feat: add legacy mode to libregraph link types #7834

Closed

@micbar micbar commented Nov 28, 2023

Description

Enhancement: New public sharing via libregraph link types

We added libregraph link types to the graph service as a new set of API calls to replace the legacy OCS API. We added the endpoint to create links (https://owncloud.dev/libre-graph-api/#/drives.permissions/CreateLink) and the link type listing to the "SharedByMe" call. (Already done in another PR)

We also added a config to match legacy public links created by the OCS API to the new libregraph link types. This config switch is recommended for instances which were already existing before Infinite Scale 5.0.0 was released.

#7834
#7743
#6993

Related Issue

Motivation and Context

Make our APIs better 🎉

How Has This Been Tested?

  • manual test ✅
  • unit tests ✅

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:

@micbar micbar requested review from fschade, rhafer and butonic November 28, 2023 19:08

micbar commented Nov 28, 2023

@kulmann @dragotin @JammingBen @michaelstingl @TheOneRing

That legacy mode might be crucial in the transition process.

Background

The legacy OCS API was creating public links with more permissions than needed 🙈

Example - Folder With "Edit" Permission set

curl 'https://localhost:9200/ocs/v1.php/apps/files_sharing/api/v1/shares/RukBURtBXPmjBiM' \
  -X 'PUT' \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -H 'ocs-apirequest: true' \
  --data-raw 'permissions=15&name=Link&expireDate=' \
  --compressed \
  --insecure

Magic number 15 🪄 is used for the bitmask which means:

      Read   = 1
    + Write  = 2
    + Create = 4
    + Delete = 8
    ------------
    = Total 15

Libregraph representation after wrong 🐛 conversion in the OCS handler (this does not happen on the new libregraph CreateLink endpoint)

    libregraphActions := []string{
        "libre.graph/driveItem/standard/delete",
        "libre.graph/driveItem/path/read",
        "libre.graph/driveItem/quota/read",
        "libre.graph/driveItem/content/read",
        "libre.graph/driveItem/upload/create",
        "libre.graph/driveItem/children/read",
        "libre.graph/driveItem/deleted/read", // list files in trashbin
        "libre.graph/driveItem/path/update",
        "libre.graph/driveItem/deleted/update", // restore file from trashbin
        "libre.graph/driveItem/basic/read",
    }

We can see that

  • libre.graph/driveItem/deleted/update (Restore File from Trashbin)
  • libre.graph/driveItem/deleted/read (List File in Trashbin)

were accidentally ⚠️ added to public links in the past. It did no harm because we cannot list the trashbin via the public link endpoint.

For the new LibreGraph link types we removed 🗑️ these unneeded permissions.

LibreGraph link types

| Type value | Description |
| --- | --- |
| internal | Only people who are invited. |
| view | People can view and download. |
| edit | People can view, download, upload, edit, move, add and delete |
| blocksDownload | Creates a read-only link that blocks download to the item. Could be SecureView in the future. Not implemented yet. |
| createOnly | People can only upload, existing content is not revealed (folders only) |
| upload | People can upload, download and view (folders only) |

Solution

We now have a config ⚙️ which is enabled by default (GRAPH_SHARING_MATCH_LEGACY_PUBLIC_LINK_PERMISSIONS) which takes care that the legacy links from OCS are also sorted into the 5 possible libregraph Link types.

The basic idea is that legacy public links will disappear over time from all instances 😄 .
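
The legacy matching described in the comment above, as an added example that is not code from this pull request or from the ocis code base: it reports which trashbin actions a legacy link carries and whether the link still sorts into the "edit" type. The names `Classify`, `legacyOnly`, `editActions` and the "custom" label are hypothetical, and the "edit" action set is assumed to be the legacy list minus the two trashbin actions.

```go
package main

import "fmt"

// Trashbin actions the comment says legacy public links carry by accident.
var legacyOnly = []string{
	"libre.graph/driveItem/deleted/read",
	"libre.graph/driveItem/deleted/update",
}

// Assumption: "edit" on a folder is the legacy list minus legacyOnly.
var editActions = []string{
	"libre.graph/driveItem/standard/delete", "libre.graph/driveItem/path/read",
	"libre.graph/driveItem/quota/read", "libre.graph/driveItem/content/read",
	"libre.graph/driveItem/upload/create", "libre.graph/driveItem/children/read",
	"libre.graph/driveItem/path/update", "libre.graph/driveItem/basic/read",
}

// Classify returns the link type ("edit" or the hypothetical "custom") and
// the surplus legacy actions found on the link. With matchLegacy false, a
// link carrying any surplus action is not sorted into "edit".
func Classify(actions []string, matchLegacy bool) (string, []string) {
	have := map[string]bool{}
	for _, a := range actions {
		have[a] = true
	}
	var surplus []string
	for _, a := range legacyOnly {
		if have[a] {
			surplus = append(surplus, a)
			delete(have, a) // ignore it for the comparison below
		}
	}
	match := len(have) == len(editActions) && (matchLegacy || len(surplus) == 0)
	for _, a := range editActions {
		match = match && have[a]
	}
	if match {
		return "edit", surplus
	}
	return "custom", surplus
}

func main() {
	// Constructed input: the ten actions of the legacy folder link above.
	legacy := append(append([]string{}, editActions...), legacyOnly...)
	fmt.Println(Classify(legacy, true))
	fmt.Println(Classify(legacy, false))
}
```
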

@micbar micbar force-pushed the add-legacy-permissions-linktype branch from b50d9ea to d98d9ee Compare November 28, 2023 19:32
@micbar micbar requested a review from kulmann November 28, 2023 19:39

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

100.0% 100.0% Coverage
0.0% 0.0% Duplication

@micbar micbar mentioned this pull request Nov 28, 2023
22 tasks

micbar commented Nov 28, 2023

Puh, hit some obstacles 🤦

The OCS backwards conversion is not working. That means we are trapped with the wrong permissions.

Need a fresh start tomorrow.

@butonic @aduffeck maybe some inspiring ideas 🪄


fschade commented Nov 28, 2023

> Puh, hit some obstacles 🤦
>
> The OCS backwards conversion is not working. That means we are trapped with the wrong permissions.
>
> Need a fresh start tomorrow.
>
> @butonic @aduffeck maybe some inspiring ideas 🪄

👏 🙌 for the really good explanation and description! 🤗


micbar commented Nov 29, 2023

After thinking about it, my conclusion is that we need to do that cleanup later for ocis 6.0.0 when the OCS code is removed.

@micbar micbar closed this Nov 29, 2023
@micbar micbar deleted the add-legacy-permissions-linktype branch June 20, 2024 15:04