From cddbdd4c560f83481da7db84890555d26ada3a0e Mon Sep 17 00:00:00 2001 From: David Christofas Date: Fri, 15 Oct 2021 16:41:12 +0200 Subject: [PATCH] Enabling apps to work in public shares. (#2143) Co-authored-by: Willy Kloucek --- changelog/unreleased/public-share-app-auth.md | 6 + internal/grpc/interceptors/auth/auth.go | 19 ++-- internal/grpc/interceptors/auth/scope.go | 103 +++++++++++++----- internal/http/interceptors/auth/auth.go | 2 +- pkg/auth/scope/lightweight.go | 5 +- pkg/auth/scope/publicshare.go | 39 +++++-- pkg/auth/scope/receivedshare.go | 9 +- pkg/auth/scope/resourceinfo.go | 17 ++- pkg/auth/scope/scope.go | 10 +- pkg/auth/scope/share.go | 8 +- pkg/auth/scope/user.go | 5 +- 11 files changed, 164 insertions(+), 59 deletions(-) create mode 100644 changelog/unreleased/public-share-app-auth.md diff --git a/changelog/unreleased/public-share-app-auth.md b/changelog/unreleased/public-share-app-auth.md new file mode 100644 index 0000000000..4ac7fe2acf --- /dev/null +++ b/changelog/unreleased/public-share-app-auth.md @@ -0,0 +1,6 @@ +Change: Make apps able to work with public shares + +Public share receivers were not possible to use apps in public shares because the apps couldn't load the files in the public shares. This has now been made possible by changing the scope checks for public shares. + +https://github.com/owncloud/ocis/issues/2479 +https://github.com/cs3org/reva/pull/2143 diff --git a/internal/grpc/interceptors/auth/auth.go b/internal/grpc/interceptors/auth/auth.go index 927eab3713..1db27bb2b1 100644 --- a/internal/grpc/interceptors/auth/auth.go +++ b/internal/grpc/interceptors/auth/auth.go @@ -23,6 +23,7 @@ import ( "time" "github.com/bluele/gcache" + gatewayv1beta1 "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1" userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" "github.com/cs3org/reva/pkg/appctx" "github.com/cs3org/reva/pkg/auth/scope" @@ -209,8 +210,13 @@ func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token. return nil, err } + client, err := pool.GetGatewayServiceClient(gatewayAddr) + if err != nil { + return nil, err + } + if sharedconf.SkipUserGroupsInToken() && fetchUserGroups { - groups, err := getUserGroups(ctx, u, gatewayAddr) + groups, err := getUserGroups(ctx, u, client) if err != nil { return nil, err } @@ -218,7 +224,7 @@ func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token. } // Check if access to the resource is in the scope of the token - ok, err := scope.VerifyScope(tokenScope, req) + ok, err := scope.VerifyScope(ctx, tokenScope, req) if err != nil { return nil, errtypes.InternalError("error verifying scope of access token") } @@ -226,25 +232,20 @@ func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token. return u, nil } - if err = expandAndVerifyScope(ctx, req, tokenScope, gatewayAddr); err != nil { + if err = expandAndVerifyScope(ctx, req, tokenScope, gatewayAddr, mgr); err != nil { return nil, err } return u, nil } -func getUserGroups(ctx context.Context, u *userpb.User, gatewayAddr string) ([]string, error) { +func getUserGroups(ctx context.Context, u *userpb.User, client gatewayv1beta1.GatewayAPIClient) ([]string, error) { if groupsIf, err := userGroupsCache.Get(u.Id.OpaqueId); err == nil { log := appctx.GetLogger(ctx) log.Info().Msgf("user groups found in cache %s", u.Id.OpaqueId) return groupsIf.([]string), nil } - client, err := pool.GetGatewayServiceClient(gatewayAddr) - if err != nil { - return nil, err - } - res, err := client.GetUserGroups(ctx, &userpb.GetUserGroupsRequest{UserId: u.Id}) if err != nil { return nil, errors.Wrap(err, "gateway: error calling GetUserGroups") diff --git a/internal/grpc/interceptors/auth/scope.go b/internal/grpc/interceptors/auth/scope.go index 7cac0416b3..113a67a311 100644 --- a/internal/grpc/interceptors/auth/scope.go +++ b/internal/grpc/interceptors/auth/scope.go @@ -22,21 +22,33 @@ import ( "context" "strings" + appprovider "github.com/cs3org/go-cs3apis/cs3/app/provider/v1beta1" + appregistry "github.com/cs3org/go-cs3apis/cs3/app/registry/v1beta1" authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1" + gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1" + userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1" collaboration "github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1" link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" registry "github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1" "github.com/cs3org/reva/pkg/appctx" + "github.com/cs3org/reva/pkg/auth/scope" + ctxpkg "github.com/cs3org/reva/pkg/ctx" "github.com/cs3org/reva/pkg/errtypes" statuspkg "github.com/cs3org/reva/pkg/rgrpc/status" "github.com/cs3org/reva/pkg/rgrpc/todo/pool" + "github.com/cs3org/reva/pkg/token" "github.com/cs3org/reva/pkg/utils" + "google.golang.org/grpc/metadata" ) -func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[string]*authpb.Scope, gatewayAddr string) error { +func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[string]*authpb.Scope, gatewayAddr string, mgr token.Manager) error { log := appctx.GetLogger(ctx) + client, err := pool.GetGatewayServiceClient(gatewayAddr) + if err != nil { + return err + } if ref, ok := extractRef(req); ok { // Check if req is of type *provider.Reference_Path @@ -53,7 +65,7 @@ func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[s if err != nil { continue } - if ok, err := checkResourcePath(ctx, ref, share.ResourceId, gatewayAddr); err == nil && ok { + if ok, err := checkIfNestedResource(ctx, ref, share.ResourceId, client, mgr); err == nil && ok { return nil } @@ -63,21 +75,17 @@ func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[s if err != nil { continue } - if ok, err := checkResourcePath(ctx, ref, share.ResourceId, gatewayAddr); err == nil && ok { + if ok, err := checkIfNestedResource(ctx, ref, share.ResourceId, client, mgr); err == nil && ok { return nil } case strings.HasPrefix(k, "lightweight"): - client, err := pool.GetGatewayServiceClient(gatewayAddr) - if err != nil { - continue - } shares, err := client.ListReceivedShares(ctx, &collaboration.ListReceivedSharesRequest{}) if err != nil || shares.Status.Code != rpc.Code_CODE_OK { log.Warn().Err(err).Msg("error listing received shares") continue } for _, share := range shares.Shares { - if ok, err := checkResourcePath(ctx, ref, share.Share.ResourceId, gatewayAddr); err == nil && ok { + if ok, err := checkIfNestedResource(ctx, ref, share.Share.ResourceId, client, mgr); err == nil && ok { return nil } } @@ -85,15 +93,17 @@ func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[s } } else { // ref has ID present - // The request might be coming from a share created for a lightweight account - // after the token was minted. - log.Info().Msgf("resolving ID reference against received shares to verify token scope %+v", ref.GetResourceId()) + // The request might be coming from + // - a resource present inside a shared folder, or + // - a share created for a lightweight account after the token was minted. + client, err := pool.GetGatewayServiceClient(gatewayAddr) if err != nil { return err } for k := range tokenScope { if strings.HasPrefix(k, "lightweight") { + log.Info().Msgf("resolving ID reference against received shares to verify token scope %+v", ref.GetResourceId()) shares, err := client.ListReceivedShares(ctx, &collaboration.ListReceivedSharesRequest{}) if err != nil || shares.Status.Code != rpc.Code_CODE_OK { log.Warn().Err(err).Msg("error listing received shares") @@ -104,6 +114,15 @@ func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[s return nil } } + } else if strings.HasPrefix(k, "publicshare") { + var share link.PublicShare + err := utils.UnmarshalJSONToProtoV1(tokenScope[k].Resource.Value, &share) + if err != nil { + continue + } + if ok, err := checkIfNestedResource(ctx, ref, share.ResourceId, client, mgr); err == nil && ok { + return nil + } } } } @@ -140,32 +159,50 @@ func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[s return errtypes.PermissionDenied("access to resource not allowed within the assigned scope") } -func checkResourcePath(ctx context.Context, ref *provider.Reference, r *provider.ResourceId, gatewayAddr string) (bool, error) { - client, err := pool.GetGatewayServiceClient(gatewayAddr) - if err != nil { - return false, err - } - +func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent *provider.ResourceId, client gateway.GatewayAPIClient, mgr token.Manager) (bool, error) { // Since the resource ID is obtained from the scope, the current token // has access to it. - statReq := &provider.StatRequest{ - Ref: &provider.Reference{ResourceId: r}, - } - - statResponse, err := client.Stat(ctx, statReq) + statResponse, err := client.Stat(ctx, &provider.StatRequest{Ref: &provider.Reference{ResourceId: parent}}) if err != nil { return false, err } if statResponse.Status.Code != rpc.Code_CODE_OK { return false, statuspkg.NewErrorFromCode(statResponse.Status.Code, "auth interceptor") } + parentPath := statResponse.Info.Path + + childPath := ref.GetPath() + if childPath == "" { + // We mint a token as the owner of the public share and try to stat the reference + // TODO(ishank011): We need to find a better alternative to this + + userResp, err := client.GetUser(ctx, &userpb.GetUserRequest{UserId: statResponse.Info.Owner}) + if err != nil || userResp.Status.Code != rpc.Code_CODE_OK { + return false, err + } + + scope, err := scope.AddOwnerScope(map[string]*authpb.Scope{}) + if err != nil { + return false, err + } + token, err := mgr.MintToken(ctx, userResp.User, scope) + if err != nil { + return false, err + } + ctx = metadata.AppendToOutgoingContext(context.Background(), ctxpkg.TokenHeader, token) - if strings.HasPrefix(ref.GetPath(), statResponse.Info.Path) { - // The path corresponds to the resource to which the token has access. - // We allow access to it. - return true, nil + childStat, err := client.Stat(ctx, &provider.StatRequest{Ref: ref}) + if err != nil { + return false, err + } + if childStat.Status.Code != rpc.Code_CODE_OK { + return false, statuspkg.NewErrorFromCode(childStat.Status.Code, "auth interceptor") + } + childPath = statResponse.Info.Path } - return false, nil + + return strings.HasPrefix(childPath, parentPath), nil + } func extractRef(req interface{}) (*provider.Reference, bool) { @@ -186,6 +223,18 @@ func extractRef(req interface{}) (*provider.Reference, bool) { return v.GetRef(), true case *provider.InitiateFileUploadRequest: return v.GetRef(), true + case *appprovider.OpenInAppRequest: + return &provider.Reference{ResourceId: v.ResourceInfo.Id}, true + case *gateway.OpenInAppRequest: + return v.GetRef(), true + case *provider.SetArbitraryMetadataRequest: + return v.GetRef(), true + case *provider.UnsetArbitraryMetadataRequest: + return v.GetRef(), true + + // App provider requests + case *appregistry.GetAppProvidersRequest: + return &provider.Reference{ResourceId: v.ResourceInfo.Id}, true } return nil, false } diff --git a/internal/http/interceptors/auth/auth.go b/internal/http/interceptors/auth/auth.go index 57b616c13c..2e612f032f 100644 --- a/internal/http/interceptors/auth/auth.go +++ b/internal/http/interceptors/auth/auth.go @@ -265,7 +265,7 @@ func New(m map[string]interface{}, unprotected []string) (global.Middleware, err } // ensure access to the resource is allowed - ok, err := scope.VerifyScope(tokenScope, r.URL.Path) + ok, err := scope.VerifyScope(ctx, tokenScope, r.URL.Path) if err != nil { log.Error().Err(err).Msg("error verifying scope of access token") w.WriteHeader(http.StatusInternalServerError) diff --git a/pkg/auth/scope/lightweight.go b/pkg/auth/scope/lightweight.go index 9390743b24..8256f3f09b 100644 --- a/pkg/auth/scope/lightweight.go +++ b/pkg/auth/scope/lightweight.go @@ -19,14 +19,17 @@ package scope import ( + "context" + authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1" collaboration "github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" "github.com/cs3org/reva/pkg/utils" + "github.com/rs/zerolog" ) -func lightweightAccountScope(scope *authpb.Scope, resource interface{}) (bool, error) { +func lightweightAccountScope(_ context.Context, scope *authpb.Scope, resource interface{}, _ *zerolog.Logger) (bool, error) { // Lightweight accounts have access to resources shared with them. // These cannot be resolved from here, but need to be added to the scope from // where the call to mint tokens is made. diff --git a/pkg/auth/scope/publicshare.go b/pkg/auth/scope/publicshare.go index 7c6314c26f..56f893eed0 100644 --- a/pkg/auth/scope/publicshare.go +++ b/pkg/auth/scope/publicshare.go @@ -19,19 +19,23 @@ package scope import ( + "context" "fmt" "strings" + appregistry "github.com/cs3org/go-cs3apis/cs3/app/registry/v1beta1" authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1" + userv1beta1 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" registry "github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1" types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" "github.com/cs3org/reva/pkg/errtypes" "github.com/cs3org/reva/pkg/utils" + "github.com/rs/zerolog" ) -func publicshareScope(scope *authpb.Scope, resource interface{}) (bool, error) { +func publicshareScope(ctx context.Context, scope *authpb.Scope, resource interface{}, logger *zerolog.Logger) (bool, error) { var share link.PublicShare err := utils.UnmarshalJSONToProtoV1(scope.Resource.Value, &share) if err != nil { @@ -41,25 +45,36 @@ func publicshareScope(scope *authpb.Scope, resource interface{}) (bool, error) { switch v := resource.(type) { // Viewer role case *registry.GetStorageProvidersRequest: - return checkStorageRef(&share, v.GetRef()), nil + return checkStorageRef(ctx, &share, v.GetRef()), nil case *provider.StatRequest: - return checkStorageRef(&share, v.GetRef()), nil + return checkStorageRef(ctx, &share, v.GetRef()), nil case *provider.ListContainerRequest: - return checkStorageRef(&share, v.GetRef()), nil + return checkStorageRef(ctx, &share, v.GetRef()), nil case *provider.InitiateFileDownloadRequest: - return checkStorageRef(&share, v.GetRef()), nil + return checkStorageRef(ctx, &share, v.GetRef()), nil // Editor role // TODO(ishank011): Add role checks, // need to return appropriate status codes in the ocs/ocdav layers. case *provider.CreateContainerRequest: - return checkStorageRef(&share, v.GetRef()), nil + return checkStorageRef(ctx, &share, v.GetRef()), nil case *provider.DeleteRequest: - return checkStorageRef(&share, v.GetRef()), nil + return checkStorageRef(ctx, &share, v.GetRef()), nil case *provider.MoveRequest: - return checkStorageRef(&share, v.GetSource()) && checkStorageRef(&share, v.GetDestination()), nil + return checkStorageRef(ctx, &share, v.GetSource()) && checkStorageRef(ctx, &share, v.GetDestination()), nil case *provider.InitiateFileUploadRequest: - return checkStorageRef(&share, v.GetRef()), nil + return checkStorageRef(ctx, &share, v.GetRef()), nil + case *provider.SetArbitraryMetadataRequest: + return checkStorageRef(ctx, &share, v.GetRef()), nil + case *provider.UnsetArbitraryMetadataRequest: + return checkStorageRef(ctx, &share, v.GetRef()), nil + + // App provider requests + case *appregistry.GetDefaultAppProviderForMimeTypeRequest: + return true, nil + + case *userv1beta1.GetUserByClaimRequest: + return true, nil case *link.GetPublicShareRequest: return checkPublicShareRef(&share, v.GetRef()), nil @@ -67,10 +82,12 @@ func publicshareScope(scope *authpb.Scope, resource interface{}) (bool, error) { return checkResourcePath(v), nil } - return false, errtypes.InternalError(fmt.Sprintf("resource type assertion failed: %+v", resource)) + msg := fmt.Sprintf("resource type assertion failed: %+v", resource) + logger.Debug().Str("scope", "publicshareScope").Msg(msg) + return false, errtypes.InternalError(msg) } -func checkStorageRef(s *link.PublicShare, r *provider.Reference) bool { +func checkStorageRef(ctx context.Context, s *link.PublicShare, r *provider.Reference) bool { // r: path:$path > > if r.ResourceId != nil && r.Path == "" { // path must be empty return utils.ResourceIDEqual(s.ResourceId, r.GetResourceId()) diff --git a/pkg/auth/scope/receivedshare.go b/pkg/auth/scope/receivedshare.go index 3fe2e99594..2974b0ca2a 100644 --- a/pkg/auth/scope/receivedshare.go +++ b/pkg/auth/scope/receivedshare.go @@ -19,6 +19,7 @@ package scope import ( + "context" "fmt" authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1" @@ -26,9 +27,10 @@ import ( types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" "github.com/cs3org/reva/pkg/errtypes" "github.com/cs3org/reva/pkg/utils" + "github.com/rs/zerolog" ) -func receivedShareScope(scope *authpb.Scope, resource interface{}) (bool, error) { +func receivedShareScope(_ context.Context, scope *authpb.Scope, resource interface{}, logger *zerolog.Logger) (bool, error) { var share collaboration.ReceivedShare err := utils.UnmarshalJSONToProtoV1(scope.Resource.Value, &share) if err != nil { @@ -43,7 +45,10 @@ func receivedShareScope(scope *authpb.Scope, resource interface{}) (bool, error) case string: return checkSharePath(v) || checkResourcePath(v), nil } - return false, errtypes.InternalError(fmt.Sprintf("resource type assertion failed: %+v", resource)) + + msg := fmt.Sprintf("resource type assertion failed: %+v", resource) + logger.Debug().Str("scope", "receivedShareScope").Msg(msg) + return false, errtypes.InternalError(msg) } // AddReceivedShareScope adds the scope to allow access to a received user/group share and diff --git a/pkg/auth/scope/resourceinfo.go b/pkg/auth/scope/resourceinfo.go index c1f84f4a93..e4dc09ba8c 100644 --- a/pkg/auth/scope/resourceinfo.go +++ b/pkg/auth/scope/resourceinfo.go @@ -19,18 +19,21 @@ package scope import ( + "context" "fmt" "strings" authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" registry "github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1" + "github.com/rs/zerolog" + types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" "github.com/cs3org/reva/pkg/errtypes" "github.com/cs3org/reva/pkg/utils" ) -func resourceinfoScope(scope *authpb.Scope, resource interface{}) (bool, error) { +func resourceinfoScope(_ context.Context, scope *authpb.Scope, resource interface{}, logger *zerolog.Logger) (bool, error) { var r provider.ResourceInfo err := utils.UnmarshalJSONToProtoV1(scope.Resource.Value, &r) if err != nil { @@ -59,12 +62,18 @@ func resourceinfoScope(scope *authpb.Scope, resource interface{}) (bool, error) return checkResourceInfo(&r, v.GetSource()) && checkResourceInfo(&r, v.GetDestination()), nil case *provider.InitiateFileUploadRequest: return checkResourceInfo(&r, v.GetRef()), nil + case *provider.SetArbitraryMetadataRequest: + return checkResourceInfo(&r, v.GetRef()), nil + case *provider.UnsetArbitraryMetadataRequest: + return checkResourceInfo(&r, v.GetRef()), nil case string: return checkResourcePath(v), nil } - return false, errtypes.InternalError(fmt.Sprintf("resource type assertion failed: %+v", resource)) + msg := fmt.Sprintf("resource type assertion failed: %+v", resource) + logger.Debug().Str("scope", "resourceinfoScope").Msg(msg) + return false, errtypes.InternalError(msg) } func checkResourceInfo(inf *provider.ResourceInfo, ref *provider.Reference) bool { @@ -91,6 +100,10 @@ func checkResourcePath(path string) bool { paths := []string{ "/dataprovider", "/data", + "/app/open", + "/archiver", + "/ocs/v2.php/cloud/capabilities", + "/ocs/v1.php/cloud/capabilities", } for _, p := range paths { if strings.HasPrefix(path, p) { diff --git a/pkg/auth/scope/scope.go b/pkg/auth/scope/scope.go index e88d0acc43..eccdbed496 100644 --- a/pkg/auth/scope/scope.go +++ b/pkg/auth/scope/scope.go @@ -19,13 +19,16 @@ package scope import ( + "context" "strings" authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1" + "github.com/cs3org/reva/pkg/appctx" + "github.com/rs/zerolog" ) // Verifier is the function signature which every scope verifier should implement. -type Verifier func(*authpb.Scope, interface{}) (bool, error) +type Verifier func(context.Context, *authpb.Scope, interface{}, *zerolog.Logger) (bool, error) var supportedScopes = map[string]Verifier{ "user": userScope, @@ -38,11 +41,12 @@ var supportedScopes = map[string]Verifier{ // VerifyScope is the function to be called when dismantling tokens to check if // the token has access to a particular resource. -func VerifyScope(scopeMap map[string]*authpb.Scope, resource interface{}) (bool, error) { +func VerifyScope(ctx context.Context, scopeMap map[string]*authpb.Scope, resource interface{}) (bool, error) { + logger := appctx.GetLogger(ctx) for k, scope := range scopeMap { for s, f := range supportedScopes { if strings.HasPrefix(k, s) { - if valid, err := f(scope, resource); err == nil && valid { + if valid, err := f(ctx, scope, resource, logger); err == nil && valid { return true, nil } } diff --git a/pkg/auth/scope/share.go b/pkg/auth/scope/share.go index 069a2d7d2a..1e29fd44e1 100644 --- a/pkg/auth/scope/share.go +++ b/pkg/auth/scope/share.go @@ -19,6 +19,7 @@ package scope import ( + "context" "fmt" "strings" @@ -29,9 +30,10 @@ import ( types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" "github.com/cs3org/reva/pkg/errtypes" "github.com/cs3org/reva/pkg/utils" + "github.com/rs/zerolog" ) -func shareScope(scope *authpb.Scope, resource interface{}) (bool, error) { +func shareScope(_ context.Context, scope *authpb.Scope, resource interface{}, logger *zerolog.Logger) (bool, error) { var share collaboration.Share err := utils.UnmarshalJSONToProtoV1(scope.Resource.Value, &share) if err != nil { @@ -69,7 +71,9 @@ func shareScope(scope *authpb.Scope, resource interface{}) (bool, error) { return checkSharePath(v) || checkResourcePath(v), nil } - return false, errtypes.InternalError(fmt.Sprintf("resource type assertion failed: %+v", resource)) + msg := fmt.Sprintf("resource type assertion failed: %+v", resource) + logger.Debug().Str("scope", "shareScope").Msg(msg) + return false, errtypes.InternalError(msg) } func checkShareStorageRef(s *collaboration.Share, r *provider.Reference) bool { diff --git a/pkg/auth/scope/user.go b/pkg/auth/scope/user.go index 819381e911..b20330caf1 100644 --- a/pkg/auth/scope/user.go +++ b/pkg/auth/scope/user.go @@ -19,13 +19,16 @@ package scope import ( + "context" + authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" "github.com/cs3org/reva/pkg/utils" + "github.com/rs/zerolog" ) -func userScope(scope *authpb.Scope, resource interface{}) (bool, error) { +func userScope(_ context.Context, scope *authpb.Scope, resource interface{}, _ *zerolog.Logger) (bool, error) { // Always return true. Registered users can access all paths. // TODO(ishank011): Add checks for read/write permissions. return true, nil