github.com/cs3org/reva/v2@v2.27.7/pkg/auth/scope/lightweight.go (about)

     1  // Copyright 2018-2021 CERN
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  //
    15  // In applying this license, CERN does not waive the privileges and immunities
    16  // granted to it by virtue of its status as an Intergovernmental Organization
    17  // or submit itself to any jurisdiction.
    18  
    19  package scope
    20  
    21  import (
    22  	"context"
    23  	"strings"
    24  
    25  	authpb "github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1"
    26  	collaboration "github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1"
    27  	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
    28  	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
    29  	"github.com/cs3org/reva/v2/pkg/utils"
    30  	"github.com/rs/zerolog"
    31  )
    32  
// lightweightAccountScope is the verifier behind the "lightweight" scope.
//
// A lightweight account is only meant to reach resources that were shared with
// it, but the set of received shares cannot be resolved from here; the code
// path that mints the token is expected to attach per-share scopes next to this
// one. This verifier therefore admits exactly two kinds of resource:
//
//   - a gRPC *collaboration.ListReceivedSharesRequest, always allowed, so the
//     account can discover its shares;
//   - an HTTP request path given as a string, allowed only when
//     checkLightweightPath accepts it.
//
// Every other resource type is rejected. The scope argument is never consulted,
// so the Role and Resource stored in the scope do not influence this decision;
// ctx and the logger are unused as well. The returned error is always nil.
func lightweightAccountScope(_ context.Context, scope *authpb.Scope, resource interface{}, _ *zerolog.Logger) (bool, error) {
	if _, isListShares := resource.(*collaboration.ListReceivedSharesRequest); isListShares {
		return true, nil
	}
	if reqPath, isPath := resource.(string); isPath {
		return checkLightweightPath(reqPath), nil
	}
	// Anything else (other CS3 requests, references, ...) is out of scope.
	return false, nil
}
    46  
// lightweightPathPrefixes lists the HTTP path prefixes a lightweight account is
// allowed to reach. Matching is a plain string-prefix test (see
// checkLightweightPath), so each entry admits every path that starts with it,
// not only the route itself and its sub-paths.
var lightweightPathPrefixes = []string{
	"/ocs/v2.php/apps/files_sharing/api/v1/shares",
	"/ocs/v1.php/apps/files_sharing/api/v1/shares",
	"/ocs/v2.php/apps/files_sharing//api/v1/shares",
	"/ocs/v1.php/apps/files_sharing//api/v1/shares",
	"/ocs/v2.php/cloud/capabilities",
	"/ocs/v1.php/cloud/capabilities",
	"/ocs/v2.php/cloud/user",
	"/ocs/v1.php/cloud/user",
	"/remote.php/webdav",
	"/remote.php/dav/files",
	"/app/open",
	"/app/new",
	"/archiver",
	"/dataprovider",
	"/data",
}

// checkLightweightPath reports whether path (an HTTP request path) begins with
// one of lightweightPathPrefixes.
//
// NOTE(review): the comparison is strings.HasPrefix with no path-segment
// boundary. Consequently "/ocs/v2.php/cloud/user" also admits any path
// beginning with "/ocs/v2.php/cloud/users", "/app/open" admits "/app/openX",
// and "/data" admits every path starting with "/data" (which makes the
// "/dataprovider" entry redundant). The path is not normalised before
// matching either; the "//api" variants are presumably listed for that reason.
// Whether every route actually mounted under these prefixes is meant to be
// reachable by lightweight accounts cannot be told from this file. If not,
// anchoring the match to a segment boundary (exact match, or prefix followed
// by "/") is the tightening to consider — TODO confirm against the HTTP
// router before changing.
func checkLightweightPath(path string) bool {
	for i := range lightweightPathPrefixes {
		if strings.HasPrefix(path, lightweightPathPrefixes[i]) {
			return true
		}
	}
	return false
}
    72  
// AddLightweightAccountScope registers the "lightweight" scope in scopes and
// returns the resulting map.
//
// The scope's Resource is a JSON-encoded provider.Reference whose Path is "/",
// and its Role is the role passed in. Note that the verifier for this scope,
// lightweightAccountScope, does not read the scope it is handed, so the
// recorded Role and Resource do not narrow what the scope permits; that is
// decided there by the resource type and the path allowlist.
//
// A nil scopes map is accepted: a fresh map is created and returned. An
// existing "lightweight" entry is overwritten. If marshalling the reference
// fails, scopes is left untouched and (nil, err) is returned.
func AddLightweightAccountScope(role authpb.Role, scopes map[string]*authpb.Scope) (map[string]*authpb.Scope, error) {
	root := &provider.Reference{Path: "/"}
	encoded, err := utils.MarshalProtoV1ToJSON(root)
	if err != nil {
		return nil, err
	}

	out := scopes
	if out == nil {
		out = make(map[string]*authpb.Scope)
	}
	out["lightweight"] = &authpb.Scope{
		Role: role,
		Resource: &types.OpaqueEntry{
			Decoder: "json",
			Value:   encoded,
		},
	}
	return out, nil
}
    91  }