From a09426bf3f1420d6c7b2e55aca6a14c8443763d9 Mon Sep 17 00:00:00 2001 From: Roman Perekhod Date: Wed, 1 May 2024 16:56:18 +0200 Subject: [PATCH] Replacement for TokenInfo endpoint --- .../tokenInfo-endpoint-replacement.md | 12 ++++ internal/http/services/owncloud/ocdav/dav.go | 62 +++++++++++++++++++ .../owncloud/ocdav/ocdav_blackbox_test.go | 4 ++ 3 files changed, 78 insertions(+) create mode 100644 changelog/unreleased/tokenInfo-endpoint-replacement.md diff --git a/changelog/unreleased/tokenInfo-endpoint-replacement.md b/changelog/unreleased/tokenInfo-endpoint-replacement.md new file mode 100644 index 0000000000..b62beb45c1 --- /dev/null +++ b/changelog/unreleased/tokenInfo-endpoint-replacement.md @@ -0,0 +1,12 @@ +Enhancement: Allow to resolve public shares without the ocs tokeninfo endpoint + + +Instead of querying the /v1.php/apps/files_sharing/api/v1/tokeninfo/ endpoint, a client can now resolve public and internal links by sending a PROPFIND request to /dav/public-files/{sharetoken} + +* authenticated clients accessing an internal link are redirected to the "real" resource (`/dav/spaces/{target-resource-id} +* authenticated clients are able to resolve public links like before. For password protected links they need to supply the password even if they have access to the underlying resource by other means. +* unauthenticated clients accessing an internal link get a 401 returned with WWW-Authenticate set to Bearer (so that the client knows that it need to get a token via the IDP login page. +* unauthenticated clients accessing a password protected link get a 401 returned with an error message to indicate the requirement for needing the link's password. + +https://github.com/cs3org/reva/pull/4653 +https://github.com/owncloud/ocis/issues/8858 diff --git a/internal/http/services/owncloud/ocdav/dav.go b/internal/http/services/owncloud/ocdav/dav.go index 5c5b6e258b..d6234f1508 100644 --- a/internal/http/services/owncloud/ocdav/dav.go +++ b/internal/http/services/owncloud/ocdav/dav.go @@ -20,6 +20,7 @@ package ocdav import ( "context" + "fmt" "net/http" "path" "path/filepath" @@ -28,6 +29,7 @@ import ( gatewayv1beta1 "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1" userv1beta1 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1" + link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" "github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/config" "github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/errors" @@ -36,12 +38,18 @@ import ( ctxpkg "github.com/cs3org/reva/v2/pkg/ctx" "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool" "github.com/cs3org/reva/v2/pkg/rhttp/router" + "github.com/cs3org/reva/v2/pkg/storage/utils/grants" + "github.com/cs3org/reva/v2/pkg/storagespace" "github.com/cs3org/reva/v2/pkg/utils" + "go.opentelemetry.io/otel/trace" "google.golang.org/grpc/metadata" ) const ( _trashbinPath = "trash-bin" + + // WwwAuthenticate captures the Www-Authenticate header string. + WwwAuthenticate = "Www-Authenticate" ) // DavHandler routes to the different sub handlers @@ -248,6 +256,39 @@ func (h *DavHandler) Handler(s *svc) http.Handler { var hasValidBasicAuthHeader bool var pass string var err error + // If user is authenticated + _, userExists := ctxpkg.ContextGetUser(ctx) + if userExists { + client, err := s.gatewaySelector.Next() + if err != nil { + log.Error().Err(err).Msg("error sending grpc stat request") + w.WriteHeader(http.StatusInternalServerError) + return + } + psRes, err := client.GetPublicShare(ctx, &link.GetPublicShareRequest{ + Ref: &link.PublicShareReference{ + Spec: &link.PublicShareReference_Token{ + Token: token, + }, + }}) + if err != nil && !strings.Contains(err.Error(), "core access token not found") { + log.Error().Err(err).Msg("error sending grpc stat request") + w.WriteHeader(http.StatusInternalServerError) + return + } + // If the link is internal then 307 redirect + if psRes.Status.Code == rpc.Code_CODE_OK && grants.PermissionsEqual(psRes.Share.Permissions.GetPermissions(), &provider.ResourcePermissions{}) { + if psRes.GetShare().GetResourceId() != nil { + rUrl := path.Join("/dav/spaces", storagespace.FormatResourceID(*psRes.GetShare().GetResourceId())) + http.Redirect(w, r, rUrl, http.StatusTemporaryRedirect) + return + } + log.Debug().Str("token", token).Interface("status", res.Status).Msg("resource id not found") + w.WriteHeader(http.StatusNotFound) + return + } + } + if _, pass, hasValidBasicAuthHeader = r.BasicAuth(); hasValidBasicAuthHeader { res, err = handleBasicAuth(r.Context(), s.gatewaySelector, token, pass) } else { @@ -286,6 +327,17 @@ func (h *DavHandler) Handler(s *svc) http.Handler { return } + if userExists { + // Build new context without an authenticated user. + // the public link should be resolved by the 'publicshares' authenticated user + baseURI := ctx.Value(net.CtxKeyBaseURI).(string) + logger := appctx.GetLogger(ctx) + span := trace.SpanFromContext(ctx) + span.End() + ctx = trace.ContextWithSpan(context.Background(), span) + ctx = appctx.WithLogger(ctx, logger) + ctx = context.WithValue(ctx, net.CtxKeyBaseURI, baseURI) + } ctx = ctxpkg.ContextSetToken(ctx, res.Token) ctx = ctxpkg.ContextSetUser(ctx, res.User) ctx = metadata.AppendToOutgoingContext(ctx, ctxpkg.TokenHeader, res.Token) @@ -301,6 +353,16 @@ func (h *DavHandler) Handler(s *svc) http.Handler { return case sRes.Status.Code == rpc.Code_CODE_PERMISSION_DENIED: fallthrough + case sRes.Status.Code == rpc.Code_CODE_OK && grants.PermissionsEqual(sRes.GetInfo().GetPermissionSet(), &provider.ResourcePermissions{}): + // If the link is internal + if !userExists { + w.Header().Add(WwwAuthenticate, fmt.Sprintf("Bearer realm=\"%s\", charset=\"UTF-8\"", r.Host)) + w.WriteHeader(http.StatusUnauthorized) + b, err := errors.Marshal(http.StatusUnauthorized, "No 'Authorization: Bearer' header found", "") + errors.HandleWebdavError(log, w, b, err) + return + } + fallthrough case sRes.Status.Code == rpc.Code_CODE_NOT_FOUND: log.Debug().Str("token", token).Interface("status", res.Status).Msg("resource not found") w.WriteHeader(http.StatusNotFound) // log the difference diff --git a/internal/http/services/owncloud/ocdav/ocdav_blackbox_test.go b/internal/http/services/owncloud/ocdav/ocdav_blackbox_test.go index 5c15d41446..008f3ebd80 100644 --- a/internal/http/services/owncloud/ocdav/ocdav_blackbox_test.go +++ b/internal/http/services/owncloud/ocdav/ocdav_blackbox_test.go @@ -30,6 +30,7 @@ import ( gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1" cs3user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" cs3rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1" + link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1" cs3storageprovider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" cs3types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" "github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav" @@ -180,6 +181,9 @@ var _ = Describe("ocdav", func() { }, } + client.On("GetPublicShare", mock.Anything, mock.Anything).Return(&link.GetPublicShareResponse{ + Status: status.NewNotFound(ctx, "not found")}, + nil) client.On("GetUser", mock.Anything, mock.Anything).Return(&cs3user.GetUserResponse{ Status: status.NewNotFound(ctx, "not found"), }, nil)