refactor permissions into a first-class citizen in Reva (#5428)

* refactor permissions into a first-class citizen in Reva, with conversions between the permissions

* Fix following model type

---------

Co-authored-by: Giuseppe Lo Presti <[email protected]>

Author: jessegeens

changelog/unreleased/refactor-permissions.md

@@ -0,0 +1,5 @@
+Enhancement: refactor permissions
+
+Permissions are now, at least partially, handled and exposed within a single package (which was important for cernboxcop), with conversions between the different types of permissions
+
+https://github.com/cs3org/reva/pull/5428

cmd/reva/ocm-share-create.go

@@ -33,7 +33,7 @@ import (
 	ocm "github.com/cs3org/go-cs3apis/cs3/sharing/ocm/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
-	"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
+	"github.com/cs3org/reva/v3/pkg/permissions"
 	ocmshare "github.com/cs3org/reva/v3/pkg/ocm/share"
 	"github.com/cs3org/reva/v3/pkg/utils"
 	"github.com/jedib0t/go-pretty/table"
@@ -215,9 +215,9 @@ func getAccessMethods(webdav, webapp, datatx bool, rol string) ([]*ocm.AccessMet
 func getOCMSharePerm(p string) (*provider.ResourcePermissions, error) {
 	switch p {
 	case viewerPermission:
-		return conversions.NewViewerRole().CS3ResourcePermissions(), nil
+		return permissions.NewViewerRole().CS3ResourcePermissions(), nil
 	case editorPermission:
-		return conversions.NewEditorRole().CS3ResourcePermissions(), nil
+		return permissions.NewEditorRole().CS3ResourcePermissions(), nil
 	}
 	return nil, errors.New("invalid rol: " + p)
 }

cmd/reva/share-create.go

@@ -28,7 +28,7 @@ import (
 	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	collaboration "github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
-	"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
+	"github.com/cs3org/reva/v3/pkg/permissions"
 	"github.com/cs3org/reva/v3/pkg/utils"
 	"github.com/jedib0t/go-pretty/table"
 	"github.com/pkg/errors"
@@ -159,11 +159,11 @@ func getGrantType(t string) provider.GranteeType {
 func getSharePerm(p string) (*provider.ResourcePermissions, error) {
 	switch p {
 	case viewerPermission:
-		return conversions.NewViewerRole().CS3ResourcePermissions(), nil
+		return permissions.NewViewerRole().CS3ResourcePermissions(), nil
 	case editorPermission:
-		return conversions.NewEditorRole().CS3ResourcePermissions(), nil
+		return permissions.NewEditorRole().CS3ResourcePermissions(), nil
 	case collabPermission:
-		return conversions.NewManagerRole().CS3ResourcePermissions(), nil
+		return permissions.NewManagerRole().CS3ResourcePermissions(), nil
 	case denyPermission:
 		return &provider.ResourcePermissions{}, nil
 	default:

internal/grpc/services/spacesregistry/spacesregistry.go

@@ -31,7 +31,7 @@ import (
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	cachereg "github.com/cs3org/reva/v3/pkg/share/cache/registry"
 
-	"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
+	"github.com/cs3org/reva/v3/pkg/permissions"
 	"github.com/cs3org/reva/v3/pkg/appctx"
 	"github.com/cs3org/reva/v3/pkg/errtypes"
 	"github.com/cs3org/reva/v3/pkg/plugin"
@@ -410,14 +410,14 @@ func (s *service) userSpace(ctx context.Context, user *userpb.User) (*provider.S
 		Name:      user.Username,
 		SpaceType: spaces.SpaceTypeHome.AsString(),
 		RootInfo: &provider.ResourceInfo{
-			PermissionSet: conversions.NewManagerRole().CS3ResourcePermissions(),
+			PermissionSet: permissions.NewManagerRole().CS3ResourcePermissions(),
 			Path:          home,
 		},
 		Quota: &provider.Quota{
 			QuotaMaxBytes:  quota.TotalBytes,
 			RemainingBytes: quota.TotalBytes - quota.UsedBytes,
 		},
-		PermissionSet: conversions.NewManagerRole().CS3ResourcePermissions(),
+		PermissionSet: permissions.NewManagerRole().CS3ResourcePermissions(),
 	}, nil
 }
 

internal/http/services/owncloud/ocdav/propfind.go

@@ -40,10 +40,12 @@ import (
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
 	"github.com/cs3org/reva/v3/internal/grpc/services/storageprovider"
-	"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
 	"github.com/cs3org/reva/v3/pkg/appctx"
 	"github.com/cs3org/reva/v3/pkg/spaces"
+	"github.com/cs3org/reva/v3/pkg/permissions"
+
 	"github.com/pkg/errors"
+	
 
 	"github.com/cs3org/reva/v3/pkg/publicshare"
 	"github.com/cs3org/reva/v3/pkg/share"
@@ -563,7 +565,7 @@ func (s *svc) mdToPropResponse(ctx context.Context, pf *propfindXML, md *provide
 		}
 	}
 
-	role := conversions.RoleFromResourcePermissions(md.PermissionSet)
+	role := permissions.RoleFromResourcePermissions(md.PermissionSet)
 
 	isShared := !isCurrentUserOwner(ctx, md.Owner)
 	var wdp string
@@ -1036,8 +1038,8 @@ func (s *svc) mdToPropResponse(ctx context.Context, pf *propfindXML, md *provide
 						perms := role.OCSPermissions()
 						// shared files cant have the create or delete permission set
 						if md.Type == provider.ResourceType_RESOURCE_TYPE_FILE {
-							perms &^= conversions.PermissionCreate
-							perms &^= conversions.PermissionDelete
+							perms &^= permissions.PermissionCreate
+							perms &^= permissions.PermissionDelete
 						}
 						propstatOK.Prop = append(propstatOK.Prop, s.newPropNS(pf.Prop[i].Space, pf.Prop[i].Local, strconv.FormatUint(uint64(perms), 10)))
 					}

internal/http/services/owncloud/ocdav/tus.go

@@ -31,7 +31,7 @@ import (
 	link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	typespb "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
-	"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
+	"github.com/cs3org/reva/v3/pkg/permissions"
 	"github.com/cs3org/reva/v3/pkg/appctx"
 	"github.com/cs3org/reva/v3/pkg/utils"
 	"github.com/cs3org/reva/v3/pkg/utils/resourceid"
@@ -297,7 +297,7 @@ func (s *svc) handleTusPost(ctx context.Context, w http.ResponseWriter, r *http.
 				}
 			}
 			isShared := !isCurrentUserOwner(ctx, info.Owner)
-			role := conversions.RoleFromResourcePermissions(info.PermissionSet)
+			role := permissions.RoleFromResourcePermissions(info.PermissionSet)
 			permissions := role.WebDAVPermissions(
 				info.Type == provider.ResourceType_RESOURCE_TYPE_CONTAINER,
 				isShared,

internal/http/services/owncloud/ocgraph/conversions.go

@@ -18,7 +18,7 @@ import (
 	ocm "github.com/cs3org/go-cs3apis/cs3/sharing/ocm/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
-	"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
+	"github.com/cs3org/reva/v3/pkg/permissions"
 	"github.com/cs3org/reva/v3/pkg/appctx"
 	"github.com/cs3org/reva/v3/pkg/spaces"
 	"github.com/cs3org/reva/v3/pkg/utils"
@@ -253,7 +253,7 @@ func LinkTypeToPermissions(lt libregraph.SharingLinkType, resourceType provider.
 	case libregraph.INTERNAL:
 		fallthrough
 	default:
-		return conversions.NewDeniedRole().CS3ResourcePermissions()
+		return permissions.NewDeniedRole().CS3ResourcePermissions()
 	}
 }
 

internal/http/services/owncloud/ocgraph/drive_permissions.go

@@ -17,7 +17,7 @@ import (
 	ocm "github.com/cs3org/go-cs3apis/cs3/sharing/ocm/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	typesv1beta1 "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
-	"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
+	"github.com/cs3org/reva/v3/pkg/permissions"
 	"github.com/cs3org/reva/v3/pkg/appctx"
 	"github.com/cs3org/reva/v3/pkg/errtypes"
 	"github.com/cs3org/reva/v3/pkg/spaces"
@@ -808,7 +808,7 @@ func (s *svc) getLinkUpdates(ctx context.Context, link *linkv1beta1.PublicShare,
 	if permission.Link != nil && permission.Link.Type != nil {
 		isEditorLink = permission.Link.GetType() == libregraph.EDIT
 	} else if link.Permissions != nil {
-		isEditorLink = conversions.RoleFromResourcePermissions(link.Permissions.Permissions).Name == conversions.RoleEditor
+		isEditorLink = permissions.RoleFromResourcePermissions(link.Permissions.Permissions).Name == permissions.RoleEditor
 	}
 
 	// Check for update of expiration

internal/http/services/owncloud/ocgraph/linktype.go

@@ -26,7 +26,7 @@ import (
 
 	linkv1beta1 "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
-	"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
+	"github.com/cs3org/reva/v3/pkg/permissions"
 	"github.com/cs3org/reva/v3/pkg/storage/utils/grants"
 	libregraph "github.com/owncloud/libre-graph-api-go"
 )
@@ -114,31 +114,31 @@ func NewInternalLinkPermissionSet() *LinkType {
 // NewViewLinkPermissionSet creates cs3 permissions for the view link type
 func NewViewLinkPermissionSet() *LinkType {
 	return &LinkType{
-		Permissions: conversions.NewViewerRole().CS3ResourcePermissions(),
+		Permissions: permissions.NewViewerRole().CS3ResourcePermissions(),
 		linkType:    libregraph.VIEW,
 	}
 }
 
 // NewFileEditLinkPermissionSet creates cs3 permissions for the file edit link type
 func NewFileEditLinkPermissionSet() *LinkType {
 	return &LinkType{
-		Permissions: conversions.NewFileEditorRole().CS3ResourcePermissions(),
+		Permissions: permissions.NewFileEditorRole().CS3ResourcePermissions(),
 		linkType:    libregraph.EDIT,
 	}
 }
 
 // NewFolderEditLinkPermissionSet creates cs3 permissions for the folder edit link type
 func NewFolderEditLinkPermissionSet() *LinkType {
 	return &LinkType{
-		Permissions: conversions.NewEditorRole().CS3ResourcePermissions(),
+		Permissions: permissions.NewEditorRole().CS3ResourcePermissions(),
 		linkType:    libregraph.EDIT,
 	}
 }
 
 // NewFolderDropLinkPermissionSet creates cs3 permissions for the folder createOnly link type
 func NewFolderDropLinkPermissionSet() *LinkType {
 	return &LinkType{
-		Permissions: conversions.NewUploaderRole().CS3ResourcePermissions(),
+		Permissions: permissions.NewUploaderRole().CS3ResourcePermissions(),
 		linkType:    libregraph.CREATE_ONLY,
 	}
 }

internal/http/services/owncloud/ocgraph/shares.go

@@ -43,7 +43,7 @@ import (
 	link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	"github.com/cs3org/reva/v3/internal/http/services/opencloudmesh/ocmd"
-	"github.com/cs3org/reva/v3/internal/http/services/owncloud/ocs/conversions"
+	"github.com/cs3org/reva/v3/pkg/permissions"
 	"github.com/cs3org/reva/v3/pkg/appctx"
 	"github.com/cs3org/reva/v3/pkg/ocm/share"
 	"github.com/cs3org/reva/v3/pkg/spaces"
@@ -272,7 +272,7 @@ func (s *svc) share(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Check that the user has share permissions
-	if !conversions.RoleFromResourcePermissions(statRes.Info.PermissionSet).OCSPermissions().Contain(conversions.PermissionShare) {
+	if !permissions.RoleFromResourcePermissions(statRes.Info.PermissionSet).OCSPermissions().Contain(permissions.PermissionShare) {
 		handleCustomError(ctx, errors.New("user does not have share permissions"), http.StatusUnauthorized, w)
 		return
 	}
@@ -411,7 +411,7 @@ func (s *svc) createLink(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Check that the user has share permissions
-	if !conversions.RoleFromResourcePermissions(statRes.Info.PermissionSet).OCSPermissions().Contain(conversions.PermissionShare) {
+	if !permissions.RoleFromResourcePermissions(statRes.Info.PermissionSet).OCSPermissions().Contain(permissions.PermissionShare) {
 		handleCustomError(ctx, errors.New("user does not have the necessary permissions"), http.StatusUnauthorized, w)
 		return
 	}