Merge pull request #8756 from dragonchaser/filter-user-email-in-results

Filter user email in results

changelog/unreleased/mask-user-email-in-output.md

@@ -0,0 +1,7 @@
+Bugfix: Mask user email in output
+
+We have fixed a bug where the user email was not masked in the output and the user emails could be enumerated through
+the sharee search. This is the ocis side which adds an suiting config option to mask user emails in the output.
+
+https://github.com/owncloud/ocis/issues/8726
+https://github.com/cs3org/reva/pull/4603

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/coreos/go-oidc/v3 v3.10.0
 	github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781
-	github.com/cs3org/reva/v2 v2.19.2-0.20240322140620-cbb501a7ae3a
+	github.com/cs3org/reva/v2 v2.19.2-0.20240328104440-9c04f2d8ab7e
 	github.com/dhowden/tag v0.0.0-20230630033851-978a0926ee25
 	github.com/disintegration/imaging v1.6.2
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e

go.sum

@@ -1018,8 +1018,8 @@ github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
 github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2FasrrPg8gGPHQPOrQ18MS1Oew2tmGtY=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
-github.com/cs3org/reva/v2 v2.19.2-0.20240322140620-cbb501a7ae3a h1:dqIqhnxiRYfmDHhlgtEAeTbOJxQ2nca4O/Gius/TnxQ=
-github.com/cs3org/reva/v2 v2.19.2-0.20240322140620-cbb501a7ae3a/go.mod h1:GRUrOp5HbFVwZTgR9bVrMZ/MvVy+Jhxw1PdMmhhKP9E=
+github.com/cs3org/reva/v2 v2.19.2-0.20240328104440-9c04f2d8ab7e h1:WkmwnjiTC9FBDQqJhv4IUBBXDEvqKhlgfaJ1sZ3T3N8=
+github.com/cs3org/reva/v2 v2.19.2-0.20240328104440-9c04f2d8ab7e/go.mod h1:GRUrOp5HbFVwZTgR9bVrMZ/MvVy+Jhxw1PdMmhhKP9E=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
 github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=

services/ocs/pkg/config/reva.go

@@ -2,5 +2,6 @@ package config
 
 // TokenManager is the config for using the reva token manager
 type TokenManager struct {
-	JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;OCS_JWT_SECRET" desc:"The secret to mint and validate jwt tokens." introductionVersion:"pre5.0"`
+	JWTSecret              string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;OCS_JWT_SECRET" desc:"The secret to mint and validate jwt tokens." introductionVersion:"pre5.0"`
+	ShowUserEmailInResults bool   `yaml:"mask_user_email" env:"OCS_SHOW_USER_EMAIL_IN_RESULTS" desc:"Mask user email addresses in responses." introductionVersion:"5.1"`
 }

vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/config/config.go

@@ -47,6 +47,7 @@ type Config struct {
 	ListOCMShares                         bool                              `mapstructure:"list_ocm_shares"`
 	Notifications                         map[string]interface{}            `mapstructure:"notifications"`
 	IncludeOCMSharees                     bool                              `mapstructure:"include_ocm_sharees"`
+	ShowEmailInResults                    bool                              `mapstructure:"show_email_in_results"`
 }
 
 // Init sets sane defaults

vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/sharees/sharees.go

@@ -40,6 +40,7 @@ type Handler struct {
 	gatewayAddr             string
 	additionalInfoAttribute string
 	includeOCMSharees       bool
+	showUserEmailInResults  bool
 }
 
 // Init initializes this and any contained handlers
@@ -47,6 +48,7 @@ func (h *Handler) Init(c *config.Config) {
 	h.gatewayAddr = c.GatewaySvc
 	h.additionalInfoAttribute = c.AdditionalInfoAttribute
 	h.includeOCMSharees = c.IncludeOCMSharees
+	h.showUserEmailInResults = c.ShowEmailInResults
 }
 
 // FindSharees implements the /apps/files_sharing/api/v1/sharees endpoint
@@ -123,6 +125,21 @@ func (h *Handler) FindSharees(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	if !h.showUserEmailInResults {
+		for _, m := range userMatches {
+			m.Value.ShareWithAdditionalInfo = m.Value.ShareWith
+		}
+		for _, m := range exactUserMatches {
+			m.Value.ShareWithAdditionalInfo = m.Value.ShareWith
+		}
+		for _, m := range groupMatches {
+			m.Value.ShareWithAdditionalInfo = m.Value.ShareWith
+		}
+		for _, m := range exactGroupMatches {
+			m.Value.ShareWithAdditionalInfo = m.Value.ShareWith
+		}
+	}
+
 	response.WriteOCSSuccess(w, r, &conversions.ShareeData{
 		Exact: &conversions.ExactMatchesData{
 			Users:   exactUserMatches,

vendor/modules.txt

@@ -359,7 +359,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1
 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1
 github.com/cs3org/go-cs3apis/cs3/types/v1beta1
-# github.com/cs3org/reva/v2 v2.19.2-0.20240322140620-cbb501a7ae3a
+# github.com/cs3org/reva/v2 v2.19.2-0.20240328104440-9c04f2d8ab7e
 ## explicit; go 1.21
 github.com/cs3org/reva/v2/cmd/revad/internal/grace
 github.com/cs3org/reva/v2/cmd/revad/runtime