Mint temporary token for expanding access

cs3org · Jun 1, 2021 · 271fe79 · 271fe79
1 parent bb8e41c
commit 271fe79
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 15 deletions.
diff --git a/internal/grpc/interceptors/auth/auth.go b/internal/grpc/interceptors/auth/auth.go
@@ -31,6 +31,7 @@ import (
 	"github.com/cs3org/reva/pkg/appctx"
 	"github.com/cs3org/reva/pkg/auth/scope"
 	"github.com/cs3org/reva/pkg/errtypes"
+	statuspkg "github.com/cs3org/reva/pkg/rgrpc/status"
 	"github.com/cs3org/reva/pkg/rgrpc/todo/pool"
 	"github.com/cs3org/reva/pkg/sharedconf"
 	"github.com/cs3org/reva/pkg/token"
@@ -267,7 +268,8 @@ func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token.
 						continue
 					}
 					shares, err := client.ListReceivedShares(ctx, &collaboration.ListReceivedSharesRequest{})
-					if err != nil {
+					if err != nil || shares.Status.Code != rpc.Code_CODE_OK {
+						log.Warn().Err(err).Msg("error listing received shares")
 						continue
 					}
 					for _, share := range shares.Shares {
@@ -280,7 +282,7 @@ func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token.
 		}
 	}
 
-	return nil, err
+	return nil, errtypes.PermissionDenied("access to resource not allowed within the assigned scope")
 }
 
 func checkResourcePath(ctx context.Context, ref *provider.Reference, r *provider.ResourceId, gatewayAddr string) (bool, error) {
@@ -298,9 +300,12 @@ func checkResourcePath(ctx context.Context, ref *provider.Reference, r *provider
 	}
 
 	statResponse, err := client.Stat(ctx, statReq)
-	if err != nil || statResponse.Status.Code != rpc.Code_CODE_OK {
+	if err != nil {
 		return false, err
 	}
+	if statResponse.Status.Code != rpc.Code_CODE_OK {
+		return false, statuspkg.NewErrorFromCode(statResponse.Status.Code, "auth interceptor")
+	}
 
 	if strings.HasPrefix(ref.GetPath(), statResponse.Info.Path) {
 		// The path corresponds to the resource to which the token has access.

diff --git a/internal/grpc/services/gateway/authprovider.go b/internal/grpc/services/gateway/authprovider.go
@@ -27,6 +27,7 @@ import (
 	provider "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
 	registry "github.com/cs3org/go-cs3apis/cs3/auth/registry/v1beta1"
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
+	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	collaboration "github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1"
 	link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
@@ -98,6 +99,23 @@ func (s *svc) Authenticate(ctx context.Context, req *gateway.AuthenticateRequest
 		}, nil
 	}
 
+	// We need to expand the scopes of lightweight accounts, user shares and
+	// public shares, for which we need to retrieve the receieved shares and stat
+	// the resources referenced by these. Since the current scope can do that,
+	// mint a temporary token based on that and expand the scope. Then set the
+	// token obtained from the updated scope in the context.
+	token, err := s.tokenmgr.MintToken(ctx, res.User, res.TokenScope)
+	if err != nil {
+		err = errors.Wrap(err, "authsvc: error in MintToken")
+		res := &gateway.AuthenticateResponse{
+			Status: status.NewUnauthenticated(ctx, err, "error creating access token"),
+		}
+		return res, nil
+	}
+
+	ctx = tokenpkg.ContextSetToken(ctx, token)
+	ctx = userpkg.ContextSetUser(ctx, res.User)
+	ctx = metadata.AppendToOutgoingContext(ctx, tokenpkg.TokenHeader, token)
 	scope, err := s.expandScopes(ctx, res.TokenScope)
 	if err != nil {
 		err = errors.Wrap(err, "authsvc: error expanding token scope")
@@ -106,7 +124,7 @@ func (s *svc) Authenticate(ctx context.Context, req *gateway.AuthenticateRequest
 		}, nil
 	}
 
-	token, err := s.tokenmgr.MintToken(ctx, res.User, scope)
+	token, err = s.tokenmgr.MintToken(ctx, res.User, scope)
 	if err != nil {
 		err = errors.Wrap(err, "authsvc: error in MintToken")
 		res := &gateway.AuthenticateResponse{
@@ -115,7 +133,7 @@ func (s *svc) Authenticate(ctx context.Context, req *gateway.AuthenticateRequest
 		return res, nil
 	}
 
-	if scope, ok := res.TokenScope["user"]; s.c.DisableHomeCreationOnLogin || !ok || scope.Role != authpb.Role_ROLE_OWNER {
+	if scope, ok := res.TokenScope["user"]; s.c.DisableHomeCreationOnLogin || !ok || scope.Role != authpb.Role_ROLE_OWNER || res.User.Id.Type == userpb.UserType_USER_TYPE_FEDERATED {
 		gwRes := &gateway.AuthenticateResponse{
 			Status: status.NewOK(ctx),
 			User:   res.User,
@@ -206,45 +224,54 @@ func (s *svc) findAuthProvider(ctx context.Context, authType string) (provider.P
 }
 
 func (s *svc) expandScopes(ctx context.Context, scopeMap map[string]*authpb.Scope) (map[string]*authpb.Scope, error) {
+	log := appctx.GetLogger(ctx)
 	newMap := make(map[string]*authpb.Scope)
+
 	for k, v := range scopeMap {
 		newMap[k] = v
 		switch {
 		case strings.HasPrefix(k, "publicshare"):
 			var share link.PublicShare
 			err := utils.UnmarshalJSONToProtoV1(v.Resource.Value, &share)
 			if err != nil {
-				return nil, err
+				log.Warn().Err(err).Msgf("error unmarshalling public share %+v", v.Resource.Value)
+				continue
 			}
 			newMap, err = s.statAndAddResource(ctx, share.ResourceId, v.Role, newMap)
 			if err != nil {
-				return nil, err
+				log.Warn().Err(err).Msgf("error expanding publicshare scope %+v", share.ResourceId)
+				continue
 			}
 
 		case strings.HasPrefix(k, "share"):
 			var share collaboration.Share
 			err := utils.UnmarshalJSONToProtoV1(v.Resource.Value, &share)
 			if err != nil {
-				return nil, err
+				log.Warn().Err(err).Msgf("error unmarshalling share %+v", v.Resource.Value)
+				continue
 			}
 			newMap, err = s.statAndAddResource(ctx, share.ResourceId, v.Role, newMap)
 			if err != nil {
-				return nil, err
+				log.Warn().Err(err).Msgf("error expanding share scope %+v", share.ResourceId)
+				continue
 			}
 
 		case strings.HasPrefix(k, "lightweight"):
 			shares, err := s.ListReceivedShares(ctx, &collaboration.ListReceivedSharesRequest{})
-			if err != nil {
-				return nil, err
+			if err != nil || shares.Status.Code != rpc.Code_CODE_OK {
+				log.Warn().Err(err).Msg("error listing received shares")
+				continue
 			}
 			for _, share := range shares.Shares {
 				newMap, err = scope.AddShareScope(share.Share, v.Role, newMap)
 				if err != nil {
-					return nil, err
+					log.Warn().Err(err).Msgf("error expanding received share scope %+v", share.Share.ResourceId)
+					continue
 				}
 				newMap, err = s.statAndAddResource(ctx, share.Share.ResourceId, v.Role, newMap)
 				if err != nil {
-					return nil, err
+					log.Warn().Err(err).Msgf("error expanding received share scope %+v", share.Share.ResourceId)
+					continue
 				}
 			}
 		}
@@ -259,8 +286,12 @@ func (s *svc) statAndAddResource(ctx context.Context, r *storageprovider.Resourc
 		},
 	}
 	statResponse, err := s.Stat(ctx, statReq)
-	if err != nil || statResponse.Status.Code != rpc.Code_CODE_OK {
-		return nil, err
+	if err != nil {
+		return scopeMap, err
 	}
+	if statResponse.Status.Code != rpc.Code_CODE_OK {
+		return scopeMap, status.NewErrorFromCode(statResponse.Status.Code, "authprovider")
+	}
+
 	return scope.AddResourceInfoScope(statResponse.Info, role, scopeMap)
 }