fix token scope authentication (#2612)
David Christofas authored Mar 3, 2022
1 parent 22ecdf7 commit 87bfb8d
Showing 3 changed files with 31 additions and 5 deletions.
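--- a/changelog/unreleased/scope-handling-spaces.md
+++ b/changelog/unreleased/scope-handling-spaces.md
@@ -0,0 +1,5 @@
+Bugfix: Adjust the scope handling to support the spaces architecture
+
+The scope authentication interceptors weren't updated to the spaces architecture and couldn't authenticate some requests.
+
+https://github.com/cs3org/reva/pull/2612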
29 changes: 24 additions & 5 deletions internal/grpc/interceptors/auth/scope.go
Expand Up @@ -182,7 +182,7 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent
parentPath := statResponse.Info.Path

childPath := ref.GetPath()
if childPath == "" {
if childPath == "" || childPath == "." {
// We mint a token as the owner of the public share and try to stat the reference
// TODO(ishank011): We need to find a better alternative to this

Expand All @@ -201,14 +201,14 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent
}
ctx = metadata.AppendToOutgoingContext(context.Background(), ctxpkg.TokenHeader, token)

childStat, err := client.Stat(ctx, &provider.StatRequest{Ref: ref})
gpRes, err := client.GetPath(ctx, &provider.GetPathRequest{ResourceId: ref.ResourceId})
if err != nil {
return false, err
}
if childStat.Status.Code != rpc.Code_CODE_OK {
return false, statuspkg.NewErrorFromCode(childStat.Status.Code, "auth interceptor")
if gpRes.Status.Code != rpc.Code_CODE_OK {
return false, statuspkg.NewErrorFromCode(gpRes.Status.Code, "auth interceptor")
}
childPath = statResponse.Info.Path
childPath = gpRes.Path
}

return strings.HasPrefix(childPath, parentPath), nil
Expand All @@ -219,6 +219,25 @@ func extractRef(req interface{}, hasEditorRole bool) (*provider.Reference, bool)
// Read requests
case *registry.GetStorageProvidersRequest:
return v.GetRef(), true
case *registry.ListStorageProvidersRequest:
ref := &provider.Reference{}
if v.Opaque != nil && v.Opaque.Map != nil {
if e, ok := v.Opaque.Map["storage_id"]; ok {
ref.ResourceId = &provider.ResourceId{
StorageId: string(e.Value),
}
}
if e, ok := v.Opaque.Map["opaque_id"]; ok {
if ref.ResourceId == nil {
ref.ResourceId = &provider.ResourceId{}
}
ref.ResourceId.OpaqueId = string(e.Value)
}
if e, ok := v.Opaque.Map["path"]; ok {
ref.Path = string(e.Value)
}
}
return ref, true
case *provider.StatRequest:
return v.GetRef(), true
case *provider.ListContainerRequest:
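Review bot: The containment decision at the end of checkIfNestedResource is a raw string-prefix test, `strings.HasPrefix(childPath, parentPath)`, so (constructed example) a child `/share/docs-private` is accepted for a parent `/share/docs`; now that childPath is taken from `gpRes.Path`, this one line is the whole scope decision for id-based references and should compare on a path-segment boundary. Suggested: `parent := strings.TrimSuffix(parentPath, "/")` followed by `return childPath == parent || strings.HasPrefix(childPath, parent+"/"), nil`. Separately, only `""` and `"."` trigger the GetPath lookup, so a reference carrying a ResourceId plus a relative path such as `./sub` appears to be compared unresolved against parentPath; that fails closed if parentPath is absolute, but it deserves a comment or a test. Using `ref.GetResourceId()` and `gpRes.GetStatus().GetCode()` would also keep this branch nil-safe. The function starts outside the hunk, so the exact form of parentPath (trailing slash, normalisation) should be confirmed before applying the change.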
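--- a/pkg/auth/scope/publicshare.go
+++ b/pkg/auth/scope/publicshare.go
@@ -108,6 +108,8 @@ func publicshareScope(ctx context.Context, scope *authpb.Scope, resource interfa
 
 case *userv1beta1.GetUserByClaimRequest:
 return true, nil
+case *userv1beta1.GetUserRequest:
+return true, nil
 
 case *provider.ListStorageSpacesRequest:
 return checkPublicListStorageSpacesFilter(v.Filters), nil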
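Review bot: The new `case *userv1beta1.GetUserRequest: return true, nil` lets every public-share-scoped token look up any user, with no check that the requested user has anything to do with the share. If the lookup is only needed to resolve the share's owner or creator, the case should compare the request's user id against the share carried in `scope` and return false otherwise. If the broad grant is intentional, record that in a comment such as `// public link tokens may resolve any user: required by <caller>; exposes user metadata to anonymous link holders`. The neighbouring GetUserByClaimRequest case has the same shape and would benefit from the same treatment. publicshareScope begins and ends outside this hunk, so whether the share is already decoded before the switch cannot be seen here.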
