[tests-only] Merge master into edge

changelog/unreleased/oidc-lw-users.md

@@ -0,0 +1,3 @@
+Enhancement: OIDC driver changes for lightweight users
+
+https://github.com/cs3org/reva/pull/2278

go.mod

@@ -27,7 +27,7 @@ require (
 	github.com/go-sql-driver/mysql v1.6.0
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.2
-	github.com/gomodule/redigo v1.8.6
+	github.com/gomodule/redigo v1.8.8
 	github.com/google/go-cmp v0.5.6
 	github.com/google/go-github v17.0.0+incompatible
 	github.com/google/go-querystring v1.1.0 // indirect
@@ -39,7 +39,7 @@ require (
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/jedib0t/go-pretty v4.3.0+incompatible
 	github.com/juliangruber/go-intersect v1.1.0
-	github.com/mattn/go-sqlite3 v1.14.10
+	github.com/mattn/go-sqlite3 v2.0.3+incompatible
 	github.com/mileusna/useragent v1.0.2
 	github.com/minio/minio-go/v7 v7.0.20
 	github.com/mitchellh/copystructure v1.2.0 // indirect

go.sum

@@ -345,8 +345,8 @@ github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/gomodule/redigo v1.8.6 h1:h7kHSqUl2kxeaQtVslsfUCPJ1oz2pxcyzLy4zezIzPw=
-github.com/gomodule/redigo v1.8.6/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0=
+github.com/gomodule/redigo v1.8.8 h1:f6cXq6RRfiyrOJEV7p3JhLDlmawGBVBBP1MggY8Mo4E=
+github.com/gomodule/redigo v1.8.8/go.mod h1:7ArFNvsTjH8GMMzB4uy1snslv2BwmginuMs06a1uzZE=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -504,8 +504,8 @@ github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp
 github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
-github.com/mattn/go-sqlite3 v1.14.10 h1:MLn+5bFRlWMGoSRmJour3CL1w/qL96mvipqpwQW/Sfk=
-github.com/mattn/go-sqlite3 v1.14.10/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
+github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U=
+github.com/mattn/go-sqlite3 v2.0.3+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-tty v0.0.3 h1:5OfyWorkyO7xP52Mq7tB36ajHDG5OHrmBGIS/DtakQI=
 github.com/mattn/go-tty v0.0.3/go.mod h1:ihxohKRERHTVzN+aSVRwACLCeqIoZAWpoICkkvrWyR0=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
@@ -664,8 +664,6 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/studio-b12/gowebdav v0.0.0-20210917133250-a3a86976a1df h1:C+J/LwTqP8gRPt1MdSzBNZP0OYuDm5wsmDKgwpLjYzo=
-github.com/studio-b12/gowebdav v0.0.0-20210917133250-a3a86976a1df/go.mod h1:gCcfDlA1Y7GqOaeEKw5l9dOGx1VLdc/HuQSlQAaZ30s=
 github.com/studio-b12/gowebdav v0.0.0-20211109083228-3f8721cd4b6f h1:L2NE7BXnSlSLoNYZ0lCwZDjdnYjCNYC71k9ClZUTFTs=
 github.com/studio-b12/gowebdav v0.0.0-20211109083228-3f8721cd4b6f/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=

internal/grpc/interceptors/auth/scope.go

@@ -120,6 +120,9 @@ func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[s
 						if utils.ResourceIDEqual(share.Share.ResourceId, ref.GetResourceId()) {
 							return nil
 						}
+						if ok, err := checkIfNestedResource(ctx, ref, share.Share.ResourceId, client, mgr); err == nil && ok {
+							return nil
+						}
 					}
 				} else if strings.HasPrefix(k, "publicshare") {
 					var share link.PublicShare

internal/grpc/services/gateway/authprovider.go

@@ -118,6 +118,8 @@ func (s *svc) Authenticate(ctx context.Context, req *gateway.AuthenticateRequest
 	ctx = ctxpkg.ContextSetToken(ctx, token)
 	ctx = ctxpkg.ContextSetUser(ctx, res.User)
 	ctx = metadata.AppendToOutgoingContext(ctx, ctxpkg.TokenHeader, token)
+
+	// TODO(ishank011): Add a cache for these
 	scope, err := s.expandScopes(ctx, res.TokenScope)
 	if err != nil {
 		err = errors.Wrap(err, "authsvc: error expanding token scope")

internal/grpc/services/gateway/storageprovider.go

@@ -35,6 +35,7 @@ import (
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	registry "github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1"
 	typesv1beta1 "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
+	"google.golang.org/grpc/codes"
 
 	"github.com/cs3org/reva/pkg/appctx"
 	ctxpkg "github.com/cs3org/reva/pkg/ctx"
@@ -46,6 +47,8 @@ import (
 	"github.com/cs3org/reva/pkg/utils"
 	"github.com/golang-jwt/jwt"
 	"github.com/pkg/errors"
+
+	gstatus "google.golang.org/grpc/status"
 )
 
 /*  About caching
@@ -558,15 +561,16 @@ func (s *svc) TouchFile(ctx context.Context, req *provider.TouchFileRequest) (*p
 	c, _, err := s.find(ctx, req.Ref)
 	if err != nil {
 		return &provider.TouchFileResponse{
-			Status: status.NewStatusFromErrType(ctx, fmt.Sprintf("gateway could not find reference %+v", req.Ref), err),
+			Status: status.NewStatusFromErrType(ctx, "TouchFile ref="+req.Ref.String(), err),
 		}, nil
 	}
 
 	res, err := c.TouchFile(ctx, req)
 	if err != nil {
-		return &provider.TouchFileResponse{
-			Status: status.NewStatusFromErrType(ctx, "gateway could not call TouchFile", err),
-		}, nil
+		if gstatus.Code(err) == codes.PermissionDenied {
+			return &provider.TouchFileResponse{Status: &rpc.Status{Code: rpc.Code_CODE_PERMISSION_DENIED}}, nil
+		}
+		return nil, errors.Wrap(err, "gateway: error calling TouchFile")
 	}
 
 	return res, nil
@@ -651,9 +655,10 @@ func (s *svc) SetArbitraryMetadata(ctx context.Context, req *provider.SetArbitra
 
 	res, err := c.SetArbitraryMetadata(ctx, req)
 	if err != nil {
-		return &provider.SetArbitraryMetadataResponse{
-			Status: status.NewStatusFromErrType(ctx, "gateway could not call SetArbitraryMetadata", err),
-		}, nil
+		if gstatus.Code(err) == codes.PermissionDenied {
+			return &provider.SetArbitraryMetadataResponse{Status: &rpc.Status{Code: rpc.Code_CODE_PERMISSION_DENIED}}, nil
+		}
+		return nil, errors.Wrap(err, "gateway: error calling SetArbitraryMetadata")
 	}
 
 	s.cache.RemoveStat(ctxpkg.ContextMustGetUser(ctx), req.Ref.ResourceId)
@@ -673,12 +678,13 @@ func (s *svc) UnsetArbitraryMetadata(ctx context.Context, req *provider.UnsetArb
 
 	res, err := c.UnsetArbitraryMetadata(ctx, req)
 	if err != nil {
-		return &provider.UnsetArbitraryMetadataResponse{
-			Status: status.NewStatusFromErrType(ctx, "gateway could not call UnsetArbitraryMetadata", err),
-		}, nil
+		if gstatus.Code(err) == codes.PermissionDenied {
+			return &provider.UnsetArbitraryMetadataResponse{Status: &rpc.Status{Code: rpc.Code_CODE_PERMISSION_DENIED}}, nil
+		}
+		return nil, errors.Wrap(err, "gateway: error calling UnsetArbitraryMetadata")
 	}
-
 	s.cache.RemoveStat(ctxpkg.ContextMustGetUser(ctx), req.Ref.ResourceId)
+
 	return res, nil
 }
 
@@ -695,72 +701,70 @@ func (s *svc) SetLock(ctx context.Context, req *provider.SetLockRequest) (*provi
 
 	res, err := c.SetLock(ctx, req)
 	if err != nil {
-		return &provider.SetLockResponse{
-			Status: status.NewStatusFromErrType(ctx, "gateway could not call SetLock", err),
-		}, nil
+		if gstatus.Code(err) == codes.PermissionDenied {
+			return &provider.SetLockResponse{Status: &rpc.Status{Code: rpc.Code_CODE_PERMISSION_DENIED}}, nil
+		}
+		return nil, errors.Wrap(err, "gateway: error calling SetLock")
 	}
 
 	return res, nil
 }
 
 // GetLock returns an existing lock on the given reference
 func (s *svc) GetLock(ctx context.Context, req *provider.GetLockRequest) (*provider.GetLockResponse, error) {
-	var c provider.ProviderAPIClient
-	var err error
-	c, _, req.Ref, err = s.findAndUnwrap(ctx, req.Ref)
+	c, _, err := s.find(ctx, req.Ref)
 	if err != nil {
 		return &provider.GetLockResponse{
-			Status: status.NewStatusFromErrType(ctx, fmt.Sprintf("gateway could not find space for ref=%+v", req.Ref), err),
+			Status: status.NewStatusFromErrType(ctx, "GetLock ref="+req.Ref.String(), err),
 		}, nil
 	}
 
 	res, err := c.GetLock(ctx, req)
 	if err != nil {
-		return &provider.GetLockResponse{
-			Status: status.NewStatusFromErrType(ctx, "gateway could not call GetLock", err),
-		}, nil
+		if gstatus.Code(err) == codes.PermissionDenied {
+			return &provider.GetLockResponse{Status: &rpc.Status{Code: rpc.Code_CODE_PERMISSION_DENIED}}, nil
+		}
+		return nil, errors.Wrap(err, "gateway: error calling GetLock")
 	}
 
 	return res, nil
 }
 
 // RefreshLock refreshes an existing lock on the given reference
 func (s *svc) RefreshLock(ctx context.Context, req *provider.RefreshLockRequest) (*provider.RefreshLockResponse, error) {
-	var c provider.ProviderAPIClient
-	var err error
-	c, _, req.Ref, err = s.findAndUnwrap(ctx, req.Ref)
+	c, _, err := s.find(ctx, req.Ref)
 	if err != nil {
 		return &provider.RefreshLockResponse{
-			Status: status.NewStatusFromErrType(ctx, fmt.Sprintf("gateway could not find space for ref=%+v", req.Ref), err),
+			Status: status.NewStatusFromErrType(ctx, "RefreshLock ref="+req.Ref.String(), err),
 		}, nil
 	}
 
 	res, err := c.RefreshLock(ctx, req)
 	if err != nil {
-		return &provider.RefreshLockResponse{
-			Status: status.NewStatusFromErrType(ctx, "gateway could not call RefreshLock", err),
-		}, nil
+		if gstatus.Code(err) == codes.PermissionDenied {
+			return &provider.RefreshLockResponse{Status: &rpc.Status{Code: rpc.Code_CODE_PERMISSION_DENIED}}, nil
+		}
+		return nil, errors.Wrap(err, "gateway: error calling RefreshLock")
 	}
 
 	return res, nil
 }
 
 // Unlock removes an existing lock from the given reference
 func (s *svc) Unlock(ctx context.Context, req *provider.UnlockRequest) (*provider.UnlockResponse, error) {
-	var c provider.ProviderAPIClient
-	var err error
-	c, _, req.Ref, err = s.findAndUnwrap(ctx, req.Ref)
+	c, _, err := s.find(ctx, req.Ref)
 	if err != nil {
 		return &provider.UnlockResponse{
-			Status: status.NewStatusFromErrType(ctx, fmt.Sprintf("gateway could not find space for ref=%+v", req.Ref), err),
+			Status: status.NewStatusFromErrType(ctx, "Unlock ref="+req.Ref.String(), err),
 		}, nil
 	}
 
 	res, err := c.Unlock(ctx, req)
 	if err != nil {
-		return &provider.UnlockResponse{
-			Status: status.NewStatusFromErrType(ctx, "gateway could not call Unlock", err),
-		}, nil
+		if gstatus.Code(err) == codes.PermissionDenied {
+			return &provider.UnlockResponse{Status: &rpc.Status{Code: rpc.Code_CODE_PERMISSION_DENIED}}, nil
+		}
+		return nil, errors.Wrap(err, "gateway: error calling Unlock")
 	}
 
 	return res, nil

internal/grpc/services/gateway/usershareprovider.go

@@ -22,18 +22,17 @@ import (
 	"context"
 	"path"
 
-	ctxpkg "github.com/cs3org/reva/pkg/ctx"
-	rtrace "github.com/cs3org/reva/pkg/trace"
-
 	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	collaboration "github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	typesv1beta1 "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
 	"github.com/cs3org/reva/pkg/appctx"
+	ctxpkg "github.com/cs3org/reva/pkg/ctx"
 	"github.com/cs3org/reva/pkg/errtypes"
 	"github.com/cs3org/reva/pkg/rgrpc/status"
 	"github.com/cs3org/reva/pkg/rgrpc/todo/pool"
 	"github.com/cs3org/reva/pkg/storage/utils/grants"
+	rtrace "github.com/cs3org/reva/pkg/trace"
 	"github.com/pkg/errors"
 )
 
@@ -327,8 +326,56 @@ func (s *svc) UpdateReceivedShare(ctx context.Context, req *collaboration.Update
 
 	s.cache.RemoveStat(ctxpkg.ContextMustGetUser(ctx), req.Share.Share.ResourceId)
 	return c.UpdateReceivedShare(ctx, req)
-}
+	/*
+		    TODO: Leftover from master merge. Do we need this?
+			if err != nil {
+				appctx.GetLogger(ctx).
+					Err(err).
+					Msg("UpdateReceivedShare: failed to get user share provider")
+				return &collaboration.UpdateReceivedShareResponse{
+					Status: status.NewInternal(ctx, "error getting share provider client"),
+				}, nil
+			}
+			// check if we have a resource id in the update response that we can use to update references
+			if res.GetShare().GetShare().GetResourceId() == nil {
+				log.Err(err).Msg("gateway: UpdateReceivedShare must return a ResourceId")
+				return &collaboration.UpdateReceivedShareResponse{
+					Status: &rpc.Status{
+						Code: rpc.Code_CODE_INTERNAL,
+					},
+				}, nil
+			}
 
+			// properties are updated in the order they appear in the field mask
+			// when an error occurs the request ends and no further fields are updated
+			for i := range req.UpdateMask.Paths {
+				switch req.UpdateMask.Paths[i] {
+				case "state":
+					switch req.GetShare().GetState() {
+					case collaboration.ShareState_SHARE_STATE_ACCEPTED:
+						rpcStatus := s.createReference(ctx, res.GetShare().GetShare().GetResourceId())
+						if rpcStatus.Code != rpc.Code_CODE_OK {
+							return &collaboration.UpdateReceivedShareResponse{Status: rpcStatus}, nil
+						}
+					case collaboration.ShareState_SHARE_STATE_REJECTED:
+						rpcStatus := s.removeReference(ctx, res.GetShare().GetShare().ResourceId)
+						if rpcStatus.Code != rpc.Code_CODE_OK && rpcStatus.Code != rpc.Code_CODE_NOT_FOUND {
+							return &collaboration.UpdateReceivedShareResponse{Status: rpcStatus}, nil
+						}
+					}
+				case "mount_point":
+					// TODO(labkode): implementing updating mount point
+					err = errtypes.NotSupported("gateway: update of mount point is not yet implemented")
+					return &collaboration.UpdateReceivedShareResponse{
+						Status: status.NewUnimplemented(ctx, err, "error updating received share"),
+					}, nil
+				default:
+					return nil, errtypes.NotSupported("updating " + req.UpdateMask.Paths[i] + " is not supported")
+				}
+			}
+			return res, nil
+	*/
+}
 func (s *svc) removeReference(ctx context.Context, resourceID *provider.ResourceId) *rpc.Status {
 	log := appctx.GetLogger(ctx)
 

pkg/app/provider/wopi/wopi.go

@@ -36,6 +36,7 @@ import (
 	"github.com/beevik/etree"
 	appprovider "github.com/cs3org/go-cs3apis/cs3/app/provider/v1beta1"
 	appregistry "github.com/cs3org/go-cs3apis/cs3/app/registry/v1beta1"
+	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	"github.com/cs3org/reva/pkg/app"
 	"github.com/cs3org/reva/pkg/app/provider/registry"
@@ -139,6 +140,11 @@ func (p *wopiProvider) GetAppURL(ctx context.Context, resource *provider.Resourc
 
 	u, ok := ctxpkg.ContextGetUser(ctx)
 	if ok { // else defaults to "Guest xyz"
+		if u.Id.Type == userpb.UserType_USER_TYPE_LIGHTWEIGHT {
+			q.Add("userid", resource.Owner.OpaqueId+"@"+resource.Owner.Idp)
+		} else {
+			q.Add("userid", u.Id.OpaqueId+"@"+u.Id.Idp)
+		}
 		var isPublicShare bool
 		if u.Opaque != nil {
 			if _, ok := u.Opaque.Map["public-share-role"]; ok {

pkg/auth/manager/oidc/oidc.go

@@ -23,6 +23,7 @@ package oidc
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	oidc "github.com/coreos/go-oidc"
@@ -130,6 +131,12 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 	if claims["email_verified"] == nil { // This is not set in simplesamlphp
 		claims["email_verified"] = false
 	}
+	if claims["preferred_username"] == nil {
+		claims["preferred_username"] = claims[am.c.IDClaim]
+	}
+	if claims["name"] == nil {
+		claims["name"] = claims[am.c.IDClaim]
+	}
 
 	if claims["email"] == nil {
 		return nil, nil, fmt.Errorf("no \"email\" attribute found in userinfo: maybe the client did not request the oidc \"email\"-scope")
@@ -158,7 +165,7 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 	userID := &user.UserId{
 		OpaqueId: claims[am.c.IDClaim].(string), // a stable non reassignable id
 		Idp:      claims["issuer"].(string),     // in the scope of this issuer
-		Type:     user.UserType_USER_TYPE_PRIMARY,
+		Type:     getUserType(claims[am.c.IDClaim].(string)),
 	}
 	gwc, err := pool.GetGatewayServiceClient(am.c.GatewaySvc)
 	if err != nil {
@@ -236,3 +243,17 @@ func (am *mgr) getOIDCProvider(ctx context.Context) (*oidc.Provider, error) {
 	am.provider = provider
 	return am.provider, nil
 }
+
+func getUserType(upn string) user.UserType {
+	var t user.UserType
+	switch {
+	case strings.HasPrefix(upn, "guest"):
+		t = user.UserType_USER_TYPE_LIGHTWEIGHT
+	case strings.Contains(upn, "@"):
+		t = user.UserType_USER_TYPE_FEDERATED
+	default:
+		t = user.UserType_USER_TYPE_PRIMARY
+	}
+	return t
+
+}