From db6d2ef34dbf2ca5400e3252bc6236f775872d79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Mon, 26 Aug 2024 17:17:51 +0200
Subject: [PATCH] all actions must be part of the role
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörn Friedrich Dreyer
---
 .../v0/api_driveitem_permissions_test.go | 2 +-
 services/graph/pkg/unifiedrole/unifiedrole.go | 21 +++++++++----------
 2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/services/graph/pkg/service/v0/api_driveitem_permissions_test.go b/services/graph/pkg/service/v0/api_driveitem_permissions_test.go
index c2bae8e99eb..fbe7a6d798f 100644
--- a/services/graph/pkg/service/v0/api_driveitem_permissions_test.go
+++ b/services/graph/pkg/service/v0/api_driveitem_permissions_test.go
@@ -178,7 +178,7 @@ var _ = Describe("DriveItemPermissionsService", func() {
 Expect(permission.GetRoles()[0]).To(Equal(unifiedrole.NewViewerUnifiedRole().GetId()))
 })
- It("succeeds with folder roles (happy path)", func() {
+ FIt("succeeds with folder roles (happy path)", func() {
 statResponse.Info.Type = provider.ResourceType_RESOURCE_TYPE_CONTAINER
 gatewayClient.On("GetUser", mock.Anything, mock.Anything).Return(getUserResponse, nil)
 gatewayClient.On("CreateShare", mock.Anything, mock.Anything).Return(createShareResponse, nil)
diff --git a/services/graph/pkg/unifiedrole/unifiedrole.go b/services/graph/pkg/unifiedrole/unifiedrole.go
index d20d1bd19e9..5f33950409d 100644
--- a/services/graph/pkg/unifiedrole/unifiedrole.go
+++ b/services/graph/pkg/unifiedrole/unifiedrole.go
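Review bot: The `It` → `FIt` change on the "succeeds with folder roles (happy path)" spec looks like leftover local debugging and should be reverted to `It("succeeds with folder roles (happy path)", func() {` before merge. `FIt` focuses that one spec, so every other spec in the suite — including the permission-to-role mapping cases that the unifiedrole.go hunks in this same patch affect — is silently skipped, which is the opposite of what a change to the matching rule needs. Ginkgo also treats programmatic focus as a failure condition on a non-interactive run (it returns a distinct non-zero exit status after the specs pass), so CI is likely to go red on this alone. Nothing in the spec body changes here, so the hunk adds no coverage. The enclosing `Describe` block starts before and ends after this hunk.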
@@ -528,17 +528,20 @@ func GetLegacyName(role libregraph.UnifiedRoleDefinition) string {
 // CS3ResourcePermissionsToUnifiedRole tries to find the UnifiedRoleDefinition that matches the supplied
 // CS3 ResourcePermissions and constraints.
 func CS3ResourcePermissionsToUnifiedRole(p *provider.ResourcePermissions, constraints string, listFederatedRoles bool) *libregraph.UnifiedRoleDefinition {
- actions := CS3ResourcePermissionsToLibregraphActions(p)
+ actionSet := map[string]struct{}{}
+ for _, action := range CS3ResourcePermissionsToLibregraphActions(p) {
+ actionSet[action] = struct{}{}
+ }
 var res *libregraph.UnifiedRoleDefinition
 for _, uRole := range GetBuiltinRoleDefinitionList() {
 definitionMatch := false
- for _, uPerm := range uRole.GetRolePermissions() {
+ for _, permission := range uRole.GetRolePermissions() {
 // this is a dirty comparison because we are not really parsing the SDDL, but as long as we && the conditions we are good
- isFederatedRole := strings.Contains(uPerm.GetCondition(), UnifiedRoleConditionFederatedUser)
+ isFederatedRole := strings.Contains(permission.GetCondition(), UnifiedRoleConditionFederatedUser)
 switch {
- case !strings.Contains(uPerm.GetCondition(), constraints):
+ case !strings.Contains(permission.GetCondition(), constraints):
 continue
 case listFederatedRoles && !isFederatedRole:
 continue
@@ -547,13 +550,9 @@ func CS3ResourcePermissionsToUnifiedRole(p *provider.ResourcePermissions, constr
 }
 // if the actions converted from the ResourcePermissions equal the action the defined for the role, we have match
- for i, action := range uPerm.GetAllowedResourceActions() {
- if !slices.Contains(actions, action) {
- break
- }
- if i == len(uPerm.GetAllowedResourceActions())-1 {
- definitionMatch = true
- }
+ if resourceActionsEqual(actionSet, permission.GetAllowedResourceActions()) {
+ definitionMatch = true
+ break
 }
 }
 if definitionMatch {
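Review bot: `resourceActionsEqual` is called on the new side of the second hunk but defined nowhere in this patch — the diffstat lists only the test file and unifiedrole.go, and neither hunk adds it — so unless it already exists in the package the build breaks, and since that helper is what actually enforces the commit's "all actions must be part of the role" rule, its definition belongs in this change. For the rule to hold it has to check both directions: every action the role allows is present in `actionSet`, and `actionSet` contains nothing the role does not list; the removed loop only checked the first direction, which let a broader CS3 permission set be reported as a narrower role, and a helper that only replaces `slices.Contains` with a map lookup would keep that gap. Because `actionSet` is deduplicated while `GetAllowedResourceActions()` is a plain slice, compare against a deduplicated copy of the role's list rather than `len(allowed)`, or a role definition that repeats an action could never match. It is also worth confirming that `slices` is still referenced elsewhere in the file now that the `slices.Contains` call is gone, otherwise the import becomes unused. The surrounding loop over `GetBuiltinRoleDefinitionList()` and the assignment to `res` continue outside this hunk.
```go
// resourceActionsEqual reports whether the actions derived from the CS3
// permissions are exactly the actions the role allows: nothing the role
// grants is missing, and nothing outside the role is present.
func resourceActionsEqual(actionSet map[string]struct{}, allowed []string) bool {
	seen := make(map[string]struct{}, len(allowed))
	for _, action := range allowed {
		if _, ok := actionSet[action]; !ok {
			return false
		}
		seen[action] = struct{}{}
	}
	// seen ⊆ actionSet by construction; equal sizes means the sets are equal.
	return len(seen) == len(actionSet)
}
```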