Add a route to revoke to recipient from a sharing

Author: nono

pkg/sharing/member.go

@@ -170,36 +170,11 @@ func (c *Credentials) Refresh(inst *instance.Instance, s *Sharing, m *Member) er
 
 // RevokeMember revoke the access granted to a member and contact it
 func (s *Sharing) RevokeMember(inst *instance.Instance, m *Member, c *Credentials) error {
-	u, err := url.Parse(m.Instance)
-	if m.Instance == "" || err != nil {
-		return ErrInvalidSharing
-	}
-
 	// No need to contact the revoked member if the sharing is not ready
 	if m.Status == MemberStatusReady {
-		opts := &request.Options{
-			Method: http.MethodDelete,
-			Scheme: u.Scheme,
-			Domain: u.Host,
-			Path:   "/sharings/" + s.SID,
-			Headers: request.Headers{
-				"Authorization": "Bearer " + c.AccessToken.AccessToken,
-			},
-		}
-		var res *http.Response
-		res, err := request.Req(opts)
-		if err != nil {
-			return err
-		}
-		res.Body.Close()
-		if res.StatusCode/100 == 5 {
-			return ErrInternalServerError
-		}
-		if res.StatusCode/100 == 4 {
-			if res, err = RefreshToken(inst, s, m, c, opts, nil); err != nil {
-				return err
-			}
-			res.Body.Close()
+		if err := s.NotifyMemberRevocation(inst, m, c); err != nil {
+			inst.Logger().WithField("nspace", "sharing").
+				Warnf("Error on revocation notification: %s", err)
 		}
 
 		if !s.ReadOnly() {
@@ -215,3 +190,37 @@ func (s *Sharing) RevokeMember(inst *instance.Instance, m *Member, c *Credential
 
 	return couchdb.UpdateDoc(inst, s)
 }
+
+// NotifyMemberRevocation send a notification to this member that he/she was
+// revoked from this sharing
+func (s *Sharing) NotifyMemberRevocation(inst *instance.Instance, m *Member, c *Credentials) error {
+	u, err := url.Parse(m.Instance)
+	if m.Instance == "" || err != nil {
+		return ErrInvalidSharing
+	}
+
+	opts := &request.Options{
+		Method: http.MethodDelete,
+		Scheme: u.Scheme,
+		Domain: u.Host,
+		Path:   "/sharings/" + s.SID,
+		Headers: request.Headers{
+			"Authorization": "Bearer " + c.AccessToken.AccessToken,
+		},
+	}
+	res, err := request.Req(opts)
+	if err != nil {
+		return err
+	}
+	res.Body.Close()
+	if res.StatusCode/100 == 5 {
+		return ErrInternalServerError
+	}
+	if res.StatusCode/100 == 4 {
+		if res, err = RefreshToken(inst, s, m, c, opts, nil); err != nil {
+			return err
+		}
+		res.Body.Close()
+	}
+	return nil
+}

pkg/sharing/oauth.go

@@ -163,6 +163,9 @@ func DeleteOAuthClient(inst *instance.Instance, m *Member, cred *Credentials) er
 		return ErrInvalidURL
 	}
 	clientID := cred.InboundClientID
+	if clientID == "" {
+		return nil
+	}
 	client, err := oauth.FindClient(inst, clientID)
 	if err != nil {
 		return err

pkg/sharing/sharing.go

@@ -211,10 +211,8 @@ func (s *Sharing) Revoke(inst *instance.Instance) error {
 			errm = multierror.Append(errm, err)
 		}
 	}
-	if s.WithPropagation() {
-		if err := s.RemoveTriggers(inst); err != nil {
-			return err
-		}
+	if err := s.RemoveTriggers(inst); err != nil {
+		return err
 	}
 	if err := RemoveSharedRefs(inst, s.SID); err != nil {
 		return err
@@ -226,6 +224,32 @@ func (s *Sharing) Revoke(inst *instance.Instance) error {
 	return errm
 }
 
+// RevokeRecipient revoke only one recipient on the sharer. After that, if the
+// sharing has still at least one active member, we keep it as is. Else, we
+// desactive the sharing.
+func (s *Sharing) RevokeRecipient(inst *instance.Instance, index int) error {
+	if !s.Owner {
+		return ErrInvalidSharing
+	}
+	if err := s.RevokeMember(inst, &s.Members[index], &s.Credentials[index-1]); err != nil {
+		return err
+	}
+
+	for _, m := range s.Members {
+		if m.Status == MemberStatusReady {
+			return nil
+		}
+	}
+	if err := s.RemoveTriggers(inst); err != nil {
+		return err
+	}
+	if err := RemoveSharedRefs(inst, s.SID); err != nil {
+		return err
+	}
+	s.Active = false
+	return couchdb.UpdateDoc(inst, s)
+}
+
 // RemoveTriggers remove all the triggers associated to this sharing
 func (s *Sharing) RemoveTriggers(inst *instance.Instance) error {
 	if err := removeSharingTrigger(inst, s.Triggers.TrackID); err != nil {

web/sharings/sharings.go

@@ -3,6 +3,7 @@ package sharings
 import (
 	"errors"
 	"net/http"
+	"strconv"
 	"strings"
 
 	"github.com/cozy/cozy-stack/pkg/consts"
@@ -186,6 +187,28 @@ func RevokeSharing(c echo.Context) error {
 	return c.NoContent(http.StatusNoContent)
 }
 
+// RevokeRecipient is used by the owner to revoke a recipient
+func RevokeRecipient(c echo.Context) error {
+	inst := middlewares.GetInstance(c)
+	sharingID := c.Param("sharing-id")
+	s, err := sharing.FindSharing(inst, sharingID)
+	if err != nil {
+		return wrapErrors(err)
+	}
+	_, err = checkCreatePermissions(c, s)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusForbidden)
+	}
+	index, err := strconv.Atoi(c.Param("index"))
+	if err != nil || index == 0 || index >= len(s.Members) {
+		return jsonapi.InvalidParameter("index", err)
+	}
+	if err = s.RevokeRecipient(inst, index); err != nil {
+		return wrapErrors(err)
+	}
+	return c.NoContent(http.StatusNoContent)
+}
+
 // RevocationNotif is used to inform a recipient that the sharing is revoked
 func RevocationNotif(c echo.Context) error {
 	inst := middlewares.GetInstance(c)
@@ -292,7 +315,9 @@ func Routes(router *echo.Group) {
 	router.GET("/:sharing-id", GetSharing)
 	router.POST("/:sharing-id/answer", AnswerSharing)
 
+	// Revocations
 	router.DELETE("/:sharing-id/recipients", RevokeSharing)                 // On the sharer
+	router.DELETE("/:sharing-id/recipients/:index", RevokeRecipient)        // On the sharer
 	router.DELETE("/:sharing-id", RevocationNotif, checkSharingPermissions) // On the recipient
 
 	router.GET("/doctype/:doctype", GetSharingsInfoByDocType)

web/sharings/sharings_test.go

@@ -662,7 +662,9 @@ func TestRevokeSharing(t *testing.T) {
 	assert.NoError(t, err)
 	req.Header.Add(echo.HeaderContentType, "application/vnd.api+json")
 	req.Header.Add(echo.HeaderAuthorization, "Bearer "+aliceAppToken)
-	_, _ = http.DefaultClient.Do(req)
+	res, err := http.DefaultClient.Do(req)
+	assert.NoError(t, err)
+	assert.Equal(t, 204, res.StatusCode)
 
 	var sRevoke sharing.Sharing
 	err = couchdb.GetDoc(aliceInstance, s.DocType(), s.SID, &sRevoke)
@@ -680,6 +682,92 @@ func TestRevokeSharing(t *testing.T) {
 	assert.EqualError(t, err, "CouchDB(not_found): deleted")
 }
 
+func TestRevokeRecipient(t *testing.T) {
+	sharedDocs := []string{"mygreatid3", "mygreatid4"}
+	sharedRefs := []*sharing.SharedRef{}
+	s := createSharing(t, aliceInstance, sharedDocs)
+	for _, id := range sharedDocs {
+		sid := iocozytests + "/" + id
+		sd, errs := createSharedDoc(aliceInstance, sid, s.SID)
+		sharedRefs = append(sharedRefs, sd)
+		assert.NoError(t, errs)
+		assert.NotNil(t, sd)
+	}
+
+	cli, err := sharing.CreateOAuthClient(aliceInstance, &s.Members[1])
+	assert.NoError(t, err)
+	s.Credentials[0].Client = sharing.ConvertOAuthClient(cli)
+	token, err := sharing.CreateAccessToken(aliceInstance, cli, s.SID)
+	assert.NoError(t, err)
+	s.Credentials[0].AccessToken = token
+	s.Members[1].Status = sharing.MemberStatusReady
+
+	s.Members = append(s.Members, sharing.Member{
+		Status:   sharing.MemberStatusReady,
+		Name:     "Charlie",
+		Email:    "charlie@cozy.local",
+		Instance: tsB.URL,
+	})
+	clientC, err := sharing.CreateOAuthClient(aliceInstance, &s.Members[2])
+	assert.NoError(t, err)
+	tokenC, err := sharing.CreateAccessToken(aliceInstance, clientC, s.SID)
+	assert.NoError(t, err)
+	s.Credentials = append(s.Credentials, sharing.Credentials{
+		Client:      sharing.ConvertOAuthClient(clientC),
+		AccessToken: tokenC,
+	})
+
+	err = couchdb.UpdateDoc(aliceInstance, s)
+	assert.NoError(t, err)
+
+	err = s.AddTrackTriggers(aliceInstance)
+	assert.NoError(t, err)
+	err = s.AddReplicateTrigger(aliceInstance)
+	assert.NoError(t, err)
+
+	req, err := http.NewRequest(http.MethodDelete, tsA.URL+"/sharings/"+s.ID()+"/recipients/1", nil)
+	assert.NoError(t, err)
+	req.Header.Add(echo.HeaderContentType, "application/vnd.api+json")
+	req.Header.Add(echo.HeaderAuthorization, "Bearer "+aliceAppToken)
+	res, err := http.DefaultClient.Do(req)
+	assert.NoError(t, err)
+	assert.Equal(t, 204, res.StatusCode)
+
+	var sRevokedBob sharing.Sharing
+	err = couchdb.GetDoc(aliceInstance, s.DocType(), s.SID, &sRevokedBob)
+	assert.NoError(t, err)
+
+	assert.Equal(t, sharing.MemberStatusRevoked, sRevokedBob.Members[1].Status)
+	assert.Equal(t, sharing.MemberStatusReady, sRevokedBob.Members[2].Status)
+	assert.NotEmpty(t, sRevokedBob.Triggers.TrackID)
+	assert.NotEmpty(t, sRevokedBob.Triggers.ReplicateID)
+	assert.True(t, sRevokedBob.Active)
+
+	req2, err := http.NewRequest(http.MethodDelete, tsA.URL+"/sharings/"+s.ID()+"/recipients/2", nil)
+	assert.NoError(t, err)
+	req2.Header.Add(echo.HeaderContentType, "application/vnd.api+json")
+	req2.Header.Add(echo.HeaderAuthorization, "Bearer "+aliceAppToken)
+	res2, err := http.DefaultClient.Do(req2)
+	assert.NoError(t, err)
+	assert.Equal(t, 204, res2.StatusCode)
+
+	var sRevokedCharlie sharing.Sharing
+	err = couchdb.GetDoc(aliceInstance, s.DocType(), s.SID, &sRevokedCharlie)
+	assert.NoError(t, err)
+
+	assert.Equal(t, sharing.MemberStatusRevoked, sRevokedCharlie.Members[1].Status)
+	assert.Equal(t, sharing.MemberStatusRevoked, sRevokedCharlie.Members[2].Status)
+	assert.Empty(t, sRevokedCharlie.Triggers.TrackID)
+	assert.Empty(t, sRevokedCharlie.Triggers.ReplicateID)
+	assert.False(t, sRevokedCharlie.Active)
+
+	var sdoc sharing.SharedRef
+	err = couchdb.GetDoc(aliceInstance, sharedRefs[0].DocType(), sharedRefs[0].ID(), &sdoc)
+	assert.EqualError(t, err, "CouchDB(not_found): deleted")
+	err = couchdb.GetDoc(aliceInstance, sharedRefs[1].DocType(), sharedRefs[1].ID(), &sdoc)
+	assert.EqualError(t, err, "CouchDB(not_found): deleted")
+}
+
 func TestMain(m *testing.M) {
 	config.UseTestFile()
 	config.GetConfig().Assets = "../../assets"