Pass directories with trailing slashes to eosclient.GenerateToken (#1883

)

changelog/unreleased/eos-token-dir.md

@@ -0,0 +1,3 @@
+Bugfix: Pass directories with trailing slashes to eosclient.GenerateToken
+
+https://github.com/cs3org/reva/pull/1883

pkg/cbox/user/rest/cache.go

@@ -41,22 +41,15 @@ func initRedisPool(address, username, password string) *redis.Pool {
 		IdleTimeout: 240 * time.Second,
 
 		Dial: func() (redis.Conn, error) {
-			var c redis.Conn
-			var err error
-			switch {
-			case username != "":
-				c, err = redis.Dial("tcp", address,
-					redis.DialUsername(username),
-					redis.DialPassword(password),
-				)
-			case password != "":
-				c, err = redis.Dial("tcp", address,
-					redis.DialPassword(password),
-				)
-			default:
-				c, err = redis.Dial("tcp", address)
+			var opts []redis.DialOption
+			if username != "" {
+				opts = append(opts, redis.DialUsername(username))
+			}
+			if password != "" {
+				opts = append(opts, redis.DialPassword(password))
 			}
 
+			c, err := redis.Dial("tcp", address, opts...)
 			if err != nil {
 				return nil, err
 			}

pkg/cbox/utils/conversions.go

@@ -19,6 +19,7 @@
 package utils
 
 import (
+	"strings"
 	"time"
 
 	grouppb "github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1"
@@ -165,7 +166,11 @@ func FormatUserID(u *userpb.UserId) string {
 
 // ExtractUserID retrieves a CS3API user ID from a string
 func ExtractUserID(u string) *userpb.UserId {
-	return &userpb.UserId{OpaqueId: u}
+	t := userpb.UserType_USER_TYPE_PRIMARY
+	if strings.HasPrefix(u, "guest:") {
+		t = userpb.UserType_USER_TYPE_LIGHTWEIGHT
+	}
+	return &userpb.UserId{OpaqueId: u, Type: t}
 }
 
 // FormatGroupID formats a CS3API group ID to a string

pkg/eosclient/eosbinary/eosbinary.go

@@ -304,7 +304,7 @@ func (c *Client) AddACL(ctx context.Context, auth, rootAuth eosclient.Authorizat
 			Key:  lwShareAttrKey,
 			Val:  sysACL,
 		}
-		if err = c.SetAttr(ctx, auth, sysACLAttr, true, path); err != nil {
+		if err = c.SetAttr(ctx, auth, sysACLAttr, finfo.IsDir, path); err != nil {
 			return err
 		}
 		return nil
@@ -361,7 +361,7 @@ func (c *Client) RemoveACL(ctx context.Context, auth, rootAuth eosclient.Authori
 			Key:  lwShareAttrKey,
 			Val:  sysACL,
 		}
-		if err = c.SetAttr(ctx, auth, sysACLAttr, true, path); err != nil {
+		if err = c.SetAttr(ctx, auth, sysACLAttr, finfo.IsDir, path); err != nil {
 			return err
 		}
 		return nil
@@ -373,13 +373,6 @@ func (c *Client) RemoveACL(ctx context.Context, auth, rootAuth eosclient.Authori
 		args = append(args, "--sys", "--recursive")
 	} else {
 		args = append(args, "--user")
-		userACLAttr := &eosclient.Attribute{
-			Type: SystemAttr,
-			Key:  "eval.useracl",
-		}
-		if err = c.UnsetAttr(ctx, auth, userACLAttr, path); err != nil {
-			return err
-		}
 	}
 	args = append(args, sysACL, path)
 
@@ -509,6 +502,7 @@ func (c *Client) UnsetAttr(ctx context.Context, auth eosclient.Authorization, at
 	if !isValidAttribute(attr) {
 		return errors.New("eos: attr is invalid: " + serializeAttribute(attr))
 	}
+
 	args := []string{"attr", "-r", "rm", fmt.Sprintf("%d.%s", attr.Type, attr.Key), path}
 	_, _, err := c.executeEOS(ctx, args, auth)
 	if err != nil {
@@ -699,7 +693,7 @@ func (c *Client) ReadVersion(ctx context.Context, auth eosclient.Authorization,
 // GenerateToken returns a token on behalf of the resource owner to be used by lightweight accounts
 func (c *Client) GenerateToken(ctx context.Context, auth eosclient.Authorization, p string, a *acl.Entry) (string, error) {
 	expiration := strconv.FormatInt(time.Now().Add(time.Duration(c.opt.TokenExpiry)*time.Second).Unix(), 10)
-	args := []string{"token", "--permission", a.Permissions, "--tree", "--path", path.Clean(p) + "/", "--expires", expiration}
+	args := []string{"token", "--permission", a.Permissions, "--tree", "--path", p, "--expires", expiration}
 	stdout, _, err := c.executeEOS(ctx, args, auth)
 	return stdout, err
 }

pkg/storage/utils/eosfs/eosfs.go

@@ -191,6 +191,7 @@ func NewEOSFS(c *Config) (storage.FS, error) {
 			Keytab:              c.Keytab,
 			SecProtocol:         c.SecProtocol,
 			VersionInvariant:    c.VersionInvariant,
+			TokenExpiry:         c.TokenExpiry,
 		}
 		eosClient, err = eosbinary.New(eosClientOpts)
 	}
@@ -456,7 +457,7 @@ func (fs *eosfs) SetArbitraryMetadata(ctx context.Context, ref *provider.Referen
 			Val:  v,
 		}
 
-		// TODO(labkode): SetArbitraryMetadata does not has semantic for recursivity.
+		// TODO(labkode): SetArbitraryMetadata does not have semantics for recursivity.
 		// We set it to false
 		err := fs.c.SetAttr(ctx, auth, attr, false, fn)
 		if err != nil {
@@ -1750,29 +1751,33 @@ func (fs *eosfs) getEOSToken(ctx context.Context, u *userpb.User, fn string) (eo
 		},
 	}
 
-	var a *acl.Entry
+	perm := "rwx"
 	for _, e := range info.SysACL.Entries {
 		if e.Type == acl.TypeLightweight && e.Qualifier == u.Id.OpaqueId {
-			a = e
+			perm = e.Permissions
 			break
 		}
 	}
 
 	p := path.Clean(fn)
 	for p != "." && p != fs.conf.Namespace {
-		key := p + "!" + a.Permissions
+		key := p + "!" + perm
 		if tknIf, err := fs.tokenCache.Get(key); err == nil {
 			return eosclient.Authorization{Token: tknIf.(string)}, nil
 		}
 		p = path.Dir(p)
 	}
 
-	tkn, err := fs.c.GenerateToken(ctx, auth, fn, a)
+	if info.IsDir {
+		// EOS expects directories to have a trailing slash when generating tokens
+		fn = path.Clean(fn) + "/"
+	}
+	tkn, err := fs.c.GenerateToken(ctx, auth, fn, &acl.Entry{Permissions: perm})
 	if err != nil {
 		return eosclient.Authorization{}, err
 	}
 
-	key := path.Clean(fn) + "!" + a.Permissions
+	key := path.Clean(fn) + "!" + perm
 	_ = fs.tokenCache.SetWithExpire(key, tkn, time.Second*time.Duration(fs.conf.TokenExpiry))
 
 	return eosclient.Authorization{Token: tkn}, nil