From a381e5d3cc39bd209c178b88b500997cdc4f69df Mon Sep 17 00:00:00 2001
From: Gianmaria Del Monte
Date: Wed, 6 Sep 2023 08:50:53 +0200
Subject: [PATCH 1/4] add noshare interceptor
---
internal/grpc/interceptors/noshare/noshare.go | 83 +++++++++++++++++++
1 file changed, 83 insertions(+)
create mode 100644 internal/grpc/interceptors/noshare/noshare.go
diff --git a/internal/grpc/interceptors/noshare/noshare.go b/internal/grpc/interceptors/noshare/noshare.go
new file mode 100644
index 0000000000..30a6103b3b
--- /dev/null
+++ b/internal/grpc/interceptors/noshare/noshare.go
@@ -0,0 +1,83 @@
+// Copyright 2018-2023 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package noshare
+
+import (
+ "context"
+
+ provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
+ "github.com/cs3org/reva/pkg/rgrpc"
+ rstatus "github.com/cs3org/reva/pkg/rgrpc/status"
+ "google.golang.org/grpc"
+)
+
+const (
+ defaultPriority = 200
+)
+
+func init() {
+ rgrpc.RegisterUnaryInterceptor("noshare", NewUnary)
+}
+
+// NewUnary returns a new unary interceptor
+// that checks grpc calls and blocks write requests.
+func NewUnary(_ map[string]interface{}) (grpc.UnaryServerInterceptor, int, error) {
+ return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+ switch req.(type) {
+ case *provider.ListContainerRequest:
+ resp, err := handler(ctx, req)
+ if listResp, ok := resp.(*provider.ListContainerResponse); ok && listResp.Infos != nil {
+ for _, info := range listResp.Infos {
+ if info.PermissionSet != nil {
+ info.PermissionSet.AddGrant = false
+ info.PermissionSet.RemoveGrant = false
+ info.PermissionSet.UpdateGrant = false
+ }
+ }
+ }
+ return resp, err
+ case *provider.StatRequest:
+ resp, err := handler(ctx, req)
+ if statResp, ok := resp.(*provider.StatResponse); ok && statResp.Info != nil && statResp.Info.PermissionSet != nil {
+ statResp.Info.PermissionSet.AddGrant = false
+ statResp.Info.PermissionSet.RemoveGrant = false
+ statResp.Info.PermissionSet.UpdateGrant = false
+ }
+ return resp, err
+ case *provider.AddGrantRequest:
+ return &provider.AddGrantResponse{
+ Status: rstatus.NewPermissionDenied(ctx, nil, "permission denied: tried to add grant on a noshare storage"),
+ }, nil
+ case *provider.DenyGrantRequest:
+ return &provider.DenyGrantResponse{
+ Status: rstatus.NewPermissionDenied(ctx, nil, "permission denied: tried to deny grant on a noshare storage"),
+ }, nil
+ case *provider.RemoveGrantRequest:
+ return &provider.RemoveGrantResponse{
+ Status: rstatus.NewPermissionDenied(ctx, nil, "permission denied: tried to remove grant on a noshare storage"),
+ }, nil
+ case *provider.UpdateGrantRequest:
+ return &provider.UpdateGrantResponse{
+ Status: rstatus.NewPermissionDenied(ctx, nil, "permission denied: tried to update grant on a noshare storage"),
+ }, nil
+ default:
+ return handler(ctx, req)
+ }
+ }, defaultPriority, nil
+}
From 184e3162c30e27a722efe9d8dc6d02ebd8ac0b54 Mon Sep 17 00:00:00 2001
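Review bot: The doc comment on `NewUnary` says the interceptor "blocks write requests", which is not what the body does: the switch rejects the four grant RPCs (add, deny, remove, update) and clears grant flags on Stat and ListContainer responses, while every other request, writes included, reaches `handler` through `default`. Suggested wording: `// NewUnary returns a unary interceptor that rejects grant changes and clears the grant permissions reported by Stat and ListContainer.` A line above `default:` should also state that the switch is a deny-list, so a grant-mutating request type added to the provider API later passes through until it is listed here, and that the cleared flags are advisory while the rejected RPCs are the actual enforcement. Separately, the loop variable in `for _, info := range listResp.Infos` shadows the `info *grpc.UnaryServerInfo` parameter; a name such as `ri` avoids that.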
From: Gianmaria Del Monte
Date: Wed, 6 Sep 2023 08:53:04 +0200
Subject: [PATCH 2/4] add changelog
---
changelog/unreleased/noshare.md | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 changelog/unreleased/noshare.md
diff --git a/changelog/unreleased/noshare.md b/changelog/unreleased/noshare.md
new file mode 100644
index 0000000000..95151bd7ab
--- /dev/null
+++ b/changelog/unreleased/noshare.md
@@ -0,0 +1,6 @@
+Enhancement: Disable sharing on a storage provider
+
+Added a GRPC interceptor that disable sharing permissions
+on a storage provider.
+
+https://github.com/cs3org/reva/pull/4162
From 1815990edba786037da5716be7055a98a0cfd621 Mon Sep 17 00:00:00 2001
From: Gianmaria Del Monte
Date: Wed, 6 Sep 2023 08:54:21 +0200
Subject: [PATCH 3/4] register noshare interceptor
---
internal/grpc/interceptors/loader/loader.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/internal/grpc/interceptors/loader/loader.go b/internal/grpc/interceptors/loader/loader.go
index 8b995af76f..ac2e784ec9 100644
--- a/internal/grpc/interceptors/loader/loader.go
+++ b/internal/grpc/interceptors/loader/loader.go
@@ -21,6 +21,7 @@ package loader
 import (
 // Load core GRPC services.
 _ "github.com/cs3org/reva/internal/grpc/interceptors/eventsmiddleware"
+ _ "github.com/cs3org/reva/internal/grpc/interceptors/noshare"
 _ "github.com/cs3org/reva/internal/grpc/interceptors/readonly"
 // Add your own service here.
 )
From 7c44396b1c24ed24edc75801c8153bbcdefc5bf1 Mon Sep 17 00:00:00 2001
From: Gianmaria Del Monte
Date: Wed, 6 Sep 2023 09:23:16 +0200
Subject: [PATCH 4/4] disable deny grant
---
internal/grpc/interceptors/noshare/noshare.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/internal/grpc/interceptors/noshare/noshare.go b/internal/grpc/interceptors/noshare/noshare.go
index 30a6103b3b..28fd74620b 100644
--- a/internal/grpc/interceptors/noshare/noshare.go
+++ b/internal/grpc/interceptors/noshare/noshare.go
@@ -48,6 +48,7 @@ func NewUnary(_ map[string]interface{}) (grpc.UnaryServerInterceptor, int, error
 info.PermissionSet.AddGrant = false
 info.PermissionSet.RemoveGrant = false
 info.PermissionSet.UpdateGrant = false
+ info.PermissionSet.DenyGrant = false
 }
 }
 }
@@ -58,6 +59,7 @@ func NewUnary(_ map[string]interface{}) (grpc.UnaryServerInterceptor, int, error
 statResp.Info.PermissionSet.AddGrant = false
 statResp.Info.PermissionSet.RemoveGrant = false
 statResp.Info.PermissionSet.UpdateGrant = false
+ statResp.Info.PermissionSet.DenyGrant = false
 }
 return resp, err
 case *provider.AddGrantRequest:
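Review bot: The four grant flags are now cleared by two hand-copied lists, one in the ListContainer branch (first hunk) and one in the Stat branch (second hunk), and this commit exists because `DenyGrant` was missing from both. A single helper that takes the permission set and clears every grant flag would keep the two response paths from drifting again if another grant permission is added; each branch then reduces to one call and the nil check moves into the helper. No test is visible in this series asserting that a Stat or ListContainer response comes back with all four flags false, which would have caught the omission. `NewUnary` starts and ends outside both hunks.

```go
// clearGrantPermissions turns off every grant-related flag on p so that
// clients are not told sharing is possible on a noshare storage.
func clearGrantPermissions(p *provider.ResourcePermissions) {
	if p == nil {
		return
	}
	p.AddGrant = false
	p.DenyGrant = false
	p.RemoveGrant = false
	p.UpdateGrant = false
}

// … unchanged: ListContainer branch, inside the loop over listResp.Infos …
clearGrantPermissions(info.PermissionSet)
// … unchanged: Stat branch, inside the statResp.Info check …
clearGrantPermissions(statResp.Info.PermissionSet)
```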