cs3org · labkode · Jul 12, 2021 · May 28, 2021 · Jun 1, 2021 · Jun 1, 2021
@@ -0,0 +1,9 @@
+Enhancement: Add support for lightweight user types
+
+This PR adds support for assigning and consuming user type when setting/reading
+users. On top of that, support for lightweight users is added. These users have
+to be restricted to accessing only shares received by them, which is
+accomplished by expanding the existing RBAC scope.
+
+https://github.com/cs3org/reva/pull/1744
+https://github.com/cs3org/cs3apis/pull/120
@@ -136,52 +136,42 @@ func appTokensCreateCommand() *command {
 }
 
 func getScope(ctx context.Context, client gateway.GatewayAPIClient, opts *appTokenCreateOpts) (map[string]*authpb.Scope, error) {
-	var scopeList []map[string]*authpb.Scope
-	switch {
-	case opts.Unlimited:
-		return scope.GetOwnerScope()
-	case len(opts.Share) != 0:
+	if opts.Unlimited {
+		return scope.AddOwnerScope(nil)
+	}
+
+	var scopes map[string]*authpb.Scope
+	var err error
+	if len(opts.Share) != 0 {
 		// TODO(gmgigi96): verify format
 		for _, entry := range opts.Share {
 			// share = xxxx:[r|w]
 			shareIDPerm := strings.Split(entry, ":")
 			shareID, perm := shareIDPerm[0], shareIDPerm[1]
-			scope, err := getPublicShareScope(ctx, client, shareID, perm)
+			scopes, err = getPublicShareScope(ctx, client, shareID, perm, scopes)
 			if err != nil {
 				return nil, err
 			}
-			scopeList = append(scopeList, scope)
 		}
-		fallthrough
-	case len(opts.Path) != 0:
+	}
+
+	if len(opts.Path) != 0 {
 		// TODO(gmgigi96): verify format
 		for _, entry := range opts.Path {
 			// path = /home/a/b:[r|w]
 			pathPerm := strings.Split(entry, ":")
 			path, perm := pathPerm[0], pathPerm[1]
-			scope, err := getPathScope(ctx, client, path, perm)
+			scopes, err = getPathScope(ctx, client, path, perm, scopes)
 			if err != nil {
 				return nil, err
 			}
-			scopeList = append(scopeList, scope)
 		}
-		fallthrough
-	default:
-		return mergeListScopeIntoMap(scopeList), nil
 	}
-}
 
-func mergeListScopeIntoMap(scopeList []map[string]*authpb.Scope) map[string]*authpb.Scope {
-	merged := make(map[string]*authpb.Scope)
-	for _, scope := range scopeList {
-		for k, v := range scope {
-			merged[k] = v
-		}
-	}
-	return merged
+	return scopes, nil
 }
 
-func getPublicShareScope(ctx context.Context, client gateway.GatewayAPIClient, shareID, perm string) (map[string]*authpb.Scope, error) {
+func getPublicShareScope(ctx context.Context, client gateway.GatewayAPIClient, shareID, perm string, scopes map[string]*authpb.Scope) (map[string]*authpb.Scope, error) {
 	role, err := parsePermission(perm)
 	if err != nil {
 		return nil, err
@@ -204,10 +194,10 @@ func getPublicShareScope(ctx context.Context, client gateway.GatewayAPIClient, s
 		return nil, formatError(publicShareResponse.Status)
 	}
 
-	return scope.GetPublicShareScope(publicShareResponse.GetShare(), role)
+	return scope.AddPublicShareScope(publicShareResponse.GetShare(), role, scopes)
 }
 
-func getPathScope(ctx context.Context, client gateway.GatewayAPIClient, path, perm string) (map[string]*authpb.Scope, error) {
+func getPathScope(ctx context.Context, client gateway.GatewayAPIClient, path, perm string, scopes map[string]*authpb.Scope) (map[string]*authpb.Scope, error) {
 	role, err := parsePermission(perm)
 	if err != nil {
 		return nil, err
@@ -222,7 +212,7 @@ func getPathScope(ctx context.Context, client gateway.GatewayAPIClient, path, pe
 		return nil, formatError(statResponse.Status)
 	}
 
-	return scope.GetResourceInfoScope(statResponse.GetInfo(), role)
+	return scope.AddResourceInfoScope(statResponse.GetInfo(), role, scopes)
 }
 
 // parse permission string in the form of "rw" to create a role

@@ -31,6 +31,7 @@ import (
 	ocm "github.com/cs3org/go-cs3apis/cs3/sharing/ocm/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
+	"github.com/cs3org/reva/pkg/utils"
 	"github.com/jedib0t/go-pretty/table"
 	"github.com/pkg/errors"
 )
@@ -42,10 +43,11 @@ func ocmShareCreateCommand() *command {
 	grantType := cmd.String("type", "user", "grantee type (user or group)")
 	grantee := cmd.String("grantee", "", "the grantee")
 	idp := cmd.String("idp", "", "the idp of the grantee, default to same idp as the user triggering the action")
+	userType := cmd.String("user-type", "primary", "the type of user account, defaults to primary")
 	rol := cmd.String("rol", "viewer", "the permission for the share (viewer or editor)")
 
 	cmd.ResetFlags = func() {
-		*grantType, *grantee, *idp, *rol = "user", "", "", "viewer"
+		*grantType, *grantee, *idp, *rol, *userType = "user", "", "", "viewer", "primary"
 	}
 
 	cmd.Action = func(w ...io.Writer) error {
@@ -77,8 +79,9 @@ func ocmShareCreateCommand() *command {
 			return err
 		}
 
+		u := &userpb.UserId{OpaqueId: *grantee, Idp: *idp, Type: utils.UserTypeMap(*userType)}
 		remoteUserRes, err := client.GetAcceptedUser(ctx, &invitepb.GetAcceptedUserRequest{
-			RemoteUserId: &userpb.UserId{OpaqueId: *grantee, Idp: *idp},
+			RemoteUserId: u,
 		})
 		if err != nil {
 			return err
@@ -109,10 +112,7 @@ func ocmShareCreateCommand() *command {
 				Type: gt,
 				// For now, we only support user shares.
 				// TODO (ishank011): To be updated once this is decided.
-				Id: &provider.Grantee_UserId{UserId: &userpb.UserId{
-					Idp:      *idp,
-					OpaqueId: *grantee,
-				}},
+				Id: &provider.Grantee_UserId{UserId: u},
 			},
 		}
 

@@ -28,6 +28,7 @@ import (
 	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	collaboration "github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
+	"github.com/cs3org/reva/pkg/utils"
 	"github.com/jedib0t/go-pretty/table"
 	"github.com/pkg/errors"
 )
@@ -40,9 +41,10 @@ func shareCreateCommand() *command {
 	grantee := cmd.String("grantee", "", "the grantee")
 	idp := cmd.String("idp", "", "the idp of the grantee, default to same idp as the user triggering the action")
 	rol := cmd.String("rol", "viewer", "the permission for the share (viewer or editor)")
+	userType := cmd.String("user-type", "primary", "the type of user account, defaults to primary")
 
 	cmd.ResetFlags = func() {
-		*grantType, *grantee, *idp, *rol = "user", "", "", "viewer"
+		*grantType, *grantee, *idp, *rol, *userType = "user", "", "", "viewer", "primary"
 	}
 
 	cmd.Action = func(w ...io.Writer) error {
@@ -94,6 +96,7 @@ func shareCreateCommand() *command {
 			grant.Grantee.Id = &provider.Grantee_UserId{UserId: &userpb.UserId{
 				Idp:      *idp,
 				OpaqueId: *grantee,
+				Type:     utils.UserTypeMap(*userType),
 			}}
 		case "group":
 			grant.Grantee.Id = &provider.Grantee_GroupId{GroupId: &grouppb.GroupId{

@@ -32,6 +32,7 @@ import (
 	ocm "github.com/cs3org/go-cs3apis/cs3/sharing/ocm/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
+	"github.com/cs3org/reva/pkg/utils"
 	"github.com/jedib0t/go-pretty/table"
 	"github.com/pkg/errors"
 )
@@ -43,6 +44,7 @@ func transferCreateCommand() *command {
 	grantee := cmd.String("grantee", "", "the grantee, receiver of the transfer")
 	granteeType := cmd.String("granteeType", "user", "the grantee type, one of: user, group")
 	idp := cmd.String("idp", "", "the idp of the grantee, default to same idp as the user triggering the action")
+	userType := cmd.String("user-type", "primary", "the type of user account, defaults to primary")
 
 	cmd.Action = func(w ...io.Writer) error {
 		if cmd.NArg() < 1 {
@@ -65,9 +67,11 @@ func transferCreateCommand() *command {
 			return err
 		}
 
+		u := &userpb.UserId{OpaqueId: *grantee, Idp: *idp, Type: utils.UserTypeMap(*userType)}
+
 		// check if invitation has been accepted
 		acceptedUserRes, err := client.GetAcceptedUser(ctx, &invitepb.GetAcceptedUserRequest{
-			RemoteUserId: &userpb.UserId{OpaqueId: *grantee, Idp: *idp},
+			RemoteUserId: u,
 		})
 		if err != nil {
 			return err
@@ -127,10 +131,7 @@ func transferCreateCommand() *command {
 				Grantee: &provider.Grantee{
 					Type: gt,
 					Id: &provider.Grantee_UserId{
-						UserId: &userpb.UserId{
-							Idp:      *idp,
-							OpaqueId: *grantee,
-						},
+						UserId: u,
 					},
 				},
 				Permissions: resourcePermissions,

@@ -2,7 +2,8 @@
 	{
 		"id": {
 			"opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
-			"idp": "localhost:20080"
+			"idp": "localhost:20080",
+			"type": 1
 		},
 		"username": "einstein",
 		"secret": "relativity",
@@ -13,7 +14,8 @@
 	{
 		"id": {
 			"opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
-			"idp": "localhost:20080"
+			"idp": "localhost:20080",
+			"type": 1
 		},
 		"username": "marie",
 		"secret": "radioactivity",
@@ -24,7 +26,8 @@
 	{
 		"id": {
 			"opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
-			"idp": "localhost:20080"
+			"idp": "localhost:20080",
+			"type": 1
 		},
 		"username": "richard",
 		"secret": "superfluidity",

@@ -2,7 +2,8 @@
 	{
 		"id": {
 			"opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
-			"idp": "localhost:20080"
+			"idp": "localhost:20080",
+			"type": 1
 		},
 		"username": "einstein",
 		"secret": "relativity",
@@ -13,7 +14,8 @@
 	{
 		"id": {
 			"opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
-			"idp": "localhost:20080"
+			"idp": "localhost:20080",
+			"type": 1
 		},
 		"username": "marie",
 		"secret": "radioactivity",
@@ -24,7 +26,8 @@
 	{
 		"id": {
 			"opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
-			"idp": "localhost:20080"
+			"idp": "localhost:20080",
+			"type": 1
 		},
 		"username": "richard",
 		"secret": "superfluidity",

@@ -2,7 +2,8 @@
 	{
 		"id": {
 			"opaque_id": "jarek1234",
-			"idp": "softwaremind.com"
+			"idp": "softwaremind.com",
+			"type": 1
 		},
 		"username": "jarek",
 		"secret": "jarekpass",
@@ -13,7 +14,8 @@
 	{
 		"id": {
 			"opaque_id": "mateusz5678",
-			"idp": "softwaremind.com"
+			"idp": "softwaremind.com",
+			"type": 1
 		},
 		"username": "mateusz",
 		"secret": "mateuszpass",
@@ -24,7 +26,8 @@
 	{
 		"id": {
 			"opaque_id": "dawid9876",
-			"idp": "softwaremind.com"
+			"idp": "softwaremind.com",
+			"type": 1
 		},
 		"username": "dawid",
 		"secret": "dawidpass",
@@ -35,7 +38,8 @@
 	{
 		"id": {
 			"opaque_id": "test4242",
-			"idp": "softwaremind.com"
+			"idp": "softwaremind.com",
+			"type": 1
 		},
 		"username": "test",
 		"secret": "testpass",

@@ -2,7 +2,8 @@
 	{
 		"id": {
 			"opaque_id": "ishank1234",
-			"idp": "cern.ch"
+			"idp": "cern.ch",
+			"type": 1
 		},
 		"username": "ishank",
 		"secret": "ishankpass",
@@ -13,7 +14,8 @@
 	{
 		"id": {
 			"opaque_id": "hugo5678",
-			"idp": "cern.ch"
+			"idp": "cern.ch",
+			"type": 1
 		},
 		"username": "hugo",
 		"secret": "hugopass",
@@ -24,7 +26,8 @@
 	{
 		"id": {
 			"opaque_id": "samuel9876",
-			"idp": "cern.ch"
+			"idp": "cern.ch",
+			"type": 1
 		},
 		"username": "samuel",
 		"secret": "samuelpass",
@@ -35,7 +38,8 @@
 	{
 		"id": {
 			"opaque_id": "test4242",
-			"idp": "cern.ch"
+			"idp": "cern.ch",
+			"type": 1
 		},
 		"username": "test",
 		"secret": "testpass",

@@ -2,7 +2,8 @@
 	{
 		"id": {
 			"opaque_id": "miroslav1234",
-			"idp": "cesnet.cz"
+			"idp": "cesnet.cz",
+			"type": 1
 		},
 		"username": "miroslav",
 		"secret": "miroslavpass",
@@ -13,7 +14,8 @@
 	{
 		"id": {
 			"opaque_id": "milan5678",
-			"idp": "cesnet.cz"
+			"idp": "cesnet.cz",
+			"type": 1
 		},
 		"username": "milan",
 		"secret": "milanpass",
@@ -24,7 +26,8 @@
 	{
 		"id": {
 			"opaque_id": "test4242",
-			"idp": "cesnet.cz"
+			"idp": "cesnet.cz",
+			"type": 1
 		},
 		"username": "test",
 		"secret": "testpass",