Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhancement: calculate and expose actual file permission set #1368

Merged

Conversation

butonic
Copy link
Contributor

@butonic butonic commented Dec 10, 2020

Instead of hardcoding the permissions set for every file and folder to ListContainer:true, CreateContainer:true and always reporting the hardcoded string WCKDNVR for the WebDAV permissions we now aggregate the actual cs3 resource permissions in the storage drivers and correctly map them to ocs permissions and webdav permissions using a common role struct that encapsulates the mapping logic.

  • refactor the create*Share methods to use the same stat
  • use a common permissions check to prevent users from sharing with permissions they don't have
  • map between share role, cs3 resource permissionset, ocs permissions
    • the mapping needs to be simplified by mapping everything to roles
    • we can bring back legacy ocs permissions by mapping them to all legacy role combinations and finding corresponding mappings in cs3 permission sets.
  • refactor error handling
    • use ocdav.HandleErrorStatus in more places left for another PR I already touched too many things.
  • fix storages and calculate permissions by reading the grants in the path instead of hardcoding ListContainer:true, CreateContainer:true
    • ocis
    • eos I hardcoded returning all permissions, similar to what the ocs api was doing prior to this PR.
    • local I hardcoded returning all permissions, similar to what the ocs api was doing prior to this PR.
    • s3 I hardcoded returning all permissions, similar to what the ocs api was doing prior to this PR.
    • owncloud I hardcoded returning all permissions, similar to what the ocs api was doing prior to this PR.

should fix

related

@labkode eos, localfs, and the other storages need to return a proper PermissionSet for the logged in user so the ocs api can actually return the right ocs permissions. For the ocis I implemented a ReadUserPermissions() that aggregates the permissions on all segments of the path. ReadUserPermissions() is called in GetMD() and ListContainer(). It should be possible to aggregate the permission set for the other storages in a similar manner. Can eos return the acl or permissions for the current user in the fileinfo or is that another call. ... well it might not be necessary if eos really cannot store acls on files directly (only via fuse richacls).

Another option might be to push setting the permission set to the gateway. it could use the storage registry to fill in the permissions without having to stat every path segment, because it can look at the mount points of shares.

Anyway, this PR currently tries to check if the current user is the owner and returns all permissions if that is the case. This works on eos, ocis, local and owncloud AFAICT. not on s3, yet. For shared folders the ocis driver aggregates the permissions. I did not do thet for the other storages yet, but would start implementing it in the same way, unless you have a better idea how to do it more efficiently. For now I want to make it work. Profiling to make it fast comes later.

@update-docs
Copy link

update-docs bot commented Dec 10, 2020

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@phil-davis
Copy link
Contributor

Note: drone CI is not running for some reason today. So we are not getting results to know if the behaviour is improved or not.

@labkode
Copy link
Member

labkode commented Dec 10, 2020

@phil-davis https://discourse.drone.io/t/new-builds-not-appearing-on-drone/8479

@lgtm-com
Copy link

lgtm-com bot commented Dec 10, 2020

This pull request introduces 1 alert when merging 761ca60 into e791b55 - view on LGTM.com

new alerts:

  • 1 for Useless assignment to local variable

@butonic butonic force-pushed the share-permissions-and-resource-permissions branch from 87713dd to 9637661 Compare December 10, 2020 20:50
@butonic butonic changed the title [WIP] prevent sharing with increased permissions [WIP] Enhancement: calculate and expose actual file permission set Dec 11, 2020
@butonic butonic changed the base branch from master to unsafe December 14, 2020 15:15
@butonic butonic force-pushed the share-permissions-and-resource-permissions branch from 15f25f8 to 8238918 Compare December 14, 2020 15:22
@butonic butonic changed the title [WIP] Enhancement: calculate and expose actual file permission set Enhancement: calculate and expose actual file permission set Dec 14, 2020
@butonic butonic force-pushed the share-permissions-and-resource-permissions branch from 8238918 to b976591 Compare December 14, 2020 15:37
@butonic butonic changed the title Enhancement: calculate and expose actual file permission set [WIP] Enhancement: calculate and expose actual file permission set Dec 15, 2020
@butonic butonic marked this pull request as draft December 15, 2020 12:53
@butonic butonic changed the base branch from unsafe to master December 16, 2020 09:08
@butonic butonic force-pushed the share-permissions-and-resource-permissions branch from 79a0ae9 to 3855e0e Compare December 16, 2020 11:09
@butonic butonic marked this pull request as ready for review December 16, 2020 11:32
@butonic butonic changed the title [WIP] Enhancement: calculate and expose actual file permission set Enhancement: calculate and expose actual file permission set Dec 16, 2020
labkode
labkode previously approved these changes Dec 16, 2020
@labkode
Copy link
Member

labkode commented Dec 16, 2020

@butonic looks good to me. We'll take care of the EOS implementation. There is a conflict to be resolved, maybe just rebase on top of master.

@butonic
Copy link
Contributor Author

butonic commented Dec 16, 2020

@labkode looking at public links I see that we need to add permission checks and permission set filters to the publicstorageprovider.go from @refs because in the case of public shares ... the storage providers currently cannot determine the permissions ... because only the publicshare manager persists them.

We could implement a publicshare manager that persists shares in the storage ... which would be trivial for ocis. I asume you could persist additional metadata like expiry etc in eos as well ... the question is where should the code live that limits the cs3 permissions set to what the currently logged in user is allowed to do?

We should let the underlying storage system handle as many permission checks as possible, which is would allow a tight eos integration. On the other hand permissions for public links need to be handled in the cs3 publicstorageprovider, based on the share permissions... For the ocis driver we handle permission checks in the driver because we don't integrate with the underlying posix filesystem on purpose.

@labkode do you see my problem with the sharing responsibilities?

@butonic
Copy link
Contributor Author

butonic commented Dec 16, 2020

anyway ... this PR can go in as is

C0rby
C0rby previously approved these changes Dec 16, 2020
Copy link
Contributor

@C0rby C0rby left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome! 👍

@refs
Copy link
Member

refs commented Jan 7, 2021

bug while testing:

  1. log in as admin:admin
  2. create a folder and share it with Marie
  3. as marie: upload a file to the folder
  4. as admin: try to delete the file that Marie uploaded to the shared folder

expected: admin should be able to delete the file as she is the owner of the shared folder
got: admin cannot delete file uploaded to shared folder

@butonic
Copy link
Contributor Author

butonic commented Jan 7, 2021

  • moving a file into a shared folder fails with 400
2021-01-07T14:56:58Z DBG gateway: split: parts[1]:Invoice for MBA39A4.pdf != shareFolder:Shares pkg=rgrpc service=storage traceid=5108148c26c8de8e51abc9ab1f42f74c
2021-01-07T14:56:58Z DBG gateway: split: parts[1]:Invoice for MBA39A4.pdf != shareFolder:Shares pkg=rgrpc service=storage traceid=5108148c26c8de8e51abc9ab1f42f74c
2021-01-07T14:56:58Z DBG unary code=OK end="07/Jan/2021:14:56:58 +0000" from=tcp://127.0.0.1:56288 pkg=rgrpc service=storage start="07/Jan/2021:14:56:58 +0000" time_ns=268600 traceid=5108148c26c8de8e51abc9ab1f42f74c uri=/cs3.gateway.v1beta1.GatewayAPI/Move user-agent=grpc-go/1.26.0
2021-01-07T14:56:58Z DBG bad request dst="/home/Shares/Neuer Ordner/Invoice for MBA39A4.pdf" pkg=rhttp service=storage src="/home/Invoice for MBA39A4.pdf" status={"code":4,"message":"gateway: move:error: bad request: gateway: move called on unknown path: /home/Invoice for MBA39A4.pdf","trace":"5108148c26c8de8e51abc9ab1f42f74c"} traceid=5108148c26c8de8e51abc9ab1f42f74c
2021-01-07T14:56:58Z WRN http end="07/Jan/2021:14:56:58 +0000" host=127.0.0.1 method=MOVE pkg=rhttp proto=HTTP/1.1 service=storage size=0 start="07/Jan/2021:14:56:58 +0000" status=400 time_ns=39223900 traceid=5108148c26c8de8e51abc9ab1f42f74c uri=/remote.php/webdav/Invoice%20for%20MBA39A4.pdf url=/remote.php/webdav/Invoice%20for%20MBA39A4.pdf

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
@butonic butonic force-pushed the share-permissions-and-resource-permissions branch from 763de06 to 074d616 Compare January 7, 2021 15:42
@lgtm-com
Copy link

lgtm-com bot commented Jan 7, 2021

This pull request introduces 1 alert when merging 074d616 into 23e52dc - view on LGTM.com

new alerts:

  • 1 for Useless assignment to local variable

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
@butonic
Copy link
Contributor Author

butonic commented Jan 7, 2021

now at 200+ fixed features:

61 | .../expected-failures-on-EOS-storage.txt           \|   8 ---
62 | .../expected-failures-on-OCIS-storage.txt          \| 176 ---------
63 | .../expected-failures-on-OWNCLOUD-storage.txt      \|  47 +--

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
@butonic butonic force-pushed the share-permissions-and-resource-permissions branch from d367114 to c69f470 Compare January 7, 2021 20:10
phil-davis
phil-davis previously approved these changes Jan 8, 2021
Copy link
Contributor

@phil-davis phil-davis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, the permissions are much better than before. IMO after merging this, people can work on more of the "ToDo"

@butonic
Copy link
Contributor Author

butonic commented Jan 8, 2021

Copy link
Contributor

@ishank011 ishank011 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can merge this. I'll add the ACL traversal for eos. Since we don't really have permissions support for localfs, we can just let it be.

// files never have the create container permission
if md.Type == provider.ResourceType_RESOURCE_TYPE_FILE && md.PermissionSet != nil {
// we need to copy the permission set in case it was reused when passing it in while listing a collection
md.PermissionSet = copyPermissionSet(md.PermissionSet)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we're assigning the permissions to the same variable, we do lose the original value. Why are we making a separate copy then?

Copy link
Contributor Author

@butonic butonic Jan 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PermissionSet is a struct which is passed by reference. There are code paths that will change the PermissionSet for files, because they never have delete or create permission IIRC. When listing a folder this would change the default PermissionSet and folders that are rendered after a file would retain the changed default. 💥

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes but this particular function is called only from one place and we're forgetting the original reference (since we're storing the returned struct there) so essentially there's no way to get that back.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, you are right ... I tried cleaning the permissions and roles stuff up. I think I was confusing this with the storage drivers ...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

all tests green!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perfect!

@labkode
Copy link
Member

labkode commented Jan 8, 2021

About the EOS ACLs, EOS is different to local/ocis filesystems, EOS does not do ACL traversal, ACLs are examined on the node (not from parents). It is possible in EOS to not have any permissions on /a/b/ but have on /a/b/c.

This change in respect to UNIX is one of the design choices to reach high scalability.

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants