Public cannot download folder via the public link of the folder inside the project space #5229

SwikritiT opened this issue Dec 15, 2022 · 5 comments · Fixed by #6216
Labels
Priority:p2-high Escalation, on top of current planning, release blocker Type:Bug

Contributor

SwikritiT commented Dec 15, 2022

Describe the bug

Public cannot download folder via the public link of the folder inside the project space

Steps to reproduce

Steps to reproduce the behavior:

  1. create project space test-space
  2. create a folder inside the project space test-folder/new-folder
  3. create a public link for the folder test-folder
  4. navigate to the public link and try to download folder new-folder

Expected behavior

It should work

Actual behavior

It doesn't

Server logs

web_ocis  | 2022-12-15T03:52:28Z ERR error when calling Createhome error="gateway: grpc failed with code CODE_PERMISSION_DENIED" service=proxy
web_ocis  | 2022-12-15T03:52:28Z ERR error resolving reference resource_id:<storage_id:"1284d238-aa92-42ce-bdc4-0b0000009157" opaque_id:"b2c80be1-8310-45fc-b015-4af21af6aaf4" space_id:"06ed60a3-0a98-4f7c-9914-c0daf30ab17d" > path:"."  under scope publicshare:OfPYouacfcxXXjB error="error: permission denied: access forbidden via public link" pkg=rgrpc service=gateway traceid=00000000000000000000000000000000
web_ocis  | 2022-12-15T03:52:28Z ERR error resolving reference resource_id:<storage_id:"1284d238-aa92-42ce-bdc4-0b0000009157" opaque_id:"b2c80be1-8310-45fc-b015-4af21af6aaf4" space_id:"06ed60a3-0a98-4f7c-9914-c0daf30ab17d" > path:"."  under scope publicshare:OfPYouacfcxXXjB error="error: permission denied: access forbidden via public link" pkg=rgrpc service=gateway traceid=00000000000000000000000000000000
web_ocis  | 2022-12-15T03:52:28Z ERR unary code=PermissionDenied end="15/Dec/2022:03:52:28 +0000" from=tcp://127.0.0.1:49962 pkg=rgrpc service=gateway start="15/Dec/2022:03:52:28 +0000" time_ns=2883858 traceid=00000000000000000000000000000000 uri=/cs3.storage.registry.v1beta1.RegistryAPI/ListStorageProviders user-agent="Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Mobile Safari/537.36"
web_ocis  | 2022-12-15T03:52:28Z ERR error: not found: gateway could not find space for ref=resource_id:<storage_id:"1284d238-aa92-42ce-bdc4-0b0000009157" opaque_id:"b2c80be1-8310-45fc-b015-4af21af6aaf4" space_id:"06ed60a3-0a98-4f7c-9914-c0daf30ab17d" > path:"."  pkg=rhttp service=frontend

Ocis started with image: owncloud/ocis:latest

Member

butonic commented May 3, 2023

I can reproduce this ... 👀

@butonic butonic self-assigned this May 3, 2023
Member

butonic commented May 3, 2023

server log:

2023-05-03T12:24:47+02:00 INF get public share by token line=/home/jfd/Repositories/reva/internal/grpc/services/gateway/publicshareprovider.go:72 pkg=rgrpc service=gateway traceid=0965e1a3559b82f4adc4d63b71b6b604
2023-05-03T12:24:47+02:00 INF user idp:"internal" opaque_id:"some-system-user-id-000-000000000000" type:USER_TYPE_PRIMARY  authenticated line=/home/jfd/Repositories/reva/internal/grpc/services/authprovider/authprovider.go:141 pkg=rgrpc service=storage-system traceid=dac0903d6c48c9cc46132d97db2f4215
2023-05-03T12:24:47+02:00 INF user opaque_id:"90be6b06-eb0d-4f86-bac8-4fdeb8716928" type:USER_TYPE_SPACE_OWNER  authenticated line=/home/jfd/Repositories/reva/internal/grpc/services/authprovider/authprovider.go:141 pkg=rgrpc service=storage-publiclink traceid=10551700f040ce8880035d4fa149c337
2023-05-03T12:24:47+02:00 ERR error when calling Createhome error="gateway: grpc failed with code CODE_PERMISSION_DENIED" line=/home/jfd/Repositories/ocis/services/proxy/pkg/middleware/create_home.go:74 service=proxy
2023-05-03T12:24:47+02:00 INF resolving storage reference to check token scope resource_id:<storage_id:"storage-users-1" opaque_id:"b5d9a7b8-af83-4a00-acf3-44697e614f29" space_id:"90be6b06-eb0d-4f86-bac8-4fdeb8716928" > path:"."  line=/home/jfd/Repositories/reva/internal/grpc/interceptors/auth/scope.go:69 pkg=rgrpc service=gateway traceid=a7fff4ddfa3912a93a0054e1773eab96
2023-05-03T12:24:48+02:00 ERR error resolving reference resource_id:<storage_id:"storage-users-1" opaque_id:"b5d9a7b8-af83-4a00-acf3-44697e614f29" space_id:"90be6b06-eb0d-4f86-bac8-4fdeb8716928" > path:"."  under scope publicshare:kLAMVrxtDdtxwsH error="error: permission denied: access forbidden via public link" line=/home/jfd/Repositories/reva/internal/grpc/interceptors/auth/scope.go:87 pkg=rgrpc service=gateway traceid=a7fff4ddfa3912a93a0054e1773eab96
2023-05-03T12:24:48+02:00 INF resolving storage reference to check token scope resource_id:<storage_id:"storage-users-1" opaque_id:"b5d9a7b8-af83-4a00-acf3-44697e614f29" space_id:"90be6b06-eb0d-4f86-bac8-4fdeb8716928" > path:"."  line=/home/jfd/Repositories/reva/internal/grpc/interceptors/auth/scope.go:69 pkg=rgrpc service=gateway traceid=c2154cd6fff9ebc6ca9f4f2e0183fe21
2023-05-03T12:24:48+02:00 ERR error resolving reference resource_id:<storage_id:"storage-users-1" opaque_id:"b5d9a7b8-af83-4a00-acf3-44697e614f29" space_id:"90be6b06-eb0d-4f86-bac8-4fdeb8716928" > path:"."  under scope publicshare:kLAMVrxtDdtxwsH error="error: permission denied: access forbidden via public link" line=/home/jfd/Repositories/reva/internal/grpc/interceptors/auth/scope.go:87 pkg=rgrpc service=gateway traceid=c2154cd6fff9ebc6ca9f4f2e0183fe21
2023-05-03T12:24:48+02:00 WRN access token is invalid error="error: permission denied: access to resource opaque:<map:<key:\"mask\" value:<decoder:\"plain\" value:\"root\" > > map:<key:\"opaque_id\" value:<decoder:\"plain\" value:\"b5d9a7b8-af83-4a00-acf3-44697e614f29\" > > map:<key:\"path\" value:<decoder:\"plain\" value:\".\" > > map:<key:\"space_id\" value:<decoder:\"plain\" value:\"90be6b06-eb0d-4f86-bac8-4fdeb8716928\" > > map:<key:\"storage_id\" value:<decoder:\"plain\" value:\"storage-users-1\" > > map:<key:\"unique\" value:<decoder:\"plain\" value:\"true\" > > >  not allowed within the assigned scope" line=/home/jfd/Repositories/reva/internal/grpc/interceptors/auth/auth.go:150 pkg=rgrpc service=gateway traceid=c2154cd6fff9ebc6ca9f4f2e0183fe21
2023-05-03T12:24:48+02:00 ERR unary code=PermissionDenied end="03/May/2023:12:24:48 +0200" from=tcp://127.0.0.1:49664 line=/home/jfd/Repositories/reva/internal/grpc/interceptors/log/log.go:66 pkg=rgrpc service=gateway start="03/May/2023:12:24:48 +0200" time_ns=655542520 traceid=c2154cd6fff9ebc6ca9f4f2e0183fe21 uri=/cs3.storage.registry.v1beta1.RegistryAPI/ListStorageProviders user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.58"
2023-05-03T12:24:48+02:00 ERR error: not found: gateway could not find space for ref=resource_id:<storage_id:"storage-users-1" opaque_id:"b5d9a7b8-af83-4a00-acf3-44697e614f29" space_id:"90be6b06-eb0d-4f86-bac8-4fdeb8716928" > path:"."  line=/home/jfd/Repositories/reva/internal/http/services/archiver/handler.go:201 pkg=rhttp service=frontend
2023-05-03T12:24:48+02:00 WRN http end="03/May/2023:12:24:48 +0200" host=127.0.0.1 line=/home/jfd/Repositories/reva/internal/http/interceptors/log/log.go:112 method=GET pkg=rhttp proto=HTTP/1.1 service=frontend size=205 start="03/May/2023:12:24:47 +0200" status=404 time_ns=1596058219 traceid=a41c95bd312920bc987ff7568ab033dc uri=/archiver?public-token=loXcKKjEkAaiuhu&id=storage-users-1$90be6b06-eb0d-4f86-bac8-4fdeb8716928!b5d9a7b8-af83-4a00-acf3-44697e614f29 url=/?public-token=loXcKKjEkAaiuhu&id=storage-users-1$90be6b06-eb0d-4f86-bac8-4fdeb8716928!b5d9a7b8-af83-4a00-acf3-44697e614f29
2023-05-03T12:24:48+02:00 INF access-log bytes=205 duration=1717.534466 line=/home/jfd/Repositories/ocis/services/proxy/pkg/middleware/accesslog.go:28 method=GET path=/archiver proto=HTTP/1.1 remote-addr=192.168.1.226 request-id=73c5dad1-d284-4029-a0d9-0abd954404c4 service=proxy status=404

Member

butonic commented May 3, 2023

the scope check has to impersonate the owner to stat the share in


func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent *provider.ResourceId, client gateway.GatewayAPIClient, mgr token.Manager) (bool, error) {
	// Since the resource ID is obtained from the scope, the current token
	// has access to it.
	statResponse, err := client.Stat(ctx, &provider.StatRequest{Ref: &provider.Reference{ResourceId: parent}})
	if err != nil {
		return false, err
	}
	if statResponse.Status.Code != rpc.Code_CODE_OK {
		return false, statuspkg.NewErrorFromCode(statResponse.Status.Code, "auth interceptor")
	}
	parentPath := statResponse.Info.Path

	childPath := ref.GetPath()
	if childPath == "" || childPath == "." {
		// We mint a token as the owner of the public share and try to stat the reference
		// TODO(ishank011): We need to find a better alternative to this

		userResp, err := client.GetUser(ctx, &userpb.GetUserRequest{UserId: statResponse.Info.Owner, SkipFetchingUserGroups: true})
		if err != nil || userResp.Status.Code != rpc.Code_CODE_OK {
			return false, err
		}
...

but statResponse.Info.Owner contains a UserType_USER_TYPE_SPACE_OWNER (8) ... which cannot be resolved via GetUser ...
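
The failure mode described in the comment above, as an added, self-contained Go sketch (not code from reva or ocis, and not the change made in cs3org/reva#3843). `UserType`, `UserID`, `getUser` and `ownerForImpersonation` are simplified, hypothetical stand-ins, and the handling of the space-owner case is an assumption about one possible approach.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the CS3 user types; not the real reva/CS3 API.
type UserType int

const (
	UserTypePrimary    UserType = 1
	UserTypeSpaceOwner UserType = 8 // numeric value as quoted in the comment above
)

type UserID struct {
	OpaqueID string
	Type     UserType
}

var errUserNotFound = errors.New("user not found")

// getUser models the directory lookup: only ordinary accounts resolve.
func getUser(directory map[string]bool, id UserID) (UserID, error) {
	if id.Type == UserTypeSpaceOwner || !directory[id.OpaqueID] {
		return UserID{}, errUserNotFound
	}
	return id, nil
}

// ownerForImpersonation returns the identity the scope check would mint a token for.
// With handleSpaceOwner=false it reproduces the failure described in the thread.
func ownerForImpersonation(directory map[string]bool, owner UserID, handleSpaceOwner bool) (UserID, error) {
	if handleSpaceOwner && owner.Type == UserTypeSpaceOwner {
		// Assumed handling: no directory entry exists, so use the owner ID from the stat result.
		return owner, nil
	}
	u, err := getUser(directory, owner)
	if err != nil {
		// Surface the cause rather than returning (false, nil) to the caller.
		return UserID{}, fmt.Errorf("scope check: owner %q type %d: %w", owner.OpaqueID, owner.Type, err)
	}
	return u, nil
}

func main() {
	dir := map[string]bool{"alice": true} // constructed directory
	owner := UserID{OpaqueID: "90be6b06-eb0d-4f86-bac8-4fdeb8716928", Type: UserTypeSpaceOwner}
	_, err := ownerForImpersonation(dir, owner, false)
	fmt.Println("without handling:", err)
	u, err := ownerForImpersonation(dir, owner, true)
	fmt.Println("with handling:", u.OpaqueID, err)
}
```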

Member

butonic commented May 3, 2023

requires cs3org/reva#3843 in ocis

Member

butonic commented May 3, 2023

fixed by #6216
