Add directory parameter to eosclient.GenerateToken

changelog/unreleased/eos-token-dir.md

@@ -0,0 +1,3 @@
+Bugfix: Add directory parameter to eosclient.GenerateToken
+
+https://github.com/cs3org/reva/pull/1883

pkg/cbox/utils/conversions.go

@@ -19,6 +19,7 @@
 package utils
 
 import (
+	"strings"
 	"time"
 
 	grouppb "github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1"
@@ -165,7 +166,11 @@ func FormatUserID(u *userpb.UserId) string {
 
 // ExtractUserID retrieves a CS3API user ID from a string
 func ExtractUserID(u string) *userpb.UserId {
-	return &userpb.UserId{OpaqueId: u}
+	t := userpb.UserType_USER_TYPE_PRIMARY
+	if strings.HasPrefix(u, "guest:") {
+		t = userpb.UserType_USER_TYPE_LIGHTWEIGHT
+	}
+	return &userpb.UserId{OpaqueId: u, Type: t}
 }
 
 // FormatGroupID formats a CS3API group ID to a string

pkg/eosclient/eosbinary/eosbinary.go

@@ -304,7 +304,7 @@ func (c *Client) AddACL(ctx context.Context, auth, rootAuth eosclient.Authorizat
 			Key:  lwShareAttrKey,
 			Val:  sysACL,
 		}
-		if err = c.SetAttr(ctx, auth, sysACLAttr, true, path); err != nil {
+		if err = c.SetAttr(ctx, auth, sysACLAttr, finfo.IsDir, path); err != nil {
 			return err
 		}
 		return nil
@@ -361,7 +361,7 @@ func (c *Client) RemoveACL(ctx context.Context, auth, rootAuth eosclient.Authori
 			Key:  lwShareAttrKey,
 			Val:  sysACL,
 		}
-		if err = c.SetAttr(ctx, auth, sysACLAttr, true, path); err != nil {
+		if err = c.SetAttr(ctx, auth, sysACLAttr, finfo.IsDir, path); err != nil {
 			return err
 		}
 		return nil
@@ -373,13 +373,6 @@ func (c *Client) RemoveACL(ctx context.Context, auth, rootAuth eosclient.Authori
 		args = append(args, "--sys", "--recursive")
 	} else {
 		args = append(args, "--user")
-		userACLAttr := &eosclient.Attribute{
-			Type: SystemAttr,
-			Key:  "eval.useracl",
-		}
-		if err = c.UnsetAttr(ctx, auth, userACLAttr, path); err != nil {
-			return err
-		}
 	}
 	args = append(args, sysACL, path)
 
@@ -509,6 +502,7 @@ func (c *Client) UnsetAttr(ctx context.Context, auth eosclient.Authorization, at
 	if !isValidAttribute(attr) {
 		return errors.New("eos: attr is invalid: " + serializeAttribute(attr))
 	}
+
 	args := []string{"attr", "-r", "rm", fmt.Sprintf("%d.%s", attr.Type, attr.Key), path}
 	_, _, err := c.executeEOS(ctx, args, auth)
 	if err != nil {
@@ -697,9 +691,13 @@ func (c *Client) ReadVersion(ctx context.Context, auth eosclient.Authorization,
 }
 
 // GenerateToken returns a token on behalf of the resource owner to be used by lightweight accounts
-func (c *Client) GenerateToken(ctx context.Context, auth eosclient.Authorization, p string, a *acl.Entry) (string, error) {
+func (c *Client) GenerateToken(ctx context.Context, auth eosclient.Authorization, p string, isDir bool, a *acl.Entry) (string, error) {
 	expiration := strconv.FormatInt(time.Now().Add(time.Duration(c.opt.TokenExpiry)*time.Second).Unix(), 10)
-	args := []string{"token", "--permission", a.Permissions, "--tree", "--path", path.Clean(p) + "/", "--expires", expiration}
+	if isDir {
+		// EOS expects directories to have a trailing slash when generating tokens
+		p = path.Clean(p) + "/"
+	}
+	args := []string{"token", "--permission", a.Permissions, "--tree", "--path", p, "--expires", expiration}
 	stdout, _, err := c.executeEOS(ctx, args, auth)
 	return stdout, err
 }

pkg/eosclient/eosclient.go

@@ -55,7 +55,7 @@ type EOSClient interface {
 	ListVersions(ctx context.Context, auth Authorization, p string) ([]*FileInfo, error)
 	RollbackToVersion(ctx context.Context, auth Authorization, path, version string) error
 	ReadVersion(ctx context.Context, auth Authorization, p, version string) (io.ReadCloser, error)
-	GenerateToken(ctx context.Context, auth Authorization, path string, a *acl.Entry) (string, error)
+	GenerateToken(ctx context.Context, auth Authorization, path string, isDir bool, a *acl.Entry) (string, error)
 }
 
 // AttrType is the type of extended attribute,

pkg/eosclient/eosgrpc/eosgrpc.go

@@ -1395,7 +1395,7 @@ func (c *Client) ReadVersion(ctx context.Context, auth eosclient.Authorization,
 }
 
 // GenerateToken returns a token on behalf of the resource owner to be used by lightweight accounts
-func (c *Client) GenerateToken(ctx context.Context, auth eosclient.Authorization, path string, a *acl.Entry) (string, error) {
+func (c *Client) GenerateToken(ctx context.Context, auth eosclient.Authorization, path string, isDir bool, a *acl.Entry) (string, error) {
 	return "", errtypes.NotSupported("TODO")
 }
 

pkg/storage/utils/eosfs/eosfs.go

@@ -191,6 +191,7 @@ func NewEOSFS(c *Config) (storage.FS, error) {
 			Keytab:              c.Keytab,
 			SecProtocol:         c.SecProtocol,
 			VersionInvariant:    c.VersionInvariant,
+			TokenExpiry:         c.TokenExpiry,
 		}
 		eosClient, err = eosbinary.New(eosClientOpts)
 	}
@@ -456,7 +457,7 @@ func (fs *eosfs) SetArbitraryMetadata(ctx context.Context, ref *provider.Referen
 			Val:  v,
 		}
 
-		// TODO(labkode): SetArbitraryMetadata does not has semantic for recursivity.
+		// TODO(labkode): SetArbitraryMetadata does not have semantics for recursivity.
 		// We set it to false
 		err := fs.c.SetAttr(ctx, auth, attr, false, fn)
 		if err != nil {
@@ -1750,29 +1751,29 @@ func (fs *eosfs) getEOSToken(ctx context.Context, u *userpb.User, fn string) (eo
 		},
 	}
 
-	var a *acl.Entry
+	perm := "rwx"
 	for _, e := range info.SysACL.Entries {
 		if e.Type == acl.TypeLightweight && e.Qualifier == u.Id.OpaqueId {
-			a = e
+			perm = e.Permissions
 			break
 		}
 	}
 
 	p := path.Clean(fn)
 	for p != "." && p != fs.conf.Namespace {
-		key := p + "!" + a.Permissions
+		key := p + "!" + perm
 		if tknIf, err := fs.tokenCache.Get(key); err == nil {
 			return eosclient.Authorization{Token: tknIf.(string)}, nil
 		}
 		p = path.Dir(p)
 	}
 
-	tkn, err := fs.c.GenerateToken(ctx, auth, fn, a)
+	tkn, err := fs.c.GenerateToken(ctx, auth, fn, info.IsDir, &acl.Entry{Permissions: perm})
 	if err != nil {
 		return eosclient.Authorization{}, err
 	}
 
-	key := path.Clean(fn) + "!" + a.Permissions
+	key := path.Clean(fn) + "!" + perm
 	_ = fs.tokenCache.SetWithExpire(key, tkn, time.Second*time.Duration(fs.conf.TokenExpiry))
 
 	return eosclient.Authorization{Token: tkn}, nil