Use permissions API in decomposedfs (#2341)

.drone.star

@@ -719,6 +719,7 @@ def litmusOcisSpacesDav():
                     "/drone/src/cmd/revad/revad -c gateway.toml &",
                     "/drone/src/cmd/revad/revad -c storage-home-ocis.toml &",
                     "/drone/src/cmd/revad/revad -c storage-users-ocis.toml &",
+                    "/drone/src/cmd/revad/revad -c permissions-ocis-ci.toml &",
                     "/drone/src/cmd/revad/revad -c users.toml",
                 ],
             },

changelog/unreleased/cs3-permissions-service.md

@@ -0,0 +1,5 @@
+Enhancement: Use CS3 permissions API
+
+Added calls to the CS3 permissions API to the decomposedfs in order to check the user permissions.
+
+https://github.com/cs3org/reva/pull/2341

cmd/revad/runtime/loader.go

@@ -38,6 +38,7 @@ import (
 	_ "github.com/cs3org/reva/pkg/ocm/invite/manager/loader"
 	_ "github.com/cs3org/reva/pkg/ocm/provider/authorizer/loader"
 	_ "github.com/cs3org/reva/pkg/ocm/share/manager/loader"
+	_ "github.com/cs3org/reva/pkg/permission/manager/loader"
 	_ "github.com/cs3org/reva/pkg/publicshare/manager/loader"
 	_ "github.com/cs3org/reva/pkg/rhttp/datatx/manager/loader"
 	_ "github.com/cs3org/reva/pkg/share/cache/loader"

go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/cheggaaa/pb v1.0.29
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/cs3org/cato v0.0.0-20200828125504-e418fc54dd5e
-	github.com/cs3org/go-cs3apis v0.0.0-20211214102047-7ce3134d7bf8
+	github.com/cs3org/go-cs3apis v0.0.0-20211214102128-4e8745ab1654
 	github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8
 	github.com/dgraph-io/ristretto v0.1.0
 	github.com/eventials/go-tus v0.0.0-20200718001131-45c7ec8f5d59

go.sum

@@ -136,8 +136,8 @@ github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cs3org/cato v0.0.0-20200828125504-e418fc54dd5e h1:tqSPWQeueWTKnJVMJffz4pz0o1WuQxJ28+5x5JgaHD8=
 github.com/cs3org/cato v0.0.0-20200828125504-e418fc54dd5e/go.mod h1:XJEZ3/EQuI3BXTp/6DUzFr850vlxq11I6satRtz0YQ4=
-github.com/cs3org/go-cs3apis v0.0.0-20211214102047-7ce3134d7bf8 h1:PqOprF37OvwCbAN5W23znknGk6N/LMayqLAeP904FHE=
-github.com/cs3org/go-cs3apis v0.0.0-20211214102047-7ce3134d7bf8/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
+github.com/cs3org/go-cs3apis v0.0.0-20211214102128-4e8745ab1654 h1:ha5tiuuFyDrwKUrVEc3TrRDFgTKVQ9NGDRmEP0PRPno=
+github.com/cs3org/go-cs3apis v0.0.0-20211214102128-4e8745ab1654/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8 h1:Z9lwXumT5ACSmJ7WGnFl+OMLLjpz5uR2fyz7dC255FI=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8/go.mod h1:4abs/jPXcmJzYoYGF91JF9Uq9s/KL5n1jvFDix8KcqY=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

internal/grpc/services/gateway/gateway.go

@@ -57,6 +57,7 @@ type config struct {
 	GroupProviderEndpoint         string `mapstructure:"groupprovidersvc"`
 	DataTxEndpoint                string `mapstructure:"datatx"`
 	DataGatewayEndpoint           string `mapstructure:"datagateway"`
+	PermissionsEndpoint           string `mapstructure:"permissionssvc"`
 	CommitShareToStorageGrant     bool   `mapstructure:"commit_share_to_storage_grant"`
 	CommitShareToStorageRef       bool   `mapstructure:"commit_share_to_storage_ref"`
 	DisableHomeCreationOnLogin    bool   `mapstructure:"disable_home_creation_on_login"`

internal/grpc/services/gateway/permissions.go

@@ -0,0 +1,39 @@
+// Copyright 2021 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package gateway
+
+import (
+	"context"
+
+	permissions "github.com/cs3org/go-cs3apis/cs3/permissions/v1beta1"
+	"github.com/cs3org/reva/pkg/rgrpc/status"
+	"github.com/cs3org/reva/pkg/rgrpc/todo/pool"
+	"github.com/pkg/errors"
+)
+
+func (s *svc) CheckPermission(ctx context.Context, req *permissions.CheckPermissionRequest) (*permissions.CheckPermissionResponse, error) {
+	c, err := pool.GetPermissionsClient(s.c.PermissionsEndpoint)
+	if err != nil {
+		err = errors.Wrap(err, "gateway: error calling GetPermissionssClient")
+		return &permissions.CheckPermissionResponse{
+			Status: status.NewInternal(ctx, err, "error getting permissions client"),
+		}, nil
+	}
+	return c.CheckPermission(ctx, req)
+}

internal/grpc/services/loader/loader.go

@@ -33,6 +33,7 @@ import (
 	_ "github.com/cs3org/reva/internal/grpc/services/ocminvitemanager"
 	_ "github.com/cs3org/reva/internal/grpc/services/ocmproviderauthorizer"
 	_ "github.com/cs3org/reva/internal/grpc/services/ocmshareprovider"
+	_ "github.com/cs3org/reva/internal/grpc/services/permissions"
 	_ "github.com/cs3org/reva/internal/grpc/services/preferences"
 	_ "github.com/cs3org/reva/internal/grpc/services/publicshareprovider"
 	_ "github.com/cs3org/reva/internal/grpc/services/publicstorageprovider"

internal/grpc/services/permissions/permissions.go

@@ -0,0 +1,104 @@
+// Copyright 2021 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package permissions
+
+import (
+	"context"
+	"fmt"
+
+	permissions "github.com/cs3org/go-cs3apis/cs3/permissions/v1beta1"
+	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
+	"github.com/cs3org/reva/pkg/permission"
+	"github.com/cs3org/reva/pkg/permission/manager/registry"
+	"github.com/cs3org/reva/pkg/rgrpc"
+	"github.com/mitchellh/mapstructure"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+)
+
+func init() {
+	rgrpc.Register("permissions", New)
+}
+
+type config struct {
+	Driver  string                            `mapstructure:"driver" docs:"localhome;The permission driver to be used."`
+	Drivers map[string]map[string]interface{} `mapstructure:"drivers" docs:"url:pkg/permission/permission.go"`
+}
+
+func parseConfig(m map[string]interface{}) (*config, error) {
+	c := &config{}
+	if err := mapstructure.Decode(m, c); err != nil {
+		err = errors.Wrap(err, "error decoding conf")
+		return nil, err
+	}
+	return c, nil
+}
+
+type service struct {
+	manager permission.Manager
+}
+
+// New returns a new PermissionsServiceServer
+func New(m map[string]interface{}, ss *grpc.Server) (rgrpc.Service, error) {
+	c, err := parseConfig(m)
+	if err != nil {
+		return nil, err
+	}
+
+	f, ok := registry.NewFuncs[c.Driver]
+	if !ok {
+		return nil, fmt.Errorf("could not get permission manager '%s'", c.Driver)
+	}
+	manager, err := f(c.Drivers[c.Driver])
+	if err != nil {
+		return nil, err
+	}
+
+	service := &service{manager: manager}
+	return service, nil
+}
+
+func (s *service) Close() error {
+	return nil
+}
+
+func (s *service) UnprotectedEndpoints() []string {
+	return []string{}
+}
+
+func (s *service) Register(ss *grpc.Server) {
+	permissions.RegisterPermissionsAPIServer(ss, s)
+}
+
+func (s *service) CheckPermission(ctx context.Context, req *permissions.CheckPermissionRequest) (*permissions.CheckPermissionResponse, error) {
+	var subject string
+	switch ref := req.SubjectRef.Spec.(type) {
+	case *permissions.SubjectReference_UserId:
+		subject = ref.UserId.OpaqueId
+	case *permissions.SubjectReference_GroupId:
+		subject = ref.GroupId.OpaqueId
+	}
+	var status *rpc.Status
+	if ok := s.manager.CheckPermission(req.Permission, subject, req.Ref); ok {
+		status = &rpc.Status{Code: rpc.Code_CODE_OK}
+	} else {
+		status = &rpc.Status{Code: rpc.Code_CODE_PERMISSION_DENIED}
+	}
+	return &permissions.CheckPermissionResponse{Status: status}, nil
+}

internal/grpc/services/storageprovider/storageprovider.go

@@ -20,7 +20,6 @@ package storageprovider
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"net/url"
 	"os"
@@ -579,19 +578,7 @@ func hasNodeID(s *provider.StorageSpace) bool {
 func (s *service) ListStorageSpaces(ctx context.Context, req *provider.ListStorageSpacesRequest) (*provider.ListStorageSpacesResponse, error) {
 	log := appctx.GetLogger(ctx)
 
-	// This is just a quick hack to get the users permission into reva.
-	// Replace this as soon as we have a proper system to check the users permissions.
-	opaque := req.Opaque
-	var permissions map[string]struct{}
-	if opaque != nil {
-		entry := opaque.Map["permissions"]
-		err := json.Unmarshal(entry.Value, &permissions)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	spaces, err := s.storage.ListStorageSpaces(ctx, req.Filters, permissions)
+	spaces, err := s.storage.ListStorageSpaces(ctx, req.Filters)
 	if err != nil {
 		var st *rpc.Status
 		switch err.(type) {

pkg/permission/manager/demo/demo.go

@@ -0,0 +1,43 @@
+// Copyright 2021 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package demo
+
+import (
+	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
+	"github.com/cs3org/reva/pkg/permission"
+	"github.com/cs3org/reva/pkg/permission/manager/registry"
+)
+
+func init() {
+	registry.Register("demo", New)
+}
+
+// New returns a new demo permission manager
+func New(c map[string]interface{}) (permission.Manager, error) {
+	return manager{}, nil
+}
+
+type manager struct {
+}
+
+func (m manager) CheckPermission(permission string, subject string, ref *provider.Reference) bool {
+	// We can currently return true all the time.
+	// Once we beginn testing roles we need to somehow check the roles of the users here
+	return true
+}

pkg/permission/manager/loader/loader.go

@@ -0,0 +1,25 @@
+// Copyright 2021 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package loader
+
+import (
+	// Load permission manager drivers
+	_ "github.com/cs3org/reva/pkg/permission/manager/demo"
+	// Add your own here
+)

pkg/permission/manager/registry/registry.go

@@ -0,0 +1,34 @@
+// Copyright 2021 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package registry
+
+import "github.com/cs3org/reva/pkg/permission"
+
+// NewFunc is the function that permission managers
+// should register at init time.
+type NewFunc func(map[string]interface{}) (permission.Manager, error)
+
+// NewFuncs is a map containing all the registered share managers.
+var NewFuncs = map[string]NewFunc{}
+
+// Register registers a new permission manager new function.
+// Not safe for concurrent use. Safe for use from package init.
+func Register(name string, f NewFunc) {
+	NewFuncs[name] = f
+}

pkg/permission/permission.go

@@ -0,0 +1,28 @@
+// Copyright 2021 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package permission
+
+import (
+	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
+)
+
+// Manager defines the interface for the permission service driver
+type Manager interface {
+	CheckPermission(permission string, subject string, ref *provider.Reference) bool
+}