From c718c677974b0b8620ff74908d2c4daf732ad104 Mon Sep 17 00:00:00 2001
From: "A.Unger" <zyxancf@gmail.com>
Date: Mon, 14 Jun 2021 17:44:21 +0200
Subject: [PATCH] start updating references

---
 cmd/reva/ocm-share-list.go                    |  4 +-
 cmd/reva/public-share-list.go                 |  4 +-
 cmd/reva/recycle-list.go                      |  4 +-
 cmd/reva/recycle-purge.go                     |  6 ++-
 cmd/reva/recycle-restore.go                   |  4 +-
 cmd/reva/share-list.go                        |  4 +-
 cmd/reva/upload.go                            |  2 +-
 go.mod                                        |  3 +-
 internal/grpc/interceptors/auth/auth.go       |  6 ++-
 .../grpc/services/appprovider/appprovider.go  |  2 +-
 .../grpc/services/gateway/ocmshareprovider.go | 12 +++---
 .../services/gateway/usershareprovider.go     | 42 ++++++++++++-------
 internal/grpc/services/ocmcore/ocmcore.go     |  6 ++-
 .../publicstorageprovider.go                  |  6 ++-
 .../http/services/owncloud/ocdav/ocdav.go     |  8 ++--
 internal/http/services/owncloud/ocdav/put.go  |  2 +-
 .../http/services/owncloud/ocdav/trashbin.go  | 14 ++++---
 .../http/services/owncloud/ocdav/versions.go  |  6 +--
 .../handlers/apps/sharing/shares/public.go    |  4 +-
 .../handlers/apps/sharing/shares/shares.go    | 28 ++++++++-----
 .../ocs/handlers/cloud/users/users.go         |  2 +-
 pkg/app/provider/demo/demo.go                 |  2 +-
 pkg/auth/scope/publicshare.go                 |  4 +-
 pkg/auth/scope/resourceinfo.go                |  4 +-
 pkg/cbox/publicshare/sql/sql.go               |  4 +-
 pkg/cbox/share/sql/sql.go                     | 12 +++---
 pkg/cbox/utils/conversions.go                 | 11 ++++-
 pkg/ocm/share/manager/json/json.go            | 12 +++---
 pkg/publicshare/manager/json/json.go          |  2 +-
 pkg/publicshare/manager/memory/memory.go      |  2 +-
 pkg/sdk/action/download.go                    |  2 +-
 pkg/share/cache/cbox/cbox.go                  |  6 ++-
 pkg/storage/fs/owncloud/owncloud.go           | 16 +++----
 pkg/storage/fs/s3/s3.go                       | 14 +++----
 pkg/storage/registry/static/static.go         |  8 ++--
 pkg/storage/registry/static/static_test.go    |  4 +-
 36 files changed, 161 insertions(+), 111 deletions(-)

diff --git a/cmd/reva/ocm-share-list.go b/cmd/reva/ocm-share-list.go
index 17b0ff4106b..06b8836c9bb 100644
--- a/cmd/reva/ocm-share-list.go
+++ b/cmd/reva/ocm-share-list.go
@@ -56,9 +56,9 @@ func ocmShareListCommand() *command {
 			if len(tokens) != 2 {
 				return fmt.Errorf("resource id invalid")
 			}
-			id := &provider.Reference{
+			id := &provider.ResourceId{
 				StorageId: tokens[0],
-				NodeId:    tokens[1],
+				OpaqueId:  tokens[1],
 			}
 			shareRequest.Filters = []*ocm.ListOCMSharesRequest_Filter{
 				&ocm.ListOCMSharesRequest_Filter{
diff --git a/cmd/reva/public-share-list.go b/cmd/reva/public-share-list.go
index 1bbd4d35be6..b8dbf322cee 100644
--- a/cmd/reva/public-share-list.go
+++ b/cmd/reva/public-share-list.go
@@ -56,9 +56,9 @@ func publicShareListCommand() *command {
 			if len(tokens) != 2 {
 				return fmt.Errorf("resource id invalid")
 			}
-			id := &provider.Reference{
+			id := &provider.ResourceId{
 				StorageId: tokens[0],
-				NodeId:    tokens[1],
+				OpaqueId:  tokens[1],
 			}
 			shareRequest.Filters = []*link.ListPublicSharesRequest_Filter{
 				&link.ListPublicSharesRequest_Filter{
diff --git a/cmd/reva/recycle-list.go b/cmd/reva/recycle-list.go
index 7830ca61e66..6fd9f256f5c 100644
--- a/cmd/reva/recycle-list.go
+++ b/cmd/reva/recycle-list.go
@@ -46,7 +46,9 @@ func recycleListCommand() *command {
 		}
 
 		req := &gateway.ListRecycleRequest{
-			Ref: getHomeRes.Ref,
+			Ref: &provider.Reference{
+				Path: getHomeRes.Path,
+			},
 		}
 		res, err := client.ListRecycle(ctx, req)
 		if err != nil {
diff --git a/cmd/reva/recycle-purge.go b/cmd/reva/recycle-purge.go
index c9f793edada..88e9585294e 100644
--- a/cmd/reva/recycle-purge.go
+++ b/cmd/reva/recycle-purge.go
@@ -44,7 +44,11 @@ func recyclePurgeCommand() *command {
 			return err
 		}
 
-		req := &gateway.PurgeRecycleRequest{Ref: getHomeRes.Ref}
+		req := &gateway.PurgeRecycleRequest{
+			Ref: &provider.Reference{
+				Path: getHomeRes.Path,
+			},
+		}
 
 		res, err := client.PurgeRecycle(ctx, req)
 		if err != nil {
diff --git a/cmd/reva/recycle-restore.go b/cmd/reva/recycle-restore.go
index 1b62778c496..a081251053c 100644
--- a/cmd/reva/recycle-restore.go
+++ b/cmd/reva/recycle-restore.go
@@ -51,7 +51,9 @@ func recycleRestoreCommand() *command {
 		}
 
 		req := &provider.RestoreRecycleItemRequest{
-			Ref: getHomeRes.Ref,
+			Ref: &provider.Reference{
+				Path: getHomeRes.Path,
+			},
 			Key: key,
 		}
 
diff --git a/cmd/reva/share-list.go b/cmd/reva/share-list.go
index 3b869c685f2..73b005d0cd0 100644
--- a/cmd/reva/share-list.go
+++ b/cmd/reva/share-list.go
@@ -56,9 +56,9 @@ func shareListCommand() *command {
 			if len(tokens) != 2 {
 				return fmt.Errorf("resource id invalid")
 			}
-			id := &provider.Reference{
+			id := &provider.ResourceId{
 				StorageId: tokens[0],
-				NodeId:    tokens[1],
+				OpaqueId:  tokens[1],
 			}
 			shareRequest.Filters = []*collaboration.ListSharesRequest_Filter{
 				&collaboration.ListSharesRequest_Filter{
diff --git a/cmd/reva/upload.go b/cmd/reva/upload.go
index 335de6ac9fd..f9c969aba65 100644
--- a/cmd/reva/upload.go
+++ b/cmd/reva/upload.go
@@ -221,7 +221,7 @@ func uploadCommand() *command {
 
 		info := res2.Info
 
-		fmt.Printf("File uploaded: %s:%s %d %s\n", info.Id.StorageId, info.Id.NodeId, info.Size, info.Path)
+		fmt.Printf("File uploaded: %s:%s %d %s\n", info.Id.StorageId, info.Id.OpaqueId, info.Size, info.Path)
 
 		return nil
 	}
diff --git a/go.mod b/go.mod
index ddab8390082..c9330dba675 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/cheggaaa/pb v1.0.29
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/cs3org/cato v0.0.0-20200828125504-e418fc54dd5e
-	github.com/cs3org/go-cs3apis v0.0.0-20210527092509-2b828e94ed4c
+	github.com/cs3org/go-cs3apis v0.0.0-20210614143420-5ee2eb1e7887
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/eventials/go-tus v0.0.0-20200718001131-45c7ec8f5d59
 	github.com/gdexlab/go-render v1.0.1
@@ -61,7 +61,6 @@ require (
 go 1.16
 
 replace (
-	github.com/cs3org/go-cs3apis => github.com/butonic/go-cs3apis v0.0.0-20210608111428-0b2c079174c9
 	github.com/eventials/go-tus => github.com/andrewmostello/go-tus v0.0.0-20200314041820-904a9904af9a
 	github.com/oleiade/reflections => github.com/oleiade/reflections v1.0.1
 	google.golang.org/grpc => google.golang.org/grpc v1.26.0 // temporary downgrade
diff --git a/internal/grpc/interceptors/auth/auth.go b/internal/grpc/interceptors/auth/auth.go
index 54b8a24dd9f..b7618b4686d 100644
--- a/internal/grpc/interceptors/auth/auth.go
+++ b/internal/grpc/interceptors/auth/auth.go
@@ -261,7 +261,11 @@ func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token.
 
 			// Since the public share is obtained from the scope, the current token
 			// has access to it.
-			statReq := &provider.StatRequest{Ref: share.ResourceId}
+			statReq := &provider.StatRequest{
+				Ref: &provider.Reference{
+					ResourceId: share.ResourceId,
+				},
+			}
 
 			statResponse, err := client.Stat(ctx, statReq)
 			if err != nil || statResponse.Status.Code != rpc.Code_CODE_OK {
diff --git a/internal/grpc/services/appprovider/appprovider.go b/internal/grpc/services/appprovider/appprovider.go
index 09cd9486ffc..b7545f7927e 100644
--- a/internal/grpc/services/appprovider/appprovider.go
+++ b/internal/grpc/services/appprovider/appprovider.go
@@ -165,7 +165,7 @@ func (s *service) OpenInApp(ctx context.Context, req *providerpb.OpenInAppReques
 	}
 
 	q := httpReq.URL.Query()
-	q.Add("fileid", req.ResourceInfo.GetId().NodeId)
+	q.Add("fileid", req.ResourceInfo.GetId().OpaqueId)
 	q.Add("endpoint", req.ResourceInfo.GetId().StorageId)
 	q.Add("viewmode", req.ViewMode.String())
 	// TODO the folder URL should be resolved as e.g. `'https://cernbox.cern.ch/index.php/apps/files/?dir=' + filepath.Dir(req.Ref.GetPath())`
diff --git a/internal/grpc/services/gateway/ocmshareprovider.go b/internal/grpc/services/gateway/ocmshareprovider.go
index 67b7d2fd315..a64f2dc326e 100644
--- a/internal/grpc/services/gateway/ocmshareprovider.go
+++ b/internal/grpc/services/gateway/ocmshareprovider.go
@@ -54,7 +54,8 @@ func (s *svc) CreateOCMShare(ctx context.Context, req *ocm.CreateOCMShareRequest
 
 	// TODO(labkode): if both commits are enabled they could be done concurrently.
 	if s.c.CommitShareToStorageGrant {
-		addGrantStatus, err := s.addGrant(ctx, req.ResourceId, req.Grant.Grantee, req.Grant.Permissions.Permissions)
+		rid := &provider.Reference{ResourceId: req.ResourceId}
+		addGrantStatus, err := s.addGrant(ctx, rid, req.Grant.Grantee, req.Grant.Permissions.Permissions)
 		if err != nil {
 			return nil, errors.Wrap(err, "gateway: error adding OCM grant to storage")
 		}
@@ -109,7 +110,8 @@ func (s *svc) RemoveOCMShare(ctx context.Context, req *ocm.RemoveOCMShareRequest
 
 	// TODO(labkode): if both commits are enabled they could be done concurrently.
 	if s.c.CommitShareToStorageGrant {
-		removeGrantStatus, err := s.removeGrant(ctx, share.ResourceId, share.Grantee, share.Permissions.Permissions)
+		rid := &provider.Reference{ResourceId: share.ResourceId}
+		removeGrantStatus, err := s.removeGrant(ctx, rid, share.Grantee, share.Permissions.Permissions)
 		if err != nil {
 			return nil, errors.Wrap(err, "gateway: error removing OCM grant from storage")
 		}
@@ -318,7 +320,7 @@ func (s *svc) createOCMReference(ctx context.Context, share *ocm.Share) (*rpc.St
 	if share.ShareType == ocm.Share_SHARE_TYPE_TRANSFER {
 		createTransferDir, err := s.CreateContainer(ctx, &provider.CreateContainerRequest{
 			Ref: &provider.Reference{
-				Path: path.Join(homeRes.Ref.Path, s.c.DataTransfersFolder),
+				Path: path.Join(homeRes.Path, s.c.DataTransfersFolder),
 			},
 		})
 		if err != nil {
@@ -329,14 +331,14 @@ func (s *svc) createOCMReference(ctx context.Context, share *ocm.Share) (*rpc.St
 			return status.NewInternal(ctx, err, "error creating transfers directory"), nil
 		}
 
-		refPath = path.Join(homeRes.Ref.Path, s.c.DataTransfersFolder, path.Base(share.Name))
+		refPath = path.Join(homeRes.Path, s.c.DataTransfersFolder, path.Base(share.Name))
 		targetURI = fmt.Sprintf("datatx://%s@%s?name=%s", token, share.Creator.Idp, share.Name)
 	} else {
 		// reference path is the home path + some name on the corresponding
 		// mesh provider (/home/MyShares/x)
 		// It is the responsibility of the gateway to resolve these references and merge the response back
 		// from the main request.
-		refPath = path.Join(homeRes.Ref.Path, s.c.ShareFolder, path.Base(share.Name))
+		refPath = path.Join(homeRes.Path, s.c.ShareFolder, path.Base(share.Name))
 		// webdav is the scheme, token@host the opaque part and the share name the query of the URL.
 		targetURI = fmt.Sprintf("webdav://%s@%s?name=%s", token, share.Creator.Idp, share.Name)
 	}
diff --git a/internal/grpc/services/gateway/usershareprovider.go b/internal/grpc/services/gateway/usershareprovider.go
index a070a6ee20a..2e9536619a0 100644
--- a/internal/grpc/services/gateway/usershareprovider.go
+++ b/internal/grpc/services/gateway/usershareprovider.go
@@ -320,12 +320,14 @@ func (s *svc) UpdateReceivedShare(ctx context.Context, req *collaboration.Update
 	}, nil
 }
 
-func (s *svc) createReference(ctx context.Context, resourceID *provider.Reference) *rpc.Status {
-
+func (s *svc) createReference(ctx context.Context, resourceID *provider.ResourceId) *rpc.Status {
+	ref := &provider.Reference{
+		ResourceId: resourceID,
+	}
 	log := appctx.GetLogger(ctx)
 
 	// get the metadata about the share
-	c, err := s.find(ctx, resourceID)
+	c, err := s.find(ctx, ref)
 	if err != nil {
 		if _, ok := err.(errtypes.IsNotFound); ok {
 			return status.NewNotFound(ctx, "storage provider not found")
@@ -334,7 +336,7 @@ func (s *svc) createReference(ctx context.Context, resourceID *provider.Referenc
 	}
 
 	statReq := &provider.StatRequest{
-		Ref: resourceID,
+		Ref: ref,
 	}
 
 	statRes, err := c.Stat(ctx, statReq)
@@ -364,13 +366,13 @@ func (s *svc) createReference(ctx context.Context, resourceID *provider.Referenc
 	// It is the responsibility of the gateway to resolve these references and merge the response back
 	// from the main request.
 	// TODO(labkode): the name of the share should be the filename it points to by default.
-	refPath := path.Join(homeRes.Ref.Path, s.c.ShareFolder, path.Base(statRes.Info.Path))
+	refPath := path.Join(homeRes.Path, s.c.ShareFolder, path.Base(statRes.Info.Path))
 	log.Info().Msg("mount path will be:" + refPath)
 
 	createRefReq := &provider.CreateReferenceRequest{
 		Ref: &provider.Reference{Path: refPath},
 		// cs3 is the Scheme and %s/%s is the Opaque parts of a net.URL.
-		TargetUri: fmt.Sprintf("cs3:%s/%s", resourceID.GetStorageId(), resourceID.GetNodeId()),
+		TargetUri: fmt.Sprintf("cs3:%s/%s", resourceID.GetStorageId(), resourceID.GetOpaqueId()),
 	}
 
 	c, err = s.findByPath(ctx, refPath)
@@ -397,17 +399,20 @@ func (s *svc) createReference(ctx context.Context, resourceID *provider.Referenc
 	return status.NewOK(ctx)
 }
 
-func (s *svc) addGrant(ctx context.Context, id *provider.Reference, g *provider.Grantee, p *provider.ResourcePermissions) (*rpc.Status, error) {
+func (s *svc) addGrant(ctx context.Context, id *provider.ResourceId, g *provider.Grantee, p *provider.ResourcePermissions) (*rpc.Status, error) {
+	ref := &provider.Reference{
+		ResourceId: id,
+	}
 
 	grantReq := &provider.AddGrantRequest{
-		Ref: id,
+		Ref: ref,
 		Grant: &provider.Grant{
 			Grantee:     g,
 			Permissions: p,
 		},
 	}
 
-	c, err := s.find(ctx, id)
+	c, err := s.find(ctx, ref)
 	if err != nil {
 		if _, ok := err.(errtypes.IsNotFound); ok {
 			return status.NewNotFound(ctx, "storage provider not found"), nil
@@ -427,17 +432,19 @@ func (s *svc) addGrant(ctx context.Context, id *provider.Reference, g *provider.
 	return status.NewOK(ctx), nil
 }
 
-func (s *svc) updateGrant(ctx context.Context, id *provider.Reference, g *provider.Grantee, p *provider.ResourcePermissions) (*rpc.Status, error) {
-
+func (s *svc) updateGrant(ctx context.Context, id *provider.ResourceId, g *provider.Grantee, p *provider.ResourcePermissions) (*rpc.Status, error) {
+	ref := &provider.Reference{
+		ResourceId: id,
+	}
 	grantReq := &provider.UpdateGrantRequest{
-		Ref: id,
+		Ref: ref,
 		Grant: &provider.Grant{
 			Grantee:     g,
 			Permissions: p,
 		},
 	}
 
-	c, err := s.find(ctx, id)
+	c, err := s.find(ctx, ref)
 	if err != nil {
 		if _, ok := err.(errtypes.IsNotFound); ok {
 			return status.NewNotFound(ctx, "storage provider not found"), nil
@@ -457,17 +464,20 @@ func (s *svc) updateGrant(ctx context.Context, id *provider.Reference, g *provid
 	return status.NewOK(ctx), nil
 }
 
-func (s *svc) removeGrant(ctx context.Context, id *provider.Reference, g *provider.Grantee, p *provider.ResourcePermissions) (*rpc.Status, error) {
+func (s *svc) removeGrant(ctx context.Context, id *provider.ResourceId, g *provider.Grantee, p *provider.ResourcePermissions) (*rpc.Status, error) {
+	ref := &provider.Reference{
+		ResourceId: id,
+	}
 
 	grantReq := &provider.RemoveGrantRequest{
-		Ref: id,
+		Ref: ref,
 		Grant: &provider.Grant{
 			Grantee:     g,
 			Permissions: p,
 		},
 	}
 
-	c, err := s.find(ctx, id)
+	c, err := s.find(ctx, ref)
 	if err != nil {
 		if _, ok := err.(errtypes.IsNotFound); ok {
 			return status.NewNotFound(ctx, "storage provider not found"), nil
diff --git a/internal/grpc/services/ocmcore/ocmcore.go b/internal/grpc/services/ocmcore/ocmcore.go
index 0fcd1dba534..fd41802957a 100644
--- a/internal/grpc/services/ocmcore/ocmcore.go
+++ b/internal/grpc/services/ocmcore/ocmcore.go
@@ -117,8 +117,10 @@ func (s *service) CreateOCMCoreShare(ctx context.Context, req *ocmcore.CreateOCM
 	}
 
 	resource := &provider.Reference{
-		StorageId: parts[0],
-		NodeId:    parts[1],
+		ResourceId: &provider.ResourceId{
+			StorageId: parts[0],
+			OpaqueId:  parts[1],
+		},
 	}
 
 	var resourcePermissions *provider.ResourcePermissions
diff --git a/internal/grpc/services/publicstorageprovider/publicstorageprovider.go b/internal/grpc/services/publicstorageprovider/publicstorageprovider.go
index dcf8a4ff6bb..50273357afd 100644
--- a/internal/grpc/services/publicstorageprovider/publicstorageprovider.go
+++ b/internal/grpc/services/publicstorageprovider/publicstorageprovider.go
@@ -573,7 +573,7 @@ func filterPermissions(l *provider.ResourcePermissions, r *provider.ResourcePerm
 }
 
 func (s *service) unwrap(ctx context.Context, ref *provider.Reference) (token string, relativePath string, err error) {
-	if ref.StorageId != "" || ref.NodeId != "" {
+	if ref.ResourceId.StorageId != "" || ref.ResourceId.OpaqueId != "" {
 		return "", "", errtypes.BadRequest("need absolute path ref: got " + ref.String())
 	}
 
@@ -694,7 +694,9 @@ func (s *service) resolveToken(ctx context.Context, token string) (string, *link
 	}
 
 	sRes, err := s.gateway.Stat(ctx, &provider.StatRequest{
-		Ref: publicShareResponse.GetShare().GetResourceId(),
+		Ref: &provider.Reference{
+			ResourceId: publicShareResponse.GetShare().GetResourceId(),
+		},
 	})
 	switch {
 	case err != nil:
diff --git a/internal/http/services/owncloud/ocdav/ocdav.go b/internal/http/services/owncloud/ocdav/ocdav.go
index 9e973edea67..a5a708e8bb9 100644
--- a/internal/http/services/owncloud/ocdav/ocdav.go
+++ b/internal/http/services/owncloud/ocdav/ocdav.go
@@ -207,7 +207,7 @@ func applyLayout(ctx context.Context, ns string, useLoggedInUserNS bool, request
 }
 
 func wrapResourceID(r *provider.Reference) string {
-	return wrap(r.StorageId, r.NodeId)
+	return wrap(r.ResourceId.StorageId, r.ResourceId.OpaqueId)
 }
 
 // The fileID must be encoded
@@ -234,8 +234,10 @@ func unwrap(rid string) *provider.Reference {
 	}
 
 	return &provider.Reference{
-		StorageId: parts[0],
-		NodeId:    parts[1],
+		ResourceId: &provider.ResourceId{
+			StorageId: parts[0],
+			OpaqueId:  parts[1],
+		},
 	}
 }
 
diff --git a/internal/http/services/owncloud/ocdav/put.go b/internal/http/services/owncloud/ocdav/put.go
index 7a9ad49963b..2381a28d803 100644
--- a/internal/http/services/owncloud/ocdav/put.go
+++ b/internal/http/services/owncloud/ocdav/put.go
@@ -333,7 +333,7 @@ func (s *svc) handlePutHelper(w http.ResponseWriter, r *http.Request, content io
 
 	w.Header().Add("Content-Type", newInfo.MimeType)
 	w.Header().Set("ETag", newInfo.Etag)
-	w.Header().Set("OC-FileId", wrapResourceID(newInfo.Id))
+	w.Header().Set("OC-FileId", wrapResourceID(&provider.Reference{ResourceId: newInfo.Id}))
 	w.Header().Set("OC-ETag", newInfo.Etag)
 	t := utils.TSToTime(newInfo.Mtime).UTC()
 	lastModifiedString := t.Format(time.RFC1123Z)
diff --git a/internal/http/services/owncloud/ocdav/trashbin.go b/internal/http/services/owncloud/ocdav/trashbin.go
index de5d9dede44..cbc992f922b 100644
--- a/internal/http/services/owncloud/ocdav/trashbin.go
+++ b/internal/http/services/owncloud/ocdav/trashbin.go
@@ -179,7 +179,7 @@ func (h *TrashbinHandler) listTrashbin(w http.ResponseWriter, r *http.Request, s
 
 	// ask gateway for recycle items
 	// TODO(labkode): add Reference to ListRecycleRequest
-	getRecycleRes, err := gc.ListRecycle(ctx, &gateway.ListRecycleRequest{Ref: getHomeRes.Ref})
+	getRecycleRes, err := gc.ListRecycle(ctx, &gateway.ListRecycleRequest{Ref: &provider.Reference{Path: getHomeRes.Path}})
 
 	if err != nil {
 		sublog.Error().Err(err).Msg("error calling ListRecycle")
@@ -393,7 +393,9 @@ func (h *TrashbinHandler) restore(w http.ResponseWriter, r *http.Request, s *svc
 		// this means we can only undelete on the same storage, not to a different folder
 		// use the key which is prefixed with the StoragePath to lookup the correct storage ...
 		// TODO currently limited to the home storage
-		Ref:        getHomeRes.Ref,
+		Ref: &provider.Reference{
+			Path: getHomeRes.Path,
+		},
 		Key:        key,
 		RestoreRef: &provider.Reference{Path: dst},
 	}
@@ -437,7 +439,7 @@ func (h *TrashbinHandler) delete(w http.ResponseWriter, r *http.Request, s *svc,
 		HandleErrorStatus(&sublog, w, getHomeRes.Status)
 		return
 	}
-	sRes, err := client.Stat(ctx, &provider.StatRequest{Ref: getHomeRes.Ref})
+	sRes, err := client.Stat(ctx, &provider.StatRequest{Ref: &provider.Reference{Path: getHomeRes.Path}})
 	if err != nil {
 		sublog.Error().Err(err).Msg("error calling Stat")
 		w.WriteHeader(http.StatusInternalServerError)
@@ -453,8 +455,10 @@ func (h *TrashbinHandler) delete(w http.ResponseWriter, r *http.Request, s *svc,
 
 	req := &gateway.PurgeRecycleRequest{
 		Ref: &provider.Reference{
-			NodeId:    key,
-			StorageId: sRes.Info.Id.StorageId,
+			ResourceId: &provider.ResourceId{
+				StorageId: sRes.Info.Id.StorageId,
+				OpaqueId:  key,
+			},
 		},
 	}
 
diff --git a/internal/http/services/owncloud/ocdav/versions.go b/internal/http/services/owncloud/ocdav/versions.go
index 0f833205ad2..fad6182b3ee 100644
--- a/internal/http/services/owncloud/ocdav/versions.go
+++ b/internal/http/services/owncloud/ocdav/versions.go
@@ -139,9 +139,9 @@ func (h *VersionsHandler) doListVersions(w http.ResponseWriter, r *http.Request,
 			// TODO(jfd) we cannot access version content, this will be a problem when trying to fetch version thumbnails
 			// Opaque
 			Type: provider.ResourceType_RESOURCE_TYPE_FILE,
-			Id: &provider.Reference{
-				StorageId: "versions", // this is a virtual storage
-				NodeId:    info.Id.NodeId + "@" + versions[i].GetKey(),
+			Id: &provider.ResourceId{
+				StorageId: "versions",
+				OpaqueId:  info.Id.OpaqueId + "@" + versions[i].GetKey(),
 			},
 			// Checksum
 			Etag: versions[i].Etag,
diff --git a/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go b/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go
index 7f7427a5998..831ed994152 100644
--- a/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go
+++ b/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go
@@ -160,7 +160,7 @@ func (h *Handler) listPublicShares(r *http.Request, filters []*link.ListPublicSh
 		}
 
 		for _, share := range res.GetShare() {
-			info, status, err := h.getResourceInfoByID(ctx, client, share.ResourceId)
+			info, status, err := h.getResourceInfoByID(ctx, client, &provider.Reference{ResourceId: share.ResourceId})
 			if err != nil || status.Code != rpc.Code_CODE_OK {
 				log.Debug().Interface("share", share).Interface("status", status).Err(err).Msg("could not stat share, skipping")
 				continue
@@ -377,7 +377,7 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar
 		return
 	}
 
-	statReq := provider.StatRequest{Ref: before.Share.ResourceId}
+	statReq := provider.StatRequest{Ref: &provider.Reference{ResourceId: before.Share.ResourceId}}
 
 	statRes, err := gwC.Stat(r.Context(), &statReq)
 	if err != nil {
diff --git a/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go b/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go
index 5eeb0dd0902..d56dc774eb2 100644
--- a/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go
+++ b/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go
@@ -112,7 +112,7 @@ func (h *Handler) startCacheWarmup(c cache.Warmup) {
 		return
 	}
 	for _, r := range infos {
-		key := wrapResourceID(r.Id)
+		key := wrapResourceID(&provider.Reference{ResourceId: r.Id})
 		_ = h.resourceInfoCache.SetWithExpire(key, r, time.Second*h.resourceInfoCacheTTL)
 	}
 }
@@ -331,7 +331,7 @@ type PublicShareContextName string
 
 func (h *Handler) getShare(w http.ResponseWriter, r *http.Request, shareID string) {
 	var share *conversions.ShareData
-	var resourceID *provider.Reference
+	var reference *provider.Reference
 	ctx := r.Context()
 	logger := appctx.GetLogger(r.Context())
 	logger.Debug().Str("shareID", shareID).Msg("get share by id")
@@ -371,7 +371,9 @@ func (h *Handler) getShare(w http.ResponseWriter, r *http.Request, shareID strin
 
 	if err == nil && psRes.GetShare() != nil {
 		share = conversions.PublicShare2ShareData(psRes.Share, r, h.publicURL)
-		resourceID = psRes.Share.ResourceId
+		reference = &provider.Reference{
+			ResourceId: psRes.Share.ResourceId,
+		}
 	}
 
 	if share == nil {
@@ -404,7 +406,9 @@ func (h *Handler) getShare(w http.ResponseWriter, r *http.Request, shareID strin
 		*/
 
 		if err == nil && uRes.GetShare() != nil {
-			resourceID = uRes.Share.ResourceId
+			reference = &provider.Reference{
+				ResourceId: uRes.Share.ResourceId,
+			}
 			share, err = conversions.CS3Share2ShareData(ctx, uRes.Share)
 			if err != nil {
 				response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "error mapping share data", err)
@@ -419,7 +423,7 @@ func (h *Handler) getShare(w http.ResponseWriter, r *http.Request, shareID strin
 		return
 	}
 
-	info, status, err := h.getResourceInfoByID(ctx, client, resourceID)
+	info, status, err := h.getResourceInfoByID(ctx, client, reference)
 	if err != nil {
 		log.Error().Err(err).Msg("error mapping share data")
 		response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "error mapping share data", err)
@@ -506,7 +510,9 @@ func (h *Handler) updateShare(w http.ResponseWriter, r *http.Request, shareID st
 		return
 	}
 
-	statReq := provider.StatRequest{Ref: uRes.Share.ResourceId}
+	statReq := provider.StatRequest{Ref: &provider.Reference{
+		ResourceId: uRes.Share.ResourceId,
+	}}
 
 	statRes, err := client.Stat(r.Context(), &statReq)
 	if err != nil {
@@ -616,7 +622,7 @@ func (h *Handler) listSharesWithMe(w http.ResponseWriter, r *http.Request) {
 		var info *provider.ResourceInfo
 		if pinfo != nil {
 			// check if the shared resource matches the path resource
-			if !utils.ResourceEqual(rs.Share.ResourceId, pinfo.Id) {
+			if !utils.ResourceEqual(&provider.Reference{ResourceId: rs.Share.ResourceId}, &provider.Reference{ResourceId: pinfo.Id}) {
 				// try next share
 				continue
 			}
@@ -624,7 +630,7 @@ func (h *Handler) listSharesWithMe(w http.ResponseWriter, r *http.Request) {
 			info = pinfo
 		} else {
 			var status *rpc.Status
-			info, status, err = h.getResourceInfoByID(ctx, client, rs.Share.ResourceId)
+			info, status, err = h.getResourceInfoByID(ctx, client, &provider.Reference{ResourceId: rs.Share.ResourceId})
 			if err != nil || status.Code != rpc.Code_CODE_OK {
 				h.logProblems(status, err, "could not stat, skipping")
 				continue
@@ -763,7 +769,7 @@ func (h *Handler) addFilters(w http.ResponseWriter, r *http.Request, prefix stri
 }
 
 func wrapResourceID(r *provider.Reference) string {
-	return wrap(r.StorageId, r.NodeId)
+	return wrap(r.ResourceId.StorageId, r.ResourceId.OpaqueId)
 }
 
 // The fileID must be encoded
@@ -785,9 +791,9 @@ func (h *Handler) addFileInfo(ctx context.Context, s *conversions.ShareData, inf
 		}
 		s.MimeType = parsedMt
 		// TODO STime:     &types.Timestamp{Seconds: info.Mtime.Seconds, Nanos: info.Mtime.Nanos},
-		s.StorageID = info.Id.StorageId + "!" + info.Id.NodeId
+		s.StorageID = info.Id.StorageId + "!" + info.Id.OpaqueId
 		// TODO Storage: int
-		s.ItemSource = wrapResourceID(info.Id)
+		s.ItemSource = wrapResourceID(&provider.Reference{ResourceId: info.Id})
 		s.FileSource = s.ItemSource
 		s.FileTarget = path.Join("/", path.Base(info.Path))
 		s.Path = path.Join("/", path.Base(info.Path)) // TODO hm this might have to be relative to the users home ... depends on the webdav_namespace config
diff --git a/internal/http/services/owncloud/ocs/handlers/cloud/users/users.go b/internal/http/services/owncloud/ocs/handlers/cloud/users/users.go
index f99dbb6b46d..37f6232784a 100644
--- a/internal/http/services/owncloud/ocs/handlers/cloud/users/users.go
+++ b/internal/http/services/owncloud/ocs/handlers/cloud/users/users.go
@@ -126,7 +126,7 @@ func (h *Handler) handleUsers(w http.ResponseWriter, r *http.Request, u *userpb.
 		return
 	}
 
-	getQuotaRes, err := gc.GetQuota(ctx, &gateway.GetQuotaRequest{Ref: getHomeRes.Ref})
+	getQuotaRes, err := gc.GetQuota(ctx, &gateway.GetQuotaRequest{Ref: &provider.Reference{Path: getHomeRes.Path}})
 	if err != nil {
 		sublog.Error().Err(err).Msg("error calling GetQuota")
 		w.WriteHeader(http.StatusInternalServerError)
diff --git a/pkg/app/provider/demo/demo.go b/pkg/app/provider/demo/demo.go
index ba934dac2ca..28134083e57 100644
--- a/pkg/app/provider/demo/demo.go
+++ b/pkg/app/provider/demo/demo.go
@@ -33,7 +33,7 @@ type provider struct {
 }
 
 func (p *provider) GetIFrame(ctx context.Context, resID *providerpb.Reference, token string) (string, error) {
-	msg := fmt.Sprintf("<iframe src=%s/open/%s?access-token=%s />", p.iframeUIProvider, resID.StorageId+":"+resID.NodeId, token)
+	msg := fmt.Sprintf("<iframe src=%s/open/%s?access-token=%s />", p.iframeUIProvider, resID.ResourceId.StorageId+":"+resID.ResourceId.OpaqueId, token)
 	return msg, nil
 }
 
diff --git a/pkg/auth/scope/publicshare.go b/pkg/auth/scope/publicshare.go
index 2f2f00eda17..872ff56d100 100644
--- a/pkg/auth/scope/publicshare.go
+++ b/pkg/auth/scope/publicshare.go
@@ -72,8 +72,8 @@ func publicshareScope(scope *authpb.Scope, resource interface{}) (bool, error) {
 
 func checkStorageRef(s *link.PublicShare, r *provider.Reference) bool {
 	// r: <id:<storage_id:$storageID node_id:$nodeID path:$path > >
-	if (r.StorageId != "" || r.NodeId != "") && r.Path == "" { // path must be empty
-		return s.ResourceId.StorageId == r.StorageId && s.ResourceId.NodeId == r.NodeId
+	if (r.ResourceId.StorageId != "" || r.ResourceId.OpaqueId != "") && r.Path == "" { // path must be empty
+		return s.ResourceId.StorageId == r.ResourceId.StorageId && s.ResourceId.OpaqueId == r.ResourceId.OpaqueId
 	}
 
 	// r: <path:"/public/$token" >
diff --git a/pkg/auth/scope/resourceinfo.go b/pkg/auth/scope/resourceinfo.go
index 374b8d54493..fe359294109 100644
--- a/pkg/auth/scope/resourceinfo.go
+++ b/pkg/auth/scope/resourceinfo.go
@@ -69,8 +69,8 @@ func resourceinfoScope(scope *authpb.Scope, resource interface{}) (bool, error)
 
 func checkResourceInfo(inf *provider.ResourceInfo, ref *provider.Reference) bool {
 	// ref: <id:<storage_id:$storageID node_id:$nodeID path:$path> >
-	if ref.StorageId != "" || ref.NodeId != "" { // path can be empty or a relative path
-		return inf.Id.StorageId == ref.StorageId && inf.Id.NodeId == ref.NodeId && inf.Id.Path == ref.Path
+	if ref.ResourceId.StorageId != "" || ref.ResourceId.OpaqueId != "" { // path can be empty or a relative path
+		return inf.Id.StorageId == ref.ResourceId.StorageId && inf.Id.OpaqueId == ref.ResourceId.OpaqueId
 	}
 	// ref: <path:$path >
 	if strings.HasPrefix(ref.GetPath(), inf.Path) {
diff --git a/pkg/cbox/publicshare/sql/sql.go b/pkg/cbox/publicshare/sql/sql.go
index 66b846cc72d..cfc0ba6796b 100644
--- a/pkg/cbox/publicshare/sql/sql.go
+++ b/pkg/cbox/publicshare/sql/sql.go
@@ -134,7 +134,7 @@ func (m *manager) CreatePublicShare(ctx context.Context, u *user.User, rInfo *pr
 	permissions := conversions.SharePermToInt(g.Permissions.Permissions)
 	itemType := conversions.ResourceTypeToItem(rInfo.Type)
 	prefix := rInfo.Id.StorageId
-	itemSource := rInfo.Id.NodeId
+	itemSource := rInfo.Id.OpaqueId
 	fileSource, err := strconv.ParseUint(itemSource, 10, 64)
 	if err != nil {
 		// it can be the case that the item source may be a character string
@@ -318,7 +318,7 @@ func (m *manager) ListPublicShares(ctx context.Context, u *user.User, filters []
 			if i != len(filters)-1 {
 				filterQuery += " AND "
 			}
-			params = append(params, f.GetResourceId().StorageId, f.GetResourceId().NodeId)
+			params = append(params, f.GetResourceId().StorageId, f.GetResourceId().OpaqueId)
 		case link.ListPublicSharesRequest_Filter_TYPE_OWNER:
 			filterQuery += "(uid_owner=?)"
 			if i != len(filters)-1 {
diff --git a/pkg/cbox/share/sql/sql.go b/pkg/cbox/share/sql/sql.go
index 21cca37e4a5..f9b0e5eb180 100644
--- a/pkg/cbox/share/sql/sql.go
+++ b/pkg/cbox/share/sql/sql.go
@@ -120,7 +120,7 @@ func (m *mgr) Share(ctx context.Context, md *provider.ResourceInfo, g *collabora
 	targetPath := path.Join("/", path.Base(md.Path))
 	permissions := conversions.SharePermToInt(g.Permissions.Permissions)
 	prefix := md.Id.StorageId
-	itemSource := md.Id.NodeId
+	itemSource := md.Id.OpaqueId
 	fileSource, err := strconv.ParseUint(itemSource, 10, 64)
 	if err != nil {
 		// it can be the case that the item source may be a character string
@@ -178,7 +178,7 @@ func (m *mgr) getByKey(ctx context.Context, key *collaboration.ShareKey) (*colla
 	s := conversions.DBShare{}
 	shareType, shareWith := conversions.FormatGrantee(key.Grantee)
 	query := "select coalesce(uid_owner, '') as uid_owner, coalesce(uid_initiator, '') as uid_initiator, coalesce(share_with, '') as share_with, coalesce(fileid_prefix, '') as fileid_prefix, coalesce(item_source, '') as item_source, id, stime, permissions, share_type FROM oc_share WHERE (orphan = 0 or orphan IS NULL) AND uid_owner=? AND fileid_prefix=? AND item_source=? AND share_type=? AND share_with=? AND (uid_owner=? or uid_initiator=?)"
-	if err := m.db.QueryRow(query, owner, key.ResourceId.StorageId, key.ResourceId.NodeId, shareType, shareWith, uid, uid).Scan(&s.UIDOwner, &s.UIDInitiator, &s.ShareWith, &s.Prefix, &s.ItemSource, &s.ID, &s.STime, &s.Permissions, &s.ShareType); err != nil {
+	if err := m.db.QueryRow(query, owner, key.ResourceId.StorageId, key.ResourceId.OpaqueId, shareType, shareWith, uid, uid).Scan(&s.UIDOwner, &s.UIDInitiator, &s.ShareWith, &s.Prefix, &s.ItemSource, &s.ID, &s.STime, &s.Permissions, &s.ShareType); err != nil {
 		if err == sql.ErrNoRows {
 			return nil, errtypes.NotFound(key.String())
 		}
@@ -219,7 +219,7 @@ func (m *mgr) Unshare(ctx context.Context, ref *collaboration.ShareReference) er
 		shareType, shareWith := conversions.FormatGrantee(key.Grantee)
 		owner := conversions.FormatUserID(key.Owner)
 		query = "delete from oc_share where uid_owner=? AND fileid_prefix=? AND item_source=? AND share_type=? AND share_with=? AND (uid_owner=? or uid_initiator=?)"
-		params = append(params, owner, key.ResourceId.StorageId, key.ResourceId.NodeId, shareType, shareWith, uid, uid)
+		params = append(params, owner, key.ResourceId.StorageId, key.ResourceId.OpaqueId, shareType, shareWith, uid, uid)
 	default:
 		return errtypes.NotFound(ref.String())
 	}
@@ -258,7 +258,7 @@ func (m *mgr) UpdateShare(ctx context.Context, ref *collaboration.ShareReference
 		shareType, shareWith := conversions.FormatGrantee(key.Grantee)
 		owner := conversions.FormatUserID(key.Owner)
 		query = "update oc_share set permissions=?,stime=? where (uid_owner=? or uid_initiator=?) AND fileid_prefix=? AND item_source=? AND share_type=? AND share_with=? AND (uid_owner=? or uid_initiator=?)"
-		params = append(params, permissions, time.Now().Unix(), owner, owner, key.ResourceId.StorageId, key.ResourceId.NodeId, shareType, shareWith, uid, uid)
+		params = append(params, permissions, time.Now().Unix(), owner, owner, key.ResourceId.StorageId, key.ResourceId.OpaqueId, shareType, shareWith, uid, uid)
 	default:
 		return nil, errtypes.NotFound(ref.String())
 	}
@@ -285,7 +285,7 @@ func (m *mgr) ListShares(ctx context.Context, filters []*collaboration.ListShare
 			if i != len(filters)-1 {
 				filterQuery += " AND "
 			}
-			params = append(params, f.GetResourceId().StorageId, f.GetResourceId().NodeId)
+			params = append(params, f.GetResourceId().StorageId, f.GetResourceId().OpaqueId)
 		}
 	}
 	if filterQuery != "" {
@@ -381,7 +381,7 @@ func (m *mgr) getReceivedByKey(ctx context.Context, key *collaboration.ShareKey)
 	uid := conversions.FormatUserID(user.Id)
 
 	shareType, shareWith := conversions.FormatGrantee(key.Grantee)
-	params := []interface{}{uid, conversions.FormatUserID(key.Owner), key.ResourceId.StorageId, key.ResourceId.NodeId, shareType, shareWith, shareWith}
+	params := []interface{}{uid, conversions.FormatUserID(key.Owner), key.ResourceId.StorageId, key.ResourceId.OpaqueId, shareType, shareWith, shareWith}
 	for _, v := range user.Groups {
 		params = append(params, v)
 	}
diff --git a/pkg/cbox/utils/conversions.go b/pkg/cbox/utils/conversions.go
index e2081d60149..12a5510a89e 100644
--- a/pkg/cbox/utils/conversions.go
+++ b/pkg/cbox/utils/conversions.go
@@ -187,7 +187,11 @@ func ConvertToCS3Share(s DBShare) *collaboration.Share {
 		Id: &collaboration.ShareId{
 			OpaqueId: s.ID,
 		},
-		ResourceId:  &provider.Reference{StorageId: s.Prefix, NodeId: s.ItemSource},
+		//ResourceId:  &provider.Reference{StorageId: s.Prefix, NodeId: s.ItemSource},
+		ResourceId: &provider.ResourceId{
+			StorageId: s.Prefix,
+			OpaqueId:  s.ItemSource,
+		},
 		Permissions: &collaboration.SharePermissions{Permissions: IntTosharePerm(s.Permissions)},
 		Grantee:     ExtractGrantee(s.ShareType, s.ShareWith),
 		Owner:       ExtractUserID(s.UIDOwner),
@@ -234,7 +238,10 @@ func ConvertToCS3PublicShare(s DBShare) *link.PublicShare {
 		Id: &link.PublicShareId{
 			OpaqueId: s.ID,
 		},
-		ResourceId:        &provider.Reference{StorageId: s.Prefix, NodeId: s.ItemSource},
+		ResourceId: &provider.ResourceId{
+			StorageId: s.Prefix,
+			OpaqueId:  s.ItemSource,
+		},
 		Permissions:       &link.PublicSharePermissions{Permissions: IntTosharePerm(s.Permissions)},
 		Owner:             ExtractUserID(s.UIDOwner),
 		Creator:           ExtractUserID(s.UIDInitiator),
diff --git a/pkg/ocm/share/manager/json/json.go b/pkg/ocm/share/manager/json/json.go
index 0caa6f56aeb..f952ad12d88 100644
--- a/pkg/ocm/share/manager/json/json.go
+++ b/pkg/ocm/share/manager/json/json.go
@@ -243,7 +243,7 @@ func (m *mgr) Share(ctx context.Context, md *provider.Reference, g *ocm.ShareGra
 	// check if share already exists.
 	key := &ocm.ShareKey{
 		Owner:      userID,
-		ResourceId: md,
+		ResourceId: md.ResourceId,
 		Grantee:    g.Grantee,
 	}
 	_, err := m.getByKey(ctx, key)
@@ -258,7 +258,7 @@ func (m *mgr) Share(ctx context.Context, md *provider.Reference, g *ocm.ShareGra
 			OpaqueId: id,
 		},
 		Name:        name,
-		ResourceId:  md,
+		ResourceId:  md.ResourceId,
 		Permissions: g.Permissions,
 		Grantee:     g.Grantee,
 		Owner:       userID,
@@ -308,7 +308,7 @@ func (m *mgr) Share(ctx context.Context, md *provider.Reference, g *ocm.ShareGra
 		requestBody := url.Values{
 			"shareWith":    {g.Grantee.GetUserId().OpaqueId},
 			"name":         {name},
-			"providerId":   {fmt.Sprintf("%s:%s", md.StorageId, md.NodeId)},
+			"providerId":   {fmt.Sprintf("%s:%s", md.ResourceId.StorageId, md.ResourceId.OpaqueId)},
 			"owner":        {userID.OpaqueId},
 			"protocol":     {string(protocol)},
 			"meshProvider": {userID.Idp},
@@ -416,7 +416,7 @@ func (m *mgr) getByKey(ctx context.Context, key *ocm.ShareKey) (*ocm.Share, erro
 			continue
 		}
 		if (utils.UserEqual(key.Owner, share.Owner) || utils.UserEqual(key.Owner, share.Creator)) &&
-			utils.ResourceEqual(key.ResourceId, share.ResourceId) && utils.GranteeEqual(key.Grantee, share.Grantee) {
+			utils.ResourceEqual(&provider.Reference{ResourceId: key.ResourceId}, &provider.Reference{ResourceId: share.ResourceId}) && utils.GranteeEqual(key.Grantee, share.Grantee) {
 			return &share, nil
 		}
 	}
@@ -492,7 +492,7 @@ func sharesEqual(ref *ocm.ShareReference, s *ocm.Share) bool {
 		}
 	} else if ref.GetKey() != nil {
 		if (utils.UserEqual(ref.GetKey().Owner, s.Owner) || utils.UserEqual(ref.GetKey().Owner, s.Creator)) &&
-			utils.ResourceEqual(ref.GetKey().ResourceId, s.ResourceId) && utils.GranteeEqual(ref.GetKey().Grantee, s.Grantee) {
+			utils.ResourceEqual(&provider.Reference{ResourceId: ref.GetKey().ResourceId}, &provider.Reference{ResourceId: s.ResourceId}) && utils.GranteeEqual(ref.GetKey().Grantee, s.Grantee) {
 			return true
 		}
 	}
@@ -563,7 +563,7 @@ func (m *mgr) ListShares(ctx context.Context, filters []*ocm.ListOCMSharesReques
 				// TODO(labkode): add the rest of filters.
 				for _, f := range filters {
 					if f.Type == ocm.ListOCMSharesRequest_Filter_TYPE_RESOURCE_ID {
-						if utils.ResourceEqual(share.ResourceId, f.GetResourceId()) {
+						if utils.ResourceEqual(&provider.Reference{ResourceId: share.ResourceId}, &provider.Reference{ResourceId: f.GetResourceId()}) {
 							ss = append(ss, &share)
 						}
 					}
diff --git a/pkg/publicshare/manager/json/json.go b/pkg/publicshare/manager/json/json.go
index 7ec59eef78d..655f8b78a75 100644
--- a/pkg/publicshare/manager/json/json.go
+++ b/pkg/publicshare/manager/json/json.go
@@ -379,7 +379,7 @@ func (m *manager) ListPublicShares(ctx context.Context, u *user.User, filters []
 		} else {
 			for i := range filters {
 				if filters[i].Type == link.ListPublicSharesRequest_Filter_TYPE_RESOURCE_ID {
-					if utils.ResourceEqual(local.ResourceId, filters[i].GetResourceId()) {
+					if utils.ResourceEqual(&provider.Reference{ResourceId: local.ResourceId}, &provider.Reference{ResourceId: filters[i].GetResourceId()}) {
 						if notExpired(&local.PublicShare) {
 							shares = append(shares, &local.PublicShare)
 						} else if err := m.revokeExpiredPublicShare(ctx, &local.PublicShare, u); err != nil {
diff --git a/pkg/publicshare/manager/memory/memory.go b/pkg/publicshare/manager/memory/memory.go
index 1a24fe9e0d2..f06aa393580 100644
--- a/pkg/publicshare/manager/memory/memory.go
+++ b/pkg/publicshare/manager/memory/memory.go
@@ -180,7 +180,7 @@ func (m *manager) ListPublicShares(ctx context.Context, u *user.User, filters []
 			} else {
 				for _, f := range filters {
 					if f.Type == link.ListPublicSharesRequest_Filter_TYPE_RESOURCE_ID {
-						if utils.ResourceEqual(s.ResourceId, f.GetResourceId()) {
+						if utils.ResourceEqual(&provider.Reference{ResourceId: s.ResourceId}, &provider.Reference{ResourceId: f.GetResourceId()}) {
 							shares = append(shares, s)
 						}
 					}
diff --git a/pkg/sdk/action/download.go b/pkg/sdk/action/download.go
index 0ba5851c942..7f081a58fa9 100644
--- a/pkg/sdk/action/download.go
+++ b/pkg/sdk/action/download.go
@@ -89,7 +89,7 @@ func (action *DownloadAction) Download(fileInfo *storage.ResourceInfo) ([]byte,
 
 func (action *DownloadAction) initiateDownload(fileInfo *storage.ResourceInfo) (*gateway.InitiateFileDownloadResponse, error) {
 	// Initiating a download request gets us the download endpoint for the specified resource
-	req := &provider.InitiateFileDownloadRequest{Ref: fileInfo.Id}
+	req := &provider.InitiateFileDownloadRequest{Ref: &provider.Reference{ResourceId: fileInfo.Id}}
 	res, err := action.session.Client().InitiateFileDownload(action.session.Context(), req)
 	if err := net.CheckRPCInvocation("initiating download", res, err); err != nil {
 		return nil, err
diff --git a/pkg/share/cache/cbox/cbox.go b/pkg/share/cache/cbox/cbox.go
index 057644e336b..9404926ecfe 100644
--- a/pkg/share/cache/cbox/cbox.go
+++ b/pkg/share/cache/cbox/cbox.go
@@ -127,8 +127,10 @@ func (m *manager) GetResourceInfos() ([]*provider.ResourceInfo, error) {
 		})
 
 		inf, err := eos.GetMD(ctx, &provider.Reference{
-			StorageId: storageID,
-			NodeId:    nodeID,
+			ResourceId: &provider.ResourceId{
+				StorageId: storageID,
+				OpaqueId:  nodeID,
+			},
 		}, []string{})
 		if err != nil {
 			return nil, err
diff --git a/pkg/storage/fs/owncloud/owncloud.go b/pkg/storage/fs/owncloud/owncloud.go
index 9208d3e1463..dec328b203c 100644
--- a/pkg/storage/fs/owncloud/owncloud.go
+++ b/pkg/storage/fs/owncloud/owncloud.go
@@ -661,7 +661,7 @@ func (fs *ocfs) convertToResourceInfo(ctx context.Context, fi os.FileInfo, ip st
 	}
 
 	ri := &provider.ResourceInfo{
-		Id:       &provider.Reference{NodeId: id},
+		Id:       &provider.ResourceId{OpaqueId: id},
 		Path:     sp,
 		Type:     getResourceType(fi.IsDir()),
 		Etag:     etag,
@@ -743,14 +743,14 @@ func (fs *ocfs) getPath(ctx context.Context, id *provider.Reference) (string, er
 	c := fs.pool.Get()
 	defer c.Close()
 	fs.scanFiles(ctx, c)
-	ip, err := redis.String(c.Do("GET", id.NodeId))
+	ip, err := redis.String(c.Do("GET", id.ResourceId.OpaqueId))
 	if err != nil {
-		return "", errtypes.NotFound(id.NodeId)
+		return "", errtypes.NotFound(id.ResourceId.OpaqueId)
 	}
 
 	idFromXattr, err := xattr.Get(ip, idAttribute)
 	if err != nil {
-		return "", errtypes.NotFound(id.NodeId)
+		return "", errtypes.NotFound(id.ResourceId.OpaqueId)
 	}
 
 	uid, err := uuid.FromBytes(idFromXattr)
@@ -758,11 +758,11 @@ func (fs *ocfs) getPath(ctx context.Context, id *provider.Reference) (string, er
 		log.Error().Err(err).Msg("error parsing uuid")
 	}
 
-	if uid.String() != id.NodeId {
-		if _, err := c.Do("DEL", id.NodeId); err != nil {
+	if uid.String() != id.ResourceId.OpaqueId {
+		if _, err := c.Do("DEL", id.ResourceId.OpaqueId); err != nil {
 			return "", err
 		}
-		return "", errtypes.NotFound(id.NodeId)
+		return "", errtypes.NotFound(id.ResourceId.OpaqueId)
 	}
 
 	return ip, nil
@@ -794,7 +794,7 @@ func (fs *ocfs) GetPathByID(ctx context.Context, id *provider.Reference) (string
 func (fs *ocfs) resolve(ctx context.Context, ref *provider.Reference) (string, error) {
 
 	// if storage id is set look up that
-	if ref.StorageId != "" || ref.NodeId != "" {
+	if ref.ResourceId.StorageId != "" || ref.ResourceId.OpaqueId != "" {
 		ip, err := fs.getPath(ctx, ref)
 		if err != nil {
 			return "", err
diff --git a/pkg/storage/fs/s3/s3.go b/pkg/storage/fs/s3/s3.go
index 9386e0fbbcc..99c18e02648 100644
--- a/pkg/storage/fs/s3/s3.go
+++ b/pkg/storage/fs/s3/s3.go
@@ -119,8 +119,8 @@ func (fs *s3FS) resolve(ctx context.Context, ref *provider.Reference) (string, e
 		return fs.addRoot(ref.GetPath()), nil
 	}
 
-	if ref.NodeId != "" {
-		fn := path.Join("/", strings.TrimPrefix(ref.NodeId, "fileid-"))
+	if ref.ResourceId.OpaqueId != "" {
+		fn := path.Join("/", strings.TrimPrefix(ref.ResourceId.OpaqueId, "fileid-"))
 		fn = fs.addRoot(fn)
 		return fn, nil
 	}
@@ -172,8 +172,8 @@ func (fs *s3FS) normalizeObject(ctx context.Context, o *s3.Object, fn string) *p
 	fn = fs.removeRoot(path.Join("/", fn))
 	isDir := strings.HasSuffix(*o.Key, "/")
 	md := &provider.ResourceInfo{
-		Id: &provider.Reference{
-			NodeId: "fileid-" + strings.TrimPrefix(fn, "/"),
+		Id: &provider.ResourceId{
+			OpaqueId: "fileid-" + strings.TrimPrefix(fn, "/"),
 		},
 		Path:          fn,
 		Type:          getResourceType(isDir),
@@ -203,7 +203,7 @@ func (fs *s3FS) normalizeHead(ctx context.Context, o *s3.HeadObjectOutput, fn st
 	fn = fs.removeRoot(path.Join("/", fn))
 	isDir := strings.HasSuffix(fn, "/")
 	md := &provider.ResourceInfo{
-		Id:            &provider.Reference{NodeId: "fileid-" + strings.TrimPrefix(fn, "/")},
+		Id:            &provider.ResourceId{OpaqueId: "fileid-" + strings.TrimPrefix(fn, "/")},
 		Path:          fn,
 		Type:          getResourceType(isDir),
 		Etag:          *o.ETag,
@@ -223,7 +223,7 @@ func (fs *s3FS) normalizeHead(ctx context.Context, o *s3.HeadObjectOutput, fn st
 func (fs *s3FS) normalizeCommonPrefix(ctx context.Context, p *s3.CommonPrefix) *provider.ResourceInfo {
 	fn := fs.removeRoot(path.Join("/", *p.Prefix))
 	md := &provider.ResourceInfo{
-		Id:            &provider.Reference{NodeId: "fileid-" + strings.TrimPrefix(fn, "/")},
+		Id:            &provider.ResourceId{OpaqueId: "fileid-" + strings.TrimPrefix(fn, "/")},
 		Path:          fn,
 		Type:          getResourceType(true),
 		Etag:          "TODO(labkode)",
@@ -245,7 +245,7 @@ func (fs *s3FS) normalizeCommonPrefix(ctx context.Context, p *s3.CommonPrefix) *
 // In this implementation the file id is that path of the file without the first slash
 // thus the file id always points to the filename
 func (fs *s3FS) GetPathByID(ctx context.Context, id *provider.Reference) (string, error) {
-	return path.Join("/", strings.TrimPrefix(id.NodeId, "fileid-")), nil
+	return path.Join("/", strings.TrimPrefix(id.ResourceId.OpaqueId, "fileid-")), nil
 }
 
 func (fs *s3FS) AddGrant(ctx context.Context, ref *provider.Reference, g *provider.Grant) error {
diff --git a/pkg/storage/registry/static/static.go b/pkg/storage/registry/static/static.go
index 298adcf786e..7ab3bed4eda 100644
--- a/pkg/storage/registry/static/static.go
+++ b/pkg/storage/registry/static/static.go
@@ -144,7 +144,7 @@ func (b *reg) FindProviders(ctx context.Context, ref *provider.Reference) ([]*re
 	var shardedMatches []*registrypb.ProviderInfo
 
 	// If the reference has a storage id set, use it to route
-	if ref.StorageId != "" {
+	if ref.ResourceId.StorageId != "" {
 		for prefix, rule := range b.c.Rules {
 			addr := getProviderAddr(ctx, rule)
 			r, err := regexp.Compile("^" + prefix + "$")
@@ -152,9 +152,9 @@ func (b *reg) FindProviders(ctx context.Context, ref *provider.Reference) ([]*re
 				continue
 			}
 			// TODO(labkode): fill path info based on provider id, if path and storage id points to same id, take that.
-			if m := r.FindString(ref.StorageId); m != "" {
+			if m := r.FindString(ref.ResourceId.StorageId); m != "" {
 				return []*registrypb.ProviderInfo{{
-					ProviderId: ref.StorageId,
+					ProviderId: ref.ResourceId.StorageId,
 					Address:    addr,
 				}}, nil
 			}
@@ -163,7 +163,7 @@ func (b *reg) FindProviders(ctx context.Context, ref *provider.Reference) ([]*re
 
 	// TODO if the storage id is not set but node id is set we could poll all storage providers to check if the node is known there
 	// for now, say the reference is invalid
-	if ref.NodeId != "" {
+	if ref.ResourceId.OpaqueId != "" {
 		return nil, errtypes.BadRequest("invalid reference " + ref.String())
 	}
 
diff --git a/pkg/storage/registry/static/static_test.go b/pkg/storage/registry/static/static_test.go
index 49ee3020b4b..1872ba8aab7 100644
--- a/pkg/storage/registry/static/static_test.go
+++ b/pkg/storage/registry/static/static_test.go
@@ -227,7 +227,9 @@ var _ = Describe("Static", func() {
 
 	Describe("FindProviders for reference containing ID", func() {
 		ref := &provider.Reference{
-			StorageId: "123e4567-e89b-12d3-a456-426655440000",
+			ResourceId: &provider.ResourceId{
+				StorageId: "123e4567-e89b-12d3-a456-426655440000",
+			},
 		}
 
 		It("finds all providers for user alice for ref containing ID", func() {