From 35fb5576a8c7db35aab39eb433fdac21e42c333a Mon Sep 17 00:00:00 2001 From: Ishank Arora Date: Tue, 13 Jul 2021 13:46:17 +0200 Subject: [PATCH] Pass directories with trailing slashes to eosclient.GenerateToken (#1883) --- changelog/unreleased/eos-token-dir.md | 3 +++ pkg/cbox/user/rest/cache.go | 21 +++++++-------------- pkg/cbox/utils/conversions.go | 7 ++++++- pkg/eosclient/eosbinary/eosbinary.go | 14 ++++---------- pkg/storage/utils/eosfs/eosfs.go | 17 +++++++++++------ 5 files changed, 31 insertions(+), 31 deletions(-) create mode 100644 changelog/unreleased/eos-token-dir.md diff --git a/changelog/unreleased/eos-token-dir.md b/changelog/unreleased/eos-token-dir.md new file mode 100644 index 0000000000..846bced44f --- /dev/null +++ b/changelog/unreleased/eos-token-dir.md @@ -0,0 +1,3 @@ +Bugfix: Pass directories with trailing slashes to eosclient.GenerateToken + +https://github.com/cs3org/reva/pull/1883 diff --git a/pkg/cbox/user/rest/cache.go b/pkg/cbox/user/rest/cache.go index 418cf8fa2b..5361f0c164 100644 --- a/pkg/cbox/user/rest/cache.go +++ b/pkg/cbox/user/rest/cache.go @@ -41,22 +41,15 @@ func initRedisPool(address, username, password string) *redis.Pool { IdleTimeout: 240 * time.Second, Dial: func() (redis.Conn, error) { - var c redis.Conn - var err error - switch { - case username != "": - c, err = redis.Dial("tcp", address, - redis.DialUsername(username), - redis.DialPassword(password), - ) - case password != "": - c, err = redis.Dial("tcp", address, - redis.DialPassword(password), - ) - default: - c, err = redis.Dial("tcp", address) + var opts []redis.DialOption + if username != "" { + opts = append(opts, redis.DialUsername(username)) + } + if password != "" { + opts = append(opts, redis.DialPassword(password)) } + c, err := redis.Dial("tcp", address, opts...) if err != nil { return nil, err } diff --git a/pkg/cbox/utils/conversions.go b/pkg/cbox/utils/conversions.go index 12a5510a89..18c5cda704 100644 --- a/pkg/cbox/utils/conversions.go +++ b/pkg/cbox/utils/conversions.go @@ -19,6 +19,7 @@ package utils import ( + "strings" "time" grouppb "github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1" @@ -165,7 +166,11 @@ func FormatUserID(u *userpb.UserId) string { // ExtractUserID retrieves a CS3API user ID from a string func ExtractUserID(u string) *userpb.UserId { - return &userpb.UserId{OpaqueId: u} + t := userpb.UserType_USER_TYPE_PRIMARY + if strings.HasPrefix(u, "guest:") { + t = userpb.UserType_USER_TYPE_LIGHTWEIGHT + } + return &userpb.UserId{OpaqueId: u, Type: t} } // FormatGroupID formats a CS3API group ID to a string diff --git a/pkg/eosclient/eosbinary/eosbinary.go b/pkg/eosclient/eosbinary/eosbinary.go index 34286da4dd..10044983f7 100644 --- a/pkg/eosclient/eosbinary/eosbinary.go +++ b/pkg/eosclient/eosbinary/eosbinary.go @@ -304,7 +304,7 @@ func (c *Client) AddACL(ctx context.Context, auth, rootAuth eosclient.Authorizat Key: lwShareAttrKey, Val: sysACL, } - if err = c.SetAttr(ctx, auth, sysACLAttr, true, path); err != nil { + if err = c.SetAttr(ctx, auth, sysACLAttr, finfo.IsDir, path); err != nil { return err } return nil @@ -361,7 +361,7 @@ func (c *Client) RemoveACL(ctx context.Context, auth, rootAuth eosclient.Authori Key: lwShareAttrKey, Val: sysACL, } - if err = c.SetAttr(ctx, auth, sysACLAttr, true, path); err != nil { + if err = c.SetAttr(ctx, auth, sysACLAttr, finfo.IsDir, path); err != nil { return err } return nil @@ -373,13 +373,6 @@ func (c *Client) RemoveACL(ctx context.Context, auth, rootAuth eosclient.Authori args = append(args, "--sys", "--recursive") } else { args = append(args, "--user") - userACLAttr := &eosclient.Attribute{ - Type: SystemAttr, - Key: "eval.useracl", - } - if err = c.UnsetAttr(ctx, auth, userACLAttr, path); err != nil { - return err - } } args = append(args, sysACL, path) @@ -509,6 +502,7 @@ func (c *Client) UnsetAttr(ctx context.Context, auth eosclient.Authorization, at if !isValidAttribute(attr) { return errors.New("eos: attr is invalid: " + serializeAttribute(attr)) } + args := []string{"attr", "-r", "rm", fmt.Sprintf("%d.%s", attr.Type, attr.Key), path} _, _, err := c.executeEOS(ctx, args, auth) if err != nil { @@ -699,7 +693,7 @@ func (c *Client) ReadVersion(ctx context.Context, auth eosclient.Authorization, // GenerateToken returns a token on behalf of the resource owner to be used by lightweight accounts func (c *Client) GenerateToken(ctx context.Context, auth eosclient.Authorization, p string, a *acl.Entry) (string, error) { expiration := strconv.FormatInt(time.Now().Add(time.Duration(c.opt.TokenExpiry)*time.Second).Unix(), 10) - args := []string{"token", "--permission", a.Permissions, "--tree", "--path", path.Clean(p) + "/", "--expires", expiration} + args := []string{"token", "--permission", a.Permissions, "--tree", "--path", p, "--expires", expiration} stdout, _, err := c.executeEOS(ctx, args, auth) return stdout, err } diff --git a/pkg/storage/utils/eosfs/eosfs.go b/pkg/storage/utils/eosfs/eosfs.go index a4affa4fe9..6110fd1386 100644 --- a/pkg/storage/utils/eosfs/eosfs.go +++ b/pkg/storage/utils/eosfs/eosfs.go @@ -191,6 +191,7 @@ func NewEOSFS(c *Config) (storage.FS, error) { Keytab: c.Keytab, SecProtocol: c.SecProtocol, VersionInvariant: c.VersionInvariant, + TokenExpiry: c.TokenExpiry, } eosClient, err = eosbinary.New(eosClientOpts) } @@ -456,7 +457,7 @@ func (fs *eosfs) SetArbitraryMetadata(ctx context.Context, ref *provider.Referen Val: v, } - // TODO(labkode): SetArbitraryMetadata does not has semantic for recursivity. + // TODO(labkode): SetArbitraryMetadata does not have semantics for recursivity. // We set it to false err := fs.c.SetAttr(ctx, auth, attr, false, fn) if err != nil { @@ -1750,29 +1751,33 @@ func (fs *eosfs) getEOSToken(ctx context.Context, u *userpb.User, fn string) (eo }, } - var a *acl.Entry + perm := "rwx" for _, e := range info.SysACL.Entries { if e.Type == acl.TypeLightweight && e.Qualifier == u.Id.OpaqueId { - a = e + perm = e.Permissions break } } p := path.Clean(fn) for p != "." && p != fs.conf.Namespace { - key := p + "!" + a.Permissions + key := p + "!" + perm if tknIf, err := fs.tokenCache.Get(key); err == nil { return eosclient.Authorization{Token: tknIf.(string)}, nil } p = path.Dir(p) } - tkn, err := fs.c.GenerateToken(ctx, auth, fn, a) + if info.IsDir { + // EOS expects directories to have a trailing slash when generating tokens + fn = path.Clean(fn) + "/" + } + tkn, err := fs.c.GenerateToken(ctx, auth, fn, &acl.Entry{Permissions: perm}) if err != nil { return eosclient.Authorization{}, err } - key := path.Clean(fn) + "!" + a.Permissions + key := path.Clean(fn) + "!" + perm _ = fs.tokenCache.SetWithExpire(key, tkn, time.Second*time.Duration(fs.conf.TokenExpiry)) return eosclient.Authorization{Token: tkn}, nil