bump reva

Signed-off-by: jkoberg <jkoberg@owncloud.com>

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/coreos/go-oidc/v3 v3.6.0
 	github.com/cs3org/go-cs3apis v0.0.0-20230516150832-730ac860c71d
-	github.com/cs3org/reva/v2 v2.16.1-0.20230828111521-594d4e103741
+	github.com/cs3org/reva/v2 v2.16.1-0.20230829124655-8ba013d7a129
 	github.com/disintegration/imaging v1.6.2
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
 	github.com/egirna/icap-client v0.1.1

go.sum

@@ -858,8 +858,8 @@ github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/crewjam/saml v0.4.13 h1:TYHggH/hwP7eArqiXSJUvtOPNzQDyQ7vwmwEqlFWhMc=
 github.com/crewjam/saml v0.4.13/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA=
-github.com/cs3org/reva/v2 v2.16.1-0.20230828111521-594d4e103741 h1:y3Tw/ZVGPSDRiCslFUESomgSUOa3SAguOJKpiSk9pls=
-github.com/cs3org/reva/v2 v2.16.1-0.20230828111521-594d4e103741/go.mod h1:RvhuweTFqzezjUFU0SIdTXakrEx9vJlMvQ7znPXSP1g=
+github.com/cs3org/reva/v2 v2.16.1-0.20230829124655-8ba013d7a129 h1:259bY0/RA/xOxN+7SnRryP5MXbj/GmXgNRqv4LYb8Co=
+github.com/cs3org/reva/v2 v2.16.1-0.20230829124655-8ba013d7a129/go.mod h1:RvhuweTFqzezjUFU0SIdTXakrEx9vJlMvQ7znPXSP1g=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

ocis/pkg/command/auth-service.go

@@ -0,0 +1,30 @@
+package command
+
+import (
+	"github.com/owncloud/ocis/v2/ocis-pkg/config"
+	"github.com/owncloud/ocis/v2/ocis-pkg/config/configlog"
+	"github.com/owncloud/ocis/v2/ocis-pkg/config/parser"
+	"github.com/owncloud/ocis/v2/ocis/pkg/command/helper"
+	"github.com/owncloud/ocis/v2/ocis/pkg/register"
+	"github.com/owncloud/ocis/v2/services/auth-service/pkg/command"
+	"github.com/urfave/cli/v2"
+)
+
+// AuthServiceCommand is the entrypoint for the AuthService command.
+func AuthServiceCommand(cfg *config.Config) *cli.Command {
+	return &cli.Command{
+		Name:     cfg.AuthService.Service.Name,
+		Usage:    helper.SubcommandDescription(cfg.AuthService.Service.Name),
+		Category: "services",
+		Before: func(c *cli.Context) error {
+			configlog.Error(parser.ParseConfig(cfg, true))
+			cfg.AuthService.Commons = cfg.Commons
+			return nil
+		},
+		Subcommands: command.GetCommands(cfg.AuthService),
+	}
+}
+
+func init() {
+	register.AddCommand(AuthServiceCommand)
+}

vendor/github.com/cs3org/reva/v2/pkg/auth/manager/loader/loader.go

@@ -30,5 +30,6 @@ import (
 	_ "github.com/cs3org/reva/v2/pkg/auth/manager/oidc"
 	_ "github.com/cs3org/reva/v2/pkg/auth/manager/owncloudsql"
 	_ "github.com/cs3org/reva/v2/pkg/auth/manager/publicshares"
+	_ "github.com/cs3org/reva/v2/pkg/auth/manager/serviceaccounts"
 	// Add your own here
 )

vendor/github.com/cs3org/reva/v2/pkg/auth/manager/registry/registry.go

@@ -18,7 +18,9 @@
 
 package registry
 
-import "github.com/cs3org/reva/v2/pkg/auth"
+import (
+	"github.com/cs3org/reva/v2/pkg/auth"
+)
 
 // NewFunc is the function that auth implementations
 // should register to at init time.

vendor/github.com/cs3org/reva/v2/pkg/auth/manager/serviceaccounts/serviceaccounts.go

@@ -0,0 +1,90 @@
+package serviceaccounts
+
+import (
+	"context"
+
+	authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
+	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+
+	"github.com/cs3org/reva/v2/pkg/auth"
+	"github.com/cs3org/reva/v2/pkg/auth/manager/registry"
+	"github.com/cs3org/reva/v2/pkg/auth/scope"
+	"github.com/mitchellh/mapstructure"
+	"github.com/pkg/errors"
+)
+
+type conf struct {
+	ServiceUsers []serviceuser `mapstructure:"service_accounts"`
+}
+
+type serviceuser struct {
+	ID     string `mapstructure:"id"`
+	Secret string `mapstructure:"secret"`
+}
+
+type manager struct {
+	authenticate func(userID, secret string) error
+}
+
+func init() {
+	registry.Register("serviceaccounts", New)
+}
+
+// Configure parses the map conf
+func (m *manager) Configure(config map[string]interface{}) error {
+	c := &conf{}
+	if err := mapstructure.Decode(config, c); err != nil {
+		return errors.Wrap(err, "error decoding conf")
+	}
+	// only inmem authenticator for now
+	a := &inmemAuthenticator{make(map[string]string)}
+	for _, s := range c.ServiceUsers {
+		a.m[s.ID] = s.Secret
+	}
+	m.authenticate = a.Authenticate
+	return nil
+}
+
+// New creates a new manager for the 'service' authentication
+func New(conf map[string]interface{}) (auth.Manager, error) {
+	m := &manager{}
+	err := m.Configure(conf)
+	if err != nil {
+		return nil, err
+	}
+
+	return m, nil
+}
+
+// Authenticate authenticates the service account
+func (m *manager) Authenticate(ctx context.Context, userID string, secret string) (*userpb.User, map[string]*authpb.Scope, error) {
+	if err := m.authenticate(userID, secret); err != nil {
+		return nil, nil, err
+	}
+	scope, err := scope.AddOwnerScope(nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	return &userpb.User{
+		// TODO: more details for service users?
+		Id: &userpb.UserId{
+			OpaqueId: userID,
+			Type:     userpb.UserType_USER_TYPE_SERVICE,
+			Idp:      "none",
+		},
+	}, scope, nil
+}
+
+type inmemAuthenticator struct {
+	m map[string]string
+}
+
+func (a *inmemAuthenticator) Authenticate(userID string, secret string) error {
+	if secret == "" || a.m[userID] == "" {
+		return errors.New("unknown user")
+	}
+	if a.m[userID] == secret {
+		return nil
+	}
+	return errors.New("secrets do not match")
+}

vendor/github.com/cs3org/reva/v2/pkg/storage/registry/spaces/spaces.go

@@ -481,7 +481,7 @@ func (r *registry) findProvidersForResource(ctx context.Context, id string, find
 				},
 			})
 		}
-		spaces, err := r.findStorageSpaceOnProvider(ctx, address, filters, false)
+		spaces, err := r.findStorageSpaceOnProvider(ctx, address, filters, unrestricted)
 		if err != nil {
 			appctx.GetLogger(ctx).Debug().Err(err).Interface("provider", provider).Msg("findStorageSpaceOnProvider by id failed, continuing")
 			continue

vendor/github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/node/permissions.go

@@ -22,6 +22,7 @@ import (
 	"context"
 	"strings"
 
+	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	"github.com/cs3org/reva/v2/pkg/appctx"
 	ctxpkg "github.com/cs3org/reva/v2/pkg/ctx"
@@ -84,6 +85,21 @@ func OwnerPermissions() provider.ResourcePermissions {
 	}
 }
 
+// ServiceAccountPermissions defines the permissions for nodes when requested by a service account
+func ServiceAccountPermissions() provider.ResourcePermissions {
+	// TODO: Different permissions for different service accounts
+	return provider.ResourcePermissions{
+		Stat:                 true,
+		ListContainer:        true,
+		GetPath:              true, // for search index
+		InitiateFileUpload:   true, // for personal data export
+		InitiateFileDownload: true, // for full-text-search
+		RemoveGrant:          true, // for share expiry
+		ListRecycle:          true, // for purge-trash-bin command
+		PurgeRecycle:         true, // for purge-trash-bin command
+	}
+}
+
 // Permissions implements permission checks
 type Permissions struct {
 	lu PathLookup
@@ -113,6 +129,10 @@ func (p *Permissions) assemblePermissions(ctx context.Context, n *Node, failOnTr
 		return NoPermissions(), nil
 	}
 
+	if u.GetId().GetType() == userpb.UserType_USER_TYPE_SERVICE {
+		return ServiceAccountPermissions(), nil
+	}
+
 	// are we reading a revision?
 	if strings.Contains(n.ID, RevisionIDDelimiter) {
 		// verify revision key format

vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go

@@ -11,19 +11,8 @@ import (
 	"google.golang.org/grpc/metadata"
 )
 
-// Impersonate returns an authenticated reva context and the user it represents
-func Impersonate(userID *user.UserId, gwc gateway.GatewayAPIClient, machineAuthAPIKey string) (context.Context, *user.User, error) {
-	usr, err := GetUser(userID, gwc, machineAuthAPIKey)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	ctx, err := ImpersonateUser(usr, gwc, machineAuthAPIKey)
-	return ctx, usr, err
-}
-
 // GetUser gets the specified user
-func GetUser(userID *user.UserId, gwc gateway.GatewayAPIClient, machineAuthAPIKey string) (*user.User, error) {
+func GetUser(userID *user.UserId, gwc gateway.GatewayAPIClient) (*user.User, error) {
 	getUserResponse, err := gwc.GetUser(context.Background(), &user.GetUserRequest{UserId: userID})
 	if err != nil {
 		return nil, err
@@ -35,19 +24,19 @@ func GetUser(userID *user.UserId, gwc gateway.GatewayAPIClient, machineAuthAPIKe
 	return getUserResponse.GetUser(), nil
 }
 
-// ImpersonateUser impersonates the given user
-func ImpersonateUser(usr *user.User, gwc gateway.GatewayAPIClient, machineAuthAPIKey string) (context.Context, error) {
-	ctx := revactx.ContextSetUser(context.Background(), usr)
+// GetServiceUserContext returns an authenticated context of the given service user
+func GetServiceUserContext(serviceUserID string, gwc gateway.GatewayAPIClient, serviceUserSecret string) (context.Context, error) {
+	ctx := context.Background()
 	authRes, err := gwc.Authenticate(ctx, &gateway.AuthenticateRequest{
-		Type:         "machine",
-		ClientId:     "userid:" + usr.GetId().GetOpaqueId(),
-		ClientSecret: machineAuthAPIKey,
+		Type:         "serviceaccounts",
+		ClientId:     serviceUserID,
+		ClientSecret: serviceUserSecret,
 	})
 	if err != nil {
 		return nil, err
 	}
 	if authRes.GetStatus().GetCode() != rpc.Code_CODE_OK {
-		return nil, fmt.Errorf("error impersonating user: %s", authRes.Status.Message)
+		return nil, fmt.Errorf("error authenticating service user: %s", authRes.Status.Message)
 	}
 
 	return metadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, authRes.Token), nil

vendor/modules.txt

@@ -354,7 +354,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1
 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1
 github.com/cs3org/go-cs3apis/cs3/types/v1beta1
-# github.com/cs3org/reva/v2 v2.16.1-0.20230828111521-594d4e103741
+# github.com/cs3org/reva/v2 v2.16.1-0.20230829124655-8ba013d7a129
 ## explicit; go 1.20
 github.com/cs3org/reva/v2/cmd/revad/internal/grace
 github.com/cs3org/reva/v2/cmd/revad/runtime
@@ -473,6 +473,7 @@ github.com/cs3org/reva/v2/pkg/auth/manager/owncloudsql
 github.com/cs3org/reva/v2/pkg/auth/manager/owncloudsql/accounts
 github.com/cs3org/reva/v2/pkg/auth/manager/publicshares
 github.com/cs3org/reva/v2/pkg/auth/manager/registry
+github.com/cs3org/reva/v2/pkg/auth/manager/serviceaccounts
 github.com/cs3org/reva/v2/pkg/auth/registry/loader
 github.com/cs3org/reva/v2/pkg/auth/registry/registry
 github.com/cs3org/reva/v2/pkg/auth/registry/static