Use proto json marshaling

internal/grpc/interceptors/auth/auth.go

@@ -20,7 +20,6 @@ package auth
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"strings"
 
@@ -29,6 +28,7 @@ import (
 	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
+	registry "github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1"
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
 	"github.com/cs3org/reva/pkg/appctx"
 	"github.com/cs3org/reva/pkg/errtypes"
@@ -122,7 +122,7 @@ func NewUnary(m map[string]interface{}, unprotected []string) (grpc.UnaryServerI
 		// validate the token
 		u, err := dismantleToken(ctx, tkn, req, tokenManager, conf.GatewayAddr)
 		if err != nil {
-			log.Warn().Msg("access token is invalid")
+			log.Warn().Err(err).Msg("access token is invalid")
 			return nil, status.Errorf(codes.Unauthenticated, "auth: core access token is invalid")
 		}
 
@@ -194,7 +194,7 @@ func NewStream(m map[string]interface{}, unprotected []string) (grpc.StreamServe
 		// validate the token
 		u, err := dismantleToken(ctx, tkn, ss, tokenManager, conf.GatewayAddr)
 		if err != nil {
-			log.Warn().Msg("access token invalid")
+			log.Warn().Err(err).Msg("access token is invalid")
 			return status.Errorf(codes.Unauthenticated, "auth: core access token is invalid")
 		}
 
@@ -221,21 +221,24 @@ func (ss *wrappedServerStream) Context() context.Context {
 
 func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token.Manager, gatewayAddr string) (*userpb.User, error) {
 	u, scope, err := mgr.DismantleToken(ctx, tkn, req)
+	log := appctx.GetLogger(ctx)
+	log.Info().Msgf("scope: %+v, req: %+v", scope["publicshare"], req)
 
 	// Check if the err returned is PermissionDenied
 	if _, ok := err.(errtypes.PermissionDenied); ok {
+		log.Info().Msgf("resolving ref %+v", req)
 		// Check if req is of type *provider.Reference_Path
 		// If yes, the request might be coming from a share where the accessor is
 		// trying to impersonate the owner, since the share manager doesn't know the
 		// share path.
-		if ref, ok := req.(*provider.Reference); ok {
+		if ref, ok := extractRef(req); ok {
 			if ref.GetPath() != "" {
 
 				// Try to extract the resource ID from the scope resource.
 				// Currently, we only check for public shares, but this will be extended
 				// for OCM shares, guest accounts, etc.
-				var share *link.PublicShare
-				err = json.Unmarshal(scope["publicshare"].Resource.Value, &share)
+				var share link.PublicShare
+				err = utils.UnmarshalJSONToProtoV1(scope["publicshare"].Resource.Value, &share)
 				if err != nil {
 					return nil, err
 				}
@@ -261,7 +264,7 @@ func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token.
 				if strings.HasPrefix(ref.GetPath(), statResponse.Info.Path) {
 					// The path corresponds to the resource to which the token has access.
 					// Add it to the scope map
-					val, err := json.Marshal(ref)
+					val, err := utils.MarshalProtoV1ToJSON(ref)
 					if err != nil {
 						return nil, err
 					}
@@ -288,3 +291,19 @@ func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token.
 
 	return u, err
 }
+
+func extractRef(req interface{}) (*provider.Reference, bool) {
+	switch v := req.(type) {
+	case *registry.GetStorageProvidersRequest:
+		return v.GetRef(), true
+	case *provider.StatRequest:
+		return v.GetRef(), true
+	case *provider.ListContainerRequest:
+		return v.GetRef(), true
+	case *provider.InitiateFileDownloadRequest:
+		return v.GetRef(), true
+	case *provider.InitiateFileUploadRequest:
+		return v.GetRef(), true
+	}
+	return nil, false
+}

internal/grpc/services/authprovider/authprovider.go

@@ -112,6 +112,7 @@ func (s *service) Authenticate(ctx context.Context, req *provider.AuthenticateRe
 	switch v := err.(type) {
 	case nil:
 		log.Info().Msgf("user %s authenticated", u.String())
+		log.Info().Msgf("authprovider scope %+v", scope)
 		return &provider.AuthenticateResponse{
 			Status:     status.NewOK(ctx),
 			User:       u,

internal/grpc/services/gateway/authprovider.go

@@ -22,6 +22,7 @@ import (
 	"context"
 	"fmt"
 
+	authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
 	registry "github.com/cs3org/go-cs3apis/cs3/auth/registry/v1beta1"
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
@@ -83,6 +84,7 @@ func (s *svc) Authenticate(ctx context.Context, req *gateway.AuthenticateRequest
 			Status: status.NewInternal(ctx, err, "user is nil"),
 		}, nil
 	}
+	log.Info().Msgf("gateway scope %+v", res.TokenScope)
 
 	uid := res.User.Id
 	if uid == nil {
@@ -102,7 +104,7 @@ func (s *svc) Authenticate(ctx context.Context, req *gateway.AuthenticateRequest
 		return res, nil
 	}
 
-	if s.c.DisableHomeCreationOnLogin {
+	if scope, ok := res.TokenScope["user"]; s.c.DisableHomeCreationOnLogin || !ok || scope.Role != authpb.Role_ROLE_OWNER {
 		gwRes := &gateway.AuthenticateResponse{
 			Status: status.NewOK(ctx),
 			User:   res.User,

pkg/auth/manager/demo/demo.go

@@ -20,7 +20,6 @@ package demo
 
 import (
 	"context"
-	"encoding/json"
 
 	authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
 	user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
@@ -29,6 +28,7 @@ import (
 	"github.com/cs3org/reva/pkg/auth"
 	"github.com/cs3org/reva/pkg/auth/manager/registry"
 	"github.com/cs3org/reva/pkg/errtypes"
+	"github.com/cs3org/reva/pkg/utils"
 )
 
 func init() {
@@ -58,7 +58,7 @@ func (m *manager) Authenticate(ctx context.Context, clientID, clientSecret strin
 			Path: "/",
 		},
 	}
-	val, err := json.Marshal(ref)
+	val, err := utils.MarshalProtoV1ToJSON(ref)
 	if err != nil {
 		return nil, nil, err
 	}

pkg/auth/manager/impersonator/impersonator.go

@@ -20,7 +20,6 @@ package impersonator
 
 import (
 	"context"
-	"encoding/json"
 	"strings"
 
 	authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
@@ -29,6 +28,7 @@ import (
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
 	"github.com/cs3org/reva/pkg/auth"
 	"github.com/cs3org/reva/pkg/auth/manager/registry"
+	"github.com/cs3org/reva/pkg/utils"
 )
 
 func init() {
@@ -58,7 +58,7 @@ func (m *mgr) Authenticate(ctx context.Context, clientID, clientSecret string) (
 			Path: "/",
 		},
 	}
-	val, err := json.Marshal(ref)
+	val, err := utils.MarshalProtoV1ToJSON(ref)
 	if err != nil {
 		return nil, nil, err
 	}

pkg/auth/manager/json/json.go

@@ -30,6 +30,7 @@ import (
 	"github.com/cs3org/reva/pkg/auth"
 	"github.com/cs3org/reva/pkg/auth/manager/registry"
 	"github.com/cs3org/reva/pkg/errtypes"
+	"github.com/cs3org/reva/pkg/utils"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
 )
@@ -109,7 +110,7 @@ func (m *manager) Authenticate(ctx context.Context, username string, secret stri
 			Path: "/",
 		},
 	}
-	val, err := json.Marshal(ref)
+	val, err := utils.MarshalProtoV1ToJSON(ref)
 	if err != nil {
 		return nil, nil, err
 	}

pkg/auth/manager/ldap/ldap.go

@@ -21,7 +21,6 @@ package ldap
 import (
 	"context"
 	"crypto/tls"
-	"encoding/json"
 	"fmt"
 	"strings"
 
@@ -37,6 +36,7 @@ import (
 	"github.com/cs3org/reva/pkg/logger"
 	"github.com/cs3org/reva/pkg/rgrpc/todo/pool"
 	"github.com/cs3org/reva/pkg/sharedconf"
+	"github.com/cs3org/reva/pkg/utils"
 	"github.com/go-ldap/ldap/v3"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
@@ -213,7 +213,7 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 			Path: "/",
 		},
 	}
-	val, err := json.Marshal(ref)
+	val, err := utils.MarshalProtoV1ToJSON(ref)
 	if err != nil {
 		return nil, nil, err
 	}

pkg/auth/manager/oidc/oidc.go

@@ -22,7 +22,6 @@ package oidc
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"time"
 
@@ -37,6 +36,7 @@ import (
 	"github.com/cs3org/reva/pkg/rgrpc/todo/pool"
 	"github.com/cs3org/reva/pkg/rhttp"
 	"github.com/cs3org/reva/pkg/sharedconf"
+	"github.com/cs3org/reva/pkg/utils"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
@@ -191,7 +191,7 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 			Path: "/",
 		},
 	}
-	val, err := json.Marshal(ref)
+	val, err := utils.MarshalProtoV1ToJSON(ref)
 	if err != nil {
 		return nil, nil, err
 	}

pkg/auth/manager/publicshares/publicshares.go

@@ -20,7 +20,6 @@ package publicshares
 
 import (
 	"context"
-	"encoding/json"
 	"strings"
 	"time"
 
@@ -30,10 +29,12 @@ import (
 	rpcv1beta1 "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
+	"github.com/cs3org/reva/pkg/appctx"
 	"github.com/cs3org/reva/pkg/auth"
 	"github.com/cs3org/reva/pkg/auth/manager/registry"
 	"github.com/cs3org/reva/pkg/errtypes"
 	"github.com/cs3org/reva/pkg/rgrpc/todo/pool"
+	"github.com/cs3org/reva/pkg/utils"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
 )
@@ -131,6 +132,8 @@ func (m *manager) Authenticate(ctx context.Context, token, secret string) (*user
 	if err != nil {
 		return nil, nil, err
 	}
+	log := appctx.GetLogger(ctx)
+	log.Info().Msgf("publichare scope: %+v", scope)
 
 	return getUserResponse.GetUser(), scope, nil
 }
@@ -141,7 +144,7 @@ func (m *manager) getScope(ctx context.Context, share *link.PublicShare) (map[st
 		role = authpb.Role_ROLE_EDITOR
 	}
 
-	val, err := json.Marshal(share)
+	val, err := utils.MarshalProtoV1ToJSON(share)
 	if err != nil {
 		return nil, err
 	}

pkg/auth/scope/publicshare.go

@@ -19,30 +19,62 @@
 package scope
 
 import (
-	"encoding/json"
 	"fmt"
 	"strings"
 
 	authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
 	link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
+	registry "github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1"
 	"github.com/cs3org/reva/pkg/errtypes"
+	"github.com/cs3org/reva/pkg/utils"
 )
 
 func publicshareScope(scope *authpb.Scope, resource interface{}) (bool, error) {
-	var share *link.PublicShare
-	err := json.Unmarshal(scope.Resource.Value, &share)
+	var share link.PublicShare
+	err := utils.UnmarshalJSONToProtoV1(scope.Resource.Value, &share)
 	if err != nil {
 		return false, err
 	}
 
 	switch v := resource.(type) {
-	case *provider.Reference:
-		return checkStorageRef(share, v), nil
-	case *link.PublicShareReference:
-		return checkPublicShareRef(share, v), nil
+	case *registry.GetStorageProvidersRequest:
+		return checkStorageRef(&share, v.GetRef()), nil
+	case *provider.StatRequest:
+		return checkStorageRef(&share, v.GetRef()), nil
+	case *provider.ListContainerRequest:
+		return checkStorageRef(&share, v.GetRef()), nil
+	case *provider.InitiateFileDownloadRequest:
+		return checkStorageRef(&share, v.GetRef()), nil
+	case *provider.InitiateFileUploadRequest:
+		return checkStorageRef(&share, v.GetRef()), nil
+	case *link.GetPublicShareRequest:
+		return checkPublicShareRef(&share, v.GetRef()), nil
 	case string:
-		return checkPath(share, v), nil
+		return checkPath(&share, v), nil
+	}
+
+	return false, errtypes.InternalError(fmt.Sprintf("resource type assertion failed: %+v", resource))
+}
+
+func publicsharepathScope(scope *authpb.Scope, resource interface{}) (bool, error) {
+	var ref provider.Reference
+	err := utils.UnmarshalJSONToProtoV1(scope.Resource.Value, &ref)
+	if err != nil {
+		return false, err
+	}
+
+	switch v := resource.(type) {
+	case *registry.GetStorageProvidersRequest:
+		return strings.HasPrefix(v.GetRef().GetPath(), ref.GetPath()), nil
+	case *provider.StatRequest:
+		return strings.HasPrefix(v.GetRef().GetPath(), ref.GetPath()), nil
+	case *provider.ListContainerRequest:
+		return strings.HasPrefix(v.GetRef().GetPath(), ref.GetPath()), nil
+	case *provider.InitiateFileDownloadRequest:
+		return strings.HasPrefix(v.GetRef().GetPath(), ref.GetPath()), nil
+	case *provider.InitiateFileUploadRequest:
+		return strings.HasPrefix(v.GetRef().GetPath(), ref.GetPath()), nil
 	}
 
 	return false, errtypes.InternalError(fmt.Sprintf("resource type assertion failed: %+v", resource))

pkg/auth/scope/scope.go

@@ -26,8 +26,9 @@ import (
 type Verifier func(*authpb.Scope, interface{}) (bool, error)
 
 var supportedScopes = map[string]Verifier{
-	"user":        userScope,
-	"publicshare": publicshareScope,
+	"user":            userScope,
+	"publicshare":     publicshareScope,
+	"publicsharepath": publicsharepathScope,
 }
 
 // VerifyScope is the function to be called when dismantling tokens to check if
@@ -37,7 +38,7 @@ func VerifyScope(scopeMap map[string]*authpb.Scope, resource interface{}) (bool,
 		verifierFunc := supportedScopes[k]
 		valid, err := verifierFunc(scope, resource)
 		if err != nil {
-			return false, err
+			continue
 		}
 		if valid {
 			return true, nil

pkg/token/manager/jwt/jwt.go

@@ -24,6 +24,7 @@ import (
 
 	auth "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
 	user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+	"github.com/cs3org/reva/pkg/appctx"
 	"github.com/cs3org/reva/pkg/auth/scope"
 	"github.com/cs3org/reva/pkg/errtypes"
 	"github.com/cs3org/reva/pkg/sharedconf"
@@ -119,7 +120,10 @@ func (m *manager) DismantleToken(ctx context.Context, tkn string, resource inter
 	}
 
 	if claims, ok := token.Claims.(*claims); ok && token.Valid {
+		log := appctx.GetLogger(ctx)
+		log.Info().Msgf("jwt scope: %+v", claims.Scope)
 		ok, err = scope.VerifyScope(claims.Scope, resource)
+		log.Info().Msgf("jwt ok: %+v, err %+v", ok, err)
 		if err != nil {
 			return nil, nil, errtypes.InternalError("error verifying scope of access token")
 		}

pkg/utils/utils.go

@@ -110,6 +110,7 @@ func ResolvePath(path string) (string, error) {
 
 // RandString is a helper to create tokens.
 func RandString(n int) string {
+	rand.Seed(time.Now().UTC().UnixNano())
 	var l = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
 	b := make([]rune, n)
 	for i := range b {