From 316e676fb07b7f452253a8d5bb9f681bc0195174 Mon Sep 17 00:00:00 2001 From: Ishank Arora Date: Wed, 10 Nov 2021 11:14:32 +0100 Subject: [PATCH] Merge user ACLs from EOS to sys ACLs (#2247) --- changelog/unreleased/eos-file-perms.md | 3 +++ pkg/cbox/storage/eoswrapper/eoswrapper.go | 5 ++-- pkg/eosclient/eosbinary/eosbinary.go | 33 ++++++++++++++++++----- 3 files changed, 33 insertions(+), 8 deletions(-) create mode 100644 changelog/unreleased/eos-file-perms.md diff --git a/changelog/unreleased/eos-file-perms.md b/changelog/unreleased/eos-file-perms.md new file mode 100644 index 0000000000..0e5286e3b3 --- /dev/null +++ b/changelog/unreleased/eos-file-perms.md @@ -0,0 +1,3 @@ +Bugfix: Merge user ACLs from EOS to sys ACLs + +https://github.com/cs3org/reva/pull/2247 \ No newline at end of file diff --git a/pkg/cbox/storage/eoswrapper/eoswrapper.go b/pkg/cbox/storage/eoswrapper/eoswrapper.go index c9e805d8a5..bc55aa30c7 100644 --- a/pkg/cbox/storage/eoswrapper/eoswrapper.go +++ b/pkg/cbox/storage/eoswrapper/eoswrapper.go @@ -27,7 +27,6 @@ import ( "github.com/Masterminds/sprig" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" ctxpkg "github.com/cs3org/reva/pkg/ctx" - "github.com/cs3org/reva/pkg/errtypes" "github.com/cs3org/reva/pkg/storage" "github.com/cs3org/reva/pkg/storage/fs/registry" "github.com/cs3org/reva/pkg/storage/utils/eosfs" @@ -154,7 +153,9 @@ func (w *wrapper) setProjectSharingPermissions(ctx context.Context, r *provider. // Extract project name from the path resembling /c/cernbox or /c/cernbox/minutes/.. parts := strings.SplitN(r.Path, "/", 4) if len(parts) != 4 && len(parts) != 3 { - return errtypes.BadRequest("eoswrapper: path does not follow the allowed format") + // The request might be for / or /$letter + // Nothing to do in that case + return nil } adminGroup := projectSpaceGroupsPrefix + parts[2] + projectSpaceAdminGroupsSuffix user := ctxpkg.ContextMustGetUser(ctx) diff --git a/pkg/eosclient/eosbinary/eosbinary.go b/pkg/eosclient/eosbinary/eosbinary.go index 539a961fc0..582c4a63dd 100644 --- a/pkg/eosclient/eosbinary/eosbinary.go +++ b/pkg/eosclient/eosbinary/eosbinary.go @@ -45,6 +45,7 @@ import ( const ( versionPrefix = ".sys.v#." lwShareAttrKey = "reva.lwshare" + userACLEvalKey = "eval.useracl" ) const ( @@ -296,7 +297,7 @@ func (c *Client) AddACL(ctx context.Context, auth, rootAuth eosclient.Authorizat if a.Type == acl.TypeLightweight { sysACL := "" - aclStr, ok := finfo.Attrs[lwShareAttrKey] + aclStr, ok := finfo.Attrs["sys."+lwShareAttrKey] if ok { acls, err := acl.Parse(aclStr, acl.ShortTextForm) if err != nil { @@ -330,7 +331,7 @@ func (c *Client) AddACL(ctx context.Context, auth, rootAuth eosclient.Authorizat args = append(args, "--user") userACLAttr := &eosclient.Attribute{ Type: SystemAttr, - Key: "eval.useracl", + Key: userACLEvalKey, Val: "1", } if err = c.SetAttr(ctx, auth, userACLAttr, false, path); err != nil { @@ -360,7 +361,7 @@ func (c *Client) RemoveACL(ctx context.Context, auth, rootAuth eosclient.Authori if a.Type == acl.TypeLightweight { sysACL := "" - aclStr, ok := finfo.Attrs[lwShareAttrKey] + aclStr, ok := finfo.Attrs["sys."+lwShareAttrKey] if ok { acls, err := acl.Parse(aclStr, acl.ShortTextForm) if err != nil { @@ -979,7 +980,10 @@ func (c *Client) parseFileInfo(raw string) (*eosclient.FileInfo, error) { // handle xattrn and xattrv special cases switch { case partsByEqual[0] == "xattrn": - previousXAttr = strings.Replace(partsByEqual[1], "user.", "", 1) + previousXAttr = partsByEqual[1] + if previousXAttr != "user.acl" { + previousXAttr = strings.Replace(previousXAttr, "user.", "", 1) + } case partsByEqual[0] == "xattrv": attrs[previousXAttr] = partsByEqual[1] previousXAttr = "" @@ -1090,8 +1094,25 @@ func (c *Client) mapToFileInfo(kv, attrs map[string]string) (*eosclient.FileInfo if err != nil { return nil, err } - lwACLStr, ok := attrs[lwShareAttrKey] - if ok { + + // Read user ACLs if sys.eval.useracl is set + if userACLEval, ok := attrs["sys."+userACLEvalKey]; ok && userACLEval == "1" { + if userACL, ok := attrs["user.acl"]; ok { + userAcls, err := acl.Parse(userACL, acl.ShortTextForm) + if err != nil { + return nil, err + } + for _, e := range userAcls.Entries { + err = sysACL.SetEntry(e.Type, e.Qualifier, e.Permissions) + if err != nil { + return nil, err + } + } + } + } + + // Read lightweight ACLs recognized by the sys.reva.lwshare attr + if lwACLStr, ok := attrs["sys."+lwShareAttrKey]; ok { lwAcls, err := acl.Parse(lwACLStr, acl.ShortTextForm) if err != nil { return nil, err