From 01d1c62b3fb298425ece12bbed0ebcc1a49a7ebc Mon Sep 17 00:00:00 2001
From: David Christofas
Date: Thu, 16 Feb 2023 17:19:04 +0100
Subject: [PATCH] remove expired spaces grants on access (#3655)
---
 .../unreleased/space-member-expiration.md | 1 +
 pkg/storage/utils/decomposedfs/spaces.go | 24 ++++++++++++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/changelog/unreleased/space-member-expiration.md b/changelog/unreleased/space-member-expiration.md
index 2edbe964e1..f4130f14d7 100644
--- a/changelog/unreleased/space-member-expiration.md
+++ b/changelog/unreleased/space-member-expiration.md
@@ -2,4 +2,5 @@ Enhancement: Add expiration date to space memberships
 Added an optional expiration date to space memberships to restrict the access in time.
+https://github.com/cs3org/reva/pull/3655
 https://github.com/cs3org/reva/pull/3628
diff --git a/pkg/storage/utils/decomposedfs/spaces.go b/pkg/storage/utils/decomposedfs/spaces.go
index cd9dcf8a73..bd56956f39 100644
--- a/pkg/storage/utils/decomposedfs/spaces.go
+++ b/pkg/storage/utils/decomposedfs/spaces.go
@@ -723,10 +723,25 @@ func (fs *Decomposedfs) storageSpaceFromNode(ctx context.Context, n *node.Node,
 continue
 }
- grantMap[id] = g.Permissions
 if g.Expiration != nil {
+ // We are doing this check here because we want to remove expired grants "on access".
+ // This way we don't have to have a cron job checking the grants in regular intervals.
+ // The tradeof obviously is that this code is here.
+ if isGrantExpired(g) {
+ err := fs.RemoveGrant(ctx, &provider.Reference{
+ ResourceId: &provider.ResourceId{
+ SpaceId: n.SpaceRoot.SpaceID,
+ OpaqueId: n.ID},
+ }, g)
+ appctx.GetLogger(ctx).Error().Err(err).
+ Str("space", n.SpaceRoot.ID).
+ Str("grantee", id).
+ Msg("failed to remove expired space grant")
+ continue
+ }
 grantExpiration[id] = g.Expiration
 }
+ grantMap[id] = g.Permissions
 }
 grantMapJSON, err := json.Marshal(grantMap)
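Review bot: The `Error()` log that follows `fs.RemoveGrant` runs unconditionally, so every successful cleanup is recorded as "failed to remove expired space grant" with a nil error; guard it with `if err != nil {` … `}` so that real removal failures are not buried among false ones. When removal does fail, the `continue` hides the grant from this listing but the grant stays persisted, and this hunk does not show whether the permission checks elsewhere also honour `g.Expiration`. That is worth confirming, since RemoveGrant presumably runs with the permissions of whichever user triggered the read and may be refused for an ordinary member. The log also identifies the space with `n.SpaceRoot.ID` while the reference is built from `n.SpaceRoot.SpaceID`; use the same field in both places. The enclosing function storageSpaceFromNode starts and ends outside the hunk.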
@@ -881,3 +896,10 @@ func mapHasKey(checkMap map[string]string, keys ...string) bool {
 }
 return false
 }
+
+func isGrantExpired(g *provider.Grant) bool {
+ if g.Expiration == nil {
+ return false
+ }
+ return time.Now().After(time.Unix(int64(g.Expiration.Seconds), int64(g.Expiration.Nanos)))
+}
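Review bot: isGrantExpired now decides whether a grant is permanently deleted, yet it has no doc comment stating its contract and it dereferences `g` without a nil check. I would add `// isGrantExpired reports whether g has an expiration strictly before the current local time; grants without an expiration never expire.` and widen the guard to `if g == nil || g.Expiration == nil {`. The `int64(...)` casts suggest the timestamp fields are unsigned; if so, a Seconds value above the int64 range would wrap negative and an intended far-future expiration would be read as already expired, so an upper bound check before the conversion would be safer. The comparison uses the storage node's own clock via `time.Now()`, so clock skew on that host directly shifts when grants are removed, which deserves a line in the comment.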