Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow querying federated sharing roles #9765

Merged
merged 3 commits into from
Aug 13, 2024
Merged

allow querying federated sharing roles #9765

merged 3 commits into from
Aug 13, 2024

Conversation

butonic
Copy link
Member

@butonic butonic commented Aug 8, 2024
edited
Loading

When listing permissions clients can now fetch the list of available federated sharing roles by sending a GET /graph/v1beta1/drives/{driveid}/items/{itemid}/[email protected]/rolePermissions/any(p:contains(p/condition, '@Subject.UserType=="Federated"')) request. Note that this is the only supported filter expression. Federated sharing roles will be omitted from requests without this filter.

The /roleManagement/permissions/roleDefinitions also returns the new roles. Filtering them is done in a subsequent PR which requires #9727

server part of #9745

 $ curl 'https://cloud.owncloud.test/graph/v1beta1/drives/storage-users-2%244c510ada-c86b-4815-8820-42cdf82c3d51/items/storage-users-2%244c510ada-c86b-4815-8820-42cdf82c3d51!f071293a-7cfe-4361-813d-008b791b113c/[email protected]/rolePermissions/any(p:contains(p/condition,%20\'@Subject.UserType=="Federated"\'))' -H 'Authorization: Bearer your.jwt.token'  -k | jq
{
  "@libre.graph.permissions.actions.allowedValues": [
    "libre.graph/driveItem/permissions/create",
    "libre.graph/driveItem/children/create",
    "libre.graph/driveItem/standard/delete",
    "libre.graph/driveItem/path/read",
    "libre.graph/driveItem/quota/read",
    "libre.graph/driveItem/content/read",
    "libre.graph/driveItem/upload/create",
    "libre.graph/driveItem/permissions/read",
    "libre.graph/driveItem/children/read",
    "libre.graph/driveItem/versions/read",
    "libre.graph/driveItem/deleted/read",
    "libre.graph/driveItem/path/update",
    "libre.graph/driveItem/permissions/delete",
    "libre.graph/driveItem/deleted/delete",
    "libre.graph/driveItem/versions/update",
    "libre.graph/driveItem/deleted/update",
    "libre.graph/driveItem/basic/read",
    "libre.graph/driveItem/permissions/update",
    "libre.graph/driveItem/permissions/deny"
  ],
  "@libre.graph.permissions.roles.allowedValues": [
    {
      "@libre.graph.weight": 1,
      "description": "View and download.",
      "displayName": "Can view",
      "id": "be531789-063c-48bf-a9fe-857e6fbee7da"
    },
    {
      "@libre.graph.weight": 2,
      "description": "View, download and edit.",
      "displayName": "Can edit",
      "id": "36279a93-e4e3-4bbb-8a23-53b05b560963"
    }
  ]
}

@butonic butonic self-assigned this Aug 8, 2024
@butonic butonic requested review from rhafer and JammingBen August 8, 2024 13:04
@butonic butonic force-pushed the federated-user-roles branch from 786060f to e8c6715 Compare August 8, 2024 13:11
@butonic butonic force-pushed the federated-user-roles branch from e8c6715 to bb5a199 Compare August 8, 2024 15:44
@JammingBen JammingBen mentioned this pull request Aug 9, 2024
Merged
15 tasks
@butonic butonic force-pushed the federated-user-roles branch 3 times, most recently from 775db8f to 8d10125 Compare August 9, 2024 13:31
@butonic
Copy link
Member Author

butonic commented Aug 12, 2024

To make requesting only actions more speciffic, we can add a query parameter: [email protected]

@butonic butonic force-pushed the federated-user-roles branch from 8d10125 to f98f7bd Compare August 12, 2024 09:27
@butonic butonic requested a review from kulmann as a code owner August 12, 2024 09:27
@butonic
allow querying federated sharing roles
966b4e1 
Signed-off-by: Jörn Friedrich Dreyer <[email protected]>
@butonic butonic force-pushed the federated-user-roles branch from f98f7bd to 966b4e1 Compare August 12, 2024 09:29
@JammingBen JammingBen mentioned this pull request Aug 12, 2024
Merged
7 tasks
kobergj
kobergj requested changes Aug 13, 2024
View reviewed changes
services/graph/pkg/service/v0/api_driveitem_permissions.go
@@ -283,7 +283,7 @@ func createShareRequestToFederatedUser(user libregraph.User, resourceId *storage
Id: &storageprovider.Grantee_UserId{UserId: &userpb.UserId{
Type: userpb.UserType_USER_TYPE_FEDERATED,
OpaqueId: user.GetId(),
Idp: providerInfo.Domain, // the domain is persisted in the grant as u:{opaqueid}:{domain}
Idp: *user.GetIdentities()[0].Issuer, // the domain is persisted in the grant as u:{opaqueid}:{domain}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it guaranteed that
A) len(user.GetIdentities()) > 0
B) user.GetIdentities()[0] != nil
? Otherwise we need checks for this because it would panic.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes there is a check above the only line making a call to this function:

if len(user.Identities) < 1 {
    return libregraph.Permission{}, errorcode.New(errorcode.InvalidRequest, "user has no federated identity")
}
// [...]
createShareRequest := createShareRequestToFederatedUser(user, statResponse.GetInfo().GetId(), providerInfoResp.ProviderInfo, cs3ResourcePermissions)

services/graph/pkg/unifiedrole/unifiedrole.go Outdated Show resolved Hide resolved
services/graph/pkg/unifiedrole/unifiedrole.go Outdated Show resolved Hide resolved
services/graph/pkg/unifiedrole/unifiedrole.go Outdated Show resolved Hide resolved
@butonic butonic mentioned this pull request Aug 13, 2024
Merged
@butonic butonic requested a review from kobergj August 13, 2024 10:28
@butonic butonic force-pushed the federated-user-roles branch 2 times, most recently from 0c766c3 to 921e99e Compare August 13, 2024 13:13
@butonic
no need to introduce dedicated roles
99c6b66 
Signed-off-by: Jörn Friedrich Dreyer <[email protected]>
@butonic butonic force-pushed the federated-user-roles branch from 921e99e to 99c6b66 Compare August 13, 2024 14:10
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Aug 13, 2024

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
70.5% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@butonic butonic merged commit ad62bb1 into master Aug 13, 2024
4 checks passed
@butonic butonic deleted the federated-user-roles branch August 13, 2024 14:49
ownclouders pushed a commit that referenced this pull request Aug 13, 2024
@butonic
Merge pull request #9765 from owncloud/federated-user-roles
43adb02 
allow querying federated sharing roles
@butonic butonic mentioned this pull request Aug 14, 2024
Open
55 tasks
@ScharfViktor ScharfViktor mentioned this pull request Aug 20, 2024
Closed
21 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JammingBen JammingBen JammingBen left review comments

@kobergj kobergj kobergj approved these changes

@rhafer rhafer Awaiting requested review from rhafer

@kulmann kulmann Awaiting requested review from kulmann kulmann is a code owner

Assignees

@butonic butonic

Labels
None yet
Projects
Infinite Scale Team Board
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@butonic @kobergj @JammingBen