From bcfd49c5208dbf1d4112e8382b72be8b32f82fc5 Mon Sep 17 00:00:00 2001 From: Ishank Arora Date: Mon, 12 Jul 2021 19:50:38 +0200 Subject: [PATCH] Add directory parameter to eosclient.GenerateToken --- changelog/unreleased/eos-token-dir.md | 3 +++ pkg/cbox/utils/conversions.go | 7 ++++++- pkg/eosclient/eosbinary/eosbinary.go | 20 +++++++++----------- pkg/eosclient/eosclient.go | 2 +- pkg/eosclient/eosgrpc/eosgrpc.go | 2 +- pkg/storage/utils/eosfs/eosfs.go | 13 +++++++------ 6 files changed, 27 insertions(+), 20 deletions(-) create mode 100644 changelog/unreleased/eos-token-dir.md diff --git a/changelog/unreleased/eos-token-dir.md b/changelog/unreleased/eos-token-dir.md new file mode 100644 index 00000000000..ec6047b2213 --- /dev/null +++ b/changelog/unreleased/eos-token-dir.md @@ -0,0 +1,3 @@ +Bugfix: Add directory parameter to eosclient.GenerateToken + +https://github.com/cs3org/reva/pull/1883 diff --git a/pkg/cbox/utils/conversions.go b/pkg/cbox/utils/conversions.go index 12a5510a89e..18c5cda7040 100644 --- a/pkg/cbox/utils/conversions.go +++ b/pkg/cbox/utils/conversions.go @@ -19,6 +19,7 @@ package utils import ( + "strings" "time" grouppb "github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1" @@ -165,7 +166,11 @@ func FormatUserID(u *userpb.UserId) string { // ExtractUserID retrieves a CS3API user ID from a string func ExtractUserID(u string) *userpb.UserId { - return &userpb.UserId{OpaqueId: u} + t := userpb.UserType_USER_TYPE_PRIMARY + if strings.HasPrefix(u, "guest:") { + t = userpb.UserType_USER_TYPE_LIGHTWEIGHT + } + return &userpb.UserId{OpaqueId: u, Type: t} } // FormatGroupID formats a CS3API group ID to a string diff --git a/pkg/eosclient/eosbinary/eosbinary.go b/pkg/eosclient/eosbinary/eosbinary.go index 34286da4dd6..9348d8301bc 100644 --- a/pkg/eosclient/eosbinary/eosbinary.go +++ b/pkg/eosclient/eosbinary/eosbinary.go 
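Review bot: The new `guest:` prefix check in ExtractUserID silently decides the account type that downstream authorization will rely on, but the doc comment still only says it "retrieves a CS3API user ID from a string"; the convention should be stated where callers read it. Suggested comment: `// ExtractUserID retrieves a CS3API user ID from a string. Strings prefixed with "guest:" are typed as lightweight accounts, anything else as primary; the prefix is kept as part of OpaqueId.` Note the check is an exact, case-sensitive prefix match, so a differently-cased prefix yields a primary-type ID — if that is intended it is worth a short why-comment on the `strings.HasPrefix` line.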
@@ -304,7 +304,7 @@ func (c *Client) AddACL(ctx context.Context, auth, rootAuth eosclient.Authorizat Key: lwShareAttrKey, Val: sysACL, } - if err = c.SetAttr(ctx, auth, sysACLAttr, true, path); err != nil { + if err = c.SetAttr(ctx, auth, sysACLAttr, finfo.IsDir, path); err != nil { return err } return nil @@ -361,7 +361,7 @@ func (c *Client) RemoveACL(ctx context.Context, auth, rootAuth eosclient.Authori Key: lwShareAttrKey, Val: sysACL, } - if err = c.SetAttr(ctx, auth, sysACLAttr, true, path); err != nil { + if err = c.SetAttr(ctx, auth, sysACLAttr, finfo.IsDir, path); err != nil { return err } return nil @@ -373,13 +373,6 @@ func (c *Client) RemoveACL(ctx context.Context, auth, rootAuth eosclient.Authori args = append(args, "--sys", "--recursive") } else { args = append(args, "--user") - userACLAttr := &eosclient.Attribute{ - Type: SystemAttr, - Key: "eval.useracl", - } - if err = c.UnsetAttr(ctx, auth, userACLAttr, path); err != nil { - return err - } } args = append(args, sysACL, path) @@ -509,6 +502,7 @@ func (c *Client) UnsetAttr(ctx context.Context, auth eosclient.Authorization, at if !isValidAttribute(attr) { return errors.New("eos: attr is invalid: " + serializeAttribute(attr)) } + args := []string{"attr", "-r", "rm", fmt.Sprintf("%d.%s", attr.Type, attr.Key), path} _, _, err := c.executeEOS(ctx, args, auth) if err != nil { 
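Review bot: The lightweight-share attribute write is now duplicated verbatim between AddACL (this hunk) and RemoveACL (the hunk at -361): the same sysACLAttr literal followed by `c.SetAttr(ctx, auth, sysACLAttr, finfo.IsDir, path)`, so the recursion-flag change had to be made twice and a future change will have to be too. A small helper such as `func (c *Client) setLwShareAttr(ctx context.Context, auth eosclient.Authorization, sysACL, path string, recursive bool) error` called from both would keep them in step. `finfo` is presumably the stat result obtained earlier in each function; both function bodies start outside the hunks, and a one-line comment on the call, `// recurse only when the target is a directory`, would make the meaning of the fourth argument obvious at the call site.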
@@ -697,9 +691,13 @@ func (c *Client) ReadVersion(ctx context.Context, auth eosclient.Authorization, } // GenerateToken returns a token on behalf of the resource owner to be used by lightweight accounts -func (c *Client) GenerateToken(ctx context.Context, auth eosclient.Authorization, p string, a *acl.Entry) (string, error) { +func (c *Client) GenerateToken(ctx context.Context, auth eosclient.Authorization, p string, isDir bool, a *acl.Entry) (string, error) { expiration := strconv.FormatInt(time.Now().Add(time.Duration(c.opt.TokenExpiry)*time.Second).Unix(), 10) - args := []string{"token", "--permission", a.Permissions, "--tree", "--path", path.Clean(p) + "/", "--expires", expiration} + if isDir { + // EOS expects directories to have a trailing slash when generating tokens + p = path.Clean(p) + "/" + } + args := []string{"token", "--permission", a.Permissions, "--tree", "--path", p, "--expires", expiration} stdout, _, err := c.executeEOS(ctx, args, auth) return stdout, err } diff --git a/pkg/eosclient/eosclient.go b/pkg/eosclient/eosclient.go index 8bd2038bc54..48e2f781841 100644 --- a/pkg/eosclient/eosclient.go +++ b/pkg/eosclient/eosclient.go @@ -55,7 +55,7 @@ type EOSClient interface { ListVersions(ctx context.Context, auth Authorization, p string) ([]*FileInfo, error) RollbackToVersion(ctx context.Context, auth Authorization, path, version string) error ReadVersion(ctx context.Context, auth Authorization, p, version string) (io.ReadCloser, error) - GenerateToken(ctx context.Context, auth Authorization, path string, a *acl.Entry) (string, error) + GenerateToken(ctx context.Context, auth Authorization, path string, isDir bool, a *acl.Entry) (string, error) } // AttrType is the type of extended attribute, diff --git a/pkg/eosclient/eosgrpc/eosgrpc.go b/pkg/eosclient/eosgrpc/eosgrpc.go index c002b6294a5..3730e40232d 100644 --- a/pkg/eosclient/eosgrpc/eosgrpc.go +++ b/pkg/eosclient/eosgrpc/eosgrpc.go 
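Review bot: For a file, `p` now reaches the `eos token --path` argument without normalization: `path.Clean(p)` is only applied inside the `if isDir` branch, while the removed line cleaned the path unconditionally. Cleaning before the branch keeps both cases consistent: `p = path.Clean(p)` followed by `if isDir { p += "/" }`. The doc comment on GenerateToken (and the matching interface method in eosclient.go in this same patch) should also describe the new parameter, e.g. `// isDir selects the trailing-slash path form EOS expects when issuing a token for a directory.` Whether `--tree` is appropriate for a non-directory path cannot be judged from here and may deserve a comment as well.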
@@ -1395,7 +1395,7 @@ func (c *Client) ReadVersion(ctx context.Context, auth eosclient.Authorization, } // GenerateToken returns a token on behalf of the resource owner to be used by lightweight accounts -func (c *Client) GenerateToken(ctx context.Context, auth eosclient.Authorization, path string, a *acl.Entry) (string, error) { +func (c *Client) GenerateToken(ctx context.Context, auth eosclient.Authorization, path string, isDir bool, a *acl.Entry) (string, error) { return "", errtypes.NotSupported("TODO") } diff --git a/pkg/storage/utils/eosfs/eosfs.go b/pkg/storage/utils/eosfs/eosfs.go index a4affa4fe91..0e3d9fef90b 100644 --- a/pkg/storage/utils/eosfs/eosfs.go +++ b/pkg/storage/utils/eosfs/eosfs.go @@ -191,6 +191,7 @@ func NewEOSFS(c *Config) (storage.FS, error) { Keytab: c.Keytab, SecProtocol: c.SecProtocol, VersionInvariant: c.VersionInvariant, + TokenExpiry: c.TokenExpiry, } eosClient, err = eosbinary.New(eosClientOpts) } @@ -456,7 +457,7 @@ func (fs *eosfs) SetArbitraryMetadata(ctx context.Context, ref *provider.Referen Val: v, } - // TODO(labkode): SetArbitraryMetadata does not has semantic for recursivity. + // TODO(labkode): SetArbitraryMetadata does not have semantics for recursivity. // We set it to false err := fs.c.SetAttr(ctx, auth, attr, false, fn) if err != nil { 
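Review bot: `TokenExpiry: c.TokenExpiry` is forwarded to the eosbinary client unchecked; with a zero value, GenerateToken in this same patch computes `time.Now().Add(0)` so every issued token expires at issuance, and getEOSToken caches it with a zero TTL. Unless NewEOSFS or the config loader applies a default elsewhere (not visible in this hunk; NewEOSFS starts outside it), a guard such as `if c.TokenExpiry <= 0 { return nil, errors.New("eosfs: TokenExpiry must be a positive number of seconds") }` before the options are built would surface the misconfiguration instead of producing unusable tokens. The unit (seconds, per the `time.Second` multiplication in both places) is worth recording in a comment on the field.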
@@ -1750,29 +1751,29 @@ func (fs *eosfs) getEOSToken(ctx context.Context, u *userpb.User, fn string) (eo }, } - var a *acl.Entry + perm := "rwx" for _, e := range info.SysACL.Entries { if e.Type == acl.TypeLightweight && e.Qualifier == u.Id.OpaqueId { - a = e + perm = e.Permissions break } } p := path.Clean(fn) for p != "." && p != fs.conf.Namespace { - key := p + "!" + a.Permissions + key := p + "!" + perm if tknIf, err := fs.tokenCache.Get(key); err == nil { return eosclient.Authorization{Token: tknIf.(string)}, nil } p = path.Dir(p) } - tkn, err := fs.c.GenerateToken(ctx, auth, fn, a) + tkn, err := fs.c.GenerateToken(ctx, auth, fn, info.IsDir, &acl.Entry{Permissions: perm}) if err != nil { return eosclient.Authorization{}, err } - key := path.Clean(fn) + "!" + a.Permissions + key := path.Clean(fn) + "!" + perm _ = fs.tokenCache.SetWithExpire(key, tkn, time.Second*time.Duration(fs.conf.TokenExpiry)) return eosclient.Authorization{Token: tkn}, nil
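Review bot: `perm := "rwx"` makes the fallback for a user with no matching lightweight ACL entry the broadest permission set, so a token carrying rwx on the resource is generated and cached for an identity the ACL never granted anything to. The removed code would have dereferenced a nil `a` in that case, so this is a fail-open replacement for a crash; unless every caller already guarantees a matching entry (not visible here, and getEOSToken starts outside the hunk), a fail-closed default that returns an error is the safer shape. The error constructor should be whichever one eosfs.go already imports; `errors.New` is shown below as a placeholder.
```go
	var perm string
	// … unchanged: scan info.SysACL.Entries for the user's lightweight entry …
	if perm == "" {
		// No lightweight ACL entry for this user: refuse rather than default to "rwx".
		return eosclient.Authorization{}, errors.New("eosfs: no lightweight ACL entry for user " + u.Id.OpaqueId)
	}
	// … unchanged: token cache lookup, GenerateToken call, cache store …
```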