Add support for lightweight user types (#1744)
ishank011 authored Jul 12, 2021
1 parent 8658870 commit f8b91e1
Showing 74 changed files with 1,909 additions and 1,075 deletions.
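--- a/changelog/unreleased/lw-user-support.md
+++ b/changelog/unreleased/lw-user-support.md
@@ -0,0 +1,9 @@
+Enhancement: Add support for lightweight user types
+
+This PR adds support for assigning and consuming user type when setting/reading
+users. On top of that, support for lightweight users is added. These users have
+to be restricted to accessing only shares received by them, which is
+accomplished by expanding the existing RBAC scope.
+
+https://github.com/cs3org/reva/pull/1744
+https://github.com/cs3org/cs3apis/pull/120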
44 changes: 17 additions & 27 deletions cmd/reva/app-tokens-create.go
Expand Up @@ -136,52 +136,42 @@ func appTokensCreateCommand() *command {
}

func getScope(ctx context.Context, client gateway.GatewayAPIClient, opts *appTokenCreateOpts) (map[string]*authpb.Scope, error) {
var scopeList []map[string]*authpb.Scope
switch {
case opts.Unlimited:
return scope.GetOwnerScope()
case len(opts.Share) != 0:
if opts.Unlimited {
return scope.AddOwnerScope(nil)
}

var scopes map[string]*authpb.Scope
var err error
if len(opts.Share) != 0 {
// TODO(gmgigi96): verify format
for _, entry := range opts.Share {
// share = xxxx:[r|w]
shareIDPerm := strings.Split(entry, ":")
shareID, perm := shareIDPerm[0], shareIDPerm[1]
scope, err := getPublicShareScope(ctx, client, shareID, perm)
scopes, err = getPublicShareScope(ctx, client, shareID, perm, scopes)
if err != nil {
return nil, err
}
scopeList = append(scopeList, scope)
}
fallthrough
case len(opts.Path) != 0:
}

if len(opts.Path) != 0 {
// TODO(gmgigi96): verify format
for _, entry := range opts.Path {
// path = /home/a/b:[r|w]
pathPerm := strings.Split(entry, ":")
path, perm := pathPerm[0], pathPerm[1]
scope, err := getPathScope(ctx, client, path, perm)
scopes, err = getPathScope(ctx, client, path, perm, scopes)
if err != nil {
return nil, err
}
scopeList = append(scopeList, scope)
}
fallthrough
default:
return mergeListScopeIntoMap(scopeList), nil
}
}

func mergeListScopeIntoMap(scopeList []map[string]*authpb.Scope) map[string]*authpb.Scope {
merged := make(map[string]*authpb.Scope)
for _, scope := range scopeList {
for k, v := range scope {
merged[k] = v
}
}
return merged
return scopes, nil
}

func getPublicShareScope(ctx context.Context, client gateway.GatewayAPIClient, shareID, perm string) (map[string]*authpb.Scope, error) {
func getPublicShareScope(ctx context.Context, client gateway.GatewayAPIClient, shareID, perm string, scopes map[string]*authpb.Scope) (map[string]*authpb.Scope, error) {
role, err := parsePermission(perm)
if err != nil {
return nil, err
Expand All @@ -204,10 +194,10 @@ func getPublicShareScope(ctx context.Context, client gateway.GatewayAPIClient, s
return nil, formatError(publicShareResponse.Status)
}

return scope.GetPublicShareScope(publicShareResponse.GetShare(), role)
return scope.AddPublicShareScope(publicShareResponse.GetShare(), role, scopes)
}

func getPathScope(ctx context.Context, client gateway.GatewayAPIClient, path, perm string) (map[string]*authpb.Scope, error) {
func getPathScope(ctx context.Context, client gateway.GatewayAPIClient, path, perm string, scopes map[string]*authpb.Scope) (map[string]*authpb.Scope, error) {
role, err := parsePermission(perm)
if err != nil {
return nil, err
Expand All @@ -222,7 +212,7 @@ func getPathScope(ctx context.Context, client gateway.GatewayAPIClient, path, pe
return nil, formatError(statResponse.Status)
}

return scope.GetResourceInfoScope(statResponse.GetInfo(), role)
return scope.AddResourceInfoScope(statResponse.GetInfo(), role, scopes)
}

// parse permission string in the form of "rw" to create a role
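Review bot: `shareIDPerm[1]` and `pathPerm[1]` in the rewritten `getScope` still index the result of `strings.Split` without checking that the entry contained a `:`, so a malformed `--share` or `--path` value panics the CLI with an index-out-of-range instead of returning an error; the `TODO(gmgigi96): verify format` comment above each loop marks exactly this spot. A length check before the destructuring closes it, e.g. `if len(shareIDPerm) != 2 { return nil, fmt.Errorf("invalid share entry %q, expected id:[r|w]", entry) }` and the same for `pathPerm` (assuming `fmt` is imported in this file; otherwise `errors.New` does). Separately, when neither `opts.Share` nor `opts.Path` is set the function now returns a nil map where `mergeListScopeIntoMap` used to return an empty non-nil one; `scope.AddOwnerScope(nil)` evidently tolerates nil, but it is worth confirming the caller of `getScope` does too, or initialising `scopes := map[string]*authpb.Scope{}` to keep the old contract. `getPublicShareScope` and `getPathScope` continue past the visible hunks.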
12 changes: 6 additions & 6 deletions cmd/reva/ocm-share-create.go
Expand Up @@ -31,6 +31,7 @@ import (
ocm "github.com/cs3org/go-cs3apis/cs3/sharing/ocm/v1beta1"
provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
"github.com/cs3org/reva/pkg/utils"
"github.com/jedib0t/go-pretty/table"
"github.com/pkg/errors"
)
Expand All @@ -42,10 +43,11 @@ func ocmShareCreateCommand() *command {
grantType := cmd.String("type", "user", "grantee type (user or group)")
grantee := cmd.String("grantee", "", "the grantee")
idp := cmd.String("idp", "", "the idp of the grantee, default to same idp as the user triggering the action")
userType := cmd.String("user-type", "primary", "the type of user account, defaults to primary")
rol := cmd.String("rol", "viewer", "the permission for the share (viewer or editor)")

cmd.ResetFlags = func() {
*grantType, *grantee, *idp, *rol = "user", "", "", "viewer"
*grantType, *grantee, *idp, *rol, *userType = "user", "", "", "viewer", "primary"
}

cmd.Action = func(w ...io.Writer) error {
Expand Down Expand Up @@ -77,8 +79,9 @@ func ocmShareCreateCommand() *command {
return err
}

u := &userpb.UserId{OpaqueId: *grantee, Idp: *idp, Type: utils.UserTypeMap(*userType)}
remoteUserRes, err := client.GetAcceptedUser(ctx, &invitepb.GetAcceptedUserRequest{
RemoteUserId: &userpb.UserId{OpaqueId: *grantee, Idp: *idp},
RemoteUserId: u,
})
if err != nil {
return err
Expand Down Expand Up @@ -109,10 +112,7 @@ func ocmShareCreateCommand() *command {
Type: gt,
// For now, we only support user shares.
// TODO (ishank011): To be updated once this is decided.
Id: &provider.Grantee_UserId{UserId: &userpb.UserId{
Idp: *idp,
OpaqueId: *grantee,
}},
Id: &provider.Grantee_UserId{UserId: u},
},
}

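Review bot: The new `--user-type` flag value is passed straight into `utils.UserTypeMap(*userType)` on the `u := &userpb.UserId{...}` line without validation, so a mistyped value presumably maps to the zero (invalid) user type and the share is then created for a grantee identity that no real user will ever match, instead of failing loudly at the prompt. Since the user type now decides which access restrictions apply to the grantee, rejecting unknown values before the gateway call is worth the extra lines: `if utils.UserTypeMap(*userType) == userpb.UserType_USER_TYPE_INVALID { return fmt.Errorf("invalid user type %q", *userType) }`, assuming `UserTypeMap` returns that enum value for unknown input; if it does not, a `switch` over the accepted names does the same job. The same unvalidated flag is added in cmd/reva/share-create.go and cmd/reva/transfer-create.go. The `Action` closure of `ocmShareCreateCommand` starts and ends outside the visible hunks.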
5 changes: 4 additions & 1 deletion cmd/reva/share-create.go
Expand Up @@ -28,6 +28,7 @@ import (
rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
collaboration "github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1"
provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
"github.com/cs3org/reva/pkg/utils"
"github.com/jedib0t/go-pretty/table"
"github.com/pkg/errors"
)
Expand All @@ -40,9 +41,10 @@ func shareCreateCommand() *command {
grantee := cmd.String("grantee", "", "the grantee")
idp := cmd.String("idp", "", "the idp of the grantee, default to same idp as the user triggering the action")
rol := cmd.String("rol", "viewer", "the permission for the share (viewer or editor)")
userType := cmd.String("user-type", "primary", "the type of user account, defaults to primary")

cmd.ResetFlags = func() {
*grantType, *grantee, *idp, *rol = "user", "", "", "viewer"
*grantType, *grantee, *idp, *rol, *userType = "user", "", "", "viewer", "primary"
}

cmd.Action = func(w ...io.Writer) error {
Expand Down Expand Up @@ -94,6 +96,7 @@ func shareCreateCommand() *command {
grant.Grantee.Id = &provider.Grantee_UserId{UserId: &userpb.UserId{
Idp: *idp,
OpaqueId: *grantee,
Type: utils.UserTypeMap(*userType),
}}
case "group":
grant.Grantee.Id = &provider.Grantee_GroupId{GroupId: &grouppb.GroupId{
11 changes: 6 additions & 5 deletions cmd/reva/transfer-create.go
Expand Up @@ -32,6 +32,7 @@ import (
ocm "github.com/cs3org/go-cs3apis/cs3/sharing/ocm/v1beta1"
provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
"github.com/cs3org/reva/pkg/utils"
"github.com/jedib0t/go-pretty/table"
"github.com/pkg/errors"
)
Expand All @@ -43,6 +44,7 @@ func transferCreateCommand() *command {
grantee := cmd.String("grantee", "", "the grantee, receiver of the transfer")
granteeType := cmd.String("granteeType", "user", "the grantee type, one of: user, group")
idp := cmd.String("idp", "", "the idp of the grantee, default to same idp as the user triggering the action")
userType := cmd.String("user-type", "primary", "the type of user account, defaults to primary")

cmd.Action = func(w ...io.Writer) error {
if cmd.NArg() < 1 {
Expand All @@ -65,9 +67,11 @@ func transferCreateCommand() *command {
return err
}

u := &userpb.UserId{OpaqueId: *grantee, Idp: *idp, Type: utils.UserTypeMap(*userType)}

// check if invitation has been accepted
acceptedUserRes, err := client.GetAcceptedUser(ctx, &invitepb.GetAcceptedUserRequest{
RemoteUserId: &userpb.UserId{OpaqueId: *grantee, Idp: *idp},
RemoteUserId: u,
})
if err != nil {
return err
Expand Down Expand Up @@ -127,10 +131,7 @@ func transferCreateCommand() *command {
Grantee: &provider.Grantee{
Type: gt,
Id: &provider.Grantee_UserId{
UserId: &userpb.UserId{
Idp: *idp,
OpaqueId: *grantee,
},
UserId: u,
},
},
Permissions: resourcePermissions,
9 changes: 6 additions & 3 deletions examples/meshdirectory/users.demo.json
Expand Up @@ -2,7 +2,8 @@
{
"id": {
"opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
"idp": "localhost:20080"
"idp": "localhost:20080",
"type": 1
},
"username": "einstein",
"secret": "relativity",
Expand All @@ -13,7 +14,8 @@
{
"id": {
"opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
"idp": "localhost:20080"
"idp": "localhost:20080",
"type": 1
},
"username": "marie",
"secret": "radioactivity",
Expand All @@ -24,7 +26,8 @@
{
"id": {
"opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
"idp": "localhost:20080"
"idp": "localhost:20080",
"type": 1
},
"username": "richard",
"secret": "superfluidity",
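Review bot: `"type": 1` is a bare enum ordinal in each demo user record; a reader cannot tell from the fixture which user type 1 denotes (presumably the primary type the new CLI flags default to), and any users file that is not updated alongside this one decodes `type` as 0, which is presumably the invalid type rather than primary. If the JSON user manager decodes through the protobuf JSON rules, the symbolic enum name would be accepted and self-documenting; if it does not, it is worth having the loader either treat an absent `type` as primary or reject it, so that stale fixtures do not silently produce users of an invalid type that the new scope checks may handle unpredictably. The same change appears in examples/oc-phoenix/users.demo.json and the three examples/ocm-partners/users-*.json files.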
9 changes: 6 additions & 3 deletions examples/oc-phoenix/users.demo.json
Expand Up @@ -2,7 +2,8 @@
{
"id": {
"opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
"idp": "localhost:20080"
"idp": "localhost:20080",
"type": 1
},
"username": "einstein",
"secret": "relativity",
Expand All @@ -13,7 +14,8 @@
{
"id": {
"opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
"idp": "localhost:20080"
"idp": "localhost:20080",
"type": 1
},
"username": "marie",
"secret": "radioactivity",
Expand All @@ -24,7 +26,8 @@
{
"id": {
"opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
"idp": "localhost:20080"
"idp": "localhost:20080",
"type": 1
},
"username": "richard",
"secret": "superfluidity",
12 changes: 8 additions & 4 deletions examples/ocm-partners/users-ailleron.json
Expand Up @@ -2,7 +2,8 @@
{
"id": {
"opaque_id": "jarek1234",
"idp": "softwaremind.com"
"idp": "softwaremind.com",
"type": 1
},
"username": "jarek",
"secret": "jarekpass",
Expand All @@ -13,7 +14,8 @@
{
"id": {
"opaque_id": "mateusz5678",
"idp": "softwaremind.com"
"idp": "softwaremind.com",
"type": 1
},
"username": "mateusz",
"secret": "mateuszpass",
Expand All @@ -24,7 +26,8 @@
{
"id": {
"opaque_id": "dawid9876",
"idp": "softwaremind.com"
"idp": "softwaremind.com",
"type": 1
},
"username": "dawid",
"secret": "dawidpass",
Expand All @@ -35,7 +38,8 @@
{
"id": {
"opaque_id": "test4242",
"idp": "softwaremind.com"
"idp": "softwaremind.com",
"type": 1
},
"username": "test",
"secret": "testpass",
12 changes: 8 additions & 4 deletions examples/ocm-partners/users-cern.json
Expand Up @@ -2,7 +2,8 @@
{
"id": {
"opaque_id": "ishank1234",
"idp": "cern.ch"
"idp": "cern.ch",
"type": 1
},
"username": "ishank",
"secret": "ishankpass",
Expand All @@ -13,7 +14,8 @@
{
"id": {
"opaque_id": "hugo5678",
"idp": "cern.ch"
"idp": "cern.ch",
"type": 1
},
"username": "hugo",
"secret": "hugopass",
Expand All @@ -24,7 +26,8 @@
{
"id": {
"opaque_id": "samuel9876",
"idp": "cern.ch"
"idp": "cern.ch",
"type": 1
},
"username": "samuel",
"secret": "samuelpass",
Expand All @@ -35,7 +38,8 @@
{
"id": {
"opaque_id": "test4242",
"idp": "cern.ch"
"idp": "cern.ch",
"type": 1
},
"username": "test",
"secret": "testpass",
9 changes: 6 additions & 3 deletions examples/ocm-partners/users-cesnet.json
Expand Up @@ -2,7 +2,8 @@
{
"id": {
"opaque_id": "miroslav1234",
"idp": "cesnet.cz"
"idp": "cesnet.cz",
"type": 1
},
"username": "miroslav",
"secret": "miroslavpass",
Expand All @@ -13,7 +14,8 @@
{
"id": {
"opaque_id": "milan5678",
"idp": "cesnet.cz"
"idp": "cesnet.cz",
"type": 1
},
"username": "milan",
"secret": "milanpass",
Expand All @@ -24,7 +26,8 @@
{
"id": {
"opaque_id": "test4242",
"idp": "cesnet.cz"
"idp": "cesnet.cz",
"type": 1
},
"username": "test",
"secret": "testpass",
