Publicstorageprovider rewrite (#2646)

* introduce scope context

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

* add scopes to context

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

* use mrants and mountpoints for public shares

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

* add changelog

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

* update test config

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

* fix lint

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

* ocdav: replace public mountpoint fileid with grant fileid

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

* cleanup

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

* cleanup comments

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

* prevent nil by disallowing CreateHome in public scope

Signed-off-by: Jörn Friedrich Dreyer <[email protected]>

changelog/unreleased/publicstorageprovider-rewrite.md

@@ -0,0 +1,6 @@
+Bugfix: replace public mountpoint fileid with grant fileid in ocdav
+
+We now show the same resoucre id for resources when accessing them via a public links as when using a logged in user. This allows the web ui to start a WOPI session with the correct resource id.
+
+https://github.com/cs3org/reva/pull/2646
+https://github.com/cs3org/reva/issues/2635

internal/grpc/interceptors/auth/auth.go

@@ -23,6 +23,7 @@ import (
 	"time"
 
 	"github.com/bluele/gcache"
+	authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
 	gatewayv1beta1 "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	"github.com/cs3org/reva/v2/pkg/appctx"
@@ -96,9 +97,11 @@ func NewUnary(m map[string]interface{}, unprotected []string) (grpc.UnaryServerI
 			// to decide the storage provider.
 			tkn, ok := ctxpkg.ContextGetToken(ctx)
 			if ok {
-				u, err := dismantleToken(ctx, tkn, req, tokenManager, conf.GatewayAddr, false)
+				u, tokenScope, err := dismantleToken(ctx, tkn, req, tokenManager, conf.GatewayAddr, false)
 				if err == nil {
+					// store user and scopes in context
 					ctx = ctxpkg.ContextSetUser(ctx, u)
+					ctx = ctxpkg.ContextSetScopes(ctx, tokenScope)
 				}
 			}
 			return handler(ctx, req)
@@ -112,13 +115,15 @@ func NewUnary(m map[string]interface{}, unprotected []string) (grpc.UnaryServerI
 		}
 
 		// validate the token and ensure access to the resource is allowed
-		u, err := dismantleToken(ctx, tkn, req, tokenManager, conf.GatewayAddr, true)
+		u, tokenScope, err := dismantleToken(ctx, tkn, req, tokenManager, conf.GatewayAddr, true)
 		if err != nil {
 			log.Warn().Err(err).Msg("access token is invalid")
 			return nil, status.Errorf(codes.PermissionDenied, "auth: core access token is invalid")
 		}
 
+		// store user and scopes in context
 		ctx = ctxpkg.ContextSetUser(ctx, u)
+		ctx = ctxpkg.ContextSetScopes(ctx, tokenScope)
 		return handler(ctx, req)
 	}
 	return interceptor, nil
@@ -159,9 +164,11 @@ func NewStream(m map[string]interface{}, unprotected []string) (grpc.StreamServe
 			// to decide the storage provider.
 			tkn, ok := ctxpkg.ContextGetToken(ctx)
 			if ok {
-				u, err := dismantleToken(ctx, tkn, ss, tokenManager, conf.GatewayAddr, false)
+				u, tokenScope, err := dismantleToken(ctx, tkn, ss, tokenManager, conf.GatewayAddr, false)
 				if err == nil {
+					// store user and scopes in context
 					ctx = ctxpkg.ContextSetUser(ctx, u)
+					ctx = ctxpkg.ContextSetScopes(ctx, tokenScope)
 					ss = newWrappedServerStream(ctx, ss)
 				}
 			}
@@ -177,14 +184,15 @@ func NewStream(m map[string]interface{}, unprotected []string) (grpc.StreamServe
 		}
 
 		// validate the token and ensure access to the resource is allowed
-		u, err := dismantleToken(ctx, tkn, ss, tokenManager, conf.GatewayAddr, true)
+		u, tokenScope, err := dismantleToken(ctx, tkn, ss, tokenManager, conf.GatewayAddr, true)
 		if err != nil {
 			log.Warn().Err(err).Msg("access token is invalid")
 			return status.Errorf(codes.PermissionDenied, "auth: core access token is invalid")
 		}
 
-		// store user and core access token in context.
+		// store user and scopes in context
 		ctx = ctxpkg.ContextSetUser(ctx, u)
+		ctx = ctxpkg.ContextSetScopes(ctx, tokenScope)
 		wrapped := newWrappedServerStream(ctx, ss)
 		return handler(srv, wrapped)
 	}
@@ -204,39 +212,40 @@ func (ss *wrappedServerStream) Context() context.Context {
 	return ss.newCtx
 }
 
-func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token.Manager, gatewayAddr string, fetchUserGroups bool) (*userpb.User, error) {
+// dismantleToken extracts the user and scopes from the reva access token
+func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token.Manager, gatewayAddr string, fetchUserGroups bool) (*userpb.User, map[string]*authpb.Scope, error) {
 	u, tokenScope, err := mgr.DismantleToken(ctx, tkn)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	client, err := pool.GetGatewayServiceClient(gatewayAddr)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	if sharedconf.SkipUserGroupsInToken() && fetchUserGroups {
 		groups, err := getUserGroups(ctx, u, client)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		u.Groups = groups
 	}
 
 	// Check if access to the resource is in the scope of the token
 	ok, err := scope.VerifyScope(ctx, tokenScope, req)
 	if err != nil {
-		return nil, errtypes.InternalError("error verifying scope of access token")
+		return nil, nil, errtypes.InternalError("error verifying scope of access token")
 	}
 	if ok {
-		return u, nil
+		return u, tokenScope, nil
 	}
 
 	if err = expandAndVerifyScope(ctx, req, tokenScope, gatewayAddr, mgr); err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
-	return u, nil
+	return u, tokenScope, nil
 }
 
 func getUserGroups(ctx context.Context, u *userpb.User, client gatewayv1beta1.GatewayAPIClient) ([]string, error) {