Reuse ocs role objects in other drivers

ishank011 · Apr 19, 2022 · d7538d8 · d7538d8
1 parent 8b95ed7
commit d7538d8
Show file tree

Hide file tree

Showing 8 changed files with 63 additions and 116 deletions.
diff --git a/changelog/unreleased/uniform-ocs-roles.md b/changelog/unreleased/uniform-ocs-roles.md
@@ -0,0 +1,3 @@
+Enhancement: Reuse ocs role objects in other drivers
+
+https://github.com/cs3org/reva/pull/2514
diff --git a/cmd/reva/ocm-share-create.go b/cmd/reva/ocm-share-create.go
@@ -31,6 +31,7 @@ import (
 	ocm "github.com/cs3org/go-cs3apis/cs3/sharing/ocm/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
+	"github.com/cs3org/reva/internal/http/services/owncloud/ocs/conversions"
 	"github.com/cs3org/reva/pkg/utils"
 	"github.com/jedib0t/go-pretty/table"
 	"github.com/pkg/errors"
@@ -165,28 +166,11 @@ func ocmShareCreateCommand() *command {
 func getOCMSharePerm(p string) (*ocm.SharePermissions, int, error) {
 	if p == viewerPermission {
 		return &ocm.SharePermissions{
-			Permissions: &provider.ResourcePermissions{
-				GetPath:              true,
-				InitiateFileDownload: true,
-				ListFileVersions:     true,
-				ListContainer:        true,
-				Stat:                 true,
-			},
+			Permissions: conversions.NewViewerRole().CS3ResourcePermissions(),
 		}, 1, nil
 	} else if p == editorPermission {
 		return &ocm.SharePermissions{
-			Permissions: &provider.ResourcePermissions{
-				GetPath:              true,
-				InitiateFileDownload: true,
-				ListFileVersions:     true,
-				ListContainer:        true,
-				Stat:                 true,
-				CreateContainer:      true,
-				Delete:               true,
-				InitiateFileUpload:   true,
-				RestoreFileVersion:   true,
-				Move:                 true,
-			},
+			Permissions: conversions.NewEditorRole().CS3ResourcePermissions(),
 		}, 15, nil
 	}
 	return nil, 0, errors.New("invalid rol: " + p)

diff --git a/internal/grpc/interceptors/auth/scope.go b/internal/grpc/interceptors/auth/scope.go
@@ -50,22 +50,29 @@ const (
 	scopeCacheExpiration = 3600
 )
 
+var roleRankings = map[authpb.Role]int{
+	authpb.Role_ROLE_VIEWER:   0,
+	authpb.Role_ROLE_UPLOADER: 1,
+	authpb.Role_ROLE_EDITOR:   2,
+	authpb.Role_ROLE_OWNER:    3,
+}
+
 func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[string]*authpb.Scope, user *userpb.User, gatewayAddr string, mgr token.Manager) error {
 	log := appctx.GetLogger(ctx)
 	client, err := pool.GetGatewayServiceClient(gatewayAddr)
 	if err != nil {
 		return err
 	}
 
-	hasEditorRole := false
+	highestRole := authpb.Role_ROLE_VIEWER
 	for _, v := range tokenScope {
-		if v.Role == authpb.Role_ROLE_OWNER || v.Role == authpb.Role_ROLE_EDITOR {
-			hasEditorRole = true
+		if roleRankings[v.Role] > roleRankings[highestRole] {
+			highestRole = v.Role
 			break
 		}
 	}
 
-	if ref, ok := extractRef(req, hasEditorRole); ok {
+	if ref, ok := extractRef(req, highestRole); ok {
 		// The request is for a storage reference. This can be the case for multiple scenarios:
 		// - If the path is not empty, the request might be coming from a share where the accessor is
 		//   trying to impersonate the owner, since the share manager doesn't know the
@@ -240,7 +247,7 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent
 
 }
 
-func extractRef(req interface{}, hasEditorRole bool) (*provider.Reference, bool) {
+func extractRefForReaderRole(req interface{}) (*provider.Reference, bool) {
 	switch v := req.(type) {
 	// Read requests
 	case *registry.GetStorageProvidersRequest:
@@ -256,15 +263,16 @@ func extractRef(req interface{}, hasEditorRole bool) (*provider.Reference, bool)
 	case *gateway.OpenInAppRequest:
 		return v.GetRef(), true
 
-		// App provider requests
+	// App provider requests
 	case *appregistry.GetAppProvidersRequest:
 		return &provider.Reference{ResourceId: v.ResourceInfo.Id}, true
 	}
 
-	if !hasEditorRole {
-		return nil, false
-	}
+	return nil, false
 
+}
+
+func extractRefForUploaderRole(req interface{}) (*provider.Reference, bool) {
 	switch v := req.(type) {
 	// Write Requests
 	case *provider.CreateContainerRequest:
@@ -281,7 +289,27 @@ func extractRef(req interface{}, hasEditorRole bool) (*provider.Reference, bool)
 		return v.GetRef(), true
 	case *provider.UnsetArbitraryMetadataRequest:
 		return v.GetRef(), true
+	}
 
+	return nil, false
+
+}
+
+func extractRef(req interface{}, role authpb.Role) (*provider.Reference, bool) {
+	switch role {
+	case authpb.Role_ROLE_UPLOADER:
+		return extractRefForUploaderRole(req)
+	case authpb.Role_ROLE_VIEWER:
+		return extractRefForReaderRole(req)
+	default: // Owner or editor role
+		ref, ok := extractRefForReaderRole(req)
+		if ok {
+			return ref, true
+		}
+		ref, ok = extractRefForUploaderRole(req)
+		if ok {
+			return ref, true
+		}
 	}
 	return nil, false
 }

diff --git a/internal/http/services/owncloud/ocs/conversions/role.go b/internal/http/services/owncloud/ocs/conversions/role.go
@@ -242,7 +242,7 @@ func NewCoownerRole() *Role {
 // NewUploaderRole creates an uploader role
 func NewUploaderRole() *Role {
 	return &Role{
-		Name: RoleViewer,
+		Name: RoleUploader,
 		cS3ResourcePermissions: &provider.ResourcePermissions{
 			Stat:               true,
 			ListContainer:      true,

diff --git a/pkg/auth/manager/publicshares/publicshares.go b/pkg/auth/manager/publicshares/publicshares.go
@@ -137,10 +137,14 @@ func (m *manager) Authenticate(ctx context.Context, token, secret string) (*user
 	share := publicShareResponse.GetShare()
 	role := authpb.Role_ROLE_VIEWER
 	roleStr := "viewer"
-	if share.Permissions.Permissions.InitiateFileUpload {
+	if share.Permissions.Permissions.InitiateFileUpload && !share.Permissions.Permissions.InitiateFileDownload {
+		role = authpb.Role_ROLE_UPLOADER
+		roleStr = "uploader"
+	} else if share.Permissions.Permissions.InitiateFileUpload {
 		role = authpb.Role_ROLE_EDITOR
 		roleStr = "editor"
 	}
+
 	scope, err := scope.AddPublicShareScope(share, role, nil)
 	if err != nil {
 		return nil, nil, err

diff --git a/pkg/auth/scope/scope.go b/pkg/auth/scope/scope.go
@@ -56,5 +56,5 @@ func VerifyScope(ctx context.Context, scopeMap map[string]*authpb.Scope, resourc
 }
 
 func hasRoleEditor(scope authpb.Scope) bool {
-	return scope.Role == authpb.Role_ROLE_EDITOR
+	return scope.Role == authpb.Role_ROLE_OWNER || scope.Role == authpb.Role_ROLE_EDITOR || scope.Role == authpb.Role_ROLE_UPLOADER
 }
diff --git a/pkg/cbox/utils/conversions.go b/pkg/cbox/utils/conversions.go
@@ -28,6 +28,7 @@ import (
 	link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	typespb "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
+	"github.com/cs3org/reva/internal/http/services/owncloud/ocs/conversions"
 )
 
 // DBShare stores information about user and public shares.
@@ -129,46 +130,14 @@ func SharePermToInt(p *provider.ResourcePermissions) int {
 func IntTosharePerm(p int, itemType string) *provider.ResourcePermissions {
 	switch p {
 	case 1:
-		return &provider.ResourcePermissions{
-			ListContainer:        true,
-			ListGrants:           true,
-			ListFileVersions:     true,
-			ListRecycle:          true,
-			Stat:                 true,
-			GetPath:              true,
-			GetQuota:             true,
-			InitiateFileDownload: true,
-		}
+		return conversions.NewViewerRole().CS3ResourcePermissions()
 	case 15:
-		perm := &provider.ResourcePermissions{
-			ListContainer:        true,
-			ListGrants:           true,
-			ListFileVersions:     true,
-			ListRecycle:          true,
-			Stat:                 true,
-			GetPath:              true,
-			GetQuota:             true,
-			InitiateFileDownload: true,
-
-			InitiateFileUpload: true,
-			RestoreFileVersion: true,
-			RestoreRecycleItem: true,
-		}
 		if itemType == "folder" {
-			perm.CreateContainer = true
-			perm.Delete = true
-			perm.Move = true
-			perm.PurgeRecycle = true
+			return conversions.NewEditorRole().CS3ResourcePermissions()
 		}
-		return perm
+		return conversions.NewFileEditorRole().CS3ResourcePermissions()
 	case 4:
-		return &provider.ResourcePermissions{
-			Stat:               true,
-			ListContainer:      true,
-			GetPath:            true,
-			CreateContainer:    true,
-			InitiateFileUpload: true,
-		}
+		return conversions.NewUploaderRole().CS3ResourcePermissions()
 	default:
 		// TODO we may have other options, for now this is a denial
 		return &provider.ResourcePermissions{}

diff --git a/pkg/storage/utils/eosfs/eosfs.go b/pkg/storage/utils/eosfs/eosfs.go
@@ -38,6 +38,7 @@ import (
 	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
+	"github.com/cs3org/reva/internal/http/services/owncloud/ocs/conversions"
 	"github.com/cs3org/reva/pkg/appctx"
 	ctxpkg "github.com/cs3org/reva/pkg/ctx"
 	"github.com/cs3org/reva/pkg/eosclient"
@@ -1677,59 +1678,17 @@ func (fs *eosfs) permissionSet(ctx context.Context, eosFileInfo *eosclient.FileI
 		if u.Opaque != nil {
 			if publicShare, ok := u.Opaque.Map["public-share-role"]; ok {
 				if string(publicShare.Value) == "editor" {
-					return &provider.ResourcePermissions{
-						CreateContainer:      true,
-						Delete:               true,
-						GetPath:              true,
-						GetQuota:             true,
-						InitiateFileDownload: true,
-						InitiateFileUpload:   true,
-						ListContainer:        true,
-						ListFileVersions:     true,
-						ListGrants:           true,
-						ListRecycle:          true,
-						Move:                 true,
-						PurgeRecycle:         true,
-						RestoreFileVersion:   true,
-						RestoreRecycleItem:   true,
-						Stat:                 true,
-					}
-				}
-				return &provider.ResourcePermissions{
-					GetPath:              true,
-					GetQuota:             true,
-					InitiateFileDownload: true,
-					ListContainer:        true,
-					ListFileVersions:     true,
-					ListRecycle:          true,
-					ListGrants:           true,
-					Stat:                 true,
+					return conversions.NewEditorRole().CS3ResourcePermissions()
+				} else if string(publicShare.Value) == "uploader" {
+					return conversions.NewUploaderRole().CS3ResourcePermissions()
 				}
+				// Default to viewer role
+				return conversions.NewViewerRole().CS3ResourcePermissions()
 			}
 		}
 
-		return &provider.ResourcePermissions{
-			// owner has all permissions
-			AddGrant:             true,
-			CreateContainer:      true,
-			Delete:               true,
-			GetPath:              true,
-			GetQuota:             true,
-			InitiateFileDownload: true,
-			InitiateFileUpload:   true,
-			ListContainer:        true,
-			ListFileVersions:     true,
-			ListGrants:           true,
-			ListRecycle:          true,
-			Move:                 true,
-			PurgeRecycle:         true,
-			RemoveGrant:          true,
-			RestoreFileVersion:   true,
-			RestoreRecycleItem:   true,
-			Stat:                 true,
-			UpdateGrant:          true,
-			DenyGrant:            true,
-		}
+		// owner has all permissions
+		return conversions.NewManagerRole().CS3ResourcePermissions()
 	}
 
 	auth, err := fs.getUserAuth(ctx, u, eosFileInfo.File)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		Enhancement: Reuse ocs role objects in other drivers

		https://github.com/cs3org/reva/pull/2514