Support t and x in ACEs
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
butonic committed May 15, 2024
1 parent 7099ed4 commit a82261e
Showing 3 changed files with 46 additions and 7 deletions.
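--- a/changelog/unreleased/support-tx-in-aces.md
+++ b/changelog/unreleased/support-tx-in-aces.md
@@ -0,0 +1,5 @@
+Enhancement: Support t and x in ACEs
+
+To support view only shares (dowload forbidden) we added t (read attrs) and x (directory traversal) permissions to the decomposed FS ACEs.
+
+https://github.com/cs3org/reva/pull/4685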
25 changes: 18 additions & 7 deletions pkg/storage/utils/ace/ace.go
Expand Up @@ -316,10 +316,15 @@ func (e *ACE) granteeType() provider.GranteeType {
// grantPermissionSet returns the set of CS3 resource permissions representing the ACE
func (e *ACE) grantPermissionSet() *provider.ResourcePermissions {
p := &provider.ResourcePermissions{}
// r
if strings.Contains(e.permissions, "r") {
// t
if strings.Contains(e.permissions, "t") {
p.Stat = true
p.GetPath = true
}
// r
if strings.Contains(e.permissions, "r") {
p.Stat = true // currently assumed
p.GetPath = true // currently assumed
p.InitiateFileDownload = true
p.ListContainer = true
}
Expand All @@ -336,10 +341,9 @@ func (e *ACE) grantPermissionSet() *provider.ResourcePermissions {
p.CreateContainer = true
}
// x
// if strings.Contains(e.Permissions, "x") {
// TODO execute file permission?
// TODO change directory permission?
// }
if strings.Contains(e.permissions, "x") {
p.ListContainer = true
}
// d
if strings.Contains(e.permissions, "d") {
p.Delete = true
Expand Down Expand Up @@ -436,10 +440,17 @@ func unmarshalKV(s string) (*ACE, error) {
return e, nil
}

// getACEPerm produces an NFSv4.x inspired permission string from a CS3 resource permissions set
func getACEPerm(set *provider.ResourcePermissions) string {
var b strings.Builder

if set.Stat || set.InitiateFileDownload || set.ListContainer || set.GetPath {
if set.Stat || set.GetPath {
b.WriteString("t")
}
if set.ListContainer { // we have no dedicated traversal permission, but to listing a container allows traversing it
b.WriteString("x")
}
if set.InitiateFileDownload {
b.WriteString("r")
}
if set.InitiateFileUpload || set.Move {
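Review bot: In `grantPermissionSet` the `r` branch still sets `Stat`, `GetPath` and `ListContainer` next to `InitiateFileDownload`, while `getACEPerm` now writes `r` for `InitiateFileDownload` alone, so a grant carrying only the download permission comes back from an ACE round trip with listing and stat added. If that widening is kept for ACEs written before this change, say so where the code now reads `// currently assumed`, e.g. `// ACEs written before t/x existed carry only r; keep implying stat, path and listing for them`. The reverse case looks worth checking too: the old `getACEPerm` encoded any of Stat, GetPath or ListContainer as `r`, so an already stored restricted grant would presumably still decode with `InitiateFileDownload = true` until it is rewritten. Both function bodies continue outside the hunks shown.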
23 changes: 23 additions & 0 deletions pkg/storage/utils/ace/ace_test.go
Expand Up @@ -100,6 +100,21 @@ var _ = Describe("ACE", func() {
})

Describe("converting permissions", func() {
It("converts t", func() {
userGrant.Permissions.Stat = true
newGrant := ace.FromGrant(userGrant).Grant()
userGrant.Permissions.Stat = false
Expect(newGrant.Permissions.Stat).To(BeTrue())
Expect(newGrant.Permissions.Delete).To(BeFalse())

userGrant.Permissions.GetPath = true
newGrant = ace.FromGrant(userGrant).Grant()
fmt.Println(newGrant.Permissions)
userGrant.Permissions.GetPath = false
Expect(newGrant.Permissions.GetPath).To(BeTrue())
Expect(newGrant.Permissions.Delete).To(BeFalse())
})

It("converts r", func() {
userGrant.Permissions.Stat = true
newGrant := ace.FromGrant(userGrant).Grant()
Expand Down Expand Up @@ -152,6 +167,14 @@ var _ = Describe("ACE", func() {
Expect(newGrant.Permissions.Delete).To(BeFalse())
})

It("converts x", func() {
userGrant.Permissions.ListContainer = true
newGrant := ace.FromGrant(userGrant).Grant()
userGrant.Permissions.ListContainer = false
Expect(newGrant.Permissions.ListContainer).To(BeTrue())
Expect(newGrant.Permissions.Delete).To(BeFalse())
})

It("converts d", func() {
userGrant.Permissions.Delete = true
newGrant := ace.FromGrant(userGrant).Grant()
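Review bot: The new `converts t` and `converts x` cases assert only that the granted bit survives and that `Delete` stays false, so nothing pins the property this change exists for: a grant without download must not gain it on the round trip. Adding `Expect(newGrant.Permissions.InitiateFileDownload).To(BeFalse())` to both cases (and `Expect(newGrant.Permissions.ListContainer).To(BeFalse())` to `converts t`) would catch a regression in the `t`/`x`/`r` mapping. The `fmt.Println(newGrant.Permissions)` in `converts t` looks like leftover debug output and can be dropped. The `converts r` case that follows still begins with `Stat = true`, which now encodes as `t`; its body continues outside the hunk, so confirm it sets `InitiateFileDownload` as well.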
