From 7b9512be69f3cce617852834f198f493c251e24d Mon Sep 17 00:00:00 2001
From: Michael Barz
Date: Thu, 14 Dec 2023 14:26:36 +0100
Subject: [PATCH] feat: bump reva
---
 go.mod | 2 +
 go.sum | 4 +-
 .../publicshareprovider.go | 130 ++++++++++++++++--
 vendor/modules.txt | 3 +-
 4 files changed, 123 insertions(+), 16 deletions(-)
diff --git a/go.mod b/go.mod
index 5349a630565..e6bf8d2fc94 100644
--- a/go.mod
+++ b/go.mod
@@ -348,3 +348,5 @@ require (
 )
 replace github.com/go-micro/plugins/v4/store/nats-js-kv => github.com/kobergj/plugins/v4/store/nats-js-kv v0.0.0-20231207143248-4d424e3ae348
+
+replace github.com/cs3org/reva/v2 => github.com/micbar/reva/v2 v2.0.0-20231214135602-46da2600d90f
diff --git a/go.sum b/go.sum
index 27c6b66b5c4..2809d9d5b8c 100644
--- a/go.sum
+++ b/go.sum
@@ -1019,8 +1019,6 @@ github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
 github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2FasrrPg8gGPHQPOrQ18MS1Oew2tmGtY=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
-github.com/cs3org/reva/v2 v2.17.0 h1:cp7WXY+mZGLie4CKvIe3K+D/wG3sKVYrZJfs9Qnzioo=
-github.com/cs3org/reva/v2 v2.17.0/go.mod h1:9hmBNVK+RSMSupWci9MQLmmj1NsJ8Bv49tqKbxMdxJY=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
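Review bot: The new `replace` directive redirects github.com/cs3org/reva/v2 to a personal fork (github.com/micbar/reva/v2) at a pseudo-version, so the project's central dependency now follows code that sits outside the upstream organisation's review and release process; the go.sum entries pin the content hash, which keeps the build reproducible but does not change where the code comes from. A replace of this kind should be marked as temporary so it is not forgotten: add a comment on the replace line naming the upstream change it tracks, e.g. `// TODO: remove once <upstream reva PR, placeholder> is released`, and switch back to a tagged cs3org release as soon as one is available.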
@@ -1686,6 +1684,8 @@ github.com/maxymania/go-system v0.0.0-20170110133659-647cc364bf0b h1:Q53idHrTuQD
 github.com/maxymania/go-system v0.0.0-20170110133659-647cc364bf0b/go.mod h1:KirJrATYGbTyUwVR26xIkaipRqRcMRXBf8N5dacvGus=
 github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103 h1:Z/i1e+gTZrmcGeZyWckaLfucYG6KYOXLWo4co8pZYNY=
 github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103/go.mod h1:o9YPB5aGP8ob35Vy6+vyq3P3bWe7NQWzf+JLiXCiMaE=
+github.com/micbar/reva/v2 v2.0.0-20231214135602-46da2600d90f h1:hEem/V2n3po6PzazPQSnsSm5X5XfOHm5tcFpm3YBKi0=
+github.com/micbar/reva/v2 v2.0.0-20231214135602-46da2600d90f/go.mod h1:9hmBNVK+RSMSupWci9MQLmmj1NsJ8Bv49tqKbxMdxJY=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
 github.com/miekg/dns v1.1.40/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
diff --git a/vendor/github.com/cs3org/reva/v2/internal/grpc/services/publicshareprovider/publicshareprovider.go b/vendor/github.com/cs3org/reva/v2/internal/grpc/services/publicshareprovider/publicshareprovider.go
index 8687a4da459..665cda7e946 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/grpc/services/publicshareprovider/publicshareprovider.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/grpc/services/publicshareprovider/publicshareprovider.go
@@ -20,6 +20,7 @@ package publicshareprovider
 import (
 "context"
+ "encoding/json"
 "fmt"
 "regexp"
 "strconv"
@@ -301,7 +302,7 @@ func (s *service) CreatePublicShare(ctx context.Context, req *link.CreatePublicS
 // enforce password if needed
 setPassword := grant.GetPassword()
- if !isInternalLink && enforcePassword(grant, s.conf) && len(setPassword) == 0 {
+ if !isInternalLink && enforcePassword(false, grant.GetPermissions().GetPermissions(), s.conf) && len(setPassword) == 0 {
 return &link.CreatePublicShareResponse{
 Status: status.NewInvalidArg(ctx, "password protection is enforced"),
 }, nil
@@ -316,13 +317,9 @@ func (s *service) CreatePublicShare(ctx context.Context, req *link.CreatePublicS
 }
 }
- u, ok := ctxpkg.ContextGetUser(ctx)
- if !ok {
- log.Error().Msg(getUserCtxErrMsg)
- }
-
+ user := ctxpkg.ContextMustGetUser(ctx)
 res := &link.CreatePublicShareResponse{}
- share, err := s.sm.CreatePublicShare(ctx, u, req.GetResourceInfo(), req.GetGrant())
+ share, err := s.sm.CreatePublicShare(ctx, user, req.GetResourceInfo(), req.GetGrant())
 switch {
 case err != nil:
 log.Error().Err(err).Interface("request", req).Msg("could not write public share")
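Review bot: `user := ctxpkg.ContextMustGetUser(ctx)` replaces a lookup that merely logged when no user was in the context; if the Must variant follows the usual convention and panics, a request that reaches this handler without an authenticated user now panics inside the gRPC service instead of failing with a status. That is only safe if an auth interceptor guarantees the user is present before this code runs and a recovery interceptor turns panics into errors, neither of which can be verified from this hunk. The same substitution appears in the UpdatePublicShare hunk below. If that guarantee does not hold, keep the checked lookup and return a status instead: `user, ok := ctxpkg.ContextGetUser(ctx)` / `if !ok { return &link.CreatePublicShareResponse{Status: status.NewPermissionDenied(ctx, nil, getUserCtxErrMsg)}, nil }`. CreatePublicShare starts before and ends after this hunk.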
@@ -462,12 +459,114 @@ func (s *service) UpdatePublicShare(ctx context.Context, req *link.UpdatePublicS
 log := appctx.GetLogger(ctx)
 log.Info().Str("publicshareprovider", "update").Msg("update public share")
- u, ok := ctxpkg.ContextGetUser(ctx)
- if !ok {
- log.Error().Msg(getUserCtxErrMsg)
+ gatewayClient, err := s.gatewaySelector.Next()
+ if err != nil {
+ return nil, err
+ }
+
+ user := ctxpkg.ContextMustGetUser(ctx)
+ ps, err := s.sm.GetPublicShare(ctx, user, req.GetRef(), false)
+ if err != nil {
+ return &link.UpdatePublicShareResponse{
+ Status: status.NewInternal(ctx, "error loading public share"),
+ }, err
+ }
+ isInternalLink := grants.PermissionsEqual(req.GetUpdate().GetGrant().GetPermissions().GetPermissions(), &provider.ResourcePermissions{})
+
+ // users should always be able to downgrade links to internal links
+ // when they are the creator of the link
+ // all other users should have the WritePublicLink permission
+ if !isInternalLink && !publicshare.IsCreatedByUser(*ps, user) {
+ canWriteLink, err := utils.CheckPermission(ctx, permission.WritePublicLink, gatewayClient)
+ if err != nil {
+ return &link.UpdatePublicShareResponse{
+ Status: status.NewInternal(ctx, "error loading public share"),
+ }, err
+ }
+ if !canWriteLink {
+ return &link.UpdatePublicShareResponse{
+ Status: status.NewPermissionDenied(ctx, nil, "no permission to update public share"),
+ }, nil
+ }
 }
- updateR, err := s.sm.UpdatePublicShare(ctx, u, req)
+ sRes, err := gatewayClient.Stat(ctx, &provider.StatRequest{Ref: &provider.Reference{ResourceId: ps.ResourceId}})
+ if err != nil {
+ log.Err(err).Interface("resource_id", ps.ResourceId).Msg("failed to stat shared resource")
+ return &link.UpdatePublicShareResponse{
+ Status: status.NewInternal(ctx, "failed to stat shared resource"),
+ }, err
+ }
+
+ if !publicshare.IsCreatedByUser(*ps, user) {
+ if !sRes.GetInfo().GetPermissionSet().UpdateGrant {
+ return &link.UpdatePublicShareResponse{
+ Status: status.NewPermissionDenied(ctx, nil, "no permission to update public share"),
+ }, err
+ }
+ }
+
+ // check if the user can change the permissions to the desired permissions
+ updatePermissions := req.GetUpdate().GetType() == link.UpdatePublicShareRequest_Update_TYPE_PERMISSIONS &&
+ req.GetUpdate().GetGrant().GetPermissions().GetPermissions() != nil
+ if updatePermissions &&
+ !conversions.SufficientCS3Permissions(
+ sRes.GetInfo().GetPermissionSet(),
+ req.GetUpdate().GetGrant().GetPermissions().GetPermissions(),
+ ) {
+ return &link.UpdatePublicShareResponse{
+ Status: status.NewInvalidArg(ctx, "insufficient permissions to update that kind of share"),
+ }, nil
+ }
+ if updatePermissions {
+ beforePerm, _ := json.Marshal(sRes.GetInfo().GetPermissionSet())
+ afterPerm, _ := json.Marshal(req.GetUpdate().GetGrant().GetPermissions())
+ log.Info().
+ Str("shares", "update").
+ Msgf("updating permissions from %v to: %v",
+ string(beforePerm),
+ string(afterPerm),
+ )
+ }
+
+ grant := req.GetUpdate().GetGrant()
+
+ // validate expiration date
+ if grant.GetExpiration() != nil {
+ expirationDateTime := utils.TSToTime(grant.GetExpiration()).UTC()
+ if expirationDateTime.Before(time.Now().UTC()) {
+ msg := fmt.Sprintf("expiration date is in the past: %s", expirationDateTime.Format(time.RFC3339))
+ return &link.UpdatePublicShareResponse{
+ Status: status.NewInvalidArg(ctx, msg),
+ }, nil
+ }
+ }
+
+ // enforce password if needed
+ canOptOut, err := utils.CheckPermission(ctx, permission.DeleteReadOnlyPassword, gatewayClient)
+ if err != nil {
+ return &link.UpdatePublicShareResponse{
+ Status: status.NewInternal(ctx, err.Error()),
+ }, nil
+ }
+ updatePassword := req.GetUpdate().GetType() == link.UpdatePublicShareRequest_Update_TYPE_PASSWORD
+ setPassword := grant.GetPassword()
+ if updatePassword && !isInternalLink && enforcePassword(canOptOut, ps.GetPermissions().GetPermissions(), s.conf) && len(setPassword) == 0 {
+ return &link.UpdatePublicShareResponse{
+ Status: status.NewInvalidArg(ctx, "password protection is enforced"),
+ }, nil
+ }
+
+ // validate password policy
+ if updatePassword && len(setPassword) > 0 {
+ if err := s.passwordValidator.Validate(setPassword); err != nil {
+ return &link.UpdatePublicShareResponse{
+ Status: status.NewInvalidArg(ctx, err.Error()),
+ }, nil
+ }
+ }
+
+ updateR, err := s.sm.UpdatePublicShare(ctx, user, req)
 if err != nil {
 return &link.UpdatePublicShareResponse{
 Status: status.NewInternal(ctx, err.Error()),
@@ -481,11 +580,16 @@ func (s *service) UpdatePublicShare(ctx context.Context, req *link.UpdatePublicS
 return res, nil
 }
-func enforcePassword(grant *link.Grant, conf *config) bool {
+func enforcePassword(canOptOut bool, permissions *provider.ResourcePermissions, conf *config) bool {
+ isReadOnly := conversions.SufficientCS3Permissions(conversions.NewViewerRole(true).CS3ResourcePermissions(), permissions)
+ if isReadOnly && canOptOut {
+ return false
+ }
+
 if conf.PublicShareMustHavePassword {
 return true
 }
- isReadOnly := conversions.SufficientCS3Permissions(conversions.NewViewerRole(true).CS3ResourcePermissions(), grant.GetPermissions().GetPermissions())
+ return !isReadOnly && conf.WriteableShareMustHavePassword
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 069742cb8a4..606c40f0098 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -362,7 +362,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1
 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1
 github.com/cs3org/go-cs3apis/cs3/types/v1beta1
-# github.com/cs3org/reva/v2 v2.17.0
+# github.com/cs3org/reva/v2 v2.17.0 => github.com/micbar/reva/v2 v2.0.0-20231214135602-46da2600d90f
 ## explicit; go 1.21
 github.com/cs3org/reva/v2/cmd/revad/internal/grace
 github.com/cs3org/reva/v2/cmd/revad/runtime
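Review bot: The password policy is only enforced for TYPE_PASSWORD updates — the guard reads `updatePassword && !isInternalLink && enforcePassword(canOptOut, ps.GetPermissions().GetPermissions(), s.conf)` — so a TYPE_PERMISSIONS update that raises a passwordless read-only link to writable permissions is never checked against WriteableShareMustHavePassword in this handler, unless the share manager repeats the check further down. Evaluate `enforcePassword` against the permissions that will be in effect after the update (the requested permissions when `updatePermissions`, otherwise the stored ones) whenever the share currently has no password, not only when the password itself is being changed. `isInternalLink` is likewise derived from the request grant's permissions; if a password-only update leaves that field unset and `grants.PermissionsEqual` treats nil as the empty set, every password update would be classified as internal and skip enforcement — worth confirming against the client payloads. Several failure paths return a populated response together with a non-nil `err` (after GetPublicShare, CheckPermission and Stat, and `}, err` in the UpdateGrant branch where `err` is nil at that point); gRPC discards the response when the error is non-nil, so pick one form consistently, e.g. `return nil, err` or `}, nil`. UpdatePublicShare continues past the end of the hunk.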
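Review bot: `enforcePassword` gained a `canOptOut` parameter whose early return now precedes the `PublicShareMustHavePassword` check, so a caller holding DeleteReadOnlyPassword can clear the password of a read-only link even when the global must-have-password setting is on; CreatePublicShare passes `false`, so today this only affects updates. If that precedence is intended, document it, since the function carries no comment: `// enforcePassword reports whether a public link with the given permissions must be password protected under conf.` / `// canOptOut exempts read-only links from the requirement, including when PublicShareMustHavePassword is set.`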
@@ -2298,3 +2298,4 @@ stash.kopano.io/kgol/oidc-go
 ## explicit; go 1.13
 stash.kopano.io/kgol/rndm
 # github.com/go-micro/plugins/v4/store/nats-js-kv => github.com/kobergj/plugins/v4/store/nats-js-kv v0.0.0-20231207143248-4d424e3ae348
+# github.com/cs3org/reva/v2 => github.com/micbar/reva/v2 v2.0.0-20231214135602-46da2600d90f