diff --git a/go.mod b/go.mod
index 15ff4d4d2..c08e14806 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/cenkalti/backoff v2.2.1+incompatible
 github.com/coreos/go-oidc/v3 v3.9.0
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781
- github.com/cs3org/reva/v2 v2.19.4
+ github.com/cs3org/reva/v2 v2.19.5
 github.com/dhowden/tag v0.0.0-20230630033851-978a0926ee25
 github.com/disintegration/imaging v1.6.2
 github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
diff --git a/go.sum b/go.sum
index 2721eebd1..9230fc802 100644
--- a/go.sum
+++ b/go.sum
@@ -1019,8 +1019,8 @@ github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
 github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2FasrrPg8gGPHQPOrQ18MS1Oew2tmGtY=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
-github.com/cs3org/reva/v2 v2.19.4 h1:gOcV6cgV+es624ckLUkXWL9mbHZpPXEgsa83/YA6WYA=
-github.com/cs3org/reva/v2 v2.19.4/go.mod h1:GRUrOp5HbFVwZTgR9bVrMZ/MvVy+Jhxw1PdMmhhKP9E=
+github.com/cs3org/reva/v2 v2.19.5 h1:Qh38wpPovnb0jPpgGR6L6HfbQ8vwObcrB8yUCRJldSw=
+github.com/cs3org/reva/v2 v2.19.5/go.mod h1:GRUrOp5HbFVwZTgR9bVrMZ/MvVy+Jhxw1PdMmhhKP9E=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
 github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
diff --git a/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/auth/scope.go b/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/auth/scope.go
index 1b5edd9f2..5cb6183c6 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/auth/scope.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/auth/scope.go
@@ -264,7 +264,15 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent
 if statResponse.Status.Code != rpc.Code_CODE_OK {
 return false, statuspkg.NewErrorFromCode(statResponse.Status.Code, "auth interceptor")
 }
- parentPath := statResponse.Info.Path
+
+ pathResp, err := client.GetPath(ctx, &provider.GetPathRequest{ResourceId: statResponse.GetInfo().GetId()})
+ if err != nil {
+ return false, err
+ }
+ if pathResp.Status.Code != rpc.Code_CODE_OK {
+ return false, statuspkg.NewErrorFromCode(pathResp.Status.Code, "auth interceptor")
+ }
+ parentPath := pathResp.Path
 childPath := ref.GetPath()
 if childPath != "" && childPath != "." && strings.HasPrefix(childPath, parentPath) {
@@ -308,7 +316,7 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent
 if childStat.Status.Code != rpc.Code_CODE_OK {
 return false, statuspkg.NewErrorFromCode(childStat.Status.Code, "auth interceptor")
 }
- pathResp, err := client.GetPath(ctx, &provider.GetPathRequest{ResourceId: childStat.GetInfo().GetId()})
+ pathResp, err = client.GetPath(ctx, &provider.GetPathRequest{ResourceId: childStat.GetInfo().GetId()})
 if err != nil {
 return false, err
 }
diff --git a/vendor/github.com/cs3org/reva/v2/internal/grpc/services/publicshareprovider/publicshareprovider.go b/vendor/github.com/cs3org/reva/v2/internal/grpc/services/publicshareprovider/publicshareprovider.go
index 3df749f88..a18401b5c 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/grpc/services/publicshareprovider/publicshareprovider.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/grpc/services/publicshareprovider/publicshareprovider.go
@@ -554,12 +554,24 @@ func (s *service) UpdatePublicShare(ctx context.Context, req *link.UpdatePublicS
 }
 updatePassword := req.GetUpdate().GetType() == link.UpdatePublicShareRequest_Update_TYPE_PASSWORD
 setPassword := grant.GetPassword()
+
+ // we update permissions with an empty password and password is not set on the public share
+ emptyPasswordInPermissionUpdate := len(setPassword) == 0 && updatePermissions && !ps.PasswordProtected
+
+ // password is updated, we use the current permissions to check if the user can opt out
 if updatePassword && !isInternalLink && enforcePassword(canOptOut, ps.GetPermissions().GetPermissions(), s.conf) && len(setPassword) == 0 {
 return &link.UpdatePublicShareResponse{
 Status: status.NewInvalidArg(ctx, "password protection is enforced"),
 }, nil
 }
+ // permissions are updated, we use the new permissions to check if the user can opt out
+ if emptyPasswordInPermissionUpdate && !isInternalLink && enforcePassword(canOptOut, grant.GetPermissions().GetPermissions(), s.conf) && len(setPassword) == 0 {
+ return &link.UpdatePublicShareResponse{
+ Status: status.NewInvalidArg(ctx, "password protection is enforced"),
+ }, nil
+ }
+
 // validate password policy
 if updatePassword && len(setPassword) > 0 {
 if err := s.passwordValidator.Validate(setPassword); err != nil {
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/archiver/manager/archiver.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/archiver/manager/archiver.go
index 803606665..ecb3c20bc 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/archiver/manager/archiver.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/archiver/manager/archiver.go
@@ -29,6 +29,7 @@ import (
 provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 "github.com/cs3org/reva/v2/pkg/storage/utils/downloader"
 "github.com/cs3org/reva/v2/pkg/storage/utils/walker"
+ "github.com/cs3org/reva/v2/pkg/utils"
 )
 // Config is the config for the Archiver
@@ -77,7 +78,7 @@ func (a *Archiver) CreateTar(ctx context.Context, dst io.Writer) (func(), error)
 }
 // when archiving a space we can omit the spaceroot
- if isSpaceRoot(info) {
+ if utils.IsSpaceRoot(info) {
 return nil
 }
@@ -152,7 +153,7 @@ func (a *Archiver) CreateZip(ctx context.Context, dst io.Writer) (func(), error)
 }
 // when archiving a space we can omit the spaceroot
- if isSpaceRoot(info) {
+ if utils.IsSpaceRoot(info) {
 return nil
 }
@@ -205,9 +206,3 @@ func (a *Archiver) CreateZip(ctx context.Context, dst io.Writer) (func(), error)
 }
 return closer, nil
 }
-
-func isSpaceRoot(info *provider.ResourceInfo) bool {
- f := info.GetId()
- s := info.GetSpace().GetRoot()
- return f.GetOpaqueId() == s.GetOpaqueId() && f.GetSpaceId() == s.GetSpaceId()
-}
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go
index 166c110f3..bb7b4cd6b 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go
@@ -610,7 +610,7 @@ func (s *svc) prepareCopy(ctx context.Context, w http.ResponseWriter, r *http.Re
 errors.HandleErrorStatus(log, w, srcStatRes.Status)
 return nil
 }
- if isSpaceRoot(srcStatRes.GetInfo()) {
+ if utils.IsSpaceRoot(srcStatRes.GetInfo()) {
 log.Error().Msg("the source is disallowed")
 w.WriteHeader(http.StatusBadRequest)
 return nil
@@ -632,7 +632,7 @@ func (s *svc) prepareCopy(ctx context.Context, w http.ResponseWriter, r *http.Re
 if dstStatRes.Status.Code == rpc.Code_CODE_OK {
 successCode = http.StatusNoContent // 204 if target already existed, see https://tools.ietf.org/html/rfc4918#section-9.8.5
- if isSpaceRoot(dstStatRes.GetInfo()) {
+ if utils.IsSpaceRoot(dstStatRes.GetInfo()) {
 log.Error().Msg("overwriting is not allowed")
 w.WriteHeader(http.StatusBadRequest)
 return nil
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go
index 4706d20e9..60516979e 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go
@@ -196,7 +196,7 @@ func (s *svc) handleMove(ctx context.Context, w http.ResponseWriter, r *http.Req
 errors.HandleErrorStatus(&log, w, srcStatRes.Status)
 return
 }
- if isSpaceRoot(srcStatRes.GetInfo()) {
+ if utils.IsSpaceRoot(srcStatRes.GetInfo()) {
 log.Error().Msg("the source is disallowed")
 w.WriteHeader(http.StatusBadRequest)
 return
@@ -219,7 +219,7 @@ func (s *svc) handleMove(ctx context.Context, w http.ResponseWriter, r *http.Req
 if dstStatRes.Status.Code == rpc.Code_CODE_OK {
 successCode = http.StatusNoContent // 204 if target already existed, see https://tools.ietf.org/html/rfc4918#section-9.9.4
- if isSpaceRoot(dstStatRes.GetInfo()) {
+ if utils.IsSpaceRoot(dstStatRes.GetInfo()) {
 log.Error().Msg("overwriting is not allowed")
 w.WriteHeader(http.StatusBadRequest)
 return
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go
index 509a6ea63..d3cab17be 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go
@@ -418,9 +418,3 @@ func (s *svc) referenceIsChildOf(ctx context.Context, selector pool.Selectable[g
 pp := path.Join(parentPathRes.Path, parent.Path) + "/"
 return strings.HasPrefix(cp, pp), nil
 }
-
-func isSpaceRoot(info *provider.ResourceInfo) bool {
- f := info.GetId()
- s := info.GetSpace().GetRoot()
- return f.GetOpaqueId() == s.GetOpaqueId() && f.GetSpaceId() == s.GetSpaceId()
-}
diff --git a/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go b/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go
index d363d9f2d..075aee212 100644
--- a/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go
+++ b/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go
@@ -201,6 +201,13 @@ func IsStatusCodeError(err error, code rpc.Code) bool {
 return sce.code == code
 }
+// IsSpaceRoot checks if the given resource info is referring to a space root
+func IsSpaceRoot(ri *storageprovider.ResourceInfo) bool {
+ f := ri.GetId()
+ s := ri.GetSpace().GetRoot()
+ return f.GetOpaqueId() == s.GetOpaqueId() && f.GetSpaceId() == s.GetSpaceId()
+}
+
 func checkStatusCode(reason string, code rpc.Code) error {
 if code == rpc.Code_CODE_OK {
 return nil
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 5e24b61df..e83f4f2cc 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -359,7 +359,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1
 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1
 github.com/cs3org/go-cs3apis/cs3/types/v1beta1
-# github.com/cs3org/reva/v2 v2.19.4
+# github.com/cs3org/reva/v2 v2.19.5
 ## explicit; go 1.21
 github.com/cs3org/reva/v2/cmd/revad/internal/grace
 github.com/cs3org/reva/v2/cmd/revad/runtime