cs3org · glpatcern · Jun 14, 2021 · Jun 15, 2021 · Jun 15, 2021 · Jun 15, 2021
@@ -0,0 +1,4 @@
+Enhancement: add support for a deny-all permission on references
+and implement it on the EOS storage
+
+http://github.com/cs3org/reva/pull/1798
@@ -32,6 +32,7 @@ import (
 const (
 	viewerPermission string = "viewer"
 	editorPermission string = "editor"
+	denyPermission   string = "deny"
 )
 
 type config struct {

@@ -153,15 +153,16 @@ func getGrantType(t string) provider.GranteeType {
 }
 
 func getSharePerm(p string) (*provider.ResourcePermissions, error) {
-	if p == viewerPermission {
+	switch p {
+	case viewerPermission:
 		return &provider.ResourcePermissions{
 			GetPath:              true,
 			InitiateFileDownload: true,
 			ListFileVersions:     true,
 			ListContainer:        true,
 			Stat:                 true,
 		}, nil
-	} else if p == editorPermission {
+	case editorPermission:
 		return &provider.ResourcePermissions{
 			GetPath:              true,
 			InitiateFileDownload: true,
@@ -174,6 +175,9 @@ func getSharePerm(p string) (*provider.ResourcePermissions, error) {
 			RestoreFileVersion:   true,
 			Move:                 true,
 		}, nil
+	case denyPermission:
+		return &provider.ResourcePermissions{}, nil
+	default:
+		return nil, errors.New("invalid rol: " + p)
 	}
-	return nil, errors.New("invalid rol: " + p)
 }
@@ -9,31 +9,31 @@ description: >
 # _struct: config_
 
 {{% dir name="mount_path" type="string" default="/" %}}
-The path where the file system would be mounted. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L52)
+The path where the file system would be mounted. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L59)
 {{< highlight toml >}}
 [grpc.services.storageprovider]
 mount_path = "/"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="mount_id" type="string" default="-" %}}
-The ID of the mounted file system. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L53)
+The ID of the mounted file system. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L60)
 {{< highlight toml >}}
 [grpc.services.storageprovider]
 mount_id = "-"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="driver" type="string" default="localhome" %}}
-The storage driver to be used. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L54)
+The storage driver to be used. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L61)
 {{< highlight toml >}}
 [grpc.services.storageprovider]
 driver = "localhome"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="drivers" type="map[string]map[string]interface{}" default="localhome" %}}
- [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L55)
+ [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L62)
 {{< highlight toml >}}
 [grpc.services.storageprovider.drivers.localhome]
 root = "/var/tmp/reva/"
@@ -44,42 +44,50 @@ user_layout = "{{.Username}}"
 {{% /dir %}}
 
 {{% dir name="tmp_folder" type="string" default="/var/tmp" %}}
-Path to temporary folder. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L56)
+Path to temporary folder. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L63)
 {{< highlight toml >}}
 [grpc.services.storageprovider]
 tmp_folder = "/var/tmp"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="data_server_url" type="string" default="http://localhost/data" %}}
-The URL for the data server. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L57)
+The URL for the data server. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L64)
 {{< highlight toml >}}
 [grpc.services.storageprovider]
 data_server_url = "http://localhost/data"
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="expose_data_server" type="bool" default=false %}}
-Whether to expose data server. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L58)
+Whether to expose data server. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L65)
 {{< highlight toml >}}
 [grpc.services.storageprovider]
 expose_data_server = false
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="available_checksums" type="map[string]uint32" default=nil %}}
-List of available checksums. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L59)
+List of available checksums. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L66)
 {{< highlight toml >}}
 [grpc.services.storageprovider]
 available_checksums = nil
 {{< /highlight >}}
 {{% /dir %}}
 
 {{% dir name="mimetypes" type="map[string]string" default=nil %}}
-List of supported mime types and corresponding file extensions. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L60)
+List of supported mime types and corresponding file extensions. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L67)
 {{< highlight toml >}}
 [grpc.services.storageprovider]
 mimetypes = nil
 {{< /highlight >}}
 {{% /dir %}}
 
+{{% dir name="gatewaysvc" type="string" default="/" %}}
+Stores the endpoint at which the GRPC gateway is exposed. [[Ref]](https://github.com/cs3org/reva/tree/master/internal/grpc/services/storageprovider/storageprovider.go#L68)
+{{< highlight toml >}}
+[grpc.services.storageprovider]
+gatewaysvc = "/"
+{{< /highlight >}}
+{{% /dir %}}
+
@@ -23,6 +23,7 @@ require (
 	github.com/go-sql-driver/mysql v1.6.0
 	github.com/golang/protobuf v1.5.2
 	github.com/gomodule/redigo v1.8.5
+	github.com/google/go-cmp v0.5.5 // indirect
 	github.com/google/go-github v17.0.0+incompatible
 	github.com/google/go-querystring v1.0.0 // indirect
 	github.com/google/uuid v1.2.0
@@ -34,6 +35,7 @@ require (
 	github.com/minio/minio-go/v7 v7.0.11
 	github.com/mitchellh/copystructure v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.4.1
+	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.13.0
 	github.com/ory/fosite v0.40.2
@@ -46,6 +48,7 @@ require (
 	github.com/sethvargo/go-password v0.2.0
 	github.com/stretchr/testify v1.7.0
 	github.com/studio-b12/gowebdav v0.0.0-20200303150724-9380631c29a1
+	github.com/thanhpk/randstr v1.0.4
 	github.com/tus/tusd v1.1.1-0.20200416115059-9deabf9d80c2
 	go.opencensus.io v0.23.0
 	golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c

@@ -1171,6 +1171,8 @@ github.com/subosito/gotenv v1.1.1/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
+github.com/thanhpk/randstr v1.0.4 h1:IN78qu/bR+My+gHCvMEXhR/i5oriVHcTB/BJJIRTsNo=
+github.com/thanhpk/randstr v1.0.4/go.mod h1:M/H2P1eNLZzlDwAzpkkkUvoyNNMbzRGhESZuEQk3r0U=
 github.com/tidwall/gjson v1.3.2/go.mod h1:P256ACg0Mn+j1RXIDXoss50DeIABTYK1PULOJHhxOls=
 github.com/tidwall/gjson v1.6.8/go.mod h1:zeFuBCIqD4sN/gmqBzZ4j7Jd6UcA2Fc56x7QFsv+8fI=
 github.com/tidwall/gjson v1.7.1/go.mod h1:5/xDoumyyDNerp2U36lyolv46b3uF/9Bu6OfyQ9GImk=

@@ -28,16 +28,23 @@ import (
 	"strconv"
 	"strings"
 
+	groupv1beta1 "github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1"
 	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
+
 	// link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	"github.com/cs3org/reva/pkg/appctx"
 	"github.com/cs3org/reva/pkg/errtypes"
+	grouputils "github.com/cs3org/reva/pkg/group/utils"
 	"github.com/cs3org/reva/pkg/mime"
 	"github.com/cs3org/reva/pkg/rgrpc"
 	"github.com/cs3org/reva/pkg/rgrpc/status"
+	"github.com/cs3org/reva/pkg/rgrpc/todo/pool"
+	"github.com/cs3org/reva/pkg/sharedconf"
 	"github.com/cs3org/reva/pkg/storage"
 	"github.com/cs3org/reva/pkg/storage/fs/registry"
+	"github.com/cs3org/reva/pkg/storage/utils/grants"
+	"github.com/cs3org/reva/pkg/user"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
 	"go.opencensus.io/trace"
@@ -58,6 +65,7 @@ type config struct {
 	ExposeDataServer bool                              `mapstructure:"expose_data_server" docs:"false;Whether to expose data server."` // if true the client will be able to upload/download directly to it
 	AvailableXS      map[string]uint32                 `mapstructure:"available_checksums" docs:"nil;List of available checksums."`
 	MimeTypes        map[string]string                 `mapstructure:"mimetypes" docs:"nil;List of supported mime types and corresponding file extensions."`
+	GatewaySvc       string                            `mapstructure:"gatewaysvc" docs:"/;Stores the endpoint at which the GRPC gateway is exposed."`
 }
 
 func (c *config) init() {
@@ -90,6 +98,9 @@ func (c *config) init() {
 	if len(c.AvailableXS) == 0 {
 		c.AvailableXS = map[string]uint32{"md5": 100, "unset": 1000}
 	}
+
+	// get default GatewaySVC value if not set
+	c.GatewaySvc = sharedconf.GetGatewaySVC(c.GatewaySvc)
 }
 
 type service struct {
@@ -922,6 +933,43 @@ func (s *service) AddGrant(ctx context.Context, req *provider.AddGrantRequest) (
 		}, nil
 	}
 
+	// if the grant is a denial, check if the current user is an owner of the reference
+	if grants.IsDenial(req.Grant) {
+		user, ok := user.ContextGetUser(ctx)
+		if !ok {
+			return nil, errtypes.InternalError("user not found in context")
+		}
+
+		client, err := pool.GetGatewayServiceClient(s.conf.GatewaySvc)
+		if err != nil {
+			return nil, err
+		}
+
+		// get owner of the reference
+		owners, err := s.storage.GetOwners(ctx, req.Ref)
+		if err != nil {
+			return nil, err
+		}
+
+		// check if the group is empty
+		if grouputils.IsEmptyGroup(owners) {
+			return nil, errtypes.PermissionDenied("user is not an owner")
+		}
+
+		// check if the user is in the owner list
+		hasMemberResp, err := client.HasMember(ctx, &groupv1beta1.HasMemberRequest{
+			GroupId: owners.Id,
+			UserId:  user.Id,
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		if !hasMemberResp.Ok {
+			return nil, errtypes.PermissionDenied("user is not an owner")
+		}
+	}
+
 	err = s.storage.AddGrant(ctx, newRef, req.Grant)
 	if err != nil {
 		var st *rpc.Status

@@ -26,7 +26,7 @@ import (
 type Permissions uint
 
 const (
-	// PermissionInvalid grants no permissions on a resource
+	// PermissionInvalid represents an invalid permission
 	PermissionInvalid Permissions = 0
 	// PermissionRead grants read permissions on a resource
 	PermissionRead Permissions = 1 << (iota - 1)
@@ -38,21 +38,27 @@ const (
 	PermissionDelete
 	// PermissionShare grants share permissions on a resource
 	PermissionShare
+	// PermissionNone grants no permissions on a resource
+	PermissionNone
+	// PermissionMax is to be used within value range checks
+	PermissionMax Permissions = (1 << (iota - 1)) - 1
 	// PermissionAll grants all permissions on a resource
-	PermissionAll Permissions = (1 << (iota - 1)) - 1
+	PermissionAll = PermissionMax - PermissionNone
+	// PermissionMin is to be used within value range checks
+	PermissionMin = PermissionRead
 )
 
 var (
 	// ErrPermissionNotInRange defines a permission specific error.
-	ErrPermissionNotInRange = fmt.Errorf("The provided permission is not between %d and %d", PermissionInvalid, PermissionAll)
+	ErrPermissionNotInRange = fmt.Errorf("The provided permission is not between %d and %d", PermissionMin, PermissionMax)
 )
 
 // NewPermissions creates a new Permissions instance.
 // The value must be in the valid range.
 func NewPermissions(val int) (Permissions, error) {
 	if val == int(PermissionInvalid) {
-		return PermissionInvalid, fmt.Errorf("permissions %d out of range %d - %d", val, PermissionRead, PermissionAll)
-	} else if val < int(PermissionInvalid) || int(PermissionAll) < val {
+		return PermissionInvalid, fmt.Errorf("permissions %d out of range %d - %d", val, PermissionMin, PermissionMax)
+	} else if val < int(PermissionInvalid) || int(PermissionMax) < val {
 		return PermissionInvalid, ErrPermissionNotInRange
 	}
 	return Permissions(val), nil

@@ -23,7 +23,7 @@ import (
 )
 
 func TestNewPermissions(t *testing.T) {
-	for val := int(PermissionRead); val <= int(PermissionAll); val++ {
+	for val := int(PermissionMin); val <= int(PermissionMax); val++ {
 		_, err := NewPermissions(val)
 		if err != nil {
 			t.Errorf("value %d should be a valid permissions", val)
@@ -35,7 +35,7 @@ func TestNewPermissionsWithInvalidValueShouldFail(t *testing.T) {
 	vals := []int{
 		int(PermissionInvalid),
 		-1,
-		int(PermissionAll) + 1,
+		int(PermissionMax) + 1,
 	}
 	for _, v := range vals {
 		_, err := NewPermissions(v)
@@ -149,6 +149,7 @@ func TestPermissions2Role(t *testing.T) {
 		PermissionWrite:                   RoleLegacy,
 		PermissionShare:                   RoleLegacy,
 		PermissionWrite | PermissionShare: RoleLegacy,
+		PermissionNone:                    RoleDenied,
 	}
 
 	for permissions, role := range table {

@@ -38,6 +38,8 @@ const (
 	RoleUnknown string = "unknown"
 	// RoleLegacy provides backwards compatibility
 	RoleLegacy string = "legacy"
+	// RoleDenied grants no permission at all on a resource
+	RoleDenied string = "denied"
 	// RoleViewer grants non-editor role on a resource
 	RoleViewer string = "viewer"
 	// RoleEditor grants editor permission on a resource, including folders
@@ -119,6 +121,8 @@ func (r *Role) WebDAVPermissions(isDir, isShared, isMountpoint, isPublic bool) s
 // RoleFromName creates a role from the name
 func RoleFromName(name string) *Role {
 	switch name {
+	case RoleDenied:
+		return NewDeniedRole()
 	case RoleViewer:
 		return NewViewerRole()
 	case RoleEditor:
@@ -142,6 +146,15 @@ func NewUnknownRole() *Role {
 	}
 }
 
+// NewDeniedRole creates a fully denied role
+func NewDeniedRole() *Role {
+	return &Role{
+		Name:                   RoleDenied,
+		cS3ResourcePermissions: &provider.ResourcePermissions{},
+		ocsPermissions:         PermissionNone,
+	}
+}
+
 // NewViewerRole creates a viewer role
 func NewViewerRole() *Role {
 	return &Role{
@@ -294,6 +307,9 @@ func RoleFromOCSPermissions(p Permissions) *Role {
 	if p == PermissionCreate {
 		return NewUploaderRole()
 	}
+	if p == PermissionNone {
+		return NewDeniedRole()
+	}
 	// legacy
 	return NewLegacyRoleFromOCSPermissions(p)
 }
@@ -401,6 +417,10 @@ func RoleFromResourcePermissions(rp *provider.ResourcePermissions) *Role {
 		r.Name = RoleUploader
 		return r
 	}
+	if r.ocsPermissions == PermissionNone {
+		r.Name = RoleDenied
+		return r
+	}
 	r.Name = RoleLegacy
 	// at this point other ocs permissions may have been mapped.
 	// TODO what about even more granular cs3 permissions?, eg. only stat