Enhancement: calculate and expose actual file permission set (#1368)

changelog/unreleased/share-permissions-and-resource-permissions.md

@@ -0,0 +1,14 @@
+Enhancement: calculate and expose actual file permission set
+
+Instead of hardcoding the permissions set for every file and folder to ListContainer:true, CreateContainer:true and always reporting the hardcoded string WCKDNVR for the WebDAV permissions we now aggregate the actual cs3 resource permission set in the storage drivers and correctly map them to ocs permissions and webdav permissions using a common role struct that encapsulates the mapping logic.
+
+https://github.com/cs3org/reva/pull/1368
+https://github.com/owncloud/ocis/issues/552
+https://github.com/owncloud/ocis/issues/762
+https://github.com/owncloud/ocis/issues/763
+https://github.com/owncloud/ocis/issues/893
+https://github.com/owncloud/ocis/issues/1126
+https://github.com/owncloud/ocis-reva/issues/47
+https://github.com/owncloud/ocis-reva/issues/315
+https://github.com/owncloud/ocis-reva/issues/316
+https://github.com/owncloud/product/issues/270

internal/grpc/services/authprovider/authprovider.go

@@ -26,6 +26,7 @@ import (
 	"github.com/cs3org/reva/pkg/appctx"
 	"github.com/cs3org/reva/pkg/auth"
 	"github.com/cs3org/reva/pkg/auth/manager/registry"
+	"github.com/cs3org/reva/pkg/errtypes"
 	"github.com/cs3org/reva/pkg/rgrpc"
 	"github.com/cs3org/reva/pkg/rgrpc/status"
 	"github.com/mitchellh/mapstructure"
@@ -108,18 +109,26 @@ func (s *service) Authenticate(ctx context.Context, req *provider.AuthenticateRe
 	password := req.ClientSecret
 
 	u, err := s.authmgr.Authenticate(ctx, username, password)
-	if err != nil {
+	switch v := err.(type) {
+	case nil:
+		log.Info().Msgf("user %s authenticated", u.String())
+		return &provider.AuthenticateResponse{
+			Status: status.NewOK(ctx),
+			User:   u,
+		}, nil
+	case errtypes.InvalidCredentials:
+		return &provider.AuthenticateResponse{
+			Status: status.NewPermissionDenied(ctx, v, "wrong password"),
+		}, nil
+	case errtypes.NotFound:
+		return &provider.AuthenticateResponse{
+			Status: status.NewNotFound(ctx, "unknown client id"),
+		}, nil
+	default:
 		err = errors.Wrap(err, "authsvc: error in Authenticate")
-		res := &provider.AuthenticateResponse{
+		return &provider.AuthenticateResponse{
 			Status: status.NewUnauthenticated(ctx, err, "error authenticating user"),
-		}
-		return res, nil
+		}, nil
 	}
 
-	log.Info().Msgf("user %s authenticated", u.String())
-	res := &provider.AuthenticateResponse{
-		Status: status.NewOK(ctx),
-		User:   u,
-	}
-	return res, nil
 }

internal/grpc/services/gateway/authprovider.go

@@ -20,6 +20,7 @@ package gateway
 
 import (
 	"context"
+	"fmt"
 
 	provider "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
 	registry "github.com/cs3org/go-cs3apis/cs3/auth/registry/v1beta1"
@@ -53,18 +54,24 @@ func (s *svc) Authenticate(ctx context.Context, req *gateway.AuthenticateRequest
 		ClientSecret: req.ClientSecret,
 	}
 	res, err := c.Authenticate(ctx, authProviderReq)
-	if err != nil {
-		log.Err(err).Msgf("gateway: error calling Authenticate for type: %s", req.Type)
+	switch {
+	case err != nil:
 		return &gateway.AuthenticateResponse{
-			Status: status.NewUnauthenticated(ctx, err, "error authenticating request"),
+			Status: status.NewInternal(ctx, err, fmt.Sprintf("gateway: error calling Authenticate for type: %s", req.Type)),
 		}, nil
-	}
-
-	if res.Status.Code != rpc.Code_CODE_OK {
+	case res.Status.Code == rpc.Code_CODE_PERMISSION_DENIED:
+		fallthrough
+	case res.Status.Code == rpc.Code_CODE_UNAUTHENTICATED:
+		fallthrough
+	case res.Status.Code == rpc.Code_CODE_NOT_FOUND:
+		// normal failures, no need to log
+		return &gateway.AuthenticateResponse{
+			Status: res.Status,
+		}, nil
+	case res.Status.Code != rpc.Code_CODE_OK:
 		err := status.NewErrorFromCode(res.Status.Code, "gateway")
-		log.Err(err).Msgf("error authenticating credentials to auth provider for type: %s", req.Type)
 		return &gateway.AuthenticateResponse{
-			Status: status.NewUnauthenticated(ctx, err, ""),
+			Status: status.NewInternal(ctx, err, fmt.Sprintf("error authenticating credentials to auth provider for type: %s", req.Type)),
 		}, nil
 	}
 

internal/grpc/services/gateway/storageprovider.go

@@ -936,7 +936,7 @@ func (s *svc) UnsetArbitraryMetadata(ctx context.Context, req *provider.UnsetArb
 	c, err := s.find(ctx, req.Ref)
 	if err != nil {
 		return &provider.UnsetArbitraryMetadataResponse{
-			Status: status.NewStatusFromErrType(ctx, "SetArbitraryMetadata ref="+req.Ref.String(), err),
+			Status: status.NewStatusFromErrType(ctx, "UnsetArbitraryMetadata ref="+req.Ref.String(), err),
 		}, nil
 	}
 
@@ -1044,7 +1044,7 @@ func (s *svc) stat(ctx context.Context, req *provider.StatRequest) (*provider.St
 	c, err := s.find(ctx, req.Ref)
 	if err != nil {
 		return &provider.StatResponse{
-			Status: status.NewStatusFromErrType(ctx, "SetArbitraryMetadata ref="+req.Ref.String(), err),
+			Status: status.NewStatusFromErrType(ctx, "stat ref="+req.Ref.String(), err),
 		}, nil
 	}
 

internal/grpc/services/gateway/usershareprovider.go

@@ -46,6 +46,8 @@ func (s *svc) CreateShare(ctx context.Context, req *collaboration.CreateShareReq
 			Status: status.NewInternal(ctx, err, "error getting user share provider client"),
 		}, nil
 	}
+	// TODO the user share manager needs to be able to decide if the current user is allowed to create that share (and not eg. incerase permissions)
+	// jfd: AFAICT this can only be determined by a storage driver - either the storage provider is queried first or the share manager needs to access the storage using a storage driver
 	res, err := c.CreateShare(ctx, req)
 	if err != nil {
 		return nil, errors.Wrap(err, "gateway: error calling CreateShare")

internal/grpc/services/publicshareprovider/publicshareprovider.go

@@ -25,6 +25,7 @@ import (
 	link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	"github.com/cs3org/reva/pkg/appctx"
+	"github.com/cs3org/reva/pkg/errtypes"
 	"github.com/cs3org/reva/pkg/publicshare"
 	"github.com/cs3org/reva/pkg/publicshare/manager/registry"
 	"github.com/cs3org/reva/pkg/rgrpc"
@@ -145,18 +146,29 @@ func (s *service) RemovePublicShare(ctx context.Context, req *link.RemovePublicS
 
 func (s *service) GetPublicShareByToken(ctx context.Context, req *link.GetPublicShareByTokenRequest) (*link.GetPublicShareByTokenResponse, error) {
 	log := appctx.GetLogger(ctx)
-	log.Info().Msg("getting public share by token")
+	log.Debug().Msg("getting public share by token")
 
 	// there are 2 passes here, and the second request has no password
 	found, err := s.sm.GetPublicShareByToken(ctx, req.GetToken(), req.GetPassword())
-	if err != nil {
-		return nil, err
+	switch v := err.(type) {
+	case nil:
+		return &link.GetPublicShareByTokenResponse{
+			Status: status.NewOK(ctx),
+			Share:  found,
+		}, nil
+	case errtypes.InvalidCredentials:
+		return &link.GetPublicShareByTokenResponse{
+			Status: status.NewPermissionDenied(ctx, v, "wrong password"),
+		}, nil
+	case errtypes.NotFound:
+		return &link.GetPublicShareByTokenResponse{
+			Status: status.NewNotFound(ctx, "unknown token"),
+		}, nil
+	default:
+		return &link.GetPublicShareByTokenResponse{
+			Status: status.NewInternal(ctx, v, "unexpected error"),
+		}, nil
 	}
-
-	return &link.GetPublicShareByTokenResponse{
-		Status: status.NewOK(ctx),
-		Share:  found,
-	}, nil
 }
 
 func (s *service) GetPublicShare(ctx context.Context, req *link.GetPublicShareRequest) (*link.GetPublicShareResponse, error) {