From 55515341de154311a69dc14e0780f2a382892e56 Mon Sep 17 00:00:00 2001 From: Ishank Arora Date: Mon, 11 Oct 2021 15:54:14 +0200 Subject: [PATCH] Restrict EOS project spaces sharing permissions to admins and writers --- .../unreleased/eos-projects-sharing-perm.md | 3 ++ pkg/cbox/storage/eoswrapper/eoswrapper.go | 46 ++++++++++++++++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 changelog/unreleased/eos-projects-sharing-perm.md diff --git a/changelog/unreleased/eos-projects-sharing-perm.md b/changelog/unreleased/eos-projects-sharing-perm.md new file mode 100644 index 00000000000..a9bf47c7238 --- /dev/null +++ b/changelog/unreleased/eos-projects-sharing-perm.md @@ -0,0 +1,3 @@ +Enhancement: Restrict project spaces sharing permissions to admins and writers + +https://github.com/cs3org/reva/pull/2153 \ No newline at end of file diff --git a/pkg/cbox/storage/eoswrapper/eoswrapper.go b/pkg/cbox/storage/eoswrapper/eoswrapper.go index 2f27c422305..dfecfc73a6d 100644 --- a/pkg/cbox/storage/eoswrapper/eoswrapper.go +++ b/pkg/cbox/storage/eoswrapper/eoswrapper.go @@ -21,10 +21,12 @@ package eoshome import ( "bytes" "context" + "strings" "text/template" "github.com/Masterminds/sprig" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" + ctxpkg "github.com/cs3org/reva/pkg/ctx" "github.com/cs3org/reva/pkg/storage" "github.com/cs3org/reva/pkg/storage/fs/registry" "github.com/cs3org/reva/pkg/storage/utils/eosfs" @@ -36,8 +38,18 @@ func init() { registry.Register("eoswrapper", New) } +const ( + eosProjectsNamespace = "/eos/project" + + // We can use a regex for these, but that might have inferior performance + projectSpaceGroupsPrefix = "cernbox-project-" + projectSpaceAdminGroups = "-admins" + projectSpaceWriterGroups = "-writers" +) + type wrapper struct { storage.FS + config *eosfs.Config mountIDTemplate *template.Template } 
@@ -79,7 +91,7 @@ func New(m map[string]interface{}) (storage.FS, error) { return nil, err } - return &wrapper{FS: eos, mountIDTemplate: mountIDTemplate}, nil + return &wrapper{FS: eos, config: c, mountIDTemplate: mountIDTemplate}, nil } // We need to override the two methods, GetMD and ListFolder to fill the @@ -96,6 +108,11 @@ func (w *wrapper) GetMD(ctx context.Context, ref *provider.Reference, mdKeys []s // Take the first letter of the resource path after the namespace has been removed. // If it's empty, leave it empty to be filled by storageprovider. res.Id.StorageId = w.getMountID(ctx, res) + + if err = w.setProjectSharingPermissions(ctx, res); err != nil { + return nil, err + } + return res, nil } @@ -107,6 +124,9 @@ func (w *wrapper) ListFolder(ctx context.Context, ref *provider.Reference, mdKey } for _, r := range res { r.Id.StorageId = w.getMountID(ctx, r) + if err = w.setProjectSharingPermissions(ctx, r); err != nil { + continue + } } return res, nil } @@ -121,3 +141,27 @@ func (w *wrapper) getMountID(ctx context.Context, r *provider.ResourceInfo) stri } return b.String() } + +func (w *wrapper) setProjectSharingPermissions(ctx context.Context, r *provider.ResourceInfo) error { + perm := r.PermissionSet + + // Only proceed if sharing permissions are set to true + if strings.HasPrefix(w.config.Namespace, eosProjectsNamespace) && (perm.AddGrant || perm.RemoveGrant || perm.UpdateGrant) { + var userHasSharingAccess bool + user := ctxpkg.ContextMustGetUser(ctx) + for _, g := range user.Groups { + + // Check if user is present in the admins or writers groups + if strings.HasPrefix(g, projectSpaceGroupsPrefix) && (strings.HasSuffix(g, projectSpaceAdminGroups) || strings.HasSuffix(g, projectSpaceWriterGroups)) { + userHasSharingAccess = true + break + } + } + if !userHasSharingAccess { + r.PermissionSet.AddGrant = false + r.PermissionSet.RemoveGrant = false + r.PermissionSet.UpdateGrant = false + } + } + return nil +}
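Review bot: The `continue` on the error branch in the ListFolder loop is fail-open: a resource for which setProjectSharingPermissions fails is still returned with its AddGrant/RemoveGrant/UpdateGrant bits untouched, and since `continue` is the last statement of the loop body it changes nothing anyway. This is dormant today because the helper never returns a non-nil error, but if it ever does (for example no user in the context) the entry should be dropped or its grant bits cleared rather than passed through, e.g. `if err = w.setProjectSharingPermissions(ctx, r); err != nil { return nil, err }`, which also matches how GetMD handles the same call in the previous hunk. ListFolder's body begins outside the hunk.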
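Review bot: The group check in setProjectSharingPermissions does not tie the group to the project that owns `r`: any group that starts with `cernbox-project-` and ends with `-admins` or `-writers` passes, so membership in one project's writers group keeps AddGrant/RemoveGrant/UpdateGrant on every resource served under w.config.Namespace, whichever project that namespace points at. The comparison should be an exact match against `projectSpaceGroupsPrefix + <project> + projectSpaceAdminGroups` (and the writers variant), with <project> derived from the resource path or the configured namespace — the project path layout is not visible here and needs confirming before writing that derivation. Separately, `ctxpkg.ContextMustGetUser(ctx)` panics when the context carries no user, turning an unauthenticated or internal GetMD/ListFolder call into a crash; `user, ok := ctxpkg.ContextGetUser(ctx)` with `!ok` treated as no sharing access fails closed instead. With that change the function has no error path at all, so the `error` result should either be documented as reserved or dropped. Note also that this only narrows the advertised PermissionSet; enforcement of grant operations presumably still happens in the underlying storage and should be checked independently.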