bump reva

Signed-off-by: jkoberg <jkoberg@owncloud.com>

changelog/unreleased/bump-reva.md

@@ -0,0 +1,5 @@
+Enhancement: Bump reva
+
+bumps reva version
+
+https://github.com/owncloud/ocis/pull/7721

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/coreos/go-oidc/v3 v3.7.0
 	github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781
-	github.com/cs3org/reva/v2 v2.16.1-0.20231110061744-953e57a6a95c
+	github.com/cs3org/reva/v2 v2.16.1-0.20231113153113-e258a7c4dfb0
 	github.com/dhowden/tag v0.0.0-20230630033851-978a0926ee25
 	github.com/disintegration/imaging v1.6.2
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e

go.sum

@@ -1013,8 +1013,8 @@ github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
 github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2FasrrPg8gGPHQPOrQ18MS1Oew2tmGtY=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
-github.com/cs3org/reva/v2 v2.16.1-0.20231110061744-953e57a6a95c h1:sxTOKm1ChsykAm8ITLHXNSic9RTUfpAq6Ujj94/irXQ=
-github.com/cs3org/reva/v2 v2.16.1-0.20231110061744-953e57a6a95c/go.mod h1:utPCNSrWDdAwz2biLrKvzO6nDH9L7vRVGNzof13r8Kw=
+github.com/cs3org/reva/v2 v2.16.1-0.20231113153113-e258a7c4dfb0 h1:k7WdgewYRI5sWqfnyV3GG+nPCxyAZfh1YEkqZep1Nf8=
+github.com/cs3org/reva/v2 v2.16.1-0.20231113153113-e258a7c4dfb0/go.mod h1:utPCNSrWDdAwz2biLrKvzO6nDH9L7vRVGNzof13r8Kw=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/proppatch.go

@@ -38,7 +38,9 @@ import (
 	"github.com/cs3org/reva/v2/pkg/appctx"
 	ctxpkg "github.com/cs3org/reva/v2/pkg/ctx"
 	"github.com/cs3org/reva/v2/pkg/errtypes"
+	"github.com/cs3org/reva/v2/pkg/permission"
 	rstatus "github.com/cs3org/reva/v2/pkg/rgrpc/status"
+	"github.com/cs3org/reva/v2/pkg/utils"
 	"github.com/rs/zerolog"
 )
 
@@ -217,6 +219,17 @@ func (s *svc) handleProppatch(ctx context.Context, w http.ResponseWriter, r *htt
 						return nil, nil, false
 					}
 					currentUser := ctxpkg.ContextMustGetUser(ctx)
+					ok, err := utils.CheckPermission(ctx, permission.WriteFavorites, client)
+					if err != nil {
+						log.Error().Err(err).Msg("error checking permission")
+						w.WriteHeader(http.StatusInternalServerError)
+						return nil, nil, false
+					}
+					if !ok {
+						log.Info().Interface("user", currentUser).Msg("user not allowed to unset favorite")
+						w.WriteHeader(http.StatusForbidden)
+						return nil, nil, false
+					}
 					err = s.favoritesManager.UnsetFavorite(ctx, currentUser.Id, statRes.Info)
 					if err != nil {
 						w.WriteHeader(http.StatusInternalServerError)
@@ -275,6 +288,17 @@ func (s *svc) handleProppatch(ctx context.Context, w http.ResponseWriter, r *htt
 						return nil, nil, false
 					}
 					currentUser := ctxpkg.ContextMustGetUser(ctx)
+					ok, err := utils.CheckPermission(ctx, permission.WriteFavorites, client)
+					if err != nil {
+						log.Error().Err(err).Msg("error checking permission")
+						w.WriteHeader(http.StatusInternalServerError)
+						return nil, nil, false
+					}
+					if !ok {
+						log.Info().Interface("user", currentUser).Msg("user not allowed to set favorite")
+						w.WriteHeader(http.StatusForbidden)
+						return nil, nil, false
+					}
 					err = s.favoritesManager.SetFavorite(ctx, currentUser.Id, statRes.Info)
 					if err != nil {
 						w.WriteHeader(http.StatusInternalServerError)

vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/report.go

@@ -30,6 +30,8 @@ import (
 	"github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/propfind"
 	"github.com/cs3org/reva/v2/pkg/appctx"
 	ctxpkg "github.com/cs3org/reva/v2/pkg/ctx"
+	"github.com/cs3org/reva/v2/pkg/permission"
+	"github.com/cs3org/reva/v2/pkg/utils"
 )
 
 const (
@@ -73,7 +75,24 @@ func (s *svc) doFilterFiles(w http.ResponseWriter, r *http.Request, ff *reportFi
 
 	if ff.Rules.Favorite {
 		// List the users favorite resources.
+		client, err := s.gatewaySelector.Next()
+		if err != nil {
+			log.Error().Err(err).Msg("error selecting next gateway client")
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
 		currentUser := ctxpkg.ContextMustGetUser(ctx)
+		ok, err := utils.CheckPermission(ctx, permission.ListFavorites, client)
+		if err != nil {
+			log.Error().Err(err).Msg("error checking permission")
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		if !ok {
+			log.Info().Interface("user", currentUser).Msg("user not allowed to list favorites")
+			w.WriteHeader(http.StatusForbidden)
+			return
+		}
 		favorites, err := s.favoritesManager.ListFavorites(ctx, currentUser.Id)
 		if err != nil {
 			log.Error().Err(err).Msg("error getting favorites")
@@ -81,12 +100,6 @@ func (s *svc) doFilterFiles(w http.ResponseWriter, r *http.Request, ff *reportFi
 			return
 		}
 
-		client, err := s.gatewaySelector.Next()
-		if err != nil {
-			log.Error().Err(err).Msg("error selecting next gateway client")
-			w.WriteHeader(http.StatusInternalServerError)
-			return
-		}
 		infos := make([]*provider.ResourceInfo, 0, len(favorites))
 		for i := range favorites {
 			statRes, err := client.Stat(ctx, &providerv1beta1.StatRequest{Ref: &providerv1beta1.Reference{ResourceId: favorites[i]}})

vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/public.go

@@ -26,13 +26,14 @@ import (
 	"strconv"
 
 	userv1beta1 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
-	permissionsv1beta1 "github.com/cs3org/go-cs3apis/cs3/permissions/v1beta1"
 	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
 	"github.com/cs3org/reva/v2/pkg/conversions"
+	"github.com/cs3org/reva/v2/pkg/permission"
 	"github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
+	"github.com/cs3org/reva/v2/pkg/utils"
 	"github.com/huandu/xstrings"
 	"github.com/rs/zerolog/log"
 
@@ -69,15 +70,7 @@ func (h *Handler) createPublicLinkShare(w http.ResponseWriter, r *http.Request,
 
 	// NOTE: one is allowed to create an internal link without the `Publink.Write` permission
 	if permKey != nil && *permKey != 0 {
-		user := ctxpkg.ContextMustGetUser(ctx)
-		resp, err := c.CheckPermission(ctx, &permissionsv1beta1.CheckPermissionRequest{
-			SubjectRef: &permissionsv1beta1.SubjectReference{
-				Spec: &permissionsv1beta1.SubjectReference_UserId{
-					UserId: user.Id,
-				},
-			},
-			Permission: "PublicLink.Write",
-		})
+		ok, err := utils.CheckPermission(ctx, permission.WritePublicLink, c)
 		if err != nil {
 			return nil, &ocsError{
 				Code:    response.MetaServerError.StatusCode,
@@ -85,8 +78,7 @@ func (h *Handler) createPublicLinkShare(w http.ResponseWriter, r *http.Request,
 				Error:   err,
 			}
 		}
-
-		if resp.Status.Code != rpc.Code_CODE_OK {
+		if !ok {
 			return nil, &ocsError{
 				Code:    response.MetaForbidden.StatusCode,
 				Message: "user is not allowed to create a public link",
@@ -335,20 +327,12 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar
 
 	// NOTE: you are allowed to update a link TO a public link without the `PublicLink.Write` permission if you created it yourself
 	if (permKey != nil && *permKey != 0) || !createdByUser {
-		resp, err := gwC.CheckPermission(ctx, &permissionsv1beta1.CheckPermissionRequest{
-			SubjectRef: &permissionsv1beta1.SubjectReference{
-				Spec: &permissionsv1beta1.SubjectReference_UserId{
-					UserId: user.Id,
-				},
-			},
-			Permission: "PublicLink.Write",
-		})
+		ok, err := utils.CheckPermission(ctx, permission.WritePublicLink, gwC)
 		if err != nil {
 			response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "failed to check user permission", err)
 			return
 		}
-
-		if resp.Status.Code != rpc.Code_CODE_OK {
+		if !ok {
 			response.WriteOCSError(w, r, response.MetaForbidden.StatusCode, "user is not allowed to update the public link", nil)
 			return
 		}
@@ -710,20 +694,12 @@ func (h *Handler) checkPasswordEnforcement(ctx context.Context, user *userv1beta
 		response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "could not check permission", err)
 		return errors.New("could not check permission")
 	}
-	resp, err := gwC.CheckPermission(ctx, &permissionsv1beta1.CheckPermissionRequest{
-		SubjectRef: &permissionsv1beta1.SubjectReference{
-			Spec: &permissionsv1beta1.SubjectReference_UserId{
-				UserId: user.Id,
-			},
-		},
-		Permission: "ReadOnlyPublicLinkPassword.Delete",
-	})
+	ok, err := utils.CheckPermission(ctx, permission.DeleteReadOnlyPassword, gwC)
 	if err != nil {
 		response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "failed to check user permission", err)
 		return errors.New("failed to check user permission")
 	}
-
-	if resp.Status.Code != rpc.Code_CODE_OK {
+	if !ok {
 		response.WriteOCSError(w, r, response.MetaForbidden.StatusCode, "user is not allowed to delete the password from the public link", nil)
 		return errors.New("user is not allowed to delete the password from the public link")
 	}

vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go

@@ -42,6 +42,7 @@ import (
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
 	"github.com/cs3org/reva/v2/pkg/conversions"
 	"github.com/cs3org/reva/v2/pkg/password"
+	"github.com/cs3org/reva/v2/pkg/permission"
 	"github.com/go-chi/chi/v5"
 	"github.com/rs/zerolog"
 	"google.golang.org/grpc/metadata"
@@ -233,6 +234,18 @@ func (h *Handler) CreateShare(w http.ResponseWriter, r *http.Request) {
 	}
 	sublog := appctx.GetLogger(ctx).With().Interface("ref", ref).Logger()
 
+	ok, err := utils.CheckPermission(ctx, permission.WriteShare, client)
+	if err != nil {
+		sublog.Error().Err(err).Msg("error checking user permissions")
+		response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "error checking user permissions", err)
+		return
+	}
+	if !ok {
+		sublog.Debug().Interface("user", ctxpkg.ContextMustGetUser(ctx).Id).Msg("user not allowed to create share")
+		response.WriteOCSError(w, r, response.MetaForbidden.StatusCode, "permission denied", nil)
+		return
+	}
+
 	statReq := provider.StatRequest{Ref: &ref, FieldMask: &fieldmaskpb.FieldMask{Paths: []string{"space"}}}
 	statRes, err := client.Stat(ctx, &statReq)
 	if err != nil {
@@ -725,6 +738,18 @@ func (h *Handler) updateShare(w http.ResponseWriter, r *http.Request, share *col
 		return
 	}
 
+	ok, err := utils.CheckPermission(ctx, permission.WriteShare, client)
+	if err != nil {
+		sublog.Error().Err(err).Msg("error checking user permissions")
+		response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "error checking user permissions", err)
+		return
+	}
+	if !ok {
+		sublog.Debug().Interface("user", ctxpkg.ContextMustGetUser(ctx).Id).Msg("user not allowed to create share")
+		response.WriteOCSError(w, r, response.MetaForbidden.StatusCode, "permission denied", nil)
+		return
+	}
+
 	info, status, err := h.getResourceInfoByID(ctx, client, share.ResourceId)
 	if err != nil || status.Code != rpc.Code_CODE_OK {
 		response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "error mapping share data", err)

vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/user.go

@@ -32,6 +32,7 @@ import (
 	"github.com/cs3org/reva/v2/pkg/appctx"
 	"github.com/cs3org/reva/v2/pkg/conversions"
 	ctxpkg "github.com/cs3org/reva/v2/pkg/ctx"
+	"github.com/cs3org/reva/v2/pkg/permission"
 	"github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
 	"github.com/cs3org/reva/v2/pkg/utils"
 )
@@ -163,6 +164,17 @@ func (h *Handler) removeUserShare(w http.ResponseWriter, r *http.Request, share
 		return
 	}
 
+	// TODO: should we use Share.Delete here?
+	ok, err := utils.CheckPermission(ctx, permission.WriteShare, uClient)
+	if err != nil {
+		response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "error checking user permissions", err)
+		return
+	}
+	if !ok {
+		response.WriteOCSError(w, r, response.MetaForbidden.StatusCode, "permission denied", nil)
+		return
+	}
+
 	shareRef := &collaboration.ShareReference{
 		Spec: &collaboration.ShareReference_Id{
 			Id: share.Id,

vendor/github.com/cs3org/reva/v2/pkg/permission/manager/demo/demo.go

@@ -47,6 +47,15 @@ func (m manager) CheckPermission(perm string, subject string, ref *provider.Refe
 	case permission.ListAllSpaces:
 		// TODO introduce an admin role to allow listing all spaces
 		return false
+	case permission.WriteShare:
+		// TODO guest accounts cannot share
+		return true
+	case permission.ListFavorites:
+		// TODO guest accounts cannot list favorites
+		return true
+	case permission.WriteFavorites:
+		// TODO guest accounts cannot write favorites
+		return true
 	default:
 		// We can currently return false all the time.
 		// Once we beginn testing roles we need to somehow check the roles of the users here

vendor/github.com/cs3org/reva/v2/pkg/permission/permission.go

@@ -29,6 +29,14 @@ const (
 	CreateSpace string = "Drives.Create"
 	// WritePublicLink is the hardcoded name for the PublicLink.Write permission
 	WritePublicLink string = "PublicLink.Write"
+	// WriteShare is the hardcoded name for the Shares.Write permission
+	WriteShare string = "Shares.Write"
+	// ListFavorites is the hardcoded name for the Favorites.List permission
+	ListFavorites string = "Favorites.List"
+	// WriteFavorites is the hardcoded name for the Favorites.Write permission
+	WriteFavorites string = "Favorites.Write"
+	// DeleteReadOnlyPassword is the hardcoded name for the ReadOnlyPublicLinkPassword.Delete permission
+	DeleteReadOnlyPassword string = "ReadOnlyPublicLinkPassword.Delete"
 )
 
 // Manager defines the interface for the permission service driver

vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go

@@ -9,8 +9,10 @@ import (
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	group "github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1"
 	user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+	permissions "github.com/cs3org/go-cs3apis/cs3/permissions/v1beta1"
 	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	storageprovider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
+	ctxpkg "github.com/cs3org/reva/v2/pkg/ctx"
 	revactx "github.com/cs3org/reva/v2/pkg/ctx"
 
 	"google.golang.org/grpc/metadata"
@@ -164,6 +166,20 @@ func GetResource(ctx context.Context, ref *storageprovider.Reference, gwc gatewa
 	return res.GetInfo(), nil
 }
 
+// CheckPermission checks if the user role contains the given permission
+func CheckPermission(ctx context.Context, perm string, gwc gateway.GatewayAPIClient) (bool, error) {
+	user := ctxpkg.ContextMustGetUser(ctx)
+	resp, err := gwc.CheckPermission(ctx, &permissions.CheckPermissionRequest{
+		SubjectRef: &permissions.SubjectReference{
+			Spec: &permissions.SubjectReference_UserId{
+				UserId: user.Id,
+			},
+		},
+		Permission: perm,
+	})
+	return resp.GetStatus().GetCode() == rpc.Code_CODE_OK, err
+}
+
 // IsStatusCodeError returns true if `err` was caused because of status code `code`
 func IsStatusCodeError(err error, code rpc.Code) bool {
 	sce, ok := err.(statusCodeError)

vendor/modules.txt

@@ -357,7 +357,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1
 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1
 github.com/cs3org/go-cs3apis/cs3/types/v1beta1
-# github.com/cs3org/reva/v2 v2.16.1-0.20231110061744-953e57a6a95c
+# github.com/cs3org/reva/v2 v2.16.1-0.20231113153113-e258a7c4dfb0
 ## explicit; go 1.20
 github.com/cs3org/reva/v2/cmd/revad/internal/grace
 github.com/cs3org/reva/v2/cmd/revad/runtime