diff --git a/deployments/examples/service_policies/policies/postprocessing.rego b/deployments/examples/service_policies/policies/postprocessing.rego
index 8b77f0446f..4dad89f414 100644
--- a/deployments/examples/service_policies/policies/postprocessing.rego
+++ b/deployments/examples/service_policies/policies/postprocessing.rego
@@ -3,8 +3,8 @@ package postprocessing
 import future.keywords.if
 import data.utils
-default granted = true
+default granted := true
-granted := false if {
+granted = false if {
 not utils.collection_contains(utils.ALLOWED_FILE_EXTENSIONS, input.resource.name)
 }
diff --git a/deployments/examples/service_policies/policies/proxy.rego b/deployments/examples/service_policies/policies/proxy.rego
index c1e9da7830..aae711c04a 100644
--- a/deployments/examples/service_policies/policies/proxy.rego
+++ b/deployments/examples/service_policies/policies/proxy.rego
@@ -3,10 +3,16 @@ package proxy
 import future.keywords.if
 import data.utils
-default granted = true
+default granted := true
-granted := false if {
+granted = false if {
 utils.is_request_type_put
 not input.request.path == "/data"
 not utils.collection_contains(utils.ALLOWED_FILE_EXTENSIONS, input.request.path)
 }
+
+granted = false if {
+ utils.is_request_type_post
+ startswith(input.request.path, "/remote.php")
+ not utils.collection_contains(utils.ALLOWED_FILE_EXTENSIONS, input.resource.name)
+}
diff --git a/deployments/examples/service_policies/policies/utils.rego b/deployments/examples/service_policies/policies/utils.rego
index 65e55e31b7..40aea327b0 100644
--- a/deployments/examples/service_policies/policies/utils.rego
+++ b/deployments/examples/service_policies/policies/utils.rego
@@ -34,9 +34,9 @@ is_request_type_put {
 input.request.method == "PUT"
 }
-is_request_path_file {
+is_request_type_post {
 is_stage_http
- input.request.method == "PUT"
+ input.request.method == "POST"
 }
 is_request_type_mkcol {
diff --git a/go.mod b/go.mod
index 0f0670f4f6..d9d7d093ea 100644
--- a/go.mod
+++ b/go.mod
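Review bot: The reason for turning `default granted = true` / `granted := false if` into `default granted := true` / `granted = false if` is not recorded in the hunk, and the same swap is made in the proxy.rego hunk of this commit. It looks like it is needed so that `granted` can be defined by more than one rule body (proxy.rego now carries a second `granted = false if` rule), possibly tightened by the OPA bump in go.mod, but that is an inference from the diff rather than something it states. A one-line comment above the rule, e.g. `# "=" rather than ":=" so granted may be defined by several rule bodies`, would save the next reader the archaeology; confirm the motivation against the OPA release notes before wording it as fact.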
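Review bot: The new `granted = false if` rule denies any POST under `/remote.php` whose `input.resource.name` lacks an allowed extension, and policies.go in this commit now fills that name from the client's Upload-Metadata header on every request, so a POST without that header reaches the policy with an empty name. If `utils.collection_contains` yields false for an empty string (its body is not in this diff), `not utils.collection_contains(...)` holds and the rule denies every non-tus POST under `/remote.php`, which may be wider than intended; if only uploads with a declared filename should be screened here, add `input.resource.name != ""` to the rule body. Note also that the name is whatever the client declared, so this rule is a front-door filter and the postprocessing policy on the stored resource remains the authoritative check.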
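Review bot: This hunk removes `is_request_path_file` (whose old body checked method PUT, apparently a copy of `is_request_type_put`) instead of adding `is_request_type_post` beside it, so any policy outside this diff that still references `utils.is_request_path_file` will evaluate to undefined rather than fail to compile, and a deny rule built on it would silently stop firing while `default granted := true` keeps granting. It is worth checking the other example policies for the old name before merging. A short doc comment on the new rule, e.g. `# is_request_type_post holds for HTTP-stage requests whose method is POST`, would match the style a reader expects from the surrounding helpers.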
@@ -65,7 +65,7 @@ require (
 github.com/onsi/ginkgo v1.16.5
 github.com/onsi/ginkgo/v2 v2.9.1
 github.com/onsi/gomega v1.27.4
- github.com/open-policy-agent/opa v0.50.2
+ github.com/open-policy-agent/opa v0.51.0
 github.com/orcaman/concurrent-map v1.0.0
 github.com/owncloud/libre-graph-api-go v1.0.2-0.20230330145712-ea267ccd404a
 github.com/pkg/errors v0.9.1
@@ -184,7 +184,7 @@ require (
 github.com/go-git/go-git/v5 v5.4.2 // indirect
 github.com/go-kit/log v0.2.1 // indirect
 github.com/go-logfmt/logfmt v0.5.1 // indirect
- github.com/go-logr/logr v1.2.3 // indirect
+ github.com/go-logr/logr v1.2.4 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-resty/resty/v2 v2.7.0 // indirect
 github.com/go-sql-driver/mysql v1.6.0 // indirect
diff --git a/go.sum b/go.sum
index 9280e5ce4a..1f6c8b0238 100644
--- a/go.sum
+++ b/go.sum
@@ -764,8 +764,8 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG
 github.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA=
 github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
-github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
+github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-micro/plugins/v4/client/grpc v1.2.0 h1:Z8BB6jqslXM2aMMhjZ+QfNuzR+msCMtGd83DGlsQQG0=
@@ -1363,8 +1363,8 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.27.4 h1:Z2AnStgsdSayCMDiCU42qIz+HLqEPcgiOCXjAU/w+8E=
 github.com/onsi/gomega v1.27.4/go.mod h1:riYq/GJKh8hhoM01HN6Vmuy93AarCXCBGpvFDK3q3fQ=
-github.com/open-policy-agent/opa v0.50.2 h1:iD2kKLFkflgSCTMtrC/3jLmOQ7IWyDXMg6+VQA0tSC0=
-github.com/open-policy-agent/opa v0.50.2/go.mod h1:9jKfDk0L5b9rnhH4M0nq10cGHbYOxqygxzTT3dsvhec=
+github.com/open-policy-agent/opa v0.51.0 h1:2hS5xhos8HtkN+mgpqMhNJSFtn/1n/h3wh+AeTPJg6Q=
+github.com/open-policy-agent/opa v0.51.0/go.mod h1:OjmwLfXdeR7skSxrt8Yd3ScXTqPxyJn7GeTRJrcEerU=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
diff --git a/services/proxy/pkg/middleware/policies.go b/services/proxy/pkg/middleware/policies.go
index 99097cf60a..0ebf92d108 100644
--- a/services/proxy/pkg/middleware/policies.go
+++ b/services/proxy/pkg/middleware/policies.go
@@ -8,6 +8,8 @@ import (
 "github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
 pMessage "github.com/owncloud/ocis/v2/protogen/gen/ocis/messages/policies/v0"
 pService "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/policies/v0"
+ "github.com/owncloud/ocis/v2/services/webdav/pkg/net"
+ tusd "github.com/tus/tusd/pkg/handler"
 )
 // Policies verifies if a request is granted or not.
@@ -32,6 +34,11 @@ func Policies(logger log.Logger, qs string) func(next http.Handler) http.Handler
 },
 }
+ meta := tusd.ParseMetadataHeader(r.Header.Get(net.HeaderUploadMetadata))
+ req.Environment.Resource = &pMessage.Resource{
+ Name: meta["filename"],
+ }
+
 if user, ok := revactx.ContextGetUser(r.Context()); ok {
 req.Environment.User = &pMessage.User{
 Id: &pMessage.User_ID{
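Review bot: `meta["filename"]` is taken straight from the request's Upload-Metadata header, so it is the name the client declared for the upload rather than the name of any stored resource, and it is written to `req.Environment.Resource` for every request that passes this middleware, whether or not the header is present. That is acceptable as a first-line filter, but it should be stated at the site because the example policies compare it against `ALLOWED_FILE_EXTENSIONS` as if it were authoritative: `// Resource.Name is the client-declared tus filename from Upload-Metadata (empty when the header is absent); it is a hint for the proxy policy, the postprocessing policy sees the stored name.` Since the proxy.rego rule in this commit evaluates `input.resource.name` for every POST under `/remote.php`, decide whether the empty-name case should be screened by that rule or ignored, and document the choice next to this assignment. `tusd.ParseMetadataHeader` returns only the map, so there is no error to handle here; the enclosing `Policies` closure starts above this hunk.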