Member in a group cannot see the share which has been shared with the group #1831

Closed
jasson99 opened this issue Jun 28, 2021 · 15 comments

@jasson99
Contributor

Description:

When a sharer shares a file with a group, the user in the group cannot find the share in the list of pending shares, or the shares in any state.

Steps to reproduce:

  1. Create users Alice and Brian
  2. Add user Brian to group grp1
  3. As user Alice, share a file textfile0.txt with group grp1
  4. As user Alice, get all the shares shared by the user as follows:
curl -X GET http://localhost:20080/ocs/v1.php/apps/files_sharing/api/v1/shares -H OCS_APIREQUEST=true -u Alice:123456 | xmllint --format -


<ocs>
  <meta>
    <status>ok</status>
    <statuscode>100</statuscode>
    <message>OK</message>
  </meta>
  <data>
    <element>
      <id>8</id>
      <share_type>1</share_type>
      <uid_owner>Alice</uid_owner>
      <displayname_owner>Alice Hansen</displayname_owner>
      <additional_info_owner>alice@example.org</additional_info_owner>
      <permissions>19</permissions>
      <stime>1624869903</stime>
      <parent/>
      <expiration/>
      <token/>
      <uid_file_owner>Alice</uid_file_owner>
      <displayname_file_owner>Alice Hansen</displayname_file_owner>
      <additional_info_file_owner>alice@example.org</additional_info_file_owner>
      <state>0</state>
      <path>/textfile0.txt</path>
      <item_type>file</item_type>
      <mimetype>text/plain</mimetype>
      <storage_id>123e4567-e89b-12d3-a456-426655440000!0cfb1e45-2623-4ccf-be1b-d9f0075ae5d3</storage_id>
      <storage>0</storage>
      <item_source>MTIzZTQ1NjctZTg5Yi0xMmQzLWE0NTYtNDI2NjU1NDQwMDAwOjBjZmIxZTQ1LTI2MjMtNGNjZi1iZTFiLWQ5ZjAwNzVhZTVkMw==</item_source>
      <file_source>MTIzZTQ1NjctZTg5Yi0xMmQzLWE0NTYtNDI2NjU1NDQwMDAwOjBjZmIxZTQ1LTI2MjMtNGNjZi1iZTFiLWQ5ZjAwNzVhZTVkMw==</file_source>
      <file_parent/>
      <file_target>/textfile0.txt</file_target>
      <share_with>grp1</share_with>
      <share_with_displayname>grp1</share_with_displayname>
      <share_with_additional_info/>
      <mail_send>0</mail_send>
      <name/>
    </element>
  </data>
</ocs>

  5. As user Brian, get all the shares shared with the user:
curl -X GET http://localhost:20080/ocs/v1.php/apps/files_sharing/api/v1/shares\?format\=json\&shared_with_me\=true\&state\=all -H OCS_APIREQUEST=true -u Brian:1234 -v;

 HTTP/1.1 200 OK
{"ocs":{"meta":{"status":"ok","statuscode":100,"message":"OK"},"data":[]}}%    
@jasson99
Contributor Author

This might be related to #1769

@labkode
Member

labkode commented Jun 28, 2021

@jasson99 is this expected?
As I'm the owner of the share, I don't see a reason why it should appear in the "Shared with me"?

@jasson99
Contributor Author

> @jasson99 is this expected?
> As I'm the owner of the share, I don't see a reason why it should appear in the "Shared with me"?

It is expected that the share receiver gets the shares in "shared with me". Brian is the expected share receiver in the above case. Alice has shared the file with group grp1 and Brian is in the group grp1.

@phil-davis
Contributor

@jasson99 what happens in oC10 core?

@jasson99
Contributor Author

jasson99 commented Jun 28, 2021

> @jasson99 what happens in oC10 core?

curl -X GET http://localhost/oc/ocs/v1.php/apps/files_sharing/api/v1/shares\?format\=json\&shared_with_me\=true\&state\=all -u Brian:1234 -v;

{"ocs":{"meta":{"status":"ok","statuscode":100,"message":null,"totalitems":"","itemsperpage":""},"data":[{"id":"95","share_type":1,"uid_owner":"Alice","displayname_owner":"Alice","permissions":19,"stime":1624875397,"parent":null,"expiration":null,"token":null,"uid_file_owner":"Alice","displayname_file_owner":"Alice","additional_info_owner":null,"additional_info_file_owner":null,"state":0,"path":"\/textfile0.txt","mimetype":"text\/plain","storage_id":"shared::\/textfile0.txt","storage":48,"item_type":"file","item_source":2147537570,"file_source":2147537570,"file_parent":2147537577,"file_target":"\/textfile0.txt","share_with":"grp1","share_with_displayname":"grp1","mail_send":0,"attributes":null}]}}%

@ishank011
Contributor

@jasson99 can you check the logs to see if the group grp1 appears in the list of groups for Brian? Because we have this in prod at the moment and it works as expected.

@ishank011
Contributor

#1769 is related to the fact that we need to modify the schema for our sharing db to accommodate accepting shares as well. We didn't have the concept of accepting shares previously so there are a few nuances that need to be figured out.

@individual-it
Contributor

Maybe there is an issue in the LDAP config. @ishank011 could you have a look at https://github.com/cs3org/reva/blob/master/tests/oc-integration-tests/drone/ldap-users.toml to see if you can spot an issue?

@jasson99
Contributor Author

jasson99 commented Jun 29, 2021

My LDAP server has the following objects:

# LDIF Export for dc=owncloud,dc=com
# Server: 172.17.0.3 (172.17.0.3)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 7
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on June 29, 2021 7:20 am
# Version: 1.2.5

version: 1

# Entry 1: dc=owncloud,dc=com
dn: dc=owncloud,dc=com
dc: owncloud
o: ownCloud
objectclass: top
objectclass: dcObject
objectclass: organization

# Entry 2: cn=admin,dc=owncloud,dc=com
dn: cn=admin,dc=owncloud,dc=com
cn: admin
description: LDAP administrator
objectclass: simpleSecurityObject
objectclass: organizationalRole
userpassword: {SSHA}U6kyFappS9OMXddm+Z4aqE2MtlqKixML

# Entry 3: ou=TestGroups,dc=owncloud,dc=com
dn: ou=TestGroups,dc=owncloud,dc=com
objectclass: top
objectclass: organizationalUnit
ou: TestGroups

# Entry 4: cn=grp1,ou=TestGroups,dc=owncloud,dc=com
dn: cn=grp1,ou=TestGroups,dc=owncloud,dc=com
cn: grp1
gidnumber: 5000
memberuid: Brian
objectclass: posixGroup
objectclass: top

# Entry 5: ou=TestUsers,dc=owncloud,dc=com
dn: ou=TestUsers,dc=owncloud,dc=com
objectclass: top
objectclass: organizationalUnit
ou: TestUsers

# Entry 6: uid=Alice,ou=TestUsers,dc=owncloud,dc=com
dn: uid=Alice,ou=TestUsers,dc=owncloud,dc=com
cn: Alice
displayname: Alice Hansen
gidnumber: 5000
homedirectory: /home/openldap/Alice
mail: alice@example.org
objectclass: posixAccount
objectclass: inetOrgPerson
sn: Alice
uid: Alice
uidnumber: 30000
userpassword: 123456

# Entry 7: uid=Brian,ou=TestUsers,dc=owncloud,dc=com
dn: uid=Brian,ou=TestUsers,dc=owncloud,dc=com
cn: Brian
displayname: Brian Murphy
gidnumber: 5000
homedirectory: /home/openldap/Brian
mail: brian@example.org
objectclass: posixAccount
objectclass: inetOrgPerson
sn: Brian
uid: Brian
uidnumber: 30001
userpassword: 1234

I am running using this config file: https://github.com/cs3org/reva/blob/master/tests/oc-integration-tests/local/ldap-users.toml.
While querying the groups using the API, I get an empty result, i.e. no groups are returned.

curl -X GET http://localhost:20080/ocs/v1.php/cloud/groups -u Brian:1234 -v;     
< HTTP/1.1 200 OK

<ocs><meta><status>error</status><statuscode>998</statuscode><message>Not found</message></meta></ocs>%   
curl -X GET http://localhost:20080/ocs/v1.php/cloud/users/Brian/groups -u Brian:1234 -v;
< HTTP/1.1 200 OK
<ocs><meta><status>ok</status><statuscode>100</statuscode><message>OK</message></meta><data><groups></groups></data></ocs>%  

I am especially confused by this line: https://github.com/cs3org/reva/blob/master/tests/oc-integration-tests/local/ldap-users.toml#L56 as mail has been used for the group filter. But the group does not have a mail property in my case.

@ishank011
Contributor

@jasson99 @individual-it https://github.com/cs3org/reva/blob/master/tests/oc-integration-tests/local/ldap-users.toml#L37 is what needs to be fixed. For a given user, we use this filter to retrieve the list of their groups, and we're searching for posix groups using the user's OpaqueId, which doesn't work.

We need to use the memberof overlay as described here https://github.com/owncloud/ocis/blob/master/storage/pkg/flagset/ldap.go#L66-L67

@ishank011
Contributor

@jasson99 can you try setting groupfilter (https://github.com/cs3org/reva/blob/master/tests/oc-integration-tests/local/ldap-users.toml#L37) to (&(objectclass=posixGroup)(cn=*)(memberuid={{.Username}}))?

@jasson99
Contributor Author

2021-06-30 09:44:52.77 ERR ../../../internal/grpc/interceptors/recovery/recovery.go:50 > template: gf:1:45: executing "gf" at <.Username>: can't evaluate field Username in type *userv1beta1.UserId
error executing group template: userid:idp:"http://localhost:18000" opaque_id:"Alice" 
github.com/cs3org/reva/pkg/user/manager/ldap.(*manager).getGroupFilter
	/home/jasminebaral/www/jankaritech-reva/reva/pkg/user/manager/ldap/ldap.go:401
github.com/cs3org/reva/pkg/user/manager/ldap.(*manager).GetUserGroups
	/home/jasminebaral/www/jankaritech-reva/reva/pkg/user/manager/ldap/ldap.go:358
github.com/cs3org/reva/internal/grpc/services/userprovider.(*service).GetUserGroups
	/home/jasminebaral/www/jankaritech-reva/reva/internal/grpc/services/userprovider/userprovider.go:162
github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1._UserAPI_GetUserGroups_Handler.func1
	/home/jasminebaral/go/pkg/mod/github.com/cs3org/go-cs3apis@v0.0.0-20210614143420-5ee2eb1e7887/cs3/identity/user/v1beta1/user_api.pb.go:690
github.com/cs3org/reva/internal/grpc/interceptors/auth.NewUnary.func1
	/home/jasminebaral/www/jankaritech-reva/reva/internal/grpc/interceptors/auth/auth.go:106
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1
	/home/jasminebaral/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/chain.go:25
github.com/grpc-ecosystem/go-grpc-middleware/recovery.UnaryServerInterceptor.func1
	/home/jasminebaral/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/recovery/interceptors.go:33
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1
	/home/jasminebaral/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/chain.go:25
github.com/cs3org/reva/internal/grpc/interceptors/log.NewUnary.func1
	/home/jasminebaral/www/jankaritech-reva/reva/internal/grpc/interceptors/log/log.go:39
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1
	/home/jasminebaral/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/chain.go:25
github.com/cs3org/reva/internal/grpc/interceptors/token.NewUnary.func1
	/home/jasminebaral/www/jankaritech-reva/reva/internal/grpc/interceptors/token/token.go:44
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1
	/home/jasminebaral/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/chain.go:25
github.com/cs3org/reva/internal/grpc/interceptors/appctx.NewUnary.func1
	/home/jasminebaral/www/jankaritech-reva/reva/internal/grpc/interceptors/appctx/appctx.go:36
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1
	/home/jasminebaral/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/chain.go:25
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1
	/home/jasminebaral/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/chain.go:34
github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1._UserAPI_GetUserGroups_Handler
	/home/jasminebaral/go/pkg/mod/github.com/cs3org/go-cs3apis@v0.0.0-20210614143420-5ee2eb1e7887/cs3/identity/user/v1beta1/user_api.pb.go:692
google.golang.org/grpc.(*Server).processUnaryRPC
	/home/jasminebaral/go/pkg/mod/google.golang.org/grpc@v1.26.0/server.go:1024
google.golang.org/grpc.(*Server).handleStream
	/home/jasminebaral/go/pkg/mod/google.golang.org/grpc@v1.26.0/server.go:1313
google.golang.org/grpc.(*Server).serveStreams.func1.1
	/home/jasminebaral/go/pkg/mod/google.golang.org/grpc@v1.26.0/server.go:722
runtime.goexit

I get this error in reva logs when I adjust the line 37: https://github.com/cs3org/reva/blob/master/tests/oc-integration-tests/local/ldap-users.toml#L37 to (&(objectclass=posixGroup)(cn=*)(memberuid={{.Username}}))

@ishank011
Contributor

ishank011 commented Jul 9, 2021

My bad. The template is applied to UserId not User. (&(objectclass=posixGroup)(cn=*)(memberuid={{.OpaqueId}})) should work. Can you try that @jasson99?

@jasson99
Contributor Author

Sure. Thank you.

@phil-davis
Contributor

That works really well. Lots of scenarios start passing in PR #1881 where the CI settings are adjusted.
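
The template failure and fix from this thread, reproduced as an added example (not reva's own code, and not posted by any participant): the group filter is rendered with Go's text/template against a user ID that only has Idp and OpaqueId fields, so {{.Username}} returns an error while {{.OpaqueId}} renders. The UserID struct, RenderGroupFilter and the RFC 4515 escaping of the substituted value are assumptions of this example.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// UserID is a local stand-in (assumption) for the two fields of the CS3
// userv1beta1.UserId message visible in the log line: idp and opaque_id.
type UserID struct {
	Idp      string
	OpaqueId string
}

// ldapEscaper escapes the characters RFC 4515 reserves inside a filter value.
var ldapEscaper = strings.NewReplacer(
	`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`,
)

// RenderGroupFilter executes a groupfilter template against a user ID and
// returns an error (rather than panicking) when the template names a field
// that the type does not have.
func RenderGroupFilter(filter string, uid UserID) (string, error) {
	tmpl, err := template.New("gf").Parse(filter)
	if err != nil {
		return "", fmt.Errorf("parsing group filter: %w", err)
	}
	// Escape a copy, so the substituted value cannot alter the filter structure.
	safe := &UserID{Idp: ldapEscaper.Replace(uid.Idp), OpaqueId: ldapEscaper.Replace(uid.OpaqueId)}
	var b bytes.Buffer
	if err := tmpl.Execute(&b, safe); err != nil {
		return "", fmt.Errorf("executing group filter: %w", err)
	}
	return b.String(), nil
}

func main() {
	// Constructed sample ID, using the idp value from the log line above.
	brian := UserID{Idp: "http://localhost:18000", OpaqueId: "Brian"}
	for _, f := range []string{
		"(&(objectclass=posixGroup)(cn=*)(memberuid={{.Username}}))", // fails: no such field
		"(&(objectclass=posixGroup)(cn=*)(memberuid={{.OpaqueId}}))", // renders
	} {
		out, err := RenderGroupFilter(f, brian)
		fmt.Printf("filter=%q err=%v\n", out, err)
	}
}
```

Running a candidate groupfilter through a check like this before deploying it surfaces a wrong field name as a configuration error instead of a runtime failure on the first group lookup.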
