do not check lightweight account scope into gateway

gmgigi96 · Oct 11, 2022 · e1a4817 · e1a4817
1 parent 3402490
commit e1a4817
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 69 deletions.
diff --git a/internal/grpc/interceptors/auth/scope.go b/internal/grpc/interceptors/auth/scope.go
@@ -77,80 +77,15 @@ func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[s
 				if err = resolveUserShare(ctx, ref, tokenScope[k], client, mgr); err == nil {
 					return nil
 				}
-
-			case strings.HasPrefix(k, "lightweight"):
-				if err = resolveLightweightScope(ctx, ref, tokenScope[k], user, client, mgr); err == nil {
-					return nil
-				}
 			}
 			log.Err(err).Msgf("error resolving reference %s under scope %+v", ref.String(), k)
 		}
 
-	} else if ref, ok := extractShareRef(req); ok {
-		// It's a share ref
-		// The request might be coming from a share created for a lightweight account
-		// after the token was minted.
-		log.Info().Msgf("resolving share reference against received shares to verify token scope %+v", ref.String())
-		for k := range tokenScope {
-			if strings.HasPrefix(k, "lightweight") {
-				// Check if this ID is cached
-				key := "lw:" + user.Id.OpaqueId + scopeDelimiter + ref.GetId().OpaqueId
-				if _, err := scopeExpansionCache.Get(key); err == nil {
-					return nil
-				}
-
-				shares, err := client.ListReceivedShares(ctx, &collaboration.ListReceivedSharesRequest{})
-				if err != nil || shares.Status.Code != rpc.Code_CODE_OK {
-					log.Warn().Err(err).Msg("error listing received shares")
-					continue
-				}
-				for _, s := range shares.Shares {
-					shareKey := "lw:" + user.Id.OpaqueId + scopeDelimiter + s.Share.Id.OpaqueId
-					_ = scopeExpansionCache.SetWithExpire(shareKey, nil, scopeCacheExpiration*time.Second)
-
-					if ref.GetId() != nil && ref.GetId().OpaqueId == s.Share.Id.OpaqueId {
-						return nil
-					}
-					if key := ref.GetKey(); key != nil && (utils.UserEqual(key.Owner, s.Share.Owner) || utils.UserEqual(key.Owner, s.Share.Creator)) &&
-						utils.ResourceIDEqual(key.ResourceId, s.Share.ResourceId) && utils.GranteeEqual(key.Grantee, s.Share.Grantee) {
-						return nil
-					}
-				}
-			}
-		}
 	}
 
 	return errtypes.PermissionDenied("access to resource not allowed within the assigned scope")
 }
 
-func resolveLightweightScope(ctx context.Context, ref *provider.Reference, scope *authpb.Scope, user *userpb.User, client gateway.GatewayAPIClient, mgr token.Manager) error {
-	// Check if this ref is cached
-	key := "lw:" + user.Id.OpaqueId + scopeDelimiter + getRefKey(ref)
-	if _, err := scopeExpansionCache.Get(key); err == nil {
-		return nil
-	}
-
-	shares, err := client.ListReceivedShares(ctx, &collaboration.ListReceivedSharesRequest{})
-	if err != nil || shares.Status.Code != rpc.Code_CODE_OK {
-		return errtypes.InternalError("error listing received shares")
-	}
-
-	for _, share := range shares.Shares {
-		shareKey := "lw:" + user.Id.OpaqueId + scopeDelimiter + resourceid.OwnCloudResourceIDWrap(share.Share.ResourceId)
-		_ = scopeExpansionCache.SetWithExpire(shareKey, nil, scopeCacheExpiration*time.Second)
-
-		if ref.ResourceId != nil && utils.ResourceIDEqual(share.Share.ResourceId, ref.ResourceId) {
-			return nil
-		}
-		if ok, err := checkIfNestedResource(ctx, ref, share.Share.ResourceId, client, mgr); err == nil && ok {
-			_ = scopeExpansionCache.SetWithExpire(key, nil, scopeCacheExpiration*time.Second)
-			return nil
-		}
-	}
-
-	return errtypes.PermissionDenied("request is not for a nested resource")
-}
-
 func resolvePublicShare(ctx context.Context, ref *provider.Reference, scope *authpb.Scope, client gateway.GatewayAPIClient, mgr token.Manager) error {
 	var share link.PublicShare
 	err := utils.UnmarshalJSONToProtoV1(scope.Resource.Value, &share)

diff --git a/pkg/auth/scope/lightweight.go b/pkg/auth/scope/lightweight.go
@@ -22,22 +22,38 @@ import (
 	"context"
 	"strings"
 
+	appprovider "github.com/cs3org/go-cs3apis/cs3/app/provider/v1beta1"
 	authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
+	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	collaboration "github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
+	registry "github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1"
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
 	"github.com/cs3org/reva/pkg/utils"
 	"github.com/rs/zerolog"
 )
 
 func lightweightAccountScope(_ context.Context, scope *authpb.Scope, resource interface{}, _ *zerolog.Logger) (bool, error) {
-	// Lightweight accounts have access to resources shared with them.
-	// These cannot be resolved from here, but need to be added to the scope from
-	// where the call to mint tokens is made.
-	// From here, we only allow ListReceivedShares calls
 	switch v := resource.(type) {
 	case *collaboration.ListReceivedSharesRequest:
 		return true, nil
+	// Editing role for shares
+	case *provider.CreateContainerRequest,
+		*provider.TouchFileRequest,
+		*provider.DeleteRequest,
+		*provider.MoveRequest,
+		*provider.InitiateFileUploadRequest,
+		*provider.SetArbitraryMetadataRequest,
+		*provider.UnsetArbitraryMetadataRequest:
+		return true, nil
+	// Viewer role for shares
+	case *registry.GetStorageProvidersRequest,
+		*provider.StatRequest,
+		*provider.ListContainerRequest,
+		*provider.InitiateFileDownloadRequest,
+		*appprovider.OpenInAppRequest,
+		*gateway.OpenInAppRequest:
+		return true, nil
 	case string:
 		return checkLightweightPath(v), nil
 	}