Persistency of incoming OCM shares - incorrect handling of read-only folders

[glpatcern]

Currently, incoming OCM shares are stored in the native EFSS table oc_external_share. This implies that some metadata gets forgotten as the EFSS does not allow to store all metadata.

On top of the well-known multiple protocols (which would enable apps, see pondersource/sciencemesh-php#161) and their options, the permissions associated with the webdav protocol (either read, write or share) get lost.

The consequence is that OC (and NC) delegate the permission check to the provider (remote) site, as opposed to already block locally with e.g. greying out the upload action in the GUI. But in the ScienceMesh scenario where reva proxies the remote site, a read-only share is just not respected, because reva has full power (via shared secret) over the SM app and would honor an upload independent from the original permissions.

I propose to not address this issue now, but just document it and say that read-only shares are not supported by the SM app. A proper fix requires creating a table to persist the OCM 1.1 payload, and would be beneficial to finally implement also apps and data transfers.

[glpatcern]

Related to this issue, commit cs3org/reva@8620ddc in Reva currently includes all the missing fields "documented" as FIXME comments, to be populated once the payload gets exposed by the SM app.

[glpatcern]

Related to this: when a share is sent to CERNBox, which does implement full persistency of the OCM 1.1 share payload, it turns out the received permissions are set as read-only, and the sender cannot change them.

[MahdiBaghbani]

The database schema of ocm payload:

The payload received from Reva calling /~{userId}/api/ocm/addReceivedShare:

Array
(
    [userId] => marie
    [_route] => sciencemesh.reva.addReceivedShare
    [name] => TestFolder
    [remoteShareId] => "2"
    [grantee] => Array
    (
        [type] => GRANTEE_TYPE_USER
        [userId] => Array
        (
            [idp] => revaowncloud2.docker
            [opaqueId] => marie
        )
        
    )
    [owner] => Array
    (
        [idp] => revaowncloud1.docker
        [opaqueId] => einstein
        [type] => USER_TYPE_FEDERATED
    )
    [creator] => Array
    (
        [idp] => revaowncloud1.docker
        [opaqueId] => einstein
        [type] => USER_TYPE_FEDERATED
    )
    [ctime] => Array
    (
        [seconds] => 1694897330
    )                          
    [mtime] => Array
    (
        [seconds] => 1694897330
    )
    [shareType] => SHARE_TYPE_USER
    [protocols] => Array
    (
        [0] => Array
        (
            [webappOptions] => Array
            (
                [uriTemplate] => https://revaowncloud1.docker/external/sciencemesh/IIUVilCNV11TdSjO9yPbYXoALwO7xelu/{relative-path-to-shared-resource}
            )
        )
        [1] => Array
        (
            [webdavOptions] => Array
            (
                [sharedSecret] => IIUVilCNV11TdSjO9yPbYXoALwO7xelu
                [permissions] => Array
                (                                    
                    [permissions] => Array
                    (
                        [getPath] => 1
                        [initiateFileDownload] => 1
                        [listContainer] => 1
                        [stat] => 1
                    )
                )
                [uri] => https://revaowncloud1.docker/remote.php/dav/ocm/IIUVilCNV11TdSjO9yPbYXoALwO7xelu
            )
        )
    )
    [state] => SHARE_STATE_PENDING
    [resourceType] => RESOURCE_TYPE_CONTAINER
)                                                      

@glpatcern can you help me with these?

1. It looks like Reva gets this value from the SM app in the first place! but doesn't explain why we have [name] => TestFolder here, since https://github.com/cs3org/reva/blob/a9dc6d321db83514bc1f996c37adf587bfbb9305/pkg/ocm/share/repository/nextcloud/nextcloud.go#L172 && https://github.com/cs3org/reva/blob/a9dc6d321db83514bc1f996c37adf587bfbb9305/pkg/ocm/share/repository/nextcloud/nextcloud.go#L305
   Maybe I'm looking at the wrong place.
   [edit] Ah, of course, they are coming from https://github.com/cs3org/reva/blob/a9dc6d321db83514bc1f996c37adf587bfbb9305/pkg/ocm/share/repository/nextcloud/nextcloud.go#L286, which I cannot follow to the protobuf definition, I'd like to know how this part works.

2. is grantee == share_with and creator == initiator? if yes why different names? (not that it is a big problem, I just want to get familiar with OCM)

3. we have to join share_with, owner, and initiator with @ to store them in the database in a format like opaqueId@idp, however, information about user type will be lost.

4. what are the enum values for SHARE_TYPE_USER, RESOURCE_TYPE_CONTAINER, and user types in general? I can implement my own set of value mapping s in PHP but I want to be as compliant with OCM as I can.

5. can view_mode of ocm_protocol_webapp be null? since it is not returned in the payload or the payload is incomplete since we don't really use web apps yet.

6. What is the difference between type and item_type? I can't find item_type in the returned payload, what is their mapping to resourceType and shareType?

7. is the ocm_received_shares field type the same as the ocm_received_share_protocols field type?

8. shouldn't [webdavOptions] have a flat permissions with integer value?

[MahdiBaghbani]

Initial support for the persistence of OCM shares has been implemented at this commit. the hard-coded values and unclear entity mappings should be fixed.

Native EFSS db entry:

MariaDB [efss]>  select * from oc_share_external;
+----+------------------------------+-----------+----------------------------------+----------+----------------+-------+----------+--------------------------------------------+----------------------------------+----------+----------+
| id | remote                       | remote_id | share_token                      | password | name           | owner | user     | mountpoint                                 | mountpoint_hash                  | accepted | lastscan |
+----+------------------------------+-----------+----------------------------------+----------+----------------+-------+----------+--------------------------------------------+----------------------------------+----------+----------+
|  1 | https://revaowncloud2.docker | 1         | V7qCEYl4mDo1ZprS553yvgLrA15lYOxk | NULL     | TestOcmPayload | marie | einstein | {{TemporaryMountPointName#TestOcmPayload}} | 93d316b2153e299d599c6cc339063f6b |        0 |     NULL |
+----+------------------------------+-----------+----------------------------------+----------+----------------+-------+----------+--------------------------------------------+----------------------------------+----------+----------+
1 row in set (0.001 sec)

OCM tables entries:

MariaDB [efss]>  select * from oc_sciencemesh_ocm_received_shares;
+----+-------------------+----------------+-----------+-------------------------------+----------------------------+----------------------------+------------+------------+------------+------+-------+-----------------+
| id | share_external_id | name           | item_type | share_with                    | owner                      | initiator                  | ctime      | mtime      | expiration | type | state | remote_share_id |
+----+-------------------+----------------+-----------+-------------------------------+----------------------------+----------------------------+------------+------------+------------+------+-------+-----------------+
|  1 |                 1 | TestOcmPayload |         1 | einstein@revaowncloud1.docker | marie@revaowncloud2.docker | marie@revaowncloud2.docker | 1694950501 | 1694950501 |       NULL |    1 |     1 | "1"             |
+----+-------------------+----------------+-----------+-------------------------------+----------------------------+----------------------------+------------+------------+------------+------+-------+-----------------+
1 row in set (0.000 sec)

MariaDB [efss]>  select * from oc_sciencemesh_ocm_received_share_protocols;
+----+-----------------------+------+
| id | ocm_received_share_id | type |
+----+-----------------------+------+
|  1 |                     1 |    1 |
+----+-----------------------+------+
1 row in set (0.000 sec)

MariaDB [efss]>  select * from oc_sciencemesh_ocm_protocol_transfer;
Empty set (0.001 sec)

MariaDB [efss]>  select * from oc_sciencemesh_ocm_protocol_webapp;
Empty set (0.001 sec)

MariaDB [efss]>  select * from oc_sciencemesh_ocm_protocol_webdav;
+-----------------+----------------------------------------------------------------------------------+----------------------------------+-------------+
| ocm_protocol_id | uri                                                                              | shared_secret                    | permissions |
+-----------------+----------------------------------------------------------------------------------+----------------------------------+-------------+
|               1 | https://revaowncloud2.docker/remote.php/dav/ocm/V7qCEYl4mDo1ZprS553yvgLrA15lYOxk | V7qCEYl4mDo1ZprS553yvgLrA15lYOxk |           1 |
+-----------------+----------------------------------------------------------------------------------+----------------------------------+-------------+
1 row in set (0.000 sec)

[glpatcern]

To address the questions, a general answer is that everything is specified in the official OCM API at: https://cs3org.github.io/OCM-API/docs.html?branch=v1.1.0&repo=OCM-API&user=cs3org#/paths/~1shares/post

For more details we better get together ;-)

[glpatcern]

This all works now with ownCloud, Nextcloud just needs the same patch