Skip to content

Commit

Permalink
add option to enforce passwords on public links (#3698)
Browse files Browse the repository at this point in the history
  • Loading branch information
David Christofas authored Mar 6, 2023
1 parent 3de7ec1 commit 24f11f3
Show file tree
Hide file tree
Showing 5 changed files with 48 additions and 10 deletions.
5 changes: 5 additions & 0 deletions changelog/unreleased/public-link-password.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
Enhancement: Add config option to enforce passwords on public links

Added a new config option to enforce passwords on public links with "Uploader, Editor, Contributor" roles.

https://github.com/cs3org/reva/pull/3698
18 changes: 11 additions & 7 deletions internal/grpc/services/gateway/publicshareprovider.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,9 @@ func (s *svc) CreatePublicShare(ctx context.Context, req *link.CreatePublicShare
return nil, err
}

s.statCache.RemoveStat(ctxpkg.ContextMustGetUser(ctx).GetId(), res.Share.ResourceId)
if res.GetShare() != nil {
s.statCache.RemoveStat(ctxpkg.ContextMustGetUser(ctx).GetId(), res.Share.ResourceId)
}
return res, nil
}

Expand Down Expand Up @@ -139,11 +141,13 @@ func (s *svc) UpdatePublicShare(ctx context.Context, req *link.UpdatePublicShare
if err != nil {
return nil, errors.Wrap(err, "error updating share")
}
s.statCache.RemoveStat(
&userprovider.UserId{
OpaqueId: res.Share.Owner.GetOpaqueId(),
},
res.Share.ResourceId,
)
if res.GetShare() != nil {
s.statCache.RemoveStat(
&userprovider.UserId{
OpaqueId: res.Share.Owner.GetOpaqueId(),
},
res.Share.ResourceId,
)
}
return res, nil
}
23 changes: 20 additions & 3 deletions internal/grpc/services/publicshareprovider/publicshareprovider.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,9 +40,10 @@ func init() {
}

type config struct {
Driver string `mapstructure:"driver"`
Drivers map[string]map[string]interface{} `mapstructure:"drivers"`
AllowedPathsForShares []string `mapstructure:"allowed_paths_for_shares"`
Driver string `mapstructure:"driver"`
Drivers map[string]map[string]interface{} `mapstructure:"drivers"`
AllowedPathsForShares []string `mapstructure:"allowed_paths_for_shares"`
WriteableShareMustHavePassword bool `mapstructure:"writeable_share_must_have_password"`
}

func (c *config) init() {
Expand Down Expand Up @@ -140,6 +141,14 @@ func (s *service) CreatePublicShare(ctx context.Context, req *link.CreatePublicS
}, nil
}

grant := req.GetGrant()
if grant != nil && s.conf.WriteableShareMustHavePassword &&
publicshare.IsWriteable(grant) && grant.Password == "" {
return &link.CreatePublicShareResponse{
Status: status.NewInvalid(ctx, "writeable shares must have a password protection"),
}, nil
}

u, ok := ctxpkg.ContextGetUser(ctx)
if !ok {
log.Error().Msg("error getting user from context")
Expand Down Expand Up @@ -244,6 +253,14 @@ func (s *service) UpdatePublicShare(ctx context.Context, req *link.UpdatePublicS
log := appctx.GetLogger(ctx)
log.Info().Str("publicshareprovider", "update").Msg("update public share")

grant := req.GetUpdate().GetGrant()
if grant != nil && s.conf.WriteableShareMustHavePassword &&
publicshare.IsWriteable(grant) && grant.Password == "" {
return &link.UpdatePublicShareResponse{
Status: status.NewInvalid(ctx, "writeable shares must have a password protection"),
}, nil
}

u, ok := ctxpkg.ContextGetUser(ctx)
if !ok {
log.Error().Msg("error getting user from context")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -470,6 +470,11 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar
response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "Error sending update request to public link provider", err)
return
}
if uRes.Status.Code != rpc.Code_CODE_OK {
log.Debug().Str("shareID", shareID).Msgf("sending update request to public link provider failed: %s", uRes.Status.Message)
response.WriteOCSError(w, r, response.MetaServerError.StatusCode, fmt.Sprintf("Error sending update request to public link provider: %s", uRes.Status.Message), nil)
return
}
}
publicShare = uRes.Share
} else if !updatesFound {
Expand Down
7 changes: 7 additions & 0 deletions pkg/publicshare/publicshare.go
Original file line number Diff line number Diff line change
Expand Up @@ -211,3 +211,10 @@ func Authenticate(share *link.PublicShare, pw string, auth *link.PublicShareAuth
func IsCreatedByUser(share link.PublicShare, user *user.User) bool {
return utils.UserEqual(user.Id, share.Owner) || utils.UserEqual(user.Id, share.Creator)
}

// IsWriteable checks if the grant for a publicshare allows writes or uploads.
func IsWriteable(g *link.Grant) bool {
p := g.Permissions.Permissions
return p.CreateContainer || p.Delete || p.InitiateFileUpload ||
p.Move || p.AddGrant || p.PurgeRecycle || p.RestoreFileVersion || p.RestoreRecycleItem
}

0 comments on commit 24f11f3

Please sign in to comment.