+      | oc:name        | textfile.txt |
+      | oc:permissions |              |
+    And user "Brian" should have a federated share "textfile.txt" shared by user "Alice" from space "Personal"
+    And user "Brian" should be able to download federated shared file "textfile.txt"
+
+
+  Scenario: user accesses federated shared folder shared with permissions role Secure Viewer after the role is disabled (Personal Space)
+    Given user "Alice" has created folder "folderToShare"
+    And user "Alice" has sent the following resource share invitation to federated user:
+      | resource        | folderToShare |
+      | space           | Personal      |
+      | sharee          | Brian         |
+      | shareType       | user          |
+      | permissionsRole | Secure Viewer |
+    And the administrator has disabled the permissions role "Secure Viewer"
+    And using server "REMOTE"
+    When user "Brian" sends PROPFIND request to federated share "folderToShare" with depth "0" using the WebDAV API
+    Then the HTTP status code should be "207"
+    And as user "Brian" the PROPFIND response should contain a resource "folderToShare" with these key and value pairs:
+      | key            | value         |
+      | oc:name        | folderToShare |
+      | oc:permissions |               |
+    And user "Brian" should have a federated share "folderToShare" shared by user "Alice" from space "Personal"
+    And user "Brian" should be able to download archive of federated shared folder "folderToShare"
+
+  @issue-10822
+  Scenario: user accesses federated shared file shared with permissions role Secure Viewer after the role is disabled (Project Space)
+    Given the administrator has assigned the role "Space Admin" to user "Alice" using the Graph API
+    And user "Alice" has created a space "new-space" with the default quota using the Graph API
+    And user "Alice" has uploaded a file inside space "new-space" with content "some content" to "textfile.txt"
+    And user "Alice" has sent the following resource share invitation to federated user:
+      | resource        | textfile.txt  |
+      | space           | new-space     |
+      | sharee          | Brian         |
+      | shareType       | user          |
+      | permissionsRole | Secure Viewer |
+    And the administrator has disabled the permissions role "Secure Viewer"
+    And using server "REMOTE"
+    When user "Brian" sends PROPFIND request to federated share "textfile.txt" with depth "0" using the WebDAV API
+    Then the HTTP status code should be "207"
+    And as user "Brian" the PROPFIND response should contain a resource "textfile.txt" with these key and value pairs:
+      | key            | value        |
+      | oc:name        | textfile.txt |
+      | oc:permissions |              |
+    And user "Brian" should have a federated share "textfile.txt" shared by user "Alice" from space "new-space"
+    And user "Brian" should be able to download federated shared file "textfile.txt"
+
+
+  Scenario: user accesses federated shared folder shared with permissions role Secure Viewer after the role is disabled (Project Space)
+    Given the administrator has assigned the role "Space Admin" to user "Alice" using the Graph API
+    And user "Alice" has created a space "new-space" with the default quota using the Graph API
+    And user "Alice" has created a folder "folderToShare" in space "new-space"
+    And user "Alice" has sent the following resource share invitation to federated user:
+      | resource        | folderToShare |
+      | space           | new-space     |
+      | sharee          | Brian         |
+      | shareType       | user          |
+      | permissionsRole | Secure Viewer |
+    And the administrator has disabled the permissions role "Secure Viewer"
+    And using server "REMOTE"
+    When user "Brian" sends PROPFIND request to federated share "folderToShare" with depth "0" using the WebDAV API
+    Then the HTTP status code should be "207"
+    And as user "Brian" the PROPFIND response should contain a resource "folderToShare" with these key and value pairs:
+      | key            | value         |
+      | oc:name        | folderToShare |
+      | oc:permissions |               |
+    And user "Brian" should have a federated share "folderToShare" shared by user "Alice" from space "new-space"
+    And user "Brian" should be able to download archive of federated shared folder "folderToShare"