From 8e1b033a63071d000b22609e5200b0da5190d845 Mon Sep 17 00:00:00 2001 From: jkoberg Date: Tue, 22 Aug 2023 11:54:45 +0200 Subject: [PATCH] auto-accept shares in frontend service Signed-off-by: jkoberg --- changelog/unreleased/auto-accept-shares.md | 5 + ocis/pkg/init/init.go | 8 +- services/frontend/README.md | 8 + services/frontend/pkg/command/events.go | 170 ++++++++++++++++++ services/frontend/pkg/command/server.go | 3 + services/frontend/pkg/config/config.go | 20 +++ .../pkg/config/defaults/defaultconfig.go | 5 + services/frontend/pkg/config/parser/parse.go | 5 + services/ocs/README.md | 9 +- .../settings/pkg/store/defaults/defaults.go | 79 ++++++++ 10 files changed, 308 insertions(+), 4 deletions(-) create mode 100644 changelog/unreleased/auto-accept-shares.md create mode 100644 services/frontend/pkg/command/events.go diff --git a/changelog/unreleased/auto-accept-shares.md b/changelog/unreleased/auto-accept-shares.md new file mode 100644 index 0000000000..75ebfb699d --- /dev/null +++ b/changelog/unreleased/auto-accept-shares.md @@ -0,0 +1,5 @@ +Enhancement: Auto-Accept Shares + +Automatically accept shares when configured by the user or admin + +https://github.com/owncloud/ocis/pull/7097 diff --git a/ocis/pkg/init/init.go b/ocis/pkg/init/init.go index 01aef0ceab..b49352e915 100644 --- a/ocis/pkg/init/init.go +++ b/ocis/pkg/init/init.go @@ -73,7 +73,8 @@ type IdmService struct { } type FrontendService struct { - Archiver InsecureService + Archiver InsecureService + ServiceAccount ServiceAccount `yaml:"service_account"` } type AuthbasicService struct { @@ -377,6 +378,9 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin Notifications: Notifications{ ServiceAccount: serviceAccount, }, + Frontend: FrontendService{ + ServiceAccount: serviceAccount, + }, } if insecure { @@ -384,7 +388,7 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin cfg.AuthBearer = AuthbearerService{ AuthProviders: AuthProviderSettings{Oidc: _insecureService}, } - cfg.Frontend = FrontendService{Archiver: _insecureService} + cfg.Frontend.Archiver = _insecureService cfg.Graph.Spaces = _insecureService cfg.Graph.Events = _insecureEvents cfg.Notifications.Notifications.Events = _insecureEvents diff --git a/services/frontend/README.md b/services/frontend/README.md index abf2c3b5de..36c9b2a7b3 100644 --- a/services/frontend/README.md +++ b/services/frontend/README.md @@ -55,3 +55,11 @@ The `frontend` service can use a configured store via `FRONTEND_OCS_STAT_CACHE_S 2. Though usually not necessary, a database name and a database table can be configured for event stores if the event store supports this. Generally not applicable for stores of type `in-memory`. These settings are blank by default which means that the standard settings of the configured store apply. 3. The frontend service can be scaled if not using `in-memory` stores and the stores are configured identically over all instances. 4. When using `redis-sentinel`, the Redis master to use is configured via `FRONTEND_OCS_STAT_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`. + +## Event Handler + +The `frontend` service contains an eventhandler for handling `ocs` related events. As of now, it only listens to the `ShareCreated` event. + +### Auto-Accept Shares + +When setting the `FRONTEND_AUTO_ACCEPT_SHARES` to `true`, all incoming shares will be accepted automatically. Users can overwrite this setting individually in their profile. diff --git a/services/frontend/pkg/command/events.go b/services/frontend/pkg/command/events.go new file mode 100644 index 0000000000..24141a8add --- /dev/null +++ b/services/frontend/pkg/command/events.go @@ -0,0 +1,170 @@ +package command + +import ( + "context" + "errors" + + "github.com/cs3org/reva/v2/pkg/events" + "github.com/cs3org/reva/v2/pkg/events/stream" + "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool" + "github.com/cs3org/reva/v2/pkg/utils" + "github.com/owncloud/ocis/v2/ocis-pkg/log" + "github.com/owncloud/ocis/v2/ocis-pkg/middleware" + "github.com/owncloud/ocis/v2/ocis-pkg/registry" + "github.com/owncloud/ocis/v2/ocis-pkg/service/grpc" + "github.com/owncloud/ocis/v2/ocis-pkg/tracing" + "github.com/owncloud/ocis/v2/services/frontend/pkg/config" + "github.com/owncloud/ocis/v2/services/settings/pkg/store/defaults" + "go-micro.dev/v4/metadata" + "google.golang.org/protobuf/types/known/fieldmaskpb" + + gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1" + group "github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1" + user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" + rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1" + collaboration "github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1" + settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0" +) + +var _registeredEvents = []events.Unmarshaller{ + events.ShareCreated{}, +} + +// ListenForEvents listens for events and acts accordingly +func ListenForEvents(cfg *config.Config, l log.Logger) { + bus, err := stream.NatsFromConfig(cfg.Service.Name, stream.NatsConfig(cfg.Events)) + if err != nil { + l.Error().Err(err).Msg("cannot connect to nats") + return + } + + evChannel, err := events.Consume(bus, "frontend", _registeredEvents...) + if err != nil { + l.Error().Err(err).Msg("cannot consume from nats") + } + + tm, err := pool.StringToTLSMode(cfg.GRPCClientTLS.Mode) + if err != nil { + return + } + + gatewaySelector, err := pool.GatewaySelector( + cfg.Reva.Address, + pool.WithTLSCACert(cfg.GRPCClientTLS.CACert), + pool.WithTLSMode(tm), + pool.WithRegistry(registry.GetRegistry()), + ) + if err != nil { + l.Error().Err(err).Msg("cannot get gateway selector") + return + } + + gwc, err := gatewaySelector.Next() + if err != nil { + l.Error().Err(err).Msg("cannot get gateway client") + return + } + + traceProvider, err := tracing.GetServiceTraceProvider(cfg.Tracing, cfg.Service.Name) + if err != nil { + l.Error().Err(err).Msg("cannot initialize tracing") + return + } + + grpcClient, err := grpc.NewClient( + append( + grpc.GetClientOptions(cfg.GRPCClientTLS), + grpc.WithTraceProvider(traceProvider), + )..., + ) + if err != nil { + l.Error().Err(err).Msg("cannot create grpc client") + return + } + + valueService := settingssvc.NewValueService("com.owncloud.api.settings", grpcClient) + + for e := range evChannel { + switch ev := e.Event.(type) { + default: + l.Error().Interface("event", e).Msg("unhandled event") + case events.ShareCreated: + AutoAcceptShares(ev, cfg.AutoAcceptShares, l, gwc, valueService, cfg.ServiceAccount) + } + } +} + +// AutoAcceptShares automatically accepts shares if configured by the admin or user +func AutoAcceptShares(ev events.ShareCreated, autoAcceptDefault bool, l log.Logger, gwc gateway.GatewayAPIClient, vs settingssvc.ValueService, cfg config.ServiceAccount) { + ctx, err := utils.GetServiceUserContext(cfg.ServiceAccountID, gwc, cfg.ServiceAccountSecret) + if err != nil { + l.Error().Err(err).Msg("cannot impersonate user") + return + } + + uids, err := getUserIDs(ctx, gwc, ev.GranteeUserID, ev.GranteeGroupID) + if err != nil { + l.Error().Err(err).Msg("cannot get granteess") + return + } + + for _, uid := range uids { + if !autoAcceptShares(ctx, uid, autoAcceptDefault, vs) { + continue + } + + resp, err := gwc.UpdateReceivedShare(ctx, updateShareRequest(ev.ShareID, uid)) + if err != nil { + l.Error().Err(err).Msg("error sending grpc request") + continue + } + + if resp.GetStatus().GetCode() != rpc.Code_CODE_OK { + l.Error().Interface("status", resp.GetStatus()).Str("userid", uid.GetOpaqueId()).Msg("unexpected status code while accepting share") + } + } + +} + +func getUserIDs(ctx context.Context, gwc gateway.GatewayAPIClient, uid *user.UserId, gid *group.GroupId) ([]*user.UserId, error) { + if uid != nil { + return []*user.UserId{uid}, nil + } + + res, err := gwc.GetGroup(ctx, &group.GetGroupRequest{GroupId: gid}) + if err != nil { + return nil, err + } + if res.GetStatus().GetCode() != rpc.Code_CODE_OK { + return nil, errors.New("could not get group") + } + + return res.GetGroup().GetMembers(), nil +} + +func autoAcceptShares(ctx context.Context, u *user.UserId, defaultValue bool, vs settingssvc.ValueService) bool { + granteeCtx := metadata.Set(ctx, middleware.AccountID, u.OpaqueId) + if resp, err := vs.GetValueByUniqueIdentifiers(granteeCtx, + &settingssvc.GetValueByUniqueIdentifiersRequest{ + AccountUuid: u.OpaqueId, + SettingId: defaults.SettingUUIDProfileAutoAcceptShares, + }, + ); err == nil { + return resp.GetValue().GetValue().GetBoolValue() + + } + return defaultValue +} + +func updateShareRequest(shareID *collaboration.ShareId, uid *user.UserId) *collaboration.UpdateReceivedShareRequest { + return &collaboration.UpdateReceivedShareRequest{ + Opaque: utils.AppendJSONToOpaque(nil, "userid", uid), + Share: &collaboration.ReceivedShare{ + Share: &collaboration.Share{ + Id: shareID, + }, + State: collaboration.ShareState_SHARE_STATE_ACCEPTED, + }, + UpdateMask: &fieldmaskpb.FieldMask{Paths: []string{"state"}}, + } +} diff --git a/services/frontend/pkg/command/server.go b/services/frontend/pkg/command/server.go index 7308a31463..a6a813e55c 100644 --- a/services/frontend/pkg/command/server.go +++ b/services/frontend/pkg/command/server.go @@ -90,6 +90,9 @@ func Server(cfg *config.Config) *cli.Command { logger.Fatal().Err(err).Msg("failed to register the http service") } + // start event handler + go ListenForEvents(cfg, logger) + return gr.Run() }, } diff --git a/services/frontend/pkg/config/config.go b/services/frontend/pkg/config/config.go index 65d26f6cc3..21acc43fc3 100644 --- a/services/frontend/pkg/config/config.go +++ b/services/frontend/pkg/config/config.go @@ -53,6 +53,11 @@ type Config struct { Middleware Middleware `yaml:"middleware"` + Events Events `yaml:"events"` + GRPCClientTLS *shared.GRPCClientTLS `yaml:"grpc_client_tls"` + AutoAcceptShares bool `yaml:"auto_accept_shares" env:"FRONTEND_AUTO_ACCEPT_SHARES" desc:"Defines if shares should be auto accepted by default. Users can change this setting individually in their profile."` + ServiceAccount ServiceAccount `yaml:"service_account"` + Supervised bool `yaml:"-"` Context context.Context `yaml:"-"` } @@ -151,3 +156,18 @@ type Checksums struct { SupportedTypes []string `yaml:"supported_types" env:"FRONTEND_CHECKSUMS_SUPPORTED_TYPES" desc:"Define the checksum types that indicate to clients which hashes the server can use to verify upload integrity. You can provide multiple types separated by blank or comma. Supported types are 'sha1', 'md5' and 'adler32'."` PreferredUploadType string `yaml:"preferred_upload_type" env:"FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE" desc:"The supported checksum type for uploads that indicates to clients supporting multiple hash algorithms which one is preferred by the server. Must be one out of the defined list of SUPPORTED_TYPES."` } + +// Events combines the configuration options for the event bus. +type Events struct { + Endpoint string `yaml:"endpoint" env:"OCIS_EVENTS_ENDPOINT;FRONTEND_EVENTS_ENDPOINT" desc:"The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture."` + Cluster string `yaml:"cluster" env:"OCIS_EVENTS_CLUSTER;FRONTEND_EVENTS_CLUSTER" desc:"The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system."` + TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;FRONTEND_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"FRONTEND_EVENTS_TLS_ROOT_CA_CERTIFICATE;OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false."` + EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;FRONTEND_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.."` +} + +// ServiceAccount is the configuration for the used service account +type ServiceAccount struct { + ServiceAccountID string `yaml:"service_account_id" env:"OCIS_SERVICE_ACCOUNT_ID;FRONTEND_SERVICE_ACCOUNT_ID" desc:"The ID of the service account the service should use. See the 'auth-service' service description for more details."` + ServiceAccountSecret string `yaml:"service_account_secret" env:"OCIS_SERVICE_ACCOUNT_SECRET;FRONTEND_SERVICE_ACCOUNT_SECRET" desc:"The service account secret."` +} diff --git a/services/frontend/pkg/config/defaults/defaultconfig.go b/services/frontend/pkg/config/defaults/defaultconfig.go index 39bf0c4d31..8421d30baf 100644 --- a/services/frontend/pkg/config/defaults/defaultconfig.go +++ b/services/frontend/pkg/config/defaults/defaultconfig.go @@ -120,6 +120,11 @@ func DefaultConfig() *config.Config { }, }, LDAPServerWriteEnabled: true, + Events: config.Events{ + Endpoint: "127.0.0.1:9233", + Cluster: "ocis-cluster", + EnableTLS: false, + }, } } diff --git a/services/frontend/pkg/config/parser/parse.go b/services/frontend/pkg/config/parser/parse.go index 026ae126c9..3045136e3b 100644 --- a/services/frontend/pkg/config/parser/parse.go +++ b/services/frontend/pkg/config/parser/parse.go @@ -5,6 +5,7 @@ import ( ociscfg "github.com/owncloud/ocis/v2/ocis-pkg/config" "github.com/owncloud/ocis/v2/ocis-pkg/shared" + "github.com/owncloud/ocis/v2/ocis-pkg/structs" "github.com/owncloud/ocis/v2/services/frontend/pkg/config" "github.com/owncloud/ocis/v2/services/frontend/pkg/config/defaults" @@ -46,5 +47,9 @@ func Validate(cfg *config.Config) error { return shared.MissingMachineAuthApiKeyError(cfg.Service.Name) } + if cfg.GRPCClientTLS == nil && cfg.Commons != nil { + cfg.GRPCClientTLS = structs.CopyOrZeroValue(cfg.Commons.GRPCClientTLS) + } + return nil } diff --git a/services/ocs/README.md b/services/ocs/README.md index e4fe4e1bb7..c755f84090 100644 --- a/services/ocs/README.md +++ b/services/ocs/README.md @@ -1,3 +1,8 @@ -# OCS +# OCS Service + +The `ocs` service (open collaboration services) serves one purpous: it has an endpoint for signing keys. + +## Signing-Keys Endpoint + +The `ocs` service contains an endpoint `/cloud/user/signing-key` on which a user can GET a signing key. Note, this functionality might be deprecated or moved in the future. -The ocs service is an ... diff --git a/services/settings/pkg/store/defaults/defaults.go b/services/settings/pkg/store/defaults/defaults.go index 96ca44acfd..e8f38c24f8 100644 --- a/services/settings/pkg/store/defaults/defaults.go +++ b/services/settings/pkg/store/defaults/defaults.go @@ -40,6 +40,13 @@ const ( // DisableEmailNotificationsPermissionDisplayName is the hardcoded setting name for the disable email notifications permission DisableEmailNotificationsPermissionDisplayName string = "Disable Email Notifications" + // AutoAcceptSharesPermissionID is the hardcoded setting UUID for the disable email notifications permission + AutoAcceptSharesPermissionID string = "4e41363c-a058-40a5-aec8-958897511209" + // AutoAcceptSharesPermissionName is the hardcoded setting name for the disable email notifications permission + AutoAcceptSharesPermissionName string = "AutoAcceptShares.ReadWriteDisabled" + // AutoAcceptSharesPermissionDisplayName is the hardcoded setting name for the disable email notifications permission + AutoAcceptSharesPermissionDisplayName string = "enable/disable auto accept shares" + // SetPersonalSpaceQuotaPermissionID is the hardcoded setting UUID for the set personal space quota permission SetPersonalSpaceQuotaPermissionID string = "4e6f9709-f9e7-44f1-95d4-b762d27b7896" // SetPersonalSpaceQuotaPermissionName is the hardcoded setting name for the set personal space quota permission @@ -84,6 +91,8 @@ const ( SettingUUIDProfileLanguage = "aa8cfbe5-95d4-4f7e-a032-c3c01f5f062f" // SettingUUIDProfileDisableNotifications is the hardcoded setting UUID for the disable notifications setting SettingUUIDProfileDisableNotifications = "33ffb5d6-cd07-4dc0-afb0-84f7559ae438" + // SettingUUIDProfileAutoAcceptShares is the hardcoded setting UUID for the disable notifications setting + SettingUUIDProfileAutoAcceptShares = "ec3ed4a3-3946-4efc-8f9f-76d38b12d3a9" // AccountManagementPermissionID is the hardcoded setting UUID for the account management permission AccountManagementPermissionID string = "8e587774-d929-4215-910b-a317b1e80f73" @@ -193,6 +202,21 @@ func generateBundleAdminRole() *settingsmsg.Bundle { }, }, }, + { + Id: AutoAcceptSharesPermissionID, + Name: AutoAcceptSharesPermissionName, + DisplayName: AutoAcceptSharesPermissionDisplayName, + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SETTING, + Id: SettingUUIDProfileAutoAcceptShares, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: settingsmsg.Permission_CONSTRAINT_OWN, + }, + }, + }, { Id: AccountManagementPermissionID, Name: AccountManagementPermissionName, @@ -510,6 +534,21 @@ func generateBundleSpaceAdminRole() *settingsmsg.Bundle { }, }, }, + { + Id: AutoAcceptSharesPermissionID, + Name: AutoAcceptSharesPermissionName, + DisplayName: AutoAcceptSharesPermissionDisplayName, + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SETTING, + Id: SettingUUIDProfileAutoAcceptShares, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: settingsmsg.Permission_CONSTRAINT_OWN, + }, + }, + }, { Id: SelfManagementPermissionID, Name: SelfManagementPermissionName, @@ -601,6 +640,21 @@ func generateBundleUserRole() *settingsmsg.Bundle { }, }, }, + { + Id: AutoAcceptSharesPermissionID, + Name: AutoAcceptSharesPermissionName, + DisplayName: AutoAcceptSharesPermissionDisplayName, + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SETTING, + Id: SettingUUIDProfileAutoAcceptShares, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: settingsmsg.Permission_CONSTRAINT_OWN, + }, + }, + }, { Id: SelfManagementPermissionID, Name: SelfManagementPermissionName, @@ -692,6 +746,21 @@ func generateBundleUserLightRole() *settingsmsg.Bundle { }, }, }, + { + Id: AutoAcceptSharesPermissionID, + Name: AutoAcceptSharesPermissionName, + DisplayName: AutoAcceptSharesPermissionDisplayName, + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_SETTING, + Id: SettingUUIDProfileAutoAcceptShares, + }, + Value: &settingsmsg.Setting_PermissionValue{ + PermissionValue: &settingsmsg.Permission{ + Operation: settingsmsg.Permission_OPERATION_READWRITE, + Constraint: settingsmsg.Permission_CONSTRAINT_OWN, + }, + }, + }, }, } } @@ -727,6 +796,16 @@ func generateBundleProfileRequest() *settingsmsg.Bundle { }, Value: &settingsmsg.Setting_BoolValue{BoolValue: &settingsmsg.Bool{Default: false, Label: "disable notifications"}}, }, + { + Id: SettingUUIDProfileAutoAcceptShares, + Name: "auto-accept-shares", + DisplayName: "Auto accept shares", + Description: "Automatically accept shares", + Resource: &settingsmsg.Resource{ + Type: settingsmsg.Resource_TYPE_USER, + }, + Value: &settingsmsg.Setting_BoolValue{BoolValue: &settingsmsg.Bool{Default: true, Label: "auto accept shares"}}, + }, }, } }